Malware Analysis Report

2025-01-22 19:34

Sample ID 240601-s6n3esfh4z
Target 2024-06-01_ae2aed25a1d4e3559547fbd25c8c9288_cobalt-strike_cobaltstrike
SHA256 658bb064a71cdeed04bacab4a98e00228b3252097af2775470dcbea194ff0beb
Tags
cobaltstrike xmrig 0 backdoor miner trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

658bb064a71cdeed04bacab4a98e00228b3252097af2775470dcbea194ff0beb

Threat Level: Known bad

The file 2024-06-01_ae2aed25a1d4e3559547fbd25c8c9288_cobalt-strike_cobaltstrike was found to be: Known bad.

Malicious Activity Summary

cobaltstrike xmrig 0 backdoor miner trojan upx

xmrig

Xmrig family

Cobaltstrike

XMRig Miner payload

UPX dump on OEP (original entry point)

Cobaltstrike family

Cobalt Strike reflective loader

Detects Reflective DLL injection artifacts

Loads dropped DLL

UPX packed file

Executes dropped EXE

Drops file in Windows directory

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-01 15:44

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike family

cobaltstrike

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

XMRig Miner payload

miner

Description Indicator Process Target
N/A N/A N/A N/A

Xmrig family

xmrig

UPX packed file

upx

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-01 15:44

Reported

2024-06-01 15:47

Platform

win7-20240221-en

Max time kernel

149s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-01_ae2aed25a1d4e3559547fbd25c8c9288_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A (21 identical rows)

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A (21 identical rows)

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A (50 identical rows)

XMRig Miner payload

miner

Description Indicator Process Target
N/A N/A N/A N/A (51 identical rows)

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_ae2aed25a1d4e3559547fbd25c8c9288_cobalt-strike_cobaltstrike.exe N/A (21 identical rows)

UPX packed file

upx

Description Indicator Process Target
N/A N/A N/A N/A (50 identical rows)

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\wEAalbW.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_ae2aed25a1d4e3559547fbd25c8c9288_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\eGcWAnI.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_ae2aed25a1d4e3559547fbd25c8c9288_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\oADsMrp.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_ae2aed25a1d4e3559547fbd25c8c9288_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\VKxqRIA.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_ae2aed25a1d4e3559547fbd25c8c9288_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\NnCeTDQ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_ae2aed25a1d4e3559547fbd25c8c9288_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\CjZBfMz.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_ae2aed25a1d4e3559547fbd25c8c9288_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ETueuDE.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_ae2aed25a1d4e3559547fbd25c8c9288_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\QbgLdiy.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_ae2aed25a1d4e3559547fbd25c8c9288_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\NSWEnfq.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_ae2aed25a1d4e3559547fbd25c8c9288_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\PiEIIpt.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_ae2aed25a1d4e3559547fbd25c8c9288_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\tuQtNjv.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_ae2aed25a1d4e3559547fbd25c8c9288_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\CbGBqYo.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_ae2aed25a1d4e3559547fbd25c8c9288_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\dgxWphE.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_ae2aed25a1d4e3559547fbd25c8c9288_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\OTcOmsH.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_ae2aed25a1d4e3559547fbd25c8c9288_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\KZTikVi.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_ae2aed25a1d4e3559547fbd25c8c9288_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\XmEdtDP.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_ae2aed25a1d4e3559547fbd25c8c9288_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\mNzwjnS.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_ae2aed25a1d4e3559547fbd25c8c9288_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\vUJXcAk.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_ae2aed25a1d4e3559547fbd25c8c9288_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\thWdDUG.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_ae2aed25a1d4e3559547fbd25c8c9288_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\SVmYDKc.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_ae2aed25a1d4e3559547fbd25c8c9288_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\LZvcqqV.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_ae2aed25a1d4e3559547fbd25c8c9288_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_ae2aed25a1d4e3559547fbd25c8c9288_cobalt-strike_cobaltstrike.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_ae2aed25a1d4e3559547fbd25c8c9288_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2812 wrote to memory of 1896 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_ae2aed25a1d4e3559547fbd25c8c9288_cobalt-strike_cobaltstrike.exe C:\Windows\System\SVmYDKc.exe
PID 2812 wrote to memory of 1896 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_ae2aed25a1d4e3559547fbd25c8c9288_cobalt-strike_cobaltstrike.exe C:\Windows\System\SVmYDKc.exe
PID 2812 wrote to memory of 1896 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_ae2aed25a1d4e3559547fbd25c8c9288_cobalt-strike_cobaltstrike.exe C:\Windows\System\SVmYDKc.exe
PID 2812 wrote to memory of 2228 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_ae2aed25a1d4e3559547fbd25c8c9288_cobalt-strike_cobaltstrike.exe C:\Windows\System\KZTikVi.exe
PID 2812 wrote to memory of 2228 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_ae2aed25a1d4e3559547fbd25c8c9288_cobalt-strike_cobaltstrike.exe C:\Windows\System\KZTikVi.exe
PID 2812 wrote to memory of 2228 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_ae2aed25a1d4e3559547fbd25c8c9288_cobalt-strike_cobaltstrike.exe C:\Windows\System\KZTikVi.exe
PID 2812 wrote to memory of 2424 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_ae2aed25a1d4e3559547fbd25c8c9288_cobalt-strike_cobaltstrike.exe C:\Windows\System\eGcWAnI.exe
PID 2812 wrote to memory of 2424 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_ae2aed25a1d4e3559547fbd25c8c9288_cobalt-strike_cobaltstrike.exe C:\Windows\System\eGcWAnI.exe
PID 2812 wrote to memory of 2424 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_ae2aed25a1d4e3559547fbd25c8c9288_cobalt-strike_cobaltstrike.exe C:\Windows\System\eGcWAnI.exe
PID 2812 wrote to memory of 2436 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_ae2aed25a1d4e3559547fbd25c8c9288_cobalt-strike_cobaltstrike.exe C:\Windows\System\LZvcqqV.exe
PID 2812 wrote to memory of 2436 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_ae2aed25a1d4e3559547fbd25c8c9288_cobalt-strike_cobaltstrike.exe C:\Windows\System\LZvcqqV.exe
PID 2812 wrote to memory of 2436 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_ae2aed25a1d4e3559547fbd25c8c9288_cobalt-strike_cobaltstrike.exe C:\Windows\System\LZvcqqV.exe
PID 2812 wrote to memory of 2524 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_ae2aed25a1d4e3559547fbd25c8c9288_cobalt-strike_cobaltstrike.exe C:\Windows\System\XmEdtDP.exe
PID 2812 wrote to memory of 2524 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_ae2aed25a1d4e3559547fbd25c8c9288_cobalt-strike_cobaltstrike.exe C:\Windows\System\XmEdtDP.exe
PID 2812 wrote to memory of 2524 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_ae2aed25a1d4e3559547fbd25c8c9288_cobalt-strike_cobaltstrike.exe C:\Windows\System\XmEdtDP.exe
PID 2812 wrote to memory of 2700 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_ae2aed25a1d4e3559547fbd25c8c9288_cobalt-strike_cobaltstrike.exe C:\Windows\System\NSWEnfq.exe
PID 2812 wrote to memory of 2700 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_ae2aed25a1d4e3559547fbd25c8c9288_cobalt-strike_cobaltstrike.exe C:\Windows\System\NSWEnfq.exe
PID 2812 wrote to memory of 2700 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_ae2aed25a1d4e3559547fbd25c8c9288_cobalt-strike_cobaltstrike.exe C:\Windows\System\NSWEnfq.exe
PID 2812 wrote to memory of 2620 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_ae2aed25a1d4e3559547fbd25c8c9288_cobalt-strike_cobaltstrike.exe C:\Windows\System\PiEIIpt.exe
PID 2812 wrote to memory of 2620 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_ae2aed25a1d4e3559547fbd25c8c9288_cobalt-strike_cobaltstrike.exe C:\Windows\System\PiEIIpt.exe
PID 2812 wrote to memory of 2620 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_ae2aed25a1d4e3559547fbd25c8c9288_cobalt-strike_cobaltstrike.exe C:\Windows\System\PiEIIpt.exe
PID 2812 wrote to memory of 2872 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_ae2aed25a1d4e3559547fbd25c8c9288_cobalt-strike_cobaltstrike.exe C:\Windows\System\oADsMrp.exe
PID 2812 wrote to memory of 2872 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_ae2aed25a1d4e3559547fbd25c8c9288_cobalt-strike_cobaltstrike.exe C:\Windows\System\oADsMrp.exe
PID 2812 wrote to memory of 2872 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_ae2aed25a1d4e3559547fbd25c8c9288_cobalt-strike_cobaltstrike.exe C:\Windows\System\oADsMrp.exe
PID 2812 wrote to memory of 2624 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_ae2aed25a1d4e3559547fbd25c8c9288_cobalt-strike_cobaltstrike.exe C:\Windows\System\tuQtNjv.exe
PID 2812 wrote to memory of 2624 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_ae2aed25a1d4e3559547fbd25c8c9288_cobalt-strike_cobaltstrike.exe C:\Windows\System\tuQtNjv.exe
PID 2812 wrote to memory of 2624 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_ae2aed25a1d4e3559547fbd25c8c9288_cobalt-strike_cobaltstrike.exe C:\Windows\System\tuQtNjv.exe
PID 2812 wrote to memory of 2640 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_ae2aed25a1d4e3559547fbd25c8c9288_cobalt-strike_cobaltstrike.exe C:\Windows\System\ETueuDE.exe
PID 2812 wrote to memory of 2640 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_ae2aed25a1d4e3559547fbd25c8c9288_cobalt-strike_cobaltstrike.exe C:\Windows\System\ETueuDE.exe
PID 2812 wrote to memory of 2640 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_ae2aed25a1d4e3559547fbd25c8c9288_cobalt-strike_cobaltstrike.exe C:\Windows\System\ETueuDE.exe
PID 2812 wrote to memory of 2372 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_ae2aed25a1d4e3559547fbd25c8c9288_cobalt-strike_cobaltstrike.exe C:\Windows\System\CbGBqYo.exe
PID 2812 wrote to memory of 2372 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_ae2aed25a1d4e3559547fbd25c8c9288_cobalt-strike_cobaltstrike.exe C:\Windows\System\CbGBqYo.exe
PID 2812 wrote to memory of 2372 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_ae2aed25a1d4e3559547fbd25c8c9288_cobalt-strike_cobaltstrike.exe C:\Windows\System\CbGBqYo.exe
PID 2812 wrote to memory of 2152 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_ae2aed25a1d4e3559547fbd25c8c9288_cobalt-strike_cobaltstrike.exe C:\Windows\System\QbgLdiy.exe
PID 2812 wrote to memory of 2152 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_ae2aed25a1d4e3559547fbd25c8c9288_cobalt-strike_cobaltstrike.exe C:\Windows\System\QbgLdiy.exe
PID 2812 wrote to memory of 2152 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_ae2aed25a1d4e3559547fbd25c8c9288_cobalt-strike_cobaltstrike.exe C:\Windows\System\QbgLdiy.exe
PID 2812 wrote to memory of 2328 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_ae2aed25a1d4e3559547fbd25c8c9288_cobalt-strike_cobaltstrike.exe C:\Windows\System\mNzwjnS.exe
PID 2812 wrote to memory of 2328 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_ae2aed25a1d4e3559547fbd25c8c9288_cobalt-strike_cobaltstrike.exe C:\Windows\System\mNzwjnS.exe
PID 2812 wrote to memory of 2328 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_ae2aed25a1d4e3559547fbd25c8c9288_cobalt-strike_cobaltstrike.exe C:\Windows\System\mNzwjnS.exe
PID 2812 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_ae2aed25a1d4e3559547fbd25c8c9288_cobalt-strike_cobaltstrike.exe C:\Windows\System\vUJXcAk.exe
PID 2812 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_ae2aed25a1d4e3559547fbd25c8c9288_cobalt-strike_cobaltstrike.exe C:\Windows\System\vUJXcAk.exe
PID 2812 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_ae2aed25a1d4e3559547fbd25c8c9288_cobalt-strike_cobaltstrike.exe C:\Windows\System\vUJXcAk.exe
PID 2812 wrote to memory of 1856 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_ae2aed25a1d4e3559547fbd25c8c9288_cobalt-strike_cobaltstrike.exe C:\Windows\System\VKxqRIA.exe
PID 2812 wrote to memory of 1856 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_ae2aed25a1d4e3559547fbd25c8c9288_cobalt-strike_cobaltstrike.exe C:\Windows\System\VKxqRIA.exe
PID 2812 wrote to memory of 1856 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_ae2aed25a1d4e3559547fbd25c8c9288_cobalt-strike_cobaltstrike.exe C:\Windows\System\VKxqRIA.exe
PID 2812 wrote to memory of 668 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_ae2aed25a1d4e3559547fbd25c8c9288_cobalt-strike_cobaltstrike.exe C:\Windows\System\dgxWphE.exe
PID 2812 wrote to memory of 668 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_ae2aed25a1d4e3559547fbd25c8c9288_cobalt-strike_cobaltstrike.exe C:\Windows\System\dgxWphE.exe
PID 2812 wrote to memory of 668 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_ae2aed25a1d4e3559547fbd25c8c9288_cobalt-strike_cobaltstrike.exe C:\Windows\System\dgxWphE.exe
PID 2812 wrote to memory of 1952 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_ae2aed25a1d4e3559547fbd25c8c9288_cobalt-strike_cobaltstrike.exe C:\Windows\System\NnCeTDQ.exe
PID 2812 wrote to memory of 1952 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_ae2aed25a1d4e3559547fbd25c8c9288_cobalt-strike_cobaltstrike.exe C:\Windows\System\NnCeTDQ.exe
PID 2812 wrote to memory of 1952 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_ae2aed25a1d4e3559547fbd25c8c9288_cobalt-strike_cobaltstrike.exe C:\Windows\System\NnCeTDQ.exe
PID 2812 wrote to memory of 1312 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_ae2aed25a1d4e3559547fbd25c8c9288_cobalt-strike_cobaltstrike.exe C:\Windows\System\OTcOmsH.exe
PID 2812 wrote to memory of 1312 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_ae2aed25a1d4e3559547fbd25c8c9288_cobalt-strike_cobaltstrike.exe C:\Windows\System\OTcOmsH.exe
PID 2812 wrote to memory of 1312 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_ae2aed25a1d4e3559547fbd25c8c9288_cobalt-strike_cobaltstrike.exe C:\Windows\System\OTcOmsH.exe
PID 2812 wrote to memory of 1348 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_ae2aed25a1d4e3559547fbd25c8c9288_cobalt-strike_cobaltstrike.exe C:\Windows\System\CjZBfMz.exe
PID 2812 wrote to memory of 1348 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_ae2aed25a1d4e3559547fbd25c8c9288_cobalt-strike_cobaltstrike.exe C:\Windows\System\CjZBfMz.exe
PID 2812 wrote to memory of 1348 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_ae2aed25a1d4e3559547fbd25c8c9288_cobalt-strike_cobaltstrike.exe C:\Windows\System\CjZBfMz.exe
PID 2812 wrote to memory of 964 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_ae2aed25a1d4e3559547fbd25c8c9288_cobalt-strike_cobaltstrike.exe C:\Windows\System\wEAalbW.exe
PID 2812 wrote to memory of 964 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_ae2aed25a1d4e3559547fbd25c8c9288_cobalt-strike_cobaltstrike.exe C:\Windows\System\wEAalbW.exe
PID 2812 wrote to memory of 964 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_ae2aed25a1d4e3559547fbd25c8c9288_cobalt-strike_cobaltstrike.exe C:\Windows\System\wEAalbW.exe
PID 2812 wrote to memory of 1124 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_ae2aed25a1d4e3559547fbd25c8c9288_cobalt-strike_cobaltstrike.exe C:\Windows\System\thWdDUG.exe
PID 2812 wrote to memory of 1124 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_ae2aed25a1d4e3559547fbd25c8c9288_cobalt-strike_cobaltstrike.exe C:\Windows\System\thWdDUG.exe
PID 2812 wrote to memory of 1124 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_ae2aed25a1d4e3559547fbd25c8c9288_cobalt-strike_cobaltstrike.exe C:\Windows\System\thWdDUG.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-01_ae2aed25a1d4e3559547fbd25c8c9288_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-01_ae2aed25a1d4e3559547fbd25c8c9288_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\SVmYDKc.exe

C:\Windows\System\SVmYDKc.exe

C:\Windows\System\KZTikVi.exe

C:\Windows\System\KZTikVi.exe

C:\Windows\System\eGcWAnI.exe

C:\Windows\System\eGcWAnI.exe

C:\Windows\System\LZvcqqV.exe

C:\Windows\System\LZvcqqV.exe

C:\Windows\System\XmEdtDP.exe

C:\Windows\System\XmEdtDP.exe

C:\Windows\System\NSWEnfq.exe

C:\Windows\System\NSWEnfq.exe

C:\Windows\System\PiEIIpt.exe

C:\Windows\System\PiEIIpt.exe

C:\Windows\System\oADsMrp.exe

C:\Windows\System\oADsMrp.exe

C:\Windows\System\tuQtNjv.exe

C:\Windows\System\tuQtNjv.exe

C:\Windows\System\ETueuDE.exe

C:\Windows\System\ETueuDE.exe

C:\Windows\System\CbGBqYo.exe

C:\Windows\System\CbGBqYo.exe

C:\Windows\System\QbgLdiy.exe

C:\Windows\System\QbgLdiy.exe

C:\Windows\System\mNzwjnS.exe

C:\Windows\System\mNzwjnS.exe

C:\Windows\System\vUJXcAk.exe

C:\Windows\System\vUJXcAk.exe

C:\Windows\System\VKxqRIA.exe

C:\Windows\System\VKxqRIA.exe

C:\Windows\System\dgxWphE.exe

C:\Windows\System\dgxWphE.exe

C:\Windows\System\NnCeTDQ.exe

C:\Windows\System\NnCeTDQ.exe

C:\Windows\System\OTcOmsH.exe

C:\Windows\System\OTcOmsH.exe

C:\Windows\System\CjZBfMz.exe

C:\Windows\System\CjZBfMz.exe

C:\Windows\System\wEAalbW.exe

C:\Windows\System\wEAalbW.exe

C:\Windows\System\thWdDUG.exe

C:\Windows\System\thWdDUG.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 N/A tcp (6 identical rows)

Files

memory/2812-100-0x000000013F0C0000-0x000000013F414000-memory.dmp

\Windows\system\wEAalbW.exe

MD5 602b48e9eb19e8d414c1d7cdb1cdd207
SHA1 9c05495a066ec79735c6ce6d3cbb4d51b188e670
SHA256 871415aa691150f1caae76a2a45434bb2b37cb83a6c6eb380c710fda50048a18
SHA512 8f0615b55da4d5c5269cc5224fe37a5b7e5ddbff439142b7aed4f01733bdcbc52ec84171245a27008fe0e9c60eef3b1fe688fc172a274bb2c65f61fe07718d46

\Windows\system\OTcOmsH.exe

MD5 a1b96ae0c6073330c8caa1cbe3f0305e
SHA1 9737077a09c37aa70f6353ee3a47d7738a68306c
SHA256 1921652161a9aefd8973d47713f3ce5186c846349c0a0740ebf6c9cad57f748b
SHA512 370d0e600bbe246cdfbe58d109780176dcef1478e77337c8e9007775da67d0dfa821789c87055e0b984427bbbbf754a665e3582bcda1122fc21b8816d6256b06

memory/2524-80-0x000000013F3D0000-0x000000013F724000-memory.dmp

C:\Windows\system\VKxqRIA.exe

MD5 e7639dde0775c87b28fe06afba2a5d48
SHA1 766b135a0134680c6a22f9a49d4d1e768ca59209
SHA256 ebba1ed0a2f6ae99867f54f01673e5730198e10d5c9b095ba3d8744dc97a345b
SHA512 d8cd623d2eab8859c446e1494c3c6538f5185118b97ed0005b579be6679500a696fe019ba4d35e5b44bd333ca67eb7846555cd86f0f873eeb7cd2baf0b43dd1f

\Windows\system\dgxWphE.exe

MD5 9559f2bab0e4fcdd776af89df79f2915
SHA1 e8e553e575570213f933c1778a28e75d54b798f7
SHA256 8a0badfae3f6bd2f119bcbfffd99f849c665b22d3153ce8281fd127334942f1a
SHA512 822a43efdb2d03e600ad292ce00964735d4ddce6d9ec8d13bf126623b99f4485ed15120dc1413587cee2f1bfbcecce69a637c82d7bfedc7dd50fbabdc7b9a942

C:\Windows\system\ETueuDE.exe

MD5 d5dfdf6ae0df82a8f958baee3b9a262a
SHA1 863762adcedf1ef6d642bedd245214838d6f5552
SHA256 62eb70d722ddca4468d3070fbe44fbad4c1ae8d093d3b0cbd9c4701b8ecfef9c
SHA512 8d9682d4994d56f0d82378c74148788bf7caa348a94dfe91cb45b73c45904d0e110ef9673e477e4653a8e31ca76d9c640d8a51255e52d0ad9fe4f108fdd8b2cd

\Windows\system\vUJXcAk.exe

MD5 c3ead84f56b44323c3c65f6e08c8e0a8
SHA1 851e28e92275a17bf74256b5fc852f351c5ab018
SHA256 5240257908e43e7502b28c3f1a5b8a7e7850adc146209169b8f9b703e919579e
SHA512 8c76c82ed698393f7bcd90f4e906b92a9c21e29c52f7ff634d6bef108f1f66c6d4613c012c8e9d439aec4007f502306615f1ec58cdcae800d62e576266cfa26f

\Windows\system\QbgLdiy.exe

MD5 ca3b719414faa82c1d5bc5ef8a286c59
SHA1 bc3929c94d4bcda57087fa4340f61aa14bd1f3d1
SHA256 e0872c121c8d0b7126694f1ca4b36dc2aaf5ac4f57e8779fe665a36fb17cdaba
SHA512 6004ceae9870de82d362e063005e8ea7b9b58ac1e256d4a05cd6c6216a6ce6b21783e614b07f814cdbab95749c329171c802d1a10efc2437905e677d2353d942

memory/2812-119-0x000000013FC60000-0x000000013FFB4000-memory.dmp

memory/2372-118-0x000000013F690000-0x000000013F9E4000-memory.dmp

memory/2624-117-0x000000013F0C0000-0x000000013F414000-memory.dmp

memory/2812-116-0x000000013F340000-0x000000013F694000-memory.dmp

memory/2812-115-0x000000013FF00000-0x0000000140254000-memory.dmp

memory/2228-114-0x000000013F5F0000-0x000000013F944000-memory.dmp

memory/1856-113-0x000000013FD10000-0x0000000140064000-memory.dmp

memory/2812-112-0x00000000022A0000-0x00000000025F4000-memory.dmp

memory/2640-111-0x000000013F7A0000-0x000000013FAF4000-memory.dmp

memory/2328-110-0x000000013FA60000-0x000000013FDB4000-memory.dmp

memory/2812-109-0x00000000022A0000-0x00000000025F4000-memory.dmp

memory/2812-108-0x000000013F340000-0x000000013F694000-memory.dmp

memory/2872-107-0x000000013FBE0000-0x000000013FF34000-memory.dmp

C:\Windows\system\thWdDUG.exe

MD5 837efcf40c972c6b740b59aa57072228
SHA1 d3e1e124a1ad6e4e131fb18a9abb0a22989b6d74
SHA256 8480c276942c643aa93676df8a5437acd1b79dd46a495701dd75d136da06f783
SHA512 211c7dd68adf81910f1544f04e0873942c8c1556cad4940ac450b6ced46186d9a6d4cee554e97bf2c1483ba95e11735c0b4abae2e020987988d877a1403710d5

memory/2812-104-0x00000000022A0000-0x00000000025F4000-memory.dmp

memory/2620-94-0x000000013F1B0000-0x000000013F504000-memory.dmp

C:\Windows\system\CjZBfMz.exe

MD5 d04713d9cb735e0d39bb347c042458a9
SHA1 4549de79ac84bb98b9df7d712e9d70f69ff54454
SHA256 df52e41e2532388d11908bd93835fb44ebd28715dd05e86e0c1739fd21275c61
SHA512 48a7940fcf5547a86ade3b3a5072ca8f4371a24b820841793c78e5f29f4474ce90eb9ed66778ee443cec66e7574662c13f252a5945c7914ca5e391b59682dc5f

memory/2812-88-0x000000013F1B0000-0x000000013F504000-memory.dmp

C:\Windows\system\NnCeTDQ.exe

MD5 368cdd1d043afa6c8f51af156838b334
SHA1 2eab6c112d6ddbc96faba6bfbb286ed1570f7e75
SHA256 9657be0e1ffad702d07f56f18a19de1eb3e992846cc9c8d49c633a1d0b640c9e
SHA512 380c2ce417a99a781085694973589f56da1f2f54c64fea7475a3eeb2b8fe293d2bfc8893517dc69eb87002be1e08f1e2d17a546bfc22164f72d68c5f54889292

memory/2700-84-0x000000013F340000-0x000000013F694000-memory.dmp

memory/2812-68-0x000000013F3D0000-0x000000013F724000-memory.dmp

memory/2436-66-0x000000013FF00000-0x0000000140254000-memory.dmp

C:\Windows\system\mNzwjnS.exe

MD5 489ab0c2b618198c26c367a627365b4e
SHA1 e6770ad9964604824cb7f31d08f382b8a613a955
SHA256 a4d2ebc649cd420d1a8d0e493f36a9eef53e231c38f4be1f447e2ab01fb3ac6f
SHA512 75ade5313ed4dd1124c22a5971bfaa4320e9b36d5cf9f76e3649d14f885393b4fe473ef929b472c970ea4e7f4acd50ffb16c9353e983c125a19cf4ac336fc65f

C:\Windows\system\CbGBqYo.exe

MD5 cf3a268d12d3848e97a9557e76c528e5
SHA1 b6a24c843ee3108c1391cdd2da134a799b8ba5c9
SHA256 bba12122134faec278ab0d91feb498bfc3977fa50fab8769019e514462e2d273
SHA512 0ff342a4665526ef201ed727aa69b78e36dfc536162e5cb18514657620e326f06b1f01f06349554c626462cf0d633d03b44f5a654844fa0ec99a977fa8f9cdeb

memory/2424-61-0x000000013F950000-0x000000013FCA4000-memory.dmp

C:\Windows\system\oADsMrp.exe

MD5 22b579f2a4f58053f53acbc54d06eabb
SHA1 f8c89e523d5978c51ce8228624d3bfb348cfc273
SHA256 c11ff34308137e01d376af68b041c13722636bffce105ad37a9960724ca382ed
SHA512 14d7f4d634026ba5e8112d30db995907fa8832a227d1bc594f8aede053c8782a7009a9f85c4d0bbefd4e73acd2d54ccdc03098d81a2f1879b7f93c24f73128f1

C:\Windows\system\tuQtNjv.exe

MD5 c80adb28155129411cda60066758f6df
SHA1 336f28b8b1a7a1670f939fb840a9a3d28eadde35
SHA256 e652e08227f9e6a104c016692ffe302ead4ef575c9af4b0e3cd21c1b8be1db2a
SHA512 7462e03fad53d95553761971a182704e87142a5474bdb143ee083faa11bae5d9006e537bec8065179a95729e5c3d57e295f13b4ea47fa6875518d17f649407e9

C:\Windows\system\NSWEnfq.exe

MD5 cb315404fce91eb3f46d51354e391254
SHA1 32eaa9e9fe64afd266c25ddb0ef3126f6f50c717
SHA256 21f0db38236cf6035ab039a3e993f48dc3d8015b28096b9a0c280ad3e8e981d5
SHA512 c120bdbba705e7a0a6d655708ba7ccc9c6aca08afa5b3e83dc57eec0e046af6d1311fc3c26f8776cbfbcbb90593d8cfa54221cfcb77b83d31ec0d40739f2a1ab

C:\Windows\system\PiEIIpt.exe

MD5 07d224cf70e7066237080f4bc9afa910
SHA1 1b801e0dda721cd638b3091ca5461f44fda51c2f
SHA256 aa434ca0b50b9fc6723447c6e4b0efda392f20a3b9ed0c479cb49d248bcca9d8
SHA512 a326229abc018cb5eaff23567173e799e5a9fa8c5bf8a9815d2a54e1125d1e224e07d85ec48056111ecfa886c16bb95ba291f1ac1f62d13aa009085ba5fea767

memory/2812-29-0x00000000022A0000-0x00000000025F4000-memory.dmp

C:\Windows\system\XmEdtDP.exe

MD5 c7d01b3f25948bca4ab178bf90c6231c
SHA1 adc6bbb4a523a46af0be205ee67e6695fc5db1ea
SHA256 8cb554f15a18064fc3d332bbbbf55d29edbe1b9ed319dda8fb8ee899a4f900ba
SHA512 9c0025cb26642ff30e3feada8c9c1f1f5f9a3b7c0c235764bdd5bcaa3593e6c09cd6b4add1b660cb30561bea0e9b019fe68b5852afd930566c3916641c7347f2

C:\Windows\system\LZvcqqV.exe

MD5 f58eaac99555aeb6b0e06561dc1133ac
SHA1 0f7408d362515e5ec0df8193c2fa9a64fcf97d92
SHA256 652ce6ec63dfeaa9ad5e5ac2e8083340b533c2ff8766625a85bb5982d63f028d
SHA512 2ae4147c963987c0bc99a08dc5552b1bf1d19e460c34b9dcb9724a68d32335f77d87d23eec3a1c1721d43e7504f2e79136ffee1271f38a20a459b4d2edbafadb

memory/2812-131-0x000000013F860000-0x000000013FBB4000-memory.dmp

C:\Windows\system\eGcWAnI.exe

MD5 ff539277909ce930a817053771dbfa40
SHA1 c5a3b06801d89616bb4a66e4ef934977aa7128c0
SHA256 74df70996e5a4cebdb93bdc40d5d4c64263c66a0300f16a4e3cf312de1543273
SHA512 53f35ab8f3727e086e7965d098ce096227679b0f0cb35fd6e0230e15c42f8f31aab6773d7d019db0dd4d698f7880c33a148bfddda5fe84d4423b7374830dc300

C:\Windows\system\KZTikVi.exe

MD5 773ce3453a1edc2ed67e074f6ff3fe5a
SHA1 d504f5c60b7cafb6c1a7616c3720bca966afcef6
SHA256 8cd31d60238a1de7e6cc6c4d23b6081c971f20b5907c5a68e1a66a4dd153923d
SHA512 9a6c84ab82c9bf97bd86e6b3cc202d0494bce421917b5522a85638e052bede22f55e0d7a15fa85b8780b68b38772e2b0635f406b679d8fb090eba52594395740

memory/1896-11-0x000000013F5E0000-0x000000013F934000-memory.dmp

C:\Windows\system\SVmYDKc.exe

MD5 749159174fb92fa703e2fccbd242f548
SHA1 4ca865e5ac5d524ae65b8f88bfdab0a63f01e3b1
SHA256 b741aac1dcecf514150c0b56dca6561efabc21308b6757e929573e266c924f41
SHA512 572979f74a7f795218d233d37516c9ce27b2b3d6e12d4168f5a9a00e6c34ca61c0e9076f4faa1b86f0ee2db5093162d57b25de61fa575ba2fafdd74725e7ce6f

memory/2812-1-0x00000000000F0000-0x0000000000100000-memory.dmp

memory/2812-0-0x000000013F860000-0x000000013FBB4000-memory.dmp

memory/2812-133-0x00000000022A0000-0x00000000025F4000-memory.dmp

memory/2812-132-0x00000000022A0000-0x00000000025F4000-memory.dmp

memory/2812-134-0x00000000022A0000-0x00000000025F4000-memory.dmp

memory/1856-135-0x000000013FD10000-0x0000000140064000-memory.dmp

memory/1896-136-0x000000013F5E0000-0x000000013F934000-memory.dmp

memory/2228-138-0x000000013F5F0000-0x000000013F944000-memory.dmp

memory/2424-137-0x000000013F950000-0x000000013FCA4000-memory.dmp

memory/2436-139-0x000000013FF00000-0x0000000140254000-memory.dmp

memory/2524-140-0x000000013F3D0000-0x000000013F724000-memory.dmp

memory/2620-141-0x000000013F1B0000-0x000000013F504000-memory.dmp

memory/2624-142-0x000000013F0C0000-0x000000013F414000-memory.dmp

memory/2700-143-0x000000013F340000-0x000000013F694000-memory.dmp

memory/2328-145-0x000000013FA60000-0x000000013FDB4000-memory.dmp

memory/2872-144-0x000000013FBE0000-0x000000013FF34000-memory.dmp

memory/2372-146-0x000000013F690000-0x000000013F9E4000-memory.dmp

memory/2640-147-0x000000013F7A0000-0x000000013FAF4000-memory.dmp

memory/1856-148-0x000000013FD10000-0x0000000140064000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-01 15:44

Reported

2024-06-01 15:47

Platform

win10v2004-20240508-en

Max time kernel

148s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-01_ae2aed25a1d4e3559547fbd25c8c9288_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A
(21 hits recorded for this signature; the report captured no description, indicator, process or target for any of them)

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A
(21 hits recorded for this signature; the report captured no description, indicator, process or target for any of them)

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A
(64 hits recorded for this signature; the report captured no description, indicator, process or target for any of them)

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
(64 hits recorded for this signature; the report captured no description, indicator, process or target for any of them)

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
(64 hits recorded for this signature; the report captured no description, indicator, process or target for any of them)

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\IYWbHqy.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_ae2aed25a1d4e3559547fbd25c8c9288_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\JQmaebP.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_ae2aed25a1d4e3559547fbd25c8c9288_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\lsVMocZ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_ae2aed25a1d4e3559547fbd25c8c9288_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\njOnVvD.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_ae2aed25a1d4e3559547fbd25c8c9288_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\WvkjKTd.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_ae2aed25a1d4e3559547fbd25c8c9288_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\KrDoDmI.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_ae2aed25a1d4e3559547fbd25c8c9288_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\StNAhPX.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_ae2aed25a1d4e3559547fbd25c8c9288_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\kWnwVcV.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_ae2aed25a1d4e3559547fbd25c8c9288_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\vxhsMZx.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_ae2aed25a1d4e3559547fbd25c8c9288_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\uxoCLfM.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_ae2aed25a1d4e3559547fbd25c8c9288_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\OewGOei.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_ae2aed25a1d4e3559547fbd25c8c9288_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\LsyUovz.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_ae2aed25a1d4e3559547fbd25c8c9288_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\Gaioxiy.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_ae2aed25a1d4e3559547fbd25c8c9288_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\NjDEbqV.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_ae2aed25a1d4e3559547fbd25c8c9288_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\YItwdjz.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_ae2aed25a1d4e3559547fbd25c8c9288_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\YarFXZE.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_ae2aed25a1d4e3559547fbd25c8c9288_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\PldVxsa.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_ae2aed25a1d4e3559547fbd25c8c9288_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\lfrhIHq.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_ae2aed25a1d4e3559547fbd25c8c9288_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\dSBofDE.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_ae2aed25a1d4e3559547fbd25c8c9288_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\boDNTOA.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_ae2aed25a1d4e3559547fbd25c8c9288_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\vuhXzAs.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_ae2aed25a1d4e3559547fbd25c8c9288_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_ae2aed25a1d4e3559547fbd25c8c9288_cobalt-strike_cobaltstrike.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_ae2aed25a1d4e3559547fbd25c8c9288_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4528 wrote to memory of 4212 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_ae2aed25a1d4e3559547fbd25c8c9288_cobalt-strike_cobaltstrike.exe C:\Windows\System\IYWbHqy.exe
PID 4528 wrote to memory of 4212 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_ae2aed25a1d4e3559547fbd25c8c9288_cobalt-strike_cobaltstrike.exe C:\Windows\System\IYWbHqy.exe
PID 4528 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_ae2aed25a1d4e3559547fbd25c8c9288_cobalt-strike_cobaltstrike.exe C:\Windows\System\JQmaebP.exe
PID 4528 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_ae2aed25a1d4e3559547fbd25c8c9288_cobalt-strike_cobaltstrike.exe C:\Windows\System\JQmaebP.exe
PID 4528 wrote to memory of 1820 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_ae2aed25a1d4e3559547fbd25c8c9288_cobalt-strike_cobaltstrike.exe C:\Windows\System\lfrhIHq.exe
PID 4528 wrote to memory of 1820 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_ae2aed25a1d4e3559547fbd25c8c9288_cobalt-strike_cobaltstrike.exe C:\Windows\System\lfrhIHq.exe
PID 4528 wrote to memory of 4720 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_ae2aed25a1d4e3559547fbd25c8c9288_cobalt-strike_cobaltstrike.exe C:\Windows\System\dSBofDE.exe
PID 4528 wrote to memory of 4720 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_ae2aed25a1d4e3559547fbd25c8c9288_cobalt-strike_cobaltstrike.exe C:\Windows\System\dSBofDE.exe
PID 4528 wrote to memory of 3048 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_ae2aed25a1d4e3559547fbd25c8c9288_cobalt-strike_cobaltstrike.exe C:\Windows\System\StNAhPX.exe
PID 4528 wrote to memory of 3048 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_ae2aed25a1d4e3559547fbd25c8c9288_cobalt-strike_cobaltstrike.exe C:\Windows\System\StNAhPX.exe
PID 4528 wrote to memory of 4740 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_ae2aed25a1d4e3559547fbd25c8c9288_cobalt-strike_cobaltstrike.exe C:\Windows\System\Gaioxiy.exe
PID 4528 wrote to memory of 4740 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_ae2aed25a1d4e3559547fbd25c8c9288_cobalt-strike_cobaltstrike.exe C:\Windows\System\Gaioxiy.exe
PID 4528 wrote to memory of 2084 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_ae2aed25a1d4e3559547fbd25c8c9288_cobalt-strike_cobaltstrike.exe C:\Windows\System\lsVMocZ.exe
PID 4528 wrote to memory of 2084 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_ae2aed25a1d4e3559547fbd25c8c9288_cobalt-strike_cobaltstrike.exe C:\Windows\System\lsVMocZ.exe
PID 4528 wrote to memory of 3356 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_ae2aed25a1d4e3559547fbd25c8c9288_cobalt-strike_cobaltstrike.exe C:\Windows\System\kWnwVcV.exe
PID 4528 wrote to memory of 3356 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_ae2aed25a1d4e3559547fbd25c8c9288_cobalt-strike_cobaltstrike.exe C:\Windows\System\kWnwVcV.exe
PID 4528 wrote to memory of 3512 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_ae2aed25a1d4e3559547fbd25c8c9288_cobalt-strike_cobaltstrike.exe C:\Windows\System\vxhsMZx.exe
PID 4528 wrote to memory of 3512 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_ae2aed25a1d4e3559547fbd25c8c9288_cobalt-strike_cobaltstrike.exe C:\Windows\System\vxhsMZx.exe
PID 4528 wrote to memory of 4460 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_ae2aed25a1d4e3559547fbd25c8c9288_cobalt-strike_cobaltstrike.exe C:\Windows\System\NjDEbqV.exe
PID 4528 wrote to memory of 4460 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_ae2aed25a1d4e3559547fbd25c8c9288_cobalt-strike_cobaltstrike.exe C:\Windows\System\NjDEbqV.exe
PID 4528 wrote to memory of 2368 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_ae2aed25a1d4e3559547fbd25c8c9288_cobalt-strike_cobaltstrike.exe C:\Windows\System\njOnVvD.exe
PID 4528 wrote to memory of 2368 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_ae2aed25a1d4e3559547fbd25c8c9288_cobalt-strike_cobaltstrike.exe C:\Windows\System\njOnVvD.exe
PID 4528 wrote to memory of 4420 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_ae2aed25a1d4e3559547fbd25c8c9288_cobalt-strike_cobaltstrike.exe C:\Windows\System\YItwdjz.exe
PID 4528 wrote to memory of 4420 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_ae2aed25a1d4e3559547fbd25c8c9288_cobalt-strike_cobaltstrike.exe C:\Windows\System\YItwdjz.exe
PID 4528 wrote to memory of 4512 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_ae2aed25a1d4e3559547fbd25c8c9288_cobalt-strike_cobaltstrike.exe C:\Windows\System\boDNTOA.exe
PID 4528 wrote to memory of 4512 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_ae2aed25a1d4e3559547fbd25c8c9288_cobalt-strike_cobaltstrike.exe C:\Windows\System\boDNTOA.exe
PID 4528 wrote to memory of 2948 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_ae2aed25a1d4e3559547fbd25c8c9288_cobalt-strike_cobaltstrike.exe C:\Windows\System\WvkjKTd.exe
PID 4528 wrote to memory of 2948 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_ae2aed25a1d4e3559547fbd25c8c9288_cobalt-strike_cobaltstrike.exe C:\Windows\System\WvkjKTd.exe
PID 4528 wrote to memory of 1740 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_ae2aed25a1d4e3559547fbd25c8c9288_cobalt-strike_cobaltstrike.exe C:\Windows\System\YarFXZE.exe
PID 4528 wrote to memory of 1740 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_ae2aed25a1d4e3559547fbd25c8c9288_cobalt-strike_cobaltstrike.exe C:\Windows\System\YarFXZE.exe
PID 4528 wrote to memory of 4944 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_ae2aed25a1d4e3559547fbd25c8c9288_cobalt-strike_cobaltstrike.exe C:\Windows\System\uxoCLfM.exe
PID 4528 wrote to memory of 4944 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_ae2aed25a1d4e3559547fbd25c8c9288_cobalt-strike_cobaltstrike.exe C:\Windows\System\uxoCLfM.exe
PID 4528 wrote to memory of 332 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_ae2aed25a1d4e3559547fbd25c8c9288_cobalt-strike_cobaltstrike.exe C:\Windows\System\PldVxsa.exe
PID 4528 wrote to memory of 332 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_ae2aed25a1d4e3559547fbd25c8c9288_cobalt-strike_cobaltstrike.exe C:\Windows\System\PldVxsa.exe
PID 4528 wrote to memory of 2064 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_ae2aed25a1d4e3559547fbd25c8c9288_cobalt-strike_cobaltstrike.exe C:\Windows\System\OewGOei.exe
PID 4528 wrote to memory of 2064 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_ae2aed25a1d4e3559547fbd25c8c9288_cobalt-strike_cobaltstrike.exe C:\Windows\System\OewGOei.exe
PID 4528 wrote to memory of 728 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_ae2aed25a1d4e3559547fbd25c8c9288_cobalt-strike_cobaltstrike.exe C:\Windows\System\vuhXzAs.exe
PID 4528 wrote to memory of 728 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_ae2aed25a1d4e3559547fbd25c8c9288_cobalt-strike_cobaltstrike.exe C:\Windows\System\vuhXzAs.exe
PID 4528 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_ae2aed25a1d4e3559547fbd25c8c9288_cobalt-strike_cobaltstrike.exe C:\Windows\System\KrDoDmI.exe
PID 4528 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_ae2aed25a1d4e3559547fbd25c8c9288_cobalt-strike_cobaltstrike.exe C:\Windows\System\KrDoDmI.exe
PID 4528 wrote to memory of 4956 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_ae2aed25a1d4e3559547fbd25c8c9288_cobalt-strike_cobaltstrike.exe C:\Windows\System\LsyUovz.exe
PID 4528 wrote to memory of 4956 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_ae2aed25a1d4e3559547fbd25c8c9288_cobalt-strike_cobaltstrike.exe C:\Windows\System\LsyUovz.exe
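Two things a practitioner reads out of the tables above: SeLockMemoryPrivilege is the privilege XMRig requests so it can back its scratchpad with large pages, which fits the miner tag, and every WriteProcessMemory row pairs the submitted sample (PID 4528) with one of the files it just dropped, which matches the parent launching each drop rather than anything more exotic. The script below is an added example, not part of the report or of the sandbox's own tooling. It parses the row text of both tables, collapses the doubled WriteProcessMemory rows into one parent-to-child edge, checks that every dropped file was also launched, and applies a hunting heuristic assumed by this example (seven-letter alphabetic names dropped directly under C:\Windows\System). Six of the 21 children are included to keep the sample short; the placeholder {PARENT} stands in for the sample's full path.

```python
import re
from collections import defaultdict

# Added example (not part of the report). Row text copied from the two tables above;
# six of the 21 children are included so the sample stays short. {PARENT} stands in
# for the full path of the submitted sample.
PARENT = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\2024-06-01_ae2aed25a1d4e3559547fbd25c8c9288_cobalt-strike_cobaltstrike.exe")

WPM_ROWS = r"""
PID 4528 wrote to memory of 4212 N/A {PARENT} C:\Windows\System\IYWbHqy.exe
PID 4528 wrote to memory of 4212 N/A {PARENT} C:\Windows\System\IYWbHqy.exe
PID 4528 wrote to memory of 2684 N/A {PARENT} C:\Windows\System\JQmaebP.exe
PID 4528 wrote to memory of 2684 N/A {PARENT} C:\Windows\System\JQmaebP.exe
PID 4528 wrote to memory of 1820 N/A {PARENT} C:\Windows\System\lfrhIHq.exe
PID 4528 wrote to memory of 1820 N/A {PARENT} C:\Windows\System\lfrhIHq.exe
PID 4528 wrote to memory of 4720 N/A {PARENT} C:\Windows\System\dSBofDE.exe
PID 4528 wrote to memory of 4720 N/A {PARENT} C:\Windows\System\dSBofDE.exe
PID 4528 wrote to memory of 3048 N/A {PARENT} C:\Windows\System\StNAhPX.exe
PID 4528 wrote to memory of 3048 N/A {PARENT} C:\Windows\System\StNAhPX.exe
PID 4528 wrote to memory of 4740 N/A {PARENT} C:\Windows\System\Gaioxiy.exe
PID 4528 wrote to memory of 4740 N/A {PARENT} C:\Windows\System\Gaioxiy.exe
""".replace("{PARENT}", PARENT)

DROP_ROWS = r"""
File created C:\Windows\System\IYWbHqy.exe {PARENT} N/A
File created C:\Windows\System\JQmaebP.exe {PARENT} N/A
File created C:\Windows\System\StNAhPX.exe {PARENT} N/A
File created C:\Windows\System\Gaioxiy.exe {PARENT} N/A
File created C:\Windows\System\lfrhIHq.exe {PARENT} N/A
File created C:\Windows\System\dSBofDE.exe {PARENT} N/A
""".replace("{PARENT}", PARENT)

WPM_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)$")
DROP_RE = re.compile(r"^File created (\S+) (\S+) N/A$")
SEVEN_LETTERS = re.compile(r"^[A-Za-z]{7}\.exe$")


def parse_wpm(text):
    # {parent_pid: {child_pid: target_path}}. The sandbox logs two WriteProcessMemory
    # calls per child, so the duplicated rows collapse into one parent->child edge.
    tree = defaultdict(dict)
    for line in text.strip().splitlines():
        m = WPM_RE.match(line.strip())
        if m:
            parent, child, _source, target = m.groups()
            tree[int(parent)][int(child)] = target
    return dict(tree)


def parse_drops(text):
    # Set of paths the "Drops file in Windows directory" rows say were created.
    paths = set()
    for line in text.strip().splitlines():
        m = DROP_RE.match(line.strip())
        if m:
            paths.add(m.group(1))
    return paths


def unlaunched_drops(drops, tree):
    # Dropped files that never appear as a WriteProcessMemory target.
    launched = {target for children in tree.values() for target in children.values()}
    return sorted(drops - launched)


def seven_letter_names_in_windows_system(paths):
    # Heuristic assumed by this example, not a report finding: this sample names every
    # drop with seven letters directly under C:\Windows\System, which is unusual for
    # legitimate software and cheap to hunt for in file-creation telemetry.
    hits = []
    for path in paths:
        folder, _, name = path.rpartition("\\")
        if folder.lower() == r"c:\windows\system" and SEVEN_LETTERS.match(name):
            hits.append(path)
    return sorted(hits)


if __name__ == "__main__":
    tree = parse_wpm(WPM_ROWS)
    drops = parse_drops(DROP_ROWS)
    for parent, children in tree.items():
        print(f"PID {parent} launched {len(children)} dropped executables")
    print("dropped but never launched:", unlaunched_drops(drops, tree))
    print("seven-letter drops:", seven_letter_names_in_windows_system(drops))
```

Run against the full 21-row tables, the unlaunched list is empty as well: every file the sample writes into C:\Windows\System is executed by PID 4528, which is also what the Processes list below shows.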

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-01_ae2aed25a1d4e3559547fbd25c8c9288_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-01_ae2aed25a1d4e3559547fbd25c8c9288_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\IYWbHqy.exe

C:\Windows\System\IYWbHqy.exe

C:\Windows\System\JQmaebP.exe

C:\Windows\System\JQmaebP.exe

C:\Windows\System\lfrhIHq.exe

C:\Windows\System\lfrhIHq.exe

C:\Windows\System\dSBofDE.exe

C:\Windows\System\dSBofDE.exe

C:\Windows\System\StNAhPX.exe

C:\Windows\System\StNAhPX.exe

C:\Windows\System\Gaioxiy.exe

C:\Windows\System\Gaioxiy.exe

C:\Windows\System\lsVMocZ.exe

C:\Windows\System\lsVMocZ.exe

C:\Windows\System\kWnwVcV.exe

C:\Windows\System\kWnwVcV.exe

C:\Windows\System\vxhsMZx.exe

C:\Windows\System\vxhsMZx.exe

C:\Windows\System\NjDEbqV.exe

C:\Windows\System\NjDEbqV.exe

C:\Windows\System\njOnVvD.exe

C:\Windows\System\njOnVvD.exe

C:\Windows\System\YItwdjz.exe

C:\Windows\System\YItwdjz.exe

C:\Windows\System\boDNTOA.exe

C:\Windows\System\boDNTOA.exe

C:\Windows\System\WvkjKTd.exe

C:\Windows\System\WvkjKTd.exe

C:\Windows\System\YarFXZE.exe

C:\Windows\System\YarFXZE.exe

C:\Windows\System\uxoCLfM.exe

C:\Windows\System\uxoCLfM.exe

C:\Windows\System\PldVxsa.exe

C:\Windows\System\PldVxsa.exe

C:\Windows\System\OewGOei.exe

C:\Windows\System\OewGOei.exe

C:\Windows\System\vuhXzAs.exe

C:\Windows\System\vuhXzAs.exe

C:\Windows\System\KrDoDmI.exe

C:\Windows\System\KrDoDmI.exe

C:\Windows\System\LsyUovz.exe

C:\Windows\System\LsyUovz.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 100.58.20.217.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 98.56.20.217.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 80.90.14.23.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
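The table mixes three kinds of traffic: PTR lookups sent to 8.8.8.8, bing.com/bing.net connections that a Windows sandbox VM makes on its own, and six TCP connections to 3.120.209.58:8080 with no DNS name attached at all. The report does not attribute that endpoint to either family, and the script below does not either; it is an added example (not from the report or the sandbox vendor) that parses the 29 rows verbatim, separates the three classes, counts the direct-to-IP connections, and turns the PTR names back into the addresses the VM was asking about. Treating bing traffic as OS background is an assumption of this example.

```python
import ipaddress
import re
from collections import Counter

# Added example (not part of the report). The 29 rows are copied verbatim from the
# behavioral2 Network table; the Domain column is empty for the direct-to-IP rows.
NETWORK_ROWS = """
US 8.8.8.8:53 100.58.20.217.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 98.56.20.217.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 80.90.14.23.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
"""

ROW_RE = re.compile(r"^([A-Z]{2}) (\S+):(\d+)(?: (\S+))? (tcp|udp)$")
# Assumption of this example: bing.com/bing.net traffic from a Windows sandbox VM is
# OS background activity (Start menu / search), not something the sample initiated.
BACKGROUND_SUFFIXES = ("bing.com", "bing.net")


def parse_rows(text):
    rows = []
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            cc, ip, port, domain, proto = m.groups()
            rows.append({"cc": cc, "ip": ip, "port": int(port), "domain": domain, "proto": proto})
    return rows


def ptr_to_ip(name):
    # "100.58.20.217.in-addr.arpa" -> "217.20.58.100": PTR names reverse the octets.
    octets = name[: -len(".in-addr.arpa")].split(".")
    return str(ipaddress.ip_address(".".join(reversed(octets))))


def classify(row):
    domain = row["domain"]
    if domain and domain.endswith(".in-addr.arpa"):
        return "ptr-lookup"
    if domain and domain.endswith(BACKGROUND_SUFFIXES):
        return "os-background"
    if domain is None:
        return "direct-ip"
    return "other"


def direct_ip_summary(rows):
    # (ip, port) -> number of connections that had no DNS name attached at all.
    return dict(Counter((r["ip"], r["port"]) for r in rows if classify(r) == "direct-ip"))


def ptr_targets(rows):
    # Addresses the VM requested reverse records for.
    return sorted({ptr_to_ip(r["domain"]) for r in rows if classify(r) == "ptr-lookup"})


if __name__ == "__main__":
    rows = parse_rows(NETWORK_ROWS)
    print(Counter(classify(r) for r in rows))
    for (ip, port), n in direct_ip_summary(rows).items():
        print(f"{n} direct TCP connections to {ip}:{port} with no DNS resolution in the log")
    print("reverse lookups for:", ", ".join(ptr_targets(rows)))
```

The direct-to-IP rows are the ones to pivot on in proxy and NetFlow data; the PTR lookups are worth keeping only because they show which addresses the VM was resolving, none of which is the 8080 endpoint.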

Files

memory/4528-0-0x00007FF685DB0000-0x00007FF686104000-memory.dmp

memory/4528-1-0x0000022ED6A00000-0x0000022ED6A10000-memory.dmp

C:\Windows\System\IYWbHqy.exe

MD5 d9dea36648f68cc4e250f9c3c41026a5
SHA1 65fe9ccec7a9ebedb7f495af059dda329a3e0cc9
SHA256 f6df7f7ceb0a99bf33f320a5d9fe4efe4cf3825b34d83c12dfb3b04ded5278f5
SHA512 c4cc67389e830345c0ec611ca94b3783fdfafb3715bf3ecb7d30064d651fc1153a5bdf31d6e17eb3658968cba385b8a1f786bd0a77dff46a4e14371ecec476cc

C:\Windows\System\lfrhIHq.exe

MD5 53f2404f924a72af125ec2cc68c13710
SHA1 cd46f30a8fce1a4ac545330562f2d9999d707ca4
SHA256 d8ab6defc0b0df29f616b37e648c7233aae7950afdcafcf7f4246f043a4b032f
SHA512 9dd68ec0cb0c5527db3a1faeb2ba0ae3db1a36a076a76cbaa7eede274df8cb2a1d91031ca93304e55fde7e5ad699fb357747b56a21e431a248edf62c5da53aa4

C:\Windows\System\dSBofDE.exe

MD5 11d4b827aa1241aa9fd4d9f32ae41a8f
SHA1 1ed1c66b48b2d474822dd5074e1e18f10a515a7a
SHA256 aac0ce5ee3450098426a74524d2051a3bbf53a207a036b94f63d70f054e76609
SHA512 5d52e7caf8e885a02606933c36cc893591025307af077eac841e2753e1fc50717391e9db88b547a2ba8f41e5c7f0e88632236d5c22b44d1721612b1c3fd12b41

memory/1820-22-0x00007FF64D270000-0x00007FF64D5C4000-memory.dmp

memory/2684-17-0x00007FF685C30000-0x00007FF685F84000-memory.dmp

C:\Windows\System\JQmaebP.exe

MD5 03581e2289b485462a1b595ef25827d1
SHA1 b619e73faecaa40a52cce34238d754b3932c78ae
SHA256 312bfb222e53ae1391267bac9f6d64357dd0588f5420c5b2dea9066cf6fa5a8e
SHA512 2f9859a928fa99404f26567ac9c77fa6025c9b5e2e1aaef4f60944e61d1d4227deaf8ecfa0b33f007f56568b5545b9356d142c1a95df203ef8a4f983905ad33d

memory/4212-10-0x00007FF7AD690000-0x00007FF7AD9E4000-memory.dmp

memory/4720-29-0x00007FF61C1C0000-0x00007FF61C514000-memory.dmp

C:\Windows\System\StNAhPX.exe

MD5 51972d6a072c514ac680d84047d21fbe
SHA1 dfc87a009b40a8976c10cc31836045648927ac69
SHA256 1b17e4a2b9c1f06f9d1b701b7fea53be6094fd362424d497e31a063525361aec
SHA512 f09553aed2dd43dbbcbf6de64e710e28e5da2b1ec38e3f859d3ad4f0c7658d9f4db8e6a280d2ce3a4d852cab39092a04364705becad186a5581b038ce21bb8d2

memory/4740-45-0x00007FF633220000-0x00007FF633574000-memory.dmp

memory/3512-51-0x00007FF74CE20000-0x00007FF74D174000-memory.dmp

C:\Windows\System\vxhsMZx.exe

MD5 a51bc24c34431e64cea87b205dc0c55e
SHA1 a57235717c5bb62022749d3272b6e98f14e4a6be
SHA256 bcafb06b316a73a98544852df42bdbd84eb7f974ac76b70ea600a89de4c73406
SHA512 516b9a2304101c6c9e595f3b8faab4bdd4abc47a237510fc85ef9edb01f7ec51c1d7e5dddabea0cb604fe9884943d0fac6f4e8545c9eb3b71a68f6ea0b402fe4

C:\Windows\System\kWnwVcV.exe

MD5 e0b74196415c1d77a5cc03a0a879998b
SHA1 56fcce11811714694917020fc6776b5af5b046c9
SHA256 0325f71eb320cd2782ba7af9f0dafd3c898633e23a0464f1249402f3f4eeb297
SHA512 05d47fcf920ade330556d6068c2ab897e67d342a1fffbd06d98ab1cf19d3f9016c22ec679ae447b8761ffaf1126e1fd813344c961dda0ab8e8c486aadaaccf39

memory/3356-52-0x00007FF766560000-0x00007FF7668B4000-memory.dmp

memory/2084-50-0x00007FF73B0B0000-0x00007FF73B404000-memory.dmp

C:\Windows\System\lsVMocZ.exe

MD5 16f8c4f36a1eb13fac45feb24b6ff31a
SHA1 0508f361cbda222d43ad21c0faa9ad57cf803f8c
SHA256 3a78ec15f44f537b4c5cdc9fee5478cd3d2bda4f00f196c849976b472b7eed35
SHA512 daa73c5a847126a0dfb2d0e7d5f8fbbd9b37c8975c1b8528e1b68ddca47c162cd6f2876de67375c0958de78ae3dfcc9790c66751f995d85a4a5b3f7ab36455f1

C:\Windows\System\Gaioxiy.exe

MD5 4e011b34ccc6c0f38377eb4cd9ce2b9f
SHA1 f6585e5f89c3bdf25a24630e605472dd296905c4
SHA256 ad10a626c2cf6a484a1086ba3d4dc7f1273190635b20247697006043a5c3e185
SHA512 f19ecda9b1b50b467a058f80c56e43bf2c39ab2137ec2d123aa6563ef2c244a9e93f54d986f7338a5ec09e3c2a8d6282d81084417dae34946e108129b30f18bb

memory/3048-32-0x00007FF6C57E0000-0x00007FF6C5B34000-memory.dmp

C:\Windows\System\NjDEbqV.exe

MD5 7ccc69b7ccd45ee983e704040763a4ef
SHA1 494922cd48754143184207922dd4e9031924c4f1
SHA256 675d63ca290df0b4c8f77b96008a3a6cd3dca11331cf7462786132f5db44b20c
SHA512 cdac545cb3c2b65d7fb18035a6fab3b9a4c7cd8024d87362f9792e84def29e6dc0b5476d00c3dda6adf57ef276ddbc9381944c702600966c8753e88d2a471ae8

memory/4460-62-0x00007FF604450000-0x00007FF6047A4000-memory.dmp

C:\Windows\System\njOnVvD.exe

MD5 5f12d7a7cd10b11921baade753c5a732
SHA1 da639f98f2dbdd19bd3082a606f528a62ade85c2
SHA256 5babe8e8d9407711b569be6e23d9acea02c4cafc389fa70968e65ebbfa9b857e
SHA512 9cd9ab3f458dd25b77126839ce4c989d51c40fd7e40228e76c1eca90ec272c79f4acf36f6d9604b64f3f09032980fa15143445dac0c262def498a43700f7452a

memory/2368-71-0x00007FF7A23F0000-0x00007FF7A2744000-memory.dmp

memory/4212-73-0x00007FF7AD690000-0x00007FF7AD9E4000-memory.dmp

C:\Windows\System\YItwdjz.exe

MD5 351498bb7a418347eaf211af64cbeee5
SHA1 63cfa7ac0307060146612f14795b68851fc2ce03
SHA256 06779319118c638ffdebc02b46b463e4ec3d73763f2cdbe5970e66d3e18bcbd5
SHA512 fd311f529e0c3aec247755074f212355ea8390dc29237e6496fea9c94f7bf32d5f77c5a8340e646a3a8ee03adbb37f1cb4958418a264dd8352c1896c073fbf9b

memory/4420-74-0x00007FF6518D0000-0x00007FF651C24000-memory.dmp

C:\Windows\System\boDNTOA.exe

MD5 b51657c366236640ebd57032c98cc2a8
SHA1 5c2762337a66d5be67993a65b45c475666459c60
SHA256 f131e6e02de94073ea9d2f53a674941d95f15c04cb9c28570560590d78c34068
SHA512 4f4699c549b5233517f6c0d6938f47b54f5cba86567b5cabb005735d177b071f5dafbacf97c66b1d078ed42c6706cc455c9599fcee0c5bec1c44edb0462efc07

C:\Windows\System\YarFXZE.exe

MD5 51c62903824a938f3d2545899c0fdb7f
SHA1 5c2586d8cb8acbe1d9e70492721abea6f5e20fe6
SHA256 1a1704548cae72d042e206ea7a26766219434a91d6109da702f63f3bbf97db2b
SHA512 af56f2e8e67dfc60795080c159ddebb0ed8147a9aaa3bca101e517365902912ad14a090b21ecd5ae4d46e8de7631fa2ed452c709fb85bab097b2d1bb367ed04d

C:\Windows\System\uxoCLfM.exe

MD5 ed0508f20ed63c4fcbbc3e1704f5f7d5
SHA1 32c7b2f7b28c675051ec0580e3893bbc47735b5d
SHA256 6dc38ea46626ec2bd10ed409df57d252da720cfab0ae5857e4b4823ad880b1af
SHA512 ee26229df23991f6c023979151d09f81e6a6f02a140297d952b8508074603e683696f90bfd33d278e3d8398f934e2d678e0470fe33636630d54e25184594bbd2

memory/1740-101-0x00007FF7E95F0000-0x00007FF7E9944000-memory.dmp

C:\Windows\System\PldVxsa.exe

MD5 1c8a3389420360f3424879e1c75db82a
SHA1 3ca65691a8d10e2c8cfb26eee804a8f7838fde00
SHA256 2e4122efb51c3c663e6ef76aebbdc7a26ff778473e02cbd428390dcfe01a6d4d
SHA512 5077639635331d5806173f8ded12db94bf3a836650f6685030be9995dc7be526d0b70ae4fb73eaa163d2b34e43ed08a7473cdebf044ed7f4bfcc148d4582141b

memory/332-103-0x00007FF7E6C60000-0x00007FF7E6FB4000-memory.dmp

memory/4944-102-0x00007FF68F1B0000-0x00007FF68F504000-memory.dmp

memory/3048-100-0x00007FF6C57E0000-0x00007FF6C5B34000-memory.dmp

C:\Windows\System\WvkjKTd.exe

MD5 a966cc57bcfe705c16747cc3af958b15
SHA1 e617ed52b01efa79ef6590b437bd848df44fec1c
SHA256 fb40218e5677c3f20c1fca7f7d6f9fc1fd2f36fd5ac72415a94fbbaec795faac
SHA512 92dd47e7e4ee6a22481b0cc57afe3ebec6f1b67ac3e8d7f842b5a8de539b16827b2bebfcbc2cbbec5449167d4450e52f9f8f10aa9f70021fcfff092594186304

memory/2948-90-0x00007FF695690000-0x00007FF6959E4000-memory.dmp

memory/4720-87-0x00007FF61C1C0000-0x00007FF61C514000-memory.dmp

memory/1820-86-0x00007FF64D270000-0x00007FF64D5C4000-memory.dmp

memory/4512-80-0x00007FF6586C0000-0x00007FF658A14000-memory.dmp

memory/4528-69-0x00007FF685DB0000-0x00007FF686104000-memory.dmp

C:\Windows\System\OewGOei.exe

MD5 7eaffc70a799a8c373d48b64b2b3283c
SHA1 96b0b81f17ca5a92a77de9a5d0cc84c2312392ec
SHA256 a9444e1ae87c28e8dbacce5fd33334daef9195f3fb120609087d4685d2f84c93
SHA512 eaf64972cadbd09160d62054c67fa0f6d85862ebd98a024d79c20e762363bf37263169bba66d3a5a8eeb7caa6d581989227239dfe158f30dc561cc3510731509

C:\Windows\System\KrDoDmI.exe

MD5 95192ef64b3986a6b5d712d3200f3435
SHA1 f84b8e860c077b23d20db4c6d5b544244f806586
SHA256 81ca36ce60e272a4eef7a12d846721fd3d2833dfaa098cd485244d6d4bdd11db
SHA512 680d0dd9758184d1a86de8726abd786ec182d2bd629c3cf18629994b67458a0fe5455410ce341d4930c721f48e4095e1b010ac689ba3a700799a40fd0d4fe9b7

memory/4740-115-0x00007FF633220000-0x00007FF633574000-memory.dmp

memory/2064-121-0x00007FF6D36B0000-0x00007FF6D3A04000-memory.dmp

memory/3512-127-0x00007FF74CE20000-0x00007FF74D174000-memory.dmp

memory/2724-130-0x00007FF769D30000-0x00007FF76A084000-memory.dmp

C:\Windows\System\LsyUovz.exe

MD5 92dd9f64b2298a8eb24155d77fe84cd1
SHA1 65fc2bece4843c5279ce9aa99c1cc8f11c6bb511
SHA256 ecbcf769b780d81cf979a594b526c28d879e44a90931b5f896d3fbc810d3605d
SHA512 7c6567c3041f00724d686d9cd31ac4165c65c7df4a74e0431f39700c65085aa1482d94da4fe86dd7f0b3c854d4f212fe3422dc523084533e2e5dcf231b6e2180

memory/4956-126-0x00007FF7731E0000-0x00007FF773534000-memory.dmp

memory/728-125-0x00007FF77FD10000-0x00007FF780064000-memory.dmp

C:\Windows\System\vuhXzAs.exe

MD5 d3dbf6ba367b2905d9a94bbf0007aed1
SHA1 2f057304ccc3d1f7754a8e13bd1999815080db40
SHA256 3bb0d153b8ba072e5e4ee059cd681bd365072e4ae9e5f943989396699962a9be
SHA512 ed4e3ad3ebcc66dc9cca063db3b4aec72a2067d6e26cc81eec8f5999bb90f8f17e5cf039f25db7fe4fa6836f41b1082617444e044aae2416c57c9226bbe5e57c

memory/3356-135-0x00007FF766560000-0x00007FF7668B4000-memory.dmp

memory/4420-136-0x00007FF6518D0000-0x00007FF651C24000-memory.dmp

memory/4512-137-0x00007FF6586C0000-0x00007FF658A14000-memory.dmp

memory/2948-138-0x00007FF695690000-0x00007FF6959E4000-memory.dmp

memory/1740-139-0x00007FF7E95F0000-0x00007FF7E9944000-memory.dmp

memory/4944-140-0x00007FF68F1B0000-0x00007FF68F504000-memory.dmp

memory/2064-142-0x00007FF6D36B0000-0x00007FF6D3A04000-memory.dmp

memory/332-141-0x00007FF7E6C60000-0x00007FF7E6FB4000-memory.dmp

memory/728-143-0x00007FF77FD10000-0x00007FF780064000-memory.dmp

memory/4956-144-0x00007FF7731E0000-0x00007FF773534000-memory.dmp

memory/2724-145-0x00007FF769D30000-0x00007FF76A084000-memory.dmp

memory/4212-146-0x00007FF7AD690000-0x00007FF7AD9E4000-memory.dmp

memory/2684-147-0x00007FF685C30000-0x00007FF685F84000-memory.dmp

memory/1820-148-0x00007FF64D270000-0x00007FF64D5C4000-memory.dmp

memory/3048-149-0x00007FF6C57E0000-0x00007FF6C5B34000-memory.dmp

memory/4720-150-0x00007FF61C1C0000-0x00007FF61C514000-memory.dmp

memory/2084-152-0x00007FF73B0B0000-0x00007FF73B404000-memory.dmp

memory/4740-151-0x00007FF633220000-0x00007FF633574000-memory.dmp

memory/3512-153-0x00007FF74CE20000-0x00007FF74D174000-memory.dmp

memory/3356-154-0x00007FF766560000-0x00007FF7668B4000-memory.dmp

memory/4460-155-0x00007FF604450000-0x00007FF6047A4000-memory.dmp

memory/2368-156-0x00007FF7A23F0000-0x00007FF7A2744000-memory.dmp

memory/4420-157-0x00007FF6518D0000-0x00007FF651C24000-memory.dmp

memory/4512-158-0x00007FF6586C0000-0x00007FF658A14000-memory.dmp

memory/2948-159-0x00007FF695690000-0x00007FF6959E4000-memory.dmp

memory/332-160-0x00007FF7E6C60000-0x00007FF7E6FB4000-memory.dmp

memory/4944-162-0x00007FF68F1B0000-0x00007FF68F504000-memory.dmp

memory/1740-161-0x00007FF7E95F0000-0x00007FF7E9944000-memory.dmp

memory/728-163-0x00007FF77FD10000-0x00007FF780064000-memory.dmp

memory/2724-165-0x00007FF769D30000-0x00007FF76A084000-memory.dmp

memory/4956-164-0x00007FF7731E0000-0x00007FF773534000-memory.dmp

memory/2064-166-0x00007FF6D36B0000-0x00007FF6D3A04000-memory.dmp
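The Files sections of both detonations list memory dumps by name only, so the sizes of the dumped regions have to be computed from the addresses. The script below is an added example, not part of the report or of the sandbox's tooling. It reads the dump names under the assumed layout memory/<pid>-<index>-<start>-<end>-memory.dmp (a dump of that process's region from start to end), groups the regions by size across entries copied from behavioral1 (PIDs 2812, 2424, 1896) and behavioral2 (PIDs 4528, 4212, 1820), and validates the digest lengths in one hash block from each detonation before exporting the SHA256 values as IOCs. What the addresses show is that every image-sized region dumped in either detonation is exactly 0x354000 bytes; the report itself does not say what those regions contain.

```python
import re
from collections import defaultdict

# Added example (not part of the report). Entries copied from the Files sections of
# behavioral1 (PIDs 2812, 2424, 1896) and behavioral2 (PIDs 4528, 4212, 1820), plus one
# dropped-file hash block from each detonation.
FILES_TEXT = r"""
memory/2812-0-0x000000013F860000-0x000000013FBB4000-memory.dmp
memory/2812-1-0x00000000000F0000-0x0000000000100000-memory.dmp
memory/2812-29-0x00000000022A0000-0x00000000025F4000-memory.dmp
memory/2812-131-0x000000013F860000-0x000000013FBB4000-memory.dmp
memory/2424-61-0x000000013F950000-0x000000013FCA4000-memory.dmp
memory/1896-11-0x000000013F5E0000-0x000000013F934000-memory.dmp
memory/4528-0-0x00007FF685DB0000-0x00007FF686104000-memory.dmp
memory/4528-1-0x0000022ED6A00000-0x0000022ED6A10000-memory.dmp
memory/4212-10-0x00007FF7AD690000-0x00007FF7AD9E4000-memory.dmp
memory/1820-22-0x00007FF64D270000-0x00007FF64D5C4000-memory.dmp

C:\Windows\system\oADsMrp.exe

MD5 22b579f2a4f58053f53acbc54d06eabb
SHA1 f8c89e523d5978c51ce8228624d3bfb348cfc273
SHA256 c11ff34308137e01d376af68b041c13722636bffce105ad37a9960724ca382ed
SHA512 14d7f4d634026ba5e8112d30db995907fa8832a227d1bc594f8aede053c8782a7009a9f85c4d0bbefd4e73acd2d54ccdc03098d81a2f1879b7f93c24f73128f1

C:\Windows\System\IYWbHqy.exe

MD5 d9dea36648f68cc4e250f9c3c41026a5
SHA1 65fe9ccec7a9ebedb7f495af059dda329a3e0cc9
SHA256 f6df7f7ceb0a99bf33f320a5d9fe4efe4cf3825b34d83c12dfb3b04ded5278f5
SHA512 c4cc67389e830345c0ec611ca94b3783fdfafb3715bf3ecb7d30064d651fc1153a5bdf31d6e17eb3658968cba385b8a1f786bd0a77dff46a4e14371ecec476cc
"""

# Assumed reading of the dump names: memory/<pid>-<index>-<start>-<end>-memory.dmp,
# i.e. a dump of the process's region [start, end).
DUMP_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
PATH_RE = re.compile(r"^[A-Za-z]:\\\S+$")
HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512) ([0-9a-f]+)$")
HEX_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}


def parse_dumps(text):
    dumps = []
    for line in text.splitlines():
        m = DUMP_RE.match(line.strip())
        if m:
            pid, index, start, end = m.groups()
            dumps.append({"pid": int(pid), "index": int(index),
                          "start": int(start, 16), "end": int(end, 16),
                          "size": int(end, 16) - int(start, 16)})
    return dumps


def regions_by_size(dumps):
    # size -> sorted PIDs that had a region of exactly that size dumped.
    by_size = defaultdict(set)
    for d in dumps:
        by_size[d["size"]].add(d["pid"])
    return {size: sorted(pids) for size, pids in by_size.items()}


def parse_hashes(text):
    # path -> {algorithm: hex}; a digest of the wrong length means a copy/paste error.
    hashes, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if PATH_RE.match(line):
            current = line
            hashes[current] = {}
        elif current and HASH_RE.match(line):
            alg, digest = HASH_RE.match(line).groups()
            if len(digest) != HEX_LEN[alg]:
                raise ValueError(f"{current}: {alg} has {len(digest)} hex digits, expected {HEX_LEN[alg]}")
            hashes[current][alg] = digest
    return hashes


def sha256_iocs(hashes):
    return sorted(entry["SHA256"] for entry in hashes.values() if "SHA256" in entry)


if __name__ == "__main__":
    dumps = parse_dumps(FILES_TEXT)
    for size, pids in sorted(regions_by_size(dumps).items()):
        print(f"region size 0x{size:X} dumped from PIDs {pids}")
    for digest in sha256_iocs(parse_hashes(FILES_TEXT)):
        print("sha256:", digest)
```

Fed the complete Files sections, the same grouping holds for all 21 children in behavioral2 and all the PIDs in behavioral1: one 0x354000-byte region per process, plus a 0x10000-byte region in each parent. Note that every dropped file has a distinct hash in both detonations, so the SHA256 list is useful only for this specific run; the seven-letter naming pattern and the C:\Windows\System drop location travel better between samples.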