Malware Analysis Report

2024-10-24 18:16

Sample ID 240606-ws29nsag52
Target 2024-06-06_3de061ce53321d017af3ba04d0897105_cobalt-strike_cobaltstrike
SHA256 621a81ec8425add43765485f46ddcfcc840bcbefda882294d59403952e7ec77c
Tags
miner upx 0 xmrig cobaltstrike backdoor trojan
score
10/10

Analysis Overview

Threat Level: Known bad

The file 2024-06-06_3de061ce53321d017af3ba04d0897105_cobalt-strike_cobaltstrike was found to be: Known bad.

Malicious Activity Summary

Cobaltstrike family

Xmrig family

xmrig

Cobaltstrike

UPX dump on OEP (original entry point)

XMRig Miner payload

Detects Reflective DLL injection artifacts

Cobalt Strike reflective loader

Executes dropped EXE

Loads dropped DLL

UPX packed file

Drops file in Windows directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-06 18:11

Signatures

Cobalt Strike reflective loader

Cobaltstrike family

cobaltstrike

Detects Reflective DLL injection artifacts

UPX dump on OEP (original entry point)

XMRig Miner payload

miner
Xmrig family

xmrig

UPX packed file

upx
Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-06 18:11

Reported

2024-06-06 18:14

Platform

win7-20231129-en

Max time kernel

136s

Max time network

146s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-06_3de061ce53321d017af3ba04d0897105_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

UPX dump on OEP (original entry point)

XMRig Miner payload

miner

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_3de061ce53321d017af3ba04d0897105_cobalt-strike_cobaltstrike.exe N/A

UPX packed file

upx

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\sYBDghE.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_3de061ce53321d017af3ba04d0897105_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\fouapfc.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_3de061ce53321d017af3ba04d0897105_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\QpAAkzm.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_3de061ce53321d017af3ba04d0897105_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\GKzqwFE.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_3de061ce53321d017af3ba04d0897105_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\IzmiAzz.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_3de061ce53321d017af3ba04d0897105_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\xIiUAuH.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_3de061ce53321d017af3ba04d0897105_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\HlIZaDe.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_3de061ce53321d017af3ba04d0897105_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\bALEYcf.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_3de061ce53321d017af3ba04d0897105_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\GMxKwzl.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_3de061ce53321d017af3ba04d0897105_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\WuyQiwi.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_3de061ce53321d017af3ba04d0897105_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\JgWwIVq.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_3de061ce53321d017af3ba04d0897105_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\jAqsgyV.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_3de061ce53321d017af3ba04d0897105_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\kcEZGMJ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_3de061ce53321d017af3ba04d0897105_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\tcSyuTQ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_3de061ce53321d017af3ba04d0897105_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\TgNnMaW.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_3de061ce53321d017af3ba04d0897105_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\EwdlsjB.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_3de061ce53321d017af3ba04d0897105_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\DyCtiPk.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_3de061ce53321d017af3ba04d0897105_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\fgSEgCt.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_3de061ce53321d017af3ba04d0897105_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\UizWXZt.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_3de061ce53321d017af3ba04d0897105_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\scqzlcp.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_3de061ce53321d017af3ba04d0897105_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\AIrQWOH.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_3de061ce53321d017af3ba04d0897105_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_3de061ce53321d017af3ba04d0897105_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2332 wrote to memory of 1672 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_3de061ce53321d017af3ba04d0897105_cobalt-strike_cobaltstrike.exe C:\Windows\System\bALEYcf.exe
PID 2332 wrote to memory of 2836 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_3de061ce53321d017af3ba04d0897105_cobalt-strike_cobaltstrike.exe C:\Windows\System\GMxKwzl.exe
PID 2332 wrote to memory of 2904 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_3de061ce53321d017af3ba04d0897105_cobalt-strike_cobaltstrike.exe C:\Windows\System\EwdlsjB.exe
PID 2332 wrote to memory of 1840 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_3de061ce53321d017af3ba04d0897105_cobalt-strike_cobaltstrike.exe C:\Windows\System\xIiUAuH.exe
PID 2332 wrote to memory of 2624 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_3de061ce53321d017af3ba04d0897105_cobalt-strike_cobaltstrike.exe C:\Windows\System\DyCtiPk.exe
PID 2332 wrote to memory of 2620 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_3de061ce53321d017af3ba04d0897105_cobalt-strike_cobaltstrike.exe C:\Windows\System\WuyQiwi.exe
PID 2332 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_3de061ce53321d017af3ba04d0897105_cobalt-strike_cobaltstrike.exe C:\Windows\System\sYBDghE.exe
PID 2332 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_3de061ce53321d017af3ba04d0897105_cobalt-strike_cobaltstrike.exe C:\Windows\System\fouapfc.exe
PID 2332 wrote to memory of 2424 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_3de061ce53321d017af3ba04d0897105_cobalt-strike_cobaltstrike.exe C:\Windows\System\JgWwIVq.exe
PID 2332 wrote to memory of 2544 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_3de061ce53321d017af3ba04d0897105_cobalt-strike_cobaltstrike.exe C:\Windows\System\jAqsgyV.exe
PID 2332 wrote to memory of 2864 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_3de061ce53321d017af3ba04d0897105_cobalt-strike_cobaltstrike.exe C:\Windows\System\QpAAkzm.exe
PID 2332 wrote to memory of 2108 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_3de061ce53321d017af3ba04d0897105_cobalt-strike_cobaltstrike.exe C:\Windows\System\fgSEgCt.exe
PID 2332 wrote to memory of 1824 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_3de061ce53321d017af3ba04d0897105_cobalt-strike_cobaltstrike.exe C:\Windows\System\kcEZGMJ.exe
PID 2332 wrote to memory of 1452 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_3de061ce53321d017af3ba04d0897105_cobalt-strike_cobaltstrike.exe C:\Windows\System\UizWXZt.exe
PID 2332 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_3de061ce53321d017af3ba04d0897105_cobalt-strike_cobaltstrike.exe C:\Windows\System\HlIZaDe.exe
PID 2332 wrote to memory of 2312 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_3de061ce53321d017af3ba04d0897105_cobalt-strike_cobaltstrike.exe C:\Windows\System\scqzlcp.exe
PID 2332 wrote to memory of 1572 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_3de061ce53321d017af3ba04d0897105_cobalt-strike_cobaltstrike.exe C:\Windows\System\tcSyuTQ.exe
PID 2332 wrote to memory of 928 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_3de061ce53321d017af3ba04d0897105_cobalt-strike_cobaltstrike.exe C:\Windows\System\GKzqwFE.exe
PID 2332 wrote to memory of 1944 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_3de061ce53321d017af3ba04d0897105_cobalt-strike_cobaltstrike.exe C:\Windows\System\IzmiAzz.exe
PID 2332 wrote to memory of 1260 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_3de061ce53321d017af3ba04d0897105_cobalt-strike_cobaltstrike.exe C:\Windows\System\AIrQWOH.exe
PID 2332 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_3de061ce53321d017af3ba04d0897105_cobalt-strike_cobaltstrike.exe C:\Windows\System\TgNnMaW.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-06_3de061ce53321d017af3ba04d0897105_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-06_3de061ce53321d017af3ba04d0897105_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\bALEYcf.exe

C:\Windows\System\GMxKwzl.exe

C:\Windows\System\EwdlsjB.exe

C:\Windows\System\xIiUAuH.exe

C:\Windows\System\DyCtiPk.exe

C:\Windows\System\WuyQiwi.exe

C:\Windows\System\sYBDghE.exe

C:\Windows\System\fouapfc.exe

C:\Windows\System\JgWwIVq.exe

C:\Windows\System\jAqsgyV.exe

C:\Windows\System\QpAAkzm.exe

C:\Windows\System\fgSEgCt.exe

C:\Windows\System\kcEZGMJ.exe

C:\Windows\System\UizWXZt.exe

C:\Windows\System\HlIZaDe.exe

C:\Windows\System\scqzlcp.exe

C:\Windows\System\tcSyuTQ.exe

C:\Windows\System\GKzqwFE.exe

C:\Windows\System\IzmiAzz.exe

C:\Windows\System\AIrQWOH.exe

C:\Windows\System\TgNnMaW.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 tcp

Files

memory/2332-0-0x000000013F700000-0x000000013FA54000-memory.dmp

memory/2332-1-0x0000000000080000-0x0000000000090000-memory.dmp

\Windows\system\bALEYcf.exe

MD5 bc2e8eb24e020ea8a2198c69a024c356
SHA1 c3db9d35eff52dc586280b186faac67d81b7cafb
SHA256 cb5342726530cd9ae4adc64efd96ea2d2b44ba374cfd09580eea2dbe48dec338
SHA512 8422ab103e09f64faea87f77e7cd346f155dd46f0c4c553c1d5648f4274dfabcfcca86f9302b5ef7f51161fc81d0838d485ca1a7c120ce13bad91ebe96c6c49a

memory/2836-21-0x000000013FD60000-0x00000001400B4000-memory.dmp

memory/2332-20-0x000000013F100000-0x000000013F454000-memory.dmp

C:\Windows\system\xIiUAuH.exe

MD5 230179b3d640f46a004430d258c4438f
SHA1 3dcaaffe21f7208cc684870044e51ce922462ecb
SHA256 cf8f582e7b7af394b9ea5f1eadd4486afac3c4f332eec03a4cf00170f8661de9
SHA512 0a1d70b9d9bbc9e092b93cffdc395667ba05f8d098154cb750f3347b33e8c4e885375c7393e6411c4003df5d7e260b4df7a5e436ac8455401ec8d573393348bb

memory/2904-27-0x000000013F100000-0x000000013F454000-memory.dmp

memory/1840-29-0x000000013F440000-0x000000013F794000-memory.dmp

memory/2332-24-0x00000000023B0000-0x0000000002704000-memory.dmp

C:\Windows\system\EwdlsjB.exe

MD5 73e4872ef83d79caf8441044d2acc835
SHA1 b2fb75ad1f4a3afa5d2b82a220b6637fe59a4d29
SHA256 0f0a2c04d7e8a2a7d601c790a344504f7bab15341e77c8ee6bc12d7062e16919
SHA512 b264729424fd08962efab3f7a500cbeaaa6d6882718c0bee06f50db8b062ac9c4943c337dbf90bfe1f38a6a9b006badb584a0c97edbeaedb18c24856839fff9d

memory/2624-36-0x000000013F200000-0x000000013F554000-memory.dmp

\Windows\system\WuyQiwi.exe

MD5 f9d83230b4da4e26c393cbf3f54b386d
SHA1 7f7700f2f5597e43c05213f8158a598e5bd3f4ef
SHA256 066bc33cf4464942d808adbb9c7c64c6f47350e02aa07f186dd0f11074a16ab5
SHA512 2cabe3fb93197f5dbbf4aaff697a94bad27641a55df34fdfcbd06fa8b2858114d1333d2dc2498f814435a3d3d908031cdfc59264e77b435a844677d71fe53eaf

memory/2332-39-0x000000013FC80000-0x000000013FFD4000-memory.dmp

C:\Windows\system\DyCtiPk.exe

MD5 e8c2cc1accc07e91d7e189222d94c8d5
SHA1 a33c0c82b12e6d103c5d62c5c602ec90c56c3efe
SHA256 1526b8a1e26fe19cf1647e8e2f793b316e9e379e13fd09b5f97760557f34df2c
SHA512 b9a5231efa2cf0b7d4c727805d8c7b316d2051840524288775ac12181c23804a8ed95b2ab67f499e5fb78b9d8dd9093cbe6dd0f7869d9e7f7f5d8be78bc506b1

memory/2332-31-0x000000013F200000-0x000000013F554000-memory.dmp

memory/2332-18-0x000000013FD60000-0x00000001400B4000-memory.dmp

C:\Windows\system\GMxKwzl.exe

MD5 ae30f64bf92fbebec4f42bc20139a14a
SHA1 4235e37553e784877d331e9a073a2ffa36cc01bf
SHA256 169bc841093c73c9ee79176a342516508f517e9ba11d10f426b2903281face78
SHA512 ac4181741b56a826429a8450f041afed88db99c097ec753a2df78e383728c718e01dc310e7faae3f53fdbe4478383515d501dc056ee366346a42a00bfec7d971

memory/1672-15-0x000000013F690000-0x000000013F9E4000-memory.dmp

memory/2332-7-0x00000000023B0000-0x0000000002704000-memory.dmp

memory/2332-48-0x000000013F700000-0x000000013FA54000-memory.dmp

C:\Windows\system\sYBDghE.exe

MD5 00612aa8175ebc0cd82cb83b4ea39797
SHA1 60540662107925586e57503c323824d9c42b8f66
SHA256 d877f86866259c7b39332b4ebce0b82c002f5480d182e3353e32c563f58315ba
SHA512 65b6f3fa0b56de0701e308823a5030f78a4043cd424643b74c7aca98e79633b0408a1a081f47eda843e617d09527433e1cc45c2a3ab1751376ec42db472ebad8

\Windows\system\fouapfc.exe

MD5 65e4c23c4db0b1599033863385b7cf04
SHA1 d93eac517b3df0aa2c89f4d597da1142af0ea8d4
SHA256 89fbfcd2cc95e309ca0a86fb3e5941dd53a6cdbd6f3cb3a3f970af07f2f224dd
SHA512 5d40c8cbce6ac8478f574c24ccaaac2f7d9e59f39193b72d6709c9c68a2db68dd8f57c3578db5e1392aea0281ed97212ac4bbca1d56e56dc1a0af4825e3367a1

memory/2696-57-0x000000013F0F0000-0x000000013F444000-memory.dmp

memory/1672-58-0x000000013F690000-0x000000013F9E4000-memory.dmp

memory/2680-56-0x000000013FFC0000-0x0000000140314000-memory.dmp

memory/2620-55-0x000000013FC80000-0x000000013FFD4000-memory.dmp

memory/2332-64-0x000000013FD60000-0x00000001400B4000-memory.dmp

C:\Windows\system\JgWwIVq.exe

MD5 811c73440fd3dd9686d034532f0286d7
SHA1 fd341f02abe07c44f8bbfc2c4c7955cee8d9c05c
SHA256 892c27f4f39565197000397e13be6e6c45de34e03790b9b98e83635d959163f0
SHA512 31da888549913ebe4b0f13bdfe926ceb117be1818e365c037a41331d55ad6392f89dd9ab2922dcc6c15b693840abf2cdc4286e0edfec8d1c28a479e23b048b53

memory/2424-65-0x000000013F280000-0x000000013F5D4000-memory.dmp

\Windows\system\jAqsgyV.exe

MD5 eb6a18fca5cf1c3569ad5bda73993e49
SHA1 03c169ddcf889d1b22291dd4383221184dff2c38
SHA256 02ec1548b70e8aae7fb9cc650810b59cbfae078d9a4fce603be88844382f38c2
SHA512 13e880347e13fbae4c3b590d233d076d310765c6f56d7182a21e4da3f3e5b0255b123628bafa6a7259b95d727392e52ee3af706843275a392b3012c56b32c290

C:\Windows\system\fgSEgCt.exe

MD5 58a7618183405220b2148339d949f2bb
SHA1 74fcafe4502d37c71b5fe5b63b047b77ad5756fa
SHA256 ea0596a67e6660ba0388e4af548c437d84cc8a598adee1f4eeaaf69b038b89e1
SHA512 88287bd704eb0a847e04a51023e08c2b1d82452596b768afa2e37c9465ea590b7eb7d0b3194b5872896268591b5a3c680cd0176a7e5f1e53c251ae8920cee8d1

C:\Windows\system\UizWXZt.exe

MD5 a79b14b23a83f7d6c2084f271246e0d9
SHA1 c4e509673bfa3f8fd48f88a509e2a2167e4fb4f1
SHA256 a6989e73bad041eb580a6a9fbba007bd1ea4074589e64590c3489df65649f200
SHA512 6cd8d8f706e9743cbd78f97b4a87b355bffb3f308ee5ec39e454899237209fa2473c61e177aa68f07274c6b5d5105472285806255d44b61f2e6057c2038c5d43

\Windows\system\scqzlcp.exe

MD5 7b70f7351e1edc9157d84430cba6b07b
SHA1 72c40b4523f9aafb7cbac5fd4d35d5bff66d2bd5
SHA256 1de655c2399f09af23290f5046a807386a899f84b761c5061395dc4427253164
SHA512 fc4a8980341ff6773077eaf888cfbdd7b5a91b8f17d06d97949e93b18806b760177607f06219369c4137ce04e89204c666abc232fc0da2b31a73e86307911bdd

C:\Windows\system\AIrQWOH.exe

MD5 c320988290cea88cf183e1f064aec30e
SHA1 260af7a4c2bafc4dc1cc7d0654b593a852bf24bc
SHA256 3f113eaf92c82a9ae3a7a0a47c0a29850c45e8960826f6d9d536e2fb0f4c71c8
SHA512 f818e5aacd3f9c63e7e413b7c0a1214181224d05d4c069bd1da0e97b038396e7c701e3cb4178fb118c0199decc0dc3f469b8b5c4049b3faac85e4110f0bcec6d

C:\Windows\system\TgNnMaW.exe

MD5 b69fccfb0a86b7cc987b23f8becd3484
SHA1 1305c8db2364303b6c6090a3d30137ce660c82bb
SHA256 94f04a3d36afff498b09564f3ae7e7ec0fcb9d3b40e79415784a8630df5ed5a5
SHA512 dd3adcf0b77f618c79988560f0eea63f2806067df094662aa55e41cad69f0defc89fea673e24fe0086919ad4a83003497fce359fd228f4adde9579b580058382

C:\Windows\system\IzmiAzz.exe

MD5 3b70652c69b7af4bd0438ada00dee6a4
SHA1 3db19647a8c3fa943a17d910246d92fcb6574585
SHA256 98821e380bf786e9470a0a97f2d9fd09849401ea31f517d97db893cb2bbc62e3
SHA512 6a85d66828a38f9d25baff4408c8d58c9d0195ce90e113585e23813e7d856b517a2b01c13fd2549590ff45caf039abafaff489f9c9353610259fd131ba57dd5c

C:\Windows\system\tcSyuTQ.exe

C:\Windows\system\GKzqwFE.exe

C:\Windows\system\HlIZaDe.exe

C:\Windows\system\kcEZGMJ.exe

C:\Windows\system\QpAAkzm.exe

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-06 18:11

Reported

2024-06-06 18:14

Platform

win10v2004-20240508-en

Max time kernel

148s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-06_3de061ce53321d017af3ba04d0897105_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\JgWwIVq.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_3de061ce53321d017af3ba04d0897105_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\jAqsgyV.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_3de061ce53321d017af3ba04d0897105_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\QpAAkzm.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_3de061ce53321d017af3ba04d0897105_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\HlIZaDe.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_3de061ce53321d017af3ba04d0897105_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\bALEYcf.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_3de061ce53321d017af3ba04d0897105_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\GMxKwzl.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_3de061ce53321d017af3ba04d0897105_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\EwdlsjB.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_3de061ce53321d017af3ba04d0897105_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\DyCtiPk.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_3de061ce53321d017af3ba04d0897105_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\IzmiAzz.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_3de061ce53321d017af3ba04d0897105_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\scqzlcp.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_3de061ce53321d017af3ba04d0897105_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\xIiUAuH.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_3de061ce53321d017af3ba04d0897105_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\fouapfc.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_3de061ce53321d017af3ba04d0897105_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\fgSEgCt.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_3de061ce53321d017af3ba04d0897105_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\UizWXZt.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_3de061ce53321d017af3ba04d0897105_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\WuyQiwi.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_3de061ce53321d017af3ba04d0897105_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\sYBDghE.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_3de061ce53321d017af3ba04d0897105_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\TgNnMaW.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_3de061ce53321d017af3ba04d0897105_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\kcEZGMJ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_3de061ce53321d017af3ba04d0897105_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\tcSyuTQ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_3de061ce53321d017af3ba04d0897105_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\GKzqwFE.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_3de061ce53321d017af3ba04d0897105_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\AIrQWOH.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_3de061ce53321d017af3ba04d0897105_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_3de061ce53321d017af3ba04d0897105_cobalt-strike_cobaltstrike.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_3de061ce53321d017af3ba04d0897105_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4272 wrote to memory of 1148 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_3de061ce53321d017af3ba04d0897105_cobalt-strike_cobaltstrike.exe C:\Windows\System\bALEYcf.exe
PID 4272 wrote to memory of 1148 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_3de061ce53321d017af3ba04d0897105_cobalt-strike_cobaltstrike.exe C:\Windows\System\bALEYcf.exe
PID 4272 wrote to memory of 1628 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_3de061ce53321d017af3ba04d0897105_cobalt-strike_cobaltstrike.exe C:\Windows\System\GMxKwzl.exe
PID 4272 wrote to memory of 1628 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_3de061ce53321d017af3ba04d0897105_cobalt-strike_cobaltstrike.exe C:\Windows\System\GMxKwzl.exe
PID 4272 wrote to memory of 1020 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_3de061ce53321d017af3ba04d0897105_cobalt-strike_cobaltstrike.exe C:\Windows\System\EwdlsjB.exe
PID 4272 wrote to memory of 1020 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_3de061ce53321d017af3ba04d0897105_cobalt-strike_cobaltstrike.exe C:\Windows\System\EwdlsjB.exe
PID 4272 wrote to memory of 3920 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_3de061ce53321d017af3ba04d0897105_cobalt-strike_cobaltstrike.exe C:\Windows\System\xIiUAuH.exe
PID 4272 wrote to memory of 3920 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_3de061ce53321d017af3ba04d0897105_cobalt-strike_cobaltstrike.exe C:\Windows\System\xIiUAuH.exe
PID 4272 wrote to memory of 1320 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_3de061ce53321d017af3ba04d0897105_cobalt-strike_cobaltstrike.exe C:\Windows\System\DyCtiPk.exe
PID 4272 wrote to memory of 1320 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_3de061ce53321d017af3ba04d0897105_cobalt-strike_cobaltstrike.exe C:\Windows\System\DyCtiPk.exe
PID 4272 wrote to memory of 4180 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_3de061ce53321d017af3ba04d0897105_cobalt-strike_cobaltstrike.exe C:\Windows\System\WuyQiwi.exe
PID 4272 wrote to memory of 4180 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_3de061ce53321d017af3ba04d0897105_cobalt-strike_cobaltstrike.exe C:\Windows\System\WuyQiwi.exe
PID 4272 wrote to memory of 996 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_3de061ce53321d017af3ba04d0897105_cobalt-strike_cobaltstrike.exe C:\Windows\System\sYBDghE.exe
PID 4272 wrote to memory of 996 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_3de061ce53321d017af3ba04d0897105_cobalt-strike_cobaltstrike.exe C:\Windows\System\sYBDghE.exe
PID 4272 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_3de061ce53321d017af3ba04d0897105_cobalt-strike_cobaltstrike.exe C:\Windows\System\fouapfc.exe
PID 4272 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_3de061ce53321d017af3ba04d0897105_cobalt-strike_cobaltstrike.exe C:\Windows\System\fouapfc.exe
PID 4272 wrote to memory of 3232 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_3de061ce53321d017af3ba04d0897105_cobalt-strike_cobaltstrike.exe C:\Windows\System\JgWwIVq.exe
PID 4272 wrote to memory of 3232 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_3de061ce53321d017af3ba04d0897105_cobalt-strike_cobaltstrike.exe C:\Windows\System\JgWwIVq.exe
PID 4272 wrote to memory of 3256 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_3de061ce53321d017af3ba04d0897105_cobalt-strike_cobaltstrike.exe C:\Windows\System\jAqsgyV.exe
PID 4272 wrote to memory of 3256 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_3de061ce53321d017af3ba04d0897105_cobalt-strike_cobaltstrike.exe C:\Windows\System\jAqsgyV.exe
PID 4272 wrote to memory of 5016 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_3de061ce53321d017af3ba04d0897105_cobalt-strike_cobaltstrike.exe C:\Windows\System\QpAAkzm.exe
PID 4272 wrote to memory of 5016 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_3de061ce53321d017af3ba04d0897105_cobalt-strike_cobaltstrike.exe C:\Windows\System\QpAAkzm.exe
PID 4272 wrote to memory of 5020 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_3de061ce53321d017af3ba04d0897105_cobalt-strike_cobaltstrike.exe C:\Windows\System\fgSEgCt.exe
PID 4272 wrote to memory of 5020 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_3de061ce53321d017af3ba04d0897105_cobalt-strike_cobaltstrike.exe C:\Windows\System\fgSEgCt.exe
PID 4272 wrote to memory of 3344 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_3de061ce53321d017af3ba04d0897105_cobalt-strike_cobaltstrike.exe C:\Windows\System\kcEZGMJ.exe
PID 4272 wrote to memory of 3344 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_3de061ce53321d017af3ba04d0897105_cobalt-strike_cobaltstrike.exe C:\Windows\System\kcEZGMJ.exe
PID 4272 wrote to memory of 4004 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_3de061ce53321d017af3ba04d0897105_cobalt-strike_cobaltstrike.exe C:\Windows\System\UizWXZt.exe
PID 4272 wrote to memory of 4004 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_3de061ce53321d017af3ba04d0897105_cobalt-strike_cobaltstrike.exe C:\Windows\System\UizWXZt.exe
PID 4272 wrote to memory of 908 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_3de061ce53321d017af3ba04d0897105_cobalt-strike_cobaltstrike.exe C:\Windows\System\HlIZaDe.exe
PID 4272 wrote to memory of 908 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_3de061ce53321d017af3ba04d0897105_cobalt-strike_cobaltstrike.exe C:\Windows\System\HlIZaDe.exe
PID 4272 wrote to memory of 3972 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_3de061ce53321d017af3ba04d0897105_cobalt-strike_cobaltstrike.exe C:\Windows\System\scqzlcp.exe
PID 4272 wrote to memory of 3972 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_3de061ce53321d017af3ba04d0897105_cobalt-strike_cobaltstrike.exe C:\Windows\System\scqzlcp.exe
PID 4272 wrote to memory of 1172 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_3de061ce53321d017af3ba04d0897105_cobalt-strike_cobaltstrike.exe C:\Windows\System\tcSyuTQ.exe
PID 4272 wrote to memory of 1172 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_3de061ce53321d017af3ba04d0897105_cobalt-strike_cobaltstrike.exe C:\Windows\System\tcSyuTQ.exe
PID 4272 wrote to memory of 1496 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_3de061ce53321d017af3ba04d0897105_cobalt-strike_cobaltstrike.exe C:\Windows\System\GKzqwFE.exe
PID 4272 wrote to memory of 1496 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_3de061ce53321d017af3ba04d0897105_cobalt-strike_cobaltstrike.exe C:\Windows\System\GKzqwFE.exe
PID 4272 wrote to memory of 948 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_3de061ce53321d017af3ba04d0897105_cobalt-strike_cobaltstrike.exe C:\Windows\System\IzmiAzz.exe
PID 4272 wrote to memory of 948 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_3de061ce53321d017af3ba04d0897105_cobalt-strike_cobaltstrike.exe C:\Windows\System\IzmiAzz.exe
PID 4272 wrote to memory of 3984 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_3de061ce53321d017af3ba04d0897105_cobalt-strike_cobaltstrike.exe C:\Windows\System\AIrQWOH.exe
PID 4272 wrote to memory of 3984 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_3de061ce53321d017af3ba04d0897105_cobalt-strike_cobaltstrike.exe C:\Windows\System\AIrQWOH.exe
PID 4272 wrote to memory of 1360 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_3de061ce53321d017af3ba04d0897105_cobalt-strike_cobaltstrike.exe C:\Windows\System\TgNnMaW.exe
PID 4272 wrote to memory of 1360 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_3de061ce53321d017af3ba04d0897105_cobalt-strike_cobaltstrike.exe C:\Windows\System\TgNnMaW.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-06_3de061ce53321d017af3ba04d0897105_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-06_3de061ce53321d017af3ba04d0897105_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\bALEYcf.exe

C:\Windows\System\bALEYcf.exe

C:\Windows\System\GMxKwzl.exe

C:\Windows\System\GMxKwzl.exe

C:\Windows\System\EwdlsjB.exe

C:\Windows\System\EwdlsjB.exe

C:\Windows\System\xIiUAuH.exe

C:\Windows\System\xIiUAuH.exe

C:\Windows\System\DyCtiPk.exe

C:\Windows\System\DyCtiPk.exe

C:\Windows\System\WuyQiwi.exe

C:\Windows\System\WuyQiwi.exe

C:\Windows\System\sYBDghE.exe

C:\Windows\System\sYBDghE.exe

C:\Windows\System\fouapfc.exe

C:\Windows\System\fouapfc.exe

C:\Windows\System\JgWwIVq.exe

C:\Windows\System\JgWwIVq.exe

C:\Windows\System\jAqsgyV.exe

C:\Windows\System\jAqsgyV.exe

C:\Windows\System\QpAAkzm.exe

C:\Windows\System\QpAAkzm.exe

C:\Windows\System\fgSEgCt.exe

C:\Windows\System\fgSEgCt.exe

C:\Windows\System\kcEZGMJ.exe

C:\Windows\System\kcEZGMJ.exe

C:\Windows\System\UizWXZt.exe

C:\Windows\System\UizWXZt.exe

C:\Windows\System\HlIZaDe.exe

C:\Windows\System\HlIZaDe.exe

C:\Windows\System\scqzlcp.exe

C:\Windows\System\scqzlcp.exe

C:\Windows\System\tcSyuTQ.exe

C:\Windows\System\tcSyuTQ.exe

C:\Windows\System\GKzqwFE.exe

C:\Windows\System\GKzqwFE.exe

C:\Windows\System\IzmiAzz.exe

C:\Windows\System\IzmiAzz.exe

C:\Windows\System\AIrQWOH.exe

C:\Windows\System\AIrQWOH.exe

C:\Windows\System\TgNnMaW.exe

C:\Windows\System\TgNnMaW.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 145.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 105.83.221.88.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 52.111.229.43:443 tcp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 27.178.89.13.in-addr.arpa udp

Files

C:\Windows\System\bALEYcf.exe

C:\Windows\System\EwdlsjB.exe

C:\Windows\System\GMxKwzl.exe

C:\Windows\System\xIiUAuH.exe

C:\Windows\System\DyCtiPk.exe

C:\Windows\System\WuyQiwi.exe

C:\Windows\System\fouapfc.exe

C:\Windows\System\JgWwIVq.exe

C:\Windows\System\QpAAkzm.exe

C:\Windows\System\jAqsgyV.exe

C:\Windows\System\sYBDghE.exe

C:\Windows\System\fgSEgCt.exe

C:\Windows\System\scqzlcp.exe

C:\Windows\System\UizWXZt.exe

C:\Windows\System\GKzqwFE.exe

C:\Windows\System\IzmiAzz.exe

C:\Windows\System\AIrQWOH.exe

C:\Windows\System\TgNnMaW.exe

C:\Windows\System\tcSyuTQ.exe

C:\Windows\System\HlIZaDe.exe

C:\Windows\System\kcEZGMJ.exe
