Malware Analysis Report

2025-01-22 19:53

Sample ID 240601-jeaw2seh94
Target 2024-06-01_7677edf4c01baec6091547318302844d_cobalt-strike_cobaltstrike
SHA256 b65b7af14ff62a5b4943785c3f139c9b23c68e19356840c9144ad3bedf3b40c7
Tags
miner upx 0 xmrig cobaltstrike backdoor trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

b65b7af14ff62a5b4943785c3f139c9b23c68e19356840c9144ad3bedf3b40c7

Threat Level: Known bad

The file 2024-06-01_7677edf4c01baec6091547318302844d_cobalt-strike_cobaltstrike was found to be: Known bad.

Malicious Activity Summary

miner upx 0 xmrig cobaltstrike backdoor trojan

UPX dump on OEP (original entry point)

Xmrig family

Detects Reflective DLL injection artifacts

Cobaltstrike

Cobaltstrike family

Cobalt Strike reflective loader

xmrig

XMRig Miner payload

Executes dropped EXE

Loads dropped DLL

UPX packed file

Drops file in Windows directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-01 07:34

Signatures

Cobalt Strike reflective loader

Cobaltstrike family

cobaltstrike

Detects Reflective DLL injection artifacts

UPX dump on OEP (original entry point)

XMRig Miner payload

miner

Xmrig family

xmrig

UPX packed file

upx

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-01 07:34

Reported

2024-06-01 07:37

Platform

win7-20240221-en

Max time kernel

137s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-01_7677edf4c01baec6091547318302844d_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

UPX dump on OEP (original entry point)

XMRig Miner payload

miner

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_7677edf4c01baec6091547318302844d_cobalt-strike_cobaltstrike.exe N/A

UPX packed file

upx

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\FOkezlw.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_7677edf4c01baec6091547318302844d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\UYsBRyI.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_7677edf4c01baec6091547318302844d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\SxOtOqC.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_7677edf4c01baec6091547318302844d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\nuUqQtT.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_7677edf4c01baec6091547318302844d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ZIQTDkj.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_7677edf4c01baec6091547318302844d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\YSMkvHT.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_7677edf4c01baec6091547318302844d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\eGQAUmn.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_7677edf4c01baec6091547318302844d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\pGoYkLA.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_7677edf4c01baec6091547318302844d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\huJvoPv.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_7677edf4c01baec6091547318302844d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\sRBkjSL.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_7677edf4c01baec6091547318302844d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\BclHVGt.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_7677edf4c01baec6091547318302844d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\YEYjzhI.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_7677edf4c01baec6091547318302844d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\NlIVGjj.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_7677edf4c01baec6091547318302844d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\OgzzDAv.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_7677edf4c01baec6091547318302844d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\hcGxqYK.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_7677edf4c01baec6091547318302844d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\QcdjHIn.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_7677edf4c01baec6091547318302844d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\PtEBxIU.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_7677edf4c01baec6091547318302844d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\rbANYjy.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_7677edf4c01baec6091547318302844d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\Fkueppw.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_7677edf4c01baec6091547318302844d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\HIKZdSN.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_7677edf4c01baec6091547318302844d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\uDTfnMq.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_7677edf4c01baec6091547318302844d_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_7677edf4c01baec6091547318302844d_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2032 wrote to memory of 2308 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_7677edf4c01baec6091547318302844d_cobalt-strike_cobaltstrike.exe C:\Windows\System\QcdjHIn.exe
PID 2032 wrote to memory of 3052 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_7677edf4c01baec6091547318302844d_cobalt-strike_cobaltstrike.exe C:\Windows\System\BclHVGt.exe
PID 2032 wrote to memory of 2292 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_7677edf4c01baec6091547318302844d_cobalt-strike_cobaltstrike.exe C:\Windows\System\eGQAUmn.exe
PID 2032 wrote to memory of 1948 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_7677edf4c01baec6091547318302844d_cobalt-strike_cobaltstrike.exe C:\Windows\System\PtEBxIU.exe
PID 2032 wrote to memory of 2612 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_7677edf4c01baec6091547318302844d_cobalt-strike_cobaltstrike.exe C:\Windows\System\NlIVGjj.exe
PID 2032 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_7677edf4c01baec6091547318302844d_cobalt-strike_cobaltstrike.exe C:\Windows\System\HIKZdSN.exe
PID 2032 wrote to memory of 2852 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_7677edf4c01baec6091547318302844d_cobalt-strike_cobaltstrike.exe C:\Windows\System\pGoYkLA.exe
PID 2032 wrote to memory of 2648 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_7677edf4c01baec6091547318302844d_cobalt-strike_cobaltstrike.exe C:\Windows\System\uDTfnMq.exe
PID 2032 wrote to memory of 1888 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_7677edf4c01baec6091547318302844d_cobalt-strike_cobaltstrike.exe C:\Windows\System\FOkezlw.exe
PID 2032 wrote to memory of 2508 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_7677edf4c01baec6091547318302844d_cobalt-strike_cobaltstrike.exe C:\Windows\System\YEYjzhI.exe
PID 2032 wrote to memory of 2092 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_7677edf4c01baec6091547318302844d_cobalt-strike_cobaltstrike.exe C:\Windows\System\UYsBRyI.exe
PID 2032 wrote to memory of 2864 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_7677edf4c01baec6091547318302844d_cobalt-strike_cobaltstrike.exe C:\Windows\System\OgzzDAv.exe
PID 2032 wrote to memory of 2956 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_7677edf4c01baec6091547318302844d_cobalt-strike_cobaltstrike.exe C:\Windows\System\hcGxqYK.exe
PID 2032 wrote to memory of 2120 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_7677edf4c01baec6091547318302844d_cobalt-strike_cobaltstrike.exe C:\Windows\System\SxOtOqC.exe
PID 2032 wrote to memory of 884 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_7677edf4c01baec6091547318302844d_cobalt-strike_cobaltstrike.exe C:\Windows\System\nuUqQtT.exe
PID 2032 wrote to memory of 320 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_7677edf4c01baec6091547318302844d_cobalt-strike_cobaltstrike.exe C:\Windows\System\huJvoPv.exe
PID 2032 wrote to memory of 2764 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_7677edf4c01baec6091547318302844d_cobalt-strike_cobaltstrike.exe C:\Windows\System\rbANYjy.exe
PID 2032 wrote to memory of 1704 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_7677edf4c01baec6091547318302844d_cobalt-strike_cobaltstrike.exe C:\Windows\System\Fkueppw.exe
PID 2032 wrote to memory of 1576 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_7677edf4c01baec6091547318302844d_cobalt-strike_cobaltstrike.exe C:\Windows\System\sRBkjSL.exe
PID 2032 wrote to memory of 2828 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_7677edf4c01baec6091547318302844d_cobalt-strike_cobaltstrike.exe C:\Windows\System\ZIQTDkj.exe
PID 2032 wrote to memory of 2644 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_7677edf4c01baec6091547318302844d_cobalt-strike_cobaltstrike.exe C:\Windows\System\YSMkvHT.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-01_7677edf4c01baec6091547318302844d_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-01_7677edf4c01baec6091547318302844d_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\QcdjHIn.exe

C:\Windows\System\QcdjHIn.exe

C:\Windows\System\BclHVGt.exe

C:\Windows\System\BclHVGt.exe

C:\Windows\System\eGQAUmn.exe

C:\Windows\System\eGQAUmn.exe

C:\Windows\System\PtEBxIU.exe

C:\Windows\System\PtEBxIU.exe

C:\Windows\System\NlIVGjj.exe

C:\Windows\System\NlIVGjj.exe

C:\Windows\System\HIKZdSN.exe

C:\Windows\System\HIKZdSN.exe

C:\Windows\System\pGoYkLA.exe

C:\Windows\System\pGoYkLA.exe

C:\Windows\System\uDTfnMq.exe

C:\Windows\System\uDTfnMq.exe

C:\Windows\System\FOkezlw.exe

C:\Windows\System\FOkezlw.exe

C:\Windows\System\YEYjzhI.exe

C:\Windows\System\YEYjzhI.exe

C:\Windows\System\UYsBRyI.exe

C:\Windows\System\UYsBRyI.exe

C:\Windows\System\OgzzDAv.exe

C:\Windows\System\OgzzDAv.exe

C:\Windows\System\hcGxqYK.exe

C:\Windows\System\hcGxqYK.exe

C:\Windows\System\SxOtOqC.exe

C:\Windows\System\SxOtOqC.exe

C:\Windows\System\nuUqQtT.exe

C:\Windows\System\nuUqQtT.exe

C:\Windows\System\huJvoPv.exe

C:\Windows\System\huJvoPv.exe

C:\Windows\System\rbANYjy.exe

C:\Windows\System\rbANYjy.exe

C:\Windows\System\Fkueppw.exe

C:\Windows\System\Fkueppw.exe

C:\Windows\System\sRBkjSL.exe

C:\Windows\System\sRBkjSL.exe

C:\Windows\System\ZIQTDkj.exe

C:\Windows\System\ZIQTDkj.exe

C:\Windows\System\YSMkvHT.exe

C:\Windows\System\YSMkvHT.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 tcp

Files

memory/2032-1-0x000000013F4E0000-0x000000013F834000-memory.dmp

memory/2032-0-0x0000000000080000-0x0000000000090000-memory.dmp

\Windows\system\QcdjHIn.exe

MD5 d1c5c63a156f4ce14c6790bb5c580507
SHA1 c450f9aff7b1f060afcf2a5963e9103c92e4ab4f
SHA256 2644e4b05cb618e89722468a3f91e884b7c725a857efb9b9ce709a4b07fc4de0
SHA512 d9d9f093a5b07f16480ee8827c68b88d259a999b29c012fa5c082a8e2d45b17112261c62c35e1f77da49964f1c5503c69ad0383f4328652d5a10df8a0764753b

memory/2032-7-0x000000013FD30000-0x0000000140084000-memory.dmp

\Windows\system\eGQAUmn.exe

MD5 9925944a3fd26d955463a9ff240ec871
SHA1 3a5693d6fbb14a6bac64e0980d8249855e402f6a
SHA256 7d6b2cc6e816776208e8780a3741cdaad3fcb924b8ad3297ef1dc700b3a5e1b5
SHA512 378b481131fafcfce1c4321bc3597e502c024813a2ca4512d66c4c6dbf76f239df74d4e5a7741403f477d71998f247e1fd2d195909d7f5de9f6c15444645aa96

C:\Windows\system\PtEBxIU.exe

MD5 45a46c3b5667481220ad40cd8a42b02e
SHA1 fa7c2fd5bbf920284b9c9fcb087736d71fe732f4
SHA256 ff288c8498afec76ac48648258ff5724716d21fb2b4cd2e833c004ae04e70bd3
SHA512 fbf0356e8caf59d70dcff7cea22a6e00e21d760c9b27fd1e01ea59c89ecde828a4be28b40ba25bcbf0525b8a4cdb40f34e195263c66a402d7846a5a1a35f0b2c

memory/2032-29-0x000000013FC80000-0x000000013FFD4000-memory.dmp

C:\Windows\system\BclHVGt.exe

MD5 dd3fa5b33f40ed02ec10343b0b025e87
SHA1 b37392a9f2c83244d3189e75cb53243c9bf5bacd
SHA256 738e69e6b8f31d61557655c1a3fb587c51633dde2a9c433feabfae38a90be8c7
SHA512 948c5d767cafa329df09e2563310493d5b8b5707568b9fba4bc8ad1d9ee33597a0ebbb9d6037b0299c6b20556904eeb5aba88ed30b3c4827bd62350969ae07f2

memory/1948-30-0x000000013FC80000-0x000000013FFD4000-memory.dmp

memory/2032-28-0x0000000002460000-0x00000000027B4000-memory.dmp

memory/2292-26-0x000000013FD40000-0x0000000140094000-memory.dmp

memory/2308-15-0x000000013FD30000-0x0000000140084000-memory.dmp

memory/3052-24-0x000000013F6E0000-0x000000013FA34000-memory.dmp

memory/2032-22-0x000000013FD40000-0x0000000140094000-memory.dmp

memory/2032-36-0x0000000002460000-0x00000000027B4000-memory.dmp

C:\Windows\system\NlIVGjj.exe

MD5 9ba9ecbeecb00a0151e61dc87be01b5d
SHA1 11ed426e1845c247138e28adb142fc383c7c786d
SHA256 04cdf4d529b6a4fae5d7a17f2c78c102c29d5c159c95bd1d687020a331e58fb8
SHA512 666628fbe610f86c131a8d4efcf4c4c36a9623467123e95c8263f42db7807fb799254a04730c8a3b8b7ef07ad9d99c7e7bf36c6923a368a03f288733998e8f5a

C:\Windows\system\HIKZdSN.exe

MD5 93aabf81b35b459238c8f48742fa7cf6
SHA1 5616f7b6b5d76c5340e367bd91b7c97f8712e125
SHA256 827099dd62ca67d3ca10e94b3d3b5aa62579f97c27c79c47b11c7878731f4335
SHA512 5e62fc09eb7d8c7547c77aab8c1d60d32e3671e42e7b75650b0284f71fd0dcd7a48ee18e848c77e46a30a7fb729a6c75dfc422d6a558b0f71170698b21f8d132

memory/2612-37-0x000000013F3D0000-0x000000013F724000-memory.dmp

memory/2032-42-0x000000013F150000-0x000000013F4A4000-memory.dmp

memory/2576-44-0x000000013F150000-0x000000013F4A4000-memory.dmp

C:\Windows\system\pGoYkLA.exe

MD5 7e85c3e211fcaeb05edbac378287c238
SHA1 ba8066e514190a6cab03eebc0e142836b18a8953
SHA256 7cc07ff96659515bff34f098e258fbf8c6a562f49b6737ac9076cc2a5f818b8a
SHA512 a7f40b34eceda9e37a6bd15764e4f5d041e73d5e8f12eda3db09ba4aef0214564eae239097fc2811d496e6f93be0be57880dfa5035c2f1151703aff8da5d3337

C:\Windows\system\uDTfnMq.exe

MD5 4281a4a31e44be08fa1a975540a187c7
SHA1 0a6abe24f37d6ebd1fddecc7d7ee06d99a70c5cb
SHA256 7dbf38b74e350e71766a60f71112d2400fd9c7a9a97318890aa11540605dab33
SHA512 317647fc7cb277fc79cc0a386f9dc7d68f204272bf95fb069904e514c6dbb6e85f83480177d53441d6103a29e48f0655047a9f09b9264aff0a580f573501a6d7

memory/2032-56-0x000000013FD90000-0x00000001400E4000-memory.dmp

C:\Windows\system\YEYjzhI.exe

MD5 120423817be1f1e7ad75ce271ed96e63
SHA1 62b60830399c174b5c0da1482a861abf4c739f89
SHA256 bccb8604bbe563493ca7fb808fc29191713b300fb0cdcada2f3cbfad31968a43
SHA512 4642d8641cd4b44a37a40e1135e96c3a9ba1afab7b060e00f2f869941d1d1a7f9a8bf55ef93fd42ed6d45865ed8543f8b9a1056af000af006bc3adb95395469c

C:\Windows\system\FOkezlw.exe

MD5 1903df7d9fb2c3d38dcebe2f2a4d6a80
SHA1 59850838f51511ae0ef58686a9b25545a70a1347
SHA256 94d5b7d1da9f783e6e6a116a164398f08eaad46041fcdaa9702e692e4b0f48e4
SHA512 21e82bf5041dd5bc84a7b37b9ca7fa3fa2c9f8f6b8e18bf9d1ca270dfe812153e6ca62ce22fb0a5ae0d072c6ad5eb7a8ed0d838bf7c52531bff467516bbf4514

C:\Windows\system\UYsBRyI.exe

MD5 a52ae52ef4a305c11cfc8bd2611b51ad
SHA1 9f3fbe44e8758050733cf2c0e5fa140c706b0dc5
SHA256 fe8a712e043f8b7bfe7203036133c4adc70b548dcc4c13dbdf2b9d17c3803cdc
SHA512 c5476b4c23c628b3dfbd63bd8df6bd803e28eff6be463bba426777511f67085b8bb4f221a74ddd074bd554c788fd7b21b164e28d46bcd3d4101f345cc7400ee6

memory/1888-81-0x000000013F0B0000-0x000000013F404000-memory.dmp

memory/2032-80-0x000000013FD30000-0x0000000140084000-memory.dmp

memory/2032-79-0x000000013F4E0000-0x000000013F834000-memory.dmp

memory/2092-78-0x000000013F860000-0x000000013FBB4000-memory.dmp

memory/2032-77-0x000000013F860000-0x000000013FBB4000-memory.dmp

memory/2508-76-0x000000013F5B0000-0x000000013F904000-memory.dmp

memory/2032-75-0x0000000002460000-0x00000000027B4000-memory.dmp

memory/2032-61-0x000000013F0B0000-0x000000013F404000-memory.dmp

memory/2648-59-0x000000013FD90000-0x00000001400E4000-memory.dmp

memory/2852-50-0x000000013FF70000-0x00000001402C4000-memory.dmp

memory/2032-49-0x000000013FF70000-0x00000001402C4000-memory.dmp

C:\Windows\system\hcGxqYK.exe

MD5 405dcf88680a8d97819cac59fd1831a3
SHA1 8766df17911e7186f438a0ff3345d9658acb3922
SHA256 79f29580341b8aa68c33448cca2d3ea6046a064b15fb97133e9e113cdb395739
SHA512 ced496ebb66db9d13bbdf24776cf24d87d90843fdf37fa262b4d2d3b4b6d4f965b9b6a3c9410e9251a36e528f1a06a2a0f8da810cafc175a257fe5be6860eca7

C:\Windows\system\SxOtOqC.exe

MD5 09b7e3bcb79aba2545177c92ec3fbc3c
SHA1 a744e85e72aec6e05842f32154b521504bff0e17
SHA256 553416d05518eb7184d5d4a81ff5600d65c491c7ece25610e9eba83b8f3290a5
SHA512 8ed0fc77ea689b22296b8a5c47284a772d0ed61f4a5f35bc601710ea22c774b25f1696674a68debd3b7d841945ac302e806b0cbd79cafce43e5caabbf88d3939

\Windows\system\huJvoPv.exe

MD5 906d98b55ddc5811d72f5aea60c351ce
SHA1 7b3a0d605014f9702315c3bf4c380946157bd738
SHA256 b8b7f4d6834143e436c374d9fd876db7500210a6ad398f8b731cfc803b93822e
SHA512 e59fdab14fbe8753e4903d53d412dfaec5cfd204312598f4c9c69b68d396a6a6c7c8ac51afc7d87b2ec0b080f23e131f1eef6b7dec179002dac82ad2b3d8c782

\Windows\system\Fkueppw.exe

MD5 7562a9f555968c0992d8cbddf4d123c2
SHA1 154986e04670f14636b3e2869825bf2e5a79ad71
SHA256 67cbc1b33a107a9d0b9375b55497ecf340b777f43c90de1b52de56cd8fa34c3c
SHA512 9e03d25564a2a2b070527ba9759537ddcceef226617494919be61b1227c202e91ac8e580584a0b04f07e1252a6333715e659b477575a33291a55ffc5c0903f83

C:\Windows\system\rbANYjy.exe

MD5 59763d6bb3065d35945b683be5a3df4a
SHA1 25bb19bbe347f5a45b3afde1e6a300ecae622867
SHA256 a340484c9272018e01f6f84831a1447cc220c8e8802471d46ccd7996df38db37
SHA512 29c23527865212dc0ae6923553cb1bfedd5164f7e8b8185f6e9d4d63fedfc09db0e3ad4577dfa111090d36891a193d299cb0e41f9f9113ce15d289d4a03336cc

C:\Windows\system\sRBkjSL.exe

MD5 95c8e780974f7230ebab9aac223e2e83
SHA1 09c54c4e2cde3e0033a4105f84ee225c4bd36ad7
SHA256 1a9ea97d22bb378a9f3ae2947d7164ef74413553771c382f32b18907bf2d7c60
SHA512 ed132f4d1c8cab3e7350277fdbe0c8d22b5c3e246df601773e3e088ce8ac285f23f639be04b5b4dffc14baf4f9d9c7839f3e7784ea5277cd54d9f2709392bf16

C:\Windows\system\ZIQTDkj.exe

MD5 2413f00314fdb96eadd4e723370d059b
SHA1 d0607782b11c36080b062b8df571240673a8258e
SHA256 3e4fc6bc3b03ec0498a700d87e833703f598e2a784195bace7b0c75b72300837
SHA512 716119fc29404292cefd7909e60bf6f5658007f4f929f33f7de539d8dcfc70022bd653a4d2eb90c4792dbc1aaf7cb71759530fd6b374d753c0307f9f61803942

\Windows\system\YSMkvHT.exe

MD5 a2da3ed02c42a52615854aeea4c31f0a
SHA1 e2db795e0c46f2437ddf4bd1cb6cbc2f97a11a90
SHA256 3b02e380bfaa5ae7e40496ffb3eed4c985cbcfbfe4383561a3ce632252895cd4
SHA512 5fb06dc3822bfe7d07b17587cf9e56f70f1cdb6394e9f32ba176722df4fae7aca0c0cdc70c7a6980bf0f4d8d55b1176122f2b9b16a7a8ad32f548abc835ac3da

C:\Windows\system\nuUqQtT.exe

MD5 7922df03355836ca712de5f73243ff5f
SHA1 97bf643a92c49985e3d0482b4ef714d667b86e55
SHA256 5a0a9193919cd7ce6e8e2b84c6b46d8b6eed3e87d1fcb0e375715c1e82c9e2a7
SHA512 c4a619a7ecd6d87ee9fed996935aa717b7207f6f8b29ac6a2e6e64b77b8fc0385cd1e3e27f8e168dba12493cceda5f5575a13f729572f3d32c5fabc0d6fb86fc

memory/2308-94-0x000000013FD30000-0x0000000140084000-memory.dmp

C:\Windows\system\OgzzDAv.exe

MD5 cde70140cfd5053b5462b89746b9c31a
SHA1 e212350bc0191c2f9ead5754e9f2171f9a03b509
SHA256 d630b21e0e4db87768c32e12dd9f5fb4dc3f4fa85892f45bef6604afb986e18e
SHA512 2b36163f9a25ae825895b08eed42c5862f479349f3e3576638da4773c6504364daa82ed20bccbd81ec5638e8eec077290e3e22c7a0a64e79cb6fe96f3052dbad

memory/2864-133-0x000000013F2D0000-0x000000013F624000-memory.dmp

memory/2032-134-0x000000013FE70000-0x00000001401C4000-memory.dmp

memory/2120-137-0x000000013F340000-0x000000013F694000-memory.dmp

memory/2956-136-0x000000013FC00000-0x000000013FF54000-memory.dmp

memory/2032-135-0x000000013FC00000-0x000000013FF54000-memory.dmp

memory/2032-132-0x0000000002460000-0x00000000027B4000-memory.dmp

memory/2576-138-0x000000013F150000-0x000000013F4A4000-memory.dmp

memory/2852-139-0x000000013FF70000-0x00000001402C4000-memory.dmp

memory/2308-140-0x000000013FD30000-0x0000000140084000-memory.dmp

memory/3052-141-0x000000013F6E0000-0x000000013FA34000-memory.dmp

memory/2292-142-0x000000013FD40000-0x0000000140094000-memory.dmp

memory/1948-143-0x000000013FC80000-0x000000013FFD4000-memory.dmp

memory/2612-144-0x000000013F3D0000-0x000000013F724000-memory.dmp

memory/2576-145-0x000000013F150000-0x000000013F4A4000-memory.dmp

memory/2648-146-0x000000013FD90000-0x00000001400E4000-memory.dmp

memory/2508-147-0x000000013F5B0000-0x000000013F904000-memory.dmp

memory/1888-148-0x000000013F0B0000-0x000000013F404000-memory.dmp

memory/2092-149-0x000000013F860000-0x000000013FBB4000-memory.dmp

memory/2852-150-0x000000013FF70000-0x00000001402C4000-memory.dmp

memory/2864-151-0x000000013F2D0000-0x000000013F624000-memory.dmp

memory/2956-152-0x000000013FC00000-0x000000013FF54000-memory.dmp

memory/2120-153-0x000000013F340000-0x000000013F694000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-01 07:34

Reported

2024-06-01 07:37

Platform

win10v2004-20240426-en

Max time kernel

138s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-01_7677edf4c01baec6091547318302844d_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\ohaKvPt.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_7677edf4c01baec6091547318302844d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\MiUANhl.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_7677edf4c01baec6091547318302844d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\WQZDiAm.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_7677edf4c01baec6091547318302844d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\zyeDKas.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_7677edf4c01baec6091547318302844d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\QcTnXZQ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_7677edf4c01baec6091547318302844d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\OZqXPRV.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_7677edf4c01baec6091547318302844d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\IdveGfH.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_7677edf4c01baec6091547318302844d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\XYBJYDB.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_7677edf4c01baec6091547318302844d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\XpZtsJY.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_7677edf4c01baec6091547318302844d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\iuYPaZX.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_7677edf4c01baec6091547318302844d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\uvCLxqg.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_7677edf4c01baec6091547318302844d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\JUisUiT.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_7677edf4c01baec6091547318302844d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\NEErzoy.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_7677edf4c01baec6091547318302844d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\JjbIUds.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_7677edf4c01baec6091547318302844d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\usudejq.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_7677edf4c01baec6091547318302844d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\kyqdOOf.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_7677edf4c01baec6091547318302844d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\XAMWmLr.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_7677edf4c01baec6091547318302844d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\gaqXpYp.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_7677edf4c01baec6091547318302844d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\EGHASpO.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_7677edf4c01baec6091547318302844d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\vlfbodt.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_7677edf4c01baec6091547318302844d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\vFcWKdI.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_7677edf4c01baec6091547318302844d_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_7677edf4c01baec6091547318302844d_cobalt-strike_cobaltstrike.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_7677edf4c01baec6091547318302844d_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5032 wrote to memory of 3960 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_7677edf4c01baec6091547318302844d_cobalt-strike_cobaltstrike.exe C:\Windows\System\XpZtsJY.exe
PID 5032 wrote to memory of 3960 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_7677edf4c01baec6091547318302844d_cobalt-strike_cobaltstrike.exe C:\Windows\System\XpZtsJY.exe
PID 5032 wrote to memory of 4520 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_7677edf4c01baec6091547318302844d_cobalt-strike_cobaltstrike.exe C:\Windows\System\iuYPaZX.exe
PID 5032 wrote to memory of 4520 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_7677edf4c01baec6091547318302844d_cobalt-strike_cobaltstrike.exe C:\Windows\System\iuYPaZX.exe
PID 5032 wrote to memory of 3248 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_7677edf4c01baec6091547318302844d_cobalt-strike_cobaltstrike.exe C:\Windows\System\ohaKvPt.exe
PID 5032 wrote to memory of 3248 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_7677edf4c01baec6091547318302844d_cobalt-strike_cobaltstrike.exe C:\Windows\System\ohaKvPt.exe
PID 5032 wrote to memory of 2344 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_7677edf4c01baec6091547318302844d_cobalt-strike_cobaltstrike.exe C:\Windows\System\XAMWmLr.exe
PID 5032 wrote to memory of 2344 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_7677edf4c01baec6091547318302844d_cobalt-strike_cobaltstrike.exe C:\Windows\System\XAMWmLr.exe
PID 5032 wrote to memory of 4452 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_7677edf4c01baec6091547318302844d_cobalt-strike_cobaltstrike.exe C:\Windows\System\uvCLxqg.exe
PID 5032 wrote to memory of 4452 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_7677edf4c01baec6091547318302844d_cobalt-strike_cobaltstrike.exe C:\Windows\System\uvCLxqg.exe
PID 5032 wrote to memory of 1104 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_7677edf4c01baec6091547318302844d_cobalt-strike_cobaltstrike.exe C:\Windows\System\MiUANhl.exe
PID 5032 wrote to memory of 1104 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_7677edf4c01baec6091547318302844d_cobalt-strike_cobaltstrike.exe C:\Windows\System\MiUANhl.exe
PID 5032 wrote to memory of 5056 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_7677edf4c01baec6091547318302844d_cobalt-strike_cobaltstrike.exe C:\Windows\System\JUisUiT.exe
PID 5032 wrote to memory of 5056 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_7677edf4c01baec6091547318302844d_cobalt-strike_cobaltstrike.exe C:\Windows\System\JUisUiT.exe
PID 5032 wrote to memory of 1712 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_7677edf4c01baec6091547318302844d_cobalt-strike_cobaltstrike.exe C:\Windows\System\gaqXpYp.exe
PID 5032 wrote to memory of 1712 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_7677edf4c01baec6091547318302844d_cobalt-strike_cobaltstrike.exe C:\Windows\System\gaqXpYp.exe
PID 5032 wrote to memory of 4940 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_7677edf4c01baec6091547318302844d_cobalt-strike_cobaltstrike.exe C:\Windows\System\JjbIUds.exe
PID 5032 wrote to memory of 4940 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_7677edf4c01baec6091547318302844d_cobalt-strike_cobaltstrike.exe C:\Windows\System\JjbIUds.exe
PID 5032 wrote to memory of 4680 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_7677edf4c01baec6091547318302844d_cobalt-strike_cobaltstrike.exe C:\Windows\System\EGHASpO.exe
PID 5032 wrote to memory of 4680 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_7677edf4c01baec6091547318302844d_cobalt-strike_cobaltstrike.exe C:\Windows\System\EGHASpO.exe
PID 5032 wrote to memory of 3128 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_7677edf4c01baec6091547318302844d_cobalt-strike_cobaltstrike.exe C:\Windows\System\NEErzoy.exe
PID 5032 wrote to memory of 3128 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_7677edf4c01baec6091547318302844d_cobalt-strike_cobaltstrike.exe C:\Windows\System\NEErzoy.exe
PID 5032 wrote to memory of 5040 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_7677edf4c01baec6091547318302844d_cobalt-strike_cobaltstrike.exe C:\Windows\System\OZqXPRV.exe
PID 5032 wrote to memory of 5040 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_7677edf4c01baec6091547318302844d_cobalt-strike_cobaltstrike.exe C:\Windows\System\OZqXPRV.exe
PID 5032 wrote to memory of 2536 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_7677edf4c01baec6091547318302844d_cobalt-strike_cobaltstrike.exe C:\Windows\System\usudejq.exe
PID 5032 wrote to memory of 2536 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_7677edf4c01baec6091547318302844d_cobalt-strike_cobaltstrike.exe C:\Windows\System\usudejq.exe
PID 5032 wrote to memory of 3224 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_7677edf4c01baec6091547318302844d_cobalt-strike_cobaltstrike.exe C:\Windows\System\WQZDiAm.exe
PID 5032 wrote to memory of 3224 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_7677edf4c01baec6091547318302844d_cobalt-strike_cobaltstrike.exe C:\Windows\System\WQZDiAm.exe
PID 5032 wrote to memory of 2476 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_7677edf4c01baec6091547318302844d_cobalt-strike_cobaltstrike.exe C:\Windows\System\kyqdOOf.exe
PID 5032 wrote to memory of 2476 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_7677edf4c01baec6091547318302844d_cobalt-strike_cobaltstrike.exe C:\Windows\System\kyqdOOf.exe
PID 5032 wrote to memory of 4804 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_7677edf4c01baec6091547318302844d_cobalt-strike_cobaltstrike.exe C:\Windows\System\zyeDKas.exe
PID 5032 wrote to memory of 4804 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_7677edf4c01baec6091547318302844d_cobalt-strike_cobaltstrike.exe C:\Windows\System\zyeDKas.exe
PID 5032 wrote to memory of 2248 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_7677edf4c01baec6091547318302844d_cobalt-strike_cobaltstrike.exe C:\Windows\System\QcTnXZQ.exe
PID 5032 wrote to memory of 2248 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_7677edf4c01baec6091547318302844d_cobalt-strike_cobaltstrike.exe C:\Windows\System\QcTnXZQ.exe
PID 5032 wrote to memory of 1320 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_7677edf4c01baec6091547318302844d_cobalt-strike_cobaltstrike.exe C:\Windows\System\IdveGfH.exe
PID 5032 wrote to memory of 1320 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_7677edf4c01baec6091547318302844d_cobalt-strike_cobaltstrike.exe C:\Windows\System\IdveGfH.exe
PID 5032 wrote to memory of 2420 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_7677edf4c01baec6091547318302844d_cobalt-strike_cobaltstrike.exe C:\Windows\System\XYBJYDB.exe
PID 5032 wrote to memory of 2420 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_7677edf4c01baec6091547318302844d_cobalt-strike_cobaltstrike.exe C:\Windows\System\XYBJYDB.exe
PID 5032 wrote to memory of 4000 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_7677edf4c01baec6091547318302844d_cobalt-strike_cobaltstrike.exe C:\Windows\System\vlfbodt.exe
PID 5032 wrote to memory of 4000 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_7677edf4c01baec6091547318302844d_cobalt-strike_cobaltstrike.exe C:\Windows\System\vlfbodt.exe
PID 5032 wrote to memory of 4448 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_7677edf4c01baec6091547318302844d_cobalt-strike_cobaltstrike.exe C:\Windows\System\vFcWKdI.exe
PID 5032 wrote to memory of 4448 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_7677edf4c01baec6091547318302844d_cobalt-strike_cobaltstrike.exe C:\Windows\System\vFcWKdI.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-01_7677edf4c01baec6091547318302844d_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-01_7677edf4c01baec6091547318302844d_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\XpZtsJY.exe

C:\Windows\System\XpZtsJY.exe

C:\Windows\System\iuYPaZX.exe

C:\Windows\System\iuYPaZX.exe

C:\Windows\System\ohaKvPt.exe

C:\Windows\System\ohaKvPt.exe

C:\Windows\System\XAMWmLr.exe

C:\Windows\System\XAMWmLr.exe

C:\Windows\System\uvCLxqg.exe

C:\Windows\System\uvCLxqg.exe

C:\Windows\System\MiUANhl.exe

C:\Windows\System\MiUANhl.exe

C:\Windows\System\JUisUiT.exe

C:\Windows\System\JUisUiT.exe

C:\Windows\System\gaqXpYp.exe

C:\Windows\System\gaqXpYp.exe

C:\Windows\System\JjbIUds.exe

C:\Windows\System\JjbIUds.exe

C:\Windows\System\EGHASpO.exe

C:\Windows\System\EGHASpO.exe

C:\Windows\System\NEErzoy.exe

C:\Windows\System\NEErzoy.exe

C:\Windows\System\OZqXPRV.exe

C:\Windows\System\OZqXPRV.exe

C:\Windows\System\usudejq.exe

C:\Windows\System\usudejq.exe

C:\Windows\System\WQZDiAm.exe

C:\Windows\System\WQZDiAm.exe

C:\Windows\System\kyqdOOf.exe

C:\Windows\System\kyqdOOf.exe

C:\Windows\System\zyeDKas.exe

C:\Windows\System\zyeDKas.exe

C:\Windows\System\QcTnXZQ.exe

C:\Windows\System\QcTnXZQ.exe

C:\Windows\System\IdveGfH.exe

C:\Windows\System\IdveGfH.exe

C:\Windows\System\XYBJYDB.exe

C:\Windows\System\XYBJYDB.exe

C:\Windows\System\vlfbodt.exe

C:\Windows\System\vlfbodt.exe

C:\Windows\System\vFcWKdI.exe

C:\Windows\System\vFcWKdI.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp

Files

memory/5032-0-0x00007FF62FB60000-0x00007FF62FEB4000-memory.dmp

memory/5032-1-0x00000201D0600000-0x00000201D0610000-memory.dmp

C:\Windows\System\XpZtsJY.exe

MD5 7f5e47de49a804a3a368618ee1f353a5
SHA1 516b6d98beffe30a823e495548dafe193187b2f8
SHA256 639cf91809f5ab0269931b60d2ed24d342baa1646d047e89050c9d5130e0e66e
SHA512 75e5ba733cb34d21bec1a2621d2040afbd6914b56af55a63193a8ccb6c0f02c1762cd6a5d4bd3804a2b7cf55f538023590fead3d0a32c1da9fcead72b576a310

memory/3960-7-0x00007FF679260000-0x00007FF6795B4000-memory.dmp

C:\Windows\System\iuYPaZX.exe

MD5 a4b3ecb49345bbd554e4b525e2c457ad
SHA1 ff85345d2f8a6eeeab13ec0035fc93d8beef1368
SHA256 a4b1ef238950f20fead0c7a87e91ac5038e40f59e67dd7b7325e4586cb18cbd7
SHA512 040ba6a57b56ef717acae135e86fa0f6ed6fe94ea7fe6e4162896e502074d4aa407df7f01833c8a13cedb2a0838cf28a37de140c5a648e21012c31c677946cae

memory/4520-12-0x00007FF673440000-0x00007FF673794000-memory.dmp

C:\Windows\System\ohaKvPt.exe

MD5 365aad327ae875da2854bc5c0f17aeaa
SHA1 48ecfa27ffb48b7b35dff43f125e809897fd13af
SHA256 eb7f05461b1a10c60a1650d2b08faa7118e2bfdc4c1ef2eb13b2c92813595acb
SHA512 fe2b8eb3837c7973d5917dbb6adef1b6a0365d8e19172d507113453b5bee8d4ff9e65b254113378b0250bc548a5d51d41d8368461d55461e09932ff3f2616b15

C:\Windows\System\XAMWmLr.exe

MD5 3b352e6ea4b397cb5d47d736a19fb5fd
SHA1 275c617e971711b521d9032ac07cb898255ffd1c
SHA256 022f8d89c6f95c8e327d82ce6d1dd63dd0396ecfe70daf9e4377c579993db037
SHA512 fc52d4b0ef2c9e1713953e2baa10387bb7a16daa38b1b7761cd1cb3c275172058e6ce627a37a858b0961c94825fa9cb348884654fb4aeea90d2b4afa150a8fd1

memory/2344-26-0x00007FF7BD080000-0x00007FF7BD3D4000-memory.dmp

C:\Windows\System\uvCLxqg.exe

MD5 34b680adadddfa80345e08ed115298d2
SHA1 f34146a8ae7703b92d8bae3305b75b933c33c466
SHA256 21e3d1e4e590ae73fefda82b9a1875e5ffb3c73007937b0396a0948cdcb8a2f3
SHA512 2d3600c2d74226202745ad59b6c6af443b5d634e7965eeb7b52096d463dc664a36870dd84da68f808884e031de52b1eef88ff8db2476f7e4f76a183ceb16df47

C:\Windows\System\MiUANhl.exe

MD5 51c23dcf6b27ce20e727f3a786c04dc5
SHA1 ccea09efc1a799ddc2d29a1497e34f34bfe96aaa
SHA256 bb0656a8920f295c6b52f2546fce4a552b0037a8989c28107c553987e262d961
SHA512 a69513e0a7afd5d67d019e5f0896b72774201d9d5d597e29a46b5282ac835e78deb51168897f126de8bc48fbcd0b914e5e86dd61cac21ecf9f1fd0601e0033c2

memory/4452-32-0x00007FF6BD910000-0x00007FF6BDC64000-memory.dmp

memory/3248-19-0x00007FF77E4B0000-0x00007FF77E804000-memory.dmp

memory/1104-38-0x00007FF776650000-0x00007FF7769A4000-memory.dmp

C:\Windows\System\gaqXpYp.exe

MD5 aed26ea43f6bf71ca90d12d2ca108c0d
SHA1 0f9f58c45b0ac7d96a74845ddb926a39bb4c8c41
SHA256 3825ce21b8f1e45aa7b120e1be5ea22af658f78593f0d018d07445c570b32cab
SHA512 adcf5be77f41a6821da3a33c4f5273802ef59f71e467b0faad6fa0db5d170e9479b3e9ed0d606f4e320a0b03cc2f28db322ee3f357e68344511df1fbda8ca5cc

memory/5056-45-0x00007FF6188E0000-0x00007FF618C34000-memory.dmp

memory/1712-50-0x00007FF715A90000-0x00007FF715DE4000-memory.dmp

C:\Windows\System\JjbIUds.exe

MD5 24aa833e5fbe54f62126700f29d84b48
SHA1 74412851142ceea8d367de3bea1116dab3f7fc5b
SHA256 4fa84b78bc33103f229ac881bd1cb8518a450622a02c3dc6bc30117162ab9274
SHA512 04fec20e0c8b9ee61d949539e257a1e1174c1947020dd53a6a9477143c6eaa31731404f74e01744484d4e58fd7d26c55b0a4217f3ab26692d66000d42c04cae2

memory/4940-54-0x00007FF6177A0000-0x00007FF617AF4000-memory.dmp

C:\Windows\System\EGHASpO.exe

MD5 c41a406791c772bac8cc93c8e65c85d3
SHA1 35fe9e006ec8ef45d825f7039850727e42e5c575
SHA256 50364acb49491c0233bfeb94df36605be15526e8ba657b3c3f3f8361236116a6
SHA512 de17bdb00d3fb94eabaa631e61ad3a9fdba484461d004a4c9c175e88050376610c51a6a0b16f4bdef1960baf7001aaae6c09ff57217f00d679f97cb3fd2c76f9

memory/4680-65-0x00007FF7A3560000-0x00007FF7A38B4000-memory.dmp

C:\Windows\System\OZqXPRV.exe

MD5 548a272e64ec13bfe627f00c751c816e
SHA1 82b051de3fc65047927558f0127eb61d543866af
SHA256 d57a85b4f5a9c327054b9741855a735944555c894d9e4be014ebfaa8d9d21c77
SHA512 83dbb89beffd822777381caced9163919ceb147d5f6782f74746629a4674e745a386f66f229d235aa5e1cae1012b9d63f36e311580d33c5480d0a024a91d1626

C:\Windows\System\NEErzoy.exe

MD5 2c7bad89c1384e3f95df63a560433cbd
SHA1 9c19d1055532c21f7dcb38a577a04905d3020a01
SHA256 9916fddf6f5f23bb75256a39b9463bd1d9afbe1d4d8f2b13c2da981acb300a20
SHA512 170f536718bd89e19dd7769df16601e8c2b75059b50cfb57b3654286e9f562be21b9f0a4e372b60210b381be2a13ad3f25744c8255bd0fe2f76316a59e1ca1f4

memory/5040-80-0x00007FF74DED0000-0x00007FF74E224000-memory.dmp

C:\Windows\System\WQZDiAm.exe

MD5 3cbc20ad710ae20cda836cdd5e6d0f67
SHA1 0fd3031cbc1eb37084dc82d7528bba1be10900c3
SHA256 7df6465fcdf6b4bf7fd562c9a11924677eecc296f8dbb0470d63d1cf5aeb9b79
SHA512 e7eca429f9273ac35965f194ea23942c281a702a5b1de09a6fb5f18f0a84d95cfa7b9da1f8d6b925870a84724bf4817a034fb7c22d020a9d3133a7436edbd09f

C:\Windows\System\usudejq.exe

MD5 8e5a9a7f5bc6ab847b270103e5a1b90a
SHA1 116a804d0628328c771b9397b1aca3a607eb4e4f
SHA256 f6a7abce2517a3622f356906d629dc424678ff4911801901c5a0d01e0ab688fe
SHA512 66188db436ad57a4030603482f6841a0a58fd71e2e1e98405d54d164443bde1e50eb2b65621eb473edc5df3e6dfeb3bc7a3bce7ac4bc92c944d79cc39abd42a3

memory/3224-83-0x00007FF6527C0000-0x00007FF652B14000-memory.dmp

memory/3960-82-0x00007FF679260000-0x00007FF6795B4000-memory.dmp

memory/2536-81-0x00007FF7796B0000-0x00007FF779A04000-memory.dmp

memory/5032-77-0x00007FF62FB60000-0x00007FF62FEB4000-memory.dmp

memory/3128-67-0x00007FF6D6020000-0x00007FF6D6374000-memory.dmp

C:\Windows\System\JUisUiT.exe

MD5 1074e7fd8a28207c2f971c643e32e321
SHA1 b7bce7df2b48b9d77281dccb873d1cea1a29c6d3
SHA256 f320b78f9c2032db8546b6fa5019395dd589dbb85e93bd65ea6f9b1d56fc332e
SHA512 cda8cdb2320068995f8291ef9607673fd9362106346940324b02a15f1cf21d2521cc3920d6202df05f28e443c58b12bd62819bb198c12add72322ae692cfa854

C:\Windows\System\kyqdOOf.exe

MD5 5a3ae66b2e551eb0722fe9f31ecf9f73
SHA1 88a14e0f189f72e35947bb9e2193b2f929ba7efb
SHA256 2c1369e5c814d2a88deab94650c6b352a2b407a9336dc137a59f1886a88f600c
SHA512 f322f8b220694aab020b0fb517af670319b0c7b583c161e20a168fcc8bb5f99edeba628bd10e1dd2c550c3259e71f231ec5367951c576a32fe4da246d84231ba

memory/4520-91-0x00007FF673440000-0x00007FF673794000-memory.dmp

memory/2476-92-0x00007FF611AB0000-0x00007FF611E04000-memory.dmp

C:\Windows\System\zyeDKas.exe

MD5 19bcb0cb52a1a9ce4cada3ee41b87a5b
SHA1 9c5a4188c37c7a457662874d5333c8f3fa1abbba
SHA256 920c3e0727dc8a91c348594ade98fbd0e6fc687b768b3157be40d67576fc4705
SHA512 78cb547866357aa726efed49467fd4af1a4058d2362db5e8e36b98457ad453f6bccb761aee5fbb3c2961ff394a3a7e532c3108096d51b0f1c2a8e8d04e520aed

C:\Windows\System\IdveGfH.exe

MD5 399c0751c24fc18cccf75b7750de4966
SHA1 7ac870796499d213fc753d783ebad0d670b56ef8
SHA256 46805bbd9e83bafed069a29eaf4a55c5a7140f391ba0d1e49154b83b2fe9a8fb
SHA512 d86ef2e17fc8f567bfc2d837173cb424850cf71ad66e24be79b5652f632c434a180c87a5e42e0a96f92a405bffd7d8449673880f9a20904efd56d6d48a5d3010

C:\Windows\System\QcTnXZQ.exe

MD5 ce62272065d93c232a68e404f68af60d
SHA1 62e07e074f14fb57d9cd17b6a4e99af440607f42
SHA256 c7b5a755664708e1ec08c60d378ba75b387089859d250a69198629abc71dae18
SHA512 29cd8192bd596c5ae6fed02acaf3313d7231614713bd8cb2bc3215fed551aee2d1db5200089d06b006cc668a717bd14430faa41f32e9be4e3fa7b309956458e0

memory/1320-118-0x00007FF77C680000-0x00007FF77C9D4000-memory.dmp

C:\Windows\System\XYBJYDB.exe

MD5 6ab6c427b4a6118b0b2dd227b3540d34
SHA1 1f134623e129521254d54aae7ceb8aa719623203
SHA256 52b3c26c96c3b041f89575812b27fc4bac10f45a6e5813e24ea87fca808c2de7
SHA512 0a661b8e109d6e2b7c646b6a2744b6a74c31688124953ece584b471d50c157f4e8ba3250910556bd6ee1023f54d6d297fc5383654c8f4713f6779f483eb76c47

memory/2420-129-0x00007FF69DD70000-0x00007FF69E0C4000-memory.dmp

C:\Windows\System\vFcWKdI.exe

MD5 478857d68fd049185d30177988a2c4b5
SHA1 ef5e2d564c4171dcf331c46d0f89f60847440640
SHA256 ff29712b4544749708b8e723ee6506f5dd7e87b8f28a05df5fea12800c80d4b3
SHA512 a8f6f5843ac59850fe4eb91d08bf2861b9226e50efa3350e66b501503125cebbd6c48cfe473463b9dfc201cfdaa9cf9f303c80fa8db57feb26b4729ad1b4abd5

C:\Windows\System\vlfbodt.exe

MD5 23d4ab547ab15024fd1f834435c450bc
SHA1 c69707c22e6991c5de2ef1dbaed0ebdaa02eba65
SHA256 2fe2f823e39f79b04e91a169b5c93b0999421bdd0717c6b2ec84902762ecf23e
SHA512 97cc986c0721487ed0855c2d1355f8fd03f68915ae48722ea5dc01099f444783635ea306b40ebfb65b29975d233854058cb70b73301b5ee0d01dfdbd1fdea7b7

memory/1712-121-0x00007FF715A90000-0x00007FF715DE4000-memory.dmp

memory/4000-119-0x00007FF737680000-0x00007FF7379D4000-memory.dmp

memory/2248-108-0x00007FF79ECA0000-0x00007FF79EFF4000-memory.dmp

memory/4804-100-0x00007FF713400000-0x00007FF713754000-memory.dmp

memory/3248-99-0x00007FF77E4B0000-0x00007FF77E804000-memory.dmp

memory/5056-132-0x00007FF6188E0000-0x00007FF618C34000-memory.dmp

memory/4448-133-0x00007FF6D6620000-0x00007FF6D6974000-memory.dmp

memory/4940-134-0x00007FF6177A0000-0x00007FF617AF4000-memory.dmp

memory/3128-135-0x00007FF6D6020000-0x00007FF6D6374000-memory.dmp

memory/2536-136-0x00007FF7796B0000-0x00007FF779A04000-memory.dmp

memory/3224-137-0x00007FF6527C0000-0x00007FF652B14000-memory.dmp

memory/2476-138-0x00007FF611AB0000-0x00007FF611E04000-memory.dmp

memory/4804-139-0x00007FF713400000-0x00007FF713754000-memory.dmp

memory/2248-140-0x00007FF79ECA0000-0x00007FF79EFF4000-memory.dmp

memory/1320-141-0x00007FF77C680000-0x00007FF77C9D4000-memory.dmp

memory/4000-142-0x00007FF737680000-0x00007FF7379D4000-memory.dmp

memory/2420-143-0x00007FF69DD70000-0x00007FF69E0C4000-memory.dmp

memory/3960-144-0x00007FF679260000-0x00007FF6795B4000-memory.dmp

memory/4520-145-0x00007FF673440000-0x00007FF673794000-memory.dmp

memory/3248-146-0x00007FF77E4B0000-0x00007FF77E804000-memory.dmp

memory/2344-147-0x00007FF7BD080000-0x00007FF7BD3D4000-memory.dmp

memory/4452-148-0x00007FF6BD910000-0x00007FF6BDC64000-memory.dmp

memory/1104-149-0x00007FF776650000-0x00007FF7769A4000-memory.dmp

memory/5056-150-0x00007FF6188E0000-0x00007FF618C34000-memory.dmp

memory/1712-151-0x00007FF715A90000-0x00007FF715DE4000-memory.dmp

memory/4940-152-0x00007FF6177A0000-0x00007FF617AF4000-memory.dmp

memory/4680-153-0x00007FF7A3560000-0x00007FF7A38B4000-memory.dmp

memory/5040-154-0x00007FF74DED0000-0x00007FF74E224000-memory.dmp

memory/3128-155-0x00007FF6D6020000-0x00007FF6D6374000-memory.dmp

memory/3224-156-0x00007FF6527C0000-0x00007FF652B14000-memory.dmp

memory/2536-157-0x00007FF7796B0000-0x00007FF779A04000-memory.dmp

memory/2476-158-0x00007FF611AB0000-0x00007FF611E04000-memory.dmp

memory/4804-159-0x00007FF713400000-0x00007FF713754000-memory.dmp

memory/2248-160-0x00007FF79ECA0000-0x00007FF79EFF4000-memory.dmp

memory/1320-161-0x00007FF77C680000-0x00007FF77C9D4000-memory.dmp

memory/4000-162-0x00007FF737680000-0x00007FF7379D4000-memory.dmp

memory/4448-164-0x00007FF6D6620000-0x00007FF6D6974000-memory.dmp

memory/2420-163-0x00007FF69DD70000-0x00007FF69E0C4000-memory.dmp