Malware Analysis Report

2025-01-22 19:41

Sample ID 240601-cvxbnaef2w
Target 2024-06-01_ca981df9780aa4016873a2dd82f249f9_cobalt-strike_cobaltstrike
SHA256 d50c18e056a3c90b312b78c6b2ba54d7e20a9eaf4bc2bba24ee9e874b4b37311
Tags
miner upx 0 xmrig cobaltstrike backdoor trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

d50c18e056a3c90b312b78c6b2ba54d7e20a9eaf4bc2bba24ee9e874b4b37311

Threat Level: Known bad

The file 2024-06-01_ca981df9780aa4016873a2dd82f249f9_cobalt-strike_cobaltstrike was found to be: Known bad.

Malicious Activity Summary

miner upx 0 xmrig cobaltstrike backdoor trojan

Cobaltstrike family

Cobalt Strike reflective loader

Xmrig family

Cobaltstrike

UPX dump on OEP (original entry point)

Detects Reflective DLL injection artifacts

xmrig

XMRig Miner payload

Loads dropped DLL

Executes dropped EXE

UPX packed file

Drops file in Windows directory

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-01 02:24

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike family

cobaltstrike

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Xmrig family

xmrig

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-01 02:24

Reported

2024-06-01 02:27

Platform

win7-20240221-en

Max time kernel

136s

Max time network

146s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-01_ca981df9780aa4016873a2dd82f249f9_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_ca981df9780aa4016873a2dd82f249f9_cobalt-strike_cobaltstrike.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\pRukAJJ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_ca981df9780aa4016873a2dd82f249f9_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\fuOAqHw.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_ca981df9780aa4016873a2dd82f249f9_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\CHooSsD.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_ca981df9780aa4016873a2dd82f249f9_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\jhYwaqQ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_ca981df9780aa4016873a2dd82f249f9_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\JpWatoj.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_ca981df9780aa4016873a2dd82f249f9_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\SKyjBRY.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_ca981df9780aa4016873a2dd82f249f9_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\RvLFjJU.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_ca981df9780aa4016873a2dd82f249f9_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\MbKGhXK.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_ca981df9780aa4016873a2dd82f249f9_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\zDZFTKq.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_ca981df9780aa4016873a2dd82f249f9_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\nQjqyUb.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_ca981df9780aa4016873a2dd82f249f9_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\JErmZRZ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_ca981df9780aa4016873a2dd82f249f9_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\FYFXpVS.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_ca981df9780aa4016873a2dd82f249f9_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\cusrzAq.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_ca981df9780aa4016873a2dd82f249f9_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\UJPTpfz.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_ca981df9780aa4016873a2dd82f249f9_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\IHQRjGv.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_ca981df9780aa4016873a2dd82f249f9_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\nFMYavN.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_ca981df9780aa4016873a2dd82f249f9_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\XNuiYTO.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_ca981df9780aa4016873a2dd82f249f9_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\hjTKQRv.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_ca981df9780aa4016873a2dd82f249f9_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\DTKwMMT.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_ca981df9780aa4016873a2dd82f249f9_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ipzSUIH.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_ca981df9780aa4016873a2dd82f249f9_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\wliKoKl.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_ca981df9780aa4016873a2dd82f249f9_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_ca981df9780aa4016873a2dd82f249f9_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2948 wrote to memory of 2036 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_ca981df9780aa4016873a2dd82f249f9_cobalt-strike_cobaltstrike.exe C:\Windows\System\cusrzAq.exe
PID 2948 wrote to memory of 2612 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_ca981df9780aa4016873a2dd82f249f9_cobalt-strike_cobaltstrike.exe C:\Windows\System\fuOAqHw.exe
PID 2948 wrote to memory of 2152 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_ca981df9780aa4016873a2dd82f249f9_cobalt-strike_cobaltstrike.exe C:\Windows\System\UJPTpfz.exe
PID 2948 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_ca981df9780aa4016873a2dd82f249f9_cobalt-strike_cobaltstrike.exe C:\Windows\System\RvLFjJU.exe
PID 2948 wrote to memory of 2664 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_ca981df9780aa4016873a2dd82f249f9_cobalt-strike_cobaltstrike.exe C:\Windows\System\IHQRjGv.exe
PID 2948 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_ca981df9780aa4016873a2dd82f249f9_cobalt-strike_cobaltstrike.exe C:\Windows\System\MbKGhXK.exe
PID 2948 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_ca981df9780aa4016873a2dd82f249f9_cobalt-strike_cobaltstrike.exe C:\Windows\System\CHooSsD.exe
PID 2948 wrote to memory of 2228 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_ca981df9780aa4016873a2dd82f249f9_cobalt-strike_cobaltstrike.exe C:\Windows\System\hjTKQRv.exe
PID 2948 wrote to memory of 2624 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_ca981df9780aa4016873a2dd82f249f9_cobalt-strike_cobaltstrike.exe C:\Windows\System\jhYwaqQ.exe
PID 2948 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_ca981df9780aa4016873a2dd82f249f9_cobalt-strike_cobaltstrike.exe C:\Windows\System\DTKwMMT.exe
PID 2948 wrote to memory of 2908 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_ca981df9780aa4016873a2dd82f249f9_cobalt-strike_cobaltstrike.exe C:\Windows\System\nFMYavN.exe
PID 2948 wrote to memory of 2856 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_ca981df9780aa4016873a2dd82f249f9_cobalt-strike_cobaltstrike.exe C:\Windows\System\ipzSUIH.exe
PID 2948 wrote to memory of 2324 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_ca981df9780aa4016873a2dd82f249f9_cobalt-strike_cobaltstrike.exe C:\Windows\System\JpWatoj.exe
PID 2948 wrote to memory of 1536 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_ca981df9780aa4016873a2dd82f249f9_cobalt-strike_cobaltstrike.exe C:\Windows\System\SKyjBRY.exe
PID 2948 wrote to memory of 1220 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_ca981df9780aa4016873a2dd82f249f9_cobalt-strike_cobaltstrike.exe C:\Windows\System\pRukAJJ.exe
PID 2948 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_ca981df9780aa4016873a2dd82f249f9_cobalt-strike_cobaltstrike.exe C:\Windows\System\XNuiYTO.exe
PID 2948 wrote to memory of 384 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_ca981df9780aa4016873a2dd82f249f9_cobalt-strike_cobaltstrike.exe C:\Windows\System\nQjqyUb.exe
PID 2948 wrote to memory of 1652 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_ca981df9780aa4016873a2dd82f249f9_cobalt-strike_cobaltstrike.exe C:\Windows\System\JErmZRZ.exe
PID 2948 wrote to memory of 1980 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_ca981df9780aa4016873a2dd82f249f9_cobalt-strike_cobaltstrike.exe C:\Windows\System\FYFXpVS.exe
PID 2948 wrote to memory of 2160 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_ca981df9780aa4016873a2dd82f249f9_cobalt-strike_cobaltstrike.exe C:\Windows\System\zDZFTKq.exe
PID 2948 wrote to memory of 1920 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_ca981df9780aa4016873a2dd82f249f9_cobalt-strike_cobaltstrike.exe C:\Windows\System\wliKoKl.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-01_ca981df9780aa4016873a2dd82f249f9_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-01_ca981df9780aa4016873a2dd82f249f9_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\cusrzAq.exe

C:\Windows\System\cusrzAq.exe

C:\Windows\System\fuOAqHw.exe

C:\Windows\System\fuOAqHw.exe

C:\Windows\System\UJPTpfz.exe

C:\Windows\System\UJPTpfz.exe

C:\Windows\System\RvLFjJU.exe

C:\Windows\System\RvLFjJU.exe

C:\Windows\System\IHQRjGv.exe

C:\Windows\System\IHQRjGv.exe

C:\Windows\System\MbKGhXK.exe

C:\Windows\System\MbKGhXK.exe

C:\Windows\System\CHooSsD.exe

C:\Windows\System\CHooSsD.exe

C:\Windows\System\hjTKQRv.exe

C:\Windows\System\hjTKQRv.exe

C:\Windows\System\jhYwaqQ.exe

C:\Windows\System\jhYwaqQ.exe

C:\Windows\System\DTKwMMT.exe

C:\Windows\System\DTKwMMT.exe

C:\Windows\System\nFMYavN.exe

C:\Windows\System\nFMYavN.exe

C:\Windows\System\ipzSUIH.exe

C:\Windows\System\ipzSUIH.exe

C:\Windows\System\JpWatoj.exe

C:\Windows\System\JpWatoj.exe

C:\Windows\System\SKyjBRY.exe

C:\Windows\System\SKyjBRY.exe

C:\Windows\System\pRukAJJ.exe

C:\Windows\System\pRukAJJ.exe

C:\Windows\System\XNuiYTO.exe

C:\Windows\System\XNuiYTO.exe

C:\Windows\System\nQjqyUb.exe

C:\Windows\System\nQjqyUb.exe

C:\Windows\System\JErmZRZ.exe

C:\Windows\System\JErmZRZ.exe

C:\Windows\System\FYFXpVS.exe

C:\Windows\System\FYFXpVS.exe

C:\Windows\System\zDZFTKq.exe

C:\Windows\System\zDZFTKq.exe

C:\Windows\System\wliKoKl.exe

C:\Windows\System\wliKoKl.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 tcp

Files

memory/2948-0-0x000000013FA40000-0x000000013FD94000-memory.dmp

memory/2948-1-0x00000000001F0000-0x0000000000200000-memory.dmp

C:\Windows\system\cusrzAq.exe

MD5 d1549a42f9a3ac32737ecea9a20a1374
SHA1 798618366d8682f636ed2b0b3956bc5785fec1af
SHA256 c2da210f7ba460a7ae13c3008e44201285602af68b079a6692826962d0cff03f
SHA512 c8917a0b2d4f0af72238c8bae6beb84a53528a41d0781236947cc7492a880496c34a2db38a08a4682543e418fe9f192e19e0d1fa65c7642d1abed20c200c5334

C:\Windows\system\fuOAqHw.exe

MD5 6ae7738a521d8f74694cc110b1ceeb68
SHA1 5de77dc8d318ac2f00517541bba842e532d1e8a1
SHA256 aa7f936146d52d2ac0de32a7f46c8b1ab579ec00d4d3f0ce4276c0a0ec3a8162
SHA512 f9ba19e83f5cf96eda0141ea838f7736ffb232fccc491c0497485db0fa53ed2933d6ab99265df4faa3ac57b3cbe8cf74220aa96acec77842b1898e307d8048a9

C:\Windows\system\UJPTpfz.exe

MD5 f8bc8402a2b699720e90a0ecdc396c10
SHA1 8df85ec05865ae88a73541523c9d6da1d93aa037
SHA256 34a4e53d7bd9e4f50e8502073ec007862cc572ed78b0aac14a425abf84bcc04e
SHA512 23225bde9ccde414e06a7c4b2bf11dc890f5014a89ae666d6d9d0857adbcd977581ac2c554d748bef0a28efad519512f8a28c203076e8852b1b47f5bb777b1c3

memory/2948-15-0x000000013F330000-0x000000013F684000-memory.dmp

\Windows\system\RvLFjJU.exe

MD5 f23cf980f67c27cdbfc57115d640353b
SHA1 ead5df4025c19233442ba30adddd2addc2808cf3
SHA256 ffa1a88ac9a3499fceefae743e153b56150adc2ed8ba15e4e427afd83f5fd707
SHA512 4a93c0ea347f80fc006a0c797b02fd332dce1b965469aeeae8403620019f5aa37086be1bbed59d071e4ca47bec2fece2ce6eeed8ada9a3195b2d62c8d7964aed

memory/2036-22-0x000000013F330000-0x000000013F684000-memory.dmp

memory/2948-33-0x000000013FF40000-0x0000000140294000-memory.dmp

memory/2948-32-0x000000013F4B0000-0x000000013F804000-memory.dmp

C:\Windows\system\IHQRjGv.exe

MD5 d7ed0db92754ce34c59cd8a4cdf656eb
SHA1 a0ca307139ffe7bf019c0a647585d002be881873
SHA256 409db0700bbfa230d8fb94f9684d1c7184bd7bf67d18cc90c7c7ec3dab63a100
SHA512 d7fbfd89d97553c2e412230a41e31252ed86eb2b9bac6ebbac74af362a7d6c0be9ea4c1c65e396ded4ffec93f708ac73bc705290d2c4172b4e4908823c7bd8c2

\Windows\system\MbKGhXK.exe

MD5 2de1fd25117589c5128c8d4b79a1ca45
SHA1 5bb87046be75a03c77a2d80012f1cbe449152b52
SHA256 8d84ea2c3b2eae09d4a2147a21d10690ae8e6d00728e5df830b430e64f3c064b
SHA512 e3ad86426cd94d02431c40d497dc529c1be5756f5f1e5ca5c797bb905e2c537dbce2a334f48089fd7f4faf6a0eaa4df7e9c025f74ed9e1d934aa56ae47670053

memory/2152-30-0x000000013FE80000-0x00000001401D4000-memory.dmp

memory/2948-27-0x000000013FE80000-0x00000001401D4000-memory.dmp

memory/2612-26-0x000000013F4B0000-0x000000013F804000-memory.dmp

memory/2576-41-0x000000013FF40000-0x0000000140294000-memory.dmp

memory/2948-39-0x000000013F6B0000-0x000000013FA04000-memory.dmp

memory/2628-42-0x000000013F560000-0x000000013F8B4000-memory.dmp

\Windows\system\CHooSsD.exe

MD5 6af876edf2e3389ee3282f3c81d1ec96
SHA1 bebb16f0f48c5f08d94f5fd99ad429253619e798
SHA256 415eecf3987e343cf8217242ec19784afc1a66b8887460246e16f7acde459440
SHA512 d2d56073c5012fa8b155853d9d5e75ab14a08af317adc35e6967f19744c7ef662d22977d1b73683a9965d8d97b91ca5b141603a0d8fc92a574061798044bee33

\Windows\system\hjTKQRv.exe

MD5 84dcef74c2a3c56bbde8dbdc73222ff7
SHA1 c7873cdba290bb67adc672c40d04da33466d27e8
SHA256 ac79e4f05339a25222d4f57544f0e92cd9c28c227654f351ccaeed1414047cf3
SHA512 c9fd1aebd3445ec69332677e25f04a359a865b293848cee5c73c78bea5407ade5142086ff2f5e793f54b3877d95fca2e33eda783919a6fa2858058d8c3f7db61

memory/2948-55-0x00000000021E0000-0x0000000002534000-memory.dmp

C:\Windows\system\jhYwaqQ.exe

MD5 69b9c5154c5435a9a003281d0d5a90e0
SHA1 b6c65028a9efee4952bc3518679f2b4751b2512d
SHA256 b52567e5fbdd19463826113020b4e885c14b3d140b58272883e8e7d889bf14d1
SHA512 35c14f0c6f8c977e43581acff81204b9b5e9483c793018656132b6b6534ea49a951bed7fab30a6ed5965a473f0b83eaabb27001728bef0f6f202c472eb64f4a3

memory/2228-57-0x000000013FCA0000-0x000000013FFF4000-memory.dmp

\Windows\system\ipzSUIH.exe

MD5 41e74014fba2de1de441046bb1b52d9b
SHA1 7e87f45fefdfb39eddcdea1013ef301aba65732b
SHA256 980dc1405ad5d793d882472cfd74301698ac5f6533c79c489b57baeacecd6692
SHA512 c43d297b0b556b455881c0388359c5a278ad705c44da14273681049fe2068ec34a2972bf6e00e67724f0920e5a1cedec3ad40f70ad33693264f1c2746944bc76

C:\Windows\system\JpWatoj.exe

MD5 760e217683024f02ae961a7aedc7cb33
SHA1 97f295b0e1e8a505ac7a641cf6ec35fac1ce9ef1
SHA256 4b271dd701a92bba58831481ad002231836803592a15a6d3989e9eb8511fa4fc
SHA512 6c1351f86a09ad956e16536bcf17a32d07dfc6c4563712f4c3570ff79f34c9ac522fcde70d5fab4dc1cb2c519b1f923145cec2f617a05958ce71a794b7b6dd3d

\Windows\system\pRukAJJ.exe

MD5 9dccb4dca0b9e481af30f9616e473a37
SHA1 d121df276186f97e1cc1f4349f25486bf14d2409
SHA256 37cbc33edd3ddb7f33aa71dcdba661f0f137d5b42568cdb11c49797c1ff3f785
SHA512 480f377352c089f5074dc0c545a5da533234655abfe2dbc9ed9458448aa874ed0bdc86f040dcc7ff7355047ff81ee0c17a5d83a72e6cfbcfccff5791e9c3067a

C:\Windows\system\nQjqyUb.exe

MD5 ad4f30a4c4d80800200350c2a0c51afd
SHA1 7743dbbda868fa4231b321f6360149ed9dafce87
SHA256 4379ffc9b2e94c6fb8911ccc8c0a7b43e6f2e0b8608b6335e23ae506b57db393
SHA512 9247667f64eda9a7602c38078fac067be73652a8832abbfc2b15f716a3b7815cf2eeedeb3ea5f0ddd1b8c9996877352ff9020dc5e809030d34ae89fd39bc3abe

C:\Windows\system\JErmZRZ.exe

MD5 5930237ef41b3c0ba52da5095231b538
SHA1 5621f743b7dd6f652ee3fd507e8f0dbb080e563e
SHA256 3ef0e296d8cf8878bc2de9c8e20677d01a2c68130d44e8c279031fad400e1acd
SHA512 f15494000d66294a7c5296526a678feb90ee1c275d843f8573369da530234f53b28122a5cb567f4e16b011ee6867f4083e5bbee5b03b34ca64bb3da4da4e73c9

C:\Windows\system\FYFXpVS.exe

MD5 00fe820041e4c26b0a1f3162602de5ba
SHA1 acddef5c6d1ba13d9050221eb177d5b7730c320a
SHA256 c2e6c29d3a5264a32182dfabdc1aa8e9358f38078b397b029cab6f002cfb4d9d
SHA512 3e1dc5feeb1eab6d62eab1a6604419b68e5c7f6bcee76a8771a9813477f6906783a9ed61a75b5681ebfa0b5aa449aaefebdb2f3c63ed3c553c54e9a91aab96e5

C:\Windows\system\zDZFTKq.exe

MD5 622856842b4229b3545d544426ca0845
SHA1 90928d10e481efbe69e84134295b82c83fce12d6
SHA256 533c84ba70dfb6d50a02637516f4a8732595104cfcf76806ee3507dc89030801
SHA512 8c40c2e8ba469ac19915644191709ee7fb01d9584348dd1bce0ef1abbdb5f265e1385fac49c47b330b9209d36117350dc4cd2a620a1143a63687e6b8e1bd46ec

C:\Windows\system\wliKoKl.exe

MD5 7e5709311e2f3395f4d06fdef6280dd8
SHA1 a506a6d86300fd0bc29549ae0b0ed64c0b8271b8
SHA256 b8b94d985bc6053ed9028f9f4dc2d4514f150ab590dcfecbd28620a451717916
SHA512 f61d0bf9ab87195ab6b45264622c76b7bc39baeed9c6f9504c0e2c8f54334b8de7a2df56913baf4edb6a0a1a580688682b2f37b778a591dfcc8ba6967e83bc70

C:\Windows\system\XNuiYTO.exe

MD5 f6d73ec1a179f6abb8b98deb71c2ad0a
SHA1 54a346d52c87e37614b8ae6a0cbf8a3b807ca961
SHA256 0f0ef53e9534f11c7f3993e456d36109d987d7da81862f5dcbac3b8d20b90c7f
SHA512 812756c4badf9a3101261f26c0c6f477e0af8500354855895ff38133cbac53886602a4f4d6d8800ec569afdbff26f7c8161895b612831939bf69c03ffb800095

C:\Windows\system\SKyjBRY.exe

MD5 4bc94add27a2e298fc1004124e21c8f2
SHA1 c72e5d28d961c5b5f40f48a2e2f2430f922498b2
SHA256 367d5483f7583cb54fd0f7f22e04a85474f1de5cc475e74a042b27dec560ed1e
SHA512 02be75a5e34cb25d6456fd9fb7aed226490b4341cb7d689f61edf0996a8ca1e3e5f88f0a03ca396213e1d1abe988486da9b76c125a8f37fffea98aff9a52303b

memory/2856-106-0x000000013F570000-0x000000013F8C4000-memory.dmp

memory/2948-105-0x00000000021E0000-0x0000000002534000-memory.dmp

memory/2948-104-0x000000013F3C0000-0x000000013F714000-memory.dmp

memory/2948-103-0x000000013FE10000-0x0000000140164000-memory.dmp

memory/2908-98-0x000000013F070000-0x000000013F3C4000-memory.dmp

memory/2948-97-0x00000000021E0000-0x0000000002534000-memory.dmp

memory/2324-90-0x000000013F980000-0x000000013FCD4000-memory.dmp

C:\Windows\system\nFMYavN.exe

MD5 a2ff0929c9e0815afef395b42a4553ee
SHA1 addd8a853f4a4926639d897812519130b7dfae56
SHA256 61a6b25d5314b9d94041b9fb1de98845cf30dbd8376ba28aff8c1b0108666b3e
SHA512 8b836d25843d47177b733775c2538e1a645967789eb206e51776b84076b2172fb37328ad980f49bb7cda9ac8e730229fe870bdb00a95c2f86897489cae69321e

memory/2948-73-0x000000013F330000-0x000000013F684000-memory.dmp

memory/2948-72-0x000000013FA40000-0x000000013FD94000-memory.dmp

memory/2492-70-0x000000013FDD0000-0x0000000140124000-memory.dmp

memory/2948-69-0x000000013FDD0000-0x0000000140124000-memory.dmp

C:\Windows\system\DTKwMMT.exe

MD5 357daffc23ee1379168632a963e831ef
SHA1 12128a79fef5837d3cc251432597eb28edf1b220
SHA256 272faf68eaa806e90d1d13680bfdcd4f874a1611cba6d83d08770b04fa402953
SHA512 18c7dc0b29d14a93d2a4e9933959b05124be67fda22916c6c2eb0abd39b493c421f9d97e44225ee4ae138e274f487eda968febaa1ba992bf532e769a40f2d06c

memory/2624-64-0x000000013F270000-0x000000013F5C4000-memory.dmp

memory/2752-51-0x000000013F990000-0x000000013FCE4000-memory.dmp

memory/2948-48-0x00000000021E0000-0x0000000002534000-memory.dmp

memory/2948-44-0x000000013F560000-0x000000013F8B4000-memory.dmp

memory/2664-43-0x000000013F6B0000-0x000000013FA04000-memory.dmp

memory/2752-135-0x000000013F990000-0x000000013FCE4000-memory.dmp

memory/2948-136-0x00000000021E0000-0x0000000002534000-memory.dmp

memory/2228-137-0x000000013FCA0000-0x000000013FFF4000-memory.dmp

memory/2492-138-0x000000013FDD0000-0x0000000140124000-memory.dmp

memory/2948-139-0x000000013FE10000-0x0000000140164000-memory.dmp

memory/2948-140-0x000000013F3C0000-0x000000013F714000-memory.dmp

memory/2036-141-0x000000013F330000-0x000000013F684000-memory.dmp

memory/2612-142-0x000000013F4B0000-0x000000013F804000-memory.dmp

memory/2152-143-0x000000013FE80000-0x00000001401D4000-memory.dmp

memory/2576-144-0x000000013FF40000-0x0000000140294000-memory.dmp

memory/2664-145-0x000000013F6B0000-0x000000013FA04000-memory.dmp

memory/2628-146-0x000000013F560000-0x000000013F8B4000-memory.dmp

memory/2752-147-0x000000013F990000-0x000000013FCE4000-memory.dmp

memory/2624-149-0x000000013F270000-0x000000013F5C4000-memory.dmp

memory/2228-148-0x000000013FCA0000-0x000000013FFF4000-memory.dmp

memory/2492-150-0x000000013FDD0000-0x0000000140124000-memory.dmp

memory/2908-151-0x000000013F070000-0x000000013F3C4000-memory.dmp

memory/2324-152-0x000000013F980000-0x000000013FCD4000-memory.dmp

memory/2856-153-0x000000013F570000-0x000000013F8C4000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-01 02:24

Reported

2024-06-01 02:27

Platform

win10v2004-20240426-en

Max time kernel

142s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-01_ca981df9780aa4016873a2dd82f249f9_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A (21 rows, every field N/A; the sandbox recorded no description, indicator, process or target for this hit)

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A (21 rows, every field N/A; the sandbox recorded no description, indicator, process or target for this hit)

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A (64 rows, every field N/A; the sandbox recorded no description, indicator, process or target for this hit)

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A (64 rows, every field N/A; the sandbox recorded no description, indicator, process or target for this hit)

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A (64 rows, every field N/A; the sandbox recorded no description, indicator, process or target for this hit)

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\OwGjHGv.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_ca981df9780aa4016873a2dd82f249f9_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\sdIAsql.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_ca981df9780aa4016873a2dd82f249f9_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\YiFMFnq.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_ca981df9780aa4016873a2dd82f249f9_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\zqMGNTR.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_ca981df9780aa4016873a2dd82f249f9_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\KZsoNqI.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_ca981df9780aa4016873a2dd82f249f9_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\gyfavYs.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_ca981df9780aa4016873a2dd82f249f9_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\gtamfCR.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_ca981df9780aa4016873a2dd82f249f9_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ERohUpG.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_ca981df9780aa4016873a2dd82f249f9_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\IeqhwUK.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_ca981df9780aa4016873a2dd82f249f9_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\geUXSbj.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_ca981df9780aa4016873a2dd82f249f9_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\XspuvEW.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_ca981df9780aa4016873a2dd82f249f9_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\PCbFVQw.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_ca981df9780aa4016873a2dd82f249f9_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\QpumNuV.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_ca981df9780aa4016873a2dd82f249f9_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\MslYKZM.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_ca981df9780aa4016873a2dd82f249f9_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\lRYLGIS.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_ca981df9780aa4016873a2dd82f249f9_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\uQEOIwn.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_ca981df9780aa4016873a2dd82f249f9_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\OAWlhif.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_ca981df9780aa4016873a2dd82f249f9_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\DBqyGqC.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_ca981df9780aa4016873a2dd82f249f9_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\rvpPElN.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_ca981df9780aa4016873a2dd82f249f9_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\iPuAAqq.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_ca981df9780aa4016873a2dd82f249f9_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\zFGknos.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_ca981df9780aa4016873a2dd82f249f9_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_ca981df9780aa4016873a2dd82f249f9_cobalt-strike_cobaltstrike.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_ca981df9780aa4016873a2dd82f249f9_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1884 wrote to memory of 3164 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_ca981df9780aa4016873a2dd82f249f9_cobalt-strike_cobaltstrike.exe C:\Windows\System\geUXSbj.exe
PID 1884 wrote to memory of 3164 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_ca981df9780aa4016873a2dd82f249f9_cobalt-strike_cobaltstrike.exe C:\Windows\System\geUXSbj.exe
PID 1884 wrote to memory of 3536 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_ca981df9780aa4016873a2dd82f249f9_cobalt-strike_cobaltstrike.exe C:\Windows\System\sdIAsql.exe
PID 1884 wrote to memory of 3536 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_ca981df9780aa4016873a2dd82f249f9_cobalt-strike_cobaltstrike.exe C:\Windows\System\sdIAsql.exe
PID 1884 wrote to memory of 1016 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_ca981df9780aa4016873a2dd82f249f9_cobalt-strike_cobaltstrike.exe C:\Windows\System\DBqyGqC.exe
PID 1884 wrote to memory of 1016 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_ca981df9780aa4016873a2dd82f249f9_cobalt-strike_cobaltstrike.exe C:\Windows\System\DBqyGqC.exe
PID 1884 wrote to memory of 2344 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_ca981df9780aa4016873a2dd82f249f9_cobalt-strike_cobaltstrike.exe C:\Windows\System\rvpPElN.exe
PID 1884 wrote to memory of 2344 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_ca981df9780aa4016873a2dd82f249f9_cobalt-strike_cobaltstrike.exe C:\Windows\System\rvpPElN.exe
PID 1884 wrote to memory of 2912 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_ca981df9780aa4016873a2dd82f249f9_cobalt-strike_cobaltstrike.exe C:\Windows\System\YiFMFnq.exe
PID 1884 wrote to memory of 2912 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_ca981df9780aa4016873a2dd82f249f9_cobalt-strike_cobaltstrike.exe C:\Windows\System\YiFMFnq.exe
PID 1884 wrote to memory of 2068 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_ca981df9780aa4016873a2dd82f249f9_cobalt-strike_cobaltstrike.exe C:\Windows\System\XspuvEW.exe
PID 1884 wrote to memory of 2068 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_ca981df9780aa4016873a2dd82f249f9_cobalt-strike_cobaltstrike.exe C:\Windows\System\XspuvEW.exe
PID 1884 wrote to memory of 3852 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_ca981df9780aa4016873a2dd82f249f9_cobalt-strike_cobaltstrike.exe C:\Windows\System\MslYKZM.exe
PID 1884 wrote to memory of 3852 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_ca981df9780aa4016873a2dd82f249f9_cobalt-strike_cobaltstrike.exe C:\Windows\System\MslYKZM.exe
PID 1884 wrote to memory of 4660 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_ca981df9780aa4016873a2dd82f249f9_cobalt-strike_cobaltstrike.exe C:\Windows\System\zqMGNTR.exe
PID 1884 wrote to memory of 4660 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_ca981df9780aa4016873a2dd82f249f9_cobalt-strike_cobaltstrike.exe C:\Windows\System\zqMGNTR.exe
PID 1884 wrote to memory of 2220 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_ca981df9780aa4016873a2dd82f249f9_cobalt-strike_cobaltstrike.exe C:\Windows\System\lRYLGIS.exe
PID 1884 wrote to memory of 2220 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_ca981df9780aa4016873a2dd82f249f9_cobalt-strike_cobaltstrike.exe C:\Windows\System\lRYLGIS.exe
PID 1884 wrote to memory of 4468 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_ca981df9780aa4016873a2dd82f249f9_cobalt-strike_cobaltstrike.exe C:\Windows\System\PCbFVQw.exe
PID 1884 wrote to memory of 4468 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_ca981df9780aa4016873a2dd82f249f9_cobalt-strike_cobaltstrike.exe C:\Windows\System\PCbFVQw.exe
PID 1884 wrote to memory of 3184 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_ca981df9780aa4016873a2dd82f249f9_cobalt-strike_cobaltstrike.exe C:\Windows\System\KZsoNqI.exe
PID 1884 wrote to memory of 3184 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_ca981df9780aa4016873a2dd82f249f9_cobalt-strike_cobaltstrike.exe C:\Windows\System\KZsoNqI.exe
PID 1884 wrote to memory of 4820 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_ca981df9780aa4016873a2dd82f249f9_cobalt-strike_cobaltstrike.exe C:\Windows\System\iPuAAqq.exe
PID 1884 wrote to memory of 4820 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_ca981df9780aa4016873a2dd82f249f9_cobalt-strike_cobaltstrike.exe C:\Windows\System\iPuAAqq.exe
PID 1884 wrote to memory of 4460 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_ca981df9780aa4016873a2dd82f249f9_cobalt-strike_cobaltstrike.exe C:\Windows\System\QpumNuV.exe
PID 1884 wrote to memory of 4460 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_ca981df9780aa4016873a2dd82f249f9_cobalt-strike_cobaltstrike.exe C:\Windows\System\QpumNuV.exe
PID 1884 wrote to memory of 4636 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_ca981df9780aa4016873a2dd82f249f9_cobalt-strike_cobaltstrike.exe C:\Windows\System\uQEOIwn.exe
PID 1884 wrote to memory of 4636 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_ca981df9780aa4016873a2dd82f249f9_cobalt-strike_cobaltstrike.exe C:\Windows\System\uQEOIwn.exe
PID 1884 wrote to memory of 4032 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_ca981df9780aa4016873a2dd82f249f9_cobalt-strike_cobaltstrike.exe C:\Windows\System\gyfavYs.exe
PID 1884 wrote to memory of 4032 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_ca981df9780aa4016873a2dd82f249f9_cobalt-strike_cobaltstrike.exe C:\Windows\System\gyfavYs.exe
PID 1884 wrote to memory of 1588 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_ca981df9780aa4016873a2dd82f249f9_cobalt-strike_cobaltstrike.exe C:\Windows\System\gtamfCR.exe
PID 1884 wrote to memory of 1588 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_ca981df9780aa4016873a2dd82f249f9_cobalt-strike_cobaltstrike.exe C:\Windows\System\gtamfCR.exe
PID 1884 wrote to memory of 4840 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_ca981df9780aa4016873a2dd82f249f9_cobalt-strike_cobaltstrike.exe C:\Windows\System\ERohUpG.exe
PID 1884 wrote to memory of 4840 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_ca981df9780aa4016873a2dd82f249f9_cobalt-strike_cobaltstrike.exe C:\Windows\System\ERohUpG.exe
PID 1884 wrote to memory of 3196 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_ca981df9780aa4016873a2dd82f249f9_cobalt-strike_cobaltstrike.exe C:\Windows\System\OAWlhif.exe
PID 1884 wrote to memory of 3196 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_ca981df9780aa4016873a2dd82f249f9_cobalt-strike_cobaltstrike.exe C:\Windows\System\OAWlhif.exe
PID 1884 wrote to memory of 2356 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_ca981df9780aa4016873a2dd82f249f9_cobalt-strike_cobaltstrike.exe C:\Windows\System\zFGknos.exe
PID 1884 wrote to memory of 2356 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_ca981df9780aa4016873a2dd82f249f9_cobalt-strike_cobaltstrike.exe C:\Windows\System\zFGknos.exe
PID 1884 wrote to memory of 4092 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_ca981df9780aa4016873a2dd82f249f9_cobalt-strike_cobaltstrike.exe C:\Windows\System\OwGjHGv.exe
PID 1884 wrote to memory of 4092 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_ca981df9780aa4016873a2dd82f249f9_cobalt-strike_cobaltstrike.exe C:\Windows\System\OwGjHGv.exe
PID 1884 wrote to memory of 2280 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_ca981df9780aa4016873a2dd82f249f9_cobalt-strike_cobaltstrike.exe C:\Windows\System\IeqhwUK.exe
PID 1884 wrote to memory of 2280 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_ca981df9780aa4016873a2dd82f249f9_cobalt-strike_cobaltstrike.exe C:\Windows\System\IeqhwUK.exe
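
The two tables above are enough to reconstruct the drop-and-execute chain. Every "File created" row names a file the sample wrote into C:\Windows\System, the 16-bit era directory beside System32 that modern software almost never populates and that needs administrative rights to write to, and every "wrote to memory of" row names a child PID whose image is one of those files, which is what the sandbox reports when a parent creates a process and the loader writes into the new child. The Python below is an added example, not part of this report or of the sandbox's tooling: it parses rows in the format printed above, collapses the doubled WriteProcessMemory entries, and reports which dropped files were subsequently run and which were not. The embedded rows are a constructed subset copied from the two tables; OwGjHGv.exe is included as a created file without its write row so that the "dropped but not run" branch is exercised (in the full table it does have one, PID 4092).

```python
import re

# Constructed subset of rows from the "Drops file in Windows directory" and
# "Suspicious use of WriteProcessMemory" tables of this report. The sandbox
# prints each WriteProcessMemory row twice; OwGjHGv.exe is deliberately left
# without a write row for the example.
DROPPER = (r"C:\Users\Admin\AppData\Local\Temp"
           r"\2024-06-01_ca981df9780aa4016873a2dd82f249f9_cobalt-strike_cobaltstrike.exe")
SAMPLE_ROWS = rf"""
File created C:\Windows\System\OwGjHGv.exe {DROPPER} N/A
File created C:\Windows\System\sdIAsql.exe {DROPPER} N/A
File created C:\Windows\System\geUXSbj.exe {DROPPER} N/A
File created C:\Windows\System\YiFMFnq.exe {DROPPER} N/A
PID 1884 wrote to memory of 3164 N/A {DROPPER} C:\Windows\System\geUXSbj.exe
PID 1884 wrote to memory of 3164 N/A {DROPPER} C:\Windows\System\geUXSbj.exe
PID 1884 wrote to memory of 3536 N/A {DROPPER} C:\Windows\System\sdIAsql.exe
PID 1884 wrote to memory of 3536 N/A {DROPPER} C:\Windows\System\sdIAsql.exe
PID 1884 wrote to memory of 2912 N/A {DROPPER} C:\Windows\System\YiFMFnq.exe
PID 1884 wrote to memory of 2912 N/A {DROPPER} C:\Windows\System\YiFMFnq.exe
"""

CREATED_RE = re.compile(r"^File created (\S+) (\S+) N/A$")
WROTE_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)$")


def parse_rows(text):
    """Split report rows into two maps.

    dropped: created path -> image of the process that created it
    writes:  (parent_pid, child_pid) -> (parent_image, child_image); a dict,
             so the doubled rows collapse to one entry per process pair
    """
    dropped, writes = {}, {}
    for line in text.splitlines():
        line = line.strip()
        if m := CREATED_RE.match(line):
            dropped[m.group(1)] = m.group(2)
        elif m := WROTE_RE.match(line):
            writes[(int(m.group(1)), int(m.group(2)))] = (m.group(3), m.group(4))
    return dropped, writes


def drop_and_execute_chain(text):
    """Correlate dropped files with the child processes they became.

    A write whose target image is a file that the same parent dropped means
    that file was run. Returns (executed, not_run): executed maps child image
    -> child PID; not_run is the set of dropped files never seen as a target.
    """
    dropped, writes = parse_rows(text)
    executed = {}
    for (_ppid, cpid), (parent_img, child_img) in writes.items():
        if dropped.get(child_img) == parent_img:
            executed[child_img] = cpid
    return executed, set(dropped) - set(executed)


def is_legacy_system_dir(path):
    r"""True for files directly under C:\Windows\System (not System32 or
    SysWOW64), the 16-bit era directory that modern software leaves alone."""
    return path.lower().startswith(r"c:\windows\system" + "\\")


if __name__ == "__main__":
    executed, not_run = drop_and_execute_chain(SAMPLE_ROWS)
    for image, pid in sorted(executed.items()):
        flag = " [legacy dir]" if is_legacy_system_dir(image) else ""
        print(f"PID {pid:>5}  {image}{flag}")
    for image in sorted(not_run):
        print(f"dropped, not run: {image}")
```

Feeding the complete tables through the same functions yields 21 created files and 21 distinct parent-child pairs, all from PID 1884, which is the number of dropped executables listed under Processes.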

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-01_ca981df9780aa4016873a2dd82f249f9_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-01_ca981df9780aa4016873a2dd82f249f9_cobalt-strike_cobaltstrike.exe"

Dropped executables, each run with a command line identical to its path:

C:\Windows\System\geUXSbj.exe
C:\Windows\System\sdIAsql.exe
C:\Windows\System\DBqyGqC.exe
C:\Windows\System\rvpPElN.exe
C:\Windows\System\YiFMFnq.exe
C:\Windows\System\XspuvEW.exe
C:\Windows\System\MslYKZM.exe
C:\Windows\System\zqMGNTR.exe
C:\Windows\System\lRYLGIS.exe
C:\Windows\System\PCbFVQw.exe
C:\Windows\System\KZsoNqI.exe
C:\Windows\System\iPuAAqq.exe
C:\Windows\System\QpumNuV.exe
C:\Windows\System\uQEOIwn.exe
C:\Windows\System\gyfavYs.exe
C:\Windows\System\gtamfCR.exe
C:\Windows\System\ERohUpG.exe
C:\Windows\System\OAWlhif.exe
C:\Windows\System\zFGknos.exe
C:\Windows\System\OwGjHGv.exe
C:\Windows\System\IeqhwUK.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 2.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp

Files

memory/1884-0-0x00007FF6F4D80000-0x00007FF6F50D4000-memory.dmp

memory/1884-1-0x0000017EE3710000-0x0000017EE3720000-memory.dmp

C:\Windows\System\geUXSbj.exe

MD5 5ffc7a39033756df9967835c8e105a86
SHA1 81b765ba811907609ca6657fb0f6f310f2f7d9c5
SHA256 50eb72472b7242b6f25f766dbdfab069b0971aabd8f4d6bffe6f3745c2e5bf23
SHA512 dd6947cf9a509f14d9eca38f2c4497e6f44e9f6608782610316a5fdcd703e6cf5db96d4ed85cc91a8c26e8062671ba185894289f7031393df2f4cf6c85271406

memory/3164-8-0x00007FF665440000-0x00007FF665794000-memory.dmp

C:\Windows\System\sdIAsql.exe

MD5 c29d295470ca5c81c7920d2aad3de8e4
SHA1 4c6446e93a8e46dba243682e9408cb73af0f00b5
SHA256 57abff8ca4d8074cc33d76d73bf1724fe267dcf1c2446493d63b97649bdaf648
SHA512 9b5e0a8ec56acf923fa6a0986e1ba92744c82d0b226bf50e5f9ef32247faeff7d1bedc50a5873c60ba71eea078371fc56c9d06d5f14c714cab57818ee3002780

C:\Windows\System\DBqyGqC.exe

MD5 d16167bac74c853e1f6b8f9b035af733
SHA1 a6135e62415a66a2c10590f0ed9bb86bdbd8a170
SHA256 6fc5ffa4d8fadf41b5b6095c58860872f311d6d893686f73ff6aad82d31e616d
SHA512 dc1d3f1dc759bb297487daa0a0562c0a63fc639db27b65a752392a764e05c692b51b20f1877d849952a2dc4b580f60ef9a5c1567e937b8188e78bc686254a527

memory/3536-13-0x00007FF79CA00000-0x00007FF79CD54000-memory.dmp

memory/1016-20-0x00007FF6BC4C0000-0x00007FF6BC814000-memory.dmp

C:\Windows\System\rvpPElN.exe

MD5 aa35f8045eacf08cb365d6e4ab7e34cb
SHA1 b93dd70d59c19e81abeb577404c7f137fd72d5ad
SHA256 6a2977bdc99e934ef9bf259d43a570997da2126b3b929d5b942075acd648d8c0
SHA512 53c018998c4d92ac127548a22eabf94dcf7b1880ee582e154bb655a8f068c1de9749eceb7ebd804ed1f8758166ea0e5690b66e48df132527fb4fdb0c16d2da28

memory/2344-25-0x00007FF639380000-0x00007FF6396D4000-memory.dmp

C:\Windows\System\YiFMFnq.exe

MD5 21b8ff43ebea489a5b3581dee1f692bc
SHA1 dd4e29e704e0822d078891d2a77a948692be24a8
SHA256 eb52c51fc469c82b473c8b312b71d5ae7656b307bdfe5c00be0b768da3c847f8
SHA512 d160bf2829fc92e0dabe32442fa516e71493c48a449698a3ef38eb2e3b2ae395678e117e0f944105a3352862d3920a9a492ee7e4fd194a437fe3a85a63d3786e

memory/2912-30-0x00007FF721360000-0x00007FF7216B4000-memory.dmp

C:\Windows\System\XspuvEW.exe

MD5 5ce07daf8823ae874b703e1e8de1f121
SHA1 bcc02b0859ecda712f363a2a4c3a599c15c45bd3
SHA256 7f42cc29e84349081d0ada8ec7332f29f6b1e1df79ca093863a7db31fa8fdcb1
SHA512 c6e2113d428a73729e4203e0fbea2023b8c12e45d6129133d8d486cc5c02b335b4fd1ed7219f9f53cbf21750b9cd4fd7595833d9c8c085349012b80399aa24a3

memory/2068-38-0x00007FF707800000-0x00007FF707B54000-memory.dmp

C:\Windows\System\MslYKZM.exe

MD5 12b98003a054791b541abcd70fcc3267
SHA1 f1d0c26ceb5378d3d51afab04fa499dbdb7b70ca
SHA256 d37d81dd3540349656ab7e4d5aef9d67039b9f8516f8cd73e6b0ded6b9b41bf7
SHA512 b1504d1910f7d0898b8a8c90182f8752e420a6155d18e7566632a7855b3f6d2d2a05007e15d222b191748e05be92f030592d686c33579c268646910266dd40a5

C:\Windows\System\zqMGNTR.exe

MD5 904309278f3bbe5412ab052bf9f0bb64
SHA1 c5576b0bd626876d209977c01a8fbcd93d32ad31
SHA256 e1e71aaa5a2d008886fe87bee0b682cdf91487c0bae28a192c48df6f4d31e81c
SHA512 01c90861822f1873b3f454ef761aa67917f54c0c74ac73124ca458f0c3ab4aa66cc6745dcc2724d57a0b24e163a802744530fe49be386ec5a33e583fe8fe771b

C:\Windows\System\lRYLGIS.exe

MD5 f5ab822e229d8bed6cb07848ce8b4cc8
SHA1 47d42f5cf6a2d64aea2c3ba8c1fb1ce0b7679895
SHA256 4ac6c974c0913da281b7f8778870f909dc2406643c911fa621d8dcd0bbaec3f9
SHA512 ca39668674efa8d3c4490418b3b4c110b4a6fcb05b937a0d6655991a5bf2b611f2019fc341d3a093a4cc9a0cee325c52fe6b4dbb97e5ad8f883b989e5a064461

C:\Windows\System\PCbFVQw.exe

MD5 3ce9f67f1305d7858d70b7307b83d354
SHA1 98daf5f6398b90237b2a46d2b305f8e1e9a04527
SHA256 895ba6ce32d92dea506eda83c0964265dace57917772c844e397486f6aafbd40
SHA512 79f0bcb2f6353ce4c279e835eb5298a8badd762ec26f06ff8e3d4ec798dfea7f0ec722f2617105d59a33502b7e84bc836ba4ee4130484bb765e4291b42aea8dd

memory/3184-69-0x00007FF7520E0000-0x00007FF752434000-memory.dmp

C:\Windows\System\QpumNuV.exe

MD5 032fb72921ce2f5ce409cae2a9b4044f
SHA1 35d376139e3ed2c10b8f0ed8d33b1a899d348aa7
SHA256 3ea26660b4eea6ad08a45bedf40db4c9de5ea295b80614d101935b0af3e8ff9b
SHA512 bea58f7d58c6741e847209ee153410fb42a86a1ca717160d4c87a57071bed0f51402d37ab019eae9298705649f3b3c9c9e5c70ef4fd06230ab66b334758d2e05

C:\Windows\System\ERohUpG.exe

MD5 ce959b9acdf6ca36634ec94d6ec318ee
SHA1 07a28c4926f673a8b387b22ffeece3b0a3915642
SHA256 31d208fff92e22ea4ef5fe19f0c04f6beae5be826e3191ecbdffb94415e3de50
SHA512 8e9312ea72c4bba18b5699e1ec3f8aebcdd73a93df67fd44912ec057b373de59f9f8a1856abd3964a4bfd78a2d11a1daffa74e72403baa559b796ceae75f1804

C:\Windows\System\OwGjHGv.exe

MD5 9cbdce18cc2e9a10cdf4f226fb545de7
SHA1 b667784da3e107a2488f322864d28c4bd748c65d
SHA256 0669f5953aa77fd009ad5cd5de2a6d438b0bf0167d640301cc906cfa4b3f0f99
SHA512 c8cc7e29eb3abc1603c18002a4fd5f7efcf5a3651a5a0a4a4e9bffcbc0130a6fe8b6fbd0ba34ba593b1a7ef89aed5d6e9982845f9a35a69cc46da7486b96809b

C:\Windows\System\IeqhwUK.exe

MD5 b430b37fbf95fd227fdaf9c256d035ec
SHA1 2c62f1bac519a435786628468723d31db039a670
SHA256 3ea8ccf8f252d59de27c454cdc538e55f234498465d22a89682e129cc97c77b9
SHA512 35a8c7bd3c84c220189bf82931dd2742c89f21a333d25e1e36bebc4156a2378998fc6516f730694a69e9b4a694b1e65652f02dff5ef68ce9db4cfeada0f269dc

C:\Windows\System\zFGknos.exe

MD5 324bd5130c750908ade8256fb1ce3a5c
SHA1 a2b277d8eb508a78db9b1248c6938cd4cdc911f3
SHA256 ccff3d6d9d2e19d43601c6963489c2313909eb023f1ba7054558df8f6dcd83cc
SHA512 a0c0249bd2d9aeef8c38378ba0c00ee293e1193707da45bc5df4af36a872f69b3ab309d476eefdf7d90c708ae4a50fe20fc3238fb89f889e1fd1e5b46902d526

C:\Windows\System\OAWlhif.exe

MD5 2d347204cf5597253aadeffe386c8014
SHA1 08250634a3e30bf2a777878f2fa730ab41443fc3
SHA256 948f33d8370ae07f0b6e985b3fe489927207b366934c5f3ac6747f335b78636b
SHA512 a5e421442b81bb4419dfd5f8671c68de0c8586694106bce778a2ab1da9e98e3be2ba625fd9cd16955eaa9cdb0ab798ecdb5ac6ddb1f0accac0b6b711301fee99

C:\Windows\System\gtamfCR.exe

MD5 9387116000c2123c060176f9de38155b
SHA1 d6dd94811c3da1404186765d9d0476e6eaa245d3
SHA256 6d1978464bc886e71cef1966e30f60294074f6338d16c634c4ddd7741ec7ddbf
SHA512 63cf2bcac4fbd082aff986e704eaa4cb80da3d73437904865756f2daf7969d26c120c6f367eb8ba1eb82fe99f0b8a941708f3d7ee2efe4dfc1a00da79eb14be6

C:\Windows\System\gyfavYs.exe

MD5 c000e4ccfb9b53a0986e8600e12f5a2b
SHA1 c061d8e1f01200147b9e4c14d0cd1e4cada8f8fc
SHA256 20264c7ad4a159f36bd7de28581c35be143ce50201e8dbdfdd17da84fa51a0a6
SHA512 123121e55ac6f2a783b34101a96198a899d6b2a31953945b767214c519d08b3aea41d0bf0d2efb2c11ce08c8159213271b8712ea5d29219e8b643267e28ab31b

C:\Windows\System\uQEOIwn.exe

MD5 823a571e3a4a58a6936d5b212aa0260c
SHA1 5f204aa49261b6187fb7db2dee3dd4a2d61fcf93
SHA256 7a6d32c8ce244d46a0938497b7d3e8f9485a4c681ddf70789e156df7f763d289
SHA512 01ee7e0ba486b811790c499de265b759a9be0bdf1a10d791e63bf40dc0c0e0a05a9bc6612a1dc1037123e9fc27026dba119ceb5e23402fb147675c0b3a840f38

C:\Windows\System\KZsoNqI.exe

MD5 f9d9dc791d5e09edbbbd8234f3ca76cf
SHA1 56a5710eb0be9f291cd128b553be87fcd37df1a5
SHA256 b3cd6503e1dc3d3ff92b4db4a64d0d14147b56b08c86e50ba415288487204f89
SHA512 713c574edac11b47fcbe9b50c0ef93b6f5d34bad05831142e26881abe060c425726ebe389168551dc440d2ee79b1888d3d6ec378d9476c84c2dc42dd5b3b8b3d

C:\Windows\System\iPuAAqq.exe

MD5 693027f2ac8873a84e483116eb79fa5f
SHA1 bf32c902e32c9b02e41fda4825ea79afa5e9abee
SHA256 b01e44a8da46ef47ce302dd45cdf9aa868b6c68e6c498c5679de055c9a753803
SHA512 ddde55e932eec9246e65aa10dd5ee256b167f735caee10d284adebf6fdb92d270a19af188039813e176d12860d58f00f57112c2e5f69d6c75d6f547f7521ab4e

memory/4820-72-0x00007FF673AB0000-0x00007FF673E04000-memory.dmp

memory/4468-60-0x00007FF7C6D50000-0x00007FF7C70A4000-memory.dmp

memory/4660-59-0x00007FF7377A0000-0x00007FF737AF4000-memory.dmp

memory/2220-57-0x00007FF716FD0000-0x00007FF717324000-memory.dmp

memory/3852-54-0x00007FF711BE0000-0x00007FF711F34000-memory.dmp

memory/1884-119-0x00007FF6F4D80000-0x00007FF6F50D4000-memory.dmp

memory/4032-121-0x00007FF607F10000-0x00007FF608264000-memory.dmp

memory/4460-120-0x00007FF7316B0000-0x00007FF731A04000-memory.dmp

memory/1588-122-0x00007FF7D2AD0000-0x00007FF7D2E24000-memory.dmp

memory/4840-123-0x00007FF7D35E0000-0x00007FF7D3934000-memory.dmp

memory/3196-124-0x00007FF6F8D20000-0x00007FF6F9074000-memory.dmp

memory/2356-125-0x00007FF7180F0000-0x00007FF718444000-memory.dmp

memory/2280-127-0x00007FF6C50B0000-0x00007FF6C5404000-memory.dmp

memory/4636-128-0x00007FF75D210000-0x00007FF75D564000-memory.dmp

memory/4092-126-0x00007FF6ADE00000-0x00007FF6AE154000-memory.dmp

memory/3164-129-0x00007FF665440000-0x00007FF665794000-memory.dmp

memory/3536-130-0x00007FF79CA00000-0x00007FF79CD54000-memory.dmp

memory/1016-131-0x00007FF6BC4C0000-0x00007FF6BC814000-memory.dmp

memory/2344-132-0x00007FF639380000-0x00007FF6396D4000-memory.dmp

memory/2912-133-0x00007FF721360000-0x00007FF7216B4000-memory.dmp

memory/4468-134-0x00007FF7C6D50000-0x00007FF7C70A4000-memory.dmp

memory/3184-135-0x00007FF7520E0000-0x00007FF752434000-memory.dmp

memory/4820-136-0x00007FF673AB0000-0x00007FF673E04000-memory.dmp

memory/3164-137-0x00007FF665440000-0x00007FF665794000-memory.dmp

memory/3536-138-0x00007FF79CA00000-0x00007FF79CD54000-memory.dmp

memory/1016-139-0x00007FF6BC4C0000-0x00007FF6BC814000-memory.dmp

memory/2344-140-0x00007FF639380000-0x00007FF6396D4000-memory.dmp

memory/2912-141-0x00007FF721360000-0x00007FF7216B4000-memory.dmp

memory/2068-142-0x00007FF707800000-0x00007FF707B54000-memory.dmp

memory/3852-143-0x00007FF711BE0000-0x00007FF711F34000-memory.dmp

memory/4660-144-0x00007FF7377A0000-0x00007FF737AF4000-memory.dmp

memory/2220-145-0x00007FF716FD0000-0x00007FF717324000-memory.dmp

memory/4468-146-0x00007FF7C6D50000-0x00007FF7C70A4000-memory.dmp

memory/4820-147-0x00007FF673AB0000-0x00007FF673E04000-memory.dmp

memory/3184-148-0x00007FF7520E0000-0x00007FF752434000-memory.dmp

memory/4460-149-0x00007FF7316B0000-0x00007FF731A04000-memory.dmp

memory/4636-150-0x00007FF75D210000-0x00007FF75D564000-memory.dmp

memory/4032-152-0x00007FF607F10000-0x00007FF608264000-memory.dmp

memory/1588-151-0x00007FF7D2AD0000-0x00007FF7D2E24000-memory.dmp

memory/4840-153-0x00007FF7D35E0000-0x00007FF7D3934000-memory.dmp

memory/2356-155-0x00007FF7180F0000-0x00007FF718444000-memory.dmp

memory/3196-154-0x00007FF6F8D20000-0x00007FF6F9074000-memory.dmp

memory/2280-157-0x00007FF6C50B0000-0x00007FF6C5404000-memory.dmp

memory/4092-156-0x00007FF6ADE00000-0x00007FF6AE154000-memory.dmp
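
The memory dump names in the Files lists encode the dumped region (memory/<pid>-<n>-0x<start>-0x<end>-memory.dmp), so region sizes can be recovered from the report alone. Across both runs, the region dumped for the sample and for every dropped executable spans 0x354000 bytes, while the sample's second region (memory/1884-1) is a 0x10000-byte block. The Python below is an added example, not sandbox output or tooling: it parses names in that format, collapses repeated dumps of the same region (the sandbox dumps each one at several points in the run, hence the climbing index), builds a size histogram, and lists which PIDs share a given size. The embedded names are a constructed subset copied from the behavioral2 list above. A uniform region size across twenty files with twenty different hashes is a cheap first hint, not proof, that the drops are re-emissions of one build rather than twenty different tools; confirming that needs the files or the dumps themselves.

```python
import re
from collections import Counter

DUMP_RE = re.compile(
    r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")

# Constructed subset of dump names copied from the behavioral2 Files list of
# this report; the full list has the same shape.
SAMPLE_DUMPS = """
memory/1884-0-0x00007FF6F4D80000-0x00007FF6F50D4000-memory.dmp
memory/1884-1-0x0000017EE3710000-0x0000017EE3720000-memory.dmp
memory/3164-8-0x00007FF665440000-0x00007FF665794000-memory.dmp
memory/3536-13-0x00007FF79CA00000-0x00007FF79CD54000-memory.dmp
memory/1884-119-0x00007FF6F4D80000-0x00007FF6F50D4000-memory.dmp
memory/3164-129-0x00007FF665440000-0x00007FF665794000-memory.dmp
"""


def parse_dumps(text):
    """Yield (pid, dump_index, start, end) for every well-formed dump name;
    other tokens in the text (paths, hashes) are ignored."""
    for token in text.split():
        if m := DUMP_RE.match(token):
            pid, idx, start, end = m.groups()
            yield int(pid), int(idx), int(start, 16), int(end, 16)


def region_sizes(text):
    """Map (pid, start) -> size in bytes. Keying on the region rather than
    the dump index collapses repeated dumps of the same region."""
    sizes = {}
    for pid, _idx, start, end in parse_dumps(text):
        sizes[(pid, start)] = end - start
    return sizes


def size_histogram(text):
    """Number of distinct dumped regions per size."""
    return Counter(region_sizes(text).values())


def pids_with_region_size(text, size):
    """Sorted PIDs that had at least one dumped region of exactly `size` bytes."""
    return sorted({pid for (pid, _start), sz in region_sizes(text).items() if sz == size})


if __name__ == "__main__":
    for size, count in sorted(size_histogram(SAMPLE_DUMPS).items()):
        pids = pids_with_region_size(SAMPLE_DUMPS, size)
        print(f"{size:#x} bytes: {count} region(s) in PIDs {pids}")
```

Running the same functions over the complete behavioral2 list gives one 0x354000-byte region for each of the 21 processes and the single 0x10000-byte region in PID 1884; the behavioral1 list gives the same 0x354000 size at the lower 0x13F... addresses of its Windows 7 image base.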