Malware Analysis Report

2025-01-22 19:46

Sample ID 240601-qh99msea56
Target 2024-06-01_ee51cd4f6a46750a9ac060be06217906_cobalt-strike_cobaltstrike
SHA256 684b4ea17e85d2f3c4ee76ecc1608d9dee7d99bcfec76340a0e763b6ba850bca
Tags
miner upx 0 xmrig cobaltstrike backdoor trojan
score
10/10

Analysis Overview

score
10/10

SHA256

684b4ea17e85d2f3c4ee76ecc1608d9dee7d99bcfec76340a0e763b6ba850bca

Threat Level: Known bad

The file 2024-06-01_ee51cd4f6a46750a9ac060be06217906_cobalt-strike_cobaltstrike was found to be: Known bad.

Malicious Activity Summary

miner upx 0 xmrig cobaltstrike backdoor trojan

Cobaltstrike

Cobaltstrike family

xmrig

Cobalt Strike reflective loader

UPX dump on OEP (original entry point)

XMRig Miner payload

Detects Reflective DLL injection artifacts

Xmrig family

Loads dropped DLL

UPX packed file

Executes dropped EXE

Drops file in Windows directory

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-01 13:16

Signatures

Cobalt Strike reflective loader

Cobaltstrike family

cobaltstrike

Detects Reflective DLL injection artifacts

UPX dump on OEP (original entry point)

XMRig Miner payload

miner

Xmrig family

xmrig

UPX packed file

upx

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-01 13:16

Reported

2024-06-01 13:19

Platform

win7-20240508-en

Max time kernel

140s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-01_ee51cd4f6a46750a9ac060be06217906_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

UPX dump on OEP (original entry point)

XMRig Miner payload

miner

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_ee51cd4f6a46750a9ac060be06217906_cobalt-strike_cobaltstrike.exe N/A

UPX packed file

upx

Drops file in Windows directory

Process: C:\Users\Admin\AppData\Local\Temp\2024-06-01_ee51cd4f6a46750a9ac060be06217906_cobalt-strike_cobaltstrike.exe
Description Indicator
File created C:\Windows\System\GJJwvDq.exe
File created C:\Windows\System\vtEoxSk.exe
File created C:\Windows\System\GeFNKWV.exe
File created C:\Windows\System\GJhRSqk.exe
File created C:\Windows\System\gODShum.exe
File created C:\Windows\System\IeHIUyv.exe
File created C:\Windows\System\BNUBAbW.exe
File created C:\Windows\System\rzQZDCy.exe
File created C:\Windows\System\YXgtJQP.exe
File created C:\Windows\System\yYzttRK.exe
File created C:\Windows\System\RIjZdba.exe
File created C:\Windows\System\eJvHJeh.exe
File created C:\Windows\System\kSKaBkg.exe
File created C:\Windows\System\ALfBKBe.exe
File created C:\Windows\System\diEoxry.exe
File created C:\Windows\System\qcLKsyC.exe
File created C:\Windows\System\jneVQfv.exe
File created C:\Windows\System\YxDcDfx.exe
File created C:\Windows\System\NWLgVrz.exe
File created C:\Windows\System\iVzXQWY.exe
File created C:\Windows\System\RItvBYC.exe

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_ee51cd4f6a46750a9ac060be06217906_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Process: C:\Users\Admin\AppData\Local\Temp\2024-06-01_ee51cd4f6a46750a9ac060be06217906_cobalt-strike_cobaltstrike.exe (PID 2716)
Description Target
PID 2716 wrote to memory of 3028 C:\Windows\System\YXgtJQP.exe
PID 2716 wrote to memory of 2152 C:\Windows\System\GJhRSqk.exe
PID 2716 wrote to memory of 2988 C:\Windows\System\RItvBYC.exe
PID 2716 wrote to memory of 2660 C:\Windows\System\jneVQfv.exe
PID 2716 wrote to memory of 2740 C:\Windows\System\yYzttRK.exe
PID 2716 wrote to memory of 2864 C:\Windows\System\GJJwvDq.exe
PID 2716 wrote to memory of 2860 C:\Windows\System\vtEoxSk.exe
PID 2716 wrote to memory of 2708 C:\Windows\System\RIjZdba.exe
PID 2716 wrote to memory of 2208 C:\Windows\System\eJvHJeh.exe
PID 2716 wrote to memory of 2544 C:\Windows\System\gODShum.exe
PID 2716 wrote to memory of 2640 C:\Windows\System\YxDcDfx.exe
PID 2716 wrote to memory of 2116 C:\Windows\System\kSKaBkg.exe
PID 2716 wrote to memory of 1448 C:\Windows\System\NWLgVrz.exe
PID 2716 wrote to memory of 2704 C:\Windows\System\iVzXQWY.exe
PID 2716 wrote to memory of 2412 C:\Windows\System\ALfBKBe.exe
PID 2716 wrote to memory of 1632 C:\Windows\System\diEoxry.exe
PID 2716 wrote to memory of 1608 C:\Windows\System\qcLKsyC.exe
PID 2716 wrote to memory of 556 C:\Windows\System\IeHIUyv.exe
PID 2716 wrote to memory of 316 C:\Windows\System\GeFNKWV.exe
PID 2716 wrote to memory of 2028 C:\Windows\System\BNUBAbW.exe
PID 2716 wrote to memory of 1476 C:\Windows\System\rzQZDCy.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-01_ee51cd4f6a46750a9ac060be06217906_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-01_ee51cd4f6a46750a9ac060be06217906_cobalt-strike_cobaltstrike.exe"

Dropped executables, each run with its own path as the command line:
C:\Windows\System\YXgtJQP.exe
C:\Windows\System\GJhRSqk.exe
C:\Windows\System\RItvBYC.exe
C:\Windows\System\jneVQfv.exe
C:\Windows\System\yYzttRK.exe
C:\Windows\System\GJJwvDq.exe
C:\Windows\System\vtEoxSk.exe
C:\Windows\System\RIjZdba.exe
C:\Windows\System\eJvHJeh.exe
C:\Windows\System\gODShum.exe
C:\Windows\System\YxDcDfx.exe
C:\Windows\System\kSKaBkg.exe
C:\Windows\System\NWLgVrz.exe
C:\Windows\System\iVzXQWY.exe
C:\Windows\System\ALfBKBe.exe
C:\Windows\System\diEoxry.exe
C:\Windows\System\qcLKsyC.exe
C:\Windows\System\IeHIUyv.exe
C:\Windows\System\GeFNKWV.exe
C:\Windows\System\BNUBAbW.exe
C:\Windows\System\rzQZDCy.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 tcp

Files

\Windows\system\YXgtJQP.exe

C:\Windows\system\GJJwvDq.exe

C:\Windows\system\RIjZdba.exe

C:\Windows\system\kSKaBkg.exe

C:\Windows\system\IeHIUyv.exe

\Windows\system\rzQZDCy.exe

C:\Windows\system\BNUBAbW.exe

C:\Windows\system\GeFNKWV.exe

C:\Windows\system\qcLKsyC.exe

C:\Windows\system\ALfBKBe.exe

C:\Windows\system\diEoxry.exe

C:\Windows\system\NWLgVrz.exe

C:\Windows\system\iVzXQWY.exe

C:\Windows\system\YxDcDfx.exe

C:\Windows\system\gODShum.exe

MD5 7462ce2bf19997d400b0ead96e1fd253
SHA1 3f8933d4ec745cce97f38a32f11371a7f6089414
SHA256 fc1ed4e3d4c2ebdbe25c1e824b352dd6a1fc43d6dff8f9a0ee25c0aa398c0418
SHA512 3426162a8dc81f51086d008379aef31c191e7cc127fe0afbf00785f230fb77cd1c2e1cbc0ce1ce0f6bf3f74f7322ce787b6eb2179a7328625e4dfef75e99ef19

C:\Windows\system\eJvHJeh.exe

MD5 e65a92c089f736d3356509c90a32bc9d
SHA1 cbb4f9c3be46d13cd99a5ba3937216067f3d6aea
SHA256 3f4c3dad173dbf599eaabbc5ebab98c723e758ffeaed1bb34d717a17f90c0ad8
SHA512 815b83d1ce78afef51eb7fc7d5861a79f5f02a41eefb09bb909c8ea192ad150a723988e2e78714b6065a6239e8dbad7614b3322afcfdf2a11a3b144960f6ddc7

memory/2716-48-0x000000013F1C0000-0x000000013F514000-memory.dmp

memory/2716-53-0x000000013FE00000-0x0000000140154000-memory.dmp

C:\Windows\system\vtEoxSk.exe

MD5 7ac12cd71b5af2c60271c83389375b51
SHA1 e587099e15ceb0a0e7ab6132dfbca1e0fb3d797c
SHA256 9bed54d569bdfd570feb75e4642f4e858e1c74c7210d3714093b162b6ac80b40
SHA512 7814bde4ace2c1bc2ff3200b5b3ead8b8d54330188ba630137c1865461c29a98ecc2a777a90511d420cbe0980d6dff9935a3e560d446e563752aca864196fe4a

memory/2716-39-0x000000013F020000-0x000000013F374000-memory.dmp

C:\Windows\system\yYzttRK.exe

MD5 c9ab3bfe867374613c60d0194423197a
SHA1 4032c5fc820f8385c2db2588a5e689a67e838fea
SHA256 6227ebe5e3b225f61387c9641cf22c4f3d0a55bfd65963c3bed1683055be8877
SHA512 694f35b216c1cdc45475649feae93b0327e7eb9c58dc31cca680bd109dbf35c3e1a14eca2e44b57e53bb35631d5bffc317a2765a2965e780f89cab526bf16bf8

memory/2988-32-0x000000013FD40000-0x0000000140094000-memory.dmp

memory/2716-30-0x000000013F400000-0x000000013F754000-memory.dmp

C:\Windows\system\RItvBYC.exe

MD5 b5aa1144cc4cdc0ba9fafd12c6d28ba6
SHA1 4fb0df5b63ddc981db20d82cfd697d6282c56a25
SHA256 1f4be72481521e4d20dccbbaedca9763d65e2f145d59b835b9141073a28a82ef
SHA512 56d1e39a6fcb0da249391438971c273cfe5ec8bb8aa4ee6ac2f2d3194a2732f9aa04a565c415eb57f8277a325d1e34ecd9f4cdbca193c968a8dfa18d18911fab

memory/2708-141-0x000000013FCD0000-0x0000000140024000-memory.dmp

memory/3028-18-0x000000013FEE0000-0x0000000140234000-memory.dmp

memory/2152-15-0x000000013F530000-0x000000013F884000-memory.dmp

memory/2716-6-0x0000000002420000-0x0000000002774000-memory.dmp

C:\Windows\system\jneVQfv.exe

MD5 2b9744e23d27ed6c37c4ddacf629565a
SHA1 93b909f8eedcdeda260bc7469c01d41b3fb12abf
SHA256 ae2e90d2b74b7a91247e630609a0a05f336604c48b40c2cbff85b6eac32f0051
SHA512 9c2142af4791755402b814197e981b540d0784f675b6d02486a0a30842680c919e2b74d71ffdea8806da8c49d52dbd3985a5b021ccdd3c0dc9113950cbfbfc86

C:\Windows\system\GJhRSqk.exe

MD5 7f50495d6ac587fa45cfa81fee445cc7
SHA1 10c60df794ff15478d76c1f843e3a6ec55179add
SHA256 89b6bbaca0ae3cc135c6a6e2918f182bcc6f2e7951a9b63e8d19e65c0d1c3139
SHA512 fe7ac4b32f34d6721e4a6d2310594b05631158e155bb29fefa5709cf9f55316abed4ace26681095525a98b33a5c69fc5151a60667cbff91971b8b5b3bd4899e9

memory/2208-143-0x000000013F100000-0x000000013F454000-memory.dmp

memory/2716-142-0x000000013F100000-0x000000013F454000-memory.dmp

memory/2544-144-0x000000013F460000-0x000000013F7B4000-memory.dmp

memory/2716-145-0x000000013F320000-0x000000013F674000-memory.dmp

memory/2640-146-0x000000013F320000-0x000000013F674000-memory.dmp

memory/2716-147-0x0000000002420000-0x0000000002774000-memory.dmp

memory/2116-148-0x000000013FF50000-0x00000001402A4000-memory.dmp

memory/2716-149-0x000000013F340000-0x000000013F694000-memory.dmp

memory/1448-150-0x000000013F340000-0x000000013F694000-memory.dmp

memory/2716-151-0x000000013F2F0000-0x000000013F644000-memory.dmp

memory/2704-152-0x000000013F2F0000-0x000000013F644000-memory.dmp

memory/3028-154-0x000000013FEE0000-0x0000000140234000-memory.dmp

memory/2152-153-0x000000013F530000-0x000000013F884000-memory.dmp

memory/2660-155-0x000000013F640000-0x000000013F994000-memory.dmp

memory/2988-156-0x000000013FD40000-0x0000000140094000-memory.dmp

memory/2864-157-0x000000013F020000-0x000000013F374000-memory.dmp

memory/2740-158-0x000000013F400000-0x000000013F754000-memory.dmp

memory/2708-159-0x000000013FCD0000-0x0000000140024000-memory.dmp

memory/2860-160-0x000000013F1C0000-0x000000013F514000-memory.dmp

memory/2208-161-0x000000013F100000-0x000000013F454000-memory.dmp

memory/2544-162-0x000000013F460000-0x000000013F7B4000-memory.dmp

memory/2116-163-0x000000013FF50000-0x00000001402A4000-memory.dmp

memory/2640-164-0x000000013F320000-0x000000013F674000-memory.dmp

memory/2704-165-0x000000013F2F0000-0x000000013F644000-memory.dmp

memory/1448-166-0x000000013F340000-0x000000013F694000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-01 13:16

Reported

2024-06-01 13:19

Platform

win10v2004-20240508-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-01_ee51cd4f6a46750a9ac060be06217906_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\QyBfxXb.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_ee51cd4f6a46750a9ac060be06217906_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\TsaRUZh.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_ee51cd4f6a46750a9ac060be06217906_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\AAVaLqN.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_ee51cd4f6a46750a9ac060be06217906_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\glnXpEj.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_ee51cd4f6a46750a9ac060be06217906_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ksFRhSP.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_ee51cd4f6a46750a9ac060be06217906_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\rLGaJpu.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_ee51cd4f6a46750a9ac060be06217906_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\KjMCWBn.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_ee51cd4f6a46750a9ac060be06217906_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\mGsAMTB.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_ee51cd4f6a46750a9ac060be06217906_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\GdRtOTh.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_ee51cd4f6a46750a9ac060be06217906_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\cAIYbjH.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_ee51cd4f6a46750a9ac060be06217906_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\JbnkJkC.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_ee51cd4f6a46750a9ac060be06217906_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\FeBQpIl.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_ee51cd4f6a46750a9ac060be06217906_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\jYUdilw.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_ee51cd4f6a46750a9ac060be06217906_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\AoUbqyO.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_ee51cd4f6a46750a9ac060be06217906_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\DtYoCNP.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_ee51cd4f6a46750a9ac060be06217906_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\OzwoHrF.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_ee51cd4f6a46750a9ac060be06217906_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\DJjBySs.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_ee51cd4f6a46750a9ac060be06217906_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\UWbrxxl.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_ee51cd4f6a46750a9ac060be06217906_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\zsIzNPO.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_ee51cd4f6a46750a9ac060be06217906_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\NaeHcPB.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_ee51cd4f6a46750a9ac060be06217906_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\JnHflGp.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_ee51cd4f6a46750a9ac060be06217906_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_ee51cd4f6a46750a9ac060be06217906_cobalt-strike_cobaltstrike.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_ee51cd4f6a46750a9ac060be06217906_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1148 wrote to memory of 3176 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_ee51cd4f6a46750a9ac060be06217906_cobalt-strike_cobaltstrike.exe C:\Windows\System\cAIYbjH.exe
PID 1148 wrote to memory of 3176 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_ee51cd4f6a46750a9ac060be06217906_cobalt-strike_cobaltstrike.exe C:\Windows\System\cAIYbjH.exe
PID 1148 wrote to memory of 2564 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_ee51cd4f6a46750a9ac060be06217906_cobalt-strike_cobaltstrike.exe C:\Windows\System\TsaRUZh.exe
PID 1148 wrote to memory of 2564 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_ee51cd4f6a46750a9ac060be06217906_cobalt-strike_cobaltstrike.exe C:\Windows\System\TsaRUZh.exe
PID 1148 wrote to memory of 4964 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_ee51cd4f6a46750a9ac060be06217906_cobalt-strike_cobaltstrike.exe C:\Windows\System\AAVaLqN.exe
PID 1148 wrote to memory of 4964 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_ee51cd4f6a46750a9ac060be06217906_cobalt-strike_cobaltstrike.exe C:\Windows\System\AAVaLqN.exe
PID 1148 wrote to memory of 3000 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_ee51cd4f6a46750a9ac060be06217906_cobalt-strike_cobaltstrike.exe C:\Windows\System\JnHflGp.exe
PID 1148 wrote to memory of 3000 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_ee51cd4f6a46750a9ac060be06217906_cobalt-strike_cobaltstrike.exe C:\Windows\System\JnHflGp.exe
PID 1148 wrote to memory of 4652 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_ee51cd4f6a46750a9ac060be06217906_cobalt-strike_cobaltstrike.exe C:\Windows\System\OzwoHrF.exe
PID 1148 wrote to memory of 4652 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_ee51cd4f6a46750a9ac060be06217906_cobalt-strike_cobaltstrike.exe C:\Windows\System\OzwoHrF.exe
PID 1148 wrote to memory of 4832 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_ee51cd4f6a46750a9ac060be06217906_cobalt-strike_cobaltstrike.exe C:\Windows\System\JbnkJkC.exe
PID 1148 wrote to memory of 4832 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_ee51cd4f6a46750a9ac060be06217906_cobalt-strike_cobaltstrike.exe C:\Windows\System\JbnkJkC.exe
PID 1148 wrote to memory of 960 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_ee51cd4f6a46750a9ac060be06217906_cobalt-strike_cobaltstrike.exe C:\Windows\System\FeBQpIl.exe
PID 1148 wrote to memory of 960 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_ee51cd4f6a46750a9ac060be06217906_cobalt-strike_cobaltstrike.exe C:\Windows\System\FeBQpIl.exe
PID 1148 wrote to memory of 1460 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_ee51cd4f6a46750a9ac060be06217906_cobalt-strike_cobaltstrike.exe C:\Windows\System\jYUdilw.exe
PID 1148 wrote to memory of 1460 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_ee51cd4f6a46750a9ac060be06217906_cobalt-strike_cobaltstrike.exe C:\Windows\System\jYUdilw.exe
PID 1148 wrote to memory of 2272 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_ee51cd4f6a46750a9ac060be06217906_cobalt-strike_cobaltstrike.exe C:\Windows\System\glnXpEj.exe
PID 1148 wrote to memory of 2272 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_ee51cd4f6a46750a9ac060be06217906_cobalt-strike_cobaltstrike.exe C:\Windows\System\glnXpEj.exe
PID 1148 wrote to memory of 5112 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_ee51cd4f6a46750a9ac060be06217906_cobalt-strike_cobaltstrike.exe C:\Windows\System\AoUbqyO.exe
PID 1148 wrote to memory of 5112 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_ee51cd4f6a46750a9ac060be06217906_cobalt-strike_cobaltstrike.exe C:\Windows\System\AoUbqyO.exe
PID 1148 wrote to memory of 1996 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_ee51cd4f6a46750a9ac060be06217906_cobalt-strike_cobaltstrike.exe C:\Windows\System\DJjBySs.exe
PID 1148 wrote to memory of 1996 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_ee51cd4f6a46750a9ac060be06217906_cobalt-strike_cobaltstrike.exe C:\Windows\System\DJjBySs.exe
PID 1148 wrote to memory of 1888 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_ee51cd4f6a46750a9ac060be06217906_cobalt-strike_cobaltstrike.exe C:\Windows\System\ksFRhSP.exe
PID 1148 wrote to memory of 1888 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_ee51cd4f6a46750a9ac060be06217906_cobalt-strike_cobaltstrike.exe C:\Windows\System\ksFRhSP.exe
PID 1148 wrote to memory of 1468 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_ee51cd4f6a46750a9ac060be06217906_cobalt-strike_cobaltstrike.exe C:\Windows\System\UWbrxxl.exe
PID 1148 wrote to memory of 1468 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_ee51cd4f6a46750a9ac060be06217906_cobalt-strike_cobaltstrike.exe C:\Windows\System\UWbrxxl.exe
PID 1148 wrote to memory of 3852 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_ee51cd4f6a46750a9ac060be06217906_cobalt-strike_cobaltstrike.exe C:\Windows\System\KjMCWBn.exe
PID 1148 wrote to memory of 3852 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_ee51cd4f6a46750a9ac060be06217906_cobalt-strike_cobaltstrike.exe C:\Windows\System\KjMCWBn.exe
PID 1148 wrote to memory of 4772 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_ee51cd4f6a46750a9ac060be06217906_cobalt-strike_cobaltstrike.exe C:\Windows\System\zsIzNPO.exe
PID 1148 wrote to memory of 4772 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_ee51cd4f6a46750a9ac060be06217906_cobalt-strike_cobaltstrike.exe C:\Windows\System\zsIzNPO.exe
PID 1148 wrote to memory of 648 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_ee51cd4f6a46750a9ac060be06217906_cobalt-strike_cobaltstrike.exe C:\Windows\System\mGsAMTB.exe
PID 1148 wrote to memory of 648 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_ee51cd4f6a46750a9ac060be06217906_cobalt-strike_cobaltstrike.exe C:\Windows\System\mGsAMTB.exe
PID 1148 wrote to memory of 4220 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_ee51cd4f6a46750a9ac060be06217906_cobalt-strike_cobaltstrike.exe C:\Windows\System\GdRtOTh.exe
PID 1148 wrote to memory of 4220 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_ee51cd4f6a46750a9ac060be06217906_cobalt-strike_cobaltstrike.exe C:\Windows\System\GdRtOTh.exe
PID 1148 wrote to memory of 3056 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_ee51cd4f6a46750a9ac060be06217906_cobalt-strike_cobaltstrike.exe C:\Windows\System\NaeHcPB.exe
PID 1148 wrote to memory of 3056 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_ee51cd4f6a46750a9ac060be06217906_cobalt-strike_cobaltstrike.exe C:\Windows\System\NaeHcPB.exe
PID 1148 wrote to memory of 2100 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_ee51cd4f6a46750a9ac060be06217906_cobalt-strike_cobaltstrike.exe C:\Windows\System\rLGaJpu.exe
PID 1148 wrote to memory of 2100 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_ee51cd4f6a46750a9ac060be06217906_cobalt-strike_cobaltstrike.exe C:\Windows\System\rLGaJpu.exe
PID 1148 wrote to memory of 4808 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_ee51cd4f6a46750a9ac060be06217906_cobalt-strike_cobaltstrike.exe C:\Windows\System\QyBfxXb.exe
PID 1148 wrote to memory of 4808 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_ee51cd4f6a46750a9ac060be06217906_cobalt-strike_cobaltstrike.exe C:\Windows\System\QyBfxXb.exe
PID 1148 wrote to memory of 4084 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_ee51cd4f6a46750a9ac060be06217906_cobalt-strike_cobaltstrike.exe C:\Windows\System\DtYoCNP.exe
PID 1148 wrote to memory of 4084 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_ee51cd4f6a46750a9ac060be06217906_cobalt-strike_cobaltstrike.exe C:\Windows\System\DtYoCNP.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-01_ee51cd4f6a46750a9ac060be06217906_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-01_ee51cd4f6a46750a9ac060be06217906_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\cAIYbjH.exe

C:\Windows\System\cAIYbjH.exe

C:\Windows\System\TsaRUZh.exe

C:\Windows\System\TsaRUZh.exe

C:\Windows\System\AAVaLqN.exe

C:\Windows\System\AAVaLqN.exe

C:\Windows\System\JnHflGp.exe

C:\Windows\System\JnHflGp.exe

C:\Windows\System\OzwoHrF.exe

C:\Windows\System\OzwoHrF.exe

C:\Windows\System\JbnkJkC.exe

C:\Windows\System\JbnkJkC.exe

C:\Windows\System\FeBQpIl.exe

C:\Windows\System\FeBQpIl.exe

C:\Windows\System\jYUdilw.exe

C:\Windows\System\jYUdilw.exe

C:\Windows\System\glnXpEj.exe

C:\Windows\System\glnXpEj.exe

C:\Windows\System\AoUbqyO.exe

C:\Windows\System\AoUbqyO.exe

C:\Windows\System\DJjBySs.exe

C:\Windows\System\DJjBySs.exe

C:\Windows\System\ksFRhSP.exe

C:\Windows\System\ksFRhSP.exe

C:\Windows\System\UWbrxxl.exe

C:\Windows\System\UWbrxxl.exe

C:\Windows\System\KjMCWBn.exe

C:\Windows\System\KjMCWBn.exe

C:\Windows\System\zsIzNPO.exe

C:\Windows\System\zsIzNPO.exe

C:\Windows\System\mGsAMTB.exe

C:\Windows\System\mGsAMTB.exe

C:\Windows\System\GdRtOTh.exe

C:\Windows\System\GdRtOTh.exe

C:\Windows\System\NaeHcPB.exe

C:\Windows\System\NaeHcPB.exe

C:\Windows\System\rLGaJpu.exe

C:\Windows\System\rLGaJpu.exe

C:\Windows\System\QyBfxXb.exe

C:\Windows\System\QyBfxXb.exe

C:\Windows\System\DtYoCNP.exe

C:\Windows\System\DtYoCNP.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 80.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 104.246.116.51.in-addr.arpa udp

Files
