Malware Analysis Report

2025-01-22 19:35

Sample ID 240601-km26yafg2v
Target 2024-06-01_29ed2c534b7f9f784fc0ef07193caa2f_cobalt-strike_cobaltstrike
SHA256 b31b2a4d38fd6dd946f48d4d19b21d49dfcc0642dc07cae2a08a64082b9c90f3
Tags
miner upx 0 xmrig cobaltstrike backdoor trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

b31b2a4d38fd6dd946f48d4d19b21d49dfcc0642dc07cae2a08a64082b9c90f3

Threat Level: Known bad

The file 2024-06-01_29ed2c534b7f9f784fc0ef07193caa2f_cobalt-strike_cobaltstrike was found to be: Known bad.

Malicious Activity Summary

miner upx 0 xmrig cobaltstrike backdoor trojan

XMRig Miner payload

Cobaltstrike

Detects Reflective DLL injection artifacts

Cobaltstrike family

xmrig

Xmrig family

Cobalt Strike reflective loader

UPX dump on OEP (original entry point)

UPX packed file

Executes dropped EXE

Loads dropped DLL

Drops file in Windows directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-01 08:43

Signatures

Cobalt Strike reflective loader

Cobaltstrike family

cobaltstrike

Detects Reflective DLL injection artifacts

UPX dump on OEP (original entry point)

XMRig Miner payload

miner

Xmrig family

xmrig

UPX packed file

upx

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-01 08:43

Reported

2024-06-01 08:46

Platform

win7-20231129-en

Max time kernel

134s

Max time network

144s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-01_29ed2c534b7f9f784fc0ef07193caa2f_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

UPX dump on OEP (original entry point)

XMRig Miner payload

miner

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_29ed2c534b7f9f784fc0ef07193caa2f_cobalt-strike_cobaltstrike.exe N/A

UPX packed file

upx

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\KwQPaPW.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_29ed2c534b7f9f784fc0ef07193caa2f_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\blWjmTf.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_29ed2c534b7f9f784fc0ef07193caa2f_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\QoPMCzt.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_29ed2c534b7f9f784fc0ef07193caa2f_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\CTYwAJz.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_29ed2c534b7f9f784fc0ef07193caa2f_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\FtxDCRK.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_29ed2c534b7f9f784fc0ef07193caa2f_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\lJtiIJG.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_29ed2c534b7f9f784fc0ef07193caa2f_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ksoeEmQ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_29ed2c534b7f9f784fc0ef07193caa2f_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\AQkuaDB.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_29ed2c534b7f9f784fc0ef07193caa2f_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\cxVATkh.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_29ed2c534b7f9f784fc0ef07193caa2f_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\UMzfgjU.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_29ed2c534b7f9f784fc0ef07193caa2f_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\kgpJXTZ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_29ed2c534b7f9f784fc0ef07193caa2f_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\TAdgTEk.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_29ed2c534b7f9f784fc0ef07193caa2f_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\JOROrYz.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_29ed2c534b7f9f784fc0ef07193caa2f_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\AxKuEBi.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_29ed2c534b7f9f784fc0ef07193caa2f_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\SxKUXWN.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_29ed2c534b7f9f784fc0ef07193caa2f_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\yDYaYNf.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_29ed2c534b7f9f784fc0ef07193caa2f_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\XpInwej.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_29ed2c534b7f9f784fc0ef07193caa2f_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\RDOgMaN.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_29ed2c534b7f9f784fc0ef07193caa2f_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ixUWkTl.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_29ed2c534b7f9f784fc0ef07193caa2f_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\sxETcai.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_29ed2c534b7f9f784fc0ef07193caa2f_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\dqzEJoq.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_29ed2c534b7f9f784fc0ef07193caa2f_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_29ed2c534b7f9f784fc0ef07193caa2f_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2356 wrote to memory of 804 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_29ed2c534b7f9f784fc0ef07193caa2f_cobalt-strike_cobaltstrike.exe C:\Windows\System\yDYaYNf.exe
PID 2356 wrote to memory of 2212 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_29ed2c534b7f9f784fc0ef07193caa2f_cobalt-strike_cobaltstrike.exe C:\Windows\System\cxVATkh.exe
PID 2356 wrote to memory of 1716 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_29ed2c534b7f9f784fc0ef07193caa2f_cobalt-strike_cobaltstrike.exe C:\Windows\System\AQkuaDB.exe
PID 2356 wrote to memory of 1840 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_29ed2c534b7f9f784fc0ef07193caa2f_cobalt-strike_cobaltstrike.exe C:\Windows\System\UMzfgjU.exe
PID 2356 wrote to memory of 2644 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_29ed2c534b7f9f784fc0ef07193caa2f_cobalt-strike_cobaltstrike.exe C:\Windows\System\KwQPaPW.exe
PID 2356 wrote to memory of 2716 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_29ed2c534b7f9f784fc0ef07193caa2f_cobalt-strike_cobaltstrike.exe C:\Windows\System\dqzEJoq.exe
PID 2356 wrote to memory of 3032 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_29ed2c534b7f9f784fc0ef07193caa2f_cobalt-strike_cobaltstrike.exe C:\Windows\System\kgpJXTZ.exe
PID 2356 wrote to memory of 2488 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_29ed2c534b7f9f784fc0ef07193caa2f_cobalt-strike_cobaltstrike.exe C:\Windows\System\ixUWkTl.exe
PID 2356 wrote to memory of 2564 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_29ed2c534b7f9f784fc0ef07193caa2f_cobalt-strike_cobaltstrike.exe C:\Windows\System\TAdgTEk.exe
PID 2356 wrote to memory of 2508 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_29ed2c534b7f9f784fc0ef07193caa2f_cobalt-strike_cobaltstrike.exe C:\Windows\System\blWjmTf.exe
PID 2356 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_29ed2c534b7f9f784fc0ef07193caa2f_cobalt-strike_cobaltstrike.exe C:\Windows\System\JOROrYz.exe
PID 2356 wrote to memory of 2088 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_29ed2c534b7f9f784fc0ef07193caa2f_cobalt-strike_cobaltstrike.exe C:\Windows\System\QoPMCzt.exe
PID 2356 wrote to memory of 2788 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_29ed2c534b7f9f784fc0ef07193caa2f_cobalt-strike_cobaltstrike.exe C:\Windows\System\CTYwAJz.exe
PID 2356 wrote to memory of 1616 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_29ed2c534b7f9f784fc0ef07193caa2f_cobalt-strike_cobaltstrike.exe C:\Windows\System\FtxDCRK.exe
PID 2356 wrote to memory of 2348 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_29ed2c534b7f9f784fc0ef07193caa2f_cobalt-strike_cobaltstrike.exe C:\Windows\System\RDOgMaN.exe
PID 2356 wrote to memory of 952 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_29ed2c534b7f9f784fc0ef07193caa2f_cobalt-strike_cobaltstrike.exe C:\Windows\System\AxKuEBi.exe
PID 2356 wrote to memory of 1480 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_29ed2c534b7f9f784fc0ef07193caa2f_cobalt-strike_cobaltstrike.exe C:\Windows\System\lJtiIJG.exe
PID 2356 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_29ed2c534b7f9f784fc0ef07193caa2f_cobalt-strike_cobaltstrike.exe C:\Windows\System\ksoeEmQ.exe
PID 2356 wrote to memory of 2340 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_29ed2c534b7f9f784fc0ef07193caa2f_cobalt-strike_cobaltstrike.exe C:\Windows\System\XpInwej.exe
PID 2356 wrote to memory of 548 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_29ed2c534b7f9f784fc0ef07193caa2f_cobalt-strike_cobaltstrike.exe C:\Windows\System\SxKUXWN.exe
PID 2356 wrote to memory of 2540 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_29ed2c534b7f9f784fc0ef07193caa2f_cobalt-strike_cobaltstrike.exe C:\Windows\System\sxETcai.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-01_29ed2c534b7f9f784fc0ef07193caa2f_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-01_29ed2c534b7f9f784fc0ef07193caa2f_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\yDYaYNf.exe

C:\Windows\System\yDYaYNf.exe

C:\Windows\System\cxVATkh.exe

C:\Windows\System\cxVATkh.exe

C:\Windows\System\AQkuaDB.exe

C:\Windows\System\AQkuaDB.exe

C:\Windows\System\UMzfgjU.exe

C:\Windows\System\UMzfgjU.exe

C:\Windows\System\KwQPaPW.exe

C:\Windows\System\KwQPaPW.exe

C:\Windows\System\dqzEJoq.exe

C:\Windows\System\dqzEJoq.exe

C:\Windows\System\kgpJXTZ.exe

C:\Windows\System\kgpJXTZ.exe

C:\Windows\System\ixUWkTl.exe

C:\Windows\System\ixUWkTl.exe

C:\Windows\System\TAdgTEk.exe

C:\Windows\System\TAdgTEk.exe

C:\Windows\System\blWjmTf.exe

C:\Windows\System\blWjmTf.exe

C:\Windows\System\JOROrYz.exe

C:\Windows\System\JOROrYz.exe

C:\Windows\System\QoPMCzt.exe

C:\Windows\System\QoPMCzt.exe

C:\Windows\System\CTYwAJz.exe

C:\Windows\System\CTYwAJz.exe

C:\Windows\System\FtxDCRK.exe

C:\Windows\System\FtxDCRK.exe

C:\Windows\System\RDOgMaN.exe

C:\Windows\System\RDOgMaN.exe

C:\Windows\System\AxKuEBi.exe

C:\Windows\System\AxKuEBi.exe

C:\Windows\System\lJtiIJG.exe

C:\Windows\System\lJtiIJG.exe

C:\Windows\System\ksoeEmQ.exe

C:\Windows\System\ksoeEmQ.exe

C:\Windows\System\XpInwej.exe

C:\Windows\System\XpInwej.exe

C:\Windows\System\SxKUXWN.exe

C:\Windows\System\SxKUXWN.exe

C:\Windows\System\sxETcai.exe

C:\Windows\System\sxETcai.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 tcp

Files

\Windows\system\yDYaYNf.exe

\Windows\system\cxVATkh.exe

C:\Windows\system\AQkuaDB.exe


C:\Windows\system\UMzfgjU.exe


C:\Windows\system\KwQPaPW.exe


C:\Windows\system\dqzEJoq.exe


C:\Windows\system\kgpJXTZ.exe


\Windows\system\ixUWkTl.exe


C:\Windows\system\TAdgTEk.exe


\Windows\system\blWjmTf.exe


C:\Windows\system\JOROrYz.exe


C:\Windows\system\QoPMCzt.exe


\Windows\system\RDOgMaN.exe


C:\Windows\system\lJtiIJG.exe


\Windows\system\sxETcai.exe


\Windows\system\XpInwej.exe


C:\Windows\system\SxKUXWN.exe

MD5 7396d5f014cfd259d9cebfc7c05ee9d5
SHA1 590aa19fdff84cedf1e4c69840c5b95a4b178531
SHA256 62b7ec99ea1a2479504746e5aa201999e5cbdbbf9b24c41dcfe7f3420d9dd4d0
SHA512 d82b6b630f644e42d26ec748d79e349b4a840545752574be6a90839eb0d003ce68f610832849df1cf501c57b5ede81cd5ea710a75224ebdfb38dd58164d723f1

C:\Windows\system\ksoeEmQ.exe

MD5 b745e05321da38d9d8d1320f46ca8385
SHA1 8f9b579a54a79ac887e8c2914f7f5a9eb020a629
SHA256 da651199b539c1ba75b2b7a1b9db4682e1e928dfe3ccca894f585e949fc8efc4
SHA512 6180b96bd1a0fdfe99c03362dbddde7b597bb3dfafaab75f927ac5a722615601fd66ab5548ab1ca66664b12f12ee057ea7ad6e3d732abfe4d63a52293a258261

memory/2788-117-0x000000013FB00000-0x000000013FE54000-memory.dmp

memory/2356-104-0x0000000002420000-0x0000000002774000-memory.dmp

C:\Windows\system\AxKuEBi.exe

MD5 62e43212443fc0020b4a19a80faf1755
SHA1 265611f37a32d3e040e6bfef34ac52b116c6c480
SHA256 6b294f06e6246dd5021671878a749ed96bed1ad86401b9c0d9fde70e9cf03c56
SHA512 369a20b0c34d353398391288fa0cf411b63417c11c79979f95e2b1a2360adaa512dd041a193ca3250d4738387fc95b7aaac1e2b64cc0b5303a6b252c65f1c230

C:\Windows\system\FtxDCRK.exe

MD5 cdbb0e9d8835c1674001811a4232a262
SHA1 ffc8d606e4b3346cf9e93364cae5af4f96c7ccfc
SHA256 6e4bd1323d248cc522da06d30f042f1f11f78c2c4e298301bb254bdb608fcfa1
SHA512 57844d46f683e2238e9eeabf743c9b527dc32d17191147a05ec66cc1d5a571c9f9a2fa7b1e6e6ff13c49d4870167fa9ac8a92c0b4dae7a3e84001ccedf17cc4a

memory/2356-97-0x000000013FB00000-0x000000013FE54000-memory.dmp

C:\Windows\system\CTYwAJz.exe

MD5 743c728e67ff45da2e7e193e3655186c
SHA1 02f954684ecd05f2285d140320b048da8da3d1b8
SHA256 537e7f22c59a90c278f2a32cd0c7530cc09eb44e03cba138a378d6fcd2163b20
SHA512 1a073af85c0481f5818aa92c6b508db28a50bc938f2a2ae21aefd1758cd90089f4c8fd2e5998e11ec4ff3d9a0cfb31be1ef4145426f537d58ac0f95a2a7d0619

memory/2716-134-0x000000013F690000-0x000000013F9E4000-memory.dmp

memory/2356-135-0x000000013FD10000-0x0000000140064000-memory.dmp

memory/2788-136-0x000000013FB00000-0x000000013FE54000-memory.dmp

memory/2356-137-0x000000013F7A0000-0x000000013FAF4000-memory.dmp

memory/804-138-0x000000013F940000-0x000000013FC94000-memory.dmp

memory/2212-139-0x000000013F0B0000-0x000000013F404000-memory.dmp

memory/1716-140-0x000000013F110000-0x000000013F464000-memory.dmp

memory/1840-141-0x000000013F690000-0x000000013F9E4000-memory.dmp

memory/2644-142-0x000000013F7A0000-0x000000013FAF4000-memory.dmp

memory/2716-143-0x000000013F690000-0x000000013F9E4000-memory.dmp

memory/3032-144-0x000000013F370000-0x000000013F6C4000-memory.dmp

memory/2488-145-0x000000013F100000-0x000000013F454000-memory.dmp

memory/2564-146-0x000000013F760000-0x000000013FAB4000-memory.dmp

memory/2508-147-0x000000013FBB0000-0x000000013FF04000-memory.dmp

memory/2492-148-0x000000013FD10000-0x0000000140064000-memory.dmp

memory/2088-149-0x000000013F340000-0x000000013F694000-memory.dmp

memory/2788-150-0x000000013FB00000-0x000000013FE54000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-01 08:43

Reported

2024-06-01 08:46

Platform

win10v2004-20240426-en

Max time kernel

137s

Max time network

145s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-01_29ed2c534b7f9f784fc0ef07193caa2f_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\FtxDCRK.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_29ed2c534b7f9f784fc0ef07193caa2f_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\RDOgMaN.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_29ed2c534b7f9f784fc0ef07193caa2f_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\lJtiIJG.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_29ed2c534b7f9f784fc0ef07193caa2f_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\sxETcai.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_29ed2c534b7f9f784fc0ef07193caa2f_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\cxVATkh.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_29ed2c534b7f9f784fc0ef07193caa2f_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\KwQPaPW.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_29ed2c534b7f9f784fc0ef07193caa2f_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\TAdgTEk.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_29ed2c534b7f9f784fc0ef07193caa2f_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\JOROrYz.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_29ed2c534b7f9f784fc0ef07193caa2f_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\SxKUXWN.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_29ed2c534b7f9f784fc0ef07193caa2f_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\AQkuaDB.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_29ed2c534b7f9f784fc0ef07193caa2f_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\UMzfgjU.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_29ed2c534b7f9f784fc0ef07193caa2f_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ixUWkTl.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_29ed2c534b7f9f784fc0ef07193caa2f_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\AxKuEBi.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_29ed2c534b7f9f784fc0ef07193caa2f_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\XpInwej.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_29ed2c534b7f9f784fc0ef07193caa2f_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\yDYaYNf.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_29ed2c534b7f9f784fc0ef07193caa2f_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\dqzEJoq.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_29ed2c534b7f9f784fc0ef07193caa2f_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\blWjmTf.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_29ed2c534b7f9f784fc0ef07193caa2f_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\CTYwAJz.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_29ed2c534b7f9f784fc0ef07193caa2f_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\kgpJXTZ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_29ed2c534b7f9f784fc0ef07193caa2f_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\QoPMCzt.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_29ed2c534b7f9f784fc0ef07193caa2f_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ksoeEmQ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_29ed2c534b7f9f784fc0ef07193caa2f_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_29ed2c534b7f9f784fc0ef07193caa2f_cobalt-strike_cobaltstrike.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_29ed2c534b7f9f784fc0ef07193caa2f_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3924 wrote to memory of 1448 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_29ed2c534b7f9f784fc0ef07193caa2f_cobalt-strike_cobaltstrike.exe C:\Windows\System\yDYaYNf.exe
PID 3924 wrote to memory of 1448 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_29ed2c534b7f9f784fc0ef07193caa2f_cobalt-strike_cobaltstrike.exe C:\Windows\System\yDYaYNf.exe
PID 3924 wrote to memory of 1616 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_29ed2c534b7f9f784fc0ef07193caa2f_cobalt-strike_cobaltstrike.exe C:\Windows\System\cxVATkh.exe
PID 3924 wrote to memory of 1616 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_29ed2c534b7f9f784fc0ef07193caa2f_cobalt-strike_cobaltstrike.exe C:\Windows\System\cxVATkh.exe
PID 3924 wrote to memory of 4364 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_29ed2c534b7f9f784fc0ef07193caa2f_cobalt-strike_cobaltstrike.exe C:\Windows\System\AQkuaDB.exe
PID 3924 wrote to memory of 4364 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_29ed2c534b7f9f784fc0ef07193caa2f_cobalt-strike_cobaltstrike.exe C:\Windows\System\AQkuaDB.exe
PID 3924 wrote to memory of 3468 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_29ed2c534b7f9f784fc0ef07193caa2f_cobalt-strike_cobaltstrike.exe C:\Windows\System\UMzfgjU.exe
PID 3924 wrote to memory of 3468 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_29ed2c534b7f9f784fc0ef07193caa2f_cobalt-strike_cobaltstrike.exe C:\Windows\System\UMzfgjU.exe
PID 3924 wrote to memory of 5016 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_29ed2c534b7f9f784fc0ef07193caa2f_cobalt-strike_cobaltstrike.exe C:\Windows\System\KwQPaPW.exe
PID 3924 wrote to memory of 5016 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_29ed2c534b7f9f784fc0ef07193caa2f_cobalt-strike_cobaltstrike.exe C:\Windows\System\KwQPaPW.exe
PID 3924 wrote to memory of 368 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_29ed2c534b7f9f784fc0ef07193caa2f_cobalt-strike_cobaltstrike.exe C:\Windows\System\dqzEJoq.exe
PID 3924 wrote to memory of 368 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_29ed2c534b7f9f784fc0ef07193caa2f_cobalt-strike_cobaltstrike.exe C:\Windows\System\dqzEJoq.exe
PID 3924 wrote to memory of 3100 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_29ed2c534b7f9f784fc0ef07193caa2f_cobalt-strike_cobaltstrike.exe C:\Windows\System\kgpJXTZ.exe
PID 3924 wrote to memory of 3100 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_29ed2c534b7f9f784fc0ef07193caa2f_cobalt-strike_cobaltstrike.exe C:\Windows\System\kgpJXTZ.exe
PID 3924 wrote to memory of 396 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_29ed2c534b7f9f784fc0ef07193caa2f_cobalt-strike_cobaltstrike.exe C:\Windows\System\ixUWkTl.exe
PID 3924 wrote to memory of 396 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_29ed2c534b7f9f784fc0ef07193caa2f_cobalt-strike_cobaltstrike.exe C:\Windows\System\ixUWkTl.exe
PID 3924 wrote to memory of 4212 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_29ed2c534b7f9f784fc0ef07193caa2f_cobalt-strike_cobaltstrike.exe C:\Windows\System\TAdgTEk.exe
PID 3924 wrote to memory of 4212 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_29ed2c534b7f9f784fc0ef07193caa2f_cobalt-strike_cobaltstrike.exe C:\Windows\System\TAdgTEk.exe
PID 3924 wrote to memory of 1240 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_29ed2c534b7f9f784fc0ef07193caa2f_cobalt-strike_cobaltstrike.exe C:\Windows\System\blWjmTf.exe
PID 3924 wrote to memory of 1240 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_29ed2c534b7f9f784fc0ef07193caa2f_cobalt-strike_cobaltstrike.exe C:\Windows\System\blWjmTf.exe
PID 3924 wrote to memory of 1168 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_29ed2c534b7f9f784fc0ef07193caa2f_cobalt-strike_cobaltstrike.exe C:\Windows\System\JOROrYz.exe
PID 3924 wrote to memory of 1168 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_29ed2c534b7f9f784fc0ef07193caa2f_cobalt-strike_cobaltstrike.exe C:\Windows\System\JOROrYz.exe
PID 3924 wrote to memory of 4748 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_29ed2c534b7f9f784fc0ef07193caa2f_cobalt-strike_cobaltstrike.exe C:\Windows\System\QoPMCzt.exe
PID 3924 wrote to memory of 4748 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_29ed2c534b7f9f784fc0ef07193caa2f_cobalt-strike_cobaltstrike.exe C:\Windows\System\QoPMCzt.exe
PID 3924 wrote to memory of 2164 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_29ed2c534b7f9f784fc0ef07193caa2f_cobalt-strike_cobaltstrike.exe C:\Windows\System\CTYwAJz.exe
PID 3924 wrote to memory of 2164 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_29ed2c534b7f9f784fc0ef07193caa2f_cobalt-strike_cobaltstrike.exe C:\Windows\System\CTYwAJz.exe
PID 3924 wrote to memory of 4936 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_29ed2c534b7f9f784fc0ef07193caa2f_cobalt-strike_cobaltstrike.exe C:\Windows\System\FtxDCRK.exe
PID 3924 wrote to memory of 4936 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_29ed2c534b7f9f784fc0ef07193caa2f_cobalt-strike_cobaltstrike.exe C:\Windows\System\FtxDCRK.exe
PID 3924 wrote to memory of 2956 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_29ed2c534b7f9f784fc0ef07193caa2f_cobalt-strike_cobaltstrike.exe C:\Windows\System\RDOgMaN.exe
PID 3924 wrote to memory of 2956 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_29ed2c534b7f9f784fc0ef07193caa2f_cobalt-strike_cobaltstrike.exe C:\Windows\System\RDOgMaN.exe
PID 3924 wrote to memory of 4104 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_29ed2c534b7f9f784fc0ef07193caa2f_cobalt-strike_cobaltstrike.exe C:\Windows\System\AxKuEBi.exe
PID 3924 wrote to memory of 4104 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_29ed2c534b7f9f784fc0ef07193caa2f_cobalt-strike_cobaltstrike.exe C:\Windows\System\AxKuEBi.exe
PID 3924 wrote to memory of 3680 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_29ed2c534b7f9f784fc0ef07193caa2f_cobalt-strike_cobaltstrike.exe C:\Windows\System\lJtiIJG.exe
PID 3924 wrote to memory of 3680 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_29ed2c534b7f9f784fc0ef07193caa2f_cobalt-strike_cobaltstrike.exe C:\Windows\System\lJtiIJG.exe
PID 3924 wrote to memory of 3252 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_29ed2c534b7f9f784fc0ef07193caa2f_cobalt-strike_cobaltstrike.exe C:\Windows\System\ksoeEmQ.exe
PID 3924 wrote to memory of 3252 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_29ed2c534b7f9f784fc0ef07193caa2f_cobalt-strike_cobaltstrike.exe C:\Windows\System\ksoeEmQ.exe
PID 3924 wrote to memory of 228 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_29ed2c534b7f9f784fc0ef07193caa2f_cobalt-strike_cobaltstrike.exe C:\Windows\System\XpInwej.exe
PID 3924 wrote to memory of 228 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_29ed2c534b7f9f784fc0ef07193caa2f_cobalt-strike_cobaltstrike.exe C:\Windows\System\XpInwej.exe
PID 3924 wrote to memory of 220 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_29ed2c534b7f9f784fc0ef07193caa2f_cobalt-strike_cobaltstrike.exe C:\Windows\System\SxKUXWN.exe
PID 3924 wrote to memory of 220 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_29ed2c534b7f9f784fc0ef07193caa2f_cobalt-strike_cobaltstrike.exe C:\Windows\System\SxKUXWN.exe
PID 3924 wrote to memory of 3844 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_29ed2c534b7f9f784fc0ef07193caa2f_cobalt-strike_cobaltstrike.exe C:\Windows\System\sxETcai.exe
PID 3924 wrote to memory of 3844 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_29ed2c534b7f9f784fc0ef07193caa2f_cobalt-strike_cobaltstrike.exe C:\Windows\System\sxETcai.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-01_29ed2c534b7f9f784fc0ef07193caa2f_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-01_29ed2c534b7f9f784fc0ef07193caa2f_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\yDYaYNf.exe

C:\Windows\System\yDYaYNf.exe

C:\Windows\System\cxVATkh.exe

C:\Windows\System\cxVATkh.exe

C:\Windows\System\AQkuaDB.exe

C:\Windows\System\AQkuaDB.exe

C:\Windows\System\UMzfgjU.exe

C:\Windows\System\UMzfgjU.exe

C:\Windows\System\KwQPaPW.exe

C:\Windows\System\KwQPaPW.exe

C:\Windows\System\dqzEJoq.exe

C:\Windows\System\dqzEJoq.exe

C:\Windows\System\kgpJXTZ.exe

C:\Windows\System\kgpJXTZ.exe

C:\Windows\System\ixUWkTl.exe

C:\Windows\System\ixUWkTl.exe

C:\Windows\System\TAdgTEk.exe

C:\Windows\System\TAdgTEk.exe

C:\Windows\System\blWjmTf.exe

C:\Windows\System\blWjmTf.exe

C:\Windows\System\JOROrYz.exe

C:\Windows\System\JOROrYz.exe

C:\Windows\System\QoPMCzt.exe

C:\Windows\System\QoPMCzt.exe

C:\Windows\System\CTYwAJz.exe

C:\Windows\System\CTYwAJz.exe

C:\Windows\System\FtxDCRK.exe

C:\Windows\System\FtxDCRK.exe

C:\Windows\System\RDOgMaN.exe

C:\Windows\System\RDOgMaN.exe

C:\Windows\System\AxKuEBi.exe

C:\Windows\System\AxKuEBi.exe

C:\Windows\System\lJtiIJG.exe

C:\Windows\System\lJtiIJG.exe

C:\Windows\System\ksoeEmQ.exe

C:\Windows\System\ksoeEmQ.exe

C:\Windows\System\XpInwej.exe

C:\Windows\System\XpInwej.exe

C:\Windows\System\SxKUXWN.exe

C:\Windows\System\SxKUXWN.exe

C:\Windows\System\sxETcai.exe

C:\Windows\System\sxETcai.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 144.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 52.111.227.11:443 tcp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp

Files
