Malware Analysis Report

2025-01-22 19:52

Sample ID: 240601-jr6t9aef5w
Target: 2024-06-01_76afd126978e3bad2a81a8e9c07ebc31_cobalt-strike_cobaltstrike
SHA256: a1ea4248d6ec9c946b53c6976251423e398f6577839f86a1f52e5b765699b460
Tags: cobaltstrike, xmrig, backdoor, miner, trojan, upx
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2 (listed in the contents, but the section itself is not present on this page)
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10
SHA256: a1ea4248d6ec9c946b53c6976251423e398f6577839f86a1f52e5b765699b460
Threat Level: Known bad

The file 2024-06-01_76afd126978e3bad2a81a8e9c07ebc31_cobalt-strike_cobaltstrike was found to be: Known bad.

Two families are tagged on the one sample: a Cobalt Strike reflective loader and an XMRig miner, wrapped in UPX. In the Windows 7 detonation the sample (PID 2168) dropped 21 executables with random seven-character names into C:\Windows\System, started every one of them, requested SeLockMemoryPrivilege, and opened six TCP connections to 3.120.209.58:8080.

Malicious Activity Summary

Tags: cobaltstrike, xmrig, backdoor, miner, trojan, upx

Signatures (each listed once; the report repeats several of them):

Cobaltstrike / Cobaltstrike family
Cobalt Strike reflective loader
Detects Reflective DLL injection artifacts
XMRig Miner payload / Xmrig family (xmrig)
UPX packed file
UPX dump on OEP (original entry point)
Executes dropped EXE
Loads dropped DLL
Drops file in Windows directory
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported: 2024-06-01 07:55

Signatures

The static pass records signature names and tags only; the description, indicator, process and target columns are empty for every entry.

Cobalt Strike reflective loader
Cobaltstrike family (tag: cobaltstrike)
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload (tag: miner)
Xmrig family (tag: xmrig)
UPX packed file (tag: upx)
Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-01 07:55
Reported: 2024-06-01 07:57
Platform: win7-20240221-en
Max time kernel: 148s
Max time network: 153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-01_76afd126978e3bad2a81a8e9c07ebc31_cobalt-strike_cobaltstrike.exe"

Signatures

Hit counts below are the number of rows the report shows for each signature; none of those rows carries a description, indicator, process or target.

Cobalt Strike reflective loader: 21 hits (the same count as the dropped executables listed further down)
Cobaltstrike (tags: trojan, backdoor, cobaltstrike)
xmrig (tags: miner, xmrig)
Detects Reflective DLL injection artifacts: 21 hits
UPX dump on OEP (original entry point): 48 hits
XMRig Miner payload (tag: miner): 51 hits
Loads dropped DLL: 21 hits, every one attributed to the process C:\Users\Admin\AppData\Local\Temp\2024-06-01_76afd126978e3bad2a81a8e9c07ebc31_cobalt-strike_cobaltstrike.exe (PID 2168); no indicator or target recorded. The loaded modules are not named, but the memory dumps in the Files section show the parent holding regions at the same base address and size as each child's image, which fits the parent mapping each dropped executable into its own address space before starting it.

UPX packed file (tag: upx): 48 hits; no description, indicator, process or target recorded.

Drops file in Windows directory

Process for every row: C:\Users\Admin\AppData\Local\Temp\2024-06-01_76afd126978e3bad2a81a8e9c07ebc31_cobalt-strike_cobaltstrike.exe (PID 2168). Indicator and target are not recorded.

Description   File
File created  C:\Windows\System\CvTGqli.exe
File created  C:\Windows\System\xhhoTDZ.exe
File created  C:\Windows\System\pQCqbUI.exe
File created  C:\Windows\System\spITKIO.exe
File created  C:\Windows\System\XmCidiP.exe
File created  C:\Windows\System\Dkwkpja.exe
File created  C:\Windows\System\crYhWcN.exe
File created  C:\Windows\System\hyROmcJ.exe
File created  C:\Windows\System\SqxHQsW.exe
File created  C:\Windows\System\ygnCTRw.exe
File created  C:\Windows\System\YifVxuv.exe
File created  C:\Windows\System\nwXurGG.exe
File created  C:\Windows\System\vjfpiKj.exe
File created  C:\Windows\System\lxmwTDG.exe
File created  C:\Windows\System\EzPKnMd.exe
File created  C:\Windows\System\eIyTbXF.exe
File created  C:\Windows\System\JaEGPYq.exe
File created  C:\Windows\System\rlYnjPy.exe
File created  C:\Windows\System\NlMZJXD.exe
File created  C:\Windows\System\ZNbjOHL.exe
File created  C:\Windows\System\VXteBTM.exe

Note: C:\Windows\System (not System32) is the legacy 16-bit directory and is close to empty on a Windows 7 install, so new executables with random seven-character mixed-case names there are a high-signal indicator on their own. Writing there also requires the sample to be running with administrative rights, which the sandbox account provides.

Suspicious use of AdjustPrivilegeToken

Description                   Indicator  Process                                                                                                            Target
Token: SeLockMemoryPrivilege  N/A        C:\Users\Admin\AppData\Local\Temp\2024-06-01_76afd126978e3bad2a81a8e9c07ebc31_cobalt-strike_cobaltstrike.exe  N/A
(recorded twice)

Note: SeLockMemoryPrivilege ("Lock pages in memory") is the privilege XMRig enables so it can back its scratchpad with large pages; a Cobalt Strike beacon has no use for it, so this row corroborates the miner tag rather than the loader. If the account does not hold the privilege the call fails and the miner falls back to normal pages, so withholding the privilege slows mining but does not stop it.

Suspicious use of WriteProcessMemory

Source for every row: PID 2168, C:\Users\Admin\AppData\Local\Temp\2024-06-01_76afd126978e3bad2a81a8e9c07ebc31_cobalt-strike_cobaltstrike.exe. Each child received three writes; no indicator value is recorded.

Target PID  Target
1292        C:\Windows\System\nwXurGG.exe
1680        C:\Windows\System\vjfpiKj.exe
2680        C:\Windows\System\lxmwTDG.exe
2916        C:\Windows\System\xhhoTDZ.exe
2100        C:\Windows\System\pQCqbUI.exe
2552        C:\Windows\System\JaEGPYq.exe
2648        C:\Windows\System\EzPKnMd.exe
2520        C:\Windows\System\eIyTbXF.exe
2512        C:\Windows\System\spITKIO.exe
2712        C:\Windows\System\XmCidiP.exe
2212        C:\Windows\System\Dkwkpja.exe
2408        C:\Windows\System\crYhWcN.exe
2472        C:\Windows\System\hyROmcJ.exe
2812        C:\Windows\System\CvTGqli.exe
2516        C:\Windows\System\YifVxuv.exe
476         C:\Windows\System\rlYnjPy.exe
1048        C:\Windows\System\NlMZJXD.exe
1532        C:\Windows\System\SqxHQsW.exe
744         C:\Windows\System\ygnCTRw.exe
1988        C:\Windows\System\ZNbjOHL.exe
2000        C:\Windows\System\VXteBTM.exe

Note: on Windows 7 a parent writes into a child it has just created (the process parameters block goes into the new process during CreateProcess), so a few writes into each freshly started child is what a plain CreateProcess looks like, not proof of injection. These rows pin down the process tree; the injection evidence on this page is the "Cobalt Strike reflective loader" and "Detects Reflective DLL injection artifacts" hits.

Processes

PIDs are taken from the WriteProcessMemory rows above; each child's command line is just its own path.

C:\Users\Admin\AppData\Local\Temp\2024-06-01_76afd126978e3bad2a81a8e9c07ebc31_cobalt-strike_cobaltstrike.exe (PID 2168)
    command line: "C:\Users\Admin\AppData\Local\Temp\2024-06-01_76afd126978e3bad2a81a8e9c07ebc31_cobalt-strike_cobaltstrike.exe"
    C:\Windows\System\nwXurGG.exe (PID 1292)
    C:\Windows\System\vjfpiKj.exe (PID 1680)
    C:\Windows\System\lxmwTDG.exe (PID 2680)
    C:\Windows\System\xhhoTDZ.exe (PID 2916)
    C:\Windows\System\pQCqbUI.exe (PID 2100)
    C:\Windows\System\JaEGPYq.exe (PID 2552)
    C:\Windows\System\EzPKnMd.exe (PID 2648)
    C:\Windows\System\eIyTbXF.exe (PID 2520)
    C:\Windows\System\spITKIO.exe (PID 2512)
    C:\Windows\System\XmCidiP.exe (PID 2712)
    C:\Windows\System\Dkwkpja.exe (PID 2212)
    C:\Windows\System\crYhWcN.exe (PID 2408)
    C:\Windows\System\hyROmcJ.exe (PID 2472)
    C:\Windows\System\CvTGqli.exe (PID 2812)
    C:\Windows\System\YifVxuv.exe (PID 2516)
    C:\Windows\System\rlYnjPy.exe (PID 476)
    C:\Windows\System\NlMZJXD.exe (PID 1048)
    C:\Windows\System\SqxHQsW.exe (PID 1532)
    C:\Windows\System\ygnCTRw.exe (PID 744)
    C:\Windows\System\ZNbjOHL.exe (PID 1988)
    C:\Windows\System\VXteBTM.exe (PID 2000)
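The process tree above is the pattern a detection engineer would key on: one process from a user-writable temp directory writes executables into C:\Windows\System and then starts each of them as its own child. The script below is an added example, not part of the sandbox report, that correlates Sysmon-style FileCreate (Event ID 11) and ProcessCreate (Event ID 1) records into drop-and-execute chains. The events are constructed: the PIDs and paths come from the report, the timestamps, the event layout and the "high"/"medium" grading are assumptions.

```python
r"""Drop-and-execute correlation over Sysmon-style events (added example).

A dropper writes .exe files into a watched Windows directory, then each file
starts with the dropper as parent. Droppers living in %TEMP% are graded higher.
The records below are constructed; PIDs and paths mirror the sandbox report.
"""
import re
from collections import Counter

DROPPER = (r"C:\Users\Admin\AppData\Local\Temp"
           r"\2024-06-01_76afd126978e3bad2a81a8e9c07ebc31_cobalt-strike_cobaltstrike.exe")

# Constructed Sysmon-like records: id 11 = FileCreate, id 1 = ProcessCreate.
SAMPLE_EVENTS = [
    {"ts": 100, "id": 11, "pid": 2168, "image": DROPPER, "target": r"C:\Windows\System\nwXurGG.exe"},
    {"ts": 101, "id": 1, "pid": 1292, "ppid": 2168, "image": r"C:\Windows\System\nwXurGG.exe"},
    {"ts": 102, "id": 11, "pid": 2168, "image": DROPPER, "target": r"C:\Windows\System\vjfpiKj.exe"},
    {"ts": 103, "id": 1, "pid": 1680, "ppid": 2168, "image": r"C:\Windows\System\vjfpiKj.exe"},
    # Benign control: an installer writing a non-executable under C:\Windows.
    {"ts": 104, "id": 11, "pid": 900, "image": r"C:\Windows\System32\msiexec.exe",
     "target": r"C:\Windows\Installer\1a2b.msi"},
    # A dropped .exe later started by an unrelated parent: not a chain.
    {"ts": 105, "id": 11, "pid": 2168, "image": DROPPER, "target": r"C:\Windows\System\lxmwTDG.exe"},
    {"ts": 999, "id": 1, "pid": 3000, "ppid": 4, "image": r"C:\Windows\System\lxmwTDG.exe"},
]

# Trailing backslash keeps C:\Windows\System32\ from matching the System\ prefix.
WATCHED_DIRS = ("c:\\windows\\system\\", "c:\\windows\\temp\\")
USER_TEMP = re.compile(r"^c:\\users\\[^\\]+\\appdata\\local\\temp\\", re.IGNORECASE)


def correlate(events, window=60):
    """Return one alert per dropped .exe that its dropper then executes within `window` seconds."""
    pending = {}   # lower-cased dropped path -> (ts, dropper pid, dropper image)
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["id"] == 11:
            target = ev["target"].lower()
            if target.startswith(WATCHED_DIRS) and target.endswith(".exe"):
                pending[target] = (ev["ts"], ev["pid"], ev["image"])
        elif ev["id"] == 1:
            hit = pending.get(ev["image"].lower())
            if hit and ev["ppid"] == hit[1] and ev["ts"] - hit[0] <= window:
                alerts.append({
                    "dropper_pid": hit[1],
                    "dropper": hit[2],
                    "child_pid": ev["pid"],
                    "path": ev["image"],
                    "severity": "high" if USER_TEMP.match(hit[2].lower()) else "medium",
                })
    return alerts


def fanout(alerts):
    """Executed drops per dropper PID; the report's sample reaches 21 from one parent."""
    return Counter(a["dropper_pid"] for a in alerts)


if __name__ == "__main__":
    found = correlate(SAMPLE_EVENTS)
    for a in found:
        print(a["severity"], a["dropper_pid"], "->", a["child_pid"], a["path"])
    print(dict(fanout(found)))
```

The fan-out count is the part worth alerting on by itself: a single process that drops and starts dozens of executables within a couple of minutes has no benign counterpart in the watched directories, whereas a single drop-and-execute can still be an installer.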

Network

Country  Destination         Domain  Proto
DE       3.120.209.58:8080   (none)  tcp

The report records six TCP connections to this endpoint, all without a resolved domain, and gives no timing or payload detail. It does not say which component (the Cobalt Strike loader or the XMRig miner) made them, so treat the IP:port as an indicator for both and as time-bound: a bare IP with no domain behind it is easily re-pointed.
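A hunting step that follows from this table is to look for the same destination in network telemetry. The script below is an added example, not part of the sandbox report: it reads Zeek conn.log records in their TSV layout with a #fields header, grades each record against the indicator (exact ip:port/proto is "high", the IP on another port is "medium"), and aggregates hits per destination. The log lines are constructed, including their timestamps; only the indicator 3.120.209.58:8080/tcp comes from the report, and the two-tier grading is an assumption about how an analyst would want partial hits reported.

```python
"""Match the report's network indicator against Zeek conn.log records (added example)."""
from collections import defaultdict

# Indicator from the report: (responder IP, responder port, protocol).
IOCS = {("3.120.209.58", 8080, "tcp")}

# Constructed conn.log excerpt in Zeek's TSV layout (subset of its fields).
SAMPLE_CONN_LOG = "\n".join([
    "#fields\tts\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tconn_state",
    "1717228523.1\t10.0.0.5\t49201\t3.120.209.58\t8080\ttcp\tSF",
    "1717228583.2\t10.0.0.5\t49210\t3.120.209.58\t8080\ttcp\tSF",
    "1717228643.3\t10.0.0.5\t49215\t3.120.209.58\t8080\ttcp\tSF",
    "1717228650.0\t10.0.0.7\t49300\t3.120.209.58\t443\ttcp\tS0",
    "1717228660.0\t10.0.0.5\t49301\t93.184.216.34\t443\ttcp\tSF",
])


def parse_conn_log(text):
    """Yield one dict per record, keyed by the names in the #fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split("\t")))


def grade(rec, iocs=IOCS):
    """'high' for an exact ip:port/proto match, 'medium' for the IP alone, None otherwise."""
    key = (rec["id.resp_h"], int(rec["id.resp_p"]), rec["proto"])
    if key in iocs:
        return "high"
    if any(rec["id.resp_h"] == ip for ip, _, _ in iocs):
        return "medium"
    return None


def match(text, iocs=IOCS):
    """Aggregate hits per destination: grade, count, distinct sources, first and last timestamp."""
    hits = defaultdict(lambda: {"grade": None, "count": 0, "sources": set(), "first": None, "last": None})
    for rec in parse_conn_log(text):
        g = grade(rec, iocs)
        if g is None:
            continue
        key = f'{rec["id.resp_h"]}:{rec["id.resp_p"]}/{rec["proto"]}'
        h = hits[key]
        ts = float(rec["ts"])
        h["grade"] = g
        h["count"] += 1
        h["sources"].add(rec["id.orig_h"])
        h["first"] = ts if h["first"] is None else min(h["first"], ts)
        h["last"] = ts if h["last"] is None else max(h["last"], ts)
    return dict(hits)


if __name__ == "__main__":
    for dest, h in match(SAMPLE_CONN_LOG).items():
        span = round(h["last"] - h["first"], 1)
        print(dest, h["grade"], h["count"], sorted(h["sources"]), f"{span}s")
```

Repeated connections from one host to the exact indicator are the case to escalate; an IP-only hit on another port is worth a look because the same host may serve several roles, but it needs the port or a second indicator before it is more than a lead.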

Files

memory/2168-0-0x000000013F680000-0x000000013F9D4000-memory.dmp

memory/2168-1-0x0000000000180000-0x0000000000190000-memory.dmp

\Windows\system\nwXurGG.exe

MD5 994522398ae191b66f69e51a7690acf2
SHA1 9f6421dd86f7d7535b432ee22554ae82eccc1f1a
SHA256 3cf1b91646ff6b0668a8d609d921e2e2d230a147af7ee0ae2f339bbd2570fdde
SHA512 a5c8cc8f02b354b986f4e3771da723d922f265c000d64a3fcc54fd6d8eb03db516a5dbbf4c676189d68704132c858fbdfe098a2b00b3e66e662ba327635327ef

memory/2168-10-0x00000000022F0000-0x0000000002644000-memory.dmp

C:\Windows\system\vjfpiKj.exe

MD5 3f3646bfe6804464aeffa74775e6d467
SHA1 4c8f52df72a0bfdf52532a6d07adfcabc1583f5d
SHA256 e4e6a8963686dc5de0cae2391b34b83b769453705175767ee7f13f0891e5059a
SHA512 70df58226a7fa8e9f1bec50283aba087c17d6dfef0d3de579754b1a31482d1dd8934363521b5ee767677a33229cee66c159164e64ba639b824da08fd7dfa171b

\Windows\system\lxmwTDG.exe

MD5 00f15ea89575beddd36e4d7032fb3b71
SHA1 cc77865324d5b5279ee53aca63131421d443404c
SHA256 0981356f56551cf834ca7a0a45eef7de5bc75265bfcb9a452226b62b136cbdc8
SHA512 3b1663ad125990cf3ca0eca7ae8ece82e27e2eaad5fa170880f2b9962454c3660e7cf0c7b5d2c3779e841c61fa0af9e141f58180256a50fafaf01222b30414cd

\Windows\system\pQCqbUI.exe

MD5 deb3fcd767824dfd29dbf3980f4c3b87
SHA1 dca2a9de42993fe9db59bc487447d62b031d0b32
SHA256 1a1f0cc23c07f93d40e7c338ad7d80813c5b930ad8c5893bf76e9ec03d86131a
SHA512 5442dbcc61d58043eb64eb4a9b18522f1cf25e5ef962f2dd5c3c7e57121633538e81720fcb268b66f2152a1cbe1599a3a101755f0001ab24fc0d271d829ae70c

memory/2168-108-0x000000013F1D0000-0x000000013F524000-memory.dmp

memory/2680-30-0x000000013F5B0000-0x000000013F904000-memory.dmp

\Windows\system\ZNbjOHL.exe

MD5 a37c6dbde1497148d9d27da5f7a6a362
SHA1 efd7a8bc3f9542577630fe280a00953ae6d85242
SHA256 5341dbbb7afe6a3d77c32109e67d23f0e8d71c64dcb2c31eec77089882f9d971
SHA512 8f78799fd2425755dbe57417bf8efaa47ef246f2e6cc454c301736cc4db2ec38287a4fc4000508ded071e4e5526f60529e098ac47b8742fa1ce3cdc95a53b1fe

\Windows\system\SqxHQsW.exe

MD5 6c68dd93ac8fefa088ef32305fa7d744
SHA1 19c60962175b192978ab217e8e8cd1f7466b8250
SHA256 c93138d754424aa1f8c25b848c820c867393e96bb6fa89ba80d93b2b9d40e896
SHA512 140ee9de2a67145ee76f4525f13c77ee1ad508b23fa3380c34138093bbb2c5a1e7e0ca636d40933815051a8b82b0666920fbdd11a5ef1d0cfd1acea4b099ab20

C:\Windows\system\YifVxuv.exe

MD5 db75e535a5027a7448365404dbb81e6f
SHA1 e66f999d52a569d87c8336fe5184407065ef3251
SHA256 c5c096504677d7c004c11a5ec0c71b4438901748bcdd423dfb834b03272b91b5
SHA512 716f703c0c1c92886fa189d44d661e0cec91da63c2c9a8b1373e66754b1f705be264915e8c5239306787041d527878ead6e59d82ec1bfb6cb0366a1e5b0e8849

memory/2168-84-0x00000000022F0000-0x0000000002644000-memory.dmp

\Windows\system\rlYnjPy.exe

MD5 891addbc3c65ef8728a5516812fb4f09
SHA1 92513288c85d09b90475e00f44dd0a802414b6bd
SHA256 fe49342ff03d7d19a1ba468f0c11c6210c9f7ae3aabbc5d8183cf91026fc8df4
SHA512 53cf714f3f9b7454ccae1d5a4e8534d8ba828ba45f040de03007d76a8dec7d41a91502dcd9d680c679a68721bbf027ffc00fe70363d51d5657c66474636b07b6

\Windows\system\CvTGqli.exe

MD5 56232a305a5335e7d5ea74fe9c0cd5b3
SHA1 195a7da44778fcfe6c70b8e5ee4916d30fba5733
SHA256 8ddd4d599904fc01e5b11436a6ff05b55dd7fc6268a40acd8ec6b9c91ee37ad8
SHA512 a96da6436029c0d86408f3b7321b402eb255b1a14e3a011e2eeca81a1aed6cfb037cba0121e1b6d32653372f7ce62293062fca37cc6700ee3cdccfdfc1c2e170

memory/2916-69-0x000000013FA90000-0x000000013FDE4000-memory.dmp

\Windows\system\crYhWcN.exe

MD5 572bb2d1d2eaf64d1f192f65b933571a
SHA1 0014628254d810159618ffe4b1a54aa4650df5d4
SHA256 490a2d07c6c52c6f983e8ef24a7d78f91a516f645f02edbefdee9608188b7baa
SHA512 f92653b101e8c9c884dd557f577eaa0ea5adc2ceb26dbff61cddd9acba27e1c5ce04e024ad4cadd132c7005a0dc0a2fdf946f2d44d404c95ff6cdad737e3b792

memory/2512-58-0x000000013FBB0000-0x000000013FF04000-memory.dmp

memory/2168-55-0x000000013FC50000-0x000000013FFA4000-memory.dmp

memory/2648-54-0x000000013F240000-0x000000013F594000-memory.dmp

memory/2168-53-0x000000013F240000-0x000000013F594000-memory.dmp

memory/2168-52-0x00000000022F0000-0x0000000002644000-memory.dmp

\Windows\system\XmCidiP.exe

MD5 2304ced457c0d9188dedb06240724895
SHA1 e673a4c389cd038277a5ec3d696eba29538df0a8
SHA256 4c9e9bf2f975d53ac6ee5ce8386630c27750c1f2a522d613fb3dc789619fea51
SHA512 768226945e5e19e872d820d914daab5d63415816a53863ea3a894d84793ef1aae9f0e88c9cbce293badb313f4576e1dc0358a4922cd6abe5fc513a57fff90188

memory/2100-40-0x000000013F370000-0x000000013F6C4000-memory.dmp

\Windows\system\eIyTbXF.exe

MD5 c2f39a1b516d6fc28724409f181a0359
SHA1 72b31ee42948e0eab80874552018a83dd820e527
SHA256 36a10304b92f6a35db4055373bb317e402a784405581970f95ff801c58934f72
SHA512 2d5fb231e28a8639bb671820b326081a5047a2eee8f0f145f78af5de8c02d5d88a38d00da181948011c99715421e40b0067ea53d2a28a9f172ca2958e810724f

\Windows\system\JaEGPYq.exe

MD5 366d8c39001f0baa6229236ee73b4928
SHA1 020b695f9ae160c1fcd925fbdee4b133cb7cbc74
SHA256 13d850de87da981a25db92e64f10801f7895599175e228dbe722a089023acc50
SHA512 253d97f767649f82a33761aebfedafa563e9c476649dd9ef4f71359c329f4f857d110f2d85461af07005e8b3d25cd562deda481c40e67a113c0230b57497d35e

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-01 07:55

Reported

2024-06-01 07:57

Platform

win10v2004-20240426-en

Max time kernel

148s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-01_76afd126978e3bad2a81a8e9c07ebc31_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

UPX dump on OEP (original entry point)

XMRig Miner payload

miner

UPX packed file

upx

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\gtEeUGp.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_76afd126978e3bad2a81a8e9c07ebc31_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\kZlSWlG.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_76afd126978e3bad2a81a8e9c07ebc31_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\VXDSYDj.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_76afd126978e3bad2a81a8e9c07ebc31_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\PbfQnDO.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_76afd126978e3bad2a81a8e9c07ebc31_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\sXTFXnQ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_76afd126978e3bad2a81a8e9c07ebc31_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\upRrRbF.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_76afd126978e3bad2a81a8e9c07ebc31_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\msZRRyQ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_76afd126978e3bad2a81a8e9c07ebc31_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\fKKBCVp.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_76afd126978e3bad2a81a8e9c07ebc31_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\VYMfWLr.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_76afd126978e3bad2a81a8e9c07ebc31_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\SBJAjdx.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_76afd126978e3bad2a81a8e9c07ebc31_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\jzvQnFo.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_76afd126978e3bad2a81a8e9c07ebc31_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\dzHwvll.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_76afd126978e3bad2a81a8e9c07ebc31_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\jxhkDLA.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_76afd126978e3bad2a81a8e9c07ebc31_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\nreVmuG.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_76afd126978e3bad2a81a8e9c07ebc31_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\tjyicQQ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_76afd126978e3bad2a81a8e9c07ebc31_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\sWBHcYw.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_76afd126978e3bad2a81a8e9c07ebc31_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\HZoAJQJ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_76afd126978e3bad2a81a8e9c07ebc31_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\iAXOKzK.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_76afd126978e3bad2a81a8e9c07ebc31_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\SfiYkIk.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_76afd126978e3bad2a81a8e9c07ebc31_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ICOTGVy.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_76afd126978e3bad2a81a8e9c07ebc31_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\gAdxgSF.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_76afd126978e3bad2a81a8e9c07ebc31_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_76afd126978e3bad2a81a8e9c07ebc31_cobalt-strike_cobaltstrike.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_76afd126978e3bad2a81a8e9c07ebc31_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1264 wrote to memory of 2160 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_76afd126978e3bad2a81a8e9c07ebc31_cobalt-strike_cobaltstrike.exe C:\Windows\System\dzHwvll.exe
PID 1264 wrote to memory of 2160 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_76afd126978e3bad2a81a8e9c07ebc31_cobalt-strike_cobaltstrike.exe C:\Windows\System\dzHwvll.exe
PID 1264 wrote to memory of 4032 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_76afd126978e3bad2a81a8e9c07ebc31_cobalt-strike_cobaltstrike.exe C:\Windows\System\tjyicQQ.exe
PID 1264 wrote to memory of 4032 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_76afd126978e3bad2a81a8e9c07ebc31_cobalt-strike_cobaltstrike.exe C:\Windows\System\tjyicQQ.exe
PID 1264 wrote to memory of 1724 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_76afd126978e3bad2a81a8e9c07ebc31_cobalt-strike_cobaltstrike.exe C:\Windows\System\sWBHcYw.exe
PID 1264 wrote to memory of 1724 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_76afd126978e3bad2a81a8e9c07ebc31_cobalt-strike_cobaltstrike.exe C:\Windows\System\sWBHcYw.exe
PID 1264 wrote to memory of 216 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_76afd126978e3bad2a81a8e9c07ebc31_cobalt-strike_cobaltstrike.exe C:\Windows\System\HZoAJQJ.exe
PID 1264 wrote to memory of 216 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_76afd126978e3bad2a81a8e9c07ebc31_cobalt-strike_cobaltstrike.exe C:\Windows\System\HZoAJQJ.exe
PID 1264 wrote to memory of 4844 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_76afd126978e3bad2a81a8e9c07ebc31_cobalt-strike_cobaltstrike.exe C:\Windows\System\sXTFXnQ.exe
PID 1264 wrote to memory of 4844 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_76afd126978e3bad2a81a8e9c07ebc31_cobalt-strike_cobaltstrike.exe C:\Windows\System\sXTFXnQ.exe
PID 1264 wrote to memory of 4964 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_76afd126978e3bad2a81a8e9c07ebc31_cobalt-strike_cobaltstrike.exe C:\Windows\System\upRrRbF.exe
PID 1264 wrote to memory of 4964 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_76afd126978e3bad2a81a8e9c07ebc31_cobalt-strike_cobaltstrike.exe C:\Windows\System\upRrRbF.exe
PID 1264 wrote to memory of 1316 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_76afd126978e3bad2a81a8e9c07ebc31_cobalt-strike_cobaltstrike.exe C:\Windows\System\iAXOKzK.exe
PID 1264 wrote to memory of 1316 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_76afd126978e3bad2a81a8e9c07ebc31_cobalt-strike_cobaltstrike.exe C:\Windows\System\iAXOKzK.exe
PID 1264 wrote to memory of 2344 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_76afd126978e3bad2a81a8e9c07ebc31_cobalt-strike_cobaltstrike.exe C:\Windows\System\SfiYkIk.exe
PID 1264 wrote to memory of 2344 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_76afd126978e3bad2a81a8e9c07ebc31_cobalt-strike_cobaltstrike.exe C:\Windows\System\SfiYkIk.exe
PID 1264 wrote to memory of 2356 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_76afd126978e3bad2a81a8e9c07ebc31_cobalt-strike_cobaltstrike.exe C:\Windows\System\msZRRyQ.exe
PID 1264 wrote to memory of 2356 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_76afd126978e3bad2a81a8e9c07ebc31_cobalt-strike_cobaltstrike.exe C:\Windows\System\msZRRyQ.exe
PID 1264 wrote to memory of 2468 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_76afd126978e3bad2a81a8e9c07ebc31_cobalt-strike_cobaltstrike.exe C:\Windows\System\fKKBCVp.exe
PID 1264 wrote to memory of 2468 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_76afd126978e3bad2a81a8e9c07ebc31_cobalt-strike_cobaltstrike.exe C:\Windows\System\fKKBCVp.exe
PID 1264 wrote to memory of 2232 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_76afd126978e3bad2a81a8e9c07ebc31_cobalt-strike_cobaltstrike.exe C:\Windows\System\gtEeUGp.exe
PID 1264 wrote to memory of 2232 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_76afd126978e3bad2a81a8e9c07ebc31_cobalt-strike_cobaltstrike.exe C:\Windows\System\gtEeUGp.exe
PID 1264 wrote to memory of 4948 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_76afd126978e3bad2a81a8e9c07ebc31_cobalt-strike_cobaltstrike.exe C:\Windows\System\kZlSWlG.exe
PID 1264 wrote to memory of 4948 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_76afd126978e3bad2a81a8e9c07ebc31_cobalt-strike_cobaltstrike.exe C:\Windows\System\kZlSWlG.exe
PID 1264 wrote to memory of 4728 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_76afd126978e3bad2a81a8e9c07ebc31_cobalt-strike_cobaltstrike.exe C:\Windows\System\VYMfWLr.exe
PID 1264 wrote to memory of 4728 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_76afd126978e3bad2a81a8e9c07ebc31_cobalt-strike_cobaltstrike.exe C:\Windows\System\VYMfWLr.exe
PID 1264 wrote to memory of 5080 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_76afd126978e3bad2a81a8e9c07ebc31_cobalt-strike_cobaltstrike.exe C:\Windows\System\VXDSYDj.exe
PID 1264 wrote to memory of 5080 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_76afd126978e3bad2a81a8e9c07ebc31_cobalt-strike_cobaltstrike.exe C:\Windows\System\VXDSYDj.exe
PID 1264 wrote to memory of 3400 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_76afd126978e3bad2a81a8e9c07ebc31_cobalt-strike_cobaltstrike.exe C:\Windows\System\jxhkDLA.exe
PID 1264 wrote to memory of 3400 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_76afd126978e3bad2a81a8e9c07ebc31_cobalt-strike_cobaltstrike.exe C:\Windows\System\jxhkDLA.exe
PID 1264 wrote to memory of 2192 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_76afd126978e3bad2a81a8e9c07ebc31_cobalt-strike_cobaltstrike.exe C:\Windows\System\ICOTGVy.exe
PID 1264 wrote to memory of 2192 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_76afd126978e3bad2a81a8e9c07ebc31_cobalt-strike_cobaltstrike.exe C:\Windows\System\ICOTGVy.exe
PID 1264 wrote to memory of 1448 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_76afd126978e3bad2a81a8e9c07ebc31_cobalt-strike_cobaltstrike.exe C:\Windows\System\PbfQnDO.exe
PID 1264 wrote to memory of 1448 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_76afd126978e3bad2a81a8e9c07ebc31_cobalt-strike_cobaltstrike.exe C:\Windows\System\PbfQnDO.exe
PID 1264 wrote to memory of 1436 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_76afd126978e3bad2a81a8e9c07ebc31_cobalt-strike_cobaltstrike.exe C:\Windows\System\SBJAjdx.exe
PID 1264 wrote to memory of 1436 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_76afd126978e3bad2a81a8e9c07ebc31_cobalt-strike_cobaltstrike.exe C:\Windows\System\SBJAjdx.exe
PID 1264 wrote to memory of 1100 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_76afd126978e3bad2a81a8e9c07ebc31_cobalt-strike_cobaltstrike.exe C:\Windows\System\jzvQnFo.exe
PID 1264 wrote to memory of 1100 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_76afd126978e3bad2a81a8e9c07ebc31_cobalt-strike_cobaltstrike.exe C:\Windows\System\jzvQnFo.exe
PID 1264 wrote to memory of 3572 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_76afd126978e3bad2a81a8e9c07ebc31_cobalt-strike_cobaltstrike.exe C:\Windows\System\gAdxgSF.exe
PID 1264 wrote to memory of 3572 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_76afd126978e3bad2a81a8e9c07ebc31_cobalt-strike_cobaltstrike.exe C:\Windows\System\gAdxgSF.exe
PID 1264 wrote to memory of 3184 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_76afd126978e3bad2a81a8e9c07ebc31_cobalt-strike_cobaltstrike.exe C:\Windows\System\nreVmuG.exe
PID 1264 wrote to memory of 3184 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_76afd126978e3bad2a81a8e9c07ebc31_cobalt-strike_cobaltstrike.exe C:\Windows\System\nreVmuG.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-01_76afd126978e3bad2a81a8e9c07ebc31_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-01_76afd126978e3bad2a81a8e9c07ebc31_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\dzHwvll.exe

C:\Windows\System\dzHwvll.exe

C:\Windows\System\tjyicQQ.exe

C:\Windows\System\tjyicQQ.exe

C:\Windows\System\sWBHcYw.exe

C:\Windows\System\sWBHcYw.exe

C:\Windows\System\HZoAJQJ.exe

C:\Windows\System\HZoAJQJ.exe

C:\Windows\System\sXTFXnQ.exe

C:\Windows\System\sXTFXnQ.exe

C:\Windows\System\upRrRbF.exe

C:\Windows\System\upRrRbF.exe

C:\Windows\System\iAXOKzK.exe

C:\Windows\System\iAXOKzK.exe

C:\Windows\System\SfiYkIk.exe

C:\Windows\System\SfiYkIk.exe

C:\Windows\System\msZRRyQ.exe

C:\Windows\System\msZRRyQ.exe

C:\Windows\System\fKKBCVp.exe

C:\Windows\System\fKKBCVp.exe

C:\Windows\System\gtEeUGp.exe

C:\Windows\System\gtEeUGp.exe

C:\Windows\System\kZlSWlG.exe

C:\Windows\System\kZlSWlG.exe

C:\Windows\System\VYMfWLr.exe

C:\Windows\System\VYMfWLr.exe

C:\Windows\System\VXDSYDj.exe

C:\Windows\System\VXDSYDj.exe

C:\Windows\System\jxhkDLA.exe

C:\Windows\System\jxhkDLA.exe

C:\Windows\System\ICOTGVy.exe

C:\Windows\System\ICOTGVy.exe

C:\Windows\System\PbfQnDO.exe

C:\Windows\System\PbfQnDO.exe

C:\Windows\System\SBJAjdx.exe

C:\Windows\System\SBJAjdx.exe

C:\Windows\System\jzvQnFo.exe

C:\Windows\System\jzvQnFo.exe

C:\Windows\System\gAdxgSF.exe

C:\Windows\System\gAdxgSF.exe

C:\Windows\System\nreVmuG.exe

C:\Windows\System\nreVmuG.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 80.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 133.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
DE 3.120.209.58:8080 N/A tcp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
DE 3.120.209.58:8080 N/A tcp
US 8.8.8.8:53 91.90.14.23.in-addr.arpa udp
DE 3.120.209.58:8080 N/A tcp
DE 3.120.209.58:8080 N/A tcp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
DE 3.120.209.58:8080 N/A tcp
DE 3.120.209.58:8080 N/A tcp
US 8.8.8.8:53 15.173.189.20.in-addr.arpa udp

Files
