Malware Analysis Report

2025-01-22 19:41

Sample ID 240601-cf8fdaeg64
Target 2024-06-01_85b069a8a846539b611fc33a5a8753a4_cobalt-strike_cobaltstrike
SHA256 40c4c891d39ae7918c0dc45a87e6fa6a5c3fa6732c0412305492c8f69e59ec8b
Tags
miner upx 0 xmrig cobaltstrike backdoor trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

40c4c891d39ae7918c0dc45a87e6fa6a5c3fa6732c0412305492c8f69e59ec8b

Threat Level: Known bad

The file 2024-06-01_85b069a8a846539b611fc33a5a8753a4_cobalt-strike_cobaltstrike was found to be: Known bad.

Malicious Activity Summary

miner upx 0 xmrig cobaltstrike backdoor trojan

Cobalt Strike reflective loader

Cobaltstrike

Cobaltstrike family

UPX dump on OEP (original entry point)

XMRig Miner payload

Detects Reflective DLL injection artifacts

xmrig

Xmrig family

Loads dropped DLL

UPX packed file

Executes dropped EXE

Drops file in Windows directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-01 02:02

Signatures

Cobalt Strike reflective loader

Cobaltstrike family

cobaltstrike

Detects Reflective DLL injection artifacts

UPX dump on OEP (original entry point)

XMRig Miner payload

miner
Xmrig family

xmrig

UPX packed file

upx
Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-01 02:02

Reported

2024-06-01 02:04

Platform

win7-20240508-en

Max time kernel

145s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-01_85b069a8a846539b611fc33a5a8753a4_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

UPX dump on OEP (original entry point)

XMRig Miner payload

miner
Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_85b069a8a846539b611fc33a5a8753a4_cobalt-strike_cobaltstrike.exe N/A

UPX packed file

upx
Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\TsCjdxH.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_85b069a8a846539b611fc33a5a8753a4_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\QtXMBgo.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_85b069a8a846539b611fc33a5a8753a4_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\dqEwAOP.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_85b069a8a846539b611fc33a5a8753a4_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\HLtcwXS.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_85b069a8a846539b611fc33a5a8753a4_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\wxLVXGn.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_85b069a8a846539b611fc33a5a8753a4_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\lLMEohh.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_85b069a8a846539b611fc33a5a8753a4_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\MpPhThE.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_85b069a8a846539b611fc33a5a8753a4_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\AIyVwsb.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_85b069a8a846539b611fc33a5a8753a4_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\iAccrVq.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_85b069a8a846539b611fc33a5a8753a4_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\iKXPWaE.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_85b069a8a846539b611fc33a5a8753a4_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\seVpbNI.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_85b069a8a846539b611fc33a5a8753a4_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\lgkBFnd.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_85b069a8a846539b611fc33a5a8753a4_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\VUliqBI.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_85b069a8a846539b611fc33a5a8753a4_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\hJQDzEC.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_85b069a8a846539b611fc33a5a8753a4_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\hyvMWwp.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_85b069a8a846539b611fc33a5a8753a4_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\WDKIIHn.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_85b069a8a846539b611fc33a5a8753a4_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\IKorwrz.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_85b069a8a846539b611fc33a5a8753a4_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\lZJkyNK.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_85b069a8a846539b611fc33a5a8753a4_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\vhsvcRm.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_85b069a8a846539b611fc33a5a8753a4_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\KyyCNPO.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_85b069a8a846539b611fc33a5a8753a4_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\KkIsjcp.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_85b069a8a846539b611fc33a5a8753a4_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_85b069a8a846539b611fc33a5a8753a4_cobalt-strike_cobaltstrike.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_85b069a8a846539b611fc33a5a8753a4_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1612 wrote to memory of 1964 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_85b069a8a846539b611fc33a5a8753a4_cobalt-strike_cobaltstrike.exe C:\Windows\System\IKorwrz.exe
PID 1612 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_85b069a8a846539b611fc33a5a8753a4_cobalt-strike_cobaltstrike.exe C:\Windows\System\lZJkyNK.exe
PID 1612 wrote to memory of 2736 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_85b069a8a846539b611fc33a5a8753a4_cobalt-strike_cobaltstrike.exe C:\Windows\System\KyyCNPO.exe
PID 1612 wrote to memory of 2592 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_85b069a8a846539b611fc33a5a8753a4_cobalt-strike_cobaltstrike.exe C:\Windows\System\MpPhThE.exe
PID 1612 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_85b069a8a846539b611fc33a5a8753a4_cobalt-strike_cobaltstrike.exe C:\Windows\System\AIyVwsb.exe
PID 1612 wrote to memory of 2816 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_85b069a8a846539b611fc33a5a8753a4_cobalt-strike_cobaltstrike.exe C:\Windows\System\TsCjdxH.exe
PID 1612 wrote to memory of 2632 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_85b069a8a846539b611fc33a5a8753a4_cobalt-strike_cobaltstrike.exe C:\Windows\System\hyvMWwp.exe
PID 1612 wrote to memory of 2480 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_85b069a8a846539b611fc33a5a8753a4_cobalt-strike_cobaltstrike.exe C:\Windows\System\VUliqBI.exe
PID 1612 wrote to memory of 2580 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_85b069a8a846539b611fc33a5a8753a4_cobalt-strike_cobaltstrike.exe C:\Windows\System\WDKIIHn.exe
PID 1612 wrote to memory of 1304 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_85b069a8a846539b611fc33a5a8753a4_cobalt-strike_cobaltstrike.exe C:\Windows\System\KkIsjcp.exe
PID 1612 wrote to memory of 2448 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_85b069a8a846539b611fc33a5a8753a4_cobalt-strike_cobaltstrike.exe C:\Windows\System\vhsvcRm.exe
PID 1612 wrote to memory of 2800 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_85b069a8a846539b611fc33a5a8753a4_cobalt-strike_cobaltstrike.exe C:\Windows\System\hJQDzEC.exe
PID 1612 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_85b069a8a846539b611fc33a5a8753a4_cobalt-strike_cobaltstrike.exe C:\Windows\System\QtXMBgo.exe
PID 1612 wrote to memory of 1504 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_85b069a8a846539b611fc33a5a8753a4_cobalt-strike_cobaltstrike.exe C:\Windows\System\dqEwAOP.exe
PID 1612 wrote to memory of 1552 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_85b069a8a846539b611fc33a5a8753a4_cobalt-strike_cobaltstrike.exe C:\Windows\System\iAccrVq.exe
PID 1612 wrote to memory of 1012 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_85b069a8a846539b611fc33a5a8753a4_cobalt-strike_cobaltstrike.exe C:\Windows\System\HLtcwXS.exe
PID 1612 wrote to memory of 1572 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_85b069a8a846539b611fc33a5a8753a4_cobalt-strike_cobaltstrike.exe C:\Windows\System\wxLVXGn.exe
PID 1612 wrote to memory of 2172 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_85b069a8a846539b611fc33a5a8753a4_cobalt-strike_cobaltstrike.exe C:\Windows\System\lLMEohh.exe
PID 1612 wrote to memory of 1436 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_85b069a8a846539b611fc33a5a8753a4_cobalt-strike_cobaltstrike.exe C:\Windows\System\iKXPWaE.exe
PID 1612 wrote to memory of 2200 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_85b069a8a846539b611fc33a5a8753a4_cobalt-strike_cobaltstrike.exe C:\Windows\System\seVpbNI.exe
PID 1612 wrote to memory of 2352 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_85b069a8a846539b611fc33a5a8753a4_cobalt-strike_cobaltstrike.exe C:\Windows\System\lgkBFnd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-01_85b069a8a846539b611fc33a5a8753a4_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-01_85b069a8a846539b611fc33a5a8753a4_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\IKorwrz.exe

C:\Windows\System\IKorwrz.exe

C:\Windows\System\lZJkyNK.exe

C:\Windows\System\lZJkyNK.exe

C:\Windows\System\KyyCNPO.exe

C:\Windows\System\KyyCNPO.exe

C:\Windows\System\MpPhThE.exe

C:\Windows\System\MpPhThE.exe

C:\Windows\System\AIyVwsb.exe

C:\Windows\System\AIyVwsb.exe

C:\Windows\System\TsCjdxH.exe

C:\Windows\System\TsCjdxH.exe

C:\Windows\System\hyvMWwp.exe

C:\Windows\System\hyvMWwp.exe

C:\Windows\System\VUliqBI.exe

C:\Windows\System\VUliqBI.exe

C:\Windows\System\WDKIIHn.exe

C:\Windows\System\WDKIIHn.exe

C:\Windows\System\KkIsjcp.exe

C:\Windows\System\KkIsjcp.exe

C:\Windows\System\vhsvcRm.exe

C:\Windows\System\vhsvcRm.exe

C:\Windows\System\hJQDzEC.exe

C:\Windows\System\hJQDzEC.exe

C:\Windows\System\QtXMBgo.exe

C:\Windows\System\QtXMBgo.exe

C:\Windows\System\dqEwAOP.exe

C:\Windows\System\dqEwAOP.exe

C:\Windows\System\iAccrVq.exe

C:\Windows\System\iAccrVq.exe

C:\Windows\System\HLtcwXS.exe

C:\Windows\System\HLtcwXS.exe

C:\Windows\System\wxLVXGn.exe

C:\Windows\System\wxLVXGn.exe

C:\Windows\System\lLMEohh.exe

C:\Windows\System\lLMEohh.exe

C:\Windows\System\iKXPWaE.exe

C:\Windows\System\iKXPWaE.exe

C:\Windows\System\seVpbNI.exe

C:\Windows\System\seVpbNI.exe

C:\Windows\System\lgkBFnd.exe

C:\Windows\System\lgkBFnd.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 tcp

Files

SHA512 2562efeae299d50d08fddb057758c2792ac390fa78257ece79692918f417e2b703033db27fdd245949677eb50bdc41c3a6ecbf40db3da83c84e210dfb3dc9941

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-01 02:02

Reported

2024-06-01 02:04

Platform

win10v2004-20240508-en

Max time kernel

148s

Max time network

157s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-01_85b069a8a846539b611fc33a5a8753a4_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\IUiiCEZ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_85b069a8a846539b611fc33a5a8753a4_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\YUJzdNG.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_85b069a8a846539b611fc33a5a8753a4_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\UAdsQZH.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_85b069a8a846539b611fc33a5a8753a4_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\qeiqUxe.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_85b069a8a846539b611fc33a5a8753a4_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\IxfwwjP.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_85b069a8a846539b611fc33a5a8753a4_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ojIbGQl.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_85b069a8a846539b611fc33a5a8753a4_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\UpwIjay.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_85b069a8a846539b611fc33a5a8753a4_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\UJEElQv.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_85b069a8a846539b611fc33a5a8753a4_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\NJuBeYe.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_85b069a8a846539b611fc33a5a8753a4_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\CEQqUYA.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_85b069a8a846539b611fc33a5a8753a4_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ZNcwVJp.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_85b069a8a846539b611fc33a5a8753a4_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\LFwzXcM.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_85b069a8a846539b611fc33a5a8753a4_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\kDbwrgQ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_85b069a8a846539b611fc33a5a8753a4_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ZbuALEb.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_85b069a8a846539b611fc33a5a8753a4_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\GggunFz.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_85b069a8a846539b611fc33a5a8753a4_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\qAPwcha.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_85b069a8a846539b611fc33a5a8753a4_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\TGQaqPt.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_85b069a8a846539b611fc33a5a8753a4_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\mLzaDBR.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_85b069a8a846539b611fc33a5a8753a4_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\XLheihT.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_85b069a8a846539b611fc33a5a8753a4_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\KTXWrkb.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_85b069a8a846539b611fc33a5a8753a4_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ftCTltS.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_85b069a8a846539b611fc33a5a8753a4_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_85b069a8a846539b611fc33a5a8753a4_cobalt-strike_cobaltstrike.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_85b069a8a846539b611fc33a5a8753a4_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1056 wrote to memory of 1392 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_85b069a8a846539b611fc33a5a8753a4_cobalt-strike_cobaltstrike.exe C:\Windows\System\YUJzdNG.exe
PID 1056 wrote to memory of 1392 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_85b069a8a846539b611fc33a5a8753a4_cobalt-strike_cobaltstrike.exe C:\Windows\System\YUJzdNG.exe
PID 1056 wrote to memory of 4608 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_85b069a8a846539b611fc33a5a8753a4_cobalt-strike_cobaltstrike.exe C:\Windows\System\UAdsQZH.exe
PID 1056 wrote to memory of 4608 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_85b069a8a846539b611fc33a5a8753a4_cobalt-strike_cobaltstrike.exe C:\Windows\System\UAdsQZH.exe
PID 1056 wrote to memory of 3016 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_85b069a8a846539b611fc33a5a8753a4_cobalt-strike_cobaltstrike.exe C:\Windows\System\NJuBeYe.exe
PID 1056 wrote to memory of 3016 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_85b069a8a846539b611fc33a5a8753a4_cobalt-strike_cobaltstrike.exe C:\Windows\System\NJuBeYe.exe
PID 1056 wrote to memory of 4800 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_85b069a8a846539b611fc33a5a8753a4_cobalt-strike_cobaltstrike.exe C:\Windows\System\CEQqUYA.exe
PID 1056 wrote to memory of 4800 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_85b069a8a846539b611fc33a5a8753a4_cobalt-strike_cobaltstrike.exe C:\Windows\System\CEQqUYA.exe
PID 1056 wrote to memory of 2340 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_85b069a8a846539b611fc33a5a8753a4_cobalt-strike_cobaltstrike.exe C:\Windows\System\kDbwrgQ.exe
PID 1056 wrote to memory of 2340 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_85b069a8a846539b611fc33a5a8753a4_cobalt-strike_cobaltstrike.exe C:\Windows\System\kDbwrgQ.exe
PID 1056 wrote to memory of 1728 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_85b069a8a846539b611fc33a5a8753a4_cobalt-strike_cobaltstrike.exe C:\Windows\System\mLzaDBR.exe
PID 1056 wrote to memory of 1728 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_85b069a8a846539b611fc33a5a8753a4_cobalt-strike_cobaltstrike.exe C:\Windows\System\mLzaDBR.exe
PID 1056 wrote to memory of 4056 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_85b069a8a846539b611fc33a5a8753a4_cobalt-strike_cobaltstrike.exe C:\Windows\System\XLheihT.exe
PID 1056 wrote to memory of 4056 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_85b069a8a846539b611fc33a5a8753a4_cobalt-strike_cobaltstrike.exe C:\Windows\System\XLheihT.exe
PID 1056 wrote to memory of 3716 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_85b069a8a846539b611fc33a5a8753a4_cobalt-strike_cobaltstrike.exe C:\Windows\System\KTXWrkb.exe
PID 1056 wrote to memory of 3716 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_85b069a8a846539b611fc33a5a8753a4_cobalt-strike_cobaltstrike.exe C:\Windows\System\KTXWrkb.exe
PID 1056 wrote to memory of 4952 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_85b069a8a846539b611fc33a5a8753a4_cobalt-strike_cobaltstrike.exe C:\Windows\System\ZNcwVJp.exe
PID 1056 wrote to memory of 4952 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_85b069a8a846539b611fc33a5a8753a4_cobalt-strike_cobaltstrike.exe C:\Windows\System\ZNcwVJp.exe
PID 1056 wrote to memory of 2068 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_85b069a8a846539b611fc33a5a8753a4_cobalt-strike_cobaltstrike.exe C:\Windows\System\qeiqUxe.exe
PID 1056 wrote to memory of 2068 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_85b069a8a846539b611fc33a5a8753a4_cobalt-strike_cobaltstrike.exe C:\Windows\System\qeiqUxe.exe
PID 1056 wrote to memory of 1408 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_85b069a8a846539b611fc33a5a8753a4_cobalt-strike_cobaltstrike.exe C:\Windows\System\LFwzXcM.exe
PID 1056 wrote to memory of 1408 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_85b069a8a846539b611fc33a5a8753a4_cobalt-strike_cobaltstrike.exe C:\Windows\System\LFwzXcM.exe
PID 1056 wrote to memory of 1356 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_85b069a8a846539b611fc33a5a8753a4_cobalt-strike_cobaltstrike.exe C:\Windows\System\ZbuALEb.exe
PID 1056 wrote to memory of 1356 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_85b069a8a846539b611fc33a5a8753a4_cobalt-strike_cobaltstrike.exe C:\Windows\System\ZbuALEb.exe
PID 1056 wrote to memory of 384 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_85b069a8a846539b611fc33a5a8753a4_cobalt-strike_cobaltstrike.exe C:\Windows\System\ojIbGQl.exe
PID 1056 wrote to memory of 384 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_85b069a8a846539b611fc33a5a8753a4_cobalt-strike_cobaltstrike.exe C:\Windows\System\ojIbGQl.exe
PID 1056 wrote to memory of 3472 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_85b069a8a846539b611fc33a5a8753a4_cobalt-strike_cobaltstrike.exe C:\Windows\System\GggunFz.exe
PID 1056 wrote to memory of 3472 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_85b069a8a846539b611fc33a5a8753a4_cobalt-strike_cobaltstrike.exe C:\Windows\System\GggunFz.exe
PID 1056 wrote to memory of 4048 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_85b069a8a846539b611fc33a5a8753a4_cobalt-strike_cobaltstrike.exe C:\Windows\System\UpwIjay.exe
PID 1056 wrote to memory of 4048 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_85b069a8a846539b611fc33a5a8753a4_cobalt-strike_cobaltstrike.exe C:\Windows\System\UpwIjay.exe
PID 1056 wrote to memory of 908 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_85b069a8a846539b611fc33a5a8753a4_cobalt-strike_cobaltstrike.exe C:\Windows\System\IxfwwjP.exe
PID 1056 wrote to memory of 908 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_85b069a8a846539b611fc33a5a8753a4_cobalt-strike_cobaltstrike.exe C:\Windows\System\IxfwwjP.exe
PID 1056 wrote to memory of 1932 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_85b069a8a846539b611fc33a5a8753a4_cobalt-strike_cobaltstrike.exe C:\Windows\System\UJEElQv.exe
PID 1056 wrote to memory of 1932 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_85b069a8a846539b611fc33a5a8753a4_cobalt-strike_cobaltstrike.exe C:\Windows\System\UJEElQv.exe
PID 1056 wrote to memory of 4372 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_85b069a8a846539b611fc33a5a8753a4_cobalt-strike_cobaltstrike.exe C:\Windows\System\ftCTltS.exe
PID 1056 wrote to memory of 4372 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_85b069a8a846539b611fc33a5a8753a4_cobalt-strike_cobaltstrike.exe C:\Windows\System\ftCTltS.exe
PID 1056 wrote to memory of 3520 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_85b069a8a846539b611fc33a5a8753a4_cobalt-strike_cobaltstrike.exe C:\Windows\System\TGQaqPt.exe
PID 1056 wrote to memory of 3520 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_85b069a8a846539b611fc33a5a8753a4_cobalt-strike_cobaltstrike.exe C:\Windows\System\TGQaqPt.exe
PID 1056 wrote to memory of 1616 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_85b069a8a846539b611fc33a5a8753a4_cobalt-strike_cobaltstrike.exe C:\Windows\System\IUiiCEZ.exe
PID 1056 wrote to memory of 1616 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_85b069a8a846539b611fc33a5a8753a4_cobalt-strike_cobaltstrike.exe C:\Windows\System\IUiiCEZ.exe
PID 1056 wrote to memory of 536 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_85b069a8a846539b611fc33a5a8753a4_cobalt-strike_cobaltstrike.exe C:\Windows\System\qAPwcha.exe
PID 1056 wrote to memory of 536 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_85b069a8a846539b611fc33a5a8753a4_cobalt-strike_cobaltstrike.exe C:\Windows\System\qAPwcha.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-01_85b069a8a846539b611fc33a5a8753a4_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-01_85b069a8a846539b611fc33a5a8753a4_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\YUJzdNG.exe

C:\Windows\System\YUJzdNG.exe

C:\Windows\System\UAdsQZH.exe

C:\Windows\System\UAdsQZH.exe

C:\Windows\System\NJuBeYe.exe

C:\Windows\System\NJuBeYe.exe

C:\Windows\System\CEQqUYA.exe

C:\Windows\System\CEQqUYA.exe

C:\Windows\System\kDbwrgQ.exe

C:\Windows\System\kDbwrgQ.exe

C:\Windows\System\mLzaDBR.exe

C:\Windows\System\mLzaDBR.exe

C:\Windows\System\XLheihT.exe

C:\Windows\System\XLheihT.exe

C:\Windows\System\KTXWrkb.exe

C:\Windows\System\KTXWrkb.exe

C:\Windows\System\ZNcwVJp.exe

C:\Windows\System\ZNcwVJp.exe

C:\Windows\System\qeiqUxe.exe

C:\Windows\System\qeiqUxe.exe

C:\Windows\System\LFwzXcM.exe

C:\Windows\System\LFwzXcM.exe

C:\Windows\System\ZbuALEb.exe

C:\Windows\System\ZbuALEb.exe

C:\Windows\System\ojIbGQl.exe

C:\Windows\System\ojIbGQl.exe

C:\Windows\System\GggunFz.exe

C:\Windows\System\GggunFz.exe

C:\Windows\System\UpwIjay.exe

C:\Windows\System\UpwIjay.exe

C:\Windows\System\IxfwwjP.exe

C:\Windows\System\IxfwwjP.exe

C:\Windows\System\UJEElQv.exe

C:\Windows\System\UJEElQv.exe

C:\Windows\System\ftCTltS.exe

C:\Windows\System\ftCTltS.exe

C:\Windows\System\TGQaqPt.exe

C:\Windows\System\TGQaqPt.exe

C:\Windows\System\IUiiCEZ.exe

C:\Windows\System\IUiiCEZ.exe

C:\Windows\System\qAPwcha.exe

C:\Windows\System\qAPwcha.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4368,i,3724086843943218842,1026644135694712596,262144 --variations-seed-version --mojo-platform-channel-handle=3740 /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 91.90.14.23.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 75.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 144.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp

Files

memory/1056-0-0x00007FF64DE10000-0x00007FF64E164000-memory.dmp

memory/1056-1-0x000001F914140000-0x000001F914150000-memory.dmp

C:\Windows\System\YUJzdNG.exe

MD5 8892e44fe6ab70fc2842464d37575a25
SHA1 09b084ac3708d326176b8f13954d415f572d14f9
SHA256 40071567e0341480785a786a8633365cc5b64577ff3b646dcf4b347a2a0fcd10
SHA512 687a884fd954872d766da6031c2dbadf70d0d4b55eefdadaf2e33995a9e349c83e9d96963395ef7b6fb0785e6f6a5bc6d5cbb3abcd920f386387a815682649de

memory/1392-9-0x00007FF615830000-0x00007FF615B84000-memory.dmp

C:\Windows\System\NJuBeYe.exe

MD5 69296b3219b65bb562e4ab32443c3b35
SHA1 3e1233bd276362c6e691aaf5ecaf0e7331d43bfe
SHA256 c19f53445d8477c8aee5b24400f1b7efae8a06ead3d1eab54b245b4b354e8182
SHA512 679c95e34418ea1a6e8da3b74cbbdfed650e7e9eb3aa78b498e661e3102450d1f624cd1a5ca1bb2f6e03104a9e3ad0576a7b4c0d7284a903a32e7ec5dee0e977

C:\Windows\System\UAdsQZH.exe

MD5 5cc82687166c9649cd5987522105f08b
SHA1 83fd3384a625fc22dc07441f9e8868addcc60412
SHA256 3a8ca49cca4f3263125238efc88cb143bff1e6017e9fae169a851813569f1701
SHA512 e81d8b4b09e4169474b5a2816241d7b29846c12516830cb3dffad5d476bd3f9687efa65a56395e4e8dbcc07770ff0a224729731e8934008a027f6f4ae6c2fd13

memory/4608-14-0x00007FF7AA080000-0x00007FF7AA3D4000-memory.dmp

memory/3016-18-0x00007FF690400000-0x00007FF690754000-memory.dmp

memory/4800-24-0x00007FF7BB850000-0x00007FF7BBBA4000-memory.dmp

C:\Windows\System\CEQqUYA.exe

MD5 af75cb98acfd713e6b9c17845faad0dd
SHA1 ac85d9336c523dd5e2f3536bd5df7ef7f4a91e24
SHA256 fae504aaa78732311e4513b9c82ec0542ef57aa3fa3aab5cb5d61bf5d5061f10
SHA512 f121721e46ab7c3e36be451a78922ace0981c5a5df1ac112d8fafc309cefd1a9ac5482bf7edab9e1e97ec71e3a9464862f0a641476fc336a0c0e51373b413ccc

C:\Windows\System\kDbwrgQ.exe

MD5 a7526aa1e52b2c49e4b185625bcba069
SHA1 27e4b39d9f41937c686bfc5fe8a3633c5d7d17b1
SHA256 105eb1d4c20af4ca5d9ea5ce4bcdb2df0948b907b88bc4aabde66d2c3df7a0da
SHA512 28e4f40944af43adc598b9b3d7d252e25b39709f4d1ae7c2815bb7dd578d3da1b6239670e347f221fe9c80d98c0cfc04dab467bd82228a2db68612bc05c215d1

C:\Windows\System\mLzaDBR.exe

MD5 f10f6b314f918d0b791ede9ad737d6f4
SHA1 6921dad9ffe622dd42bf670d3b9102706ab8d8ea
SHA256 16c5fea36568290a5bc89294fde5c337d9cdc16863bf8603d990cd5c9233964c
SHA512 94722b0617090a1c510f0481dcf32a28f20b3bb4e4fb925d7abe74754daefa3589546a4f4e41d038666256f68279d580e23f31969804382bbea7b0dba83f76fb

memory/1728-40-0x00007FF6D8BD0000-0x00007FF6D8F24000-memory.dmp

C:\Windows\System\ZNcwVJp.exe

MD5 f017c4b7b7b8ea52fde0588d7a6d0dce
SHA1 cc3f9d98e234d3ed4baf009b7d87008bd2ec2723
SHA256 e34ecfb36bb4a3be3cfe2a7320663342b369303eaa09283758ef10998f2855ff
SHA512 ab603ef4e7e103abc4a17c831bafd4ff8c1cba08dac2ef70e5ea308feba86e4e8ddcbc608357a0784c4640ec10947e6d05d035a594e64c583c093fbd6b14fb21

C:\Windows\System\qeiqUxe.exe

MD5 299863641b428e69457b68f23336ae34
SHA1 fd5c4797050cd17a4bedee78a11811aaae30de2f
SHA256 4aa475cdf8dc6cbabb7a6e21b32f4802367adf41f973e8a8a7531e34058e3a42
SHA512 1b595b822dbf20a494413c782ed8fc46106c40f65c4149b8ab5ee0a3e2eaafe8c01f812a2b6bc039dc14385cd939c80f077b3925f69538ba75a8638e641a441c

C:\Windows\System\ZbuALEb.exe

MD5 63d55f8c34177dbec900623bbec89a19
SHA1 969f0b88eae93017f1d793740c06bb40d6cb5692
SHA256 e3aa202a4061991b370aac57d745e25aaa76d033c4d2d498e66b6e97dbd08404
SHA512 a16730cd1c65b711acba538785be2ff2b4d524bc00106b5a2283110a429c00a6839bf5bb74697d99fedde335f173b13c2fa795a92e3d63b096391baecd2e00ed

C:\Windows\System\ojIbGQl.exe

MD5 90e88bb272696da52f5bc64ce64cf78f
SHA1 cb94029d4757f0102245c4389c41be7b25341b7c
SHA256 765740b27e2f10b10c7dd7a3812cb35bfaf18ecdb3ecc9728e4d1de5149fbacc
SHA512 c3c57a479b4f5da94cf2e3d4f4e7344ca64847a6467a5885c0658be2ad327634ac239f0e43939b9498e3ebb7cd5329214ad248db5fdffaf69b86241fb4f9ee9c

C:\Windows\System\GggunFz.exe

MD5 a021b34379a51f9942df11538ab91175
SHA1 7ff551646a2d70b58a3028ea4c07ecbc495b29f8
SHA256 54977d4bdfcd85b2c8c5fd3036a5af69c7b92a14c098630a92b4502834f4e68a
SHA512 cdc03480783b314ab067e0b5a0482b1bc923cfe8dd698b387e5c644f8b59619623a72c44715805decf6bdc87b782e06a14c0d2ebe92c20a6b4758146dbd47856

C:\Windows\System\UJEElQv.exe

MD5 497c616158e836b89713dd0b707fba74
SHA1 1bdb4f3c1068e542c11c6adc336d7da1c3b26ec5
SHA256 4ddc5fe14021c1920aa582b8d4ab6a812e217c9f8c93fe8a32b666388fa487bf
SHA512 b417da55d8575f9d8ea815106fcf3c273ec067504fc760819460b3b18d63621e001df7dc652cd1efd05cd89d7a338a7220ef1ddb3d379b939bf1ffa7dd87f648

memory/4056-92-0x00007FF688F30000-0x00007FF689284000-memory.dmp

memory/4952-99-0x00007FF7C2E60000-0x00007FF7C31B4000-memory.dmp

memory/384-105-0x00007FF63AF80000-0x00007FF63B2D4000-memory.dmp

C:\Windows\System\IUiiCEZ.exe

MD5 3a0fcf7abcd811869ba54e2eeae8e661
SHA1 d2f1b1e226760623ee9ee9272896dfa89f768c37
SHA256 3ff525748e5cab554777d2250112cf718a33bdbea038986b871c93744796e18d
SHA512 e05c756dd5c742f1d993f1cd018653c30f2f7d1228429f9a234ed3bd668404b58b025bc73e7ff4ca5c5a1897bb7f4e30072b8fd87b0f66d599be0e31fee1c43c

memory/1616-126-0x00007FF66DA60000-0x00007FF66DDB4000-memory.dmp

memory/536-127-0x00007FF759580000-0x00007FF7598D4000-memory.dmp

memory/3520-125-0x00007FF7649A0000-0x00007FF764CF4000-memory.dmp

C:\Windows\System\qAPwcha.exe

MD5 21a2f42f2102356e0613d861ee8b846c
SHA1 3fa69d83c8290588a429b7910d17150c43f97fa4
SHA256 209c73d852e93aa951fe153e65ddb952350730691f11354d5fc44044cd28561f
SHA512 4526e7442249cc6cc4239dd0d444c547c4b61d5e4ac5720fd452ee9054b3d2dbf923b2d92a23706a12c1059d08495c352ce1c82b83adae8fdac7b9b9c5774a70

memory/4372-122-0x00007FF7ACCE0000-0x00007FF7AD034000-memory.dmp

memory/1932-119-0x00007FF72A380000-0x00007FF72A6D4000-memory.dmp

C:\Windows\System\TGQaqPt.exe

MD5 e3657e1286f4a3851b5252fa73a43cbd
SHA1 b75895d49654588099091cac2ffaa1632efdee94
SHA256 af93a5ccbeac9a170d21cea643c1f6e8488943adbe9da90c7ea96e955d75a90a
SHA512 d7ad3ecc5b9335dd7d9b3d07a041c404f25ab296c314ca9511a6c3805686c37bd039ce0e23441602e6696b3b8f110629c8d030915b406a09e6b65bb0f0adcbdc

memory/908-115-0x00007FF73BFB0000-0x00007FF73C304000-memory.dmp

memory/4048-112-0x00007FF7C0F10000-0x00007FF7C1264000-memory.dmp

memory/3472-111-0x00007FF6ED740000-0x00007FF6EDA94000-memory.dmp

memory/1356-104-0x00007FF6BAF50000-0x00007FF6BB2A4000-memory.dmp

memory/1408-103-0x00007FF64E910000-0x00007FF64EC64000-memory.dmp

C:\Windows\System\ftCTltS.exe

MD5 aed2a8c59e1998d8453d2bd43e4e75c5
SHA1 9d58110c282347679498bacd8474c032028aa287
SHA256 81e675f98140b2d825b3776e529b6f1202066b6f3e6c28d67854757ce4d0df2a
SHA512 291604507bf230b2a8125b9036b322c1dc86a6f477edb11ef3c6dba664630c2bf093d5454967f43b595a3c9b1f2dd5cd2997a8585241e3177c08a90139eaf88f

memory/2068-100-0x00007FF74AE70000-0x00007FF74B1C4000-memory.dmp

memory/3716-95-0x00007FF6CDD40000-0x00007FF6CE094000-memory.dmp

C:\Windows\System\IxfwwjP.exe

MD5 da1faf2d4fb90103484038eb8a54b30d
SHA1 68e2d77c27692992ee36f75dc0db6588b11db4ab
SHA256 62559116b0b573d9053b529b90944074e24a74a10601e882e77caf7bbaa824d4
SHA512 eea6dc11866993d6e37109df25ad54d76669e0bc55e076afd5fe57ae8ebac6d5d18927f5b6e4b17f45122a05368b78e230946dd41479f43e64fa8ccab35a81e5

C:\Windows\System\UpwIjay.exe

MD5 21b56a0f91017896a951f411ec76373a
SHA1 a5e25c3cb7ecf8518479d171d5f50eb8b1d91330
SHA256 97d86fd71e76be2dd8a3451b077d3a24a63b202d0a9999bdf6d317a47fc73d09
SHA512 581e2c77d06fb640e6e2ee7a299d29ec3f91692fec59d2cf8072b047cd3240dac41d9d3c91c656ee5a503b26952b658a91efe6972ded0ecd6ca901654e3c8ed9

C:\Windows\System\LFwzXcM.exe

MD5 2f5991a1a816ccffc85ccb1aa04b6e3a
SHA1 f6e50b7273125131a3a2458027156512d7344d9e
SHA256 da6ce075fadd70604bbd83da12d63593e850d010578da7b5e70ff0fb353fd1a5
SHA512 28ee9d102d9529191c373f646506c5c191dc971bfb3c056284a4430f5c86695debb4bb8dddbd16071c928d0a5df98b3d02d84bd767a88ab3c9b105939810c42a

C:\Windows\System\KTXWrkb.exe

MD5 4f8ded73c5da2310fc886231c59d86fb
SHA1 6e46bed317fc556206a1fd1e392ff981a0a736cc
SHA256 10f369ee28f82f4c22864a8d3a440ae50e6992c457604f93ee5bd3a9398ab064
SHA512 f630384bd07e9b83d399cd17f73dd5049812ce6d05803e89bdcaf44b5002e7822cdacd76f38f38a91cd05ec209af6527257f7fdda262538851d8e707be4ddd8c

C:\Windows\System\XLheihT.exe

MD5 962c11ddcb905f2904a6247385907e76
SHA1 b88f3dbf7fef1fb4d097aaf44acb2e02b7d2db50
SHA256 6b7429c1c111f25673a3c2659f142c2c6a59d3ad7d7f0730bc4217c60b7b5e1d
SHA512 cf1241ed2f21937cd117c16ffbe2c693abc4a54ea32eb3007d7af69c510da24a4bd7903784319c582acf1d611ebe127dbaa61e05d8e7ead8ac945fc1d46bb08d
