Malware Analysis Report

2025-01-22 19:52

Sample ID 240601-azwvksbd7y
Target 2024-06-01_4930557623effb1a35293b5670f499e1_cobalt-strike_cobaltstrike
SHA256 d4c3b14e61b5be8b392b9a5a1cd77b0db1cec5c26ab5dd764397edf76cdde1c0
Tags
miner upx 0 xmrig cobaltstrike backdoor trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

d4c3b14e61b5be8b392b9a5a1cd77b0db1cec5c26ab5dd764397edf76cdde1c0

Threat Level: Known bad

The file 2024-06-01_4930557623effb1a35293b5670f499e1_cobalt-strike_cobaltstrike was found to be: Known bad.

Malicious Activity Summary

miner upx 0 xmrig cobaltstrike backdoor trojan

Cobalt Strike reflective loader

XMRig Miner payload

Cobaltstrike family

UPX dump on OEP (original entry point)

xmrig

Xmrig family

Cobaltstrike

Detects Reflective DLL injection artifacts

UPX packed file

Executes dropped EXE

Loads dropped DLL

Drops file in Windows directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-01 00:39

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike family

cobaltstrike

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

XMRig Miner payload

miner

Description Indicator Process Target
N/A N/A N/A N/A

Xmrig family

xmrig

UPX packed file

upx

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-01 00:39

Reported

2024-06-01 00:42

Platform

win7-20240221-en

Max time kernel

139s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-01_4930557623effb1a35293b5670f499e1_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A (21 identical rows)

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A (21 identical rows)

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A (51 identical rows)

XMRig Miner payload

miner

Description Indicator Process Target
N/A N/A N/A N/A (55 identical rows)

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_4930557623effb1a35293b5670f499e1_cobalt-strike_cobaltstrike.exe N/A (21 identical rows)

UPX packed file

upx

Description Indicator Process Target
N/A N/A N/A N/A (51 identical rows)

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\xvjbeWV.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_4930557623effb1a35293b5670f499e1_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\DOQwChJ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_4930557623effb1a35293b5670f499e1_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\NhoieqA.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_4930557623effb1a35293b5670f499e1_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\psRIsAr.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_4930557623effb1a35293b5670f499e1_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\CxVBvOs.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_4930557623effb1a35293b5670f499e1_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\kqZUnML.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_4930557623effb1a35293b5670f499e1_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\likSIQu.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_4930557623effb1a35293b5670f499e1_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\QDMGUBN.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_4930557623effb1a35293b5670f499e1_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ScVCuJM.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_4930557623effb1a35293b5670f499e1_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\nDiunfl.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_4930557623effb1a35293b5670f499e1_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\PRnQhWP.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_4930557623effb1a35293b5670f499e1_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\jTeqcoB.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_4930557623effb1a35293b5670f499e1_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\cvFLhhI.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_4930557623effb1a35293b5670f499e1_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\dMLCyfh.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_4930557623effb1a35293b5670f499e1_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\hxnNsGA.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_4930557623effb1a35293b5670f499e1_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\JBEMKfc.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_4930557623effb1a35293b5670f499e1_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\lpbPeXt.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_4930557623effb1a35293b5670f499e1_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\gMAxsWi.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_4930557623effb1a35293b5670f499e1_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\KWoYXEH.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_4930557623effb1a35293b5670f499e1_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ElEldFX.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_4930557623effb1a35293b5670f499e1_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\CldDUaz.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_4930557623effb1a35293b5670f499e1_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_4930557623effb1a35293b5670f499e1_cobalt-strike_cobaltstrike.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_4930557623effb1a35293b5670f499e1_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2004 wrote to memory of 2532 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_4930557623effb1a35293b5670f499e1_cobalt-strike_cobaltstrike.exe C:\Windows\System\ScVCuJM.exe (3 identical rows)
PID 2004 wrote to memory of 2540 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_4930557623effb1a35293b5670f499e1_cobalt-strike_cobaltstrike.exe C:\Windows\System\nDiunfl.exe (3 identical rows)
PID 2004 wrote to memory of 2160 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_4930557623effb1a35293b5670f499e1_cobalt-strike_cobaltstrike.exe C:\Windows\System\hxnNsGA.exe (3 identical rows)
PID 2004 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_4930557623effb1a35293b5670f499e1_cobalt-strike_cobaltstrike.exe C:\Windows\System\PRnQhWP.exe (3 identical rows)
PID 2004 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_4930557623effb1a35293b5670f499e1_cobalt-strike_cobaltstrike.exe C:\Windows\System\xvjbeWV.exe (3 identical rows)
PID 2004 wrote to memory of 2580 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_4930557623effb1a35293b5670f499e1_cobalt-strike_cobaltstrike.exe C:\Windows\System\jTeqcoB.exe (3 identical rows)
PID 2004 wrote to memory of 2764 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_4930557623effb1a35293b5670f499e1_cobalt-strike_cobaltstrike.exe C:\Windows\System\gMAxsWi.exe (3 identical rows)
PID 2004 wrote to memory of 2716 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_4930557623effb1a35293b5670f499e1_cobalt-strike_cobaltstrike.exe C:\Windows\System\DOQwChJ.exe (3 identical rows)
PID 2004 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_4930557623effb1a35293b5670f499e1_cobalt-strike_cobaltstrike.exe C:\Windows\System\KWoYXEH.exe (3 identical rows)
PID 2004 wrote to memory of 560 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_4930557623effb1a35293b5670f499e1_cobalt-strike_cobaltstrike.exe C:\Windows\System\cvFLhhI.exe (3 identical rows)
PID 2004 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_4930557623effb1a35293b5670f499e1_cobalt-strike_cobaltstrike.exe C:\Windows\System\NhoieqA.exe (3 identical rows)
PID 2004 wrote to memory of 3068 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_4930557623effb1a35293b5670f499e1_cobalt-strike_cobaltstrike.exe C:\Windows\System\psRIsAr.exe (3 identical rows)
PID 2004 wrote to memory of 2828 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_4930557623effb1a35293b5670f499e1_cobalt-strike_cobaltstrike.exe C:\Windows\System\ElEldFX.exe (3 identical rows)
PID 2004 wrote to memory of 2872 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_4930557623effb1a35293b5670f499e1_cobalt-strike_cobaltstrike.exe C:\Windows\System\JBEMKfc.exe (3 identical rows)
PID 2004 wrote to memory of 2896 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_4930557623effb1a35293b5670f499e1_cobalt-strike_cobaltstrike.exe C:\Windows\System\CxVBvOs.exe (3 identical rows)
PID 2004 wrote to memory of 3056 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_4930557623effb1a35293b5670f499e1_cobalt-strike_cobaltstrike.exe C:\Windows\System\kqZUnML.exe (3 identical rows)
PID 2004 wrote to memory of 3012 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_4930557623effb1a35293b5670f499e1_cobalt-strike_cobaltstrike.exe C:\Windows\System\likSIQu.exe (3 identical rows)
PID 2004 wrote to memory of 1660 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_4930557623effb1a35293b5670f499e1_cobalt-strike_cobaltstrike.exe C:\Windows\System\QDMGUBN.exe (3 identical rows)
PID 2004 wrote to memory of 1028 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_4930557623effb1a35293b5670f499e1_cobalt-strike_cobaltstrike.exe C:\Windows\System\lpbPeXt.exe (3 identical rows)
PID 2004 wrote to memory of 2796 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_4930557623effb1a35293b5670f499e1_cobalt-strike_cobaltstrike.exe C:\Windows\System\CldDUaz.exe (3 identical rows)
PID 2004 wrote to memory of 1652 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_4930557623effb1a35293b5670f499e1_cobalt-strike_cobaltstrike.exe C:\Windows\System\dMLCyfh.exe (3 identical rows)

Processes

Process Command line
C:\Users\Admin\AppData\Local\Temp\2024-06-01_4930557623effb1a35293b5670f499e1_cobalt-strike_cobaltstrike.exe "C:\Users\Admin\AppData\Local\Temp\2024-06-01_4930557623effb1a35293b5670f499e1_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\ScVCuJM.exe C:\Windows\System\ScVCuJM.exe
C:\Windows\System\nDiunfl.exe C:\Windows\System\nDiunfl.exe
C:\Windows\System\hxnNsGA.exe C:\Windows\System\hxnNsGA.exe
C:\Windows\System\PRnQhWP.exe C:\Windows\System\PRnQhWP.exe
C:\Windows\System\xvjbeWV.exe C:\Windows\System\xvjbeWV.exe
C:\Windows\System\jTeqcoB.exe C:\Windows\System\jTeqcoB.exe
C:\Windows\System\gMAxsWi.exe C:\Windows\System\gMAxsWi.exe
C:\Windows\System\DOQwChJ.exe C:\Windows\System\DOQwChJ.exe
C:\Windows\System\KWoYXEH.exe C:\Windows\System\KWoYXEH.exe
C:\Windows\System\cvFLhhI.exe C:\Windows\System\cvFLhhI.exe
C:\Windows\System\NhoieqA.exe C:\Windows\System\NhoieqA.exe
C:\Windows\System\psRIsAr.exe C:\Windows\System\psRIsAr.exe
C:\Windows\System\ElEldFX.exe C:\Windows\System\ElEldFX.exe
C:\Windows\System\JBEMKfc.exe C:\Windows\System\JBEMKfc.exe
C:\Windows\System\CxVBvOs.exe C:\Windows\System\CxVBvOs.exe
C:\Windows\System\kqZUnML.exe C:\Windows\System\kqZUnML.exe
C:\Windows\System\likSIQu.exe C:\Windows\System\likSIQu.exe
C:\Windows\System\QDMGUBN.exe C:\Windows\System\QDMGUBN.exe
C:\Windows\System\lpbPeXt.exe C:\Windows\System\lpbPeXt.exe
C:\Windows\System\CldDUaz.exe C:\Windows\System\CldDUaz.exe
C:\Windows\System\dMLCyfh.exe C:\Windows\System\dMLCyfh.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 tcp (6 identical rows)

Files

memory/2004-0-0x000000013F8C0000-0x000000013FC14000-memory.dmp

memory/2004-1-0x00000000001F0000-0x0000000000200000-memory.dmp

C:\Windows\system\ScVCuJM.exe

MD5 b7321dcce58cb41439907245e71f7945
SHA1 b5521453cbda084afe82d30ddbb4855846422792
SHA256 732a371512ed3a73dddffa420a08aa67a41610509dc1a71b3f1dd93588df3098
SHA512 435027b3990e06161708e66d3acc41874a83e058f28cf8962c5d9109443169a32a5df36a5c2f8fd2ded841ea53955a8f7598ff0ae61183240cd2a8c4df5aa53a

C:\Windows\system\nDiunfl.exe

MD5 d7c0995011a1deff1b4554d304e00276
SHA1 09a83cc14f12084171470ef57d13499dd033d990
SHA256 ac9413ff3357fec200520127d818c099fc5a3ec888a712391e57d09e88ff3c89
SHA512 63fc9d73afd1354935750a830a9fe592ed24ec5dc85ec8fdd21b17b1c3b56cb7cc0b25c7bf53e9f0e86468907cdce6420bd0186be383fa5aed999bdee4770fe8

C:\Windows\system\hxnNsGA.exe

MD5 81045693089ee4d9636d8478c73f9e6e
SHA1 269073f32ca5d7b97c77f752834daa6033c02e94
SHA256 ef2b6a1ac2dba2a3fc7659fe658ecc6bca0e48ee15be1aeb8b83b1856ec784bd
SHA512 80423f78247d1fb99e3e0646a09e40da20f4503918805d59160e8a75e9dc93c2ed9b86c73acc6e7adb69d51777b06e8f0b58c98c2fdeb9c8b54c13b2374f15fe

memory/2532-19-0x000000013F160000-0x000000013F4B4000-memory.dmp

memory/2004-17-0x000000013F160000-0x000000013F4B4000-memory.dmp

C:\Windows\system\PRnQhWP.exe

MD5 9e915b42a87a704db2de965a385eee61
SHA1 0a98f7d40b82b3ba462e88da29fbbb79f6d5b775
SHA256 2bfe39ce3fb75ef1c1836eb2ee8506aca8d5c4adfcdf2b8a7d3934e7c0f5e2c7
SHA512 ee04bb356a4fa9a7134dc2560bfc239ab5c8de94de2fb004ea2178ec4d7190ab31474efc98c6364b02c2af467c3b491c8552a6ba9a77a7ff497e53a4df3ccdca

C:\Windows\system\xvjbeWV.exe

MD5 2641ff83249b98c053ed4b89b402f574
SHA1 9bf851172c16df9e12ed1d74943d7da72fe51ad8
SHA256 5f9f534c9657c3bd1f43739fe96c21b3d35a3a186c604d57b23793aaa29919fe
SHA512 6bbf13d67973e79134d41d5385745171d369f4a3f3ba17dd0aa2b3088fad137b3efe41910f106f79447a07fe0d7202ca57ae2afc9d00f8507932681e0200db93

C:\Windows\system\jTeqcoB.exe

MD5 be304976d6a481f016e85185a8dd3997
SHA1 c241f899b1aeaa949637ec7884128dbd078eeebc
SHA256 53c1bb4496140123a823f8101269e0b047412bebdb3f94e7b9cc8e08735b3f1e
SHA512 047a2a65ce5c6eece2bcde5c65542fda341f7878131a32b4297b0a571a6e2a59a6f3755e73264a539a5e7979210ef540c353481fe4d4140987792689572bedaf

C:\Windows\system\gMAxsWi.exe

MD5 95d81d140d516013fd9a0fc1a0353d0d
SHA1 068a3184d80937aff2493ec172f318f6283851f1
SHA256 959f8940af7d4ad22e228b52aaf3c21b904abe24bcf9332cb4db03008542aaba
SHA512 f5aac21b21d4b279cccb771bf2a6c6c2f9dd3e7bebb73e1a16789a081feb4b957947b0cfea71525aab5872f10d6d3e125d527c4171c258589b5429946e360863

C:\Windows\system\DOQwChJ.exe

MD5 02a71ecfc1af5a7890d8f139c7e4efd5
SHA1 d4cd87b9f34a254bba02bee2653bae037d2d252a
SHA256 372ba59b4003ce71d41750ef4baa905f37d0a64709d294fa32e8e38b274db7ea
SHA512 dcd41b7b6372132bcc6929d8c1f9e52dd2c70e1b47428159ef2567d58ba85ae23aea06a7e616b615fa6f1c73a81e47bf9a3c99a5b8cd3b80c051d4277f0226ed

C:\Windows\system\KWoYXEH.exe

MD5 6dce9b6d9d3a49f65892a647fbe903af
SHA1 02bb6e4c04460cfde396136f4147aac4b9017b1e
SHA256 4c983e9852549817fc63b2f994b8648c5a34e14fdd94a43569827a1c4c6bfa77
SHA512 dc89fc8d4a971e34fd78f6eab9cf798269f34f9dc6fe458d5b5b56545a2df3d5802c5b0836e5adcd427390a4ca45f5b8d23b9f87a329fa6f59a2bd7760ad8ef3

memory/2724-53-0x000000013F620000-0x000000013F974000-memory.dmp

C:\Windows\system\ElEldFX.exe

MD5 6810005bfe94c0f770d53ba6efd5043e
SHA1 9befa670b424ce9d91f5aad7f194710dd9d8baff
SHA256 bc0f96b8b6c4ac9117e5a6eee1d70446687043381e0466273010950f09bfb33d
SHA512 2848ea3ab28606483eab9a5ebc384524fcdfb2e2c843a695e9d1e43cecb3b4e23457ed15e9ab2d46f2a0cf11dc8f4e203a0626b9ab37ceb8a854cde2755c4ab3

C:\Windows\system\CldDUaz.exe

MD5 696e07869951064160d5e8e5dbf67d42
SHA1 80f8422aef7251c9fc82bf577ca6f869f8edda2a
SHA256 765b14ee9ca1aae4548280328becc965d8214efe5861a46ef284ac230089cfcc
SHA512 4520654fefdd88f64a0e753b67eed84de1fb86af1cf52364d24402d5642c909f2ccc8301a0723e60b1b36fc4e1c7dec58b19c0ec8875fd89344540ace5202498

C:\Windows\system\dMLCyfh.exe

MD5 d11d96fa6766348a25cb4cc1182204c1
SHA1 eff7612fcce26880a1de78072285ca47d3da0e6c
SHA256 cf3875fde9ee410c2c48f9a37b89cf455e5e25336852a1b01159d0f8c3c128f4
SHA512 5bcd2c674b1978c14fd20742d9a4d9db6c1aa72b4655a9fe90a43c43ab55eaa4d67ab086d00fbf528447e03d96c2b020a3fba5fe17cd3d50220eb1b1bc7acb70

C:\Windows\system\lpbPeXt.exe

MD5 8aeeab14130482eda54dbb935b4798dd
SHA1 4d0fdf3894e7a7e5a712f5b3929d0cf9a1304fc0
SHA256 fba009b3dd7e5f0e432bc1b7eb212ac1514e43e8ef8fa925c0cd7fc6abed5df4
SHA512 092447cbe29c199c5667891602486194a37b57edcf4211200d30db6e56369f80639b0a1f18728ae6e8829087b3045510f3e245aedcff69510d868393ca15a2b2

C:\Windows\system\QDMGUBN.exe

MD5 c50cf4efe8753634573a388fb3314f75
SHA1 4a2fc9f22d45cbfc0d6ece08b7e790ca4262c77f
SHA256 27f370c5fd6063c45b471cf58857d3273d4365a3e84455bbb465e76a0b1ba33c
SHA512 40e7bdc5f404c788b084985ac75410b1bd0202227f88a6c5167c5187146d9bbb94d7668dec3ca86ba1f3bda05d81210231275c60e18d4a8921109cee08963446

C:\Windows\system\likSIQu.exe

MD5 2d826f0e499158275a87c280e7fb5027
SHA1 307610ae5d8964fd3e47c92a84d6b649c70e47aa
SHA256 5729b8a15224bac4ee819231225f55fc0078819e0dfcccc7a3889b9abcd022ab
SHA512 5ba453845d302c839a60411b37aadbff4189e3cc9eace964959b48b8084fb9131782e0ebcc6aa96546030d55c88a6686da058d9585291518e45ed2d9d7586fe4

C:\Windows\system\kqZUnML.exe

MD5 025cb4942d3482e791fcd2efa45ba632
SHA1 ec3f1578af8115445a9f785c94d227cb803f8e73
SHA256 743cf3286e90ccef7bb9fa07e933eaf9bb3d059e6425a6a49c3e10d814b44642
SHA512 354b1eb3a4a9dd99c49a6ea9ca25dabab6321fbb9292668f5f6bee30935ceb0e54bc0fe0d0482aef1d25bacbbebb34c279d5ff1fe8a4be353055bc48e134fded

\Windows\system\JBEMKfc.exe

MD5 e3cffac21d15b849cabd0120eb819530
SHA1 5b7679400f3f09b507e2a494f3b3b5712639d4d2
SHA256 0b9d3489439706c9600a4bd18a8a7cdbd8e842f23f51789476268df62e7bd0ea
SHA512 d9f9bc3483faea2e43a15764fb7be460a3de725de56059dd0ab1c4b14ccf8b50a14e3334f9e80676a720c254fc48271ea75fd32c002a33cd048b09212858318a

C:\Windows\system\CxVBvOs.exe

MD5 ea9ce001866b93565d02f736fd053f36
SHA1 5a9b5b7d0ea842a17621a8d50d6d5590e367ea9e
SHA256 258a9d4eec0245204f5651e6527b9b8c68d1d499d7ccf977b254bb8cf4146e3b
SHA512 8e8ccbb7b19750278ebf1d8fac84be3573a5d93bd23d947ca7691eac175ceaecc5d7924595a6e78803eeb927790088fe9a72c46e99c9141bb69a3744a316991b

C:\Windows\system\psRIsAr.exe

MD5 fbbf662f2fc7c852a5e6d817b04f2243
SHA1 4d08b95da8fe047566579cd5c52d1a4a45e2d670
SHA256 e54e61e0dc727e7492bc5d48a1b113b1dc5e00801ec1b5f6e0cca0973c47d73b
SHA512 d303e721eb832cee322e4fab73367992245c46bd2e35e0a3a12b2e7aadc762cdb98cf4beb2acbe7cce4d46ea8b04d8356c202982e26c22814eee4b273cfa60bd

C:\Windows\system\NhoieqA.exe

MD5 8ab0fba82cf7af5b2202b8bf949455fc
SHA1 7e62238e601a1f79798baedf3fe87b209412f604
SHA256 4f6aa4d067cd49bb6a50e7173e84ffde64cb187240f6fd00a86764a7c09b0900
SHA512 cc8d3452553b174787e35f07268c591e220fa0787b5094d07f1d3439aa0a276141a1efaa63127727d566787c55fd593f01a23996927a61e800eaae21c60f39fc

C:\Windows\system\cvFLhhI.exe

MD5 3febff843e49dc7a581083760a53fcbf
SHA1 3f50daced093f1295c0ad24547810ee37009d348
SHA256 e147d016a686000b44f0529c6e44bc6566288bce5cccad90b6085dda1f0181db
SHA512 3ef167a7f9efb6c73f69dfa7a9b10f4333446d17252886a7ab847617b2f2d1a175ffb13af31e0d780fbe2d24f6c54c16efa541706f73062349198ba9f5a5ad95

memory/2160-52-0x000000013FC00000-0x000000013FF54000-memory.dmp

memory/2004-51-0x0000000002350000-0x00000000026A4000-memory.dmp

memory/2540-44-0x000000013FA90000-0x000000013FDE4000-memory.dmp

memory/2696-114-0x000000013FE00000-0x0000000140154000-memory.dmp

memory/2004-113-0x000000013FE00000-0x0000000140154000-memory.dmp

memory/2004-115-0x000000013FF40000-0x0000000140294000-memory.dmp

memory/2580-116-0x000000013FF40000-0x0000000140294000-memory.dmp

memory/2716-120-0x000000013F2E0000-0x000000013F634000-memory.dmp

memory/2004-119-0x000000013F2E0000-0x000000013F634000-memory.dmp

memory/2656-121-0x000000013F880000-0x000000013FBD4000-memory.dmp

memory/2764-118-0x000000013F990000-0x000000013FCE4000-memory.dmp

memory/2004-125-0x000000013FF10000-0x0000000140264000-memory.dmp

memory/2004-127-0x000000013F1D0000-0x000000013F524000-memory.dmp

memory/2896-131-0x000000013F460000-0x000000013F7B4000-memory.dmp

memory/2004-130-0x000000013F460000-0x000000013F7B4000-memory.dmp

memory/2004-129-0x000000013F090000-0x000000013F3E4000-memory.dmp

memory/2828-128-0x000000013F1D0000-0x000000013F524000-memory.dmp

memory/3068-126-0x000000013FF10000-0x0000000140264000-memory.dmp

memory/2752-124-0x000000013FD30000-0x0000000140084000-memory.dmp

memory/2004-123-0x000000013FD30000-0x0000000140084000-memory.dmp

memory/560-122-0x000000013FC00000-0x000000013FF54000-memory.dmp

memory/2004-117-0x0000000002350000-0x00000000026A4000-memory.dmp

memory/2004-132-0x000000013F8C0000-0x000000013FC14000-memory.dmp

memory/2532-133-0x000000013F160000-0x000000013F4B4000-memory.dmp

memory/2160-134-0x000000013FC00000-0x000000013FF54000-memory.dmp

memory/2540-135-0x000000013FA90000-0x000000013FDE4000-memory.dmp

memory/2656-139-0x000000013F880000-0x000000013FBD4000-memory.dmp

memory/2724-140-0x000000013F620000-0x000000013F974000-memory.dmp

memory/2580-141-0x000000013FF40000-0x0000000140294000-memory.dmp

memory/2716-138-0x000000013F2E0000-0x000000013F634000-memory.dmp

memory/2764-137-0x000000013F990000-0x000000013FCE4000-memory.dmp

memory/2696-136-0x000000013FE00000-0x0000000140154000-memory.dmp

memory/2752-142-0x000000013FD30000-0x0000000140084000-memory.dmp

memory/2828-143-0x000000013F1D0000-0x000000013F524000-memory.dmp

memory/3068-144-0x000000013FF10000-0x0000000140264000-memory.dmp

memory/2896-145-0x000000013F460000-0x000000013F7B4000-memory.dmp

memory/560-146-0x000000013FC00000-0x000000013FF54000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-01 00:39

Reported

2024-06-01 00:42

Platform

win10v2004-20240426-en

Max time kernel

147s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-01_4930557623effb1a35293b5670f499e1_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\rBUGRlv.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_4930557623effb1a35293b5670f499e1_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\CjpBeuZ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_4930557623effb1a35293b5670f499e1_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\MHonMeB.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_4930557623effb1a35293b5670f499e1_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\BNNYCwO.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_4930557623effb1a35293b5670f499e1_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\RdLhJWE.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_4930557623effb1a35293b5670f499e1_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\VNphNkF.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_4930557623effb1a35293b5670f499e1_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\zucupGb.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_4930557623effb1a35293b5670f499e1_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\pRYaCxA.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_4930557623effb1a35293b5670f499e1_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\tlJeqON.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_4930557623effb1a35293b5670f499e1_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\KtUwFKJ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_4930557623effb1a35293b5670f499e1_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\WWccVqK.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_4930557623effb1a35293b5670f499e1_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\pGTZFiy.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_4930557623effb1a35293b5670f499e1_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\QpPsBRD.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_4930557623effb1a35293b5670f499e1_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\WVBsHjm.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_4930557623effb1a35293b5670f499e1_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\wWXcqll.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_4930557623effb1a35293b5670f499e1_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\pSNyYiZ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_4930557623effb1a35293b5670f499e1_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\NAjGcZS.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_4930557623effb1a35293b5670f499e1_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\NegWAvQ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_4930557623effb1a35293b5670f499e1_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\pxyZkLj.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_4930557623effb1a35293b5670f499e1_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\mGJrQKq.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_4930557623effb1a35293b5670f499e1_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\BdGzqdc.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_4930557623effb1a35293b5670f499e1_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_4930557623effb1a35293b5670f499e1_cobalt-strike_cobaltstrike.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_4930557623effb1a35293b5670f499e1_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2200 wrote to memory of 3924 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_4930557623effb1a35293b5670f499e1_cobalt-strike_cobaltstrike.exe C:\Windows\System\VNphNkF.exe
PID 2200 wrote to memory of 3924 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_4930557623effb1a35293b5670f499e1_cobalt-strike_cobaltstrike.exe C:\Windows\System\VNphNkF.exe
PID 2200 wrote to memory of 3744 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_4930557623effb1a35293b5670f499e1_cobalt-strike_cobaltstrike.exe C:\Windows\System\zucupGb.exe
PID 2200 wrote to memory of 3744 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_4930557623effb1a35293b5670f499e1_cobalt-strike_cobaltstrike.exe C:\Windows\System\zucupGb.exe
PID 2200 wrote to memory of 3664 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_4930557623effb1a35293b5670f499e1_cobalt-strike_cobaltstrike.exe C:\Windows\System\QpPsBRD.exe
PID 2200 wrote to memory of 3664 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_4930557623effb1a35293b5670f499e1_cobalt-strike_cobaltstrike.exe C:\Windows\System\QpPsBRD.exe
PID 2200 wrote to memory of 1484 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_4930557623effb1a35293b5670f499e1_cobalt-strike_cobaltstrike.exe C:\Windows\System\pRYaCxA.exe
PID 2200 wrote to memory of 1484 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_4930557623effb1a35293b5670f499e1_cobalt-strike_cobaltstrike.exe C:\Windows\System\pRYaCxA.exe
PID 2200 wrote to memory of 2304 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_4930557623effb1a35293b5670f499e1_cobalt-strike_cobaltstrike.exe C:\Windows\System\NegWAvQ.exe
PID 2200 wrote to memory of 2304 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_4930557623effb1a35293b5670f499e1_cobalt-strike_cobaltstrike.exe C:\Windows\System\NegWAvQ.exe
PID 2200 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_4930557623effb1a35293b5670f499e1_cobalt-strike_cobaltstrike.exe C:\Windows\System\tlJeqON.exe
PID 2200 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_4930557623effb1a35293b5670f499e1_cobalt-strike_cobaltstrike.exe C:\Windows\System\tlJeqON.exe
PID 2200 wrote to memory of 3624 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_4930557623effb1a35293b5670f499e1_cobalt-strike_cobaltstrike.exe C:\Windows\System\pxyZkLj.exe
PID 2200 wrote to memory of 3624 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_4930557623effb1a35293b5670f499e1_cobalt-strike_cobaltstrike.exe C:\Windows\System\pxyZkLj.exe
PID 2200 wrote to memory of 4796 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_4930557623effb1a35293b5670f499e1_cobalt-strike_cobaltstrike.exe C:\Windows\System\WVBsHjm.exe
PID 2200 wrote to memory of 4796 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_4930557623effb1a35293b5670f499e1_cobalt-strike_cobaltstrike.exe C:\Windows\System\WVBsHjm.exe
PID 2200 wrote to memory of 1656 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_4930557623effb1a35293b5670f499e1_cobalt-strike_cobaltstrike.exe C:\Windows\System\MHonMeB.exe
PID 2200 wrote to memory of 1656 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_4930557623effb1a35293b5670f499e1_cobalt-strike_cobaltstrike.exe C:\Windows\System\MHonMeB.exe
PID 2200 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_4930557623effb1a35293b5670f499e1_cobalt-strike_cobaltstrike.exe C:\Windows\System\wWXcqll.exe
PID 2200 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_4930557623effb1a35293b5670f499e1_cobalt-strike_cobaltstrike.exe C:\Windows\System\wWXcqll.exe
PID 2200 wrote to memory of 1956 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_4930557623effb1a35293b5670f499e1_cobalt-strike_cobaltstrike.exe C:\Windows\System\rBUGRlv.exe
PID 2200 wrote to memory of 1956 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_4930557623effb1a35293b5670f499e1_cobalt-strike_cobaltstrike.exe C:\Windows\System\rBUGRlv.exe
PID 2200 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_4930557623effb1a35293b5670f499e1_cobalt-strike_cobaltstrike.exe C:\Windows\System\pSNyYiZ.exe
PID 2200 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_4930557623effb1a35293b5670f499e1_cobalt-strike_cobaltstrike.exe C:\Windows\System\pSNyYiZ.exe
PID 2200 wrote to memory of 4072 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_4930557623effb1a35293b5670f499e1_cobalt-strike_cobaltstrike.exe C:\Windows\System\KtUwFKJ.exe
PID 2200 wrote to memory of 4072 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_4930557623effb1a35293b5670f499e1_cobalt-strike_cobaltstrike.exe C:\Windows\System\KtUwFKJ.exe
PID 2200 wrote to memory of 5096 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_4930557623effb1a35293b5670f499e1_cobalt-strike_cobaltstrike.exe C:\Windows\System\mGJrQKq.exe
PID 2200 wrote to memory of 5096 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_4930557623effb1a35293b5670f499e1_cobalt-strike_cobaltstrike.exe C:\Windows\System\mGJrQKq.exe
PID 2200 wrote to memory of 1496 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_4930557623effb1a35293b5670f499e1_cobalt-strike_cobaltstrike.exe C:\Windows\System\BdGzqdc.exe
PID 2200 wrote to memory of 1496 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_4930557623effb1a35293b5670f499e1_cobalt-strike_cobaltstrike.exe C:\Windows\System\BdGzqdc.exe
PID 2200 wrote to memory of 5072 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_4930557623effb1a35293b5670f499e1_cobalt-strike_cobaltstrike.exe C:\Windows\System\BNNYCwO.exe
PID 2200 wrote to memory of 5072 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_4930557623effb1a35293b5670f499e1_cobalt-strike_cobaltstrike.exe C:\Windows\System\BNNYCwO.exe
PID 2200 wrote to memory of 5092 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_4930557623effb1a35293b5670f499e1_cobalt-strike_cobaltstrike.exe C:\Windows\System\CjpBeuZ.exe
PID 2200 wrote to memory of 5092 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_4930557623effb1a35293b5670f499e1_cobalt-strike_cobaltstrike.exe C:\Windows\System\CjpBeuZ.exe
PID 2200 wrote to memory of 3340 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_4930557623effb1a35293b5670f499e1_cobalt-strike_cobaltstrike.exe C:\Windows\System\NAjGcZS.exe
PID 2200 wrote to memory of 3340 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_4930557623effb1a35293b5670f499e1_cobalt-strike_cobaltstrike.exe C:\Windows\System\NAjGcZS.exe
PID 2200 wrote to memory of 3540 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_4930557623effb1a35293b5670f499e1_cobalt-strike_cobaltstrike.exe C:\Windows\System\WWccVqK.exe
PID 2200 wrote to memory of 3540 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_4930557623effb1a35293b5670f499e1_cobalt-strike_cobaltstrike.exe C:\Windows\System\WWccVqK.exe
PID 2200 wrote to memory of 5052 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_4930557623effb1a35293b5670f499e1_cobalt-strike_cobaltstrike.exe C:\Windows\System\RdLhJWE.exe
PID 2200 wrote to memory of 5052 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_4930557623effb1a35293b5670f499e1_cobalt-strike_cobaltstrike.exe C:\Windows\System\RdLhJWE.exe
PID 2200 wrote to memory of 4240 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_4930557623effb1a35293b5670f499e1_cobalt-strike_cobaltstrike.exe C:\Windows\System\pGTZFiy.exe
PID 2200 wrote to memory of 4240 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_4930557623effb1a35293b5670f499e1_cobalt-strike_cobaltstrike.exe C:\Windows\System\pGTZFiy.exe
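The three tables above describe one behaviour from three angles: the sample creates 21 executables with random seven-letter names under C:\Windows\System, and the same parent (PID 2200) then writes into the memory of every one of them as it starts them. The two SeLockMemoryPrivilege rows belong to the same picture: that privilege is what a process needs to allocate large pages, and XMRig requests it to back its mining memory with them. The script below is an added example, not part of this report or of the sandbox that produced it; it joins the drop rows to the WriteProcessMemory rows on the image path of the written-to process and decides whether the pattern is a dropper that stages and starts copies of itself. It assumes the row layout used in the tables above, with no spaces inside paths (true for the C:\Users\Admin\... paths here); the embedded rows are five of the drops and their matching writes copied from the report.

```python
"""Correlate the 'Drops file in Windows directory' rows with the 'Suspicious use
of WriteProcessMemory' rows of a sandbox report.  Added example, not part of the
report; the row layout is the one the tables above use, and the sample rows are
a subset copied from them (the remaining drops in the report behave the same way)."""
import re
from collections import Counter

# Row layouts as printed in the report: "File created <path> <process> <target>" and
# "PID <src> wrote to memory of <dst> <indicator> <process> <target>".  Assumes no
# spaces inside paths, which holds for the C:\Users\Admin\... paths in this report.
FILE_RE = re.compile(r"^File created (?P<path>\S+) (?P<proc>\S+) (?P<target>\S+)$")
WPM_RE = re.compile(r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) "
                    r"(?P<indicator>\S+) (?P<proc>\S+) (?P<target>\S+)$")
# Seven letters of mixed case directly under C:\Windows\System: the naming scheme
# of every file this sample drops.
RANDOM_NAME_RE = re.compile(r"^C:\\Windows\\System\\[A-Za-z]{7}\.exe$")

DROPPER = (r"C:\Users\Admin\AppData\Local\Temp"
           r"\2024-06-01_4930557623effb1a35293b5670f499e1_cobalt-strike_cobaltstrike.exe")
DROPS = ["rBUGRlv", "CjpBeuZ", "MHonMeB", "BNNYCwO", "VNphNkF"]
WRITES = [("2200", "1956", "rBUGRlv"), ("2200", "5092", "CjpBeuZ"),
          ("2200", "1656", "MHonMeB"), ("2200", "5072", "BNNYCwO"),
          ("2200", "3924", "VNphNkF")]
# Constructed from the report: five of the drop rows and their matching write rows.
# The report logs two writes per child, so each write row is repeated twice.
SAMPLE_ROWS = "\n".join(
    [f"File created C:\\Windows\\System\\{n}.exe {DROPPER} N/A" for n in DROPS]
    + [f"PID {s} wrote to memory of {d} N/A {DROPPER} C:\\Windows\\System\\{n}.exe"
       for s, d, n in WRITES for _ in range(2)])


def parse_rows(text):
    """Split report rows into drop events and write events; reject anything else."""
    drops, writes = [], []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if (m := FILE_RE.match(line)):
            drops.append(m.groupdict())
        elif (m := WPM_RE.match(line)):
            writes.append(m.groupdict())
        else:
            raise ValueError(f"unrecognised row: {line!r}")
    return drops, writes


def correlate(text):
    """Join drops and writes on the image path of the written-to process."""
    drops, writes = parse_rows(text)
    dropped = {d["path"] for d in drops}
    droppers = {d["proc"] for d in drops}
    children, writes_per_child = {}, Counter()   # child pid -> (parent pid, image)
    for w in writes:
        children[w["dst"]] = (w["src"], w["target"])
        writes_per_child[w["dst"]] += 1
    written_into = {image for _, image in children.values()}
    return {
        "droppers": sorted(droppers),
        "dropped": len(dropped),
        "random_named": sum(1 for p in dropped if RANDOM_NAME_RE.match(p)),
        "dropped_then_written": sorted(dropped & written_into),
        "written_not_dropped": sorted(written_into - dropped),
        "parent_pids": sorted({src for src, _ in children.values()}),
        "writes_per_child": dict(writes_per_child),
    }


def is_staged_dropper(summary, min_copies=3):
    """One dropper, several random-named copies under C:\\Windows\\System, and every
    copy started and written into by that same dropper."""
    return (len(summary["droppers"]) == 1
            and len(summary["parent_pids"]) == 1
            and summary["random_named"] >= min_copies
            and len(summary["dropped_then_written"]) == summary["dropped"]
            and not summary["written_not_dropped"])
```

Run over the full 21-drop table the same join holds for every row: one dropper, one parent PID, each dropped path appears exactly once as a write target, two writes per child. The "written_not_dropped" set is the field to watch on other samples: a write target that was never dropped by the parent is injection into a pre-existing process rather than staging of the sample's own copies.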

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-01_4930557623effb1a35293b5670f499e1_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-01_4930557623effb1a35293b5670f499e1_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\VNphNkF.exe

C:\Windows\System\VNphNkF.exe

C:\Windows\System\zucupGb.exe

C:\Windows\System\zucupGb.exe

C:\Windows\System\QpPsBRD.exe

C:\Windows\System\QpPsBRD.exe

C:\Windows\System\pRYaCxA.exe

C:\Windows\System\pRYaCxA.exe

C:\Windows\System\NegWAvQ.exe

C:\Windows\System\NegWAvQ.exe

C:\Windows\System\tlJeqON.exe

C:\Windows\System\tlJeqON.exe

C:\Windows\System\pxyZkLj.exe

C:\Windows\System\pxyZkLj.exe

C:\Windows\System\WVBsHjm.exe

C:\Windows\System\WVBsHjm.exe

C:\Windows\System\MHonMeB.exe

C:\Windows\System\MHonMeB.exe

C:\Windows\System\wWXcqll.exe

C:\Windows\System\wWXcqll.exe

C:\Windows\System\rBUGRlv.exe

C:\Windows\System\rBUGRlv.exe

C:\Windows\System\pSNyYiZ.exe

C:\Windows\System\pSNyYiZ.exe

C:\Windows\System\KtUwFKJ.exe

C:\Windows\System\KtUwFKJ.exe

C:\Windows\System\mGJrQKq.exe

C:\Windows\System\mGJrQKq.exe

C:\Windows\System\BdGzqdc.exe

C:\Windows\System\BdGzqdc.exe

C:\Windows\System\BNNYCwO.exe

C:\Windows\System\BNNYCwO.exe

C:\Windows\System\CjpBeuZ.exe

C:\Windows\System\CjpBeuZ.exe

C:\Windows\System\NAjGcZS.exe

C:\Windows\System\NAjGcZS.exe

C:\Windows\System\WWccVqK.exe

C:\Windows\System\WWccVqK.exe

C:\Windows\System\RdLhJWE.exe

C:\Windows\System\RdLhJWE.exe

C:\Windows\System\pGTZFiy.exe

C:\Windows\System\pGTZFiy.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 105.83.221.88.in-addr.arpa udp
DE 3.120.209.58:8080 N/A tcp
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
DE 3.120.209.58:8080 N/A tcp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
DE 3.120.209.58:8080 N/A tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
DE 3.120.209.58:8080 N/A tcp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 145.83.221.88.in-addr.arpa udp
DE 3.120.209.58:8080 N/A tcp
DE 3.120.209.58:8080 N/A tcp
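Every UDP row in this table is a reverse-DNS (PTR) query to 8.8.8.8 for some address (a name of the form d.c.b.a.in-addr.arpa asks about a.b.c.d), and the only non-DNS traffic is six TCP connections to 3.120.209.58:8080 with no domain attached and no lookup, forward or reverse, for that address anywhere in the table. The script below is an added example, not part of this report or of the sandbox; it parses rows in the Country Destination Domain Proto layout above (accepting both an empty Domain cell and N/A), decodes the PTR names back into addresses, and separates name resolution from direct-to-IP connections. The embedded rows are the table above.

```python
"""Split a sandbox Network table into name resolution and direct connections.
Added example, not part of the report; the rows below are the table above."""
import re
from collections import Counter

# "<CC> <ip>:<port> [<domain>] <proto>"; the Domain cell may be empty or N/A.
NET_RE = re.compile(r"^(?P<cc>[A-Z]{2}) (?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)"
                    r"(?: (?P<domain>\S+))? (?P<proto>tcp|udp)$")

SAMPLE_NET = """\
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 105.83.221.88.in-addr.arpa udp
DE 3.120.209.58:8080 N/A tcp
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
DE 3.120.209.58:8080 N/A tcp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
DE 3.120.209.58:8080 N/A tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
DE 3.120.209.58:8080 N/A tcp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 145.83.221.88.in-addr.arpa udp
DE 3.120.209.58:8080 N/A tcp
DE 3.120.209.58:8080 N/A tcp
"""


def ptr_to_ip(name):
    """Decode a reverse-DNS (PTR) query name back into the dotted quad it asks about."""
    suffix = ".in-addr.arpa"
    if not name.endswith(suffix):
        return None
    octets = name[:-len(suffix)].split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) < 256 for o in octets):
        return None
    return ".".join(reversed(octets))


def parse_network(text):
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("Country"):   # skip blanks and the header
            continue
        m = NET_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised network row: {line!r}")
        row = m.groupdict()
        if row["domain"] == "N/A":                    # empty Domain cell
            row["domain"] = None
        rows.append(row)
    return rows


def summarize_network(text):
    ptr_lookups, forward_lookups, direct = set(), set(), Counter()
    for r in parse_network(text):
        if r["domain"] is None:
            direct[f"{r['ip']}:{r['port']}/{r['proto']}"] += 1
            continue
        ip = ptr_to_ip(r["domain"])
        if ip:
            ptr_lookups.add(ip)
        else:
            forward_lookups.add(r["domain"])
    direct_ips = {key.split(":")[0] for key in direct}
    return {
        "ptr_lookups": sorted(ptr_lookups),          # addresses the host asked names for
        "forward_lookups": sorted(forward_lookups),  # ordinary A/AAAA-style names
        "direct_connections": dict(direct),          # dst:port/proto -> count
        "direct_ips_without_ptr": sorted(direct_ips - ptr_lookups),
    }
```

On this table forward_lookups comes back empty and 3.120.209.58 is in direct_ips_without_ptr, so the sample reached that host by literal address. The PTR set is a separate signal: those twelve decoded addresses are what the machine was trying to name, not what it connected to, and none of them is the TCP destination.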

Files

memory/2200-0-0x00007FF6C01D0000-0x00007FF6C0524000-memory.dmp

memory/2200-1-0x000001CFA1D30000-0x000001CFA1D40000-memory.dmp

C:\Windows\System\VNphNkF.exe

MD5 15b84986c0bdc2ad032bc750e92130b8
SHA1 f10eee3a36245bb21222bb4be0fdd312d5df19d9
SHA256 d682566929882d7ce28c955307400175df9a064a5a3f3ef83b51f92ef03af359
SHA512 54bcb1a388074149d4c69b20292dc6a0ce75c2501810890e3ad2def41c8d6a1fad915dc38e2f594bb390e8e83f083f48bc0fd8d132435a7e5cf0ef26b2b78fcd

memory/3924-7-0x00007FF7064D0000-0x00007FF706824000-memory.dmp

C:\Windows\System\zucupGb.exe

MD5 75417884525d4f4bd9b890d3fa7e2dde
SHA1 7a09537ae56403ddb3bf6760cde2397430c5b228
SHA256 5d0d1da7526c14bf8540bff8ff5b27d45549df550280048f776a215c8bb60f4a
SHA512 d3264ac1b02e98266c8ae5449888e94ea9192465f14a50bf537ace93a3e3d88c13460740d28177dacb94cd9a4962ea211fae7ce32d8562728179621f40853fd0

C:\Windows\System\QpPsBRD.exe

MD5 dff190dcef9e3ca28e3d0b7acfc45011
SHA1 22580bd031bda9fc22b1852c9a079633bce55b6d
SHA256 c04b23b80104e5e40d673dfc9a32f2e7693e431afd957076e73912a3954e65c9
SHA512 8040f0cea8e2a3789ba0b4ce494cf61b4f903d82535c94024107e1d4288041a10470aec715f837e55bc6f9e9d9d77ab013c9814a802e26bef69fe45bdd1cf612

memory/3744-16-0x00007FF743BA0000-0x00007FF743EF4000-memory.dmp

C:\Windows\System\pRYaCxA.exe

MD5 db8cef28ce644e5c6fd155b65d10957d
SHA1 e6c60fa0185f2fc72ff9f027f136a426687f4cb0
SHA256 9650c6811fa5f9740033db216ed17ae5360d14072e4a84f05c32c9a5a995b232
SHA512 1e21fef7a2692391c9dedaecf062d65b71e5dc7323ca35444b0c737321eba403fba1d5393fd148d00eab4ab0cf46a7596c0908e902c3a8e34e6f1beae6fefc2f

memory/3664-24-0x00007FF680340000-0x00007FF680694000-memory.dmp

C:\Windows\System\tlJeqON.exe

MD5 2eee7a3a8b7f6c11991e68caa98e2636
SHA1 c6862c6c6e3705db40851fa92da8315d9ff9fe14
SHA256 cd069b17d8399912a292a60f863a5afc32d5025c4f2a6d26a2d1e1e71f3818f9
SHA512 e39707bcd6cb1102f42e9d53ffcc58bb8b75fd8dd77227a3f222afac493f3dc625f375ea34dc1f3b0f05c0d5380191f709bc59b6e8e53dfbe42a90de8b0bf079

C:\Windows\System\pxyZkLj.exe

MD5 efe3867ae8bf47a5638042e890dadd78
SHA1 97bd856f0152f214ff47ae513c5d88dc891aa922
SHA256 9cb251c29791cf03f8b9ae64731287181a8925cf664c2acbe4cf5b564e95aa87
SHA512 3350f4bee28331d93abe990ce4683cb1348814035f6aa6254fed8b11fe92336b2e7462c434dcedd6fac661b2411eb2c39b4455684d145f7dfd189c80756287bc

memory/3624-43-0x00007FF7FFAE0000-0x00007FF7FFE34000-memory.dmp

memory/4796-45-0x00007FF6A59E0000-0x00007FF6A5D34000-memory.dmp

C:\Windows\System\WVBsHjm.exe

MD5 08ee50ad887f4bda3428f63d916c6585
SHA1 60ae51a09b0d625ed81847c2e0cb6461b61a7015
SHA256 827c98d2671dbd8f1ccd6b150be0e2510d7b4aafa332fa316527bd04a6c2f8d3
SHA512 aaab80a24a2b72281490188696ce0aa60075f2a6edab59d91d5fb26294f650d8a18524654f9b78c7d695697a9aacb9b68457c53ff8eb45a07467ceeb5ff3349a

C:\Windows\System\wWXcqll.exe

MD5 45a27921c0d78d331c25ab58846c64e5
SHA1 964c5ffecd98332e5af37cbcc36f18feba8c5234
SHA256 c0274536766f49c20bf447c78a2698cd48657fd5b1a5caf23d20dba68848ec4c
SHA512 934a8dae2e7f6f01a13ce0c4eb19e5df6170cc05b12953e07e1e843af2f8098dbc426edc36a1acd2138273e4d3ab587db414c4ef857fc0f62477a06be9753266

C:\Windows\System\rBUGRlv.exe

MD5 29d079a97150bc577336688c92d21d11
SHA1 02f7a5e4b041ef6ee333d8c7bd1cc5c33b2d8154
SHA256 89333e52b63469713f89273ef2cda0289f161c23a326ca69dde6d3e4bac00a7d
SHA512 69ece8e3c755bb248e93e9fdcb0487552dcfbfb907302a8909c782ef1029632ab81ee1b08d01b35df9ce07f2de09726c558cea8738096dbf668a145dd2de5f16

C:\Windows\System\mGJrQKq.exe

MD5 ee4840f86bfad812cf9d8853bacd40fa
SHA1 616f3bde61540da774b2128bae743ab21dcbead5
SHA256 b3ea258d92c33ab3b30b1e260cfb2ea98f7b80150406e645ba6898ddee377644
SHA512 871681cea55f9703db63fc8437c7434345f22e069432d2ff19d050e5fef5e852d1616e3767f9428ae97cdfb31887a3efef6e80edd9d8259b204d6e95df99c562

C:\Windows\System\CjpBeuZ.exe

MD5 9d25b8d8f2b50a500644e039b7845436
SHA1 6df496df6c0034abcb379e9a31de851382970634
SHA256 6e9426d3c6d507036997017dc33f74777800df7007a94086b5fcb13a0dd60c0b
SHA512 aa7bcbecdc5850cd89d2a4a97a8b68781eb89352d2c88633bff2d8560b40475b1e9b8cbf12839c3a38f5355f5f66893122dadde27e07df8761d33d99a22f253a

C:\Windows\System\pGTZFiy.exe

MD5 546dd070e4b4082b43850c64a99f2353
SHA1 2754cb44ae01cff430f13cca9fe6553007ab291e
SHA256 23eb989e3a25b2e7c347cb7f93b4634a87720241fd2e133fd73598b93c3a6a6b
SHA512 6155d95e22e328beff18e90cee8481600a0f620c28363dbc19cb85081033e9cc5752116bea7f28d42c7239a3eaf0520d20c82beb86d22293109b21d88f55bfdd

C:\Windows\System\WWccVqK.exe

MD5 87a5d324e273f41cfa12afed1e396f97
SHA1 00dc613ce4f6065b926fe54fc77534c1148919d8
SHA256 11f7950b124fc104d11bd696ea0e3b8b9418cff7838935a298dfdc6b3872b9a2
SHA512 4d791331ed0d46f2186f7898c79fc0c0da80ea22e3aaf2b28d0c8f3c07cb57eebc2edad1ef0e157c2b74b119cf8571187b5d1325528435489261c08ff5ed20a6

memory/5072-118-0x00007FF7BD820000-0x00007FF7BDB74000-memory.dmp

memory/3540-122-0x00007FF78D6F0000-0x00007FF78DA44000-memory.dmp

memory/4240-127-0x00007FF7788D0000-0x00007FF778C24000-memory.dmp

memory/4072-126-0x00007FF71A070000-0x00007FF71A3C4000-memory.dmp

memory/3924-125-0x00007FF7064D0000-0x00007FF706824000-memory.dmp

memory/2200-124-0x00007FF6C01D0000-0x00007FF6C0524000-memory.dmp

memory/5052-123-0x00007FF7B49D0000-0x00007FF7B4D24000-memory.dmp

memory/3340-121-0x00007FF733AD0000-0x00007FF733E24000-memory.dmp

memory/5092-120-0x00007FF613C70000-0x00007FF613FC4000-memory.dmp

C:\Windows\System\RdLhJWE.exe

MD5 5cf96fbefae11dfce518be67ee0b29fc
SHA1 fe1d4b637d1bc8246a8672c2a255a27a7c625360
SHA256 10020d80ec0d82a37398f1c2ea6025d5ba273340c4dd359ad9873df18d4aebf2
SHA512 bd6943e590cd822a93cb4f06226680a3039c0a82bb6e013faa2400f49045149eb74bd4b72bf61954c65d54d9f3755b084e15b3628a8cef863f0145b80af459f0

memory/1496-116-0x00007FF68D020000-0x00007FF68D374000-memory.dmp

memory/5096-113-0x00007FF60D260000-0x00007FF60D5B4000-memory.dmp

C:\Windows\System\NAjGcZS.exe

MD5 bc84cb434e076c3fc1f11c40c52fe6b5
SHA1 d6059ff23c5175cb9ab4494b1afd36f8716937b9
SHA256 827c9408a0a2b76aaaa51f1e90c9bac080cbeed4db8ff37f828e55ae193784ab
SHA512 bde828dfcfffc064a88aad96fac04b5cc37e7637deb2f5e1d6ec31bc04113d193addd576a9f63298bf12d480213f791111dd9482600c94fa665b1cd37de47aea

memory/2572-109-0x00007FF622840000-0x00007FF622B94000-memory.dmp

memory/1956-105-0x00007FF7C4E50000-0x00007FF7C51A4000-memory.dmp

C:\Windows\System\BNNYCwO.exe

MD5 eb040bd9a74ad4262408d039e2a75f58
SHA1 0d86c3ee7ff0299c88fa6d79d8f3a48fe4ce4e32
SHA256 2b4aca42795fc87d3db8b515680045735f967a613d669b31b16e4902719d9177
SHA512 801e61fa239c76e58dd83990229676acfdbb8903a127352ae79469ccdd6eaf98345e6ee862e486a4b5d3f4c7f49c41752b72e27928c17e0361a32683cf74d17c

C:\Windows\System\BdGzqdc.exe

MD5 55f42acef3ec86a7b1401e9d2e85a486
SHA1 9821df35114f63dbed70cb0232792929dfe6d29a
SHA256 e6abaed2b9ecf0195db256bec90b5303088712a9b5ed126cfd108e337ed9da0b
SHA512 3ab9842f3489db2fa7690304ea598c2cbae563c567f0b7d7b7d1552b8a64d0238bdab5ac2cafe5c685839a21eb0e64a340307cc0c1ddc0b5a25952dfe1145af7

C:\Windows\System\KtUwFKJ.exe

MD5 cb08dc976ba1ce87dd6ea7a7613f1fa0
SHA1 0f6622688e0e260b3c5b07b5ba62fec8c8a83696
SHA256 75d417e37dc2ab57092eed6b7f687ca07c4d8642a152706af9942f0a04f65d37
SHA512 b1b38bbb3d7ee9bc55e43f05d9260805a9958b93e5e4b0a15402872c49058be16b4faf57198cdb1733cf303be78db91da76ab5184367853a79802b3758f16cfc

C:\Windows\System\pSNyYiZ.exe

MD5 35ec7dc9ce508279474aed39de735ea0
SHA1 60c4ab4d938e75b82f03357d5c9029eec356b1a2
SHA256 944d662b23d6f51e66b02389813273258cadabaf05e3fcabb52778274e025fcc
SHA512 1cb8cbcf94a2dea5a71ac644ffd967a6cc38489360072538b14e9bacbafcb48e035a6b5783e69cb3d611e05319c9f177b93a361954d06c4b0e7f88f843815ea5

memory/2708-68-0x00007FF6616B0000-0x00007FF661A04000-memory.dmp

memory/1656-63-0x00007FF602010000-0x00007FF602364000-memory.dmp

C:\Windows\System\MHonMeB.exe

MD5 2c65f78b21c2a65e14130e65d2bfed15
SHA1 b46d94d4795117f5a022377bee162fbbfa53287d
SHA256 cad02de7b6aa66fb032d1287926896674243544476a9d57ef76cae4826452919
SHA512 0fdd5bc2bd69ac36ada433c3c0a0bb06f641151457f73ac0b8daa9e72ebd64fe38fdc3eeb9708483344f701ae3a29ef33ab23946fafcf9808bbf6fc5c865719d

memory/2652-38-0x00007FF680380000-0x00007FF6806D4000-memory.dmp

C:\Windows\System\NegWAvQ.exe

MD5 c1e5f626f430bf72f68df1e3f93109ae
SHA1 cb9243b42dffc44f4d71faaf7ff3e1cde055e8a2
SHA256 af8a5a4be28b9ae3fd3664e53c44a54712546b70f0d3c6c66e16735e68e8c86e
SHA512 f6c02e56deb11352174a7f0b27c65a7b5b49e504f35bcade8f4d014564b5b91b77b54978476b4a78f5279712b1b9873df10875a24772753172cda61ea36bb935

memory/2304-30-0x00007FF6CAF90000-0x00007FF6CB2E4000-memory.dmp

memory/1484-28-0x00007FF7F88E0000-0x00007FF7F8C34000-memory.dmp

memory/3744-130-0x00007FF743BA0000-0x00007FF743EF4000-memory.dmp

memory/3664-131-0x00007FF680340000-0x00007FF680694000-memory.dmp

memory/1484-132-0x00007FF7F88E0000-0x00007FF7F8C34000-memory.dmp

memory/2304-133-0x00007FF6CAF90000-0x00007FF6CB2E4000-memory.dmp

memory/2652-134-0x00007FF680380000-0x00007FF6806D4000-memory.dmp

memory/3624-135-0x00007FF7FFAE0000-0x00007FF7FFE34000-memory.dmp

memory/4796-136-0x00007FF6A59E0000-0x00007FF6A5D34000-memory.dmp

memory/1656-137-0x00007FF602010000-0x00007FF602364000-memory.dmp

memory/2708-138-0x00007FF6616B0000-0x00007FF661A04000-memory.dmp

memory/1956-139-0x00007FF7C4E50000-0x00007FF7C51A4000-memory.dmp

memory/5052-140-0x00007FF7B49D0000-0x00007FF7B4D24000-memory.dmp

memory/4240-141-0x00007FF7788D0000-0x00007FF778C24000-memory.dmp

memory/3924-142-0x00007FF7064D0000-0x00007FF706824000-memory.dmp

memory/3744-143-0x00007FF743BA0000-0x00007FF743EF4000-memory.dmp

memory/3664-144-0x00007FF680340000-0x00007FF680694000-memory.dmp

memory/1484-145-0x00007FF7F88E0000-0x00007FF7F8C34000-memory.dmp

memory/2304-146-0x00007FF6CAF90000-0x00007FF6CB2E4000-memory.dmp

memory/2652-147-0x00007FF680380000-0x00007FF6806D4000-memory.dmp

memory/3624-148-0x00007FF7FFAE0000-0x00007FF7FFE34000-memory.dmp

memory/1656-150-0x00007FF602010000-0x00007FF602364000-memory.dmp

memory/4796-149-0x00007FF6A59E0000-0x00007FF6A5D34000-memory.dmp

memory/2708-151-0x00007FF6616B0000-0x00007FF661A04000-memory.dmp

memory/1956-152-0x00007FF7C4E50000-0x00007FF7C51A4000-memory.dmp

memory/2572-154-0x00007FF622840000-0x00007FF622B94000-memory.dmp

memory/5096-155-0x00007FF60D260000-0x00007FF60D5B4000-memory.dmp

memory/4072-153-0x00007FF71A070000-0x00007FF71A3C4000-memory.dmp

memory/1496-156-0x00007FF68D020000-0x00007FF68D374000-memory.dmp

memory/5072-157-0x00007FF7BD820000-0x00007FF7BDB74000-memory.dmp

memory/5092-158-0x00007FF613C70000-0x00007FF613FC4000-memory.dmp

memory/3540-160-0x00007FF78D6F0000-0x00007FF78DA44000-memory.dmp

memory/3340-159-0x00007FF733AD0000-0x00007FF733E24000-memory.dmp

memory/5052-162-0x00007FF7B49D0000-0x00007FF7B4D24000-memory.dmp

memory/4240-161-0x00007FF7788D0000-0x00007FF778C24000-memory.dmp
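The memory/<pid>-<seq>-<start>-<end>-memory.dmp names in both behavioral runs' Files lists encode the process, the dump sequence number and the dumped address range, and a few things fall out once they are parsed: every region dumped from a child process is exactly 0x354000 bytes, the same size as the submitted sample's own image at seq 0 (in behavioral1 the same 0x354000 size appears at the 0x13F... addresses of the Windows 7 run), each region is dumped more than once at increasing sequence numbers, and only PID 2200 has a second, 0x10000-byte region. Identical mapped image sizes across drops whose on-disk hashes all differ is what you would expect if each drop is the same program varied on disk, which also fits the "UPX dump on OEP" signature above. The script below is an added example, not part of this report or of the sandbox; it parses the names and groups regions by size and snapshot count. Its embedded names are twelve of the behavioral2 entries above.

```python
"""Turn sandbox memory dump names (memory/<pid>-<seq>-<start>-<end>-memory.dmp)
into per-process region sizes and snapshot counts.  Added example, not part of
the report; the sample names below are copied from the behavioral2 'Files' list."""
import re
from collections import Counter

DUMP_RE = re.compile(r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-"
                     r"0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$")

# Constructed sample: twelve of the names from the behavioral2 'Files' list above.
SAMPLE_DUMPS = """\
memory/2200-0-0x00007FF6C01D0000-0x00007FF6C0524000-memory.dmp
memory/2200-1-0x000001CFA1D30000-0x000001CFA1D40000-memory.dmp
memory/3924-7-0x00007FF7064D0000-0x00007FF706824000-memory.dmp
memory/3744-16-0x00007FF743BA0000-0x00007FF743EF4000-memory.dmp
memory/3664-24-0x00007FF680340000-0x00007FF680694000-memory.dmp
memory/2200-124-0x00007FF6C01D0000-0x00007FF6C0524000-memory.dmp
memory/3924-125-0x00007FF7064D0000-0x00007FF706824000-memory.dmp
memory/3744-130-0x00007FF743BA0000-0x00007FF743EF4000-memory.dmp
memory/3664-131-0x00007FF680340000-0x00007FF680694000-memory.dmp
memory/3924-142-0x00007FF7064D0000-0x00007FF706824000-memory.dmp
memory/3744-143-0x00007FF743BA0000-0x00007FF743EF4000-memory.dmp
memory/3664-144-0x00007FF680340000-0x00007FF680694000-memory.dmp
""".split()


def parse_dump_name(name):
    m = DUMP_RE.match(name.strip())
    if not m:
        raise ValueError(f"not a sandbox memory dump name: {name!r}")
    start, end = int(m["start"], 16), int(m["end"], 16)
    if end <= start or start % 0x1000 or end % 0x1000:
        raise ValueError(f"region in {name!r} is not a forward, page-aligned range")
    return {"pid": int(m["pid"]), "seq": int(m["seq"]),
            "start": start, "end": end, "size": end - start}


def summarize(names):
    dumps = sorted((parse_dump_name(n) for n in names), key=lambda d: d["seq"])
    # A region is identified by (pid, start, end); the sandbox dumps the same
    # region again at later sequence numbers, so count the snapshots per region.
    snapshots = Counter((d["pid"], d["start"], d["end"]) for d in dumps)
    parent = dumps[0]   # seq 0 is the first dump taken: the submitted sample's own image
    region_size = {key: key[2] - key[1] for key in snapshots}
    same_as_parent = sorted({pid for (pid, _, _), size in region_size.items()
                             if size == parent["size"] and pid != parent["pid"]})
    return {
        "parent_pid": parent["pid"],
        "parent_image_size": parent["size"],
        "region_size_histogram": dict(Counter(region_size.values())),
        "snapshots_per_region": {f"{pid}:{s:#x}-{e:#x}": n
                                 for (pid, s, e), n in snapshots.items()},
        "children_with_parent_sized_image": same_as_parent,
    }
```

Feeding the whole behavioral2 list in gives 21 children with a parent-sized image and the same histogram shape; the behavioral1 list gives the same 0x354000 size at 32-bit-range addresses. A child whose region size differed from the parent's would be the first thing to pull and diff against the dropped file.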