Malware Analysis Report

2025-01-22 19:39

Sample ID 240601-gynwxada79
Target 2024-06-01_c89d384a864c326d03abaf8522cffc1e_cobalt-strike_cobaltstrike
SHA256 7465ebabba677948946966a179f6b27b2c849b54db4dbe4b772fb9dd99acff56
Tags
miner upx 0 xmrig cobaltstrike backdoor trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

7465ebabba677948946966a179f6b27b2c849b54db4dbe4b772fb9dd99acff56

Threat Level: Known bad

The file 2024-06-01_c89d384a864c326d03abaf8522cffc1e_cobalt-strike_cobaltstrike was found to be: Known bad.

Malicious Activity Summary

miner upx 0 xmrig cobaltstrike backdoor trojan

Detects Reflective DLL injection artifacts

UPX dump on OEP (original entry point)

Cobaltstrike family

Cobaltstrike

Xmrig family

XMRig Miner payload

xmrig

Cobalt Strike reflective loader

Loads dropped DLL

UPX packed file

Executes dropped EXE

Drops file in Windows directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-01 06:12

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike family

cobaltstrike

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Xmrig family

xmrig

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-01 06:12

Reported

2024-06-01 06:15

Platform

win7-20240508-en

Max time kernel

140s

Max time network

144s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-01_c89d384a864c326d03abaf8522cffc1e_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_c89d384a864c326d03abaf8522cffc1e_cobalt-strike_cobaltstrike.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\LqFrWgZ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_c89d384a864c326d03abaf8522cffc1e_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\YHCLfDf.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_c89d384a864c326d03abaf8522cffc1e_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\DMekFef.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_c89d384a864c326d03abaf8522cffc1e_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\CJCBcAp.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_c89d384a864c326d03abaf8522cffc1e_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\uMwycWF.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_c89d384a864c326d03abaf8522cffc1e_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\HuTtPKK.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_c89d384a864c326d03abaf8522cffc1e_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\EjoeAdT.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_c89d384a864c326d03abaf8522cffc1e_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\veLpnQo.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_c89d384a864c326d03abaf8522cffc1e_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\IPWyFhm.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_c89d384a864c326d03abaf8522cffc1e_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\RLfMqpX.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_c89d384a864c326d03abaf8522cffc1e_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\wAfsCqf.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_c89d384a864c326d03abaf8522cffc1e_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\yKLqqyi.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_c89d384a864c326d03abaf8522cffc1e_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\wBzrRdn.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_c89d384a864c326d03abaf8522cffc1e_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\zFJgoHg.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_c89d384a864c326d03abaf8522cffc1e_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\PWvmdKu.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_c89d384a864c326d03abaf8522cffc1e_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\GfKgsxI.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_c89d384a864c326d03abaf8522cffc1e_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\XBaSDBg.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_c89d384a864c326d03abaf8522cffc1e_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\BmdlfTv.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_c89d384a864c326d03abaf8522cffc1e_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\TCmrVkO.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_c89d384a864c326d03abaf8522cffc1e_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\kQDiuIG.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_c89d384a864c326d03abaf8522cffc1e_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ezlveql.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_c89d384a864c326d03abaf8522cffc1e_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_c89d384a864c326d03abaf8522cffc1e_cobalt-strike_cobaltstrike.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_c89d384a864c326d03abaf8522cffc1e_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1988 wrote to memory of 2148 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_c89d384a864c326d03abaf8522cffc1e_cobalt-strike_cobaltstrike.exe C:\Windows\System\PWvmdKu.exe
PID 1988 wrote to memory of 2148 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_c89d384a864c326d03abaf8522cffc1e_cobalt-strike_cobaltstrike.exe C:\Windows\System\PWvmdKu.exe
PID 1988 wrote to memory of 2148 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_c89d384a864c326d03abaf8522cffc1e_cobalt-strike_cobaltstrike.exe C:\Windows\System\PWvmdKu.exe
PID 1988 wrote to memory of 2632 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_c89d384a864c326d03abaf8522cffc1e_cobalt-strike_cobaltstrike.exe C:\Windows\System\uMwycWF.exe
PID 1988 wrote to memory of 2632 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_c89d384a864c326d03abaf8522cffc1e_cobalt-strike_cobaltstrike.exe C:\Windows\System\uMwycWF.exe
PID 1988 wrote to memory of 2632 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_c89d384a864c326d03abaf8522cffc1e_cobalt-strike_cobaltstrike.exe C:\Windows\System\uMwycWF.exe
PID 1988 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_c89d384a864c326d03abaf8522cffc1e_cobalt-strike_cobaltstrike.exe C:\Windows\System\LqFrWgZ.exe
PID 1988 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_c89d384a864c326d03abaf8522cffc1e_cobalt-strike_cobaltstrike.exe C:\Windows\System\LqFrWgZ.exe
PID 1988 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_c89d384a864c326d03abaf8522cffc1e_cobalt-strike_cobaltstrike.exe C:\Windows\System\LqFrWgZ.exe
PID 1988 wrote to memory of 2120 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_c89d384a864c326d03abaf8522cffc1e_cobalt-strike_cobaltstrike.exe C:\Windows\System\GfKgsxI.exe
PID 1988 wrote to memory of 2120 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_c89d384a864c326d03abaf8522cffc1e_cobalt-strike_cobaltstrike.exe C:\Windows\System\GfKgsxI.exe
PID 1988 wrote to memory of 2120 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_c89d384a864c326d03abaf8522cffc1e_cobalt-strike_cobaltstrike.exe C:\Windows\System\GfKgsxI.exe
PID 1988 wrote to memory of 2524 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_c89d384a864c326d03abaf8522cffc1e_cobalt-strike_cobaltstrike.exe C:\Windows\System\XBaSDBg.exe
PID 1988 wrote to memory of 2524 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_c89d384a864c326d03abaf8522cffc1e_cobalt-strike_cobaltstrike.exe C:\Windows\System\XBaSDBg.exe
PID 1988 wrote to memory of 2524 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_c89d384a864c326d03abaf8522cffc1e_cobalt-strike_cobaltstrike.exe C:\Windows\System\XBaSDBg.exe
PID 1988 wrote to memory of 2516 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_c89d384a864c326d03abaf8522cffc1e_cobalt-strike_cobaltstrike.exe C:\Windows\System\IPWyFhm.exe
PID 1988 wrote to memory of 2516 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_c89d384a864c326d03abaf8522cffc1e_cobalt-strike_cobaltstrike.exe C:\Windows\System\IPWyFhm.exe
PID 1988 wrote to memory of 2516 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_c89d384a864c326d03abaf8522cffc1e_cobalt-strike_cobaltstrike.exe C:\Windows\System\IPWyFhm.exe
PID 1988 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_c89d384a864c326d03abaf8522cffc1e_cobalt-strike_cobaltstrike.exe C:\Windows\System\HuTtPKK.exe
PID 1988 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_c89d384a864c326d03abaf8522cffc1e_cobalt-strike_cobaltstrike.exe C:\Windows\System\HuTtPKK.exe
PID 1988 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_c89d384a864c326d03abaf8522cffc1e_cobalt-strike_cobaltstrike.exe C:\Windows\System\HuTtPKK.exe
PID 1988 wrote to memory of 2564 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_c89d384a864c326d03abaf8522cffc1e_cobalt-strike_cobaltstrike.exe C:\Windows\System\BmdlfTv.exe
PID 1988 wrote to memory of 2564 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_c89d384a864c326d03abaf8522cffc1e_cobalt-strike_cobaltstrike.exe C:\Windows\System\BmdlfTv.exe
PID 1988 wrote to memory of 2564 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_c89d384a864c326d03abaf8522cffc1e_cobalt-strike_cobaltstrike.exe C:\Windows\System\BmdlfTv.exe
PID 1988 wrote to memory of 2996 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_c89d384a864c326d03abaf8522cffc1e_cobalt-strike_cobaltstrike.exe C:\Windows\System\TCmrVkO.exe
PID 1988 wrote to memory of 2996 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_c89d384a864c326d03abaf8522cffc1e_cobalt-strike_cobaltstrike.exe C:\Windows\System\TCmrVkO.exe
PID 1988 wrote to memory of 2996 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_c89d384a864c326d03abaf8522cffc1e_cobalt-strike_cobaltstrike.exe C:\Windows\System\TCmrVkO.exe
PID 1988 wrote to memory of 2504 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_c89d384a864c326d03abaf8522cffc1e_cobalt-strike_cobaltstrike.exe C:\Windows\System\kQDiuIG.exe
PID 1988 wrote to memory of 2504 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_c89d384a864c326d03abaf8522cffc1e_cobalt-strike_cobaltstrike.exe C:\Windows\System\kQDiuIG.exe
PID 1988 wrote to memory of 2504 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_c89d384a864c326d03abaf8522cffc1e_cobalt-strike_cobaltstrike.exe C:\Windows\System\kQDiuIG.exe
PID 1988 wrote to memory of 1560 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_c89d384a864c326d03abaf8522cffc1e_cobalt-strike_cobaltstrike.exe C:\Windows\System\YHCLfDf.exe
PID 1988 wrote to memory of 1560 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_c89d384a864c326d03abaf8522cffc1e_cobalt-strike_cobaltstrike.exe C:\Windows\System\YHCLfDf.exe
PID 1988 wrote to memory of 1560 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_c89d384a864c326d03abaf8522cffc1e_cobalt-strike_cobaltstrike.exe C:\Windows\System\YHCLfDf.exe
PID 1988 wrote to memory of 2800 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_c89d384a864c326d03abaf8522cffc1e_cobalt-strike_cobaltstrike.exe C:\Windows\System\RLfMqpX.exe
PID 1988 wrote to memory of 2800 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_c89d384a864c326d03abaf8522cffc1e_cobalt-strike_cobaltstrike.exe C:\Windows\System\RLfMqpX.exe
PID 1988 wrote to memory of 2800 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_c89d384a864c326d03abaf8522cffc1e_cobalt-strike_cobaltstrike.exe C:\Windows\System\RLfMqpX.exe
PID 1988 wrote to memory of 2816 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_c89d384a864c326d03abaf8522cffc1e_cobalt-strike_cobaltstrike.exe C:\Windows\System\DMekFef.exe
PID 1988 wrote to memory of 2816 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_c89d384a864c326d03abaf8522cffc1e_cobalt-strike_cobaltstrike.exe C:\Windows\System\DMekFef.exe
PID 1988 wrote to memory of 2816 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_c89d384a864c326d03abaf8522cffc1e_cobalt-strike_cobaltstrike.exe C:\Windows\System\DMekFef.exe
PID 1988 wrote to memory of 2836 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_c89d384a864c326d03abaf8522cffc1e_cobalt-strike_cobaltstrike.exe C:\Windows\System\ezlveql.exe
PID 1988 wrote to memory of 2836 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_c89d384a864c326d03abaf8522cffc1e_cobalt-strike_cobaltstrike.exe C:\Windows\System\ezlveql.exe
PID 1988 wrote to memory of 2836 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_c89d384a864c326d03abaf8522cffc1e_cobalt-strike_cobaltstrike.exe C:\Windows\System\ezlveql.exe
PID 1988 wrote to memory of 1552 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_c89d384a864c326d03abaf8522cffc1e_cobalt-strike_cobaltstrike.exe C:\Windows\System\wAfsCqf.exe
PID 1988 wrote to memory of 1552 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_c89d384a864c326d03abaf8522cffc1e_cobalt-strike_cobaltstrike.exe C:\Windows\System\wAfsCqf.exe
PID 1988 wrote to memory of 1552 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_c89d384a864c326d03abaf8522cffc1e_cobalt-strike_cobaltstrike.exe C:\Windows\System\wAfsCqf.exe
PID 1988 wrote to memory of 1680 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_c89d384a864c326d03abaf8522cffc1e_cobalt-strike_cobaltstrike.exe C:\Windows\System\yKLqqyi.exe
PID 1988 wrote to memory of 1680 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_c89d384a864c326d03abaf8522cffc1e_cobalt-strike_cobaltstrike.exe C:\Windows\System\yKLqqyi.exe
PID 1988 wrote to memory of 1680 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_c89d384a864c326d03abaf8522cffc1e_cobalt-strike_cobaltstrike.exe C:\Windows\System\yKLqqyi.exe
PID 1988 wrote to memory of 1608 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_c89d384a864c326d03abaf8522cffc1e_cobalt-strike_cobaltstrike.exe C:\Windows\System\CJCBcAp.exe
PID 1988 wrote to memory of 1608 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_c89d384a864c326d03abaf8522cffc1e_cobalt-strike_cobaltstrike.exe C:\Windows\System\CJCBcAp.exe
PID 1988 wrote to memory of 1608 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_c89d384a864c326d03abaf8522cffc1e_cobalt-strike_cobaltstrike.exe C:\Windows\System\CJCBcAp.exe
PID 1988 wrote to memory of 340 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_c89d384a864c326d03abaf8522cffc1e_cobalt-strike_cobaltstrike.exe C:\Windows\System\EjoeAdT.exe
PID 1988 wrote to memory of 340 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_c89d384a864c326d03abaf8522cffc1e_cobalt-strike_cobaltstrike.exe C:\Windows\System\EjoeAdT.exe
PID 1988 wrote to memory of 340 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_c89d384a864c326d03abaf8522cffc1e_cobalt-strike_cobaltstrike.exe C:\Windows\System\EjoeAdT.exe
PID 1988 wrote to memory of 1936 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_c89d384a864c326d03abaf8522cffc1e_cobalt-strike_cobaltstrike.exe C:\Windows\System\zFJgoHg.exe
PID 1988 wrote to memory of 1936 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_c89d384a864c326d03abaf8522cffc1e_cobalt-strike_cobaltstrike.exe C:\Windows\System\zFJgoHg.exe
PID 1988 wrote to memory of 1936 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_c89d384a864c326d03abaf8522cffc1e_cobalt-strike_cobaltstrike.exe C:\Windows\System\zFJgoHg.exe
PID 1988 wrote to memory of 2380 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_c89d384a864c326d03abaf8522cffc1e_cobalt-strike_cobaltstrike.exe C:\Windows\System\veLpnQo.exe
PID 1988 wrote to memory of 2380 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_c89d384a864c326d03abaf8522cffc1e_cobalt-strike_cobaltstrike.exe C:\Windows\System\veLpnQo.exe
PID 1988 wrote to memory of 2380 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_c89d384a864c326d03abaf8522cffc1e_cobalt-strike_cobaltstrike.exe C:\Windows\System\veLpnQo.exe
PID 1988 wrote to memory of 2464 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_c89d384a864c326d03abaf8522cffc1e_cobalt-strike_cobaltstrike.exe C:\Windows\System\wBzrRdn.exe
PID 1988 wrote to memory of 2464 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_c89d384a864c326d03abaf8522cffc1e_cobalt-strike_cobaltstrike.exe C:\Windows\System\wBzrRdn.exe
PID 1988 wrote to memory of 2464 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_c89d384a864c326d03abaf8522cffc1e_cobalt-strike_cobaltstrike.exe C:\Windows\System\wBzrRdn.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-01_c89d384a864c326d03abaf8522cffc1e_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-01_c89d384a864c326d03abaf8522cffc1e_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\PWvmdKu.exe

C:\Windows\System\PWvmdKu.exe

C:\Windows\System\uMwycWF.exe

C:\Windows\System\uMwycWF.exe

C:\Windows\System\LqFrWgZ.exe

C:\Windows\System\LqFrWgZ.exe

C:\Windows\System\GfKgsxI.exe

C:\Windows\System\GfKgsxI.exe

C:\Windows\System\XBaSDBg.exe

C:\Windows\System\XBaSDBg.exe

C:\Windows\System\IPWyFhm.exe

C:\Windows\System\IPWyFhm.exe

C:\Windows\System\HuTtPKK.exe

C:\Windows\System\HuTtPKK.exe

C:\Windows\System\BmdlfTv.exe

C:\Windows\System\BmdlfTv.exe

C:\Windows\System\TCmrVkO.exe

C:\Windows\System\TCmrVkO.exe

C:\Windows\System\kQDiuIG.exe

C:\Windows\System\kQDiuIG.exe

C:\Windows\System\YHCLfDf.exe

C:\Windows\System\YHCLfDf.exe

C:\Windows\System\RLfMqpX.exe

C:\Windows\System\RLfMqpX.exe

C:\Windows\System\DMekFef.exe

C:\Windows\System\DMekFef.exe

C:\Windows\System\ezlveql.exe

C:\Windows\System\ezlveql.exe

C:\Windows\System\wAfsCqf.exe

C:\Windows\System\wAfsCqf.exe

C:\Windows\System\yKLqqyi.exe

C:\Windows\System\yKLqqyi.exe

C:\Windows\System\CJCBcAp.exe

C:\Windows\System\CJCBcAp.exe

C:\Windows\System\EjoeAdT.exe

C:\Windows\System\EjoeAdT.exe

C:\Windows\System\zFJgoHg.exe

C:\Windows\System\zFJgoHg.exe

C:\Windows\System\veLpnQo.exe

C:\Windows\System\veLpnQo.exe

C:\Windows\System\wBzrRdn.exe

C:\Windows\System\wBzrRdn.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 tcp

Files


memory/1988-135-0x000000013F740000-0x000000013FA94000-memory.dmp

memory/2524-136-0x000000013F0E0000-0x000000013F434000-memory.dmp

memory/2492-137-0x000000013F7B0000-0x000000013FB04000-memory.dmp

memory/2632-139-0x000000013FA20000-0x000000013FD74000-memory.dmp

memory/2148-138-0x000000013FCA0000-0x000000013FFF4000-memory.dmp

memory/2708-140-0x000000013F740000-0x000000013FA94000-memory.dmp

memory/2120-141-0x000000013F730000-0x000000013FA84000-memory.dmp

memory/2516-142-0x000000013FFA0000-0x00000001402F4000-memory.dmp

memory/2524-144-0x000000013F0E0000-0x000000013F434000-memory.dmp

memory/2564-143-0x000000013F670000-0x000000013F9C4000-memory.dmp

memory/2996-145-0x000000013FEB0000-0x0000000140204000-memory.dmp

memory/2504-146-0x000000013FFC0000-0x0000000140314000-memory.dmp

memory/1560-147-0x000000013F310000-0x000000013F664000-memory.dmp

memory/2800-148-0x000000013F600000-0x000000013F954000-memory.dmp

memory/2816-149-0x000000013F5F0000-0x000000013F944000-memory.dmp

memory/2836-150-0x000000013FFF0000-0x0000000140344000-memory.dmp

memory/2492-151-0x000000013F7B0000-0x000000013FB04000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-01 06:12

Reported

2024-06-01 06:15

Platform

win10v2004-20240508-en

Max time kernel

144s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-01_c89d384a864c326d03abaf8522cffc1e_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\PvqGexu.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_c89d384a864c326d03abaf8522cffc1e_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\uTijSya.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_c89d384a864c326d03abaf8522cffc1e_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\RlaCWPG.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_c89d384a864c326d03abaf8522cffc1e_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\CfTeIuZ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_c89d384a864c326d03abaf8522cffc1e_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\IDHOYoD.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_c89d384a864c326d03abaf8522cffc1e_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\KgtmTOy.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_c89d384a864c326d03abaf8522cffc1e_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\VneGBKH.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_c89d384a864c326d03abaf8522cffc1e_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\GFqZsNH.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_c89d384a864c326d03abaf8522cffc1e_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\HpAuxak.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_c89d384a864c326d03abaf8522cffc1e_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\TKIsydU.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_c89d384a864c326d03abaf8522cffc1e_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\KOtTbNl.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_c89d384a864c326d03abaf8522cffc1e_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\SyXRvkm.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_c89d384a864c326d03abaf8522cffc1e_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\mipWnyk.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_c89d384a864c326d03abaf8522cffc1e_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\gfoqNZB.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_c89d384a864c326d03abaf8522cffc1e_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\RXQdHzT.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_c89d384a864c326d03abaf8522cffc1e_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\UtWhkVR.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_c89d384a864c326d03abaf8522cffc1e_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\wzUrEMj.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_c89d384a864c326d03abaf8522cffc1e_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\vkXNYaj.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_c89d384a864c326d03abaf8522cffc1e_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\JUuwZjR.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_c89d384a864c326d03abaf8522cffc1e_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\nZIpyEO.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_c89d384a864c326d03abaf8522cffc1e_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\snJtmix.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_c89d384a864c326d03abaf8522cffc1e_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_c89d384a864c326d03abaf8522cffc1e_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4228 wrote to memory of 1484 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_c89d384a864c326d03abaf8522cffc1e_cobalt-strike_cobaltstrike.exe C:\Windows\System\SyXRvkm.exe
PID 4228 wrote to memory of 2800 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_c89d384a864c326d03abaf8522cffc1e_cobalt-strike_cobaltstrike.exe C:\Windows\System\PvqGexu.exe
PID 4228 wrote to memory of 4476 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_c89d384a864c326d03abaf8522cffc1e_cobalt-strike_cobaltstrike.exe C:\Windows\System\mipWnyk.exe
PID 4228 wrote to memory of 1004 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_c89d384a864c326d03abaf8522cffc1e_cobalt-strike_cobaltstrike.exe C:\Windows\System\gfoqNZB.exe
PID 4228 wrote to memory of 2736 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_c89d384a864c326d03abaf8522cffc1e_cobalt-strike_cobaltstrike.exe C:\Windows\System\vkXNYaj.exe
PID 4228 wrote to memory of 1212 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_c89d384a864c326d03abaf8522cffc1e_cobalt-strike_cobaltstrike.exe C:\Windows\System\KgtmTOy.exe
PID 4228 wrote to memory of 2284 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_c89d384a864c326d03abaf8522cffc1e_cobalt-strike_cobaltstrike.exe C:\Windows\System\RXQdHzT.exe
PID 4228 wrote to memory of 3268 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_c89d384a864c326d03abaf8522cffc1e_cobalt-strike_cobaltstrike.exe C:\Windows\System\UtWhkVR.exe
PID 4228 wrote to memory of 324 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_c89d384a864c326d03abaf8522cffc1e_cobalt-strike_cobaltstrike.exe C:\Windows\System\VneGBKH.exe
PID 4228 wrote to memory of 428 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_c89d384a864c326d03abaf8522cffc1e_cobalt-strike_cobaltstrike.exe C:\Windows\System\wzUrEMj.exe
PID 4228 wrote to memory of 4036 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_c89d384a864c326d03abaf8522cffc1e_cobalt-strike_cobaltstrike.exe C:\Windows\System\uTijSya.exe
PID 4228 wrote to memory of 2280 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_c89d384a864c326d03abaf8522cffc1e_cobalt-strike_cobaltstrike.exe C:\Windows\System\RlaCWPG.exe
PID 4228 wrote to memory of 5100 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_c89d384a864c326d03abaf8522cffc1e_cobalt-strike_cobaltstrike.exe C:\Windows\System\JUuwZjR.exe
PID 4228 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_c89d384a864c326d03abaf8522cffc1e_cobalt-strike_cobaltstrike.exe C:\Windows\System\GFqZsNH.exe
PID 4228 wrote to memory of 1252 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_c89d384a864c326d03abaf8522cffc1e_cobalt-strike_cobaltstrike.exe C:\Windows\System\nZIpyEO.exe
PID 4228 wrote to memory of 1136 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_c89d384a864c326d03abaf8522cffc1e_cobalt-strike_cobaltstrike.exe C:\Windows\System\HpAuxak.exe
PID 4228 wrote to memory of 3764 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_c89d384a864c326d03abaf8522cffc1e_cobalt-strike_cobaltstrike.exe C:\Windows\System\TKIsydU.exe
PID 4228 wrote to memory of 2332 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_c89d384a864c326d03abaf8522cffc1e_cobalt-strike_cobaltstrike.exe C:\Windows\System\CfTeIuZ.exe
PID 4228 wrote to memory of 1440 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_c89d384a864c326d03abaf8522cffc1e_cobalt-strike_cobaltstrike.exe C:\Windows\System\snJtmix.exe
PID 4228 wrote to memory of 320 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_c89d384a864c326d03abaf8522cffc1e_cobalt-strike_cobaltstrike.exe C:\Windows\System\KOtTbNl.exe
PID 4228 wrote to memory of 4980 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_c89d384a864c326d03abaf8522cffc1e_cobalt-strike_cobaltstrike.exe C:\Windows\System\IDHOYoD.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-01_c89d384a864c326d03abaf8522cffc1e_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-01_c89d384a864c326d03abaf8522cffc1e_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\SyXRvkm.exe

C:\Windows\System\SyXRvkm.exe

C:\Windows\System\PvqGexu.exe

C:\Windows\System\PvqGexu.exe

C:\Windows\System\mipWnyk.exe

C:\Windows\System\mipWnyk.exe

C:\Windows\System\gfoqNZB.exe

C:\Windows\System\gfoqNZB.exe

C:\Windows\System\vkXNYaj.exe

C:\Windows\System\vkXNYaj.exe

C:\Windows\System\KgtmTOy.exe

C:\Windows\System\KgtmTOy.exe

C:\Windows\System\RXQdHzT.exe

C:\Windows\System\RXQdHzT.exe

C:\Windows\System\UtWhkVR.exe

C:\Windows\System\UtWhkVR.exe

C:\Windows\System\VneGBKH.exe

C:\Windows\System\VneGBKH.exe

C:\Windows\System\wzUrEMj.exe

C:\Windows\System\wzUrEMj.exe

C:\Windows\System\uTijSya.exe

C:\Windows\System\uTijSya.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3804,i,1999448010053300448,1112699187621658374,262144 --variations-seed-version --mojo-platform-channel-handle=4624 /prefetch:8

C:\Windows\System\RlaCWPG.exe

C:\Windows\System\RlaCWPG.exe

C:\Windows\System\JUuwZjR.exe

C:\Windows\System\JUuwZjR.exe

C:\Windows\System\GFqZsNH.exe

C:\Windows\System\GFqZsNH.exe

C:\Windows\System\nZIpyEO.exe

C:\Windows\System\nZIpyEO.exe

C:\Windows\System\HpAuxak.exe

C:\Windows\System\HpAuxak.exe

C:\Windows\System\TKIsydU.exe

C:\Windows\System\TKIsydU.exe

C:\Windows\System\CfTeIuZ.exe

C:\Windows\System\CfTeIuZ.exe

C:\Windows\System\snJtmix.exe

C:\Windows\System\snJtmix.exe

C:\Windows\System\KOtTbNl.exe

C:\Windows\System\KOtTbNl.exe

C:\Windows\System\IDHOYoD.exe

C:\Windows\System\IDHOYoD.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 16.24.18.2.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 90.16.208.104.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 8.8.8.8:53 138.201.86.20.in-addr.arpa udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp

Files
