Malware Analysis Report

2025-01-22 19:48

Sample ID 240601-s357jafg8t
Target 2024-06-01_892fdc9f27183a07f36430bc33eb7385_cobalt-strike_cobaltstrike
SHA256 aa0bddc391aa36a4e213301052b32440d1e868a08a43196cf90afb6695ae462d
Tags
miner upx 0 xmrig cobaltstrike backdoor trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

aa0bddc391aa36a4e213301052b32440d1e868a08a43196cf90afb6695ae462d

Threat Level: Known bad

The file 2024-06-01_892fdc9f27183a07f36430bc33eb7385_cobalt-strike_cobaltstrike was found to be: Known bad.

Malicious Activity Summary

miner upx 0 xmrig cobaltstrike backdoor trojan

UPX dump on OEP (original entry point)

Cobaltstrike

Xmrig family

xmrig

XMRig Miner payload

Cobalt Strike reflective loader

Cobaltstrike family

Detects Reflective DLL injection artifacts

UPX packed file

Executes dropped EXE

Loads dropped DLL

Drops file in Windows directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-01 15:40

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike family

cobaltstrike

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Xmrig family

xmrig

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-01 15:40

Reported

2024-06-01 15:42

Platform

win7-20240508-en

Max time kernel

142s

Max time network

146s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-01_892fdc9f27183a07f36430bc33eb7385_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_892fdc9f27183a07f36430bc33eb7385_cobalt-strike_cobaltstrike.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\HCILQDm.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_892fdc9f27183a07f36430bc33eb7385_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\kUmIMBP.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_892fdc9f27183a07f36430bc33eb7385_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\TOkTBVQ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_892fdc9f27183a07f36430bc33eb7385_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\wblswNl.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_892fdc9f27183a07f36430bc33eb7385_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\iGNCJui.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_892fdc9f27183a07f36430bc33eb7385_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\DGNsnsH.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_892fdc9f27183a07f36430bc33eb7385_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\GcwVrlq.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_892fdc9f27183a07f36430bc33eb7385_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\gNMnDKc.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_892fdc9f27183a07f36430bc33eb7385_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\RkRrGgr.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_892fdc9f27183a07f36430bc33eb7385_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\hlxTyUA.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_892fdc9f27183a07f36430bc33eb7385_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\bsbZZHW.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_892fdc9f27183a07f36430bc33eb7385_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\XUStDOt.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_892fdc9f27183a07f36430bc33eb7385_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\HVJdvkS.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_892fdc9f27183a07f36430bc33eb7385_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\dlJDZhd.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_892fdc9f27183a07f36430bc33eb7385_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\WfYFuks.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_892fdc9f27183a07f36430bc33eb7385_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\vqtGJMr.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_892fdc9f27183a07f36430bc33eb7385_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\wyhtdEP.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_892fdc9f27183a07f36430bc33eb7385_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\DtdzHGH.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_892fdc9f27183a07f36430bc33eb7385_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\YStpPil.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_892fdc9f27183a07f36430bc33eb7385_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\vdxVNOc.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_892fdc9f27183a07f36430bc33eb7385_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\kpYdbJD.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_892fdc9f27183a07f36430bc33eb7385_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_892fdc9f27183a07f36430bc33eb7385_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2052 wrote to memory of 2620 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_892fdc9f27183a07f36430bc33eb7385_cobalt-strike_cobaltstrike.exe C:\Windows\System\hlxTyUA.exe
PID 2052 wrote to memory of 2304 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_892fdc9f27183a07f36430bc33eb7385_cobalt-strike_cobaltstrike.exe C:\Windows\System\dlJDZhd.exe
PID 2052 wrote to memory of 2632 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_892fdc9f27183a07f36430bc33eb7385_cobalt-strike_cobaltstrike.exe C:\Windows\System\YStpPil.exe
PID 2052 wrote to memory of 2664 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_892fdc9f27183a07f36430bc33eb7385_cobalt-strike_cobaltstrike.exe C:\Windows\System\iGNCJui.exe
PID 2052 wrote to memory of 2584 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_892fdc9f27183a07f36430bc33eb7385_cobalt-strike_cobaltstrike.exe C:\Windows\System\WfYFuks.exe
PID 2052 wrote to memory of 2568 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_892fdc9f27183a07f36430bc33eb7385_cobalt-strike_cobaltstrike.exe C:\Windows\System\bsbZZHW.exe
PID 2052 wrote to memory of 2736 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_892fdc9f27183a07f36430bc33eb7385_cobalt-strike_cobaltstrike.exe C:\Windows\System\DGNsnsH.exe
PID 2052 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_892fdc9f27183a07f36430bc33eb7385_cobalt-strike_cobaltstrike.exe C:\Windows\System\XUStDOt.exe
PID 2052 wrote to memory of 2484 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_892fdc9f27183a07f36430bc33eb7385_cobalt-strike_cobaltstrike.exe C:\Windows\System\vdxVNOc.exe
PID 2052 wrote to memory of 2436 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_892fdc9f27183a07f36430bc33eb7385_cobalt-strike_cobaltstrike.exe C:\Windows\System\GcwVrlq.exe
PID 2052 wrote to memory of 2488 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_892fdc9f27183a07f36430bc33eb7385_cobalt-strike_cobaltstrike.exe C:\Windows\System\gNMnDKc.exe
PID 2052 wrote to memory of 2896 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_892fdc9f27183a07f36430bc33eb7385_cobalt-strike_cobaltstrike.exe C:\Windows\System\kpYdbJD.exe
PID 2052 wrote to memory of 3052 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_892fdc9f27183a07f36430bc33eb7385_cobalt-strike_cobaltstrike.exe C:\Windows\System\HCILQDm.exe
PID 2052 wrote to memory of 2396 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_892fdc9f27183a07f36430bc33eb7385_cobalt-strike_cobaltstrike.exe C:\Windows\System\RkRrGgr.exe
PID 2052 wrote to memory of 1220 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_892fdc9f27183a07f36430bc33eb7385_cobalt-strike_cobaltstrike.exe C:\Windows\System\kUmIMBP.exe
PID 2052 wrote to memory of 1360 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_892fdc9f27183a07f36430bc33eb7385_cobalt-strike_cobaltstrike.exe C:\Windows\System\TOkTBVQ.exe
PID 2052 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_892fdc9f27183a07f36430bc33eb7385_cobalt-strike_cobaltstrike.exe C:\Windows\System\wyhtdEP.exe
PID 2052 wrote to memory of 992 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_892fdc9f27183a07f36430bc33eb7385_cobalt-strike_cobaltstrike.exe C:\Windows\System\wblswNl.exe
PID 2052 wrote to memory of 376 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_892fdc9f27183a07f36430bc33eb7385_cobalt-strike_cobaltstrike.exe C:\Windows\System\DtdzHGH.exe
PID 2052 wrote to memory of 1500 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_892fdc9f27183a07f36430bc33eb7385_cobalt-strike_cobaltstrike.exe C:\Windows\System\vqtGJMr.exe
PID 2052 wrote to memory of 1028 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_892fdc9f27183a07f36430bc33eb7385_cobalt-strike_cobaltstrike.exe C:\Windows\System\HVJdvkS.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-01_892fdc9f27183a07f36430bc33eb7385_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-01_892fdc9f27183a07f36430bc33eb7385_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\hlxTyUA.exe

C:\Windows\System\hlxTyUA.exe

C:\Windows\System\dlJDZhd.exe

C:\Windows\System\dlJDZhd.exe

C:\Windows\System\YStpPil.exe

C:\Windows\System\YStpPil.exe

C:\Windows\System\iGNCJui.exe

C:\Windows\System\iGNCJui.exe

C:\Windows\System\WfYFuks.exe

C:\Windows\System\WfYFuks.exe

C:\Windows\System\bsbZZHW.exe

C:\Windows\System\bsbZZHW.exe

C:\Windows\System\DGNsnsH.exe

C:\Windows\System\DGNsnsH.exe

C:\Windows\System\XUStDOt.exe

C:\Windows\System\XUStDOt.exe

C:\Windows\System\vdxVNOc.exe

C:\Windows\System\vdxVNOc.exe

C:\Windows\System\GcwVrlq.exe

C:\Windows\System\GcwVrlq.exe

C:\Windows\System\gNMnDKc.exe

C:\Windows\System\gNMnDKc.exe

C:\Windows\System\kpYdbJD.exe

C:\Windows\System\kpYdbJD.exe

C:\Windows\System\HCILQDm.exe

C:\Windows\System\HCILQDm.exe

C:\Windows\System\RkRrGgr.exe

C:\Windows\System\RkRrGgr.exe

C:\Windows\System\kUmIMBP.exe

C:\Windows\System\kUmIMBP.exe

C:\Windows\System\TOkTBVQ.exe

C:\Windows\System\TOkTBVQ.exe

C:\Windows\System\wyhtdEP.exe

C:\Windows\System\wyhtdEP.exe

C:\Windows\System\wblswNl.exe

C:\Windows\System\wblswNl.exe

C:\Windows\System\DtdzHGH.exe

C:\Windows\System\DtdzHGH.exe

C:\Windows\System\vqtGJMr.exe

C:\Windows\System\vqtGJMr.exe

C:\Windows\System\HVJdvkS.exe

C:\Windows\System\HVJdvkS.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 tcp

Files

\Windows\system\hlxTyUA.exe

C:\Windows\system\dlJDZhd.exe

C:\Windows\system\WfYFuks.exe

C:\Windows\system\bsbZZHW.exe

C:\Windows\system\DGNsnsH.exe

C:\Windows\system\GcwVrlq.exe

C:\Windows\system\kUmIMBP.exe

C:\Windows\system\wblswNl.exe

C:\Windows\system\DtdzHGH.exe

C:\Windows\system\vqtGJMr.exe

\Windows\system\HVJdvkS.exe

C:\Windows\system\wyhtdEP.exe

C:\Windows\system\TOkTBVQ.exe

C:\Windows\system\RkRrGgr.exe

C:\Windows\system\HCILQDm.exe

C:\Windows\system\kpYdbJD.exe

C:\Windows\system\gNMnDKc.exe

C:\Windows\system\vdxVNOc.exe

C:\Windows\system\XUStDOt.exe

C:\Windows\system\iGNCJui.exe

C:\Windows\system\YStpPil.exe

memory/2632-136-0x000000013F260000-0x000000013F5B4000-memory.dmp

memory/2664-137-0x000000013F120000-0x000000013F474000-memory.dmp

memory/2584-138-0x000000013FD70000-0x00000001400C4000-memory.dmp

memory/2568-139-0x000000013F710000-0x000000013FA64000-memory.dmp

memory/2736-140-0x000000013F440000-0x000000013F794000-memory.dmp

memory/2772-141-0x000000013FE60000-0x00000001401B4000-memory.dmp

memory/2484-142-0x000000013FD80000-0x00000001400D4000-memory.dmp

memory/2436-143-0x000000013FB50000-0x000000013FEA4000-memory.dmp

memory/2488-144-0x000000013F410000-0x000000013F764000-memory.dmp

memory/2896-145-0x000000013F2E0000-0x000000013F634000-memory.dmp

memory/3052-146-0x000000013FC50000-0x000000013FFA4000-memory.dmp

memory/2396-147-0x000000013FA40000-0x000000013FD94000-memory.dmp

memory/2620-148-0x000000013F300000-0x000000013F654000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-01 15:40

Reported

2024-06-01 15:42

Platform

win10v2004-20240426-en

Max time kernel

139s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-01_892fdc9f27183a07f36430bc33eb7385_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A (21 identical rows; the report records no description, indicator, process or target for any of them)

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A (21 identical rows; the report records no description, indicator, process or target for any of them)

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A (64 identical rows; the report records no description, indicator, process or target for any of them)

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A (64 identical rows; the report records no description, indicator, process or target for any of them)

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A (64 identical rows; the report records no description, indicator, process or target for any of them)

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\pTCDbIS.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_892fdc9f27183a07f36430bc33eb7385_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\IGrUeWT.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_892fdc9f27183a07f36430bc33eb7385_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\uONAQRn.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_892fdc9f27183a07f36430bc33eb7385_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\DhsEqFX.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_892fdc9f27183a07f36430bc33eb7385_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\kPULHkt.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_892fdc9f27183a07f36430bc33eb7385_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\oadMxYg.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_892fdc9f27183a07f36430bc33eb7385_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\eKGMnpi.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_892fdc9f27183a07f36430bc33eb7385_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\NrCcXiQ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_892fdc9f27183a07f36430bc33eb7385_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\tpWVMLN.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_892fdc9f27183a07f36430bc33eb7385_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\jBXxQHq.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_892fdc9f27183a07f36430bc33eb7385_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\cuYXIxT.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_892fdc9f27183a07f36430bc33eb7385_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\tXQzEmr.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_892fdc9f27183a07f36430bc33eb7385_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\kOZyJvs.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_892fdc9f27183a07f36430bc33eb7385_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\xNpktge.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_892fdc9f27183a07f36430bc33eb7385_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\NKZXlJY.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_892fdc9f27183a07f36430bc33eb7385_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\NzvczZC.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_892fdc9f27183a07f36430bc33eb7385_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\CjbkFIw.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_892fdc9f27183a07f36430bc33eb7385_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\SOQADvj.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_892fdc9f27183a07f36430bc33eb7385_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\HJVUgto.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_892fdc9f27183a07f36430bc33eb7385_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\qkLxAZP.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_892fdc9f27183a07f36430bc33eb7385_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\SDNespT.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_892fdc9f27183a07f36430bc33eb7385_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_892fdc9f27183a07f36430bc33eb7385_cobalt-strike_cobaltstrike.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_892fdc9f27183a07f36430bc33eb7385_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1304 wrote to memory of 1700 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_892fdc9f27183a07f36430bc33eb7385_cobalt-strike_cobaltstrike.exe C:\Windows\System\kOZyJvs.exe
PID 1304 wrote to memory of 1700 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_892fdc9f27183a07f36430bc33eb7385_cobalt-strike_cobaltstrike.exe C:\Windows\System\kOZyJvs.exe
PID 1304 wrote to memory of 1692 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_892fdc9f27183a07f36430bc33eb7385_cobalt-strike_cobaltstrike.exe C:\Windows\System\pTCDbIS.exe
PID 1304 wrote to memory of 1692 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_892fdc9f27183a07f36430bc33eb7385_cobalt-strike_cobaltstrike.exe C:\Windows\System\pTCDbIS.exe
PID 1304 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_892fdc9f27183a07f36430bc33eb7385_cobalt-strike_cobaltstrike.exe C:\Windows\System\HJVUgto.exe
PID 1304 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_892fdc9f27183a07f36430bc33eb7385_cobalt-strike_cobaltstrike.exe C:\Windows\System\HJVUgto.exe
PID 1304 wrote to memory of 4600 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_892fdc9f27183a07f36430bc33eb7385_cobalt-strike_cobaltstrike.exe C:\Windows\System\IGrUeWT.exe
PID 1304 wrote to memory of 4600 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_892fdc9f27183a07f36430bc33eb7385_cobalt-strike_cobaltstrike.exe C:\Windows\System\IGrUeWT.exe
PID 1304 wrote to memory of 1356 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_892fdc9f27183a07f36430bc33eb7385_cobalt-strike_cobaltstrike.exe C:\Windows\System\uONAQRn.exe
PID 1304 wrote to memory of 1356 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_892fdc9f27183a07f36430bc33eb7385_cobalt-strike_cobaltstrike.exe C:\Windows\System\uONAQRn.exe
PID 1304 wrote to memory of 2368 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_892fdc9f27183a07f36430bc33eb7385_cobalt-strike_cobaltstrike.exe C:\Windows\System\eKGMnpi.exe
PID 1304 wrote to memory of 2368 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_892fdc9f27183a07f36430bc33eb7385_cobalt-strike_cobaltstrike.exe C:\Windows\System\eKGMnpi.exe
PID 1304 wrote to memory of 1036 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_892fdc9f27183a07f36430bc33eb7385_cobalt-strike_cobaltstrike.exe C:\Windows\System\NrCcXiQ.exe
PID 1304 wrote to memory of 1036 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_892fdc9f27183a07f36430bc33eb7385_cobalt-strike_cobaltstrike.exe C:\Windows\System\NrCcXiQ.exe
PID 1304 wrote to memory of 1684 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_892fdc9f27183a07f36430bc33eb7385_cobalt-strike_cobaltstrike.exe C:\Windows\System\qkLxAZP.exe
PID 1304 wrote to memory of 1684 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_892fdc9f27183a07f36430bc33eb7385_cobalt-strike_cobaltstrike.exe C:\Windows\System\qkLxAZP.exe
PID 1304 wrote to memory of 1952 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_892fdc9f27183a07f36430bc33eb7385_cobalt-strike_cobaltstrike.exe C:\Windows\System\xNpktge.exe
PID 1304 wrote to memory of 1952 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_892fdc9f27183a07f36430bc33eb7385_cobalt-strike_cobaltstrike.exe C:\Windows\System\xNpktge.exe
PID 1304 wrote to memory of 460 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_892fdc9f27183a07f36430bc33eb7385_cobalt-strike_cobaltstrike.exe C:\Windows\System\SDNespT.exe
PID 1304 wrote to memory of 460 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_892fdc9f27183a07f36430bc33eb7385_cobalt-strike_cobaltstrike.exe C:\Windows\System\SDNespT.exe
PID 1304 wrote to memory of 752 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_892fdc9f27183a07f36430bc33eb7385_cobalt-strike_cobaltstrike.exe C:\Windows\System\DhsEqFX.exe
PID 1304 wrote to memory of 752 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_892fdc9f27183a07f36430bc33eb7385_cobalt-strike_cobaltstrike.exe C:\Windows\System\DhsEqFX.exe
PID 1304 wrote to memory of 1416 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_892fdc9f27183a07f36430bc33eb7385_cobalt-strike_cobaltstrike.exe C:\Windows\System\kPULHkt.exe
PID 1304 wrote to memory of 1416 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_892fdc9f27183a07f36430bc33eb7385_cobalt-strike_cobaltstrike.exe C:\Windows\System\kPULHkt.exe
PID 1304 wrote to memory of 4720 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_892fdc9f27183a07f36430bc33eb7385_cobalt-strike_cobaltstrike.exe C:\Windows\System\NKZXlJY.exe
PID 1304 wrote to memory of 4720 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_892fdc9f27183a07f36430bc33eb7385_cobalt-strike_cobaltstrike.exe C:\Windows\System\NKZXlJY.exe
PID 1304 wrote to memory of 1780 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_892fdc9f27183a07f36430bc33eb7385_cobalt-strike_cobaltstrike.exe C:\Windows\System\tpWVMLN.exe
PID 1304 wrote to memory of 1780 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_892fdc9f27183a07f36430bc33eb7385_cobalt-strike_cobaltstrike.exe C:\Windows\System\tpWVMLN.exe
PID 1304 wrote to memory of 5072 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_892fdc9f27183a07f36430bc33eb7385_cobalt-strike_cobaltstrike.exe C:\Windows\System\jBXxQHq.exe
PID 1304 wrote to memory of 5072 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_892fdc9f27183a07f36430bc33eb7385_cobalt-strike_cobaltstrike.exe C:\Windows\System\jBXxQHq.exe
PID 1304 wrote to memory of 4916 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_892fdc9f27183a07f36430bc33eb7385_cobalt-strike_cobaltstrike.exe C:\Windows\System\cuYXIxT.exe
PID 1304 wrote to memory of 4916 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_892fdc9f27183a07f36430bc33eb7385_cobalt-strike_cobaltstrike.exe C:\Windows\System\cuYXIxT.exe
PID 1304 wrote to memory of 3768 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_892fdc9f27183a07f36430bc33eb7385_cobalt-strike_cobaltstrike.exe C:\Windows\System\NzvczZC.exe
PID 1304 wrote to memory of 3768 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_892fdc9f27183a07f36430bc33eb7385_cobalt-strike_cobaltstrike.exe C:\Windows\System\NzvczZC.exe
PID 1304 wrote to memory of 3652 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_892fdc9f27183a07f36430bc33eb7385_cobalt-strike_cobaltstrike.exe C:\Windows\System\tXQzEmr.exe
PID 1304 wrote to memory of 3652 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_892fdc9f27183a07f36430bc33eb7385_cobalt-strike_cobaltstrike.exe C:\Windows\System\tXQzEmr.exe
PID 1304 wrote to memory of 2760 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_892fdc9f27183a07f36430bc33eb7385_cobalt-strike_cobaltstrike.exe C:\Windows\System\oadMxYg.exe
PID 1304 wrote to memory of 2760 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_892fdc9f27183a07f36430bc33eb7385_cobalt-strike_cobaltstrike.exe C:\Windows\System\oadMxYg.exe
PID 1304 wrote to memory of 2056 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_892fdc9f27183a07f36430bc33eb7385_cobalt-strike_cobaltstrike.exe C:\Windows\System\CjbkFIw.exe
PID 1304 wrote to memory of 2056 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_892fdc9f27183a07f36430bc33eb7385_cobalt-strike_cobaltstrike.exe C:\Windows\System\CjbkFIw.exe
PID 1304 wrote to memory of 2908 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_892fdc9f27183a07f36430bc33eb7385_cobalt-strike_cobaltstrike.exe C:\Windows\System\SOQADvj.exe
PID 1304 wrote to memory of 2908 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_892fdc9f27183a07f36430bc33eb7385_cobalt-strike_cobaltstrike.exe C:\Windows\System\SOQADvj.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-01_892fdc9f27183a07f36430bc33eb7385_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-01_892fdc9f27183a07f36430bc33eb7385_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\kOZyJvs.exe

C:\Windows\System\kOZyJvs.exe

C:\Windows\System\pTCDbIS.exe

C:\Windows\System\pTCDbIS.exe

C:\Windows\System\HJVUgto.exe

C:\Windows\System\HJVUgto.exe

C:\Windows\System\IGrUeWT.exe

C:\Windows\System\IGrUeWT.exe

C:\Windows\System\uONAQRn.exe

C:\Windows\System\uONAQRn.exe

C:\Windows\System\eKGMnpi.exe

C:\Windows\System\eKGMnpi.exe

C:\Windows\System\NrCcXiQ.exe

C:\Windows\System\NrCcXiQ.exe

C:\Windows\System\qkLxAZP.exe

C:\Windows\System\qkLxAZP.exe

C:\Windows\System\xNpktge.exe

C:\Windows\System\xNpktge.exe

C:\Windows\System\SDNespT.exe

C:\Windows\System\SDNespT.exe

C:\Windows\System\DhsEqFX.exe

C:\Windows\System\DhsEqFX.exe

C:\Windows\System\kPULHkt.exe

C:\Windows\System\kPULHkt.exe

C:\Windows\System\NKZXlJY.exe

C:\Windows\System\NKZXlJY.exe

C:\Windows\System\tpWVMLN.exe

C:\Windows\System\tpWVMLN.exe

C:\Windows\System\jBXxQHq.exe

C:\Windows\System\jBXxQHq.exe

C:\Windows\System\cuYXIxT.exe

C:\Windows\System\cuYXIxT.exe

C:\Windows\System\NzvczZC.exe

C:\Windows\System\NzvczZC.exe

C:\Windows\System\tXQzEmr.exe

C:\Windows\System\tXQzEmr.exe

C:\Windows\System\oadMxYg.exe

C:\Windows\System\oadMxYg.exe

C:\Windows\System\CjbkFIw.exe

C:\Windows\System\CjbkFIw.exe

C:\Windows\System\SOQADvj.exe

C:\Windows\System\SOQADvj.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 4.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 101.58.20.217.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 73.90.14.23.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp

Files

memory/1304-0-0x00007FF750B50000-0x00007FF750EA4000-memory.dmp

memory/1304-1-0x00000222B5080000-0x00000222B5090000-memory.dmp

C:\Windows\System\kOZyJvs.exe

MD5 e7bd2ad0130f55f7ac77b8b1d9ecf748
SHA1 5fbdd388396dfdf28d716b18da25e3a908e11d3a
SHA256 f45eb7a4e0447b26459258305b48cde9c417c0b2e19344683e5bcff00d868d3b
SHA512 d6104c2c45f5ce610d485c1bf94f5e3de9032cfd033135adbf979fac98c3d22722a57e48f987929a1377c40af5fa2e5204eb9d7ea5a90fc6063876634ccda9b6

C:\Windows\System\HJVUgto.exe

MD5 12982233d189123b00ee07f5ff5a0bc9
SHA1 a466ac4bba932786f32bd7a74b8a2d4eb1c87021
SHA256 c97ca526c44eb4baf0322587ac267d5868551da34525a932f789a0713fd13bc7
SHA512 8bcbd2c42512a73b369785daf4f8ca5c5a8becf77bd8896cf65523700cf4533f2688dea70aaf9fc4ea40c21a1a6330390f02bd1cad0f5a87dd69ffbea9873f45

C:\Windows\System\pTCDbIS.exe

MD5 db33333abab943f4016646368a752888
SHA1 2a048429138aadf1af1c55ad296da50493f4a2da
SHA256 5fbb369545744db49119318ef209abd6c5b1845aa996a0e94203d2ce75bd7a6f
SHA512 80c59a549db733d2517b9cb5800e9abf1c10d0df685177dd8215508fc7a6aea1edef6e1aed386d1b4b2b95eaf945cdc03f1695109171181ed9b894f6cffc3845

memory/2696-18-0x00007FF732510000-0x00007FF732864000-memory.dmp

memory/1692-12-0x00007FF633470000-0x00007FF6337C4000-memory.dmp

memory/1700-8-0x00007FF76D350000-0x00007FF76D6A4000-memory.dmp

C:\Windows\System\IGrUeWT.exe

MD5 9aec9a367ce771b3061a36839fe079a3
SHA1 726593ff856bce3d16e89765eff3a22f140a3e48
SHA256 dda4dfcbedaabc026f43a8010c4f58c18476896f68722e4b856b1f51dbc219d8
SHA512 57abca45ed39a7ee74df9dd2f07f4f7572e1e43974783afa802dcc2203de69d2fce78fb9186f7c0fb8e8113b005fd3658173490a6725b0a162b4e7c5d8e8a1a5

memory/4600-26-0x00007FF6FD070000-0x00007FF6FD3C4000-memory.dmp

C:\Windows\System\uONAQRn.exe

MD5 c0f0f64a525ee49c556c93eb212005dd
SHA1 f6815455c432958393eaf02e714fb6fb1a6e8127
SHA256 b7ae16843ea0b018feed4f53e48577492e40acc2238769368daac4cd58c1a466
SHA512 0d8492c420b8929ca15188cb8e58acfa1e8cbd30cdbe8429377f9eb9d0b6093a8882ba06dbf7c610c0c5d532eadbf8e4ae08173ed5e06ab88c6982bf32aeb507

memory/1356-32-0x00007FF6BE090000-0x00007FF6BE3E4000-memory.dmp

C:\Windows\System\eKGMnpi.exe

MD5 d9717006448d519df5948a2b73b69efc
SHA1 22335144d95a8daca4c2ca1353183dfa54ed67d8
SHA256 77831135786b0e5b45b94404a7dbc3d46d8a26165c69e307376f2b14fa3a1bbf
SHA512 b43f30cfbf6332913175f0dde111d9589f2455f263e6443f9445145fc9ca6730f19c43f763fdf17f53c0c03c89fb31e5d0f3ce3faa2c594039b8369b52d98f90

memory/2368-38-0x00007FF7FEB50000-0x00007FF7FEEA4000-memory.dmp

C:\Windows\System\NrCcXiQ.exe

MD5 c79462f526af20cb8dd0529f2d9894f5
SHA1 3530f9c38d09d0c3c0715347896e958dd22536f4
SHA256 c538a02ef58e56853cf1b0835dc995a7b510ea18b802cad74bff45acade5bb3c
SHA512 d684b1be30ca7b536171a3bd05b8b9e38c3ccbd663a3fde0be4aaca4ad7b4ff84f178d77999eae362ab7464edb62f889e4360988da7be46714bb2d9e33a26060

memory/1036-44-0x00007FF7DD630000-0x00007FF7DD984000-memory.dmp

C:\Windows\System\qkLxAZP.exe

MD5 badc06c84ae9e9dcbedb28edc61735a4
SHA1 4ac936f9c05939ff2db168e5b3266f30bd27bdfb
SHA256 4d34ac92bdabfbb8a3b6f5d9a168f77e39cd4f35c7f1d1591280cb0d1b4433ed
SHA512 e09ca3283ec45a8108e09e5857f55f9a4f74a07de4778f08f83c9c569be63584ac7a3a3c0549c47d995f8d865f8a8605af4532af67dd674a0c884ce0c11cf83d

C:\Windows\System\xNpktge.exe

MD5 b7eac79daa3b1a8986ce994489e54035
SHA1 a1d59cd0d7922c7ba22522aa5bf8c576a90ea117
SHA256 f757439e57f7d51636b90cf46849a4e86992f91a6b3d9a04f4df9d56c009fb93
SHA512 5c083ab43277174a50e275452b5719a1a7123fdffa0cb4ba02c035ab6dad320eaaed20c95eb0e4977fbd7d00e9c54ff55be5d80a637f5f6c62eadddd0dc627be

C:\Windows\System\SDNespT.exe

MD5 4a580e3f3d2da5c0e79f894452bbb00e
SHA1 7ed20876ca495941b65e74c479f932e9bbd1980b
SHA256 6479d6f0178ad3decaff5d338d654359c0a159eac3d7b16847208a22a38fe0fc
SHA512 7f7d04dc07fbfcd4585c87eec99e0c01da357f0651cbcaf91d4b60a6cb0e9bc94699de440e662e4940fa0f9e752cd85cdbbb01b5b947f295f69d83676cfed407

memory/1952-58-0x00007FF7981D0000-0x00007FF798524000-memory.dmp

memory/460-59-0x00007FF6B7AE0000-0x00007FF6B7E34000-memory.dmp

memory/1684-51-0x00007FF767FB0000-0x00007FF768304000-memory.dmp

C:\Windows\System\DhsEqFX.exe

MD5 901e9062b1fb2dc4912085453497f099
SHA1 f43d42ef5e89fc677596f46c6f8f893780002b5c
SHA256 4315bcfe0e222d8ef3d480599f82c32e4ed41e820e9dc3bac49d4812b874fe87
SHA512 aaeed6323b36fe93904770a3be150ddec50eb1c6ce9f3b113b55e8301f4ca52ebcdb777e9e0ce3a841a4cb7ee05d45ea8a31340b525c69e91709f13d5f789d1e

C:\Windows\System\kPULHkt.exe

MD5 9bc132a3fa0369c8f92aa4349a84429c
SHA1 509961a61db38a053acc955a22e99c4fcfbc63e5
SHA256 4e1ed62e9a6566760f88a58e8b75e631c5cc8510f3d956f72822ecce91c9476d
SHA512 df062f6d75d3b81352e1781e1c5427cc0550a1389f1266364b7e9806e285aff07e0f11d92317611c4ca41171591a5e5b5a466933a71b31f7743a7b67d259605b

C:\Windows\System\NKZXlJY.exe

MD5 b7f0058f03e064fe335f79392745bb5e
SHA1 25932f0b5aa8923dd740ca9b412e0792aea764b1
SHA256 7fbcc7bd81646057c5161e3eeda144789ffecd63dd1376b3f9f9febd8f988544
SHA512 0e4a5a63cdb054da1269ab735ede9772f9ed31a6b34c540092bb33d88f9668ec5992611d713194865a8abbe02c1b6c6a702166a5065a0eb1a778c5bf64402de0

C:\Windows\System\tpWVMLN.exe

MD5 bf2f75694069b272d732f4a74305d25c
SHA1 f38ac77427402fb5c75f7d1ff43143372274913e
SHA256 420bc54ae1e7ebd54c63c2b6b05053afbd8ce421d9f2d55dceda67ba9baad30b
SHA512 f4ab45ace9552a8aec1f3dd994d91bb38780932eca8f3f6e0a7c4d156b17b83f5a44f972eafb443bacd7e4220eb978cf568845aec0fc8d429248547462511401

C:\Windows\System\jBXxQHq.exe

MD5 00047da54b68ffa0a5c5b818f8540478
SHA1 970515bede0b17e043a0b25ed148444cf41b34d0
SHA256 0e080e0308b2c9aee0a3ff3be01056dc629c2d19f69c2b7cb2bfcab08df2c926
SHA512 2db34332f5bfd4940f3a4906708386d6f6c890bbf005c08e71418a440e471e7ae69ec78ac97b1fbe5cdc75106b6432dc148155f4e01930453b34e47cc95e2f5e

memory/2368-114-0x00007FF7FEB50000-0x00007FF7FEEA4000-memory.dmp

C:\Windows\System\oadMxYg.exe

MD5 c682def2ddc3a4fb38bccb214953daf4
SHA1 aa1f1ba2903ea699dbf36e59bc5b6e082ff896ad
SHA256 cddfd6f6498d73717f60bd5ae7b2ea720a3a442b42addfa440c2101ba271a24e
SHA512 d0f462fc56b1810ad27f2572c560ba1e6c005a91ff06753d94a9c7b748d24f343e246fcacbf767922aa03c7f1221f95fa469a1a2cf50ce2efc568f8c6c1f9a96

C:\Windows\System\tXQzEmr.exe

MD5 37d603ef41aa5cede9df8b010d438128
SHA1 cb042fa98e91810af059f628b2200416ca75280e
SHA256 0cd9a4e2f4f3355d6b95d074c235746e7540cb66e53823fff6d31fef067f6faf
SHA512 bbd781ad3b5bb2ea67e7123f86e942e10b15b066a93eddf007459fa8990866ad4a02dc54789c71f42ff65aedaa6e42dc4dbd1b3aed9d12fd95b8017363a846a3

memory/2760-118-0x00007FF633630000-0x00007FF633984000-memory.dmp

memory/3652-117-0x00007FF605270000-0x00007FF6055C4000-memory.dmp

C:\Windows\System\cuYXIxT.exe

MD5 29219fc0b641d64a56e907d665156e95
SHA1 8297cbfd77edecaeb59bc856bf3fb29045d7c33f
SHA256 be4ff9f49fc2518807daeba2ec3c5b7c88f74b260c5cb69d6387806e314478a3
SHA512 a7963f7224df8f78ed6125103492f03cdb6adbe34d6badd2e807e7a7e85f3491e948ec08d2aea517fdf3c15652faa440f46814f000db0109ed542691ee608f6e

memory/3768-112-0x00007FF7FF460000-0x00007FF7FF7B4000-memory.dmp

C:\Windows\System\NzvczZC.exe

MD5 20f5912ed3a91eef11f888dcffbd9618
SHA1 1cd7f38b5aad608c2573ec78d8d51ebc84d7d788
SHA256 a16c3a363a24410bac877e93fc1e20e5a39526e6d1945a377005fa3c27c8ae7b
SHA512 42003b35488e5846a43e2c4550ad50a11e00b1b169a0d175aaef09e3becd1d03093c98a3052ab04f6c865238bc8f7b966c5d19462aa7650b1b9baaaa20aabb0a

memory/4916-104-0x00007FF6402A0000-0x00007FF6405F4000-memory.dmp

memory/5072-99-0x00007FF72C990000-0x00007FF72CCE4000-memory.dmp

memory/4600-98-0x00007FF6FD070000-0x00007FF6FD3C4000-memory.dmp

memory/2696-89-0x00007FF732510000-0x00007FF732864000-memory.dmp

memory/1780-92-0x00007FF688AA0000-0x00007FF688DF4000-memory.dmp

memory/4720-81-0x00007FF671B70000-0x00007FF671EC4000-memory.dmp

memory/1692-77-0x00007FF633470000-0x00007FF6337C4000-memory.dmp

memory/1416-76-0x00007FF7E5BA0000-0x00007FF7E5EF4000-memory.dmp

memory/1700-73-0x00007FF76D350000-0x00007FF76D6A4000-memory.dmp

memory/752-72-0x00007FF630770000-0x00007FF630AC4000-memory.dmp

memory/1304-68-0x00007FF750B50000-0x00007FF750EA4000-memory.dmp

C:\Windows\System\CjbkFIw.exe

MD5 fcb44c8b87af60b3b94d59a745a3c5d5
SHA1 37df482c58d32f0aaa97efec9e2095c4f95ace31
SHA256 49d62a2cd8313563607570594962e010c19e6110c6bcee0dfa0621f831e0cbd2
SHA512 d5c9a8a25d6c1a0407870852b2b3dee54a25ed96f9d9232e848fd5b76b689a60eb6b6cc318a580daf831d25d6d23c75fb2f6ed764295d936f1fb6c63f5ea422f

C:\Windows\System\SOQADvj.exe

MD5 65928dbd6624d64ad7a865da133e0738
SHA1 a61130c6c1885d7d78ef829a2829d931bd231289
SHA256 cdde3b65a02775486e070232bc9e7ed804c01a1b738fb4be83caf5567db79cdf
SHA512 ac9c3998c738b5576ae154bd288e22c09ea44d93dda34dcfac75ac1760db541bc8c10d174af964e1f7d1b1556fac27987493976fb2888907387fec3a6f4a18ce

memory/2056-132-0x00007FF7B26F0000-0x00007FF7B2A44000-memory.dmp

memory/460-133-0x00007FF6B7AE0000-0x00007FF6B7E34000-memory.dmp

memory/2908-134-0x00007FF7D0E70000-0x00007FF7D11C4000-memory.dmp

memory/1416-135-0x00007FF7E5BA0000-0x00007FF7E5EF4000-memory.dmp

memory/4720-136-0x00007FF671B70000-0x00007FF671EC4000-memory.dmp

memory/5072-137-0x00007FF72C990000-0x00007FF72CCE4000-memory.dmp

memory/3768-138-0x00007FF7FF460000-0x00007FF7FF7B4000-memory.dmp

memory/4916-139-0x00007FF6402A0000-0x00007FF6405F4000-memory.dmp

memory/3652-140-0x00007FF605270000-0x00007FF6055C4000-memory.dmp

memory/2760-141-0x00007FF633630000-0x00007FF633984000-memory.dmp

memory/2056-142-0x00007FF7B26F0000-0x00007FF7B2A44000-memory.dmp

memory/1700-143-0x00007FF76D350000-0x00007FF76D6A4000-memory.dmp

memory/1692-144-0x00007FF633470000-0x00007FF6337C4000-memory.dmp

memory/2696-145-0x00007FF732510000-0x00007FF732864000-memory.dmp

memory/4600-146-0x00007FF6FD070000-0x00007FF6FD3C4000-memory.dmp

memory/1356-147-0x00007FF6BE090000-0x00007FF6BE3E4000-memory.dmp

memory/2368-148-0x00007FF7FEB50000-0x00007FF7FEEA4000-memory.dmp

memory/1036-149-0x00007FF7DD630000-0x00007FF7DD984000-memory.dmp

memory/1684-150-0x00007FF767FB0000-0x00007FF768304000-memory.dmp

memory/1952-151-0x00007FF7981D0000-0x00007FF798524000-memory.dmp

memory/460-152-0x00007FF6B7AE0000-0x00007FF6B7E34000-memory.dmp

memory/752-153-0x00007FF630770000-0x00007FF630AC4000-memory.dmp

memory/1416-154-0x00007FF7E5BA0000-0x00007FF7E5EF4000-memory.dmp

memory/1780-156-0x00007FF688AA0000-0x00007FF688DF4000-memory.dmp

memory/4720-155-0x00007FF671B70000-0x00007FF671EC4000-memory.dmp

memory/5072-157-0x00007FF72C990000-0x00007FF72CCE4000-memory.dmp

memory/3768-158-0x00007FF7FF460000-0x00007FF7FF7B4000-memory.dmp

memory/4916-159-0x00007FF6402A0000-0x00007FF6405F4000-memory.dmp

memory/3652-160-0x00007FF605270000-0x00007FF6055C4000-memory.dmp

memory/2760-161-0x00007FF633630000-0x00007FF633984000-memory.dmp

memory/2056-162-0x00007FF7B26F0000-0x00007FF7B2A44000-memory.dmp

memory/2908-163-0x00007FF7D0E70000-0x00007FF7D11C4000-memory.dmp