Malware Analysis Report

2025-01-22 19:40

Sample ID 240601-chn5hsea9z
Target 2024-06-01_90047872f2c0969d6b491d0868202ed4_cobalt-strike_cobaltstrike
SHA256 521e02eb3fa8e32014a9c2f0fcbd5bf91d3a1755824b7c32d5306c5b6ae241c2
Tags miner upx 0 xmrig cobaltstrike backdoor trojan
Score 10/10

Analysis Overview

Score 10/10

SHA256 521e02eb3fa8e32014a9c2f0fcbd5bf91d3a1755824b7c32d5306c5b6ae241c2

Threat Level: Known bad

The file 2024-06-01_90047872f2c0969d6b491d0868202ed4_cobalt-strike_cobaltstrike was found to be: Known bad.

Malicious Activity Summary

miner upx 0 xmrig cobaltstrike backdoor trojan

UPX dump on OEP (original entry point)

XMRig Miner payload

Cobaltstrike family

Xmrig family

Cobaltstrike

Detects Reflective DLL injection artifacts

Cobalt Strike reflective loader

xmrig

UPX packed file

Loads dropped DLL

Executes dropped EXE

Drops file in Windows directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-01 02:04

Signatures

Cobalt Strike reflective loader

Cobaltstrike family

cobaltstrike

Detects Reflective DLL injection artifacts

UPX dump on OEP (original entry point)

XMRig Miner payload

miner
Xmrig family

xmrig

UPX packed file

upx
Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-01 02:04

Reported

2024-06-01 02:07

Platform

win7-20240215-en

Max time kernel

134s

Max time network

144s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-01_90047872f2c0969d6b491d0868202ed4_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

UPX dump on OEP (original entry point)

XMRig Miner payload

miner
Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_90047872f2c0969d6b491d0868202ed4_cobalt-strike_cobaltstrike.exe N/A

UPX packed file

upx
Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\vJfrsxm.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_90047872f2c0969d6b491d0868202ed4_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\QTpTOyC.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_90047872f2c0969d6b491d0868202ed4_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\iHZcopM.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_90047872f2c0969d6b491d0868202ed4_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\QkPtSbx.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_90047872f2c0969d6b491d0868202ed4_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\eOBzpOz.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_90047872f2c0969d6b491d0868202ed4_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\MswDvQR.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_90047872f2c0969d6b491d0868202ed4_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\gKQFtYE.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_90047872f2c0969d6b491d0868202ed4_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\JbJcTYM.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_90047872f2c0969d6b491d0868202ed4_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\TBnVtEL.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_90047872f2c0969d6b491d0868202ed4_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\TEazTfk.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_90047872f2c0969d6b491d0868202ed4_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\bdvzykv.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_90047872f2c0969d6b491d0868202ed4_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\cKzYILC.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_90047872f2c0969d6b491d0868202ed4_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\YGRwUJw.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_90047872f2c0969d6b491d0868202ed4_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\yGZCCyj.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_90047872f2c0969d6b491d0868202ed4_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\zkXQfzP.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_90047872f2c0969d6b491d0868202ed4_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\wXgEYYx.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_90047872f2c0969d6b491d0868202ed4_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\djWQOJD.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_90047872f2c0969d6b491d0868202ed4_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\IKRViOs.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_90047872f2c0969d6b491d0868202ed4_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\MdZIYhY.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_90047872f2c0969d6b491d0868202ed4_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\kVgSBNe.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_90047872f2c0969d6b491d0868202ed4_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\YWWxhZP.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_90047872f2c0969d6b491d0868202ed4_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_90047872f2c0969d6b491d0868202ed4_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1304 wrote to memory of 1928 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_90047872f2c0969d6b491d0868202ed4_cobalt-strike_cobaltstrike.exe C:\Windows\System\djWQOJD.exe
PID 1304 wrote to memory of 2228 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_90047872f2c0969d6b491d0868202ed4_cobalt-strike_cobaltstrike.exe C:\Windows\System\vJfrsxm.exe
PID 1304 wrote to memory of 280 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_90047872f2c0969d6b491d0868202ed4_cobalt-strike_cobaltstrike.exe C:\Windows\System\MswDvQR.exe
PID 1304 wrote to memory of 2012 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_90047872f2c0969d6b491d0868202ed4_cobalt-strike_cobaltstrike.exe C:\Windows\System\gKQFtYE.exe
PID 1304 wrote to memory of 2136 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_90047872f2c0969d6b491d0868202ed4_cobalt-strike_cobaltstrike.exe C:\Windows\System\IKRViOs.exe
PID 1304 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_90047872f2c0969d6b491d0868202ed4_cobalt-strike_cobaltstrike.exe C:\Windows\System\bdvzykv.exe
PID 1304 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_90047872f2c0969d6b491d0868202ed4_cobalt-strike_cobaltstrike.exe C:\Windows\System\JbJcTYM.exe
PID 1304 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_90047872f2c0969d6b491d0868202ed4_cobalt-strike_cobaltstrike.exe C:\Windows\System\QTpTOyC.exe
PID 1304 wrote to memory of 2584 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_90047872f2c0969d6b491d0868202ed4_cobalt-strike_cobaltstrike.exe C:\Windows\System\cKzYILC.exe
PID 1304 wrote to memory of 2612 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_90047872f2c0969d6b491d0868202ed4_cobalt-strike_cobaltstrike.exe C:\Windows\System\TBnVtEL.exe
PID 1304 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_90047872f2c0969d6b491d0868202ed4_cobalt-strike_cobaltstrike.exe C:\Windows\System\TEazTfk.exe
PID 1304 wrote to memory of 2256 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_90047872f2c0969d6b491d0868202ed4_cobalt-strike_cobaltstrike.exe C:\Windows\System\YGRwUJw.exe
PID 1304 wrote to memory of 2564 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_90047872f2c0969d6b491d0868202ed4_cobalt-strike_cobaltstrike.exe C:\Windows\System\MdZIYhY.exe
PID 1304 wrote to memory of 2464 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_90047872f2c0969d6b491d0868202ed4_cobalt-strike_cobaltstrike.exe C:\Windows\System\kVgSBNe.exe
PID 1304 wrote to memory of 2128 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_90047872f2c0969d6b491d0868202ed4_cobalt-strike_cobaltstrike.exe C:\Windows\System\yGZCCyj.exe
PID 1304 wrote to memory of 2504 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_90047872f2c0969d6b491d0868202ed4_cobalt-strike_cobaltstrike.exe C:\Windows\System\zkXQfzP.exe
PID 1304 wrote to memory of 3068 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_90047872f2c0969d6b491d0868202ed4_cobalt-strike_cobaltstrike.exe C:\Windows\System\QkPtSbx.exe
PID 1304 wrote to memory of 3012 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_90047872f2c0969d6b491d0868202ed4_cobalt-strike_cobaltstrike.exe C:\Windows\System\eOBzpOz.exe
PID 1304 wrote to memory of 3000 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_90047872f2c0969d6b491d0868202ed4_cobalt-strike_cobaltstrike.exe C:\Windows\System\YWWxhZP.exe
PID 1304 wrote to memory of 296 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_90047872f2c0969d6b491d0868202ed4_cobalt-strike_cobaltstrike.exe C:\Windows\System\wXgEYYx.exe
PID 1304 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_90047872f2c0969d6b491d0868202ed4_cobalt-strike_cobaltstrike.exe C:\Windows\System\iHZcopM.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-01_90047872f2c0969d6b491d0868202ed4_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-01_90047872f2c0969d6b491d0868202ed4_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\djWQOJD.exe

C:\Windows\System\djWQOJD.exe

C:\Windows\System\vJfrsxm.exe

C:\Windows\System\vJfrsxm.exe

C:\Windows\System\MswDvQR.exe

C:\Windows\System\MswDvQR.exe

C:\Windows\System\gKQFtYE.exe

C:\Windows\System\gKQFtYE.exe

C:\Windows\System\IKRViOs.exe

C:\Windows\System\IKRViOs.exe

C:\Windows\System\bdvzykv.exe

C:\Windows\System\bdvzykv.exe

C:\Windows\System\JbJcTYM.exe

C:\Windows\System\JbJcTYM.exe

C:\Windows\System\QTpTOyC.exe

C:\Windows\System\QTpTOyC.exe

C:\Windows\System\cKzYILC.exe

C:\Windows\System\cKzYILC.exe

C:\Windows\System\TBnVtEL.exe

C:\Windows\System\TBnVtEL.exe

C:\Windows\System\TEazTfk.exe

C:\Windows\System\TEazTfk.exe

C:\Windows\System\YGRwUJw.exe

C:\Windows\System\YGRwUJw.exe

C:\Windows\System\MdZIYhY.exe

C:\Windows\System\MdZIYhY.exe

C:\Windows\System\kVgSBNe.exe

C:\Windows\System\kVgSBNe.exe

C:\Windows\System\yGZCCyj.exe

C:\Windows\System\yGZCCyj.exe

C:\Windows\System\zkXQfzP.exe

C:\Windows\System\zkXQfzP.exe

C:\Windows\System\QkPtSbx.exe

C:\Windows\System\QkPtSbx.exe

C:\Windows\System\eOBzpOz.exe

C:\Windows\System\eOBzpOz.exe

C:\Windows\System\YWWxhZP.exe

C:\Windows\System\YWWxhZP.exe

C:\Windows\System\wXgEYYx.exe

C:\Windows\System\wXgEYYx.exe

C:\Windows\System\iHZcopM.exe

C:\Windows\System\iHZcopM.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 tcp

Files


memory/2584-141-0x000000013F900000-0x000000013FC54000-memory.dmp

memory/2652-139-0x000000013F600000-0x000000013F954000-memory.dmp

memory/2612-142-0x000000013F950000-0x000000013FCA4000-memory.dmp

memory/2684-138-0x000000013F950000-0x000000013FCA4000-memory.dmp

memory/2256-144-0x000000013FB30000-0x000000013FE84000-memory.dmp

memory/2704-143-0x000000013F970000-0x000000013FCC4000-memory.dmp

memory/2564-145-0x000000013F040000-0x000000013F394000-memory.dmp

memory/2464-146-0x000000013F2D0000-0x000000013F624000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-01 02:04

Reported

2024-06-01 02:07

Platform

win10v2004-20240426-en

Max time kernel

144s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-01_90047872f2c0969d6b491d0868202ed4_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\UpEALZr.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_90047872f2c0969d6b491d0868202ed4_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\oLRXEGe.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_90047872f2c0969d6b491d0868202ed4_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\cWxtIcm.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_90047872f2c0969d6b491d0868202ed4_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\tXNCKPs.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_90047872f2c0969d6b491d0868202ed4_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\lrZppvC.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_90047872f2c0969d6b491d0868202ed4_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\fUwMWcX.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_90047872f2c0969d6b491d0868202ed4_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\fvuuKQa.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_90047872f2c0969d6b491d0868202ed4_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ZlPwDvw.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_90047872f2c0969d6b491d0868202ed4_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\qIOtdLR.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_90047872f2c0969d6b491d0868202ed4_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\xanDRnO.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_90047872f2c0969d6b491d0868202ed4_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\xDyJnap.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_90047872f2c0969d6b491d0868202ed4_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\uMqKLXA.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_90047872f2c0969d6b491d0868202ed4_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\MIymbDQ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_90047872f2c0969d6b491d0868202ed4_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\JBFzBau.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_90047872f2c0969d6b491d0868202ed4_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\lOIkzwG.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_90047872f2c0969d6b491d0868202ed4_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\krUoYdK.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_90047872f2c0969d6b491d0868202ed4_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\YzACIjm.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_90047872f2c0969d6b491d0868202ed4_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\mDuMJMc.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_90047872f2c0969d6b491d0868202ed4_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\lyClhaA.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_90047872f2c0969d6b491d0868202ed4_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\TzMHeCe.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_90047872f2c0969d6b491d0868202ed4_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\EdLTCKR.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_90047872f2c0969d6b491d0868202ed4_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_90047872f2c0969d6b491d0868202ed4_cobalt-strike_cobaltstrike.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_90047872f2c0969d6b491d0868202ed4_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1164 wrote to memory of 1280 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_90047872f2c0969d6b491d0868202ed4_cobalt-strike_cobaltstrike.exe C:\Windows\System\qIOtdLR.exe
PID 1164 wrote to memory of 1280 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_90047872f2c0969d6b491d0868202ed4_cobalt-strike_cobaltstrike.exe C:\Windows\System\qIOtdLR.exe
PID 1164 wrote to memory of 1960 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_90047872f2c0969d6b491d0868202ed4_cobalt-strike_cobaltstrike.exe C:\Windows\System\JBFzBau.exe
PID 1164 wrote to memory of 1960 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_90047872f2c0969d6b491d0868202ed4_cobalt-strike_cobaltstrike.exe C:\Windows\System\JBFzBau.exe
PID 1164 wrote to memory of 440 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_90047872f2c0969d6b491d0868202ed4_cobalt-strike_cobaltstrike.exe C:\Windows\System\oLRXEGe.exe
PID 1164 wrote to memory of 440 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_90047872f2c0969d6b491d0868202ed4_cobalt-strike_cobaltstrike.exe C:\Windows\System\oLRXEGe.exe
PID 1164 wrote to memory of 3068 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_90047872f2c0969d6b491d0868202ed4_cobalt-strike_cobaltstrike.exe C:\Windows\System\xanDRnO.exe
PID 1164 wrote to memory of 3068 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_90047872f2c0969d6b491d0868202ed4_cobalt-strike_cobaltstrike.exe C:\Windows\System\xanDRnO.exe
PID 1164 wrote to memory of 3700 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_90047872f2c0969d6b491d0868202ed4_cobalt-strike_cobaltstrike.exe C:\Windows\System\cWxtIcm.exe
PID 1164 wrote to memory of 3700 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_90047872f2c0969d6b491d0868202ed4_cobalt-strike_cobaltstrike.exe C:\Windows\System\cWxtIcm.exe
PID 1164 wrote to memory of 4116 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_90047872f2c0969d6b491d0868202ed4_cobalt-strike_cobaltstrike.exe C:\Windows\System\tXNCKPs.exe
PID 1164 wrote to memory of 4116 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_90047872f2c0969d6b491d0868202ed4_cobalt-strike_cobaltstrike.exe C:\Windows\System\tXNCKPs.exe
PID 1164 wrote to memory of 4584 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_90047872f2c0969d6b491d0868202ed4_cobalt-strike_cobaltstrike.exe C:\Windows\System\xDyJnap.exe
PID 1164 wrote to memory of 4584 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_90047872f2c0969d6b491d0868202ed4_cobalt-strike_cobaltstrike.exe C:\Windows\System\xDyJnap.exe
PID 1164 wrote to memory of 3964 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_90047872f2c0969d6b491d0868202ed4_cobalt-strike_cobaltstrike.exe C:\Windows\System\uMqKLXA.exe
PID 1164 wrote to memory of 3964 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_90047872f2c0969d6b491d0868202ed4_cobalt-strike_cobaltstrike.exe C:\Windows\System\uMqKLXA.exe
PID 1164 wrote to memory of 3492 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_90047872f2c0969d6b491d0868202ed4_cobalt-strike_cobaltstrike.exe C:\Windows\System\lrZppvC.exe
PID 1164 wrote to memory of 3492 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_90047872f2c0969d6b491d0868202ed4_cobalt-strike_cobaltstrike.exe C:\Windows\System\lrZppvC.exe
PID 1164 wrote to memory of 4956 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_90047872f2c0969d6b491d0868202ed4_cobalt-strike_cobaltstrike.exe C:\Windows\System\fUwMWcX.exe
PID 1164 wrote to memory of 4956 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_90047872f2c0969d6b491d0868202ed4_cobalt-strike_cobaltstrike.exe C:\Windows\System\fUwMWcX.exe
PID 1164 wrote to memory of 1104 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_90047872f2c0969d6b491d0868202ed4_cobalt-strike_cobaltstrike.exe C:\Windows\System\MIymbDQ.exe
PID 1164 wrote to memory of 1104 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_90047872f2c0969d6b491d0868202ed4_cobalt-strike_cobaltstrike.exe C:\Windows\System\MIymbDQ.exe
PID 1164 wrote to memory of 1304 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_90047872f2c0969d6b491d0868202ed4_cobalt-strike_cobaltstrike.exe C:\Windows\System\YzACIjm.exe
PID 1164 wrote to memory of 1304 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_90047872f2c0969d6b491d0868202ed4_cobalt-strike_cobaltstrike.exe C:\Windows\System\YzACIjm.exe
PID 1164 wrote to memory of 1464 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_90047872f2c0969d6b491d0868202ed4_cobalt-strike_cobaltstrike.exe C:\Windows\System\mDuMJMc.exe
PID 1164 wrote to memory of 1464 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_90047872f2c0969d6b491d0868202ed4_cobalt-strike_cobaltstrike.exe C:\Windows\System\mDuMJMc.exe
PID 1164 wrote to memory of 4452 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_90047872f2c0969d6b491d0868202ed4_cobalt-strike_cobaltstrike.exe C:\Windows\System\lyClhaA.exe
PID 1164 wrote to memory of 4452 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_90047872f2c0969d6b491d0868202ed4_cobalt-strike_cobaltstrike.exe C:\Windows\System\lyClhaA.exe
PID 1164 wrote to memory of 876 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_90047872f2c0969d6b491d0868202ed4_cobalt-strike_cobaltstrike.exe C:\Windows\System\lOIkzwG.exe
PID 1164 wrote to memory of 876 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_90047872f2c0969d6b491d0868202ed4_cobalt-strike_cobaltstrike.exe C:\Windows\System\lOIkzwG.exe
PID 1164 wrote to memory of 4676 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_90047872f2c0969d6b491d0868202ed4_cobalt-strike_cobaltstrike.exe C:\Windows\System\krUoYdK.exe
PID 1164 wrote to memory of 4676 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_90047872f2c0969d6b491d0868202ed4_cobalt-strike_cobaltstrike.exe C:\Windows\System\krUoYdK.exe
PID 1164 wrote to memory of 3300 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_90047872f2c0969d6b491d0868202ed4_cobalt-strike_cobaltstrike.exe C:\Windows\System\fvuuKQa.exe
PID 1164 wrote to memory of 3300 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_90047872f2c0969d6b491d0868202ed4_cobalt-strike_cobaltstrike.exe C:\Windows\System\fvuuKQa.exe
PID 1164 wrote to memory of 1096 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_90047872f2c0969d6b491d0868202ed4_cobalt-strike_cobaltstrike.exe C:\Windows\System\TzMHeCe.exe
PID 1164 wrote to memory of 1096 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_90047872f2c0969d6b491d0868202ed4_cobalt-strike_cobaltstrike.exe C:\Windows\System\TzMHeCe.exe
PID 1164 wrote to memory of 4780 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_90047872f2c0969d6b491d0868202ed4_cobalt-strike_cobaltstrike.exe C:\Windows\System\ZlPwDvw.exe
PID 1164 wrote to memory of 4780 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_90047872f2c0969d6b491d0868202ed4_cobalt-strike_cobaltstrike.exe C:\Windows\System\ZlPwDvw.exe
PID 1164 wrote to memory of 2532 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_90047872f2c0969d6b491d0868202ed4_cobalt-strike_cobaltstrike.exe C:\Windows\System\EdLTCKR.exe
PID 1164 wrote to memory of 2532 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_90047872f2c0969d6b491d0868202ed4_cobalt-strike_cobaltstrike.exe C:\Windows\System\EdLTCKR.exe
PID 1164 wrote to memory of 4304 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_90047872f2c0969d6b491d0868202ed4_cobalt-strike_cobaltstrike.exe C:\Windows\System\UpEALZr.exe
PID 1164 wrote to memory of 4304 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_90047872f2c0969d6b491d0868202ed4_cobalt-strike_cobaltstrike.exe C:\Windows\System\UpEALZr.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-01_90047872f2c0969d6b491d0868202ed4_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-01_90047872f2c0969d6b491d0868202ed4_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\qIOtdLR.exe

C:\Windows\System\qIOtdLR.exe

C:\Windows\System\JBFzBau.exe

C:\Windows\System\JBFzBau.exe

C:\Windows\System\oLRXEGe.exe

C:\Windows\System\oLRXEGe.exe

C:\Windows\System\xanDRnO.exe

C:\Windows\System\xanDRnO.exe

C:\Windows\System\cWxtIcm.exe

C:\Windows\System\cWxtIcm.exe

C:\Windows\System\tXNCKPs.exe

C:\Windows\System\tXNCKPs.exe

C:\Windows\System\xDyJnap.exe

C:\Windows\System\xDyJnap.exe

C:\Windows\System\uMqKLXA.exe

C:\Windows\System\uMqKLXA.exe

C:\Windows\System\lrZppvC.exe

C:\Windows\System\lrZppvC.exe

C:\Windows\System\fUwMWcX.exe

C:\Windows\System\fUwMWcX.exe

C:\Windows\System\MIymbDQ.exe

C:\Windows\System\MIymbDQ.exe

C:\Windows\System\YzACIjm.exe

C:\Windows\System\YzACIjm.exe

C:\Windows\System\mDuMJMc.exe

C:\Windows\System\mDuMJMc.exe

C:\Windows\System\lyClhaA.exe

C:\Windows\System\lyClhaA.exe

C:\Windows\System\lOIkzwG.exe

C:\Windows\System\lOIkzwG.exe

C:\Windows\System\krUoYdK.exe

C:\Windows\System\krUoYdK.exe

C:\Windows\System\fvuuKQa.exe

C:\Windows\System\fvuuKQa.exe

C:\Windows\System\TzMHeCe.exe

C:\Windows\System\TzMHeCe.exe

C:\Windows\System\ZlPwDvw.exe

C:\Windows\System\ZlPwDvw.exe

C:\Windows\System\EdLTCKR.exe

C:\Windows\System\EdLTCKR.exe

C:\Windows\System\UpEALZr.exe

C:\Windows\System\UpEALZr.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 144.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 91.90.14.23.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp

Files

memory/1164-0-0x00007FF61C6B0000-0x00007FF61CA04000-memory.dmp

memory/1164-1-0x000001C82E3A0000-0x000001C82E3B0000-memory.dmp

C:\Windows\System\qIOtdLR.exe

MD5 c96fda308b100c2cdcf4f57b1f29ae75
SHA1 41d44c381ebe2516a33f9bb04a1f3ea8028197c2
SHA256 efa5eb0b687138c6bb09d321b1113eca024a052220d54dd40d241a7a0dab6d1a
SHA512 50365b7ce8c45541f61ca1a0cfef01b6e15305f99d7f04921b0d9332238f5d135a1a9d92434bba37bf193bec75d42932dd5378c89ab0588275327955a49b9b81

memory/1280-8-0x00007FF6EEE30000-0x00007FF6EF184000-memory.dmp

C:\Windows\System\JBFzBau.exe

MD5 a9d8ff8800a40a402e2e8ca9418b6b98
SHA1 595a6f50c33025693bd5247ad0ca05c64eb277a5
SHA256 82508a753347412e5f709a29bca9e36c969bae150cd922acfae3988de3c0925b
SHA512 06cf4df22152d1e67cf7cc7a544ad049ea0aab213c62020cd6ecbbffce72b18a3840e3573f78a4c230ab136ee453abf87826382cc6e34f90e9c20517120e8928

memory/1960-12-0x00007FF6E38A0000-0x00007FF6E3BF4000-memory.dmp

C:\Windows\System\oLRXEGe.exe

MD5 8e03bf1f8c60cdb2396090e6567c19cf
SHA1 8cfdacad918420e1389b33f75e3b4de20b7dc144
SHA256 48e694e3693d4e8d516396b3610fdfceeece9771bbafe845732e5fee5e2bff87
SHA512 e3fc87322b315eb163096ab800f547a9d5013a1d7061b93858cce31f65f80bb2f8224a643fad868eb8023de7d8a2565597075c7a382899b2fdb89386b4c073b5

memory/440-20-0x00007FF738FF0000-0x00007FF739344000-memory.dmp

C:\Windows\System\xanDRnO.exe

MD5 efdde6babf1b66668635aab3341b2416
SHA1 ef4ef910c99ce54c06350e9681f7696b414657ea
SHA256 2b07a3f60dc76dc38fc99fa90ed298e6847a34efaf0aebc0008d99faaa105c32
SHA512 33aef3e830dfafec094accad70b2058af1726fd0139c4c6be6edca5f896476a5437488bd07a00639966b23559ff463279ea59d00c9081fa0db9430a04868bd04

memory/3068-26-0x00007FF74D280000-0x00007FF74D5D4000-memory.dmp

C:\Windows\System\cWxtIcm.exe

MD5 bc0ede90b798c35a516a21964670236c
SHA1 0b9f8b3d2e563221d06ae4f12c9cfc944f768972
SHA256 ad856135592cdc6230e7b362d06277057bb6dfc5b0753c022732031888632fe4
SHA512 85d6b4f0311e2997fcfce559e4abc1daa2723d02d2ab2fc9674bddf80a341af567224d0aff173914b98d83fd2207eabde3309912128f3cd94c43725e87be08a6

C:\Windows\System\tXNCKPs.exe

MD5 46d9b68f3f6bc2761f0def51e0553fc2
SHA1 a948eccb4301593eb420d089dfde6123d3611c93
SHA256 fbce5acf0c681247d8155b7ac3519b7de2cfdd404cac31404513e928c858d7fb
SHA512 c551e8b3a0301147030f151da0541b6658be9582da4735490584daf6cbc4f086ac238a90e805750dd77079033fee792a786c0116c8d5c73adcd696cbf734c8ea

C:\Windows\System\xDyJnap.exe

MD5 cab3a51afebff338b6d2d23c3ebcaf88
SHA1 a30a612f21729962a6fe32bf1b2e53cf631bba9a
SHA256 e1e8a1b32edf3bb71a171f412d3a4116bc38857bd9e9f4a48f6cc8ee37c8fe03
SHA512 14eb22eec7a1b6f750028929f95e7f860f1dcfa704a691dd1677d6c5272b9c67bfc30e09f2621a67e7ee9cb533f150b4b5703ee1217e48d44aa346f2a0e0a105

C:\Windows\System\uMqKLXA.exe

MD5 db85d91f87fe8dfadab46603f00cbdac
SHA1 1c5fab9ad894e9ceeb11fecbf38098f332d01ab1
SHA256 6ce83122dcb370cce6e387788373f4407f11cb06daf2262686b3e3e9086d8016
SHA512 879ba2af4f54d0b59cf08530abab79ab632ab444a380d888d457996b26189c03b245a58d62d292369768e39e2e04d3da2728074ed7e03a05e7b591d092e1e5ec

memory/4584-46-0x00007FF798000000-0x00007FF798354000-memory.dmp

memory/4116-36-0x00007FF659B20000-0x00007FF659E74000-memory.dmp

memory/3700-31-0x00007FF6E6DE0000-0x00007FF6E7134000-memory.dmp

memory/3964-50-0x00007FF655180000-0x00007FF6554D4000-memory.dmp

C:\Windows\System\lrZppvC.exe

MD5 517ecc25db1408227d63448e3f109b50
SHA1 7c6f7b3a50dfe12cf469d2ea7d60b0068f466911
SHA256 7a1f7a9bdc1f71d7c95fc48b75c513c86ad625868358355fbe3b3835df731b94
SHA512 d06da86a33400ca0c13e81c716fdf725eecf2b8fa834ddc5272e4891ef04dd26cb726c81a1c60dc67c287e6de6113160e4dbd27e32f400f91ca1073cbc373e40

memory/3492-56-0x00007FF7D4A10000-0x00007FF7D4D64000-memory.dmp

C:\Windows\System\fUwMWcX.exe

MD5 35e6869f514b905ed83a0b7999cb4c94
SHA1 207c13318089616b81c73729c01ca328c7175aaa
SHA256 c636c535318ff4c286d2e510a2cce1955b2e7e461c48b781e40034773f6d093c
SHA512 46c5ad107f5009ae84f9bdb32064ea1bf15a88ba7bbe12192f7a98d57b9f8a7c230ef4e3c075a0f7292dc6869c694a22aa6161f147f03f9acdeab31e60417d88

C:\Windows\System\MIymbDQ.exe

MD5 d2e6e085a9b463b53dac57cbb2c7166b
SHA1 161d35fe2aac2b1edef0036c77aecb56f6cb6c99
SHA256 f2ad287d4e6e4a8bd6a426c1f7a45aa8c0a7e4471f1308b9ed9d1237cbfb5a02
SHA512 4e01dd5f6e9d894aa77d053dfc5cd01212cde5876f4c19db652f09dfff5da8853a1e893e82aa62d5d985197067220484324cc793d369332f1026923c3732aa99

memory/4956-67-0x00007FF6ACDA0000-0x00007FF6AD0F4000-memory.dmp

C:\Windows\System\mDuMJMc.exe

MD5 ab38304fc9c20e4b86ab0194732d046f
SHA1 21d90ab70b60c8c1f86c96c9722f420948dfe2ae
SHA256 e53b090858d65bec5be5a1b4acf0e46f63023119f21b85a6c8aba328b414edcb
SHA512 2c4bb4e7e57e63dd7bc3e1f1dcd78566ee7989731f062b917751066cb1595b9f3ca2669ded5d8b280a1690ff5876d5ce79cfbadf08e11b8756a4cc6e2354dbdf

C:\Windows\System\YzACIjm.exe

MD5 b368bc9ec7471d9b934b8d3c0c52fbeb
SHA1 162c0ce7bfe9ef6196b7944eb0233b73d29493e6
SHA256 849f397ba9ac3a064a3be0dd127517b81b78669d39821c5d299c2b7a346a319e
SHA512 4d2570255c46543a91d8d46ff76fc0401c905ccac24799511465e5d57389841d89d99393b2f22c8510986bc60db5625d887e62c1eff846d7997f031b0850f2f0

memory/1280-81-0x00007FF6EEE30000-0x00007FF6EF184000-memory.dmp

memory/1304-82-0x00007FF674890000-0x00007FF674BE4000-memory.dmp

C:\Windows\System\lyClhaA.exe

MD5 cdbb9db60f39383239b2dbdd8b7f7147
SHA1 28c3aff6a2a6c06fa490ab8cee38c2238f77c8e8
SHA256 1ab2b461867f7ff0576e7b94d6372a0057bcd0821a76521791304b952d0a3020
SHA512 c9c98a7edd5756fce84dd22e6d6376968ff5bfa9eea00a203198e7dfa37739331100333fea522fe5501ab39e5056dac9b48ed4f10501d027f44f5bf6e6ac51c9

memory/4452-88-0x00007FF702410000-0x00007FF702764000-memory.dmp

memory/1464-85-0x00007FF6E0AC0000-0x00007FF6E0E14000-memory.dmp

memory/1104-69-0x00007FF756FA0000-0x00007FF7572F4000-memory.dmp

memory/1164-66-0x00007FF61C6B0000-0x00007FF61CA04000-memory.dmp

C:\Windows\System\lOIkzwG.exe

MD5 c74ba07d3e2c5e6aea0a3211b39a3bb2
SHA1 582a4d790c74e22d91670c6fac9cff0cdaf4c6e6
SHA256 e9ca328fbdd3c453e19ea3e521ab57ea226866239d3d1e3aca739684da931d27
SHA512 07975343c023e5c58b76ab2f58507a2fcd3f301f5afc8235d77887f77a02f1269a1e669c531cfdc94408055e3c0077ea5487b976a3024961cfd7848fdbf1839f

memory/1960-92-0x00007FF6E38A0000-0x00007FF6E3BF4000-memory.dmp

memory/876-95-0x00007FF7F7470000-0x00007FF7F77C4000-memory.dmp

C:\Windows\System\krUoYdK.exe

MD5 5f6b6369a522b7f6c460cc5996cb6969
SHA1 bf0617e3a1ae8c9a1442cf68979aa4a1da50e0a4
SHA256 4e3e14f6cddf35780070532de9bf3752452de2ae6abbc24300fd521e84be7f5c
SHA512 978fe8af9d3afeb563043872f4c3b2eeb9dbdb8fe77d1eb63228252daed32d27e10b2aab55144df90887b8aaf370e48827875670d75b36505d8b0b0b0949a581

memory/4676-99-0x00007FF66D400000-0x00007FF66D754000-memory.dmp

C:\Windows\System\fvuuKQa.exe

MD5 bbd5b2ef9f02f4fe684bd8de4f5ad9e6
SHA1 200bc677b6f86067c7bca0ce168c08f9e2650775
SHA256 66fa6a2b19ab4e26a33ab3613b08379019134440a7bd7acae00d140b1d6af315
SHA512 c59b9363594a9ff644fd1da25e39834cade7c2f5888819419bc5c31d9369a6da849aff6a72a5463f13ecae07bcf7ad043199eac24577383096aff77c4820ee2f

memory/3300-107-0x00007FF768B00000-0x00007FF768E54000-memory.dmp

C:\Windows\System\TzMHeCe.exe

MD5 9701861d0834556b62382f6c2cb44623
SHA1 6cbf15a1c1a0c363cfa44e102664aa3ddfe505b3
SHA256 3db2fc801534166c97f630b92a2cda14e42c830095da15e285e04fc72a13ff08
SHA512 4a29910a1a11d0c256d249afa9ae669ae09be2431d13bcb18584af8230f1bbd95afdde22f10d439f6991f63f475fd92e08823131d2e8a3b1defa8f191a6d7d2e

memory/1096-114-0x00007FF7BEA50000-0x00007FF7BEDA4000-memory.dmp

memory/3700-113-0x00007FF6E6DE0000-0x00007FF6E7134000-memory.dmp

C:\Windows\System\ZlPwDvw.exe

MD5 f3d49e40271062090f7fe504fbc7f267
SHA1 f5e54e27e2c69238f5fbac7090b4ed6e9854e9e4
SHA256 c0d7db5370ee09115efdd4f5fe0f44d988765d20f83c05e62e874cc5a676dc10
SHA512 84d57abbff487a5635972d305e9a40936ae51dc9753416d50f9a47c57bb78dcebcecef66afc11af15290200ee5a08e00277e186cc6f6e7c48839f91e808045e5

C:\Windows\System\EdLTCKR.exe

MD5 27052b12168f4f522e153da35ae8bef9
SHA1 199fab6f5682f74346b365059b112e85bd54935d
SHA256 c33d7117d8b3deab24e3fc9579a1459bad40a0569c267ed8ba5552fd22ac3e56
SHA512 fcbeae439169df4bead7c091d6464ed1d6d07578b8856d2dc216ee3a7243b209a5503a44e9c7bc3d6cdff1243f8846bfd14f1b491a0c4417c9ad00e9190d6577

memory/2532-125-0x00007FF70D210000-0x00007FF70D564000-memory.dmp

memory/4780-122-0x00007FF69BA00000-0x00007FF69BD54000-memory.dmp

memory/4116-120-0x00007FF659B20000-0x00007FF659E74000-memory.dmp

C:\Windows\System\UpEALZr.exe

MD5 579cc1f1dcf541603209e769bf35fda5
SHA1 6068c37ad72da3279621ea35013e19a08d6254fc
SHA256 744673dbe1813a95244521bb2924f19a2e3706da8c05c89cfe459d2398b1c855
SHA512 28b97eb11c57fdd3461ab7651566e34255bf7f4579435b8b880568f695b003761452fb5643971be6466dc6b02a9bc736adfc83d34fca828cecccef92a6626ec3

memory/4304-132-0x00007FF7EFFA0000-0x00007FF7F02F4000-memory.dmp

memory/876-133-0x00007FF7F7470000-0x00007FF7F77C4000-memory.dmp

memory/4676-134-0x00007FF66D400000-0x00007FF66D754000-memory.dmp

memory/2532-135-0x00007FF70D210000-0x00007FF70D564000-memory.dmp

memory/1280-136-0x00007FF6EEE30000-0x00007FF6EF184000-memory.dmp

memory/1960-137-0x00007FF6E38A0000-0x00007FF6E3BF4000-memory.dmp

memory/440-138-0x00007FF738FF0000-0x00007FF739344000-memory.dmp

memory/3068-139-0x00007FF74D280000-0x00007FF74D5D4000-memory.dmp

memory/3700-140-0x00007FF6E6DE0000-0x00007FF6E7134000-memory.dmp

memory/4116-141-0x00007FF659B20000-0x00007FF659E74000-memory.dmp

memory/4584-142-0x00007FF798000000-0x00007FF798354000-memory.dmp

memory/3964-143-0x00007FF655180000-0x00007FF6554D4000-memory.dmp

memory/3492-144-0x00007FF7D4A10000-0x00007FF7D4D64000-memory.dmp

memory/4956-145-0x00007FF6ACDA0000-0x00007FF6AD0F4000-memory.dmp

memory/1104-146-0x00007FF756FA0000-0x00007FF7572F4000-memory.dmp

memory/1304-147-0x00007FF674890000-0x00007FF674BE4000-memory.dmp

memory/1464-148-0x00007FF6E0AC0000-0x00007FF6E0E14000-memory.dmp

memory/4452-149-0x00007FF702410000-0x00007FF702764000-memory.dmp

memory/876-150-0x00007FF7F7470000-0x00007FF7F77C4000-memory.dmp

memory/4676-151-0x00007FF66D400000-0x00007FF66D754000-memory.dmp

memory/3300-152-0x00007FF768B00000-0x00007FF768E54000-memory.dmp

memory/1096-153-0x00007FF7BEA50000-0x00007FF7BEDA4000-memory.dmp

memory/4780-154-0x00007FF69BA00000-0x00007FF69BD54000-memory.dmp

memory/2532-155-0x00007FF70D210000-0x00007FF70D564000-memory.dmp

memory/4304-156-0x00007FF7EFFA0000-0x00007FF7F02F4000-memory.dmp