Malware Analysis Report

2025-01-22 19:34

Sample ID 240601-vbgqzagh9s
Target 2024-06-01_241159c2006967329eaace0e09b5f46e_cobalt-strike_cobaltstrike
SHA256 f37a94fa043d2c79425689168d969c32b2c757bfa1b95f8d1bd44e5a9b261a88
Tags cobaltstrike xmrig 0 backdoor miner trojan upx
Score 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score 10/10

SHA256 f37a94fa043d2c79425689168d969c32b2c757bfa1b95f8d1bd44e5a9b261a88

Threat Level: Known bad

The file 2024-06-01_241159c2006967329eaace0e09b5f46e_cobalt-strike_cobaltstrike was found to be: Known bad.

Malicious Activity Summary

cobaltstrike xmrig 0 backdoor miner trojan upx

Detects Reflective DLL injection artifacts

Cobalt Strike reflective loader

xmrig

Cobaltstrike family

Cobaltstrike

Xmrig family

XMRig Miner payload

UPX dump on OEP (original entry point)

UPX packed file

Executes dropped EXE

Loads dropped DLL

Drops file in Windows directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported 2024-06-01 16:48

Signatures

Cobalt Strike reflective loader


Cobaltstrike family

cobaltstrike

Detects Reflective DLL injection artifacts


UPX dump on OEP (original entry point)


XMRig Miner payload

miner

Xmrig family

xmrig

UPX packed file

upx

Unsigned PE


Analysis: behavioral2

Detonation Overview

Submitted 2024-06-01 16:48
Reported 2024-06-01 16:51
Platform win10v2004-20240426-en
Max time kernel 140s
Max time network 148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-01_241159c2006967329eaace0e09b5f46e_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader


Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts


UPX dump on OEP (original entry point)


XMRig Miner payload

miner

UPX packed file

upx

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\lQdBfMx.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_241159c2006967329eaace0e09b5f46e_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\lnDtNYT.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_241159c2006967329eaace0e09b5f46e_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\CsXcQPE.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_241159c2006967329eaace0e09b5f46e_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\THjbRFF.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_241159c2006967329eaace0e09b5f46e_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\SgUCiNX.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_241159c2006967329eaace0e09b5f46e_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\GJCAHZz.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_241159c2006967329eaace0e09b5f46e_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\pjYUtuJ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_241159c2006967329eaace0e09b5f46e_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\MBwCAbx.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_241159c2006967329eaace0e09b5f46e_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\JOJZlmM.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_241159c2006967329eaace0e09b5f46e_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\rDoqRsh.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_241159c2006967329eaace0e09b5f46e_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\yblMukG.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_241159c2006967329eaace0e09b5f46e_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\zWjhHTy.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_241159c2006967329eaace0e09b5f46e_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\qwWaFWK.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_241159c2006967329eaace0e09b5f46e_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\imejPNm.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_241159c2006967329eaace0e09b5f46e_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\nJQrqfZ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_241159c2006967329eaace0e09b5f46e_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\vNyrFbX.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_241159c2006967329eaace0e09b5f46e_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\CkyoGJw.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_241159c2006967329eaace0e09b5f46e_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\VQtxeYV.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_241159c2006967329eaace0e09b5f46e_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\YYrxXNZ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_241159c2006967329eaace0e09b5f46e_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\fQEVZEe.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_241159c2006967329eaace0e09b5f46e_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\bApIwnq.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_241159c2006967329eaace0e09b5f46e_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_241159c2006967329eaace0e09b5f46e_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4248 wrote to memory of 4232 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_241159c2006967329eaace0e09b5f46e_cobalt-strike_cobaltstrike.exe C:\Windows\System\SgUCiNX.exe
PID 4248 wrote to memory of 440 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_241159c2006967329eaace0e09b5f46e_cobalt-strike_cobaltstrike.exe C:\Windows\System\zWjhHTy.exe
PID 4248 wrote to memory of 1788 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_241159c2006967329eaace0e09b5f46e_cobalt-strike_cobaltstrike.exe C:\Windows\System\qwWaFWK.exe
PID 4248 wrote to memory of 4904 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_241159c2006967329eaace0e09b5f46e_cobalt-strike_cobaltstrike.exe C:\Windows\System\VQtxeYV.exe
PID 4248 wrote to memory of 4932 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_241159c2006967329eaace0e09b5f46e_cobalt-strike_cobaltstrike.exe C:\Windows\System\lQdBfMx.exe
PID 4248 wrote to memory of 4992 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_241159c2006967329eaace0e09b5f46e_cobalt-strike_cobaltstrike.exe C:\Windows\System\YYrxXNZ.exe
PID 4248 wrote to memory of 5104 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_241159c2006967329eaace0e09b5f46e_cobalt-strike_cobaltstrike.exe C:\Windows\System\imejPNm.exe
PID 4248 wrote to memory of 3880 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_241159c2006967329eaace0e09b5f46e_cobalt-strike_cobaltstrike.exe C:\Windows\System\nJQrqfZ.exe
PID 4248 wrote to memory of 3820 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_241159c2006967329eaace0e09b5f46e_cobalt-strike_cobaltstrike.exe C:\Windows\System\lnDtNYT.exe
PID 4248 wrote to memory of 4792 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_241159c2006967329eaace0e09b5f46e_cobalt-strike_cobaltstrike.exe C:\Windows\System\vNyrFbX.exe
PID 4248 wrote to memory of 4524 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_241159c2006967329eaace0e09b5f46e_cobalt-strike_cobaltstrike.exe C:\Windows\System\CsXcQPE.exe
PID 4248 wrote to memory of 376 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_241159c2006967329eaace0e09b5f46e_cobalt-strike_cobaltstrike.exe C:\Windows\System\CkyoGJw.exe
PID 4248 wrote to memory of 3468 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_241159c2006967329eaace0e09b5f46e_cobalt-strike_cobaltstrike.exe C:\Windows\System\rDoqRsh.exe
PID 4248 wrote to memory of 3660 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_241159c2006967329eaace0e09b5f46e_cobalt-strike_cobaltstrike.exe C:\Windows\System\fQEVZEe.exe
PID 4248 wrote to memory of 2324 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_241159c2006967329eaace0e09b5f46e_cobalt-strike_cobaltstrike.exe C:\Windows\System\GJCAHZz.exe
PID 4248 wrote to memory of 4424 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_241159c2006967329eaace0e09b5f46e_cobalt-strike_cobaltstrike.exe C:\Windows\System\pjYUtuJ.exe
PID 4248 wrote to memory of 1256 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_241159c2006967329eaace0e09b5f46e_cobalt-strike_cobaltstrike.exe C:\Windows\System\THjbRFF.exe
PID 4248 wrote to memory of 4212 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_241159c2006967329eaace0e09b5f46e_cobalt-strike_cobaltstrike.exe C:\Windows\System\bApIwnq.exe
PID 4248 wrote to memory of 4828 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_241159c2006967329eaace0e09b5f46e_cobalt-strike_cobaltstrike.exe C:\Windows\System\MBwCAbx.exe
PID 4248 wrote to memory of 2040 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_241159c2006967329eaace0e09b5f46e_cobalt-strike_cobaltstrike.exe C:\Windows\System\JOJZlmM.exe
PID 4248 wrote to memory of 2248 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_241159c2006967329eaace0e09b5f46e_cobalt-strike_cobaltstrike.exe C:\Windows\System\yblMukG.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-01_241159c2006967329eaace0e09b5f46e_cobalt-strike_cobaltstrike.exe
  "C:\Users\Admin\AppData\Local\Temp\2024-06-01_241159c2006967329eaace0e09b5f46e_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\SgUCiNX.exe
C:\Windows\System\zWjhHTy.exe
C:\Windows\System\qwWaFWK.exe
C:\Windows\System\VQtxeYV.exe
C:\Windows\System\lQdBfMx.exe
C:\Windows\System\YYrxXNZ.exe
C:\Windows\System\imejPNm.exe
C:\Windows\System\nJQrqfZ.exe
C:\Windows\System\lnDtNYT.exe
C:\Windows\System\vNyrFbX.exe
C:\Windows\System\CsXcQPE.exe
C:\Windows\System\CkyoGJw.exe
C:\Windows\System\rDoqRsh.exe
C:\Windows\System\fQEVZEe.exe
C:\Windows\System\GJCAHZz.exe
C:\Windows\System\pjYUtuJ.exe
C:\Windows\System\THjbRFF.exe
C:\Windows\System\bApIwnq.exe
C:\Windows\System\MBwCAbx.exe
C:\Windows\System\JOJZlmM.exe
C:\Windows\System\yblMukG.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 105.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp

Files


Analysis: behavioral1

Detonation Overview

Submitted 2024-06-01 16:48
Reported 2024-06-01 16:51
Platform win7-20240221-en
Max time kernel 148s
Max time network 153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-01_241159c2006967329eaace0e09b5f46e_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader


Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts


UPX dump on OEP (original entry point)


XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_241159c2006967329eaace0e09b5f46e_cobalt-strike_cobaltstrike.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\lUmKmzT.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_241159c2006967329eaace0e09b5f46e_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\GXHhpsj.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_241159c2006967329eaace0e09b5f46e_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\QlRtCOl.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_241159c2006967329eaace0e09b5f46e_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\MQpBeye.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_241159c2006967329eaace0e09b5f46e_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\sBQsRUd.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_241159c2006967329eaace0e09b5f46e_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\dXIDKnX.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_241159c2006967329eaace0e09b5f46e_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\JCRimDX.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_241159c2006967329eaace0e09b5f46e_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\guioFQA.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_241159c2006967329eaace0e09b5f46e_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ZqOteXM.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_241159c2006967329eaace0e09b5f46e_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\YlAPdSU.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_241159c2006967329eaace0e09b5f46e_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\nvvHYnk.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_241159c2006967329eaace0e09b5f46e_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\uKliwXf.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_241159c2006967329eaace0e09b5f46e_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\fGMfwQl.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_241159c2006967329eaace0e09b5f46e_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\VGJpYwG.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_241159c2006967329eaace0e09b5f46e_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\RHruOUX.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_241159c2006967329eaace0e09b5f46e_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\FkJhEik.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_241159c2006967329eaace0e09b5f46e_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\iZJAjje.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_241159c2006967329eaace0e09b5f46e_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\WOTQjIP.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_241159c2006967329eaace0e09b5f46e_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\BlZumim.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_241159c2006967329eaace0e09b5f46e_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\aSWbIma.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_241159c2006967329eaace0e09b5f46e_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\SMpoPYX.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_241159c2006967329eaace0e09b5f46e_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_241159c2006967329eaace0e09b5f46e_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2692 wrote to memory of 3016 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_241159c2006967329eaace0e09b5f46e_cobalt-strike_cobaltstrike.exe C:\Windows\System\fGMfwQl.exe
PID 2692 wrote to memory of 2552 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_241159c2006967329eaace0e09b5f46e_cobalt-strike_cobaltstrike.exe C:\Windows\System\VGJpYwG.exe
PID 2692 wrote to memory of 2612 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_241159c2006967329eaace0e09b5f46e_cobalt-strike_cobaltstrike.exe C:\Windows\System\RHruOUX.exe
PID 2692 wrote to memory of 2512 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_241159c2006967329eaace0e09b5f46e_cobalt-strike_cobaltstrike.exe C:\Windows\System\dXIDKnX.exe
PID 2692 wrote to memory of 2440 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_241159c2006967329eaace0e09b5f46e_cobalt-strike_cobaltstrike.exe C:\Windows\System\FkJhEik.exe
PID 2692 wrote to memory of 2428 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_241159c2006967329eaace0e09b5f46e_cobalt-strike_cobaltstrike.exe C:\Windows\System\iZJAjje.exe
PID 2692 wrote to memory of 2000 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_241159c2006967329eaace0e09b5f46e_cobalt-strike_cobaltstrike.exe C:\Windows\System\WOTQjIP.exe
PID 2692 wrote to memory of 2408 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_241159c2006967329eaace0e09b5f46e_cobalt-strike_cobaltstrike.exe C:\Windows\System\JCRimDX.exe
PID 2692 wrote to memory of 2456 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_241159c2006967329eaace0e09b5f46e_cobalt-strike_cobaltstrike.exe C:\Windows\System\lUmKmzT.exe
PID 2692 wrote to memory of 2888 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_241159c2006967329eaace0e09b5f46e_cobalt-strike_cobaltstrike.exe C:\Windows\System\GXHhpsj.exe
PID 2692 wrote to memory of 2876 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_241159c2006967329eaace0e09b5f46e_cobalt-strike_cobaltstrike.exe C:\Windows\System\nvvHYnk.exe
PID 2692 wrote to memory of 2384 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_241159c2006967329eaace0e09b5f46e_cobalt-strike_cobaltstrike.exe C:\Windows\System\BlZumim.exe
PID 2692 wrote to memory of 1228 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_241159c2006967329eaace0e09b5f46e_cobalt-strike_cobaltstrike.exe C:\Windows\System\QlRtCOl.exe
PID 2692 wrote to memory of 676 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_241159c2006967329eaace0e09b5f46e_cobalt-strike_cobaltstrike.exe C:\Windows\System\guioFQA.exe
PID 2692 wrote to memory of 572 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_241159c2006967329eaace0e09b5f46e_cobalt-strike_cobaltstrike.exe C:\Windows\System\uKliwXf.exe
PID 2692 wrote to memory of 2700 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_241159c2006967329eaace0e09b5f46e_cobalt-strike_cobaltstrike.exe C:\Windows\System\ZqOteXM.exe
PID 2692 wrote to memory of 2864 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_241159c2006967329eaace0e09b5f46e_cobalt-strike_cobaltstrike.exe C:\Windows\System\aSWbIma.exe
PID 2692 wrote to memory of 276 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_241159c2006967329eaace0e09b5f46e_cobalt-strike_cobaltstrike.exe C:\Windows\System\YlAPdSU.exe
PID 2692 wrote to memory of 1500 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_241159c2006967329eaace0e09b5f46e_cobalt-strike_cobaltstrike.exe C:\Windows\System\MQpBeye.exe
PID 2692 wrote to memory of 2464 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_241159c2006967329eaace0e09b5f46e_cobalt-strike_cobaltstrike.exe C:\Windows\System\SMpoPYX.exe
PID 2692 wrote to memory of 2264 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_241159c2006967329eaace0e09b5f46e_cobalt-strike_cobaltstrike.exe C:\Windows\System\sBQsRUd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-01_241159c2006967329eaace0e09b5f46e_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-01_241159c2006967329eaace0e09b5f46e_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\fGMfwQl.exe

C:\Windows\System\VGJpYwG.exe

C:\Windows\System\RHruOUX.exe

C:\Windows\System\dXIDKnX.exe

C:\Windows\System\FkJhEik.exe

C:\Windows\System\iZJAjje.exe

C:\Windows\System\WOTQjIP.exe

C:\Windows\System\JCRimDX.exe

C:\Windows\System\lUmKmzT.exe

C:\Windows\System\GXHhpsj.exe

C:\Windows\System\nvvHYnk.exe

C:\Windows\System\BlZumim.exe

C:\Windows\System\QlRtCOl.exe

C:\Windows\System\guioFQA.exe

C:\Windows\System\uKliwXf.exe

C:\Windows\System\ZqOteXM.exe

C:\Windows\System\aSWbIma.exe

C:\Windows\System\YlAPdSU.exe

C:\Windows\System\MQpBeye.exe

C:\Windows\System\SMpoPYX.exe

C:\Windows\System\sBQsRUd.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 tcp

Files

C:\Windows\system\fGMfwQl.exe

MD5 d280f46b91878c5a987e560b59bc9baf
SHA1 cc121de187294d41d2d2bf16caa81ed613bb404b
SHA256 b39489f0496da230a8842ef395c0799eb95fa453e9c694a2b07d4763dbb6dfa7
SHA512 544a1bf759ace2e3f444f69914aa583be88ab9c7077f3f2467815a3b16ce109e53923966b459b14053b2637b917174244d08b46202863bf3f1de75b2669e89c4

\Windows\system\VGJpYwG.exe

MD5 e6059f869286b97b3dc74d8b2c5074e2
SHA1 35c04df793699592eefcffae369ea264f1bf9df3
SHA256 e06915410c6a8d0e1ae2e341183764b45dab9c7072dc41789e473fc2eae5dac9
SHA512 e15698db7abde31b4bd42607f54f4d51689033d15029ce97271673b6e4be93ed8926b134cfb632b7ef2035e88b942272ea8131ccc493bfb4c4dec6697bba5e90

C:\Windows\system\RHruOUX.exe

MD5 b235a321c65f74abded93aeacd1ebc96
SHA1 579e3397570fe86db089e2a4f042146ccc63f389
SHA256 29e1714fb12a88055bac68d362689227aeac8dffdc1f9770a55e05bdc2954dcf
SHA512 3591f085aff65ecfddd48229cbf2d67c5e91083b3dc9367604744a20ec54b7640df173cde53bb0d4585dca7906fe6541293fad79d02fa04e3130b6cafb891331

C:\Windows\system\BlZumim.exe

MD5 fbb4a2ae501dde7a7a445df5c9b717d2
SHA1 9c3ff1e4c8420f8ed0d09ffa383ae66f72944905
SHA256 212cfdf680668f7528a6a5326aa2873ad3d7927ea5966ffe01208c61fb39aea5
SHA512 63edff134acfeef0f5121b16205158119288e4fe1f4178ad74fa25210dfa2e73364eaac6a4cc37f9d1f42efdb5b056d2e416d6dbc717392c5d1f907c0c0a0041

C:\Windows\system\MQpBeye.exe

MD5 51798b57a05aa497ea186f8107f196e1
SHA1 391fa5af9c65c3e17cb2e0bea5a189ad6633762f
SHA256 0fad7ef2529a37fbafd8950d1fd247f39e387257b437db9f5cac00fca493d640
SHA512 90dbf0f1c7d6f5040f6c942c7571fbdc9ef76a1f9fdef9646a43d91e03f379853f29eaf049df57d3441a4b9f3d7da5af0ec3d240106d2cea19204278bee7a4ba

\Windows\system\SMpoPYX.exe

MD5 685560f9a135c7f147fd7a4d548aa4b5
SHA1 28fb29a8581bd5f3571d49ca67b2f9817edd57ca
SHA256 28301abce7e2894cd842c1d8f2a1d3a42a1f8113f1e81a15ddeb0835898cb2ba
SHA512 1892d8e6a837f05c5a5c310ada55266663ce3ace040b9e7d0017c2f1c820476f373330f8863f8c2131926ee86c9ab96c2044bc19d73221e73d1a47891a0c620d

C:\Windows\system\aSWbIma.exe

MD5 f101d61b0de85ef30752252494268aa9
SHA1 ba9fefd83b4c9a83510dc62c879c28af1bd790b4
SHA256 935c5f381d6ed4da91ae4bf60ff5799dcc66276f887be69560fdd736cc981d82
SHA512 cbb21b9bd5c6b7fa24ad1d157fef555887b1330a5f24db986b3619961eba3dce45a39817ef378ae1c2124b42610a6753f92eff8fd41326b18754cb14f08c4435

\Windows\system\YlAPdSU.exe

MD5 3495c64900fc0833688ab98897ca5608
SHA1 9da5099058078d4657cdbb2eb58b31d2d7ff8beb
SHA256 6dea533b32aa8e185e9055ecec6fd36905bfe598b4c6620aad9a596ab31406c0
SHA512 66ebf4ae23b13c7021fd99ca9c2999f5527bbdfe2bed60e2752138d2be3bc87615da54a874f9161ebd39dfc98b3335595f1bcbe70f6e0a0d3b92ddf40cfb3d67

\Windows\system\ZqOteXM.exe

MD5 79d14d305ef674c67a18504f769caa8c
SHA1 9e4d6d907ee943f0f4d3715eac2c086188c37d95
SHA256 8e341b6cf601a51b957b07db45873d88436fc073421eb27ffd7868e11bcb6afa
SHA512 e3dbcef67530b83285609379bfdf66769414897f2e1bf954e73b6076d0b9bbea443b4510ce6975de3eefc04c402db79cb3222cf7d43b737a66b73ae624ca02bf

\Windows\system\guioFQA.exe

MD5 cb81442ffe14163fd9fde2c6796768d5
SHA1 6de55fec953e50fb67e40948ae062de1fc5361e0
SHA256 ae802bfdbb8bd76230c49616151cd0b706b2462be885d366d2ed0a4e2a3758fa
SHA512 e451b077821bf66dd50e41507af8c77454a41fa354d97b7d8f4aead1a48c25f81d706c32bebc4b34584851bafc0cb9cd95839c56e62ba82877fa10d9f75323e4

\Windows\system\GXHhpsj.exe

MD5 fdb0798fd6c01e6a30282d3595416b80
SHA1 c1d2bdb1db221f79ca1f910372ee22e263496632
SHA256 7829b3e7eb46815b1fcc03406e873c276513eded3573e7eaf5c2cb9cb80572e0
SHA512 2659a1198f4884d78f18a8bd1414acffacad704a25b86de9aa52932205699693a488a631042ce0947a67c0516af8bad6f064327b6d2eed91afe6ea499be5739e

\Windows\system\JCRimDX.exe

MD5 f01d81bf3cb2b3a6dfca320984f01dd2
SHA1 6c9117c5b5ed9e4cc735872e75ad3adef6f78338
SHA256 1a58e8f10cbffa91d2acfd14c6354085234fa0bf5b3fa1204977fa43f9747277
SHA512 32276cd2a767043393fa97adf9f31f0b173f27b772baf4a6329aa01bd8bd5fbdac1a34169d5e1dc33e35dfaab5bb532a4ef108d4afc55ba98a546157aeeae5ae

\Windows\system\iZJAjje.exe

MD5 36f12896086f1be914352ab55b3361ed
SHA1 1b001cc8cabf96f8863d06b5527eca1d6ffb7397
SHA256 37099a6c2711389729d9a861436d3e1a798da7c4256e8e823cbe92b5bd0b93d1
SHA512 d582ffd0beb004889b3e5982bc4f03b2bf23c6150259f2e98e269a9ad31c956a7f6e34d46815a0718913667ab42f3fa8f9f04b34735d3bc10f58c42f68564bc0

C:\Windows\system\sBQsRUd.exe

MD5 cab2652ea76a042ddecba4cec4339b60
SHA1 6427f640947e02b7d5eaa12436e230a0170a69e1
SHA256 97c495afc824543309352ea2f6ddf3a951c54e5f40ce24ba02466fb567bea498
SHA512 4a77fe62d0cb0f89bdc70078557ada6415762c00d66b11bb1164b287470955b683ffa526379192d13726072ac4357a860e4d449509c925dfd6bbf50ff6bc1278

C:\Windows\system\uKliwXf.exe

MD5 f1e291c0ee4e84757dc540b0aad0153c
SHA1 f324953cfd6edcc2b80930311e2439c49d4b2630
SHA256 946b22621f961cbc3ada9ab7e200a5aa6afbeefb73170c0dbb5465aba8f42d82
SHA512 37f7af1dcdcc01c79cc25e77d444f5c62b0b9d4eb8a417516d3571f0cd2e9da81e488acdc1889c77094b72707509df14ba27a74f48fdac9690139bd90b5e7960

C:\Windows\system\QlRtCOl.exe

MD5 f4aa658ff33d4e35bd545204781f0115
SHA1 2932fccb06ebfd8745dd86fb5f9ced227a4c98db
SHA256 5b1bd33e7cd46a191833431e0e711aac80006ed2b13a7ce63d82dd914255bc0e
SHA512 62d5ee47576917e987b8b43d3c29114eb18ae6a659f126acae8790ec8e1939858f852b3e5aa646e417985dd9bc4f742598af1116e9af7e53190115844ee10a68

C:\Windows\system\nvvHYnk.exe

MD5 69533e72307afa412ef384cf47c0ec17
SHA1 3d430e2984179c62ad3a64db66f541e073020ef2
SHA256 bd3aa128a3bb9ce7fb715f199139c5bbf1d1e10448d4adb072a11318102d0d22
SHA512 5c1d3fd22389d0c8bee34884ccb9b41cd84fab8b782a5ce2649136dd15a266ca01052f1911f055bcf3f0bf7b44118f0247e59737c7ffe0f8e1603090f0042fb4

C:\Windows\system\lUmKmzT.exe

MD5 dfd948c30a9879eccdc7af93c18e79f9
SHA1 bff1fff0a711fb1030ade2602e05269ac94a04a4
SHA256 bb0f6c3ad49d28d3190612295dde83ff3bfe13ed666dceb291460340f750d1ed
SHA512 bf4924846ecb4c09b110e3769411726c66845ed6633b2435a0eb11b107e72c08b9cc3c4069424b7faad283411e5799778b71c603d0abe18b06865f6fcaae8be1

C:\Windows\system\WOTQjIP.exe

MD5 3a178b2278ce317cfb73982b6568d62e
SHA1 d79fc494e9cdbb93d6e49c462bd24f4b26bb1467
SHA256 1893cdc9cd567dce7b418c065b7eba402987b38735e599a92aa8f88c1ec5396f
SHA512 42c0d9d1cdf4af480df788d121ea0a7122cc9142300627fe718a8684e764124da2f25823188b36e6dca2beff82cdd3a3e880b610466327bd5092f79be76d0083

C:\Windows\system\FkJhEik.exe

MD5 e845b14f2f30c8ab538e8b92e80403d4
SHA1 5c0d17bbe12664790650df7c7a1fbd730adc908f
SHA256 2efc3b091df1af06c372d63099bd041e84e0ec613627bea5f482825b0a251937
SHA512 efacdc6abf74796234f0993060753c18f7dd97fe24c0d9dfdaed812be58fd4fb6881cc29f45d087270783733f660cdd6e5f50486215f2288410f9a328489415f

C:\Windows\system\dXIDKnX.exe

MD5 b3df85e85ed32c1edfdc806bc88d7bdd
SHA1 e62c5451ee2e26679d61e6415a1df747b163e481
SHA256 3a7ae0528f139d4a7972e8149ba7d9b11ddddfb68ec03763e64c544cda7a9a26
SHA512 aefc9301728ccf6f4021faad451fe4e8175a3091f08334890cb0472fec2712fb570bc9bfa894e30920f42bcdd020327106e5c29fd34a636d415ac1980ed44506
