Malware Analysis Report

2025-01-22 19:40

Sample ID: 240601-bxtswadf99
Target: 2024-06-01_e2a069d4340db3c946cf3fc8884384cf_cobalt-strike_cobaltstrike
SHA256: 7237d3b90945d7caa6c5190e46590149b6a981378d6993162b28cbcd25015c6f
Tags: miner upx 0 xmrig cobaltstrike backdoor trojan
Score: 10/10


Analysis Overview

Score: 10/10

SHA256: 7237d3b90945d7caa6c5190e46590149b6a981378d6993162b28cbcd25015c6f

Threat Level: Known bad

The file 2024-06-01_e2a069d4340db3c946cf3fc8884384cf_cobalt-strike_cobaltstrike was found to be: Known bad.

Malicious Activity Summary

Tags: miner upx 0 xmrig cobaltstrike backdoor trojan

Cobaltstrike family
Cobaltstrike
Cobalt Strike reflective loader
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
UPX packed file
Xmrig family
xmrig
XMRig Miner payload
Loads dropped DLL
Executes dropped EXE
Drops file in Windows directory
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported: 2024-06-01 01:31

Signatures

Cobalt Strike reflective loader
Cobaltstrike family (cobaltstrike)
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload (miner)
Xmrig family (xmrig)
UPX packed file (upx)
Unsigned PE

No per-signature details (description, indicator, process, target) are recorded for the static analysis.

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-01 01:31
Reported: 2024-06-01 01:34
Platform: win7-20240215-en
Max time kernel: 139s
Max time network: 150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-01_e2a069d4340db3c946cf3fc8884384cf_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader (21 hits; no description, indicator, process or target recorded)

Cobaltstrike (trojan backdoor cobaltstrike)

xmrig (miner xmrig)

Detects Reflective DLL injection artifacts (21 hits; no description, indicator, process or target recorded)
UPX dump on OEP (original entry point) (57 hits; no description, indicator, process or target recorded)

XMRig Miner payload (miner) (62 hits; no description, indicator, process or target recorded)

Loads dropped DLL

Process: C:\Users\Admin\AppData\Local\Temp\2024-06-01_e2a069d4340db3c946cf3fc8884384cf_cobalt-strike_cobaltstrike.exe (21 events; no description, indicator or target recorded)

UPX packed file (upx) (58 hits; no description, indicator, process or target recorded)

Drops file in Windows directory

Process: C:\Users\Admin\AppData\Local\Temp\2024-06-01_e2a069d4340db3c946cf3fc8884384cf_cobalt-strike_cobaltstrike.exe
Description: File created (21 files, all under C:\Windows\System; no indicator or target recorded)

C:\Windows\System\eJiqlYY.exe
C:\Windows\System\AdMwTzV.exe
C:\Windows\System\YOSbGxG.exe
C:\Windows\System\FeMofxq.exe
C:\Windows\System\ZRhSFlW.exe
C:\Windows\System\nQxCEAr.exe
C:\Windows\System\FPZdUJV.exe
C:\Windows\System\ENYpLIc.exe
C:\Windows\System\YGDEJvo.exe
C:\Windows\System\zVxTueV.exe
C:\Windows\System\TnFoFUj.exe
C:\Windows\System\veuZBcY.exe
C:\Windows\System\rXvHjvE.exe
C:\Windows\System\JRcsHCX.exe
C:\Windows\System\ZwngHuk.exe
C:\Windows\System\oRdsEgU.exe
C:\Windows\System\dOptFgW.exe
C:\Windows\System\TkgrAZG.exe
C:\Windows\System\gZUGsvf.exe
C:\Windows\System\STdBekU.exe
C:\Windows\System\QgexGAt.exe

Suspicious use of AdjustPrivilegeToken

Process: C:\Users\Admin\AppData\Local\Temp\2024-06-01_e2a069d4340db3c946cf3fc8884384cf_cobalt-strike_cobaltstrike.exe
Description: Token: SeLockMemoryPrivilege (2 events; no indicator or target recorded)

Suspicious use of WriteProcessMemory

Source process: C:\Users\Admin\AppData\Local\Temp\2024-06-01_e2a069d4340db3c946cf3fc8884384cf_cobalt-strike_cobaltstrike.exe (PID 3000)
Three memory writes were recorded to each of the following target processes (no indicator recorded):

PID 2096 C:\Windows\System\ZwngHuk.exe
PID 2992 C:\Windows\System\FPZdUJV.exe
PID 2988 C:\Windows\System\oRdsEgU.exe
PID 2680 C:\Windows\System\ENYpLIc.exe
PID 2560 C:\Windows\System\eJiqlYY.exe
PID 2648 C:\Windows\System\YGDEJvo.exe
PID 2276 C:\Windows\System\zVxTueV.exe
PID 2644 C:\Windows\System\AdMwTzV.exe
PID 2460 C:\Windows\System\TnFoFUj.exe
PID 2140 C:\Windows\System\gZUGsvf.exe
PID 2780 C:\Windows\System\dOptFgW.exe
PID 2816 C:\Windows\System\YOSbGxG.exe
PID 2936 C:\Windows\System\TkgrAZG.exe
PID 1772 C:\Windows\System\STdBekU.exe
PID 2432 C:\Windows\System\QgexGAt.exe
PID 320 C:\Windows\System\FeMofxq.exe
PID 1264 C:\Windows\System\veuZBcY.exe
PID 1040 C:\Windows\System\rXvHjvE.exe
PID 1240 C:\Windows\System\nQxCEAr.exe
PID 2504 C:\Windows\System\ZRhSFlW.exe
PID 1656 C:\Windows\System\JRcsHCX.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-01_e2a069d4340db3c946cf3fc8884384cf_cobalt-strike_cobaltstrike.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\2024-06-01_e2a069d4340db3c946cf3fc8884384cf_cobalt-strike_cobaltstrike.exe"

Dropped executables (each launched with its bare path as the command line):

C:\Windows\System\ZwngHuk.exe
C:\Windows\System\FPZdUJV.exe
C:\Windows\System\oRdsEgU.exe
C:\Windows\System\ENYpLIc.exe
C:\Windows\System\eJiqlYY.exe
C:\Windows\System\YGDEJvo.exe
C:\Windows\System\zVxTueV.exe
C:\Windows\System\AdMwTzV.exe
C:\Windows\System\TnFoFUj.exe
C:\Windows\System\gZUGsvf.exe
C:\Windows\System\dOptFgW.exe
C:\Windows\System\YOSbGxG.exe
C:\Windows\System\TkgrAZG.exe
C:\Windows\System\STdBekU.exe
C:\Windows\System\QgexGAt.exe
C:\Windows\System\FeMofxq.exe
C:\Windows\System\veuZBcY.exe
C:\Windows\System\rXvHjvE.exe
C:\Windows\System\nQxCEAr.exe
C:\Windows\System\ZRhSFlW.exe
C:\Windows\System\JRcsHCX.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 (none) tcp

The same destination was contacted six times; no domain name was recorded.

Files

memory/3000-0-0x000000013FA10000-0x000000013FD64000-memory.dmp

memory/3000-1-0x00000000000F0000-0x0000000000100000-memory.dmp

\Windows\system\ZwngHuk.exe

MD5 353d74a18e01eb8c33870662ed697558
SHA1 411001b77dadfd067428ce067c0de3d402035241
SHA256 0a1e2b630c9fd06cc0e0d4f630b57400c1051971d22bcd3c7cdd3d2c7948474d
SHA512 dda2c65c2a76db75d2349f9be0a8f9b6f7dce6a29b828320268a3f9d3261d262ecc21f672200f33f4825b62eb0f89b7fcbaf57f5d85fa146328c380e3f19fd6e

C:\Windows\system\oRdsEgU.exe

MD5 ee9d5e2694421e650d32b978f381ac7f
SHA1 859a285c1d452b6cab8a289b5d99bcd51b25210e
SHA256 dc29f49fb7ef20d61bc01e5d57f7c3b2d7652198c0e3fab0d6f2810d8f9c32f2
SHA512 83e689182b55b765486488c38b3af5a3b2bec890faafcc8f4910b1002bc06d454b2fc8913b08383fa3592cad92231f1f8c134c28f1a76091ec88c518e54e19ef

C:\Windows\system\FPZdUJV.exe

MD5 8c60cdadda28a9c2c343be4570338fdc
SHA1 26639f033b576c6c6421e76f8095666a99e3fff9
SHA256 c4463e8ccccb38619f7272eb359f772422f3732adcc820ad3ff85cfed379d176
SHA512 754942a386873e7edacc0b728231747649376fb678f0541d098ef066491c9306c9b1093d288d452acd60f77ca74d34e7c8aaed7d8f3e1afce96cd996fba7103a

memory/2096-13-0x000000013F660000-0x000000013F9B4000-memory.dmp

C:\Windows\system\ENYpLIc.exe

MD5 4a968ae2d0334d2127f60bc05e822d57
SHA1 95623c00f76704f8f775b63fddbf39cb117fef74
SHA256 259a86e076907482fb99b5d0219497965aef1d325122a443cc10d47a9ccf1990
SHA512 6f93fd326188c650aab32657b009a4adade723ce8162ccf2dcf93c1dfda436e6ef86e662efba08882753f5476fb0554224874ae908bb30119c5101fd69b050dc

memory/3000-27-0x000000013F060000-0x000000013F3B4000-memory.dmp

memory/2680-28-0x000000013F060000-0x000000013F3B4000-memory.dmp

memory/2988-22-0x000000013FA50000-0x000000013FDA4000-memory.dmp

memory/3000-17-0x00000000023D0000-0x0000000002724000-memory.dmp

memory/2992-15-0x000000013F5B0000-0x000000013F904000-memory.dmp

memory/3000-11-0x000000013F5B0000-0x000000013F904000-memory.dmp

memory/3000-8-0x000000013F660000-0x000000013F9B4000-memory.dmp

\Windows\system\eJiqlYY.exe

MD5 80672bb88d5fc394de7ecc162d0e678e
SHA1 91cd33aa0c4a186d2b62a5034c57788578b50175
SHA256 db7b1dfd339a35b94cfdfb72bb1967ca6fd69c8ad45da7ad57314630ede4ce9d
SHA512 449fb6906f1c6e54ce4e01e640d32c68704f4163e22bfd36cedb573a8dee8afd2533c4254ab20cf134a8cd6b47bae7497725b2aa55f5b72534f0d4df08ee5833

memory/2560-37-0x000000013F8B0000-0x000000013FC04000-memory.dmp

memory/3000-36-0x00000000023D0000-0x0000000002724000-memory.dmp

\Windows\system\YGDEJvo.exe

MD5 a7843013565970d65b1eaacd8c03f225
SHA1 c06e13387aee313f49535c6f94d4e95a27197657
SHA256 41095e1f36640e98cb6c22e82c23c119d0c3b5e65e90f75e27f941765f28bf4f
SHA512 88291293936acef2bc5873b6a3352ac36801d521bc1b68a04bea1f27c99a159388a0c732277f5bce5f1cd27f1f6bb242c1a317fd9429744f18a3fa8a0938ecef

memory/3000-42-0x000000013FA10000-0x000000013FD64000-memory.dmp

\Windows\system\AdMwTzV.exe

MD5 ff45d5952b258a239e4e96ae0711dc21
SHA1 7c91d93f7df018b65c0fbdd7308379fa6f19aaa9
SHA256 06cef01a4721692ae345e5f3507a1a0ffc22e0121d250dff64ed720d403ade5b
SHA512 ff3050c119ea559c59014e6c6e70ea4c1be73dfb6ea0547c8428c61122b98acb33063883f54a4eb13a8608dcaff79dc07d0650786de1954bb71fad733939b313

memory/2276-57-0x000000013FF70000-0x00000001402C4000-memory.dmp

memory/2644-59-0x000000013FFA0000-0x00000001402F4000-memory.dmp

memory/2096-58-0x000000013F660000-0x000000013F9B4000-memory.dmp

memory/3000-56-0x000000013FFA0000-0x00000001402F4000-memory.dmp

C:\Windows\system\zVxTueV.exe

MD5 a8b35968c76861fa98e4b30c27d9ac40
SHA1 1a0293a5779b091e3e13b0a613b31f9ace2b3be8
SHA256 fb5374ac5450e5f0a215215e43c635b7dc3bc63ce7062a7d859205fab0955edd
SHA512 09bafb90ee36c0d1ee3878cffd12fd671d9a31d87e16c29fa2253c87d8ce1b61fa3aab36dc4d3f315987dadccc0634c9fe4a541c13f0620bd2e6d922d15c2fd3

memory/2648-48-0x000000013FB60000-0x000000013FEB4000-memory.dmp

memory/3000-40-0x00000000023D0000-0x0000000002724000-memory.dmp

\Windows\system\dOptFgW.exe

MD5 e025ab95832351a140b90995a7c6bfbf
SHA1 0436521151b10db1622dbbd52107b6671bf1783f
SHA256 e55166a07ff8eb0ca4bd0cdef8c2811c93f346dc32a40c5ac8f2bd86f7dec7a2
SHA512 8f23e36ad0e069063f4df4e90738bb2d42eff6e332ecf9b60d1bda8d8146be0c505f979d123e91c016935856fcecf7ef22ae6ec83f6d889959edb11262f6cd4a

memory/2780-85-0x000000013F490000-0x000000013F7E4000-memory.dmp

C:\Windows\system\YOSbGxG.exe

MD5 97d97c665add2c77997ce9061298bc7b
SHA1 a8f7545f63c20bbbadee51567f20cefa73b5c306
SHA256 4a33fbcbb5de2fad3f56fe5c2286379c0bd27771d79819d20e9c892cfd0aee8b
SHA512 5138a4891262bac79de146f6ce28b8af1bf0bfe64207daee4b92a7bb322657a1c31234797fcab1df3afebe93364e5350eea0105a5537015d2baa4abc1cafe3c7

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-01 01:31

Reported

2024-06-01 01:34

Platform

win10v2004-20240426-en

Max time kernel

141s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-01_e2a069d4340db3c946cf3fc8884384cf_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\TkxsQJz.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_e2a069d4340db3c946cf3fc8884384cf_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\zhWSsbJ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_e2a069d4340db3c946cf3fc8884384cf_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\PMPvBHd.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_e2a069d4340db3c946cf3fc8884384cf_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\YyxPvbI.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_e2a069d4340db3c946cf3fc8884384cf_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\VKcHPNo.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_e2a069d4340db3c946cf3fc8884384cf_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\cYHLaVc.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_e2a069d4340db3c946cf3fc8884384cf_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\XJEXVrX.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_e2a069d4340db3c946cf3fc8884384cf_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ukflGyb.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_e2a069d4340db3c946cf3fc8884384cf_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\bQirfdA.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_e2a069d4340db3c946cf3fc8884384cf_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\VPxDlml.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_e2a069d4340db3c946cf3fc8884384cf_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\sAlOCzI.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_e2a069d4340db3c946cf3fc8884384cf_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\YpOJmfo.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_e2a069d4340db3c946cf3fc8884384cf_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\OJssmgl.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_e2a069d4340db3c946cf3fc8884384cf_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\IGuDnMe.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_e2a069d4340db3c946cf3fc8884384cf_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ZswDUfs.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_e2a069d4340db3c946cf3fc8884384cf_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\uZjgsQi.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_e2a069d4340db3c946cf3fc8884384cf_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\MeIQXyD.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_e2a069d4340db3c946cf3fc8884384cf_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\wTaHsTS.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_e2a069d4340db3c946cf3fc8884384cf_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\oCPwChb.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_e2a069d4340db3c946cf3fc8884384cf_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\SySdWkK.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_e2a069d4340db3c946cf3fc8884384cf_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\eNJAgjN.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_e2a069d4340db3c946cf3fc8884384cf_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_e2a069d4340db3c946cf3fc8884384cf_cobalt-strike_cobaltstrike.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_e2a069d4340db3c946cf3fc8884384cf_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2164 wrote to memory of 116 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_e2a069d4340db3c946cf3fc8884384cf_cobalt-strike_cobaltstrike.exe C:\Windows\System\cYHLaVc.exe
PID 2164 wrote to memory of 116 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_e2a069d4340db3c946cf3fc8884384cf_cobalt-strike_cobaltstrike.exe C:\Windows\System\cYHLaVc.exe
PID 2164 wrote to memory of 1904 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_e2a069d4340db3c946cf3fc8884384cf_cobalt-strike_cobaltstrike.exe C:\Windows\System\SySdWkK.exe
PID 2164 wrote to memory of 1904 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_e2a069d4340db3c946cf3fc8884384cf_cobalt-strike_cobaltstrike.exe C:\Windows\System\SySdWkK.exe
PID 2164 wrote to memory of 1792 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_e2a069d4340db3c946cf3fc8884384cf_cobalt-strike_cobaltstrike.exe C:\Windows\System\XJEXVrX.exe
PID 2164 wrote to memory of 1792 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_e2a069d4340db3c946cf3fc8884384cf_cobalt-strike_cobaltstrike.exe C:\Windows\System\XJEXVrX.exe
PID 2164 wrote to memory of 440 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_e2a069d4340db3c946cf3fc8884384cf_cobalt-strike_cobaltstrike.exe C:\Windows\System\eNJAgjN.exe
PID 2164 wrote to memory of 440 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_e2a069d4340db3c946cf3fc8884384cf_cobalt-strike_cobaltstrike.exe C:\Windows\System\eNJAgjN.exe
PID 2164 wrote to memory of 1492 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_e2a069d4340db3c946cf3fc8884384cf_cobalt-strike_cobaltstrike.exe C:\Windows\System\ukflGyb.exe
PID 2164 wrote to memory of 1492 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_e2a069d4340db3c946cf3fc8884384cf_cobalt-strike_cobaltstrike.exe C:\Windows\System\ukflGyb.exe
PID 2164 wrote to memory of 1740 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_e2a069d4340db3c946cf3fc8884384cf_cobalt-strike_cobaltstrike.exe C:\Windows\System\bQirfdA.exe
PID 2164 wrote to memory of 1740 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_e2a069d4340db3c946cf3fc8884384cf_cobalt-strike_cobaltstrike.exe C:\Windows\System\bQirfdA.exe
PID 2164 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_e2a069d4340db3c946cf3fc8884384cf_cobalt-strike_cobaltstrike.exe C:\Windows\System\IGuDnMe.exe
PID 2164 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_e2a069d4340db3c946cf3fc8884384cf_cobalt-strike_cobaltstrike.exe C:\Windows\System\IGuDnMe.exe
PID 2164 wrote to memory of 1968 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_e2a069d4340db3c946cf3fc8884384cf_cobalt-strike_cobaltstrike.exe C:\Windows\System\TkxsQJz.exe
PID 2164 wrote to memory of 1968 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_e2a069d4340db3c946cf3fc8884384cf_cobalt-strike_cobaltstrike.exe C:\Windows\System\TkxsQJz.exe
PID 2164 wrote to memory of 1380 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_e2a069d4340db3c946cf3fc8884384cf_cobalt-strike_cobaltstrike.exe C:\Windows\System\VPxDlml.exe
PID 2164 wrote to memory of 1380 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_e2a069d4340db3c946cf3fc8884384cf_cobalt-strike_cobaltstrike.exe C:\Windows\System\VPxDlml.exe
PID 2164 wrote to memory of 4352 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_e2a069d4340db3c946cf3fc8884384cf_cobalt-strike_cobaltstrike.exe C:\Windows\System\sAlOCzI.exe
PID 2164 wrote to memory of 4352 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_e2a069d4340db3c946cf3fc8884384cf_cobalt-strike_cobaltstrike.exe C:\Windows\System\sAlOCzI.exe
PID 2164 wrote to memory of 5012 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_e2a069d4340db3c946cf3fc8884384cf_cobalt-strike_cobaltstrike.exe C:\Windows\System\zhWSsbJ.exe
PID 2164 wrote to memory of 5012 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_e2a069d4340db3c946cf3fc8884384cf_cobalt-strike_cobaltstrike.exe C:\Windows\System\zhWSsbJ.exe
PID 2164 wrote to memory of 1464 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_e2a069d4340db3c946cf3fc8884384cf_cobalt-strike_cobaltstrike.exe C:\Windows\System\YpOJmfo.exe
PID 2164 wrote to memory of 1464 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_e2a069d4340db3c946cf3fc8884384cf_cobalt-strike_cobaltstrike.exe C:\Windows\System\YpOJmfo.exe
PID 2164 wrote to memory of 4832 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_e2a069d4340db3c946cf3fc8884384cf_cobalt-strike_cobaltstrike.exe C:\Windows\System\ZswDUfs.exe
PID 2164 wrote to memory of 4832 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_e2a069d4340db3c946cf3fc8884384cf_cobalt-strike_cobaltstrike.exe C:\Windows\System\ZswDUfs.exe
PID 2164 wrote to memory of 4516 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_e2a069d4340db3c946cf3fc8884384cf_cobalt-strike_cobaltstrike.exe C:\Windows\System\uZjgsQi.exe
PID 2164 wrote to memory of 4516 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_e2a069d4340db3c946cf3fc8884384cf_cobalt-strike_cobaltstrike.exe C:\Windows\System\uZjgsQi.exe
PID 2164 wrote to memory of 2272 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_e2a069d4340db3c946cf3fc8884384cf_cobalt-strike_cobaltstrike.exe C:\Windows\System\PMPvBHd.exe
PID 2164 wrote to memory of 2272 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_e2a069d4340db3c946cf3fc8884384cf_cobalt-strike_cobaltstrike.exe C:\Windows\System\PMPvBHd.exe
PID 2164 wrote to memory of 1612 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_e2a069d4340db3c946cf3fc8884384cf_cobalt-strike_cobaltstrike.exe C:\Windows\System\OJssmgl.exe
PID 2164 wrote to memory of 1612 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_e2a069d4340db3c946cf3fc8884384cf_cobalt-strike_cobaltstrike.exe C:\Windows\System\OJssmgl.exe
PID 2164 wrote to memory of 4324 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_e2a069d4340db3c946cf3fc8884384cf_cobalt-strike_cobaltstrike.exe C:\Windows\System\MeIQXyD.exe
PID 2164 wrote to memory of 4324 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_e2a069d4340db3c946cf3fc8884384cf_cobalt-strike_cobaltstrike.exe C:\Windows\System\MeIQXyD.exe
PID 2164 wrote to memory of 3404 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_e2a069d4340db3c946cf3fc8884384cf_cobalt-strike_cobaltstrike.exe C:\Windows\System\wTaHsTS.exe
PID 2164 wrote to memory of 3404 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_e2a069d4340db3c946cf3fc8884384cf_cobalt-strike_cobaltstrike.exe C:\Windows\System\wTaHsTS.exe
PID 2164 wrote to memory of 1676 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_e2a069d4340db3c946cf3fc8884384cf_cobalt-strike_cobaltstrike.exe C:\Windows\System\YyxPvbI.exe
PID 2164 wrote to memory of 1676 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_e2a069d4340db3c946cf3fc8884384cf_cobalt-strike_cobaltstrike.exe C:\Windows\System\YyxPvbI.exe
PID 2164 wrote to memory of 4824 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_e2a069d4340db3c946cf3fc8884384cf_cobalt-strike_cobaltstrike.exe C:\Windows\System\oCPwChb.exe
PID 2164 wrote to memory of 4824 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_e2a069d4340db3c946cf3fc8884384cf_cobalt-strike_cobaltstrike.exe C:\Windows\System\oCPwChb.exe
PID 2164 wrote to memory of 3300 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_e2a069d4340db3c946cf3fc8884384cf_cobalt-strike_cobaltstrike.exe C:\Windows\System\VKcHPNo.exe
PID 2164 wrote to memory of 3300 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_e2a069d4340db3c946cf3fc8884384cf_cobalt-strike_cobaltstrike.exe C:\Windows\System\VKcHPNo.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-01_e2a069d4340db3c946cf3fc8884384cf_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-01_e2a069d4340db3c946cf3fc8884384cf_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\cYHLaVc.exe

C:\Windows\System\cYHLaVc.exe

C:\Windows\System\SySdWkK.exe

C:\Windows\System\SySdWkK.exe

C:\Windows\System\XJEXVrX.exe

C:\Windows\System\XJEXVrX.exe

C:\Windows\System\eNJAgjN.exe

C:\Windows\System\eNJAgjN.exe

C:\Windows\System\ukflGyb.exe

C:\Windows\System\ukflGyb.exe

C:\Windows\System\bQirfdA.exe

C:\Windows\System\bQirfdA.exe

C:\Windows\System\IGuDnMe.exe

C:\Windows\System\IGuDnMe.exe

C:\Windows\System\TkxsQJz.exe

C:\Windows\System\TkxsQJz.exe

C:\Windows\System\VPxDlml.exe

C:\Windows\System\VPxDlml.exe

C:\Windows\System\sAlOCzI.exe

C:\Windows\System\sAlOCzI.exe

C:\Windows\System\zhWSsbJ.exe

C:\Windows\System\zhWSsbJ.exe

C:\Windows\System\YpOJmfo.exe

C:\Windows\System\YpOJmfo.exe

C:\Windows\System\ZswDUfs.exe

C:\Windows\System\ZswDUfs.exe

C:\Windows\System\uZjgsQi.exe

C:\Windows\System\uZjgsQi.exe

C:\Windows\System\PMPvBHd.exe

C:\Windows\System\PMPvBHd.exe

C:\Windows\System\OJssmgl.exe

C:\Windows\System\OJssmgl.exe

C:\Windows\System\MeIQXyD.exe

C:\Windows\System\MeIQXyD.exe

C:\Windows\System\wTaHsTS.exe

C:\Windows\System\wTaHsTS.exe

C:\Windows\System\YyxPvbI.exe

C:\Windows\System\YyxPvbI.exe

C:\Windows\System\oCPwChb.exe

C:\Windows\System\oCPwChb.exe

C:\Windows\System\VKcHPNo.exe

C:\Windows\System\VKcHPNo.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 4.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 91.90.14.23.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp

Files
