Malware Analysis Report

2025-01-22 19:40

Sample ID 240601-cly4wsfa29
Target 2024-06-01_a910008adaf9450eea3202c7f36efe6f_cobalt-strike_cobaltstrike
SHA256 373605d3ddfbbee1620af6674cb46a695ba0ab2a9ea9fd7dfc95e1d5138039e2
Tags: miner upx 0 xmrig cobaltstrike backdoor trojan
Score: 10/10


Analysis Overview

Score: 10/10

SHA256 373605d3ddfbbee1620af6674cb46a695ba0ab2a9ea9fd7dfc95e1d5138039e2

Threat Level: Known bad

The file 2024-06-01_a910008adaf9450eea3202c7f36efe6f_cobalt-strike_cobaltstrike was found to be: Known bad.

Malicious Activity Summary

Tags: miner upx 0 xmrig cobaltstrike backdoor trojan

XMRig Miner payload
Detects Reflective DLL injection artifacts
Cobaltstrike family (cobaltstrike)
Cobalt Strike reflective loader
Xmrig family (xmrig)
UPX dump on OEP (original entry point)
UPX packed file
Executes dropped EXE
Loads dropped DLL
Drops file in Windows directory
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported: 2024-06-01 02:10

Signatures

The following signatures matched in the static analysis; the report gives no description, indicator, process or target for any of them.

Cobalt Strike reflective loader
Cobaltstrike family (cobaltstrike)
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload (miner)
Xmrig family (xmrig)
UPX packed file (upx)
Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-01 02:10
Reported: 2024-06-01 02:13
Platform: win7-20240221-en
Max time kernel: 137s
Max time network: 147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-01_a910008adaf9450eea3202c7f36efe6f_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

21 hits; no description, indicator, process or target reported for any of them.

Cobaltstrike (trojan backdoor cobaltstrike)

xmrig (miner xmrig)

Detects Reflective DLL injection artifacts

21 hits; no description, indicator, process or target reported for any of them.

UPX dump on OEP (original entry point)

53 hits; no description, indicator, process or target reported for any of them.

XMRig Miner payload (miner)

58 hits; no description, indicator, process or target reported for any of them.

Loads dropped DLL

21 hits, all attributed to process C:\Users\Admin\AppData\Local\Temp\2024-06-01_a910008adaf9450eea3202c7f36efe6f_cobalt-strike_cobaltstrike.exe; no description, indicator or target reported.

UPX packed file (upx)

53 hits; no description, indicator, process or target reported for any of them.

Drops file in Windows directory

Process C:\Users\Admin\AppData\Local\Temp\2024-06-01_a910008adaf9450eea3202c7f36efe6f_cobalt-strike_cobaltstrike.exe created the following 21 files (no indicator or target reported):

C:\Windows\System\oLgkAMg.exe
C:\Windows\System\yKvwNdn.exe
C:\Windows\System\uWOBZed.exe
C:\Windows\System\jqGNxrr.exe
C:\Windows\System\TERVYEf.exe
C:\Windows\System\fccYcoM.exe
C:\Windows\System\pifZSGA.exe
C:\Windows\System\KewUouY.exe
C:\Windows\System\sukIeVt.exe
C:\Windows\System\mhUDRet.exe
C:\Windows\System\CgrxFkV.exe
C:\Windows\System\BuUSHRF.exe
C:\Windows\System\xxcexFD.exe
C:\Windows\System\OgGKqJP.exe
C:\Windows\System\RmOvWrF.exe
C:\Windows\System\yPAXjhg.exe
C:\Windows\System\YmXaPId.exe
C:\Windows\System\iRsxdZC.exe
C:\Windows\System\TKHPVVc.exe
C:\Windows\System\MGAiVsU.exe
C:\Windows\System\qFarsaE.exe

Suspicious use of AdjustPrivilegeToken

Token: SeLockMemoryPrivilege, adjusted by process C:\Users\Admin\AppData\Local\Temp\2024-06-01_a910008adaf9450eea3202c7f36efe6f_cobalt-strike_cobaltstrike.exe (2 events; no indicator or target reported).

Suspicious use of WriteProcessMemory

PID 2980 (C:\Users\Admin\AppData\Local\Temp\2024-06-01_a910008adaf9450eea3202c7f36efe6f_cobalt-strike_cobaltstrike.exe) wrote to the memory of each of the following child processes three times (no indicator reported):

PID 2112  C:\Windows\System\TERVYEf.exe
PID 2920  C:\Windows\System\KewUouY.exe
PID 2992  C:\Windows\System\fccYcoM.exe
PID 2584  C:\Windows\System\oLgkAMg.exe
PID 2688  C:\Windows\System\OgGKqJP.exe
PID 2580  C:\Windows\System\RmOvWrF.exe
PID 2432  C:\Windows\System\mhUDRet.exe
PID 2772  C:\Windows\System\CgrxFkV.exe
PID 2460  C:\Windows\System\MGAiVsU.exe
PID 2620  C:\Windows\System\sukIeVt.exe
PID 2592  C:\Windows\System\yKvwNdn.exe
PID 2624  C:\Windows\System\qFarsaE.exe
PID 2444  C:\Windows\System\yPAXjhg.exe
PID 2548  C:\Windows\System\YmXaPId.exe
PID 2484  C:\Windows\System\uWOBZed.exe
PID 2856  C:\Windows\System\iRsxdZC.exe
PID 1668  C:\Windows\System\jqGNxrr.exe
PID 1624  C:\Windows\System\BuUSHRF.exe
PID 1556  C:\Windows\System\TKHPVVc.exe
PID 2412  C:\Windows\System\pifZSGA.exe
PID 2516  C:\Windows\System\xxcexFD.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-01_a910008adaf9450eea3202c7f36efe6f_cobalt-strike_cobaltstrike.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2024-06-01_a910008adaf9450eea3202c7f36efe6f_cobalt-strike_cobaltstrike.exe"

Child processes (each launched with its own path as the command line):

C:\Windows\System\TERVYEf.exe
C:\Windows\System\KewUouY.exe
C:\Windows\System\fccYcoM.exe
C:\Windows\System\oLgkAMg.exe
C:\Windows\System\OgGKqJP.exe
C:\Windows\System\RmOvWrF.exe
C:\Windows\System\mhUDRet.exe
C:\Windows\System\CgrxFkV.exe
C:\Windows\System\MGAiVsU.exe
C:\Windows\System\sukIeVt.exe
C:\Windows\System\yKvwNdn.exe
C:\Windows\System\qFarsaE.exe
C:\Windows\System\yPAXjhg.exe
C:\Windows\System\YmXaPId.exe
C:\Windows\System\uWOBZed.exe
C:\Windows\System\iRsxdZC.exe
C:\Windows\System\jqGNxrr.exe
C:\Windows\System\BuUSHRF.exe
C:\Windows\System\TKHPVVc.exe
C:\Windows\System\pifZSGA.exe
C:\Windows\System\xxcexFD.exe

Network

Country  Destination         Domain  Proto
DE       3.120.209.58:8080   (none)  tcp    (6 connections)

Files

memory/2980-0-0x000000013F710000-0x000000013FA64000-memory.dmp

memory/2980-1-0x00000000001F0000-0x0000000000200000-memory.dmp

C:\Windows\system\TERVYEf.exe

MD5 b94a20d8a56dc08a659696e5f74ddcc8
SHA1 abeae3319c609c5a9c4a9a2451569464ff41f4db
SHA256 5fd6e5b530ac429293452020be7c6991f6a6ae37652cda2f2a1c04124c0d1469
SHA512 8ed5965277484046d64a9298a2593afd7b70c8c34ea66b3cb4fd61228bec8fa503c8ffaa178c5d9958a6360dcdab20f4c6b2208916684a14720b0dfe7b1484f7

\Windows\system\KewUouY.exe

MD5 ed4e42b18e2effbb5fe50117c40260f1
SHA1 2f2690d7a13746be738269a1d7ffc6de9b77edc7
SHA256 2e3b717855d0d86f9a866263eadb9be6ac72cf5e374772d118a48c3ede343d9a
SHA512 a0bca83e331b127638dd4dd6647115e22ec0d436558ce2d9acedfdaea799eee261bc22a68ad5eec04d3becf799788cc346cf76bd94ce226b70ad656906f6315d

memory/2980-16-0x000000013F0D0000-0x000000013F424000-memory.dmp

C:\Windows\system\OgGKqJP.exe

MD5 bbf646601131b01db21d0f94aa575cd3
SHA1 c501d13011676315243fa3bac4292044878c5eac
SHA256 c2cb346783130c6db76c1316ff986a0bcd9bcc6439e10f0ade3c55fcb995c26f
SHA512 708f3b1724e99b432df150cd66ca68858171ca99cdb738103b6d58d18441c3743679d1c00e73c17355db69279253d04984a403780472def29a97a7a15fb49093

C:\Windows\system\oLgkAMg.exe

MD5 885caff8d90f2d4e8c04fc98ca299bd3
SHA1 47433eceabcc65eea1fd65fc46572b7d7d7b4c10
SHA256 c9e74d82458134e7e35fa28825768e411b9d1bc675c84004d9b973c86f6cceeb
SHA512 d930c6450d68c2f89ec4f008e644c55ed5afb92a9127a91f18ff73fbbe88881630683c847b950bec0e01ec6c1534030ea196ab60be395dc82180300679844358

C:\Windows\system\RmOvWrF.exe

MD5 85a52ecb7d8bfc442f3b75ebb59ff723
SHA1 e0c9c19c82ed4ad3847ffe6a45e00ece84d6059d
SHA256 f505e5b55d1c4d57995c0c4ac905d3e45050e155fb4211820a91781873b175ea
SHA512 a168caf5f36a4b4224cf06da5742ec90c73728592866f5cf580810ac17be7adb7eabd862cab98e23c122886923d9d6ee81dbdf2cd2af3b0a9e8100b56da50a68

C:\Windows\system\mhUDRet.exe

MD5 5252b6d3e88d9fe65227deceed8e8f8f
SHA1 6cb6dbeb6706c267489706c83976438744b952e3
SHA256 b0dc6888af551d56d0429524561fdd8493734876a8450540948e640fe6c89a2f
SHA512 10ea1afbd3e3b6a77037972248ea1d56c5349c2df8708a66320a2f04791e6b5add67a2a00e54ffad004cd72d4691607cc45cdb8aef697521166566514f33469c

C:\Windows\system\MGAiVsU.exe

MD5 dd0849fd19614fcafc7acf5d0f22fabc
SHA1 0f53ffa5d0e8bc5787fe03fdb27576cbe84edf03
SHA256 38313b73fe314617040c9b0fbbcd380b905ed350a1b419a904369a769074ceef
SHA512 b5ae533372dcdf495986f3ee7b4bdbf65484021b8a4209578b60b37cb4d0a0c4370e0a13c0e0e9ac10a56fe15a80ddb483f15a2deb04a7947116cdb6b9a67e56

C:\Windows\system\qFarsaE.exe

MD5 b2cf75e7010f3a2a98e76df10048849d
SHA1 7ecb0c45b8fe718d35f8ee7682ba93eb3c9a5ca2
SHA256 0bec958d59c164f45ce0d4b8e24e477202e1e5ff2b5d406faecce343b9068d74
SHA512 baa28348e81342e51e319a0b689a1ba4d5594c0fd4ba2645da80fdc94f4a086a735a2604a6ebea31487fbd37764677baac728042605a3859c2677616ff5ab7cb

C:\Windows\system\uWOBZed.exe

MD5 8efc04cce09a6276596809c4dce436cb
SHA1 766612f2cd9dd8779985a301d542321f6bb184a2
SHA256 3785d3549287fe895670b0d43a4eafd75c9692f0f8758e4e46d44652d97c9fdd
SHA512 338697430f7ea277f7efb5751e93ca7755f93042d2035966b7fa94da1667d7967f99c52a0d9c68cc1f0cd92e2dfa81ef5ac05e3fd5728cd432c78a13250e4d20

C:\Windows\system\xxcexFD.exe

MD5 2ea97e6e78dec58b077cce0c899b587b
SHA1 4b4b0af25a4c999f8ddc93efe342408d09a5d926
SHA256 77566eaf56b4e1bc8e76e2340970c7f44ab6adfac9866ec31db08dcccc3f1b9d
SHA512 e18a1d1bee2c4de16a29d4c1706d624181bda91bd7876bec761383c08ec2258ed106c50ead247f847476f44f72ef173dcea031a42062490bd5e40efbc1a0b079

C:\Windows\system\pifZSGA.exe

MD5 8e39214023ace2079f3980144dc30989
SHA1 f004999080af1b26c5a9c6721038410c6a7d9ce8
SHA256 a3a677e0add3fe64d97d1178206803fe92994ac74aeefdf02958249badb78730
SHA512 ff94127244719b4006b5c4e1cc1f4fd49360a391f692b7379f5a2730ae31145efb201468151ad4298916e79c71523cc6d96490ef8eb0e9a73698203535526521

C:\Windows\system\TKHPVVc.exe

MD5 180b0eda0fe360a0046334f408abceb7
SHA1 6d43e47dc45848762c3a7f29b95aade2a675ecc3
SHA256 7e74f948527b8a0857f2737e9fb07725813707d03a911760ccfd1a2327b15f5a
SHA512 63ca8ec716a1d2ea487266a0e684f713a2a36d39a90cb3b3a7a36078feb6e053dae7ffa53faedb8ee8c3580a0176fe07ed68c77e6f78b2795ba096048cae87d0

memory/2112-89-0x000000013F0D0000-0x000000013F424000-memory.dmp

C:\Windows\system\BuUSHRF.exe

MD5 dfd02e282dbb427c1309100ffe31c6b4
SHA1 e045376b1f09ed765dfa0d22824ea99e9ef47175
SHA256 deedcd4518705eff5ddbebfe8f5d7ab3b9e3672b799b368d6f59fc0dc5eec66c
SHA512 671271c121a1d8ab7b87909b3a1357ceb051c99bc467b6f51c28e3018456eee22aba65962ba8d61f723afa20144ce7262e34193ee23c5b3a5368037162bbf002

C:\Windows\system\jqGNxrr.exe

MD5 7a6c190b3f5c2b1f264c35fd2f70d927
SHA1 f2db4093946742054ade34e6c6529920cce9927e
SHA256 8bfc8721920549a1ffb9dd3863b536409ab47e6af4187d8349c831112150522e
SHA512 993e832aec3946b28328a2754e2d1bdedb432d9208d68c51ba98ff86baf6a047a83b0a579898c851f899f3a169dea3ad25e8b7780d8d89a1245e15306296c093

C:\Windows\system\iRsxdZC.exe

MD5 d471f5e54f34b7bb01161d61b43b0635
SHA1 4ef1c9b6ef6c0f2d9d99205cd7b404e634a6d3c0
SHA256 7d611cc48da99f521cd9483463eadeff54cb63495e1f08a5dd8eec27e65da0eb
SHA512 edc64be65bda5b0dda1671fbf65eacb5502809a6af01d82d59cf819352727c873b65a589f3e9d0aa43b177d3d49e7a9004a566896b098c860ec2c8e038ad04b3

C:\Windows\system\YmXaPId.exe

MD5 3ece44a9b8e51148c4d03d9f5188d46a
SHA1 3c375449ae868cf9057c29364c1c7d9718c21839
SHA256 441d0d1736ee1533d2693bfab12ddc5e31595833ae526016163b29893bb53f4d
SHA512 b045fdf4af95fc05da7f4fc5b0222f640be724b3c883fe334c9dfc5bc7b262a8b8b45838c0f71de077dcaf806ff6859144f4aaf7d7e770f9997b99c3645b4451

C:\Windows\system\yPAXjhg.exe

MD5 54786916a293bfd485dc02570828a88a
SHA1 9947749694007997d6c070f586356e8ae7e3ac64
SHA256 076d4a9ec599a158bb83a1660a964c446f53644bee159688d4cc774ba65bb079
SHA512 4e7d3df950d938fed43795c3062499fa75cccbfc8c1ac6275f098d5899d5651eb8c786d6055387eea8c78882d8966eec9e49e13da380df03a830268b6b88169a

C:\Windows\system\yKvwNdn.exe

MD5 9ffa3d8e2ca69b339909cd547427b7f5
SHA1 42e3875f1b8e0ce6bda1b61c1b84f9eedaaf78d9
SHA256 e46819c0a745bf91c6f7236be1e534a6968075c7119bd17c65d1e529520b4125
SHA512 9a9ec88763eba38d59cebd4e543be373cb0dddf986fd33aa8257b987507a3b1ac37c5a88075dc1e160b44b7657a4b4dbc955c9ae3eb39b8325187179ef85669c

C:\Windows\system\sukIeVt.exe

MD5 aeea2048c4be40756bf9e7fdc9cad2f2
SHA1 267500ea50ce8b8b2b8291e53e9493bc80b38eae
SHA256 c4d8c8c9d1cadca4a4c281f6b215c33bc115ba876a719c1b5542d13063f9f1fa
SHA512 d695ec83b1cb1d26e9602f03cc38dde0e7ccb4205d07ab239e28e22f8c44727c03dccdf8c509e114743e3de50f493f700ba00110dafbc68d9d39a7efa23bde72

C:\Windows\system\CgrxFkV.exe

MD5 c60a7f449507e6ecf8f22fbb4a87eec1
SHA1 c19a7e351efd42d1ab93ada326c5be2b0aa27243
SHA256 34ca22ed916d514a7e38f5ad98da340e0da7bff49cbbdb7af8e9db572fc0f998
SHA512 ab9e797be3bed823d7cff6b766d1452e838e79c8094b14438c5571b765fcd47fc4cde9cd8614cfedf12e91a10414a15f1dca949bb6a281cbb3072ee9e9f42d55

C:\Windows\system\fccYcoM.exe

MD5 b57a2982b5ce8b6ca16eb229910f2913
SHA1 974a78a13acaabe3bd9792d0e4c67e3ecc9ba0f4
SHA256 8625ef80301852a79dea141d0666086913e279324d2edc4a9f632b1ea223b97d
SHA512 c131f4eefc4414acb979276c70aa86f22831ad11f4be2442621ecf71f18b50adfe0538ea47ad331b78b312f85be654d93687b4a4ac75de86e509a797ff0a6705

memory/2980-95-0x00000000021B0000-0x0000000002504000-memory.dmp

memory/2688-113-0x000000013FC60000-0x000000013FFB4000-memory.dmp

memory/2980-111-0x000000013FC60000-0x000000013FFB4000-memory.dmp

memory/2980-117-0x000000013FEF0000-0x0000000140244000-memory.dmp

memory/2580-116-0x000000013F630000-0x000000013F984000-memory.dmp

memory/2980-114-0x00000000021B0000-0x0000000002504000-memory.dmp

memory/2584-107-0x000000013F7D0000-0x000000013FB24000-memory.dmp

memory/2980-119-0x000000013FF50000-0x00000001402A4000-memory.dmp

memory/2460-122-0x000000013F7E0000-0x000000013FB34000-memory.dmp

memory/2980-121-0x00000000021B0000-0x0000000002504000-memory.dmp

memory/2624-128-0x000000013F470000-0x000000013F7C4000-memory.dmp

memory/2980-127-0x00000000021B0000-0x0000000002504000-memory.dmp

memory/2980-134-0x000000013F1C0000-0x000000013F514000-memory.dmp

memory/2980-135-0x00000000021B0000-0x0000000002504000-memory.dmp

memory/2980-133-0x000000013FEF0000-0x0000000140244000-memory.dmp

memory/2548-132-0x000000013F8A0000-0x000000013FBF4000-memory.dmp

memory/2980-131-0x00000000021B0000-0x0000000002504000-memory.dmp

memory/2444-130-0x000000013F500000-0x000000013F854000-memory.dmp

memory/2980-129-0x00000000021B0000-0x0000000002504000-memory.dmp

memory/2592-126-0x000000013F3E0000-0x000000013F734000-memory.dmp

memory/2980-125-0x00000000021B0000-0x0000000002504000-memory.dmp

memory/2620-124-0x000000013FCF0000-0x0000000140044000-memory.dmp

memory/2980-123-0x000000013FCF0000-0x0000000140044000-memory.dmp

memory/2772-120-0x000000013FF50000-0x00000001402A4000-memory.dmp

memory/2432-118-0x000000013FEF0000-0x0000000140244000-memory.dmp

memory/2992-98-0x000000013F960000-0x000000013FCB4000-memory.dmp

memory/2920-94-0x000000013F1C0000-0x000000013F514000-memory.dmp

memory/2980-136-0x000000013F710000-0x000000013FA64000-memory.dmp

memory/2980-137-0x000000013F0D0000-0x000000013F424000-memory.dmp

memory/2920-138-0x000000013F1C0000-0x000000013F514000-memory.dmp

memory/2980-139-0x00000000021B0000-0x0000000002504000-memory.dmp

memory/2584-140-0x000000013F7D0000-0x000000013FB24000-memory.dmp

memory/2980-141-0x000000013FC60000-0x000000013FFB4000-memory.dmp

memory/2112-142-0x000000013F0D0000-0x000000013F424000-memory.dmp

memory/2992-143-0x000000013F960000-0x000000013FCB4000-memory.dmp

memory/2432-145-0x000000013FEF0000-0x0000000140244000-memory.dmp

memory/2460-146-0x000000013F7E0000-0x000000013FB34000-memory.dmp

memory/2688-144-0x000000013FC60000-0x000000013FFB4000-memory.dmp

memory/2592-147-0x000000013F3E0000-0x000000013F734000-memory.dmp

memory/2580-151-0x000000013F630000-0x000000013F984000-memory.dmp

memory/2584-150-0x000000013F7D0000-0x000000013FB24000-memory.dmp

memory/2920-149-0x000000013F1C0000-0x000000013F514000-memory.dmp

memory/2444-148-0x000000013F500000-0x000000013F854000-memory.dmp

memory/2548-153-0x000000013F8A0000-0x000000013FBF4000-memory.dmp

memory/2772-155-0x000000013FF50000-0x00000001402A4000-memory.dmp

memory/2620-154-0x000000013FCF0000-0x0000000140044000-memory.dmp

memory/2624-152-0x000000013F470000-0x000000013F7C4000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-01 02:10

Reported

2024-06-01 02:13

Platform

win10v2004-20240426-en

Max time kernel

148s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-01_a910008adaf9450eea3202c7f36efe6f_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\hmgXtoc.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_a910008adaf9450eea3202c7f36efe6f_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\CRHZbAz.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_a910008adaf9450eea3202c7f36efe6f_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\BdzXCAN.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_a910008adaf9450eea3202c7f36efe6f_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\OCzxLCA.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_a910008adaf9450eea3202c7f36efe6f_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\FGASqSa.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_a910008adaf9450eea3202c7f36efe6f_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\sgdlyLo.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_a910008adaf9450eea3202c7f36efe6f_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\XfDPQph.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_a910008adaf9450eea3202c7f36efe6f_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\iYFfEad.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_a910008adaf9450eea3202c7f36efe6f_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ybkklFw.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_a910008adaf9450eea3202c7f36efe6f_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\lFKmwvO.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_a910008adaf9450eea3202c7f36efe6f_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\OQaOiuV.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_a910008adaf9450eea3202c7f36efe6f_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\eFldnIe.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_a910008adaf9450eea3202c7f36efe6f_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\jweaeeA.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_a910008adaf9450eea3202c7f36efe6f_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\jOmexhm.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_a910008adaf9450eea3202c7f36efe6f_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\tFQjzyV.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_a910008adaf9450eea3202c7f36efe6f_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\fSZtAuU.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_a910008adaf9450eea3202c7f36efe6f_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\FYASsoQ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_a910008adaf9450eea3202c7f36efe6f_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\vkKhDdq.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_a910008adaf9450eea3202c7f36efe6f_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\buyUdOX.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_a910008adaf9450eea3202c7f36efe6f_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\OZAAIoO.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_a910008adaf9450eea3202c7f36efe6f_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\hLihZjl.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_a910008adaf9450eea3202c7f36efe6f_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_a910008adaf9450eea3202c7f36efe6f_cobalt-strike_cobaltstrike.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_a910008adaf9450eea3202c7f36efe6f_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1848 wrote to memory of 3968 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_a910008adaf9450eea3202c7f36efe6f_cobalt-strike_cobaltstrike.exe C:\Windows\System\jOmexhm.exe
PID 1848 wrote to memory of 3968 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_a910008adaf9450eea3202c7f36efe6f_cobalt-strike_cobaltstrike.exe C:\Windows\System\jOmexhm.exe
PID 1848 wrote to memory of 3020 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_a910008adaf9450eea3202c7f36efe6f_cobalt-strike_cobaltstrike.exe C:\Windows\System\tFQjzyV.exe
PID 1848 wrote to memory of 3020 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_a910008adaf9450eea3202c7f36efe6f_cobalt-strike_cobaltstrike.exe C:\Windows\System\tFQjzyV.exe
PID 1848 wrote to memory of 4068 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_a910008adaf9450eea3202c7f36efe6f_cobalt-strike_cobaltstrike.exe C:\Windows\System\hmgXtoc.exe
PID 1848 wrote to memory of 4068 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_a910008adaf9450eea3202c7f36efe6f_cobalt-strike_cobaltstrike.exe C:\Windows\System\hmgXtoc.exe
PID 1848 wrote to memory of 4224 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_a910008adaf9450eea3202c7f36efe6f_cobalt-strike_cobaltstrike.exe C:\Windows\System\fSZtAuU.exe
PID 1848 wrote to memory of 4224 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_a910008adaf9450eea3202c7f36efe6f_cobalt-strike_cobaltstrike.exe C:\Windows\System\fSZtAuU.exe
PID 1848 wrote to memory of 2152 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_a910008adaf9450eea3202c7f36efe6f_cobalt-strike_cobaltstrike.exe C:\Windows\System\ybkklFw.exe
PID 1848 wrote to memory of 2152 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_a910008adaf9450eea3202c7f36efe6f_cobalt-strike_cobaltstrike.exe C:\Windows\System\ybkklFw.exe
PID 1848 wrote to memory of 2508 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_a910008adaf9450eea3202c7f36efe6f_cobalt-strike_cobaltstrike.exe C:\Windows\System\lFKmwvO.exe
PID 1848 wrote to memory of 2508 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_a910008adaf9450eea3202c7f36efe6f_cobalt-strike_cobaltstrike.exe C:\Windows\System\lFKmwvO.exe
PID 1848 wrote to memory of 3324 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_a910008adaf9450eea3202c7f36efe6f_cobalt-strike_cobaltstrike.exe C:\Windows\System\buyUdOX.exe
PID 1848 wrote to memory of 3324 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_a910008adaf9450eea3202c7f36efe6f_cobalt-strike_cobaltstrike.exe C:\Windows\System\buyUdOX.exe
PID 1848 wrote to memory of 2272 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_a910008adaf9450eea3202c7f36efe6f_cobalt-strike_cobaltstrike.exe C:\Windows\System\sgdlyLo.exe
PID 1848 wrote to memory of 2272 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_a910008adaf9450eea3202c7f36efe6f_cobalt-strike_cobaltstrike.exe C:\Windows\System\sgdlyLo.exe
PID 1848 wrote to memory of 4696 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_a910008adaf9450eea3202c7f36efe6f_cobalt-strike_cobaltstrike.exe C:\Windows\System\OQaOiuV.exe
PID 1848 wrote to memory of 4696 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_a910008adaf9450eea3202c7f36efe6f_cobalt-strike_cobaltstrike.exe C:\Windows\System\OQaOiuV.exe
PID 1848 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_a910008adaf9450eea3202c7f36efe6f_cobalt-strike_cobaltstrike.exe C:\Windows\System\XfDPQph.exe
PID 1848 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_a910008adaf9450eea3202c7f36efe6f_cobalt-strike_cobaltstrike.exe C:\Windows\System\XfDPQph.exe
PID 1848 wrote to memory of 804 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_a910008adaf9450eea3202c7f36efe6f_cobalt-strike_cobaltstrike.exe C:\Windows\System\OZAAIoO.exe
PID 1848 wrote to memory of 804 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_a910008adaf9450eea3202c7f36efe6f_cobalt-strike_cobaltstrike.exe C:\Windows\System\OZAAIoO.exe
PID 1848 wrote to memory of 856 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_a910008adaf9450eea3202c7f36efe6f_cobalt-strike_cobaltstrike.exe C:\Windows\System\iYFfEad.exe
PID 1848 wrote to memory of 856 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_a910008adaf9450eea3202c7f36efe6f_cobalt-strike_cobaltstrike.exe C:\Windows\System\iYFfEad.exe
PID 1848 wrote to memory of 388 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_a910008adaf9450eea3202c7f36efe6f_cobalt-strike_cobaltstrike.exe C:\Windows\System\eFldnIe.exe
PID 1848 wrote to memory of 388 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_a910008adaf9450eea3202c7f36efe6f_cobalt-strike_cobaltstrike.exe C:\Windows\System\eFldnIe.exe
PID 1848 wrote to memory of 632 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_a910008adaf9450eea3202c7f36efe6f_cobalt-strike_cobaltstrike.exe C:\Windows\System\BdzXCAN.exe
PID 1848 wrote to memory of 632 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_a910008adaf9450eea3202c7f36efe6f_cobalt-strike_cobaltstrike.exe C:\Windows\System\BdzXCAN.exe
PID 1848 wrote to memory of 2624 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_a910008adaf9450eea3202c7f36efe6f_cobalt-strike_cobaltstrike.exe C:\Windows\System\hLihZjl.exe
PID 1848 wrote to memory of 2624 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_a910008adaf9450eea3202c7f36efe6f_cobalt-strike_cobaltstrike.exe C:\Windows\System\hLihZjl.exe
PID 1848 wrote to memory of 1200 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_a910008adaf9450eea3202c7f36efe6f_cobalt-strike_cobaltstrike.exe C:\Windows\System\jweaeeA.exe
PID 1848 wrote to memory of 1200 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_a910008adaf9450eea3202c7f36efe6f_cobalt-strike_cobaltstrike.exe C:\Windows\System\jweaeeA.exe
PID 1848 wrote to memory of 1012 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_a910008adaf9450eea3202c7f36efe6f_cobalt-strike_cobaltstrike.exe C:\Windows\System\OCzxLCA.exe
PID 1848 wrote to memory of 1012 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_a910008adaf9450eea3202c7f36efe6f_cobalt-strike_cobaltstrike.exe C:\Windows\System\OCzxLCA.exe
PID 1848 wrote to memory of 4232 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_a910008adaf9450eea3202c7f36efe6f_cobalt-strike_cobaltstrike.exe C:\Windows\System\vkKhDdq.exe
PID 1848 wrote to memory of 4232 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_a910008adaf9450eea3202c7f36efe6f_cobalt-strike_cobaltstrike.exe C:\Windows\System\vkKhDdq.exe
PID 1848 wrote to memory of 3928 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_a910008adaf9450eea3202c7f36efe6f_cobalt-strike_cobaltstrike.exe C:\Windows\System\FGASqSa.exe
PID 1848 wrote to memory of 3928 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_a910008adaf9450eea3202c7f36efe6f_cobalt-strike_cobaltstrike.exe C:\Windows\System\FGASqSa.exe
PID 1848 wrote to memory of 2348 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_a910008adaf9450eea3202c7f36efe6f_cobalt-strike_cobaltstrike.exe C:\Windows\System\FYASsoQ.exe
PID 1848 wrote to memory of 2348 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_a910008adaf9450eea3202c7f36efe6f_cobalt-strike_cobaltstrike.exe C:\Windows\System\FYASsoQ.exe
PID 1848 wrote to memory of 3372 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_a910008adaf9450eea3202c7f36efe6f_cobalt-strike_cobaltstrike.exe C:\Windows\System\CRHZbAz.exe
PID 1848 wrote to memory of 3372 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_a910008adaf9450eea3202c7f36efe6f_cobalt-strike_cobaltstrike.exe C:\Windows\System\CRHZbAz.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-01_a910008adaf9450eea3202c7f36efe6f_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-01_a910008adaf9450eea3202c7f36efe6f_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\jOmexhm.exe

C:\Windows\System\jOmexhm.exe

C:\Windows\System\tFQjzyV.exe

C:\Windows\System\tFQjzyV.exe

C:\Windows\System\hmgXtoc.exe

C:\Windows\System\hmgXtoc.exe

C:\Windows\System\fSZtAuU.exe

C:\Windows\System\fSZtAuU.exe

C:\Windows\System\ybkklFw.exe

C:\Windows\System\ybkklFw.exe

C:\Windows\System\lFKmwvO.exe

C:\Windows\System\lFKmwvO.exe

C:\Windows\System\buyUdOX.exe

C:\Windows\System\buyUdOX.exe

C:\Windows\System\sgdlyLo.exe

C:\Windows\System\sgdlyLo.exe

C:\Windows\System\OQaOiuV.exe

C:\Windows\System\OQaOiuV.exe

C:\Windows\System\XfDPQph.exe

C:\Windows\System\XfDPQph.exe

C:\Windows\System\OZAAIoO.exe

C:\Windows\System\OZAAIoO.exe

C:\Windows\System\iYFfEad.exe

C:\Windows\System\iYFfEad.exe

C:\Windows\System\eFldnIe.exe

C:\Windows\System\eFldnIe.exe

C:\Windows\System\BdzXCAN.exe

C:\Windows\System\BdzXCAN.exe

C:\Windows\System\hLihZjl.exe

C:\Windows\System\hLihZjl.exe

C:\Windows\System\jweaeeA.exe

C:\Windows\System\jweaeeA.exe

C:\Windows\System\OCzxLCA.exe

C:\Windows\System\OCzxLCA.exe

C:\Windows\System\vkKhDdq.exe

C:\Windows\System\vkKhDdq.exe

C:\Windows\System\FGASqSa.exe

C:\Windows\System\FGASqSa.exe

C:\Windows\System\FYASsoQ.exe

C:\Windows\System\FYASsoQ.exe

C:\Windows\System\CRHZbAz.exe

C:\Windows\System\CRHZbAz.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
US 52.111.227.11:443 tcp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 168.117.168.52.in-addr.arpa udp

Files

memory/1848-0-0x00007FF6A3F10000-0x00007FF6A4264000-memory.dmp

memory/1848-1-0x00000215FB8E0000-0x00000215FB8F0000-memory.dmp

C:\Windows\System\jOmexhm.exe

MD5 84870a002b4cfab8c5617f6a9941494d
SHA1 1501d09929e93fa690b180432591b4819ddf7aa3
SHA256 19446a126ee5efcd7cb001a5b69cf013383fa1cf0a18bbd5096f00a9a14b081d
SHA512 1a6003fb001e8dd924ff52ada1107f1433ba64ef958652665f58224fb2470f3e6b1e726e18e20d33d88b919964d3523c5d695bb10cf628e8c8af4f9123549acb

C:\Windows\System\tFQjzyV.exe

MD5 e62b34a00701d39bb4b80c129665e25e
SHA1 13516ab1fcbf399855ee7d53bbd7daaa35c66b48
SHA256 c622defd6927a02ef99b2745fac84c62292d94a0caeba2d452721e6a45305229
SHA512 40540e8c468100b6a0243d162a76c0b468006ff9178d81843ffa7ef996d97622a470d34c24a49534a2c7394c575cac8d251361fd312f920d61b6ab56fd02a189

C:\Windows\System\hmgXtoc.exe

MD5 a9bfb3ad3cfc99ca2d29ee3f203a232c
SHA1 c83f28fd2ac599ee41a31fafd4c4953cc8c9050a
SHA256 9f2f5b27d5f4eedee9672355de87fae21e5cdf5b600f7a3efb20e5773b94e6a1
SHA512 fb55449ae26e93ddce5f99506ca9bd8d3f9b0588873198b06a9bb85e22121b6aef7b7ecd858b9c8649f22557857a15145ba5950562844815885b545b7b6830b8

memory/3968-8-0x00007FF7025E0000-0x00007FF702934000-memory.dmp

C:\Windows\System\ybkklFw.exe

MD5 8c15def02dfe23e5a9a3a6f731910d9d
SHA1 b537fb2f3473b7746da45147615779f3d2e1812b
SHA256 a4025228420d55c99d11246f6a0eed8ef464ccac4039c9f28215d1390426f7fa
SHA512 e7707147c442c2af1b20ebe63f81574754673497d2d49e837f4ba7433fc774c54a247372dea48058eb28d92e584381fcfcb6681381edc034a4b93f201cd94ee0

C:\Windows\System\fSZtAuU.exe

MD5 773ccec6d399405742fcd1af091d4b58
SHA1 c09c9fca96a8f865a170852cfdc81c9ba3f5e659
SHA256 4f644e2658c0b8fd60fbcf7ca2d7a604f9dfc00804af62537fe7f62164b96f12
SHA512 8684a9cbac436365e2c90daca202a9d1f515a7ae8914b56f6e686ea9ed760a893721b81913298e7364bedf11e6a52c39118ecc8a790c2749bbc62dc68ea58869

memory/2152-30-0x00007FF7FE350000-0x00007FF7FE6A4000-memory.dmp

C:\Windows\System\lFKmwvO.exe

MD5 1534587dcce010610b5a4317a422a325
SHA1 9dc5ef7532d5baa3000d02f3b95c277a259322b8
SHA256 a7ceeafe80eba7d831229bcf8a5fffb8430dc8af2bbb4ffb0ce4c669d9b18114
SHA512 97ca965656d47c05e4d3ac93db3f95ff53657361552ffb9c322e98a1a4cb02171b0b1f505be45a4e32e7eae62e3ca378a96afa3f005af4fe8bc35900786547ac

C:\Windows\System\buyUdOX.exe

MD5 44b52ef97de23990940f3efeb590f81e
SHA1 4f485e49a69659eac8688f8dedd05f9beeff6a45
SHA256 e1cec3a74570f571f469c5af47b5001d6e9506ca3384b83a7db3acedfa70d4c9
SHA512 8b107c8b41f661f63648806a0fcd01663471ea883b0358683b63b1a5e22f1f8003cb234d4d403c8b72b9b3a26b22145a48a9bad174659c4d8e6a9bbbd8cb320b

C:\Windows\System\OQaOiuV.exe

MD5 0deb33d3cafe5bf6d24001defef375e1
SHA1 99435522c994cf929608d3d3e5aef1c064d8a7ea
SHA256 6cbe5587fa3199859687d59c3bf88b7751895bfa00b37030975c9c2f2f2f8dbf
SHA512 a5f72a294022e1a8c3869a431bcd8b3aad27be7e7c06eccc5940e83d210820ef00230349e9959d9800a8d9ffe82f8574824be8a8a05369c3a85d6c18c39e69ce

C:\Windows\System\sgdlyLo.exe

MD5 2e1c9c8e4004856035679b2777ffe88a
SHA1 bc7f853882f36b6d1d245e07bfb2de0036dce7ed
SHA256 9c3126d7ff759deb78aa2d07f70a1d06684e661374646679860c5932a2f1087e
SHA512 ba53dea9b7e8ce1427ef2ffcb01dbb2a2a4bd47df7a5655472e8d5ed1cd4704e8d10b73fcbd748e2928f8c8ddc6a3d8d048270058bc505e3fa5a9e0eebad8baa

C:\Windows\System\OZAAIoO.exe

MD5 e0a6eef328a2ca94c54d0f673d8948ed
SHA1 cdcea59f60ca55ff554db292d5de854d5d8a8358
SHA256 325db1219131a4b0f764e813b93bb0d5da5afe20b217cc051e4abc79c0bc32eb
SHA512 0f38d97d3ffa2da7adf0d4b0c783c7b632e9a3570ea3670678bb0530b2603faa6282dd8a07635334ecbc4fbd14464d2d86b6415254205567365859a1966dd9aa

C:\Windows\System\iYFfEad.exe

MD5 2796cf7a87b025878c9455bc46bd5a18
SHA1 b2f1ae76898778acad2b8df34974d7292a3e79af
SHA256 3c93387ac93f780e95e2ab93f25052560ed35bab105034b00c7edf22f41d0fb8
SHA512 aa44562eac6a538f6c29fe896bab3231428fce47d0d453748abdc8ace8064cdf2c95a7783da9c72bb197e623af432ea01f42464b45ca5923506ecd18d9493322

memory/2272-76-0x00007FF6B2120000-0x00007FF6B2474000-memory.dmp

memory/388-83-0x00007FF70A050000-0x00007FF70A3A4000-memory.dmp

memory/632-85-0x00007FF7DAB50000-0x00007FF7DAEA4000-memory.dmp

C:\Windows\System\BdzXCAN.exe

MD5 c66ba6e8c31801312abad37deb533242
SHA1 60b194deed27fe468b822a411b7aeba621d54082
SHA256 31dc1875ce9260726a39cc2bc4f552b8964fdc991cdbb82ad3b86bf8d2da78a7
SHA512 0618367a34081b1b3cc9de425a8ec62812618168c0d282322bf0a531530f4a85d204350f14670ba9d01d1269350edf85685c9773a8bc0d03f798b8f5618b1a01

memory/1848-84-0x00007FF6A3F10000-0x00007FF6A4264000-memory.dmp

memory/804-82-0x00007FF6583C0000-0x00007FF658714000-memory.dmp

C:\Windows\System\eFldnIe.exe

MD5 9e6fdad08db46894c0c2c2274d720199
SHA1 fb587171332866571e97b2f864e47da5d449f41d
SHA256 17acfb3e8820cec637a42a97d27483660764a6741017bebc411c5055da78dcc9
SHA512 5e5871b41ab659b3c3f4e8c04af450e81832f21b3856646891378bda135a82f560ac8243a4f2b99a8ebb5d8b2b53f29c0c684e057f91508e865c9e387f2062d9

memory/856-71-0x00007FF6589C0000-0x00007FF658D14000-memory.dmp

memory/2656-66-0x00007FF690AD0000-0x00007FF690E24000-memory.dmp

C:\Windows\System\XfDPQph.exe

MD5 594e579008375fb11ab368e5b5f1708b
SHA1 e478727f60cbc82a7eecc65e715b0b78791a9a9d
SHA256 761a99623799098e7ea2cf81a6aec15d62dccd1b8b81e69a3a31c3fef48bbe3a
SHA512 a3dd66279db6b750c1df2743562adce1c12fb74518a14195c79eac66eea57102b75b51ad7bae92a83171197413a7eaf071a260d30d5aae58f7263b6f5b8afe90

memory/4696-53-0x00007FF7F4E30000-0x00007FF7F5184000-memory.dmp

memory/3324-45-0x00007FF7D0490000-0x00007FF7D07E4000-memory.dmp

memory/2508-35-0x00007FF6FA070000-0x00007FF6FA3C4000-memory.dmp

memory/4224-27-0x00007FF6C86D0000-0x00007FF6C8A24000-memory.dmp

memory/4068-22-0x00007FF704EC0000-0x00007FF705214000-memory.dmp

memory/3020-14-0x00007FF7B2B20000-0x00007FF7B2E74000-memory.dmp

memory/3968-91-0x00007FF7025E0000-0x00007FF702934000-memory.dmp

C:\Windows\System\jweaeeA.exe

MD5 7d90ab526ea2f72ef14894994c7cd6bd
SHA1 849eea85f6967e54ace334be3b2e42a9ebbe35d9
SHA256 65c0976986047ef2d921059c870193564a40e7a668d151670541855c0aa59114
SHA512 f5f143ccb7f2d64f8af347cb5564fc4d86e6055b23fe4177b2e370a2498fe8e11600d7c86482c6d2ff4a18fff6648341a36af5eee6ab7bb3157373a17f357600

memory/4232-111-0x00007FF6F0710000-0x00007FF6F0A64000-memory.dmp

C:\Windows\System\vkKhDdq.exe

MD5 2cc66b714904a63c9b1f2d1076dfb70d
SHA1 cfc33a163aec6bf165345d3de3694814aaabc68b
SHA256 4fa8dfe2a4c09d8c7b6712bd93b9632b58941d42e9ed36c7aa097619742bce17
SHA512 8aad97fb1ba8e0fe8bc89657570663a476ed95940be13c829a951d60611875344ea1511e01919e64200bb2fecc76384405dad4935159f9a505be6d6552923e6c

memory/1012-120-0x00007FF7CB7E0000-0x00007FF7CBB34000-memory.dmp

memory/3928-121-0x00007FF7342B0000-0x00007FF734604000-memory.dmp

C:\Windows\System\FGASqSa.exe

MD5 8b29b9f08e1a44bc6c182e151978430c
SHA1 a827fa29ad04d8062747ff794fd7d3f83f42c2d6
SHA256 5c616e8bb75898f76cd7a4c42bdb096891a62dff62c9e7e1846c0d665fc0a32e
SHA512 9a908e0a30ec7431af10a61089b7f953eab79a5e8d26b4601eb190eb413c9080c9cbfd4b0683453296dd4ccabc11c3b750965f75cbb468ca59078d1c10d4d2b5

C:\Windows\System\CRHZbAz.exe

MD5 0628f6b2b3c73c58f0f47a34f7980f3f
SHA1 92f5ecf1efed1bfe05b90d4f6aad2cd8f8330ef0
SHA256 1d281b7b145e4df4a96cd20dd11cff6fed0422a6cccf601f202fe7ae2d2648f2
SHA512 f6e5f688ec0b82e80833a6e35f5e40d408a56983ab60599171132cf48ef69899533d4439dc16019b8b1d605a4cbafa40b6936d549bf513b48a879c9239774368

C:\Windows\System\FYASsoQ.exe

MD5 2f60aa07270c18743e948889752ba7f4
SHA1 a8e0b7af7f87f972d4e79fc43c5966f677e9eed4
SHA256 cd66ee14ed021ed2664a7892d99929d1653078044791946bb92004d69003c970
SHA512 526d220737c3e3993c18caa4de9f5cc19701763996a66c965b6df24c488acee2dbb8813b2c7d2fba94ac0ec76ff775f0473cee9ddf11a478bc51c6353d67db1c

memory/4224-112-0x00007FF6C86D0000-0x00007FF6C8A24000-memory.dmp

C:\Windows\System\OCzxLCA.exe

MD5 20dd476aa2cbd01285fb68769d6e3f39
SHA1 c2914f4f8805a093e337e33b3d2e782355a7ccc1
SHA256 9b37e1eb4892e242a388ee667ab25be116fd82958efe27dfb08b8447aadd9a7b
SHA512 d494e5dbfce9bac3aae5355dd9f4f27bd05eab8c338e020cb5fc8ef64a0a78ad8abb18dbdb3cb25d7314efc7e5da5a72358a6a9e93ab9b478e9dd649481c7d2c

memory/1200-106-0x00007FF6241D0000-0x00007FF624524000-memory.dmp

C:\Windows\System\hLihZjl.exe

MD5 0271029edffec6f0ffd9ba81405df508
SHA1 768b3fab0757282a9db753cbe140cf15179e6d89
SHA256 a78a7618df7166bb3784814ac8757cc720b55de4c8592dfc04644914473f10c4
SHA512 bcdafe613e0add9d8760f8671eca8759189b70b9acec69d5040b0ff97b748332bb24a2ed50f9681c0f5143a3b52c4b91653d73c1980e0ed7c511714a4e27bd08

memory/2624-96-0x00007FF6C3660000-0x00007FF6C39B4000-memory.dmp

memory/2152-129-0x00007FF7FE350000-0x00007FF7FE6A4000-memory.dmp

memory/3372-131-0x00007FF759710000-0x00007FF759A64000-memory.dmp

memory/2348-130-0x00007FF7A0F60000-0x00007FF7A12B4000-memory.dmp

memory/2508-132-0x00007FF6FA070000-0x00007FF6FA3C4000-memory.dmp

memory/4696-134-0x00007FF7F4E30000-0x00007FF7F5184000-memory.dmp

memory/856-135-0x00007FF6589C0000-0x00007FF658D14000-memory.dmp

memory/3324-133-0x00007FF7D0490000-0x00007FF7D07E4000-memory.dmp

memory/2624-137-0x00007FF6C3660000-0x00007FF6C39B4000-memory.dmp

memory/632-136-0x00007FF7DAB50000-0x00007FF7DAEA4000-memory.dmp

memory/1200-138-0x00007FF6241D0000-0x00007FF624524000-memory.dmp

memory/4232-139-0x00007FF6F0710000-0x00007FF6F0A64000-memory.dmp

memory/3968-140-0x00007FF7025E0000-0x00007FF702934000-memory.dmp

memory/3020-141-0x00007FF7B2B20000-0x00007FF7B2E74000-memory.dmp

memory/4068-142-0x00007FF704EC0000-0x00007FF705214000-memory.dmp

memory/4224-143-0x00007FF6C86D0000-0x00007FF6C8A24000-memory.dmp

memory/2152-144-0x00007FF7FE350000-0x00007FF7FE6A4000-memory.dmp

memory/2508-145-0x00007FF6FA070000-0x00007FF6FA3C4000-memory.dmp

memory/3324-146-0x00007FF7D0490000-0x00007FF7D07E4000-memory.dmp

memory/4696-148-0x00007FF7F4E30000-0x00007FF7F5184000-memory.dmp

memory/2656-147-0x00007FF690AD0000-0x00007FF690E24000-memory.dmp

memory/2272-149-0x00007FF6B2120000-0x00007FF6B2474000-memory.dmp

memory/804-150-0x00007FF6583C0000-0x00007FF658714000-memory.dmp

memory/856-151-0x00007FF6589C0000-0x00007FF658D14000-memory.dmp

memory/388-152-0x00007FF70A050000-0x00007FF70A3A4000-memory.dmp

memory/632-153-0x00007FF7DAB50000-0x00007FF7DAEA4000-memory.dmp

memory/2624-154-0x00007FF6C3660000-0x00007FF6C39B4000-memory.dmp

memory/1200-155-0x00007FF6241D0000-0x00007FF624524000-memory.dmp

memory/1012-156-0x00007FF7CB7E0000-0x00007FF7CBB34000-memory.dmp

memory/4232-157-0x00007FF6F0710000-0x00007FF6F0A64000-memory.dmp

memory/3928-158-0x00007FF7342B0000-0x00007FF734604000-memory.dmp

memory/2348-160-0x00007FF7A0F60000-0x00007FF7A12B4000-memory.dmp

memory/3372-159-0x00007FF759710000-0x00007FF759A64000-memory.dmp