Malware Analysis Report

2025-01-22 19:53

Sample ID 240601-s3kwlafg7t
Target 2024-06-01_85962f264c99b9950dddfb474c113937_cobalt-strike_cobaltstrike
SHA256 5da0d276e024f8a63516198ab8051c2bdfcca53108909d14513ec43fb8067af9
Tags

miner, upx, xmrig, cobaltstrike, backdoor, trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

5da0d276e024f8a63516198ab8051c2bdfcca53108909d14513ec43fb8067af9

Threat Level: Known bad

The file 2024-06-01_85962f264c99b9950dddfb474c113937_cobalt-strike_cobaltstrike was found to be: Known bad.

Malicious Activity Summary

Tags: miner, upx, xmrig, cobaltstrike, backdoor, trojan

Family detections (signature matches; details in the static1 and behavioral1 sections)

Cobaltstrike family: Cobalt Strike reflective loader; Detects Reflective DLL injection artifacts

Xmrig family: XMRig Miner payload

Packing and file properties

UPX packed file

UPX dump on OEP (original entry point)

Unsigned PE

Observed behavior

Executes dropped EXE

Loads dropped DLL

Drops file in Windows directory

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Reading the verdict: both family labels come from pattern matches on the file and on dumped memory, not from decoded C2 traffic. What the detonation itself shows is a UPX-packed loader that writes 21 executables with random seven-letter names into C:\Windows\System, runs each of them, enables SeLockMemoryPrivilege on its own token (the right XMRig needs for large-page memory), and makes six TCP connections to 3.120.209.58:8080 with no domain recorded. Every dropped file has a different hash, so detection should key on the path pattern, the privilege use and the destination rather than on the file hashes.

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-01 15:39

Signatures

Cobalt Strike reflective loader

1 match; the sandbox reports no description, indicator, process or target

Cobaltstrike family

Tag: cobaltstrike

Detects Reflective DLL injection artifacts

1 match; no indicator details reported

UPX dump on OEP (original entry point)

1 match; no indicator details reported

XMRig Miner payload

Tag: miner

1 match; no indicator details reported

Xmrig family

Tag: xmrig

UPX packed file

Tag: upx

1 match; no indicator details reported

Unsigned PE

1 match; no indicator details reported

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-01 15:39

Reported

2024-06-01 15:41

Platform

win7-20240221-en

Max time kernel

138s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-01_85962f264c99b9950dddfb474c113937_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

21 matches; the sandbox reports no description, indicator, process or target for any of them

Cobaltstrike

Tags: trojan, backdoor, cobaltstrike

xmrig

Tags: miner, xmrig

Detects Reflective DLL injection artifacts

21 matches; no indicator details reported

UPX dump on OEP (original entry point)

51 matches; no indicator details reported

XMRig Miner payload

Tag: miner

52 matches; no indicator details reported

Loads dropped DLL

21 events, all from process C:\Users\Admin\AppData\Local\Temp\2024-06-01_85962f264c99b9950dddfb474c113937_cobalt-strike_cobaltstrike.exe (PID 2104); the loaded module paths are not reported

UPX packed file

Tag: upx

51 matches; no indicator details reported
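The "UPX packed file" and "UPX dump on OEP" signatures (here and in static1) mean the sample ships compressed and the sandbox captured it once the unpacking stub reached the original entry point. As an added example, not code from the sandbox or from this report, the following dependency-free Python triage helper reads a PE's section table, flags the UPX0/UPX1/UPX2 section names UPX normally leaves behind, measures byte entropy, and produces the MD5/SHA1/SHA256 triple used in the Files section. The PE it parses is a constructed, header-only image built inline (not executable); all function names are this example's own.

```python
import hashlib
import math
import struct
from collections import Counter

UPX_SECTION_NAMES = {"UPX0", "UPX1", "UPX2"}


def pe_section_names(data):
    """Parse only the PE headers and return the section names in table order."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                                 # IMAGE_FILE_HEADER
    (n_sections,) = struct.unpack_from("<H", data, coff + 2)
    (opt_size,) = struct.unpack_from("<H", data, coff + 16)
    table = coff + 20 + opt_size                        # first IMAGE_SECTION_HEADER
    names = []
    for i in range(n_sections):
        (raw,) = struct.unpack_from("<8s", data, table + 40 * i)
        names.append(raw.split(b"\0", 1)[0].decode("ascii", "replace"))
    return names


def looks_upx_packed(data):
    """Section-name heuristic only: UPX leaves UPX0/UPX1 unless someone renames them."""
    return any(n in UPX_SECTION_NAMES for n in pe_section_names(data))


def shannon_entropy(buf):
    """Bits per byte, 0.0 to 8.0; packed or encrypted data sits near the top."""
    if not buf:
        return 0.0
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in Counter(buf).values())


def hash_triple(data):
    """Same three digests the report lists for each dropped file."""
    return {alg: hashlib.new(alg, data).hexdigest() for alg in ("md5", "sha1", "sha256")}


def triage(data):
    return {"sections": pe_section_names(data), "upx_names": looks_upx_packed(data),
            "entropy": round(shannon_entropy(data), 2), **hash_triple(data)}


def build_fake_pe(section_names):
    """Constructed header-only PE32+ image for this example; it cannot run."""
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[0:2] = b"MZ"
    dos[0x3C:0x40] = struct.pack("<I", e_lfanew)
    opt_size = 0xF0
    file_header = struct.pack("<HHIIIHH", 0x8664, len(section_names), 0, 0, 0, opt_size, 0x22)
    optional = bytearray(opt_size)
    optional[0:2] = struct.pack("<H", 0x20B)            # PE32+ magic
    sections = b"".join(
        struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"),
                    0x1000, 0x1000 * (i + 1), 0x200, 0x400 * (i + 1), 0, 0, 0, 0, 0x60000020)
        for i, name in enumerate(section_names))
    return bytes(dos) + b"PE\0\0" + file_header + optional + sections


if __name__ == "__main__":
    print(triage(build_fake_pe(["UPX0", "UPX1", ".rsrc"])))
```

Section names are the weakest of the three checks, since a packer wrapper can rename them; high entropy across the whole file is harder to hide, and the definitive confirmation is what the sandbox did: dump the image at OEP and scan the unpacked code.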

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\thboYoh.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_85962f264c99b9950dddfb474c113937_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ATVUtml.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_85962f264c99b9950dddfb474c113937_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\BujVIrY.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_85962f264c99b9950dddfb474c113937_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\IfjfIDU.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_85962f264c99b9950dddfb474c113937_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\XXXdBIw.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_85962f264c99b9950dddfb474c113937_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\UlrearW.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_85962f264c99b9950dddfb474c113937_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\YZlbNNk.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_85962f264c99b9950dddfb474c113937_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\FOtcJLv.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_85962f264c99b9950dddfb474c113937_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\NCNEZjC.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_85962f264c99b9950dddfb474c113937_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\DxMiLQm.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_85962f264c99b9950dddfb474c113937_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\shjAinu.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_85962f264c99b9950dddfb474c113937_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\yrfJqno.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_85962f264c99b9950dddfb474c113937_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\WwWbjOm.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_85962f264c99b9950dddfb474c113937_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\yKIDUex.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_85962f264c99b9950dddfb474c113937_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\LPptXGb.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_85962f264c99b9950dddfb474c113937_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\HXwtbYf.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_85962f264c99b9950dddfb474c113937_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\txxvGpT.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_85962f264c99b9950dddfb474c113937_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\uTLexuA.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_85962f264c99b9950dddfb474c113937_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\NpQlSIr.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_85962f264c99b9950dddfb474c113937_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\saLGqkN.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_85962f264c99b9950dddfb474c113937_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\Qsgncri.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_85962f264c99b9950dddfb474c113937_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_85962f264c99b9950dddfb474c113937_cobalt-strike_cobaltstrike.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_85962f264c99b9950dddfb474c113937_cobalt-strike_cobaltstrike.exe N/A

SeLockMemoryPrivilege ("Lock pages in memory") is what a process needs to allocate large pages; XMRig enables it for its huge-pages mode because RandomX runs faster on them. Outside database servers and hypervisors almost nothing enables this privilege on its own token, so it is a strong miner indicator on its own. Windows records the adjustment as event 4703 when the "Authorization Policy Change" audit subcategory is enabled.

Suspicious use of WriteProcessMemory

Description Indicator Process Target
Source process for every row: C:\Users\Admin\AppData\Local\Temp\2024-06-01_85962f264c99b9950dddfb474c113937_cobalt-strike_cobaltstrike.exe (PID 2104); no Indicator recorded; three writes per target.
PID 2104 wrote to memory of 1280 (x3) -> C:\Windows\System\thboYoh.exe
PID 2104 wrote to memory of 3068 (x3) -> C:\Windows\System\yrfJqno.exe
PID 2104 wrote to memory of 2072 (x3) -> C:\Windows\System\NpQlSIr.exe
PID 2104 wrote to memory of 2568 (x3) -> C:\Windows\System\saLGqkN.exe
PID 2104 wrote to memory of 2264 (x3) -> C:\Windows\System\XXXdBIw.exe
PID 2104 wrote to memory of 2280 (x3) -> C:\Windows\System\ATVUtml.exe
PID 2104 wrote to memory of 2776 (x3) -> C:\Windows\System\WwWbjOm.exe
PID 2104 wrote to memory of 2460 (x3) -> C:\Windows\System\BujVIrY.exe
PID 2104 wrote to memory of 1860 (x3) -> C:\Windows\System\UlrearW.exe
PID 2104 wrote to memory of 2436 (x3) -> C:\Windows\System\yKIDUex.exe
PID 2104 wrote to memory of 2500 (x3) -> C:\Windows\System\LPptXGb.exe
PID 2104 wrote to memory of 2956 (x3) -> C:\Windows\System\YZlbNNk.exe
PID 2104 wrote to memory of 2060 (x3) -> C:\Windows\System\HXwtbYf.exe
PID 2104 wrote to memory of 1508 (x3) -> C:\Windows\System\FOtcJLv.exe
PID 2104 wrote to memory of 2944 (x3) -> C:\Windows\System\NCNEZjC.exe
PID 2104 wrote to memory of 2996 (x3) -> C:\Windows\System\txxvGpT.exe
PID 2104 wrote to memory of 3008 (x3) -> C:\Windows\System\Qsgncri.exe
PID 2104 wrote to memory of 2532 (x3) -> C:\Windows\System\IfjfIDU.exe
PID 2104 wrote to memory of 2708 (x3) -> C:\Windows\System\DxMiLQm.exe
PID 2104 wrote to memory of 1556 (x3) -> C:\Windows\System\shjAinu.exe
PID 2104 wrote to memory of 1844 (x3) -> C:\Windows\System\uTLexuA.exe

The identical three-write pattern repeats for all 21 targets, and every target also appears as a child of PID 2104 in the Processes section, so these writes accompany the start-up of each dropped executable rather than injection into an unrelated process. The fan-out of 21 children from one Temp-resident parent is the more useful indicator.

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-01_85962f264c99b9950dddfb474c113937_cobalt-strike_cobaltstrike.exe (PID 2104)

"C:\Users\Admin\AppData\Local\Temp\2024-06-01_85962f264c99b9950dddfb474c113937_cobalt-strike_cobaltstrike.exe"

Children of PID 2104, each started with its own path as the command line (PIDs taken from the WriteProcessMemory events for each target):

C:\Windows\System\thboYoh.exe (PID 1280)
C:\Windows\System\yrfJqno.exe (PID 3068)
C:\Windows\System\NpQlSIr.exe (PID 2072)
C:\Windows\System\saLGqkN.exe (PID 2568)
C:\Windows\System\XXXdBIw.exe (PID 2264)
C:\Windows\System\ATVUtml.exe (PID 2280)
C:\Windows\System\WwWbjOm.exe (PID 2776)
C:\Windows\System\BujVIrY.exe (PID 2460)
C:\Windows\System\UlrearW.exe (PID 1860)
C:\Windows\System\yKIDUex.exe (PID 2436)
C:\Windows\System\LPptXGb.exe (PID 2500)
C:\Windows\System\YZlbNNk.exe (PID 2956)
C:\Windows\System\HXwtbYf.exe (PID 2060)
C:\Windows\System\FOtcJLv.exe (PID 1508)
C:\Windows\System\NCNEZjC.exe (PID 2944)
C:\Windows\System\txxvGpT.exe (PID 2996)
C:\Windows\System\Qsgncri.exe (PID 3008)
C:\Windows\System\IfjfIDU.exe (PID 2532)
C:\Windows\System\DxMiLQm.exe (PID 2708)
C:\Windows\System\shjAinu.exe (PID 1556)
C:\Windows\System\uTLexuA.exe (PID 1844)
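The process list above is the behavior worth turning into a detection: one executable in the user's Temp directory spawning 21 children from C:\Windows\System (not System32), each with a random seven-letter name, within a short window. The following Python is an added example, not part of the report or of the sandbox; it reconstructs the parent-to-child fan-out from Sysmon-style process-creation records and flags any parent that exceeds a threshold. The event list is constructed from this report's paths and PIDs with invented timestamps, and the record fields (ts, pid, ppid, image) and thresholds are this example's own.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Paths and PIDs follow the report; timestamps are invented so the example runs
# offline. Field names (ts/pid/ppid/image) are this example's own convention.
PARENT_IMAGE = (r"C:\Users\Admin\AppData\Local\Temp"
                r"\2024-06-01_85962f264c99b9950dddfb474c113937_cobalt-strike_cobaltstrike.exe")
DROPS = [(1280, "thboYoh"), (3068, "yrfJqno"), (2072, "NpQlSIr"), (2568, "saLGqkN"),
         (2264, "XXXdBIw"), (2280, "ATVUtml"), (2776, "WwWbjOm"), (2460, "BujVIrY"),
         (1860, "UlrearW"), (2436, "yKIDUex"), (2500, "LPptXGb"), (2956, "YZlbNNk"),
         (2060, "HXwtbYf"), (1508, "FOtcJLv"), (2944, "NCNEZjC"), (2996, "txxvGpT"),
         (3008, "Qsgncri"), (2532, "IfjfIDU"), (2708, "DxMiLQm"), (1556, "shjAinu"),
         (1844, "uTLexuA")]


def build_events():
    """Constructed process-creation log: explorer, the dropper, its 21 children,
    and one benign System32 child to show ordinary launches do not match."""
    t0 = datetime(2024, 6, 1, 15, 39, 8)
    events = [
        {"ts": t0.isoformat(), "pid": 1234, "ppid": 800, "image": r"C:\Windows\explorer.exe"},
        {"ts": (t0 + timedelta(seconds=2)).isoformat(), "pid": 2104, "ppid": 1234,
         "image": PARENT_IMAGE},
        {"ts": (t0 + timedelta(seconds=3)).isoformat(), "pid": 4000, "ppid": 1234,
         "image": r"C:\Windows\System32\notepad.exe"},
    ]
    for i, (pid, name) in enumerate(DROPS):
        events.append({"ts": (t0 + timedelta(seconds=4 + 2 * i)).isoformat(), "pid": pid,
                       "ppid": 2104, "image": r"C:\Windows\System\%s.exe" % name})
    return events


EVENTS = build_events()

# Seven-letter executable directly under C:\Windows\System; System32 does not match.
RANDOM_SYSTEM_EXE = re.compile(r"^C:\\Windows\\System\\[A-Za-z]{7}\.exe$", re.IGNORECASE)
TEMP_DIR = re.compile(r"^C:\\Users\\[^\\]+\\AppData\\Local\\Temp\\", re.IGNORECASE)


def find_dropper_fanout(events, min_children=5, window=timedelta(minutes=2)):
    """Return {parent_pid: {...}} for every parent that starts at least
    min_children distinct RANDOM_SYSTEM_EXE images inside one time window."""
    image_of = {e["pid"]: e["image"] for e in events}
    starts = defaultdict(list)
    for e in events:
        if RANDOM_SYSTEM_EXE.match(e["image"]):
            starts[e["ppid"]].append((datetime.fromisoformat(e["ts"]), e["image"].lower()))
    hits = {}
    for ppid, children in starts.items():
        children.sort()
        for i, (t_first, _) in enumerate(children):      # slide the window over start times
            in_window = {img for t, img in children[i:] if t - t_first <= window}
            if len(in_window) >= min_children:
                parent = image_of.get(ppid, "")
                hits[ppid] = {"image": parent,
                              "parent_in_temp": bool(TEMP_DIR.match(parent)),
                              "children": sorted(in_window)}
                break
    return hits


if __name__ == "__main__":
    for ppid, hit in find_dropper_fanout(EVENTS).items():
        print(ppid, hit["image"], "temp parent:", hit["parent_in_temp"],
              "children:", len(hit["children"]))
```

The thresholds are deliberately low (five children in two minutes) because legitimate software almost never writes executables directly into C:\Windows\System; tune them against your own telemetry, and pair the rule with the SeLockMemoryPrivilege and 3.120.209.58:8080 indicators from this report for higher confidence.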

Network

Country Destination Domain Proto Count
DE 3.120.209.58:8080 (none; contacted by IP) tcp 6

Six TCP connections to the same endpoint and no domain recorded; the IP and port pair is the network indicator to hunt for.

Files

Memory dumps are listed as memory/<PID>-<n>-<start>-<end>-memory.dmp; the 0x354000-byte image regions recur in PID 2104 and in the child processes. All 21 dropped executables carry different MD5/SHA1/SHA256 values, so the hashes below identify this detonation only; detection that generalizes should key on the C:\Windows\System\<seven letters>.exe path pattern and the behaviors recorded above.

memory/2104-0-0x000000013F7D0000-0x000000013FB24000-memory.dmp

memory/2104-1-0x00000000002F0000-0x0000000000300000-memory.dmp

\Windows\system\thboYoh.exe

MD5 19fc825792fbeb428b90e5b01477ae27
SHA1 51f35522c26deccf11552b30b73ec960d912ec54
SHA256 32fdf928bab4b8fd871936d998cd8ddcf7bd7272b31a1de3f81403c349338e7f
SHA512 db6f1ef138e4fc40a1f4ac53667311c33e825f864fc00d68d75949f15f24607a2f5f5249003bc73bfc4d1cd2a7a7eb03106e2b258f8fb53ce9ddd9c5d96f373b

memory/2104-8-0x000000013F230000-0x000000013F584000-memory.dmp

memory/1280-9-0x000000013F230000-0x000000013F584000-memory.dmp

\Windows\system\yrfJqno.exe

MD5 6bfc5c4eed9b5d650750844c0992f9da
SHA1 102cc969fd759a12d57c4e652739d6331466b01a
SHA256 e888e0f803740b295021af5ff20826546bd22202298034870ae85f06e239c25a
SHA512 62463c7525ba855ce694b7d1be1ab738019fccbd68cf4e39a68c5b17a49cde18d1800bb088533076f76afa2019301f24c3c3ab5378db95b492938ea246e491d3

C:\Windows\system\NpQlSIr.exe

MD5 7a3efd7ceeb3e0a574d91d58a0c91902
SHA1 41805fdd542a28e838c114ad8e3fe2d741f57078
SHA256 fe025e05ec52801f26099b95d1507f2e7bb6685e097df43546d2e5bbc81a419a
SHA512 41fc09fdc9030c3c6b5a467a91e24116647768216d2553454ba4be63bfacb965443c279bdde09e3739e9cff89e525acda4a429eacecd71c61d39f23ed2f4c9be

C:\Windows\system\saLGqkN.exe

MD5 645e8aa94fe7cd4bd07bdbd3de16ddfa
SHA1 3b77cc0a035e4c75e2373fa2aa217dfb910b8841
SHA256 11d93871ee0bab198492953b97f64a038781918f7f156cf8da793ddf851bd9c0
SHA512 660600023b1501bec3bb8afe2eda02a703ca47547721a6f476439c4f0308c3f59aad26f1de15f812ca945cb54979a9bb9afd736c0dda1b9785d4e037fb508656

memory/2104-25-0x0000000002350000-0x00000000026A4000-memory.dmp

C:\Windows\system\XXXdBIw.exe

MD5 85eccccbb1250e3222c58a5b88fed533
SHA1 0c0e907717c392596916d16e9663c2103357d598
SHA256 7fd65186b4b72a9ff3e1405c4a543212067c8f14b91958a6abbebac19db9757e
SHA512 d4a2851084a4a95cb09e8e21e21a9a6fde01c358a20e711175f4cb75771ee926f719043936cbf2db761bbba160038d8365c63df789a8cb6a1b581d43cb7c6741

C:\Windows\system\ATVUtml.exe

MD5 d1c275b4ff948787d3cbd22dc382c9a8
SHA1 395e30e173d18fe486709517227be4a0056b940e
SHA256 54ece5e7c69bc7b751d58c78b0b51880aa07f5f2ec3c389742597b351718c672
SHA512 be68386a39afe13a34c0591e29e8942738230aa5ad432dd9fbf1002edc1b1e984c624ff1f2f52011d8072693e5f7f80ba6d08fd2ceb33a4e3f80ef3977de7a71

C:\Windows\system\WwWbjOm.exe

MD5 5eb2fec7abee44b8589abf9fee9378e5
SHA1 fc3cec07657ec0dd3194b0555508198815bc85ee
SHA256 4856208d65cc4f4aab1fc4eef247f2d6b5bea9a416013cb3386e37daa4a0e53c
SHA512 637c01cdf98477b0463d7ec530fb50566b7f040e9b017e60253a72a8c00755a67f7a7baecc6e7e970be496ad36f460bb9800075de41b0bf7f0fed0eece204655

C:\Windows\system\BujVIrY.exe

MD5 7e99c3b703cdc180b4b120e55836c224
SHA1 59297a5adab8e9a77ef19b5c8351130509682d1e
SHA256 64f279afefb27af97e019fda4312ad225ebc4560728516aa14dcb1599456b3ce
SHA512 3b03d9129e42b31213aa6f8ee9ddc8b0132fceed126bab111890381c5940d01860810fb00444a37088967c8da1df229bc21543fe3043612a002f8a766d25d5a9

C:\Windows\system\yKIDUex.exe

MD5 9aaae56723c8fffedfe04a65e23aef84
SHA1 26fef1c7ceabec621090bf73d6c865b17ce55738
SHA256 cb87f9079cddca379b59ad7d48c210a31da62cffdc4f9bfe2b4ac66a30dff5fa
SHA512 f52058d059ffb6a7889c6c52dea41d813ecf22d160ca07e77888a19d270bc71317832a2708ae8aee3db57989a0de27bf8cd6a92aa6b9130399c767966f6d544b

\Windows\system\LPptXGb.exe

MD5 9a4c1d2f7d40ebb5241d72b4d8db04ac
SHA1 b102b3e8c307ecd3521a55d54d06625dd0733d73
SHA256 9afdf13b8184f937a29d2c16b49d272dc118167941a417cbb6dd6b6d4ed2bdb9
SHA512 6bb07fea0b015f6bd33bdf7fa7fe539d4103ca63c63edcc6ceed6e0f6ccc53a2e2484ca4b6e238beef9e6f58d601487342018b9c17af5b19ee26775a4cab805f

C:\Windows\system\YZlbNNk.exe

MD5 130dccc9a6b6dd57b4b13d8795a633ca
SHA1 b190e4e8499eae4461a18b73f61c8afa90210943
SHA256 ff833de57fcc04c64834bcebea10cfa0e88228799c604df29e1b92ba65fb67af
SHA512 3cb28994a1b90198edc4241c64c04a97d978d4635b97a3c5bcf781d59ebc7bc64c7b59271e0d06c290272957807f55c1c93a830dba6f9e52db62dd16242772b2

C:\Windows\system\HXwtbYf.exe

MD5 68120a00a3e8fb9a31143f4d45a7cb7e
SHA1 ad3b2d15cfb8ef55aaff36d4932558046de65b43
SHA256 988215d3ba7d02951e2b6484a5d86735aed3a1e0f0286a68ea78db499472a7e0
SHA512 f667c55aa2cd22e2ba8e3d5c1a4626111e822ca3e156f771e0c8c6d756bf00ae4d6b26874e5575c132caa6f54b0c9249ebfc2e6d2a8b286c444e602990ad70ad

\Windows\system\txxvGpT.exe

MD5 de6341e22383910b8abfca582b1c7986
SHA1 8636525a4d222b9234f73576db0385ab3bfa414e
SHA256 2e99d16e3eed682fa947fcc0bb39c083fc80289d0ed8b4be96f5f418f8bfce32
SHA512 356364cf013caf9384f3f9ea189c81687b8e7c9a4e895cfc01437e228ed8c3aa7eaf088b71d64a4676087f8dc61c8d896d5664b486cd7a6c409f7632a203f9c8

C:\Windows\system\Qsgncri.exe

MD5 82b0085353cb4f703cafa3cd0becc6f7
SHA1 40b763bce89cc05b40c6198f9801a149e1f97268
SHA256 7d3ff6d99fb448f59439f806f9161db3a8c40c42dbbdb606c60e6f886263172d
SHA512 c65773c2a748c37d578f4c9e20b694285f9f21085b79b7613b18b1644304530b6828be1d709f069abfa04d05fb4fc8175ee72be6f9291f0529449f35d1046104

C:\Windows\system\DxMiLQm.exe

MD5 3aa068d3f8ed2e7a5570289317e13893
SHA1 f77527e26278302f066d890732410fd678f344a6
SHA256 2ebadd57f3b4c1941a140a40b944df7b9f7216f85a25d60b0f8802e30a4bbd53
SHA512 dcd3e8a2859c96b8f2e99766201ef6af31c6840b6fb38b95a6f20ca9fc393aeacbeb50dfcc8f425ab20fee6158347c7b0239ea501a60397efa08cf61bc4dfbf2

C:\Windows\system\shjAinu.exe

MD5 5c76d96bfa875aecc458a2631c3fc4f6
SHA1 0f00738780e86665b0241c54150b36513187a2c7
SHA256 17314d8a95fde16ab4733745b354b3843f7e06fa62835e4c11260d6f159142f0
SHA512 5500cde194be1ac2c22a2407fb23f434a1304251f9535bf71ec6d5563e0d832b26e981b405a9ec54d33fce6cd377a0b7014fd731edf07c89c50da42eec85bb58

\Windows\system\uTLexuA.exe

MD5 a715782ae1bf352aedece4bced8e13ea
SHA1 91b94523a967357499c0acc13acb6b8aca6ccbc7
SHA256 e164ff535c6965f809a31a5267ed2aea07e35835b6ee0172f5b9ee91d7ea1f42
SHA512 b8edc6ab94819c6c1c5992c5428bac1f4289cd40e4b31fdac1e23bf9110e20fc4410a77754f7b2b3466cfc4e3836dd383b81e3ad10ee91f583fbe8b7f637274e

C:\Windows\system\IfjfIDU.exe

MD5 6e6bc0c2085372124d779c9f81405e6f
SHA1 eee4acc3ae9dde3794321aee0fa5888db2fb3d2b
SHA256 06b783a55bf887a6c41f8661aa9a8f336d219f0c1e3cb5ab98d38624bbf66702
SHA512 6bc826369531907b9ac16bc704b5db55a8ce31fcb17d58267dc01031a4a28749ac8cfa355066edd949833b961340a7c996be2cc8458d29b321832fca227a0098

C:\Windows\system\NCNEZjC.exe

MD5 ac2f282ef13ebfb665a414af9d782e15
SHA1 5ee155f4944e8e9c968ba33819c32c806eff0eb0
SHA256 0fb87a613af11ab55bb74045b0dd56b90ac5636849f333ee5505eaa4e08e5d33
SHA512 2183f88fc858716dd0cec09afaaf789be577a97b6a03042ab24628ab7e20b06e226a9261bea6c55bebb8263e64ed7d1c6b1556abe744c0f85c56eb5c7e875fb5

C:\Windows\system\FOtcJLv.exe

MD5 f4eb0da452b9c6ada173e41c25004a63
SHA1 4e450ab08cd58e1f217dcbc92062738dc3e09055
SHA256 a50a04e3b389b64ec168de54e20ea7fa4160c03b2a7eb864bf6e661e8ff758c7
SHA512 bc112d0c0729c0153a94cf3fd418e02b192b99d33cc024b666975840e896ad1b8a3b52d02ae7f054268a72f8a29d148fd39eec1f541c6660e154ca06a24402a0

C:\Windows\system\UlrearW.exe

MD5 91ee3b93a1e80bb4a28847c3928fa8db
SHA1 64c9411edfbbfac24d9520eb38e9e21bcd031338
SHA256 9683dd894c61978029217acd614c631d1bbf46dc4430a9a8d52c120644bf6b06
SHA512 2592b7d7ae4e64960ac2e003f72e982e2bf70e93f6fa206b7a3958c655640d1411e7a326e568c81ab398b80a5e53f67439c5c322a338f802b51dfdf1ae598084


Analysis: behavioral2

Detonation Overview

Submitted

2024-06-01 15:39

Reported

2024-06-01 15:41

Platform

win10v2004-20240426-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-01_85962f264c99b9950dddfb474c113937_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\saLGqkN.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_85962f264c99b9950dddfb474c113937_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\UlrearW.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_85962f264c99b9950dddfb474c113937_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\LPptXGb.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_85962f264c99b9950dddfb474c113937_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\YZlbNNk.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_85962f264c99b9950dddfb474c113937_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\IfjfIDU.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_85962f264c99b9950dddfb474c113937_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\shjAinu.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_85962f264c99b9950dddfb474c113937_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ATVUtml.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_85962f264c99b9950dddfb474c113937_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\WwWbjOm.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_85962f264c99b9950dddfb474c113937_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\NpQlSIr.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_85962f264c99b9950dddfb474c113937_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\BujVIrY.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_85962f264c99b9950dddfb474c113937_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\NCNEZjC.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_85962f264c99b9950dddfb474c113937_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\uTLexuA.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_85962f264c99b9950dddfb474c113937_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\thboYoh.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_85962f264c99b9950dddfb474c113937_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\yrfJqno.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_85962f264c99b9950dddfb474c113937_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\HXwtbYf.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_85962f264c99b9950dddfb474c113937_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\FOtcJLv.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_85962f264c99b9950dddfb474c113937_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\txxvGpT.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_85962f264c99b9950dddfb474c113937_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\Qsgncri.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_85962f264c99b9950dddfb474c113937_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\DxMiLQm.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_85962f264c99b9950dddfb474c113937_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\XXXdBIw.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_85962f264c99b9950dddfb474c113937_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\yKIDUex.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_85962f264c99b9950dddfb474c113937_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_85962f264c99b9950dddfb474c113937_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4192 wrote to memory of 1424 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_85962f264c99b9950dddfb474c113937_cobalt-strike_cobaltstrike.exe C:\Windows\System\thboYoh.exe
PID 4192 wrote to memory of 4936 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_85962f264c99b9950dddfb474c113937_cobalt-strike_cobaltstrike.exe C:\Windows\System\yrfJqno.exe
PID 4192 wrote to memory of 1188 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_85962f264c99b9950dddfb474c113937_cobalt-strike_cobaltstrike.exe C:\Windows\System\NpQlSIr.exe
PID 4192 wrote to memory of 3740 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_85962f264c99b9950dddfb474c113937_cobalt-strike_cobaltstrike.exe C:\Windows\System\saLGqkN.exe
PID 4192 wrote to memory of 2332 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_85962f264c99b9950dddfb474c113937_cobalt-strike_cobaltstrike.exe C:\Windows\System\XXXdBIw.exe
PID 4192 wrote to memory of 4740 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_85962f264c99b9950dddfb474c113937_cobalt-strike_cobaltstrike.exe C:\Windows\System\ATVUtml.exe
PID 4192 wrote to memory of 3232 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_85962f264c99b9950dddfb474c113937_cobalt-strike_cobaltstrike.exe C:\Windows\System\WwWbjOm.exe
PID 4192 wrote to memory of 1776 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_85962f264c99b9950dddfb474c113937_cobalt-strike_cobaltstrike.exe C:\Windows\System\BujVIrY.exe
PID 4192 wrote to memory of 2240 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_85962f264c99b9950dddfb474c113937_cobalt-strike_cobaltstrike.exe C:\Windows\System\UlrearW.exe
PID 4192 wrote to memory of 2364 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_85962f264c99b9950dddfb474c113937_cobalt-strike_cobaltstrike.exe C:\Windows\System\yKIDUex.exe
PID 4192 wrote to memory of 448 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_85962f264c99b9950dddfb474c113937_cobalt-strike_cobaltstrike.exe C:\Windows\System\LPptXGb.exe
PID 4192 wrote to memory of 3400 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_85962f264c99b9950dddfb474c113937_cobalt-strike_cobaltstrike.exe C:\Windows\System\YZlbNNk.exe
PID 4192 wrote to memory of 4676 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_85962f264c99b9950dddfb474c113937_cobalt-strike_cobaltstrike.exe C:\Windows\System\HXwtbYf.exe
PID 4192 wrote to memory of 3616 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_85962f264c99b9950dddfb474c113937_cobalt-strike_cobaltstrike.exe C:\Windows\System\FOtcJLv.exe
PID 4192 wrote to memory of 1432 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_85962f264c99b9950dddfb474c113937_cobalt-strike_cobaltstrike.exe C:\Windows\System\NCNEZjC.exe
PID 4192 wrote to memory of 1712 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_85962f264c99b9950dddfb474c113937_cobalt-strike_cobaltstrike.exe C:\Windows\System\txxvGpT.exe
PID 4192 wrote to memory of 4540 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_85962f264c99b9950dddfb474c113937_cobalt-strike_cobaltstrike.exe C:\Windows\System\Qsgncri.exe
PID 4192 wrote to memory of 4268 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_85962f264c99b9950dddfb474c113937_cobalt-strike_cobaltstrike.exe C:\Windows\System\IfjfIDU.exe
PID 4192 wrote to memory of 5008 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_85962f264c99b9950dddfb474c113937_cobalt-strike_cobaltstrike.exe C:\Windows\System\DxMiLQm.exe
PID 4192 wrote to memory of 944 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_85962f264c99b9950dddfb474c113937_cobalt-strike_cobaltstrike.exe C:\Windows\System\shjAinu.exe
PID 4192 wrote to memory of 3940 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_85962f264c99b9950dddfb474c113937_cobalt-strike_cobaltstrike.exe C:\Windows\System\uTLexuA.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-01_85962f264c99b9950dddfb474c113937_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-01_85962f264c99b9950dddfb474c113937_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\thboYoh.exe

C:\Windows\System\thboYoh.exe

C:\Windows\System\yrfJqno.exe

C:\Windows\System\yrfJqno.exe

C:\Windows\System\NpQlSIr.exe

C:\Windows\System\NpQlSIr.exe

C:\Windows\System\saLGqkN.exe

C:\Windows\System\saLGqkN.exe

C:\Windows\System\XXXdBIw.exe

C:\Windows\System\XXXdBIw.exe

C:\Windows\System\ATVUtml.exe

C:\Windows\System\ATVUtml.exe

C:\Windows\System\WwWbjOm.exe

C:\Windows\System\WwWbjOm.exe

C:\Windows\System\BujVIrY.exe

C:\Windows\System\BujVIrY.exe

C:\Windows\System\UlrearW.exe

C:\Windows\System\UlrearW.exe

C:\Windows\System\yKIDUex.exe

C:\Windows\System\yKIDUex.exe

C:\Windows\System\LPptXGb.exe

C:\Windows\System\LPptXGb.exe

C:\Windows\System\YZlbNNk.exe

C:\Windows\System\YZlbNNk.exe

C:\Windows\System\HXwtbYf.exe

C:\Windows\System\HXwtbYf.exe

C:\Windows\System\FOtcJLv.exe

C:\Windows\System\FOtcJLv.exe

C:\Windows\System\NCNEZjC.exe

C:\Windows\System\NCNEZjC.exe

C:\Windows\System\txxvGpT.exe

C:\Windows\System\txxvGpT.exe

C:\Windows\System\Qsgncri.exe

C:\Windows\System\Qsgncri.exe

C:\Windows\System\IfjfIDU.exe

C:\Windows\System\IfjfIDU.exe

C:\Windows\System\DxMiLQm.exe

C:\Windows\System\DxMiLQm.exe

C:\Windows\System\shjAinu.exe

C:\Windows\System\shjAinu.exe

C:\Windows\System\uTLexuA.exe

C:\Windows\System\uTLexuA.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 80.90.14.23.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 73.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 97.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 4.73.50.20.in-addr.arpa udp

Files

memory/4192-0-0x00007FF752F10000-0x00007FF753264000-memory.dmp

memory/4192-1-0x000001ACF2B80000-0x000001ACF2B90000-memory.dmp

C:\Windows\System\thboYoh.exe

MD5 19fc825792fbeb428b90e5b01477ae27
SHA1 51f35522c26deccf11552b30b73ec960d912ec54
SHA256 32fdf928bab4b8fd871936d998cd8ddcf7bd7272b31a1de3f81403c349338e7f
SHA512 db6f1ef138e4fc40a1f4ac53667311c33e825f864fc00d68d75949f15f24607a2f5f5249003bc73bfc4d1cd2a7a7eb03106e2b258f8fb53ce9ddd9c5d96f373b

memory/1424-6-0x00007FF6D7060000-0x00007FF6D73B4000-memory.dmp

C:\Windows\System\yrfJqno.exe

MD5 6bfc5c4eed9b5d650750844c0992f9da
SHA1 102cc969fd759a12d57c4e652739d6331466b01a
SHA256 e888e0f803740b295021af5ff20826546bd22202298034870ae85f06e239c25a
SHA512 62463c7525ba855ce694b7d1be1ab738019fccbd68cf4e39a68c5b17a49cde18d1800bb088533076f76afa2019301f24c3c3ab5378db95b492938ea246e491d3

memory/4936-14-0x00007FF7C9BF0000-0x00007FF7C9F44000-memory.dmp

C:\Windows\System\NpQlSIr.exe

MD5 7a3efd7ceeb3e0a574d91d58a0c91902
SHA1 41805fdd542a28e838c114ad8e3fe2d741f57078
SHA256 fe025e05ec52801f26099b95d1507f2e7bb6685e097df43546d2e5bbc81a419a
SHA512 41fc09fdc9030c3c6b5a467a91e24116647768216d2553454ba4be63bfacb965443c279bdde09e3739e9cff89e525acda4a429eacecd71c61d39f23ed2f4c9be

memory/1188-18-0x00007FF7306C0000-0x00007FF730A14000-memory.dmp

C:\Windows\System\saLGqkN.exe

MD5 645e8aa94fe7cd4bd07bdbd3de16ddfa
SHA1 3b77cc0a035e4c75e2373fa2aa217dfb910b8841
SHA256 11d93871ee0bab198492953b97f64a038781918f7f156cf8da793ddf851bd9c0
SHA512 660600023b1501bec3bb8afe2eda02a703ca47547721a6f476439c4f0308c3f59aad26f1de15f812ca945cb54979a9bb9afd736c0dda1b9785d4e037fb508656

memory/3740-24-0x00007FF695F50000-0x00007FF6962A4000-memory.dmp

C:\Windows\System\XXXdBIw.exe

MD5 85eccccbb1250e3222c58a5b88fed533
SHA1 0c0e907717c392596916d16e9663c2103357d598
SHA256 7fd65186b4b72a9ff3e1405c4a543212067c8f14b91958a6abbebac19db9757e
SHA512 d4a2851084a4a95cb09e8e21e21a9a6fde01c358a20e711175f4cb75771ee926f719043936cbf2db761bbba160038d8365c63df789a8cb6a1b581d43cb7c6741

C:\Windows\System\ATVUtml.exe

MD5 d1c275b4ff948787d3cbd22dc382c9a8
SHA1 395e30e173d18fe486709517227be4a0056b940e
SHA256 54ece5e7c69bc7b751d58c78b0b51880aa07f5f2ec3c389742597b351718c672
SHA512 be68386a39afe13a34c0591e29e8942738230aa5ad432dd9fbf1002edc1b1e984c624ff1f2f52011d8072693e5f7f80ba6d08fd2ceb33a4e3f80ef3977de7a71

C:\Windows\System\WwWbjOm.exe

MD5 5eb2fec7abee44b8589abf9fee9378e5
SHA1 fc3cec07657ec0dd3194b0555508198815bc85ee
SHA256 4856208d65cc4f4aab1fc4eef247f2d6b5bea9a416013cb3386e37daa4a0e53c
SHA512 637c01cdf98477b0463d7ec530fb50566b7f040e9b017e60253a72a8c00755a67f7a7baecc6e7e970be496ad36f460bb9800075de41b0bf7f0fed0eece204655

memory/3232-41-0x00007FF6512B0000-0x00007FF651604000-memory.dmp

memory/4740-40-0x00007FF7F53B0000-0x00007FF7F5704000-memory.dmp

memory/2332-32-0x00007FF63AB50000-0x00007FF63AEA4000-memory.dmp

C:\Windows\System\BujVIrY.exe

MD5 7e99c3b703cdc180b4b120e55836c224
SHA1 59297a5adab8e9a77ef19b5c8351130509682d1e
SHA256 64f279afefb27af97e019fda4312ad225ebc4560728516aa14dcb1599456b3ce
SHA512 3b03d9129e42b31213aa6f8ee9ddc8b0132fceed126bab111890381c5940d01860810fb00444a37088967c8da1df229bc21543fe3043612a002f8a766d25d5a9

memory/1776-50-0x00007FF783FE0000-0x00007FF784334000-memory.dmp

C:\Windows\System\UlrearW.exe

MD5 91ee3b93a1e80bb4a28847c3928fa8db
SHA1 64c9411edfbbfac24d9520eb38e9e21bcd031338
SHA256 9683dd894c61978029217acd614c631d1bbf46dc4430a9a8d52c120644bf6b06
SHA512 2592b7d7ae4e64960ac2e003f72e982e2bf70e93f6fa206b7a3958c655640d1411e7a326e568c81ab398b80a5e53f67439c5c322a338f802b51dfdf1ae598084

memory/2240-56-0x00007FF7DD840000-0x00007FF7DDB94000-memory.dmp

C:\Windows\System\yKIDUex.exe

MD5 9aaae56723c8fffedfe04a65e23aef84
SHA1 26fef1c7ceabec621090bf73d6c865b17ce55738
SHA256 cb87f9079cddca379b59ad7d48c210a31da62cffdc4f9bfe2b4ac66a30dff5fa
SHA512 f52058d059ffb6a7889c6c52dea41d813ecf22d160ca07e77888a19d270bc71317832a2708ae8aee3db57989a0de27bf8cd6a92aa6b9130399c767966f6d544b

memory/2364-62-0x00007FF632F00000-0x00007FF633254000-memory.dmp

C:\Windows\System\LPptXGb.exe

MD5 9a4c1d2f7d40ebb5241d72b4d8db04ac
SHA1 b102b3e8c307ecd3521a55d54d06625dd0733d73
SHA256 9afdf13b8184f937a29d2c16b49d272dc118167941a417cbb6dd6b6d4ed2bdb9
SHA512 6bb07fea0b015f6bd33bdf7fa7fe539d4103ca63c63edcc6ceed6e0f6ccc53a2e2484ca4b6e238beef9e6f58d601487342018b9c17af5b19ee26775a4cab805f

C:\Windows\System\YZlbNNk.exe

MD5 130dccc9a6b6dd57b4b13d8795a633ca
SHA1 b190e4e8499eae4461a18b73f61c8afa90210943
SHA256 ff833de57fcc04c64834bcebea10cfa0e88228799c604df29e1b92ba65fb67af
SHA512 3cb28994a1b90198edc4241c64c04a97d978d4635b97a3c5bcf781d59ebc7bc64c7b59271e0d06c290272957807f55c1c93a830dba6f9e52db62dd16242772b2

memory/448-72-0x00007FF7ACBB0000-0x00007FF7ACF04000-memory.dmp

memory/3400-75-0x00007FF601290000-0x00007FF6015E4000-memory.dmp

C:\Windows\System\HXwtbYf.exe

MD5 68120a00a3e8fb9a31143f4d45a7cb7e
SHA1 ad3b2d15cfb8ef55aaff36d4932558046de65b43
SHA256 988215d3ba7d02951e2b6484a5d86735aed3a1e0f0286a68ea78db499472a7e0
SHA512 f667c55aa2cd22e2ba8e3d5c1a4626111e822ca3e156f771e0c8c6d756bf00ae4d6b26874e5575c132caa6f54b0c9249ebfc2e6d2a8b286c444e602990ad70ad

memory/1424-73-0x00007FF6D7060000-0x00007FF6D73B4000-memory.dmp

memory/4192-66-0x00007FF752F10000-0x00007FF753264000-memory.dmp

C:\Windows\System\FOtcJLv.exe

MD5 f4eb0da452b9c6ada173e41c25004a63
SHA1 4e450ab08cd58e1f217dcbc92062738dc3e09055
SHA256 a50a04e3b389b64ec168de54e20ea7fa4160c03b2a7eb864bf6e661e8ff758c7
SHA512 bc112d0c0729c0153a94cf3fd418e02b192b99d33cc024b666975840e896ad1b8a3b52d02ae7f054268a72f8a29d148fd39eec1f541c6660e154ca06a24402a0

C:\Windows\System\NCNEZjC.exe

MD5 ac2f282ef13ebfb665a414af9d782e15
SHA1 5ee155f4944e8e9c968ba33819c32c806eff0eb0
SHA256 0fb87a613af11ab55bb74045b0dd56b90ac5636849f333ee5505eaa4e08e5d33
SHA512 2183f88fc858716dd0cec09afaaf789be577a97b6a03042ab24628ab7e20b06e226a9261bea6c55bebb8263e64ed7d1c6b1556abe744c0f85c56eb5c7e875fb5

C:\Windows\System\txxvGpT.exe

MD5 de6341e22383910b8abfca582b1c7986
SHA1 8636525a4d222b9234f73576db0385ab3bfa414e
SHA256 2e99d16e3eed682fa947fcc0bb39c083fc80289d0ed8b4be96f5f418f8bfce32
SHA512 356364cf013caf9384f3f9ea189c81687b8e7c9a4e895cfc01437e228ed8c3aa7eaf088b71d64a4676087f8dc61c8d896d5664b486cd7a6c409f7632a203f9c8


C:\Windows\System\Qsgncri.exe

MD5 82b0085353cb4f703cafa3cd0becc6f7
SHA1 40b763bce89cc05b40c6198f9801a149e1f97268
SHA256 7d3ff6d99fb448f59439f806f9161db3a8c40c42dbbdb606c60e6f886263172d
SHA512 c65773c2a748c37d578f4c9e20b694285f9f21085b79b7613b18b1644304530b6828be1d709f069abfa04d05fb4fc8175ee72be6f9291f0529449f35d1046104

C:\Windows\System\DxMiLQm.exe

MD5 3aa068d3f8ed2e7a5570289317e13893
SHA1 f77527e26278302f066d890732410fd678f344a6
SHA256 2ebadd57f3b4c1941a140a40b944df7b9f7216f85a25d60b0f8802e30a4bbd53
SHA512 dcd3e8a2859c96b8f2e99766201ef6af31c6840b6fb38b95a6f20ca9fc393aeacbeb50dfcc8f425ab20fee6158347c7b0239ea501a60397efa08cf61bc4dfbf2

C:\Windows\System\shjAinu.exe

MD5 5c76d96bfa875aecc458a2631c3fc4f6
SHA1 0f00738780e86665b0241c54150b36513187a2c7
SHA256 17314d8a95fde16ab4733745b354b3843f7e06fa62835e4c11260d6f159142f0
SHA512 5500cde194be1ac2c22a2407fb23f434a1304251f9535bf71ec6d5563e0d832b26e981b405a9ec54d33fce6cd377a0b7014fd731edf07c89c50da42eec85bb58

memory/3232-122-0x00007FF6512B0000-0x00007FF651604000-memory.dmp

C:\Windows\System\IfjfIDU.exe

MD5 6e6bc0c2085372124d779c9f81405e6f
SHA1 eee4acc3ae9dde3794321aee0fa5888db2fb3d2b
SHA256 06b783a55bf887a6c41f8661aa9a8f336d219f0c1e3cb5ab98d38624bbf66702
SHA512 6bc826369531907b9ac16bc704b5db55a8ce31fcb17d58267dc01031a4a28749ac8cfa355066edd949833b961340a7c996be2cc8458d29b321832fca227a0098

memory/4268-114-0x00007FF61BA90000-0x00007FF61BDE4000-memory.dmp

memory/4540-113-0x00007FF7EE020000-0x00007FF7EE374000-memory.dmp

memory/5008-127-0x00007FF6D45B0000-0x00007FF6D4904000-memory.dmp

C:\Windows\System\uTLexuA.exe

MD5 a715782ae1bf352aedece4bced8e13ea
SHA1 91b94523a967357499c0acc13acb6b8aca6ccbc7
SHA256 e164ff535c6965f809a31a5267ed2aea07e35835b6ee0172f5b9ee91d7ea1f42
SHA512 b8edc6ab94819c6c1c5992c5428bac1f4289cd40e4b31fdac1e23bf9110e20fc4410a77754f7b2b3466cfc4e3836dd383b81e3ad10ee91f583fbe8b7f637274e
