Malware Analysis Report

2024-10-24 18:16

Sample ID 240607-b7s94aff4s
Target 2024-06-07_9629ebd4c3799641329f3d9dcce524d7_cobalt-strike_cobaltstrike
SHA256 2dca2e8cf5dd6fc063d4dc31d399a827c7ea0e47ec656b2e0b8bd806b8d92889
Tags
cobaltstrike xmrig 0 backdoor miner trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

2dca2e8cf5dd6fc063d4dc31d399a827c7ea0e47ec656b2e0b8bd806b8d92889

Threat Level: Known bad

The file 2024-06-07_9629ebd4c3799641329f3d9dcce524d7_cobalt-strike_cobaltstrike was found to be: Known bad.

Malicious Activity Summary

cobaltstrike xmrig 0 backdoor miner trojan upx

Xmrig family

Cobalt Strike reflective loader

UPX dump on OEP (original entry point)

Cobaltstrike family

xmrig

Cobaltstrike

Detects Reflective DLL injection artifacts

XMRig Miner payload

UPX packed file

Loads dropped DLL

Executes dropped EXE

Drops file in Windows directory

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-07 01:48

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike family

cobaltstrike

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Xmrig family

xmrig

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-07 01:47

Reported

2024-06-07 01:51

Platform

win7-20240221-en

Max time kernel

132s

Max time network

142s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-07_9629ebd4c3799641329f3d9dcce524d7_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_9629ebd4c3799641329f3d9dcce524d7_cobalt-strike_cobaltstrike.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\HupOEJI.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_9629ebd4c3799641329f3d9dcce524d7_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\toLRptS.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_9629ebd4c3799641329f3d9dcce524d7_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\vYbRskT.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_9629ebd4c3799641329f3d9dcce524d7_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\YkIknQD.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_9629ebd4c3799641329f3d9dcce524d7_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\OiVNvFh.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_9629ebd4c3799641329f3d9dcce524d7_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\KHzrnIM.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_9629ebd4c3799641329f3d9dcce524d7_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\aeYsMzY.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_9629ebd4c3799641329f3d9dcce524d7_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\pejAGaK.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_9629ebd4c3799641329f3d9dcce524d7_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\sQnLggh.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_9629ebd4c3799641329f3d9dcce524d7_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\yfwVZbR.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_9629ebd4c3799641329f3d9dcce524d7_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\pBcFozo.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_9629ebd4c3799641329f3d9dcce524d7_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\cuudpeR.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_9629ebd4c3799641329f3d9dcce524d7_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\Lnrlcyn.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_9629ebd4c3799641329f3d9dcce524d7_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\jaZbkpe.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_9629ebd4c3799641329f3d9dcce524d7_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\jTXhOjc.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_9629ebd4c3799641329f3d9dcce524d7_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\kLIuTHN.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_9629ebd4c3799641329f3d9dcce524d7_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\KNBuwDC.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_9629ebd4c3799641329f3d9dcce524d7_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\KssUXHo.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_9629ebd4c3799641329f3d9dcce524d7_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\GakQuKf.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_9629ebd4c3799641329f3d9dcce524d7_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\rhZLlrm.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_9629ebd4c3799641329f3d9dcce524d7_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\xYEhFcf.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_9629ebd4c3799641329f3d9dcce524d7_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_9629ebd4c3799641329f3d9dcce524d7_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2904 wrote to memory of 2388 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_9629ebd4c3799641329f3d9dcce524d7_cobalt-strike_cobaltstrike.exe C:\Windows\System\pBcFozo.exe
PID 2904 wrote to memory of 2208 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_9629ebd4c3799641329f3d9dcce524d7_cobalt-strike_cobaltstrike.exe C:\Windows\System\pejAGaK.exe
PID 2904 wrote to memory of 2988 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_9629ebd4c3799641329f3d9dcce524d7_cobalt-strike_cobaltstrike.exe C:\Windows\System\sQnLggh.exe
PID 2904 wrote to memory of 2532 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_9629ebd4c3799641329f3d9dcce524d7_cobalt-strike_cobaltstrike.exe C:\Windows\System\KNBuwDC.exe
PID 2904 wrote to memory of 2636 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_9629ebd4c3799641329f3d9dcce524d7_cobalt-strike_cobaltstrike.exe C:\Windows\System\xYEhFcf.exe
PID 2904 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_9629ebd4c3799641329f3d9dcce524d7_cobalt-strike_cobaltstrike.exe C:\Windows\System\cuudpeR.exe
PID 2904 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_9629ebd4c3799641329f3d9dcce524d7_cobalt-strike_cobaltstrike.exe C:\Windows\System\KssUXHo.exe
PID 2904 wrote to memory of 2584 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_9629ebd4c3799641329f3d9dcce524d7_cobalt-strike_cobaltstrike.exe C:\Windows\System\Lnrlcyn.exe
PID 2904 wrote to memory of 2736 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_9629ebd4c3799641329f3d9dcce524d7_cobalt-strike_cobaltstrike.exe C:\Windows\System\aeYsMzY.exe
PID 2904 wrote to memory of 2740 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_9629ebd4c3799641329f3d9dcce524d7_cobalt-strike_cobaltstrike.exe C:\Windows\System\GakQuKf.exe
PID 2904 wrote to memory of 876 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_9629ebd4c3799641329f3d9dcce524d7_cobalt-strike_cobaltstrike.exe C:\Windows\System\HupOEJI.exe
PID 2904 wrote to memory of 2420 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_9629ebd4c3799641329f3d9dcce524d7_cobalt-strike_cobaltstrike.exe C:\Windows\System\yfwVZbR.exe
PID 2904 wrote to memory of 2488 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_9629ebd4c3799641329f3d9dcce524d7_cobalt-strike_cobaltstrike.exe C:\Windows\System\toLRptS.exe
PID 2904 wrote to memory of 2592 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_9629ebd4c3799641329f3d9dcce524d7_cobalt-strike_cobaltstrike.exe C:\Windows\System\vYbRskT.exe
PID 2904 wrote to memory of 2936 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_9629ebd4c3799641329f3d9dcce524d7_cobalt-strike_cobaltstrike.exe C:\Windows\System\jaZbkpe.exe
PID 2904 wrote to memory of 2996 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_9629ebd4c3799641329f3d9dcce524d7_cobalt-strike_cobaltstrike.exe C:\Windows\System\jTXhOjc.exe
PID 2904 wrote to memory of 2716 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_9629ebd4c3799641329f3d9dcce524d7_cobalt-strike_cobaltstrike.exe C:\Windows\System\kLIuTHN.exe
PID 2904 wrote to memory of 2780 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_9629ebd4c3799641329f3d9dcce524d7_cobalt-strike_cobaltstrike.exe C:\Windows\System\rhZLlrm.exe
PID 2904 wrote to memory of 2916 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_9629ebd4c3799641329f3d9dcce524d7_cobalt-strike_cobaltstrike.exe C:\Windows\System\YkIknQD.exe
PID 2904 wrote to memory of 2912 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_9629ebd4c3799641329f3d9dcce524d7_cobalt-strike_cobaltstrike.exe C:\Windows\System\OiVNvFh.exe
PID 2904 wrote to memory of 2484 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_9629ebd4c3799641329f3d9dcce524d7_cobalt-strike_cobaltstrike.exe C:\Windows\System\KHzrnIM.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-07_9629ebd4c3799641329f3d9dcce524d7_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-07_9629ebd4c3799641329f3d9dcce524d7_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\pBcFozo.exe

C:\Windows\System\pBcFozo.exe

C:\Windows\System\pejAGaK.exe

C:\Windows\System\pejAGaK.exe

C:\Windows\System\sQnLggh.exe

C:\Windows\System\sQnLggh.exe

C:\Windows\System\KNBuwDC.exe

C:\Windows\System\KNBuwDC.exe

C:\Windows\System\xYEhFcf.exe

C:\Windows\System\xYEhFcf.exe

C:\Windows\System\cuudpeR.exe

C:\Windows\System\cuudpeR.exe

C:\Windows\System\KssUXHo.exe

C:\Windows\System\KssUXHo.exe

C:\Windows\System\Lnrlcyn.exe

C:\Windows\System\Lnrlcyn.exe

C:\Windows\System\aeYsMzY.exe

C:\Windows\System\aeYsMzY.exe

C:\Windows\System\GakQuKf.exe

C:\Windows\System\GakQuKf.exe

C:\Windows\System\HupOEJI.exe

C:\Windows\System\HupOEJI.exe

C:\Windows\System\yfwVZbR.exe

C:\Windows\System\yfwVZbR.exe

C:\Windows\System\toLRptS.exe

C:\Windows\System\toLRptS.exe

C:\Windows\System\vYbRskT.exe

C:\Windows\System\vYbRskT.exe

C:\Windows\System\jaZbkpe.exe

C:\Windows\System\jaZbkpe.exe

C:\Windows\System\jTXhOjc.exe

C:\Windows\System\jTXhOjc.exe

C:\Windows\System\kLIuTHN.exe

C:\Windows\System\kLIuTHN.exe

C:\Windows\System\rhZLlrm.exe

C:\Windows\System\rhZLlrm.exe

C:\Windows\System\YkIknQD.exe

C:\Windows\System\YkIknQD.exe

C:\Windows\System\OiVNvFh.exe

C:\Windows\System\OiVNvFh.exe

C:\Windows\System\KHzrnIM.exe

C:\Windows\System\KHzrnIM.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 tcp

Files


Analysis: behavioral2

Detonation Overview

Submitted

2024-06-07 01:47

Reported

2024-06-07 01:51

Platform

win10v2004-20240508-en

Max time kernel

145s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-07_9629ebd4c3799641329f3d9dcce524d7_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\pBcFozo.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_9629ebd4c3799641329f3d9dcce524d7_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\xYEhFcf.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_9629ebd4c3799641329f3d9dcce524d7_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\KssUXHo.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_9629ebd4c3799641329f3d9dcce524d7_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\toLRptS.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_9629ebd4c3799641329f3d9dcce524d7_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\pejAGaK.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_9629ebd4c3799641329f3d9dcce524d7_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\sQnLggh.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_9629ebd4c3799641329f3d9dcce524d7_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\aeYsMzY.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_9629ebd4c3799641329f3d9dcce524d7_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\GakQuKf.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_9629ebd4c3799641329f3d9dcce524d7_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\HupOEJI.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_9629ebd4c3799641329f3d9dcce524d7_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\vYbRskT.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_9629ebd4c3799641329f3d9dcce524d7_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\rhZLlrm.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_9629ebd4c3799641329f3d9dcce524d7_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\Lnrlcyn.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_9629ebd4c3799641329f3d9dcce524d7_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\jTXhOjc.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_9629ebd4c3799641329f3d9dcce524d7_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\kLIuTHN.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_9629ebd4c3799641329f3d9dcce524d7_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\OiVNvFh.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_9629ebd4c3799641329f3d9dcce524d7_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\KNBuwDC.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_9629ebd4c3799641329f3d9dcce524d7_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\cuudpeR.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_9629ebd4c3799641329f3d9dcce524d7_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\yfwVZbR.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_9629ebd4c3799641329f3d9dcce524d7_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\jaZbkpe.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_9629ebd4c3799641329f3d9dcce524d7_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\YkIknQD.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_9629ebd4c3799641329f3d9dcce524d7_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\KHzrnIM.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_9629ebd4c3799641329f3d9dcce524d7_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_9629ebd4c3799641329f3d9dcce524d7_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 764 wrote to memory of 756 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_9629ebd4c3799641329f3d9dcce524d7_cobalt-strike_cobaltstrike.exe C:\Windows\System\pBcFozo.exe
PID 764 wrote to memory of 1228 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_9629ebd4c3799641329f3d9dcce524d7_cobalt-strike_cobaltstrike.exe C:\Windows\System\pejAGaK.exe
PID 764 wrote to memory of 2776 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_9629ebd4c3799641329f3d9dcce524d7_cobalt-strike_cobaltstrike.exe C:\Windows\System\sQnLggh.exe
PID 764 wrote to memory of 3476 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_9629ebd4c3799641329f3d9dcce524d7_cobalt-strike_cobaltstrike.exe C:\Windows\System\KNBuwDC.exe
PID 764 wrote to memory of 1452 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_9629ebd4c3799641329f3d9dcce524d7_cobalt-strike_cobaltstrike.exe C:\Windows\System\xYEhFcf.exe
PID 764 wrote to memory of 1340 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_9629ebd4c3799641329f3d9dcce524d7_cobalt-strike_cobaltstrike.exe C:\Windows\System\cuudpeR.exe
PID 764 wrote to memory of 968 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_9629ebd4c3799641329f3d9dcce524d7_cobalt-strike_cobaltstrike.exe C:\Windows\System\KssUXHo.exe
PID 764 wrote to memory of 3960 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_9629ebd4c3799641329f3d9dcce524d7_cobalt-strike_cobaltstrike.exe C:\Windows\System\Lnrlcyn.exe
PID 764 wrote to memory of 2312 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_9629ebd4c3799641329f3d9dcce524d7_cobalt-strike_cobaltstrike.exe C:\Windows\System\aeYsMzY.exe
PID 764 wrote to memory of 3796 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_9629ebd4c3799641329f3d9dcce524d7_cobalt-strike_cobaltstrike.exe C:\Windows\System\GakQuKf.exe
PID 764 wrote to memory of 1136 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_9629ebd4c3799641329f3d9dcce524d7_cobalt-strike_cobaltstrike.exe C:\Windows\System\HupOEJI.exe
PID 764 wrote to memory of 2408 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_9629ebd4c3799641329f3d9dcce524d7_cobalt-strike_cobaltstrike.exe C:\Windows\System\yfwVZbR.exe
PID 764 wrote to memory of 448 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_9629ebd4c3799641329f3d9dcce524d7_cobalt-strike_cobaltstrike.exe C:\Windows\System\toLRptS.exe
PID 764 wrote to memory of 4584 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_9629ebd4c3799641329f3d9dcce524d7_cobalt-strike_cobaltstrike.exe C:\Windows\System\vYbRskT.exe
PID 764 wrote to memory of 5004 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_9629ebd4c3799641329f3d9dcce524d7_cobalt-strike_cobaltstrike.exe C:\Windows\System\jaZbkpe.exe
PID 764 wrote to memory of 4816 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_9629ebd4c3799641329f3d9dcce524d7_cobalt-strike_cobaltstrike.exe C:\Windows\System\jTXhOjc.exe
PID 764 wrote to memory of 3540 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_9629ebd4c3799641329f3d9dcce524d7_cobalt-strike_cobaltstrike.exe C:\Windows\System\kLIuTHN.exe
PID 764 wrote to memory of 4784 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_9629ebd4c3799641329f3d9dcce524d7_cobalt-strike_cobaltstrike.exe C:\Windows\System\rhZLlrm.exe
PID 764 wrote to memory of 5076 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_9629ebd4c3799641329f3d9dcce524d7_cobalt-strike_cobaltstrike.exe C:\Windows\System\YkIknQD.exe
PID 764 wrote to memory of 4976 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_9629ebd4c3799641329f3d9dcce524d7_cobalt-strike_cobaltstrike.exe C:\Windows\System\OiVNvFh.exe
PID 764 wrote to memory of 2368 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_9629ebd4c3799641329f3d9dcce524d7_cobalt-strike_cobaltstrike.exe C:\Windows\System\KHzrnIM.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-07_9629ebd4c3799641329f3d9dcce524d7_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-07_9629ebd4c3799641329f3d9dcce524d7_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\pBcFozo.exe

C:\Windows\System\pejAGaK.exe

C:\Windows\System\sQnLggh.exe

C:\Windows\System\KNBuwDC.exe

C:\Windows\System\xYEhFcf.exe

C:\Windows\System\cuudpeR.exe

C:\Windows\System\KssUXHo.exe

C:\Windows\System\Lnrlcyn.exe

C:\Windows\System\aeYsMzY.exe

C:\Windows\System\GakQuKf.exe

C:\Windows\System\HupOEJI.exe

C:\Windows\System\yfwVZbR.exe

C:\Windows\System\toLRptS.exe

C:\Windows\System\vYbRskT.exe

C:\Windows\System\jaZbkpe.exe

C:\Windows\System\jTXhOjc.exe

C:\Windows\System\kLIuTHN.exe

C:\Windows\System\rhZLlrm.exe

C:\Windows\System\YkIknQD.exe

C:\Windows\System\OiVNvFh.exe

C:\Windows\System\KHzrnIM.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 144.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp

Files

C:\Windows\System\pBcFozo.exe

C:\Windows\System\pejAGaK.exe

C:\Windows\System\sQnLggh.exe

C:\Windows\System\KNBuwDC.exe

C:\Windows\System\xYEhFcf.exe

C:\Windows\System\cuudpeR.exe

C:\Windows\System\KssUXHo.exe

C:\Windows\System\Lnrlcyn.exe

C:\Windows\System\toLRptS.exe

C:\Windows\System\vYbRskT.exe

C:\Windows\System\yfwVZbR.exe

C:\Windows\System\HupOEJI.exe

C:\Windows\System\aeYsMzY.exe

C:\Windows\System\GakQuKf.exe

C:\Windows\System\jaZbkpe.exe

C:\Windows\System\rhZLlrm.exe

C:\Windows\System\YkIknQD.exe

C:\Windows\System\OiVNvFh.exe

C:\Windows\System\KHzrnIM.exe

C:\Windows\System\jTXhOjc.exe

C:\Windows\System\kLIuTHN.exe