Malware Analysis Report

2025-01-22 19:41

Sample ID 240601-h7528adg7z
Target 2024-06-01_3c768fcc801df77140a0da71a5887262_cobalt-strike_cobaltstrike
SHA256 ec1d1ce88ab03dd9cc86add87383fa41f82ca65f66d6aff4c8e91e75e1457ae1
Tags miner upx 0 xmrig cobaltstrike backdoor trojan
Score 10/10


Analysis Overview

Threat Level: Known bad

The file 2024-06-01_3c768fcc801df77140a0da71a5887262_cobalt-strike_cobaltstrike was found to be: Known bad.

Malicious Activity Summary

xmrig

Detects Reflective DLL injection artifacts

XMRig Miner payload

Xmrig family

Cobaltstrike

Cobaltstrike family

Cobalt Strike reflective loader

UPX dump on OEP (original entry point)

Executes dropped EXE

UPX packed file

Loads dropped DLL

Drops file in Windows directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported 2024-06-01 07:23

Signatures

Cobalt Strike reflective loader

Cobaltstrike family

cobaltstrike

Detects Reflective DLL injection artifacts

UPX dump on OEP (original entry point)

XMRig Miner payload

miner

Xmrig family

xmrig

UPX packed file

upx

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted 2024-06-01 07:23
Reported 2024-06-01 07:26
Platform win7-20240220-en
Max time kernel 134s
Max time network 144s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-01_3c768fcc801df77140a0da71a5887262_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

UPX dump on OEP (original entry point)

XMRig Miner payload

miner

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_3c768fcc801df77140a0da71a5887262_cobalt-strike_cobaltstrike.exe N/A

UPX packed file

upx

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\yrzbtNS.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_3c768fcc801df77140a0da71a5887262_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\fVSPQwc.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_3c768fcc801df77140a0da71a5887262_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\UIEmbSq.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_3c768fcc801df77140a0da71a5887262_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\AvXVapN.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_3c768fcc801df77140a0da71a5887262_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\VpdLTGA.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_3c768fcc801df77140a0da71a5887262_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\KpceKKC.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_3c768fcc801df77140a0da71a5887262_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\GSwbHfF.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_3c768fcc801df77140a0da71a5887262_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\qeOxzXo.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_3c768fcc801df77140a0da71a5887262_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\IEQZxGh.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_3c768fcc801df77140a0da71a5887262_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\IKzuxxs.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_3c768fcc801df77140a0da71a5887262_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ELHQrss.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_3c768fcc801df77140a0da71a5887262_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\IWyeWTz.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_3c768fcc801df77140a0da71a5887262_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\nRBnuCT.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_3c768fcc801df77140a0da71a5887262_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\uNLbGBJ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_3c768fcc801df77140a0da71a5887262_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\aJCvoyQ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_3c768fcc801df77140a0da71a5887262_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\mGoYKzR.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_3c768fcc801df77140a0da71a5887262_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\NnHxMMo.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_3c768fcc801df77140a0da71a5887262_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\dEbdXGz.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_3c768fcc801df77140a0da71a5887262_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\OnWzDiS.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_3c768fcc801df77140a0da71a5887262_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\uoLcJiF.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_3c768fcc801df77140a0da71a5887262_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\tGmSUYt.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_3c768fcc801df77140a0da71a5887262_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_3c768fcc801df77140a0da71a5887262_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2968 wrote to memory of 2964 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_3c768fcc801df77140a0da71a5887262_cobalt-strike_cobaltstrike.exe C:\Windows\System\qeOxzXo.exe
PID 2968 wrote to memory of 2112 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_3c768fcc801df77140a0da71a5887262_cobalt-strike_cobaltstrike.exe C:\Windows\System\IEQZxGh.exe
PID 2968 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_3c768fcc801df77140a0da71a5887262_cobalt-strike_cobaltstrike.exe C:\Windows\System\IKzuxxs.exe
PID 2968 wrote to memory of 2560 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_3c768fcc801df77140a0da71a5887262_cobalt-strike_cobaltstrike.exe C:\Windows\System\aJCvoyQ.exe
PID 2968 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_3c768fcc801df77140a0da71a5887262_cobalt-strike_cobaltstrike.exe C:\Windows\System\fVSPQwc.exe
PID 2968 wrote to memory of 2464 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_3c768fcc801df77140a0da71a5887262_cobalt-strike_cobaltstrike.exe C:\Windows\System\ELHQrss.exe
PID 2968 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_3c768fcc801df77140a0da71a5887262_cobalt-strike_cobaltstrike.exe C:\Windows\System\UIEmbSq.exe
PID 2968 wrote to memory of 2372 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_3c768fcc801df77140a0da71a5887262_cobalt-strike_cobaltstrike.exe C:\Windows\System\mGoYKzR.exe
PID 2968 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_3c768fcc801df77140a0da71a5887262_cobalt-strike_cobaltstrike.exe C:\Windows\System\GSwbHfF.exe
PID 2968 wrote to memory of 2136 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_3c768fcc801df77140a0da71a5887262_cobalt-strike_cobaltstrike.exe C:\Windows\System\NnHxMMo.exe
PID 2968 wrote to memory of 1960 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_3c768fcc801df77140a0da71a5887262_cobalt-strike_cobaltstrike.exe C:\Windows\System\dEbdXGz.exe
PID 2968 wrote to memory of 2784 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_3c768fcc801df77140a0da71a5887262_cobalt-strike_cobaltstrike.exe C:\Windows\System\OnWzDiS.exe
PID 2968 wrote to memory of 2780 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_3c768fcc801df77140a0da71a5887262_cobalt-strike_cobaltstrike.exe C:\Windows\System\AvXVapN.exe
PID 2968 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_3c768fcc801df77140a0da71a5887262_cobalt-strike_cobaltstrike.exe C:\Windows\System\VpdLTGA.exe
PID 2968 wrote to memory of 2828 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_3c768fcc801df77140a0da71a5887262_cobalt-strike_cobaltstrike.exe C:\Windows\System\IWyeWTz.exe
PID 2968 wrote to memory of 1676 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_3c768fcc801df77140a0da71a5887262_cobalt-strike_cobaltstrike.exe C:\Windows\System\nRBnuCT.exe
PID 2968 wrote to memory of 2024 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_3c768fcc801df77140a0da71a5887262_cobalt-strike_cobaltstrike.exe C:\Windows\System\KpceKKC.exe
PID 2968 wrote to memory of 2332 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_3c768fcc801df77140a0da71a5887262_cobalt-strike_cobaltstrike.exe C:\Windows\System\yrzbtNS.exe
PID 2968 wrote to memory of 1900 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_3c768fcc801df77140a0da71a5887262_cobalt-strike_cobaltstrike.exe C:\Windows\System\uNLbGBJ.exe
PID 2968 wrote to memory of 2368 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_3c768fcc801df77140a0da71a5887262_cobalt-strike_cobaltstrike.exe C:\Windows\System\uoLcJiF.exe
PID 2968 wrote to memory of 1532 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_3c768fcc801df77140a0da71a5887262_cobalt-strike_cobaltstrike.exe C:\Windows\System\tGmSUYt.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-01_3c768fcc801df77140a0da71a5887262_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-01_3c768fcc801df77140a0da71a5887262_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\qeOxzXo.exe
C:\Windows\System\IEQZxGh.exe
C:\Windows\System\IKzuxxs.exe
C:\Windows\System\aJCvoyQ.exe
C:\Windows\System\fVSPQwc.exe
C:\Windows\System\ELHQrss.exe
C:\Windows\System\UIEmbSq.exe
C:\Windows\System\mGoYKzR.exe
C:\Windows\System\GSwbHfF.exe
C:\Windows\System\NnHxMMo.exe
C:\Windows\System\dEbdXGz.exe
C:\Windows\System\OnWzDiS.exe
C:\Windows\System\AvXVapN.exe
C:\Windows\System\VpdLTGA.exe
C:\Windows\System\IWyeWTz.exe
C:\Windows\System\nRBnuCT.exe
C:\Windows\System\KpceKKC.exe
C:\Windows\System\yrzbtNS.exe
C:\Windows\System\uNLbGBJ.exe
C:\Windows\System\uoLcJiF.exe
C:\Windows\System\tGmSUYt.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 tcp

Files

memory/2968-0-0x0000000000080000-0x0000000000090000-memory.dmp

memory/2968-1-0x000000013FC80000-0x000000013FFD4000-memory.dmp

\Windows\system\qeOxzXo.exe

MD5 1bb2dfaafcb53f6370d352040108cb97
SHA1 e96c9b9330a777562249bd1f19ec5c973e669cdc
SHA256 c187990e77f0c05a20accbcc992e1b177909b2c2fc933cd4aae1d09a3fe5b723
SHA512 9ecd2db47a1ea8eafadf52020c999dc75d13d5d747952de42ada5ccee9869f33477a271bd3fce4efc8b0f111c84761664ca038359622cbe3ce724dea2b09a905

memory/2964-9-0x000000013F450000-0x000000013F7A4000-memory.dmp

memory/2968-8-0x000000013F450000-0x000000013F7A4000-memory.dmp

C:\Windows\system\IKzuxxs.exe

MD5 791c7ef214f4650627e6028f868d24df
SHA1 3c3779c8e6c803d5a28c81aaf3e7d8c0ec0cd0ff
SHA256 455c447ae7446763563b9c35884485451a1537b6dd3ea3ea098836cc6847347c
SHA512 15ea958bdaddd848aed4131f731d0a2c39b936e6974558945c2a6fc6f7fe13f875dde90a2891b8470e14054784a564f58454c32ec81fa8ecd5bba9c36d6111e1

\Windows\system\aJCvoyQ.exe

MD5 cf3722c2cf87b9b6dbf4211056df3212
SHA1 80c48d8e4c2e8d8b70d233ab7721f4667ddb4fbc
SHA256 73e6eea458de3d4c6b8e38182e08cb5bdd2e74bb6f1462552bb1ed1bd751bdc2
SHA512 fbe0ee0697660a655338792bafaa9406e51680f34660c990a95d83c8ccd3a13edf9aaca8900d4e6540dbdbafe6f08718e38a64be20108474f4d5f030cd5c4912

memory/2968-25-0x000000013F3B0000-0x000000013F704000-memory.dmp

memory/2560-34-0x000000013F3B0000-0x000000013F704000-memory.dmp

memory/2548-32-0x000000013F8F0000-0x000000013FC44000-memory.dmp

memory/2968-31-0x000000013F8F0000-0x000000013FC44000-memory.dmp

memory/2968-36-0x000000013F710000-0x000000013FA64000-memory.dmp

memory/2696-35-0x000000013F710000-0x000000013FA64000-memory.dmp

C:\Windows\system\fVSPQwc.exe

MD5 ba7162288f1fc22675a55ca27fde9827
SHA1 eb0aa01f405d92695403b188e202508dda6d17ef
SHA256 bf56f9055080c5fbe7aba6753a136c6ecd10d57a392fb4e7881f474739130f18
SHA512 d562c98384730aa574b9be1ed8d354a24035e885e46673ae8cb68d9d9117db566d0c62c28903bbf7f2af39eca2590b2fe6e7c992220bc0ccca962277051b7148

memory/2112-23-0x000000013F8B0000-0x000000013FC04000-memory.dmp

C:\Windows\system\IEQZxGh.exe

MD5 2e0fd17186d0f95146ce865685b66a53
SHA1 68d9f6b7471dd85bdab554aca7b288c2105b6290
SHA256 fdb52666b543731a6fc39bdc04dec4af206ac39c6d2bcafb1a0ddd8ab60ec608
SHA512 a9be8a88d3f6091c4b647bc3bdfb7e083df6e0e67deaa866697b0a65045a287a0f6dee264cba7ae7ded90db4b6c74bb5ba76c78700679df4a2849c5a52ce655c

C:\Windows\system\ELHQrss.exe

MD5 f7196241cca181b8e44de721c1a75f2f
SHA1 c252e504492cd9087895d5fa65d785d17cb6f221
SHA256 1906c3e746da4870ab53871bdf1ee7272ac166a823aa9a096c135492a3e02497
SHA512 ac96939f69abdcf5238756ec8a30ea195822ec59e99b4d07806be2934420bed3a0c66172275b06e110837a22533c3e11094bce09f4d2c84b088aead5fae4d750

memory/2464-43-0x000000013FD70000-0x00000001400C4000-memory.dmp

memory/2968-42-0x0000000002410000-0x0000000002764000-memory.dmp

C:\Windows\system\UIEmbSq.exe

MD5 c83fa854faf6592fc9faaa12da308508
SHA1 9e4e37161cfec7b5ccec7373afb18ff899c952f1
SHA256 6a16770a99734b96c0438683edada0ce5e880f7efd7e5ee2331e07788db9197b
SHA512 dc34894a2b2b05a643bcb31ff9b51fe0ca80f95db1978b06265bc12ffa1f23cdde3e7c5016a16a846e7f4b93a7471bd792499612d0647b1293e1a8485355433b

memory/2968-49-0x000000013F750000-0x000000013FAA4000-memory.dmp

memory/2752-50-0x000000013F750000-0x000000013FAA4000-memory.dmp

C:\Windows\system\mGoYKzR.exe

MD5 b02cf6d808bbfe7aaff0c3a7e1a3b66f
SHA1 9cd06b0982d6c6e4e4addba1f61f90710fd20461
SHA256 9c001988ec581ee1719f343d29dc9f56f58ede714a639b9b04b8d0c278fea142
SHA512 9bb8c4c19ec87a9960c8d0a7f1cf2cd90b852055faf29cb3ea87b8fe2d14c51c06cb09047c6239d78ac31d5b10912a170a3cea680fb19ccd0947e42506739c6e

memory/2372-56-0x000000013FC60000-0x000000013FFB4000-memory.dmp

C:\Windows\system\GSwbHfF.exe

MD5 d535d7c692333593022bd06667a4d011
SHA1 59bcfcf1685217af1012e5504545f7ef9ee92aa4
SHA256 29d4c02aa15bc5d117d0207b8efe01e3ca4f83ef58141107462bce739a34310d
SHA512 edcb165ed87c3c0e21bc8135fea95d775bb098aa1937954f3cd1cb8e1edfee3b14329565fdd3d0a3120666fb39cd66d910bf91840eeb7ae6da0ae87f528592e9

memory/2968-62-0x0000000002410000-0x0000000002764000-memory.dmp

memory/2520-63-0x000000013FDE0000-0x0000000140134000-memory.dmp

C:\Windows\system\NnHxMMo.exe

MD5 3d06ea9b3393cca3e134bd012bdea8be
SHA1 a41817cfb461e2651b1152e6e89fca376b262842
SHA256 54c00ebfbc6c98b0613104267743b91c96dfd81e8e27210e360996593a68c8e7
SHA512 caa906f27ebd5b306c91ce9bc704c25fac831c85e505d619bcc7b39f9c279f3de4217b076a29a28bfb5de5732266c032da7840f9f944a5c5c0ace2b05a1986db

memory/2968-69-0x000000013FC80000-0x000000013FFD4000-memory.dmp

memory/2136-70-0x000000013F4C0000-0x000000013F814000-memory.dmp

C:\Windows\system\dEbdXGz.exe

MD5 c759f437950e354ee9e6be73362bc534
SHA1 612a0aac25de011dde34756856c7eaa41415a61b
SHA256 c3f525330e90a0147bc8e9b973911d14940ef91624c40cdef9741b141d4ed8e6
SHA512 7522aa9f1a7a5da8d339345dc5a9e482629ca23b3e2c8b17185f6e6e0657e3d98a0efd99579701109741c2d936bf93961adc91d362e2ad70590a41e1e0fdbed8

\Windows\system\OnWzDiS.exe

MD5 0c8b8f0a22094e8a2e2d9bf5dfee6968
SHA1 596bcd9a5a0c015f053af7e6665638c31ac7ca4f
SHA256 f6cda5325c5c4373a5517d8c082d36b25328e33bbaf47b68327029e7dfa8ed91
SHA512 cb33686573df0dd6b9ddf1d2fec9150fe259b25cc0961931b8f0ef23a2c46d8d5f56537db564cb5a4d25baa9a8ea116ca1d03954a644cb9a8f3212ecbc84bd10

\Windows\system\KpceKKC.exe

MD5 9fdde5067f13dd8bb7fdded00668384c
SHA1 36188759d73915ff1a3eae8cc3b35ea85d647045
SHA256 b822eb68995f301205e3cea10944f39d2d080ddd038dd64f5518cc9547db0d6d
SHA512 2e0bbb8fb74293b4a10af25b0e6223b19da660abf4f373777088b94fd783bd736d11643dc33fffdaf1e4cfea1a240123ad6f228f92947491f6a5035fca3af7ca

memory/2968-125-0x000000013F8E0000-0x000000013FC34000-memory.dmp

C:\Windows\system\uNLbGBJ.exe

MD5 c49e5b4e0a0eb63f8a4e2c80598bb837
SHA1 94776bb6ba62cf5972d328b28623168d56d57a8e
SHA256 877afef1395ec3a477aaf306a9327fbd9d52390ebb5b6731cbb3457d025c8aa0
SHA512 21b1386ad78630fbdbb9aac3f228a226da341f77db8748ba7c81eafb642339191e0180574a57501beb837c87f7ca1a1ce70e20d1ad1acacc4bed6214712102a0

\Windows\system\tGmSUYt.exe

MD5 5a69f5dbf16bcb32a957c1ffd23644d3
SHA1 f7b0f5a8beb5e5e9a43418fc6b897a44719b5aba
SHA256 d4a43012783b4e3cd5e34ff98c813514642e7862c1b66eeb81e5fa0f517ccbc6
SHA512 ee87a3ac0688dd054ee1716ef9057bbbc2735cb7a77aa3d9c92b28c05983f274d9e56ae0081cea8b285fc7e1c105179dd11c6a09e985d1af3d8221fd8538d799

memory/2968-100-0x000000013F1C0000-0x000000013F514000-memory.dmp

C:\Windows\system\nRBnuCT.exe

MD5 3497fa2cf67576bf1d81ebf9c5d83327
SHA1 31f7567504bbda55ab95584ac4e0569b7cf87608
SHA256 377d134565cb373fa6747e71d3d6b762b0efa0d295fb86e7dbdc039aa5f20d7e
SHA512 0828b27adbd1e40125aa0efb8ca16427a0403941237173c4edfdf84e8ca988199c1562c4e46c0564c83a4812e9a5538c3e767239b2f228a932be4137f97dece3

C:\Windows\system\VpdLTGA.exe

MD5 552d3b414a03ae066b4b36d10f72468b
SHA1 74287a0953ae646774eeebc565970b0392ec558e
SHA256 7ff9614c92900d50045b38f8f796560c20ce49867def1a00d7993e765a0a0edc
SHA512 39d37e8904ca31403897990797ce422ad2c428feacd50202f45ee588ba50059c2f4eb8880631ce20b179cd403a31e957631bfc1e9838dc6171c980a453b630cd

memory/2780-123-0x000000013F1C0000-0x000000013F514000-memory.dmp

C:\Windows\system\uoLcJiF.exe

MD5 fa338d7cd13c26f588222e4ce34fc46d
SHA1 bf6cb85d30cb64bf01bf336453b7f521ee4dfe53
SHA256 56f3c09a532895e2d4335cec3d4ceba0ff87cc2528a8fb3d949d065fab3ff188
SHA512 ebeaa505ad3d33741290c31125765840d713e1b506fe1be522e1bd3838704b474e464b4ef25cd63fda18b243142680a4b40abe138b26f99d153b70a18e78ab6d

C:\Windows\system\yrzbtNS.exe

MD5 7ae813ed58146cc05df068f3c3b70f8d
SHA1 bc834f1861d6b26fe59d65f05ed309f749e60ea5
SHA256 c1379cd5c4803d02b1f499a4710549739c18f84b7080605aaa4c4832c6d012b7
SHA512 c3c8b579a869aa78ebf98e50623fc5764b7654dac3a7e5417fa3cd9656227d36c06de6c19e8b9964cc107a270d4d9e991c60641e2bc906b04f63d63f23418ae2

C:\Windows\system\IWyeWTz.exe

MD5 4a72fa5b8a0b7740edb5a63221243112
SHA1 8022148a0a3c006656d198312cc87b5e376d1fa7
SHA256 467ee9cbd8a4cde5a68d31988cfdb05c79ce77295639987915c2115cba2538a6
SHA512 202706f1c4a1608ed8e888fb87b566196a2e2ed9f902b0233544a92a44967231e7412038dbedd5f251f322ba0f59312a8f22d8979894ff71f3079624c4227eb2

memory/2968-108-0x0000000002410000-0x0000000002764000-memory.dmp

memory/2968-90-0x000000013F8B0000-0x000000013FC04000-memory.dmp

memory/2968-88-0x000000013F880000-0x000000013FBD4000-memory.dmp

C:\Windows\system\AvXVapN.exe

MD5 90ea43c71382dad6eb1350b9a883d1ac
SHA1 58aaba066e573d724fb11e4ce151c127d881f071
SHA256 5b3b55e0d1e69c35e32a2036dfe6d228dc78d92512e12eb631180e78b2cc750b
SHA512 bf6eb637e73c7e4a7193c54d6222ba7d077424b5fa8f6ffafef40c6c17d42a306916a07210ad194a91078e20fb9ffa442896a2cf12bcc0143909d5784fc92790

memory/1960-82-0x000000013FC60000-0x000000013FFB4000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-01 07:23

Reported

2024-06-01 07:26

Platform

win10v2004-20240508-en

Max time kernel

145s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-01_3c768fcc801df77140a0da71a5887262_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\GSwbHfF.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_3c768fcc801df77140a0da71a5887262_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\dEbdXGz.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_3c768fcc801df77140a0da71a5887262_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\AvXVapN.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_3c768fcc801df77140a0da71a5887262_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\VpdLTGA.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_3c768fcc801df77140a0da71a5887262_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\uNLbGBJ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_3c768fcc801df77140a0da71a5887262_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\fVSPQwc.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_3c768fcc801df77140a0da71a5887262_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\NnHxMMo.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_3c768fcc801df77140a0da71a5887262_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\OnWzDiS.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_3c768fcc801df77140a0da71a5887262_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\nRBnuCT.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_3c768fcc801df77140a0da71a5887262_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\KpceKKC.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_3c768fcc801df77140a0da71a5887262_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\yrzbtNS.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_3c768fcc801df77140a0da71a5887262_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\tGmSUYt.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_3c768fcc801df77140a0da71a5887262_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ELHQrss.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_3c768fcc801df77140a0da71a5887262_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\IEQZxGh.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_3c768fcc801df77140a0da71a5887262_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\aJCvoyQ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_3c768fcc801df77140a0da71a5887262_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\UIEmbSq.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_3c768fcc801df77140a0da71a5887262_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\mGoYKzR.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_3c768fcc801df77140a0da71a5887262_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\qeOxzXo.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_3c768fcc801df77140a0da71a5887262_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\IWyeWTz.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_3c768fcc801df77140a0da71a5887262_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\uoLcJiF.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_3c768fcc801df77140a0da71a5887262_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\IKzuxxs.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_3c768fcc801df77140a0da71a5887262_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_3c768fcc801df77140a0da71a5887262_cobalt-strike_cobaltstrike.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_3c768fcc801df77140a0da71a5887262_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2880 wrote to memory of 3160 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_3c768fcc801df77140a0da71a5887262_cobalt-strike_cobaltstrike.exe C:\Windows\System\qeOxzXo.exe
PID 2880 wrote to memory of 3160 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_3c768fcc801df77140a0da71a5887262_cobalt-strike_cobaltstrike.exe C:\Windows\System\qeOxzXo.exe
PID 2880 wrote to memory of 2324 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_3c768fcc801df77140a0da71a5887262_cobalt-strike_cobaltstrike.exe C:\Windows\System\IEQZxGh.exe
PID 2880 wrote to memory of 2324 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_3c768fcc801df77140a0da71a5887262_cobalt-strike_cobaltstrike.exe C:\Windows\System\IEQZxGh.exe
PID 2880 wrote to memory of 3672 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_3c768fcc801df77140a0da71a5887262_cobalt-strike_cobaltstrike.exe C:\Windows\System\IKzuxxs.exe
PID 2880 wrote to memory of 3672 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_3c768fcc801df77140a0da71a5887262_cobalt-strike_cobaltstrike.exe C:\Windows\System\IKzuxxs.exe
PID 2880 wrote to memory of 4872 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_3c768fcc801df77140a0da71a5887262_cobalt-strike_cobaltstrike.exe C:\Windows\System\aJCvoyQ.exe
PID 2880 wrote to memory of 4872 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_3c768fcc801df77140a0da71a5887262_cobalt-strike_cobaltstrike.exe C:\Windows\System\aJCvoyQ.exe
PID 2880 wrote to memory of 1516 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_3c768fcc801df77140a0da71a5887262_cobalt-strike_cobaltstrike.exe C:\Windows\System\fVSPQwc.exe
PID 2880 wrote to memory of 1516 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_3c768fcc801df77140a0da71a5887262_cobalt-strike_cobaltstrike.exe C:\Windows\System\fVSPQwc.exe
PID 2880 wrote to memory of 4092 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_3c768fcc801df77140a0da71a5887262_cobalt-strike_cobaltstrike.exe C:\Windows\System\ELHQrss.exe
PID 2880 wrote to memory of 4092 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_3c768fcc801df77140a0da71a5887262_cobalt-strike_cobaltstrike.exe C:\Windows\System\ELHQrss.exe
PID 2880 wrote to memory of 1968 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_3c768fcc801df77140a0da71a5887262_cobalt-strike_cobaltstrike.exe C:\Windows\System\UIEmbSq.exe
PID 2880 wrote to memory of 1968 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_3c768fcc801df77140a0da71a5887262_cobalt-strike_cobaltstrike.exe C:\Windows\System\UIEmbSq.exe
PID 2880 wrote to memory of 2068 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_3c768fcc801df77140a0da71a5887262_cobalt-strike_cobaltstrike.exe C:\Windows\System\mGoYKzR.exe
PID 2880 wrote to memory of 2068 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_3c768fcc801df77140a0da71a5887262_cobalt-strike_cobaltstrike.exe C:\Windows\System\mGoYKzR.exe
PID 2880 wrote to memory of 2864 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_3c768fcc801df77140a0da71a5887262_cobalt-strike_cobaltstrike.exe C:\Windows\System\GSwbHfF.exe
PID 2880 wrote to memory of 2864 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_3c768fcc801df77140a0da71a5887262_cobalt-strike_cobaltstrike.exe C:\Windows\System\GSwbHfF.exe
PID 2880 wrote to memory of 4348 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_3c768fcc801df77140a0da71a5887262_cobalt-strike_cobaltstrike.exe C:\Windows\System\NnHxMMo.exe
PID 2880 wrote to memory of 4348 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_3c768fcc801df77140a0da71a5887262_cobalt-strike_cobaltstrike.exe C:\Windows\System\NnHxMMo.exe
PID 2880 wrote to memory of 2900 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_3c768fcc801df77140a0da71a5887262_cobalt-strike_cobaltstrike.exe C:\Windows\System\dEbdXGz.exe
PID 2880 wrote to memory of 2900 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_3c768fcc801df77140a0da71a5887262_cobalt-strike_cobaltstrike.exe C:\Windows\System\dEbdXGz.exe
PID 2880 wrote to memory of 3872 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_3c768fcc801df77140a0da71a5887262_cobalt-strike_cobaltstrike.exe C:\Windows\System\OnWzDiS.exe
PID 2880 wrote to memory of 3872 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_3c768fcc801df77140a0da71a5887262_cobalt-strike_cobaltstrike.exe C:\Windows\System\OnWzDiS.exe
PID 2880 wrote to memory of 1552 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_3c768fcc801df77140a0da71a5887262_cobalt-strike_cobaltstrike.exe C:\Windows\System\AvXVapN.exe
PID 2880 wrote to memory of 1552 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_3c768fcc801df77140a0da71a5887262_cobalt-strike_cobaltstrike.exe C:\Windows\System\AvXVapN.exe
PID 2880 wrote to memory of 2936 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_3c768fcc801df77140a0da71a5887262_cobalt-strike_cobaltstrike.exe C:\Windows\System\VpdLTGA.exe
PID 2880 wrote to memory of 2936 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_3c768fcc801df77140a0da71a5887262_cobalt-strike_cobaltstrike.exe C:\Windows\System\VpdLTGA.exe
PID 2880 wrote to memory of 432 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_3c768fcc801df77140a0da71a5887262_cobalt-strike_cobaltstrike.exe C:\Windows\System\IWyeWTz.exe
PID 2880 wrote to memory of 432 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_3c768fcc801df77140a0da71a5887262_cobalt-strike_cobaltstrike.exe C:\Windows\System\IWyeWTz.exe
PID 2880 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_3c768fcc801df77140a0da71a5887262_cobalt-strike_cobaltstrike.exe C:\Windows\System\nRBnuCT.exe
PID 2880 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_3c768fcc801df77140a0da71a5887262_cobalt-strike_cobaltstrike.exe C:\Windows\System\nRBnuCT.exe
PID 2880 wrote to memory of 4936 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_3c768fcc801df77140a0da71a5887262_cobalt-strike_cobaltstrike.exe C:\Windows\System\KpceKKC.exe
PID 2880 wrote to memory of 4936 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_3c768fcc801df77140a0da71a5887262_cobalt-strike_cobaltstrike.exe C:\Windows\System\KpceKKC.exe
PID 2880 wrote to memory of 4684 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_3c768fcc801df77140a0da71a5887262_cobalt-strike_cobaltstrike.exe C:\Windows\System\yrzbtNS.exe
PID 2880 wrote to memory of 4684 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_3c768fcc801df77140a0da71a5887262_cobalt-strike_cobaltstrike.exe C:\Windows\System\yrzbtNS.exe
PID 2880 wrote to memory of 4852 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_3c768fcc801df77140a0da71a5887262_cobalt-strike_cobaltstrike.exe C:\Windows\System\uNLbGBJ.exe
PID 2880 wrote to memory of 4852 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_3c768fcc801df77140a0da71a5887262_cobalt-strike_cobaltstrike.exe C:\Windows\System\uNLbGBJ.exe
PID 2880 wrote to memory of 4840 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_3c768fcc801df77140a0da71a5887262_cobalt-strike_cobaltstrike.exe C:\Windows\System\uoLcJiF.exe
PID 2880 wrote to memory of 4840 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_3c768fcc801df77140a0da71a5887262_cobalt-strike_cobaltstrike.exe C:\Windows\System\uoLcJiF.exe
PID 2880 wrote to memory of 1940 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_3c768fcc801df77140a0da71a5887262_cobalt-strike_cobaltstrike.exe C:\Windows\System\tGmSUYt.exe
PID 2880 wrote to memory of 1940 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_3c768fcc801df77140a0da71a5887262_cobalt-strike_cobaltstrike.exe C:\Windows\System\tGmSUYt.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-01_3c768fcc801df77140a0da71a5887262_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-01_3c768fcc801df77140a0da71a5887262_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\qeOxzXo.exe

C:\Windows\System\qeOxzXo.exe

C:\Windows\System\IEQZxGh.exe

C:\Windows\System\IEQZxGh.exe

C:\Windows\System\IKzuxxs.exe

C:\Windows\System\IKzuxxs.exe

C:\Windows\System\aJCvoyQ.exe

C:\Windows\System\aJCvoyQ.exe

C:\Windows\System\fVSPQwc.exe

C:\Windows\System\fVSPQwc.exe

C:\Windows\System\ELHQrss.exe

C:\Windows\System\ELHQrss.exe

C:\Windows\System\UIEmbSq.exe

C:\Windows\System\UIEmbSq.exe

C:\Windows\System\mGoYKzR.exe

C:\Windows\System\mGoYKzR.exe

C:\Windows\System\GSwbHfF.exe

C:\Windows\System\GSwbHfF.exe

C:\Windows\System\NnHxMMo.exe

C:\Windows\System\NnHxMMo.exe

C:\Windows\System\dEbdXGz.exe

C:\Windows\System\dEbdXGz.exe

C:\Windows\System\OnWzDiS.exe

C:\Windows\System\OnWzDiS.exe

C:\Windows\System\AvXVapN.exe

C:\Windows\System\AvXVapN.exe

C:\Windows\System\VpdLTGA.exe

C:\Windows\System\VpdLTGA.exe

C:\Windows\System\IWyeWTz.exe

C:\Windows\System\IWyeWTz.exe

C:\Windows\System\nRBnuCT.exe

C:\Windows\System\nRBnuCT.exe

C:\Windows\System\KpceKKC.exe

C:\Windows\System\KpceKKC.exe

C:\Windows\System\yrzbtNS.exe

C:\Windows\System\yrzbtNS.exe

C:\Windows\System\uNLbGBJ.exe

C:\Windows\System\uNLbGBJ.exe

C:\Windows\System\uoLcJiF.exe

C:\Windows\System\uoLcJiF.exe

C:\Windows\System\tGmSUYt.exe

C:\Windows\System\tGmSUYt.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 16.24.18.2.in-addr.arpa udp
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp

Files

memory/2880-0-0x00007FF62C4F0000-0x00007FF62C844000-memory.dmp

memory/2880-1-0x0000028E0C8B0000-0x0000028E0C8C0000-memory.dmp

C:\Windows\System\qeOxzXo.exe

MD5 1bb2dfaafcb53f6370d352040108cb97
SHA1 e96c9b9330a777562249bd1f19ec5c973e669cdc
SHA256 c187990e77f0c05a20accbcc992e1b177909b2c2fc933cd4aae1d09a3fe5b723
SHA512 9ecd2db47a1ea8eafadf52020c999dc75d13d5d747952de42ada5ccee9869f33477a271bd3fce4efc8b0f111c84761664ca038359622cbe3ce724dea2b09a905

memory/3160-8-0x00007FF775240000-0x00007FF775594000-memory.dmp

C:\Windows\System\IEQZxGh.exe

MD5 2e0fd17186d0f95146ce865685b66a53
SHA1 68d9f6b7471dd85bdab554aca7b288c2105b6290
SHA256 fdb52666b543731a6fc39bdc04dec4af206ac39c6d2bcafb1a0ddd8ab60ec608
SHA512 a9be8a88d3f6091c4b647bc3bdfb7e083df6e0e67deaa866697b0a65045a287a0f6dee264cba7ae7ded90db4b6c74bb5ba76c78700679df4a2849c5a52ce655c

C:\Windows\System\IKzuxxs.exe

MD5 791c7ef214f4650627e6028f868d24df
SHA1 3c3779c8e6c803d5a28c81aaf3e7d8c0ec0cd0ff
SHA256 455c447ae7446763563b9c35884485451a1537b6dd3ea3ea098836cc6847347c
SHA512 15ea958bdaddd848aed4131f731d0a2c39b936e6974558945c2a6fc6f7fe13f875dde90a2891b8470e14054784a564f58454c32ec81fa8ecd5bba9c36d6111e1

memory/2324-14-0x00007FF703620000-0x00007FF703974000-memory.dmp

C:\Windows\System\aJCvoyQ.exe

MD5 cf3722c2cf87b9b6dbf4211056df3212
SHA1 80c48d8e4c2e8d8b70d233ab7721f4667ddb4fbc
SHA256 73e6eea458de3d4c6b8e38182e08cb5bdd2e74bb6f1462552bb1ed1bd751bdc2
SHA512 fbe0ee0697660a655338792bafaa9406e51680f34660c990a95d83c8ccd3a13edf9aaca8900d4e6540dbdbafe6f08718e38a64be20108474f4d5f030cd5c4912

C:\Windows\System\fVSPQwc.exe

MD5 ba7162288f1fc22675a55ca27fde9827
SHA1 eb0aa01f405d92695403b188e202508dda6d17ef
SHA256 bf56f9055080c5fbe7aba6753a136c6ecd10d57a392fb4e7881f474739130f18
SHA512 d562c98384730aa574b9be1ed8d354a24035e885e46673ae8cb68d9d9117db566d0c62c28903bbf7f2af39eca2590b2fe6e7c992220bc0ccca962277051b7148

C:\Windows\System\ELHQrss.exe

MD5 f7196241cca181b8e44de721c1a75f2f
SHA1 c252e504492cd9087895d5fa65d785d17cb6f221
SHA256 1906c3e746da4870ab53871bdf1ee7272ac166a823aa9a096c135492a3e02497
SHA512 ac96939f69abdcf5238756ec8a30ea195822ec59e99b4d07806be2934420bed3a0c66172275b06e110837a22533c3e11094bce09f4d2c84b088aead5fae4d750

memory/1516-35-0x00007FF62C720000-0x00007FF62CA74000-memory.dmp

C:\Windows\System\UIEmbSq.exe

MD5 c83fa854faf6592fc9faaa12da308508
SHA1 9e4e37161cfec7b5ccec7373afb18ff899c952f1
SHA256 6a16770a99734b96c0438683edada0ce5e880f7efd7e5ee2331e07788db9197b
SHA512 dc34894a2b2b05a643bcb31ff9b51fe0ca80f95db1978b06265bc12ffa1f23cdde3e7c5016a16a846e7f4b93a7471bd792499612d0647b1293e1a8485355433b

C:\Windows\System\mGoYKzR.exe

MD5 b02cf6d808bbfe7aaff0c3a7e1a3b66f
SHA1 9cd06b0982d6c6e4e4addba1f61f90710fd20461
SHA256 9c001988ec581ee1719f343d29dc9f56f58ede714a639b9b04b8d0c278fea142
SHA512 9bb8c4c19ec87a9960c8d0a7f1cf2cd90b852055faf29cb3ea87b8fe2d14c51c06cb09047c6239d78ac31d5b10912a170a3cea680fb19ccd0947e42506739c6e

C:\Windows\System\GSwbHfF.exe

MD5 d535d7c692333593022bd06667a4d011
SHA1 59bcfcf1685217af1012e5504545f7ef9ee92aa4
SHA256 29d4c02aa15bc5d117d0207b8efe01e3ca4f83ef58141107462bce739a34310d
SHA512 edcb165ed87c3c0e21bc8135fea95d775bb098aa1937954f3cd1cb8e1edfee3b14329565fdd3d0a3120666fb39cd66d910bf91840eeb7ae6da0ae87f528592e9

memory/2068-53-0x00007FF76F340000-0x00007FF76F694000-memory.dmp

memory/2864-54-0x00007FF7DE860000-0x00007FF7DEBB4000-memory.dmp

memory/1968-51-0x00007FF7BEE90000-0x00007FF7BF1E4000-memory.dmp

memory/4092-36-0x00007FF6606D0000-0x00007FF660A24000-memory.dmp

memory/4872-28-0x00007FF724DF0000-0x00007FF725144000-memory.dmp

memory/3672-21-0x00007FF73E6D0000-0x00007FF73EA24000-memory.dmp

C:\Windows\System\NnHxMMo.exe

MD5 3d06ea9b3393cca3e134bd012bdea8be
SHA1 a41817cfb461e2651b1152e6e89fca376b262842
SHA256 54c00ebfbc6c98b0613104267743b91c96dfd81e8e27210e360996593a68c8e7
SHA512 caa906f27ebd5b306c91ce9bc704c25fac831c85e505d619bcc7b39f9c279f3de4217b076a29a28bfb5de5732266c032da7840f9f944a5c5c0ace2b05a1986db

memory/4348-64-0x00007FF6D2F00000-0x00007FF6D3254000-memory.dmp

C:\Windows\System\OnWzDiS.exe

MD5 0c8b8f0a22094e8a2e2d9bf5dfee6968
SHA1 596bcd9a5a0c015f053af7e6665638c31ac7ca4f
SHA256 f6cda5325c5c4373a5517d8c082d36b25328e33bbaf47b68327029e7dfa8ed91
SHA512 cb33686573df0dd6b9ddf1d2fec9150fe259b25cc0961931b8f0ef23a2c46d8d5f56537db564cb5a4d25baa9a8ea116ca1d03954a644cb9a8f3212ecbc84bd10

C:\Windows\System\dEbdXGz.exe

MD5 c759f437950e354ee9e6be73362bc534
SHA1 612a0aac25de011dde34756856c7eaa41415a61b
SHA256 c3f525330e90a0147bc8e9b973911d14940ef91624c40cdef9741b141d4ed8e6
SHA512 7522aa9f1a7a5da8d339345dc5a9e482629ca23b3e2c8b17185f6e6e0657e3d98a0efd99579701109741c2d936bf93961adc91d362e2ad70590a41e1e0fdbed8

C:\Windows\System\AvXVapN.exe

MD5 90ea43c71382dad6eb1350b9a883d1ac
SHA1 58aaba066e573d724fb11e4ce151c127d881f071
SHA256 5b3b55e0d1e69c35e32a2036dfe6d228dc78d92512e12eb631180e78b2cc750b
SHA512 bf6eb637e73c7e4a7193c54d6222ba7d077424b5fa8f6ffafef40c6c17d42a306916a07210ad194a91078e20fb9ffa442896a2cf12bcc0143909d5784fc92790

C:\Windows\System\VpdLTGA.exe

MD5 552d3b414a03ae066b4b36d10f72468b
SHA1 74287a0953ae646774eeebc565970b0392ec558e
SHA256 7ff9614c92900d50045b38f8f796560c20ce49867def1a00d7993e765a0a0edc
SHA512 39d37e8904ca31403897990797ce422ad2c428feacd50202f45ee588ba50059c2f4eb8880631ce20b179cd403a31e957631bfc1e9838dc6171c980a453b630cd

C:\Windows\System\IWyeWTz.exe

MD5 4a72fa5b8a0b7740edb5a63221243112
SHA1 8022148a0a3c006656d198312cc87b5e376d1fa7
SHA256 467ee9cbd8a4cde5a68d31988cfdb05c79ce77295639987915c2115cba2538a6
SHA512 202706f1c4a1608ed8e888fb87b566196a2e2ed9f902b0233544a92a44967231e7412038dbedd5f251f322ba0f59312a8f22d8979894ff71f3079624c4227eb2

memory/3160-90-0x00007FF775240000-0x00007FF775594000-memory.dmp

memory/432-94-0x00007FF61B400000-0x00007FF61B754000-memory.dmp

memory/1552-91-0x00007FF75E7F0000-0x00007FF75EB44000-memory.dmp

memory/2936-89-0x00007FF6501F0000-0x00007FF650544000-memory.dmp

memory/3872-79-0x00007FF63C460000-0x00007FF63C7B4000-memory.dmp

memory/2880-74-0x00007FF62C4F0000-0x00007FF62C844000-memory.dmp

memory/2900-73-0x00007FF697ED0000-0x00007FF698224000-memory.dmp

C:\Windows\System\nRBnuCT.exe

MD5 3497fa2cf67576bf1d81ebf9c5d83327
SHA1 31f7567504bbda55ab95584ac4e0569b7cf87608
SHA256 377d134565cb373fa6747e71d3d6b762b0efa0d295fb86e7dbdc039aa5f20d7e
SHA512 0828b27adbd1e40125aa0efb8ca16427a0403941237173c4edfdf84e8ca988199c1562c4e46c0564c83a4812e9a5538c3e767239b2f228a932be4137f97dece3

memory/2668-103-0x00007FF710260000-0x00007FF7105B4000-memory.dmp

C:\Windows\System\KpceKKC.exe

MD5 9fdde5067f13dd8bb7fdded00668384c
SHA1 36188759d73915ff1a3eae8cc3b35ea85d647045
SHA256 b822eb68995f301205e3cea10944f39d2d080ddd038dd64f5518cc9547db0d6d
SHA512 2e0bbb8fb74293b4a10af25b0e6223b19da660abf4f373777088b94fd783bd736d11643dc33fffdaf1e4cfea1a240123ad6f228f92947491f6a5035fca3af7ca

memory/3672-105-0x00007FF73E6D0000-0x00007FF73EA24000-memory.dmp

memory/4684-112-0x00007FF6A2690000-0x00007FF6A29E4000-memory.dmp

memory/4936-111-0x00007FF71B230000-0x00007FF71B584000-memory.dmp

C:\Windows\System\yrzbtNS.exe

MD5 7ae813ed58146cc05df068f3c3b70f8d
SHA1 bc834f1861d6b26fe59d65f05ed309f749e60ea5
SHA256 c1379cd5c4803d02b1f499a4710549739c18f84b7080605aaa4c4832c6d012b7
SHA512 c3c8b579a869aa78ebf98e50623fc5764b7654dac3a7e5417fa3cd9656227d36c06de6c19e8b9964cc107a270d4d9e991c60641e2bc906b04f63d63f23418ae2

memory/4872-100-0x00007FF724DF0000-0x00007FF725144000-memory.dmp

C:\Windows\System\uNLbGBJ.exe

MD5 c49e5b4e0a0eb63f8a4e2c80598bb837
SHA1 94776bb6ba62cf5972d328b28623168d56d57a8e
SHA256 877afef1395ec3a477aaf306a9327fbd9d52390ebb5b6731cbb3457d025c8aa0
SHA512 21b1386ad78630fbdbb9aac3f228a226da341f77db8748ba7c81eafb642339191e0180574a57501beb837c87f7ca1a1ce70e20d1ad1acacc4bed6214712102a0

memory/4852-122-0x00007FF653680000-0x00007FF6539D4000-memory.dmp

C:\Windows\System\tGmSUYt.exe

MD5 5a69f5dbf16bcb32a957c1ffd23644d3
SHA1 f7b0f5a8beb5e5e9a43418fc6b897a44719b5aba
SHA256 d4a43012783b4e3cd5e34ff98c813514642e7862c1b66eeb81e5fa0f517ccbc6
SHA512 ee87a3ac0688dd054ee1716ef9057bbbc2735cb7a77aa3d9c92b28c05983f274d9e56ae0081cea8b285fc7e1c105179dd11c6a09e985d1af3d8221fd8538d799

memory/4840-129-0x00007FF697ED0000-0x00007FF698224000-memory.dmp

memory/1940-131-0x00007FF7B70F0000-0x00007FF7B7444000-memory.dmp

C:\Windows\System\uoLcJiF.exe

MD5 fa338d7cd13c26f588222e4ce34fc46d
SHA1 bf6cb85d30cb64bf01bf336453b7f521ee4dfe53
SHA256 56f3c09a532895e2d4335cec3d4ceba0ff87cc2528a8fb3d949d065fab3ff188
SHA512 ebeaa505ad3d33741290c31125765840d713e1b506fe1be522e1bd3838704b474e464b4ef25cd63fda18b243142680a4b40abe138b26f99d153b70a18e78ab6d

memory/4092-118-0x00007FF6606D0000-0x00007FF660A24000-memory.dmp