Malware Analysis Report

2024-10-16 03:09

Sample ID 240609-dj99tacf8s
Target 2024-06-09_72615c19f0136751925e1675c00edee1_cobalt-strike_cobaltstrike
SHA256 77365bbe3797d7a048e83f2f634be853d6d5d8e1728580c74161226814d26130
Tags
miner upx 0 xmrig cobaltstrike backdoor trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

77365bbe3797d7a048e83f2f634be853d6d5d8e1728580c74161226814d26130

Threat Level: Known bad

The file 2024-06-09_72615c19f0136751925e1675c00edee1_cobalt-strike_cobaltstrike was found to be: Known bad.

Malicious Activity Summary

miner upx 0 xmrig cobaltstrike backdoor trojan

Xmrig family

XMRig Miner payload

UPX dump on OEP (original entry point)

xmrig

Detects Reflective DLL injection artifacts

Cobaltstrike family

Cobaltstrike

Cobalt Strike reflective loader

Executes dropped EXE

Loads dropped DLL

UPX packed file

Drops file in Windows directory

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-09 03:05

Signatures

Cobalt Strike reflective loader

Cobaltstrike family (cobaltstrike)

Detects Reflective DLL injection artifacts

UPX dump on OEP (original entry point)

XMRig Miner payload (miner)

Xmrig family (xmrig)

UPX packed file (upx)

Unsigned PE

None of the static matches carries a Description, Indicator, Process or Target (every table cell is N/A); the signature names are the only information the static pass recorded.

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-09 03:03

Reported

2024-06-09 03:07

Platform

win7-20240221-en

Max time kernel

140s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-09_72615c19f0136751925e1675c00edee1_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

21 matches recorded; Description, Indicator, Process and Target are N/A for every row.

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

21 matches recorded; Description, Indicator, Process and Target are N/A for every row.

UPX dump on OEP (original entry point)

53 matches recorded; Description, Indicator, Process and Target are N/A for every row.

XMRig Miner payload

miner
57 matches recorded; Description, Indicator, Process and Target are N/A for every row.

Loads dropped DLL

21 matches recorded, each with Process = C:\Users\Admin\AppData\Local\Temp\2024-06-09_72615c19f0136751925e1675c00edee1_cobalt-strike_cobaltstrike.exe; Description, Indicator and Target are N/A for every row.

UPX packed file

upx
53 matches recorded; Description, Indicator, Process and Target are N/A for every row.
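The "UPX packed file" verdict above can be reproduced offline from the PE section table. The Python below is an added example, not part of this report and not the sandbox's own detection logic: it parses the section headers, flags UPX0/UPX1 section names, the UPX! marker and high-entropy executable sections, and, because the sample itself is not included here, builds a minimal constructed PE32+ image in memory to run against. The entropy threshold and the synthetic image layout are assumptions.

```python
import math
import random
import struct

IMAGE_SCN_MEM_EXECUTE = 0x20000000


def shannon_entropy(data):
    """Bits per byte: 0 for a constant run, 8.0 for uniformly random bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_sections(pe):
    """Yield (name, raw_offset, raw_size, characteristics) from the section table."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = e_lfanew + 4                       # IMAGE_FILE_HEADER (20 bytes)
    n_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]
    table = coff + 20 + opt_size              # first IMAGE_SECTION_HEADER
    for i in range(n_sections):
        off = table + 40 * i
        name = pe[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        _vsize, _va, raw_size, raw_ptr = struct.unpack_from("<IIII", pe, off + 8)
        chars = struct.unpack_from("<I", pe, off + 36)[0]
        yield name, raw_ptr, raw_size, chars


def upx_indicators(pe, entropy_threshold=7.0):
    """Reasons the image looks UPX-packed; an empty list means nothing fired."""
    reasons = []
    for name, ptr, size, chars in parse_sections(pe):
        if name.upper().startswith("UPX"):
            reasons.append(f"section name {name}")
        if size and chars & IMAGE_SCN_MEM_EXECUTE:
            ent = shannon_entropy(pe[ptr:ptr + size])
            if ent > entropy_threshold:       # compressed code is near-random
                reasons.append(f"executable section {name} entropy {ent:.2f}")
    if b"UPX!" in pe:                          # stock UPX stamps its header
        reasons.append("UPX! marker")
    return reasons


def build_sample_pe(packed):
    """Constructed minimal PE32+ image (assumption: all other header fields zero)."""
    rng = random.Random(1)                    # deterministic 'compressed' bytes
    if packed:
        sections = [(b"UPX0", b"", 0x60000080),
                    (b"UPX1", bytes(rng.randrange(256) for _ in range(4096)) + b"UPX!", 0xE0000040),
                    (b".rsrc", b"\0" * 512, 0xC0000040)]
    else:
        sections = [(b".text", b"\xC3" * 2048, 0x60000020),
                    (b".data", b"\0" * 512, 0xC0000040)]
    opt_size = 240                            # PE32+ optional header size
    hdr_len = 0x40 + 4 + 20 + opt_size + 40 * len(sections)
    data_off = (hdr_len + 0x1FF) & ~0x1FF     # 512-byte file alignment
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x8664, len(sections), 0, 0, 0, opt_size, 0x22)
    opt = struct.pack("<H", 0x20B) + b"\0" * (opt_size - 2)
    table, body, ptr, va = b"", b"", data_off, 0x1000
    for name, raw, chars in sections:
        size = (len(raw) + 0x1FF) & ~0x1FF
        table += name.ljust(8, b"\0") + struct.pack(
            "<IIIIIIHHI", max(len(raw), 0x1000), va, size, ptr if size else 0, 0, 0, 0, 0, chars)
        body += raw.ljust(size, b"\0")
        ptr += size
        va += 0x10000
    header = (dos + b"PE\0\0" + coff + opt + table).ljust(data_off, b"\0")
    return header + body


if __name__ == "__main__":
    for label, image in (("packed", build_sample_pe(True)), ("plain", build_sample_pe(False))):
        print(label, upx_indicators(image) or ["no UPX indicators"])
```

Against a real file call upx_indicators(open(path, "rb").read()). The section names and the UPX! marker are trivial for a modified UPX build to strip; the entropy of the executable section is the packer-agnostic signal, and it is also why the dynamic "UPX dump on OEP" signature exists alongside the static one.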

Drops file in Windows directory

All 21 rows are "File created" by C:\Users\Admin\AppData\Local\Temp\2024-06-09_72615c19f0136751925e1675c00edee1_cobalt-strike_cobaltstrike.exe with Indicator and Target N/A. Created paths, in the order recorded:

C:\Windows\System\symRklM.exe
C:\Windows\System\WaxeNyo.exe
C:\Windows\System\BbBoVnF.exe
C:\Windows\System\sZpCIiX.exe
C:\Windows\System\IlBTeNl.exe
C:\Windows\System\gGFyegf.exe
C:\Windows\System\gUYWEXL.exe
C:\Windows\System\YYxoHYl.exe
C:\Windows\System\TRYBSVU.exe
C:\Windows\System\wvgBkIp.exe
C:\Windows\System\SwzxbVZ.exe
C:\Windows\System\aSQtAuI.exe
C:\Windows\System\pIpVhnD.exe
C:\Windows\System\HCelRQk.exe
C:\Windows\System\kxpovlP.exe
C:\Windows\System\pIewjZz.exe
C:\Windows\System\gPuvRur.exe
C:\Windows\System\OAuocsi.exe
C:\Windows\System\pNQNKhM.exe
C:\Windows\System\LSUOzyP.exe
C:\Windows\System\mCrqWzt.exe

Note the directory: C:\Windows\System, the legacy system directory, not C:\Windows\System32. Newly created executables with random seven-letter mixed-case names there are a reliable hunting pivot; the same 21 names reappear as child processes and in the Files section below.

Suspicious use of AdjustPrivilegeToken

Token: SeLockMemoryPrivilege, enabled twice by C:\Users\Admin\AppData\Local\Temp\2024-06-09_72615c19f0136751925e1675c00edee1_cobalt-strike_cobaltstrike.exe (Indicator and Target N/A).

SeLockMemoryPrivilege ("Lock pages in memory") is the right XMRig needs to back its scratchpad with large pages, so its appearance next to the miner signature is consistent with the verdict rather than incidental.

Suspicious use of WriteProcessMemory

Every row has Process = C:\Users\Admin\AppData\Local\Temp\2024-06-09_72615c19f0136751925e1675c00edee1_cobalt-strike_cobaltstrike.exe (PID 1996) and Indicator = N/A. The original table lists each child three times, one row per WriteProcessMemory call; collapsed here to one row per child with the Target column kept.

PID 1996 wrote to memory of 2912 (x3) C:\Windows\System\gPuvRur.exe
PID 1996 wrote to memory of 1836 (x3) C:\Windows\System\OAuocsi.exe
PID 1996 wrote to memory of 2588 (x3) C:\Windows\System\sZpCIiX.exe
PID 1996 wrote to memory of 2692 (x3) C:\Windows\System\pNQNKhM.exe
PID 1996 wrote to memory of 2936 (x3) C:\Windows\System\LSUOzyP.exe
PID 1996 wrote to memory of 2924 (x3) C:\Windows\System\TRYBSVU.exe
PID 1996 wrote to memory of 2920 (x3) C:\Windows\System\wvgBkIp.exe
PID 1996 wrote to memory of 2644 (x3) C:\Windows\System\IlBTeNl.exe
PID 1996 wrote to memory of 2868 (x3) C:\Windows\System\gGFyegf.exe
PID 1996 wrote to memory of 2020 (x3) C:\Windows\System\mCrqWzt.exe
PID 1996 wrote to memory of 2616 (x3) C:\Windows\System\gUYWEXL.exe
PID 1996 wrote to memory of 2332 (x3) C:\Windows\System\YYxoHYl.exe
PID 1996 wrote to memory of 2844 (x3) C:\Windows\System\HCelRQk.exe
PID 1996 wrote to memory of 2872 (x3) C:\Windows\System\pIpVhnD.exe
PID 1996 wrote to memory of 2896 (x3) C:\Windows\System\SwzxbVZ.exe
PID 1996 wrote to memory of 3032 (x3) C:\Windows\System\symRklM.exe
PID 1996 wrote to memory of 1988 (x3) C:\Windows\System\WaxeNyo.exe
PID 1996 wrote to memory of 1032 (x3) C:\Windows\System\kxpovlP.exe
PID 1996 wrote to memory of 1936 (x3) C:\Windows\System\aSQtAuI.exe
PID 1996 wrote to memory of 1028 (x3) C:\Windows\System\BbBoVnF.exe
PID 1996 wrote to memory of 2788 (x3) C:\Windows\System\pIewjZz.exe

In every row the writer is the parent and the target is the dropped executable it has just launched, so these writes are consistent with process start-up rather than with injection into an unrelated process; the reflective-loader signatures, not this table, are the injection evidence.
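The three behaviours recorded above (executables dropped into C:\Windows\System, SeLockMemoryPrivilege being enabled, and the dropper launching what it wrote) map onto Windows Security events 4688 (process creation) and 4703 (token right adjusted). The Python below is an added detection example, not from this report and not any vendor's rule; the event records are constructed to mirror this detonation with the sample filename shortened, and the path regexes and allow-list are assumptions to tune per environment.

```python
import re

# Constructed Windows Security records modelled on event IDs 4688 and 4703.
# Field names follow the event XML; paths are made up for this example.
EVENTS = [
    {"EventID": 4688, "NewProcessName": r"C:\Users\Admin\AppData\Local\Temp\sample.exe",
     "ParentProcessName": r"C:\Windows\explorer.exe"},
    {"EventID": 4688, "NewProcessName": r"C:\Windows\System\gPuvRur.exe",
     "ParentProcessName": r"C:\Users\Admin\AppData\Local\Temp\sample.exe"},
    {"EventID": 4688, "NewProcessName": r"C:\Windows\System32\notepad.exe",
     "ParentProcessName": r"C:\Windows\explorer.exe"},
    {"EventID": 4703, "ProcessName": r"C:\Users\Admin\AppData\Local\Temp\sample.exe",
     "EnabledPrivilegeList": "SeLockMemoryPrivilege", "DisabledPrivilegeList": "-"},
    {"EventID": 4703, "ProcessName": r"C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe",
     "EnabledPrivilegeList": "SeLockMemoryPrivilege", "DisabledPrivilegeList": "-"},
    {"EventID": 4703, "ProcessName": r"C:\Windows\System32\svchost.exe",
     "EnabledPrivilegeList": "SeDebugPrivilege, SeImpersonatePrivilege", "DisabledPrivilegeList": "-"},
]

# The sample wrote 21 executables with random 7-letter names into C:\Windows\System
# (the legacy directory, not System32) and launched them from its own Temp path.
DROPPED_IN_SYSTEM_RE = re.compile(r"^[a-z]:\\Windows\\System\\[a-z]{7}\.exe$", re.I)
USER_WRITABLE_RE = re.compile(r"\\(AppData\\Local\\Temp|Downloads|Public)\\", re.I)

# Images expected to enable SeLockMemoryPrivilege (large-page users); assumption,
# extend with whatever legitimately uses large pages in your estate.
LOCK_MEMORY_ALLOWLIST = {"sqlservr.exe", "vmware-vmx.exe"}


def image_name(path):
    """Lower-cased file name component of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return (rule, path) tuples for events that match either behaviour."""
    hits = []
    for ev in events:
        if ev["EventID"] == 4688:
            if (DROPPED_IN_SYSTEM_RE.match(ev["NewProcessName"])
                    and USER_WRITABLE_RE.search(ev["ParentProcessName"])):
                hits.append(("dropped_exe_in_windows_system", ev["NewProcessName"]))
        elif ev["EventID"] == 4703:
            # The privilege list arrives one name per line; split on any separator.
            privs = set(re.split(r"[\s,]+", ev["EnabledPrivilegeList"].strip()))
            if ("SeLockMemoryPrivilege" in privs
                    and image_name(ev["ProcessName"]) not in LOCK_MEMORY_ALLOWLIST):
                hits.append(("selockmemory_enabled_by_unexpected_image", ev["ProcessName"]))
    return hits


if __name__ == "__main__":
    for rule, path in detect(EVENTS):
        print(f"{rule}: {path}")
```

4703 fires constantly for service hosts, so the privilege-name filter plus the allow-list is what keeps this quiet; database engines and hypervisors are the usual legitimate large-page users. ParentProcessName in 4688 exists only on Windows 10 / Server 2016 and later; on the Windows 7 platform this detonation ran on, correlate on the creator process ID instead, or use Sysmon event 1, which carries the same parent and child fields.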

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-09_72615c19f0136751925e1675c00edee1_cobalt-strike_cobaltstrike.exe (PID 1996)
    "C:\Users\Admin\AppData\Local\Temp\2024-06-09_72615c19f0136751925e1675c00edee1_cobalt-strike_cobaltstrike.exe"

    Children, all launched by PID 1996 with the bare path as the command line (PIDs taken from the WriteProcessMemory rows):

    C:\Windows\System\gPuvRur.exe (2912)
    C:\Windows\System\OAuocsi.exe (1836)
    C:\Windows\System\sZpCIiX.exe (2588)
    C:\Windows\System\pNQNKhM.exe (2692)
    C:\Windows\System\LSUOzyP.exe (2936)
    C:\Windows\System\TRYBSVU.exe (2924)
    C:\Windows\System\wvgBkIp.exe (2920)
    C:\Windows\System\IlBTeNl.exe (2644)
    C:\Windows\System\gGFyegf.exe (2868)
    C:\Windows\System\mCrqWzt.exe (2020)
    C:\Windows\System\gUYWEXL.exe (2616)
    C:\Windows\System\YYxoHYl.exe (2332)
    C:\Windows\System\HCelRQk.exe (2844)
    C:\Windows\System\pIpVhnD.exe (2872)
    C:\Windows\System\SwzxbVZ.exe (2896)
    C:\Windows\System\symRklM.exe (3032)
    C:\Windows\System\WaxeNyo.exe (1988)
    C:\Windows\System\kxpovlP.exe (1032)
    C:\Windows\System\aSQtAuI.exe (1936)
    C:\Windows\System\BbBoVnF.exe (1028)
    C:\Windows\System\pIewjZz.exe (2788)

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 (none) tcp, 6 connections

This is the only external endpoint. No domain was resolved, so the sample reaches it by hard-coded IP; check the address against current cloud and hosting ranges before treating it as a long-lived indicator.
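The WriteProcessMemory, Processes and Network tables are flat rows that repeat the same parent and the same endpoint many times. The Python below is an added example, not part of the report, that parses rows in the report's own column format into a parent/child tree with per-child write counts and collapses the Network rows into endpoint counts. The input is a constructed excerpt of this report's rows with the sample filename shortened to sample.exe.

```python
import re
from collections import Counter, defaultdict

# Constructed excerpt of the report's "Suspicious use of WriteProcessMemory"
# rows, in the report's own column order (Description, Indicator, Process,
# Target). The sample's long filename is shortened to sample.exe; the three
# rows per child are as the sandbox recorded them.
WPM_ROWS = r"""
PID 1996 wrote to memory of 2912 N/A C:\Users\Admin\AppData\Local\Temp\sample.exe C:\Windows\System\gPuvRur.exe
PID 1996 wrote to memory of 2912 N/A C:\Users\Admin\AppData\Local\Temp\sample.exe C:\Windows\System\gPuvRur.exe
PID 1996 wrote to memory of 2912 N/A C:\Users\Admin\AppData\Local\Temp\sample.exe C:\Windows\System\gPuvRur.exe
PID 1996 wrote to memory of 1836 N/A C:\Users\Admin\AppData\Local\Temp\sample.exe C:\Windows\System\OAuocsi.exe
PID 1996 wrote to memory of 1836 N/A C:\Users\Admin\AppData\Local\Temp\sample.exe C:\Windows\System\OAuocsi.exe
PID 1996 wrote to memory of 1836 N/A C:\Users\Admin\AppData\Local\Temp\sample.exe C:\Windows\System\OAuocsi.exe
PID 1996 wrote to memory of 2588 N/A C:\Users\Admin\AppData\Local\Temp\sample.exe C:\Windows\System\sZpCIiX.exe
PID 1996 wrote to memory of 2588 N/A C:\Users\Admin\AppData\Local\Temp\sample.exe C:\Windows\System\sZpCIiX.exe
PID 1996 wrote to memory of 2588 N/A C:\Users\Admin\AppData\Local\Temp\sample.exe C:\Windows\System\sZpCIiX.exe
"""

# Constructed excerpt of the Network table (Country Destination Domain Proto);
# the Domain column is empty in the report, so each row has three tokens.
NET_ROWS = """
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
"""

WPM_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) (\S+) (\S+) (\S+)$")


def parse_wpm_rows(text):
    """Return {parent_pid: {child_pid: (parent_path, child_path, write_count)}}."""
    tree = defaultdict(dict)
    for line in text.splitlines():
        m = WPM_RE.match(line.strip())
        if not m:
            continue  # header, blank or malformed row
        ppid, cpid, _indicator, ppath, cpath = m.groups()
        ppid, cpid = int(ppid), int(cpid)
        prev = tree[ppid].get(cpid)
        count = prev[2] + 1 if prev else 1
        tree[ppid][cpid] = (ppath, cpath, count)
    return dict(tree)


def render_tree(tree, root):
    """Indented one-level tree for root, children sorted by PID."""
    children = tree.get(root, {})
    if not children:
        return [str(root)]
    parent_path = next(iter(children.values()))[0]
    lines = [f"{root} {parent_path}"]
    for cpid, (_, cpath, n) in sorted(children.items()):
        lines.append(f"  +- {cpid} {cpath} ({n} WriteProcessMemory calls)")
    return lines


def summarize_network(text):
    """Collapse repeated rows into {(country, endpoint, proto): count}."""
    counts = Counter()
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3:
            counts[tuple(parts)] += 1
    return dict(counts)


if __name__ == "__main__":
    t = parse_wpm_rows(WPM_ROWS)
    print("\n".join(render_tree(t, 1996)))
    for (country, endpoint, proto), n in summarize_network(NET_ROWS).items():
        print(f"{endpoint}/{proto} ({country}): {n} connections")
```

Fed the full 63-row table, parse_wpm_rows yields one parent (1996) with 21 children at three writes each, which is the shape the Processes section shows; a child PID that appeared as a writer in its own right, or a target outside C:\Windows\System, would stand out immediately in the rendered tree.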

Files

memory/1996-0-0x000000013F040000-0x000000013F394000-memory.dmp

memory/1996-1-0x00000000000F0000-0x0000000000100000-memory.dmp

C:\Windows\system\gPuvRur.exe

MD5 6a6495ac7d8b33356e7207c225183989
SHA1 23dedeb38c1d3462c6660c0c354675c4f10af7a7
SHA256 d9f3bbbf669847b4984bd17a89142960d54124a9f5a71fb2f0941c250b9c0f14
SHA512 eb4c77e6a03f29d1d8786020ae6c7e167d05c1f664188b7cf332670efbcd3705e1d84a496d38ccc8ffb8219f815d2d4775dfd8e8b4044d900a9255007b09696b

\Windows\system\OAuocsi.exe

MD5 e34686bf22933617f0b1d99f3d9650bf
SHA1 4246750d37de60b3132f078b3007f2db0d991fbd
SHA256 f453ca29e9bb32500b9868ca3871362eb853c351b1738213bdf388c143309447
SHA512 2dfb1496083b4b17c65029fb74a0505ec0e9a1fd37e5cc4852a948bca7f7be4858f54c7ceadb78274a978c02c02740961a47850dc2501655587af88e3da6d8da

\Windows\system\sZpCIiX.exe

MD5 0fa1a7c1e3081790624e4d27e00425e5
SHA1 a8925a76a7df0f2f4db08132007826a0fc4220d7
SHA256 d76f7575810772453f3d7b2b9913fd4fd301efc9fb4aff1a075ac2f4675e6697
SHA512 767311ade357dcc6efadcf465d466497335c9ca040b727fc27c36c0061f581f8ee9e66646219943ebb13a407100cc3f795ff49a8d9747650f114a939061e8d63

memory/1996-16-0x000000013FA30000-0x000000013FD84000-memory.dmp

\Windows\system\pNQNKhM.exe

MD5 f76666ef5e45fce65e7a5d1a18f94534
SHA1 50d7f597048f28a6bc4ded54ec0bf478555e19e6
SHA256 3bb5d7303efaab1772ea0cba36a586c597976bddc0dd572dd63632cb9bbcd4de
SHA512 a89feee3eceb3a092cda5bc5f0b1bf9bc741386e3669efd35fe12e721e0f9b07b299bae571c0dea2aa542c3a53539c33ffa3e4a1b771ec3ec86c9c9a90d09cd9

C:\Windows\system\LSUOzyP.exe

MD5 0fc3c7b89d24926f732e41828b0aff45
SHA1 1c42a9036c31fe7d1a1e3772ee37b08ad069c904
SHA256 33e33dbab8d4425727422e56491dae1bc708014e2c782dda3a43b6e55af6e235
SHA512 13316b70b8add368f8f6d715e8a601265a4b6742b4c871bcaec320229ba7a3a10dabb6ebdcfa4518409ebb0573618d918b71c353403710a7fbf3a449bba3ce61

C:\Windows\system\TRYBSVU.exe

MD5 e6e25c8ed305d19e257431fa052888fe
SHA1 567e89d950ec8f50952ca0f9418ab8fc9d497249
SHA256 2dc05c83a40f456be2bfce6337b80ce249cff8ab085752660833b793c2f8ac38
SHA512 c9a67f8dd4c619d3b2b776fe24ebafc7dffbe898e5ef3e0d927020af7ffb755fecc450106fa3512a9b1f93444240a162dbde9e37d53835f538b37c512e92bdd0

C:\Windows\system\wvgBkIp.exe

MD5 afdf94c43581756570759fb10a373194
SHA1 a68fd51ee5f81aad352a6281527916855af049dd
SHA256 163ae47279acb50830ec02b79789e088055a6e8341226f2206be0d255dd8478c
SHA512 00c856c7ac3c3aef0b9d89a6ed5bbaf78970d9d22a87e48cd731fccebd5e71d6500aaa754a82b4ce0b39c7b714fddd89b2569923f1a0c673801a335eb3819c64

C:\Windows\system\IlBTeNl.exe

MD5 01370593592887c2db697fecdc371f8d
SHA1 7678467f353ab0e45548990defb75ec09c05ad2d
SHA256 06b30f4c16221de09f64ec3c2de23e9a200c5ba6f6443db49b78a778954d8c20
SHA512 9b7bd6600df4a89271555758b006e94a2541c259f563d373b9695858bb2a44c6dbb0f61894f6b562ef1474ddec5e02cb619ccb82a74dde17b40f27c019596f0d

C:\Windows\system\gGFyegf.exe

MD5 fbe62081b6eae9bcb8c89f46bf72b644
SHA1 c5bb97b0e55b3ef54859eabd2887a714580a4284
SHA256 cd52012c6675ebd43e61270f5d97ce131dc56aa476d4a4073e83498cdd576098
SHA512 ec6fec6e3ded3507fdf234b76ebe1f34cb5322983eedb5ff738daf4c3b0a54d95762d744caa6e3405957abc18a0be0e396b34e6dedc12a246cef86c8718440e1

C:\Windows\system\pIpVhnD.exe

MD5 7aee1b782971b040e0bb34df87af6a54
SHA1 7c8d73fb3285b8c4a26db66580fa6a393b43fd15
SHA256 d59b10688e2153d32464ea5bdf3007448739b7f88678f3a12871cd4034607406
SHA512 1ca9dab696bf30caec85fe9616877399f5bd5e1dcba6ab5e23eecfff9f569773427916cfd64e78ca9b67c7d36be18a74f05830ee0a945165b5f35f0329712d1c

C:\Windows\system\aSQtAuI.exe

MD5 47a4a7a6a2356df589d9ba441f55554f
SHA1 7eb12e50906a545537cfb9b9638e172b238baf17
SHA256 060f804b2e213e4062fdc24564c6dc7ad87f71719b8c97ec5f0ba8abac25038f
SHA512 be9090b3c9812658de85de96f54c696762ddc66481cd0d01e25d5009d73011a26fe83de16ee4f8a560d86613fa41cd11d7a83d7e52f6d3e8bb69139e5a5342a5

C:\Windows\system\pIewjZz.exe

MD5 7b0cd64d7f2f83eb9d2790da19c07907
SHA1 52ae1623c0c198aa2ca91a6ec17bb5edce59ddb9
SHA256 5fdb3a564df549499e23cfae47689a728b7b817aed68b46bb746e885d7e33f70
SHA512 a827682c7272db5a7e516bbff6ac2f3cb931abb962f21ce33ca6316b3b7025cae8a8715dfd5761d23180d6095133c268f9e2a3184b5f02c120751c7d0040f5ba

C:\Windows\system\BbBoVnF.exe

MD5 5acc378baf509dcc061e3b67a83bc2ab
SHA1 6e041fb5477d1aa76df49abbaf7fd73c71db4fc1
SHA256 826c9ee409a32d1f2a66372fc961eb5cdd921da0203980e408d20fd55c1220ce
SHA512 b4b87aac3cf8ee4aad9bef7c7497914b8a82787e6a0c3ee87e67714a7bee53efa20ee95046bad87d20fcd29a7b142da3d45136d39edcaf2c61bf76fe9de3891b

C:\Windows\system\kxpovlP.exe

MD5 91a85dccb2e21b2bac3861ad685e008d
SHA1 d0250dad23562559891eb02eadd78422d5f5bfa1
SHA256 877bc1c27d66b67306cda8c9ba32907b6981c48fce7951bf4864ccf5e4f2be52
SHA512 bef739af6c8b17f884b85f52d52f6cd93929e2f4917be8c76b7a138901df9e7f591238e0a40d46e516efcd09c5ed0864f3c8d1f218cf2303ec83e74d77fc62ae

C:\Windows\system\WaxeNyo.exe

MD5 104b32745e19e6fcbfa3e04320bfe7b1
SHA1 8aa3ed5433428b96e0579c8864dbf2ef30d47a84
SHA256 6eb513e13a4553ee8adbeffb7637de60e92f0daa1c91e05d4d8ec9691274b39d
SHA512 cbcf0c3ddc3b705b5d25e345b4b91db345215eee286c3853e43cac92f2921b300d992a56eb25fc59790e5b30f872aac1529606e7402d87f02528a43305a7f705

C:\Windows\system\symRklM.exe

MD5 a0517f6051d7397584f490bfe150aedb
SHA1 13c2301ac4a93d25a846321306495075b5606b33
SHA256 5f408207d8afe92d1f466e5774d18263694d2e070dffdec2016ae742f25e18cc
SHA512 cb9c887daeaa90721da5ca420212b3c67423cf52b671040186174e78b6037d729f4be06fe93a084f99259cdceb49a8940ef564619bbca2c8733ef9aa802abdfb

C:\Windows\system\SwzxbVZ.exe

MD5 9186682ebc23bc95e53c7c05cf946387
SHA1 5a0a6fbc296f16f97b263fc2957f8101d42f8071
SHA256 bdde1442ef70ce9c0d9569f0b01cfae50500daf3c6674f1715da674487052297
SHA512 2ba1903a27080202a5efdc32e3bd604ff4f0c0ee0352582828f1f6d1edf510a7fe84c1503bede0f029197699119c67f31f86736299fb2e54f648506c415126a2

C:\Windows\system\YYxoHYl.exe

MD5 1ffd42fc6c3f39d2984d58faddde0a9c
SHA1 8a7c05b864bc6a20c9ab2990065259a46d6871e3
SHA256 cdb653e9270a894fb1342205cb6082fe9db66ed3879c5acde45094b6390ccf5d
SHA512 bc9242d80dc6e29bf95ee406489d3197ddad9e1fc65151ba4dfda55d37c147243156f258025c7ed37e2aac7a6ad25cb4c35685fa72d5cafcd6ab26196fc774df

C:\Windows\system\HCelRQk.exe

MD5 946ab05db4ecb89ca92b54539ab3187a
SHA1 dbb3ab65e1e64ad82a3930a1a36aff3edc04a27e
SHA256 2c62f5e2f6aa463e6953036d766310599a7904077e88b9830de703c5946e281b
SHA512 b6d697e8f1d8412f6498a367ccb38354baabb2f6337046aa3f5fba11cee0aafb1ab8c3532955eb87df61db66f5dc1f78bf5c43f114b009bec258612204c00d56

memory/2936-60-0x000000013F290000-0x000000013F5E4000-memory.dmp

memory/1996-59-0x00000000024B0000-0x0000000002804000-memory.dmp

memory/2692-58-0x000000013FA90000-0x000000013FDE4000-memory.dmp

memory/2588-57-0x000000013F1F0000-0x000000013F544000-memory.dmp

memory/1996-56-0x00000000024B0000-0x0000000002804000-memory.dmp

memory/1836-55-0x000000013F780000-0x000000013FAD4000-memory.dmp

memory/1996-50-0x000000013F780000-0x000000013FAD4000-memory.dmp

C:\Windows\system\gUYWEXL.exe

MD5 0936eba371f2f8f737013bb11af1426b
SHA1 f3b0691109e4e23b1ed5882fe883a04ee188363a
SHA256 41df8c64773b34741dd22aef88fa5e6ff3fa8065de5ee810dacb6659de2ce793
SHA512 edfc791b43c65e01e1fe76f4f40f5ac08821ffd0e89bc68b3f2dce397366c1bc5a22cd2cbf533879f2173d088a0af05356e28879e24643a0e2c0086053d3c676

C:\Windows\system\mCrqWzt.exe

MD5 4afd6c8a74c90b9d41dbee3fd7a89ec2
SHA1 30419adcd568d88f638da0cee70fa13f634b5a50
SHA256 6e7e635fd441b4433df1a9e394ed8981c31c9dfebe7c5b9a1c6260153bfe084d
SHA512 aa53ea5140d10bea642ad267b03f084eeec2a39ee57ac5583e2838583ea2c7c5d0df69ff24b898af4f6a41db030f9e7e581ec0e846a2616010debe009a2771a5

memory/2924-116-0x000000013FD20000-0x0000000140074000-memory.dmp

memory/1996-117-0x000000013F470000-0x000000013F7C4000-memory.dmp

memory/1996-115-0x000000013FD20000-0x0000000140074000-memory.dmp

memory/1996-119-0x000000013F3A0000-0x000000013F6F4000-memory.dmp

memory/2920-118-0x000000013F470000-0x000000013F7C4000-memory.dmp

memory/1996-125-0x000000013FA60000-0x000000013FDB4000-memory.dmp

memory/2616-126-0x000000013FA60000-0x000000013FDB4000-memory.dmp

memory/2020-124-0x000000013F590000-0x000000013F8E4000-memory.dmp

memory/1996-123-0x000000013F590000-0x000000013F8E4000-memory.dmp

memory/1996-135-0x000000013F630000-0x000000013F984000-memory.dmp

memory/1996-134-0x000000013FA90000-0x000000013FDE4000-memory.dmp

memory/2912-133-0x000000013FA30000-0x000000013FD84000-memory.dmp

memory/1996-132-0x00000000024B0000-0x0000000002804000-memory.dmp

memory/2872-131-0x000000013F620000-0x000000013F974000-memory.dmp

memory/1996-130-0x000000013F620000-0x000000013F974000-memory.dmp

memory/2844-129-0x000000013F870000-0x000000013FBC4000-memory.dmp

memory/2332-128-0x000000013F630000-0x000000013F984000-memory.dmp

memory/1996-127-0x000000013F870000-0x000000013FBC4000-memory.dmp

memory/2868-122-0x000000013FB00000-0x000000013FE54000-memory.dmp

memory/1996-121-0x000000013FB00000-0x000000013FE54000-memory.dmp

memory/2644-120-0x000000013F3A0000-0x000000013F6F4000-memory.dmp

memory/1996-136-0x000000013F040000-0x000000013F394000-memory.dmp

memory/1996-137-0x000000013F780000-0x000000013FAD4000-memory.dmp

memory/1836-138-0x000000013F780000-0x000000013FAD4000-memory.dmp

memory/2692-139-0x000000013FA90000-0x000000013FDE4000-memory.dmp

memory/2912-140-0x000000013FA30000-0x000000013FD84000-memory.dmp

memory/2588-141-0x000000013F1F0000-0x000000013F544000-memory.dmp

memory/2616-145-0x000000013FA60000-0x000000013FDB4000-memory.dmp

memory/2868-144-0x000000013FB00000-0x000000013FE54000-memory.dmp

memory/2920-143-0x000000013F470000-0x000000013F7C4000-memory.dmp

memory/2936-142-0x000000013F290000-0x000000013F5E4000-memory.dmp

memory/2844-146-0x000000013F870000-0x000000013FBC4000-memory.dmp

memory/2020-152-0x000000013F590000-0x000000013F8E4000-memory.dmp

memory/2644-151-0x000000013F3A0000-0x000000013F6F4000-memory.dmp

memory/2692-150-0x000000013FA90000-0x000000013FDE4000-memory.dmp

memory/2332-149-0x000000013F630000-0x000000013F984000-memory.dmp

memory/2924-148-0x000000013FD20000-0x0000000140074000-memory.dmp

memory/1836-147-0x000000013F780000-0x000000013FAD4000-memory.dmp

memory/2872-153-0x000000013F620000-0x000000013F974000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-09 03:03

Reported

2024-06-09 03:07

Platform

win10v2004-20240508-en

Max time kernel

143s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-09_72615c19f0136751925e1675c00edee1_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\sZpCIiX.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_72615c19f0136751925e1675c00edee1_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\YYxoHYl.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_72615c19f0136751925e1675c00edee1_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\HCelRQk.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_72615c19f0136751925e1675c00edee1_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\BbBoVnF.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_72615c19f0136751925e1675c00edee1_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\symRklM.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_72615c19f0136751925e1675c00edee1_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\kxpovlP.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_72615c19f0136751925e1675c00edee1_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\aSQtAuI.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_72615c19f0136751925e1675c00edee1_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\pIewjZz.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_72615c19f0136751925e1675c00edee1_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\gPuvRur.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_72615c19f0136751925e1675c00edee1_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\pNQNKhM.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_72615c19f0136751925e1675c00edee1_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\LSUOzyP.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_72615c19f0136751925e1675c00edee1_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\SwzxbVZ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_72615c19f0136751925e1675c00edee1_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\OAuocsi.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_72615c19f0136751925e1675c00edee1_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\TRYBSVU.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_72615c19f0136751925e1675c00edee1_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\wvgBkIp.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_72615c19f0136751925e1675c00edee1_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\gGFyegf.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_72615c19f0136751925e1675c00edee1_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\WaxeNyo.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_72615c19f0136751925e1675c00edee1_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\IlBTeNl.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_72615c19f0136751925e1675c00edee1_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\mCrqWzt.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_72615c19f0136751925e1675c00edee1_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\gUYWEXL.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_72615c19f0136751925e1675c00edee1_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\pIpVhnD.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_72615c19f0136751925e1675c00edee1_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_72615c19f0136751925e1675c00edee1_cobalt-strike_cobaltstrike.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_72615c19f0136751925e1675c00edee1_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2332 wrote to memory of 1992 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_72615c19f0136751925e1675c00edee1_cobalt-strike_cobaltstrike.exe C:\Windows\System\gPuvRur.exe
PID 2332 wrote to memory of 1992 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_72615c19f0136751925e1675c00edee1_cobalt-strike_cobaltstrike.exe C:\Windows\System\gPuvRur.exe
PID 2332 wrote to memory of 3964 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_72615c19f0136751925e1675c00edee1_cobalt-strike_cobaltstrike.exe C:\Windows\System\OAuocsi.exe
PID 2332 wrote to memory of 3964 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_72615c19f0136751925e1675c00edee1_cobalt-strike_cobaltstrike.exe C:\Windows\System\OAuocsi.exe
PID 2332 wrote to memory of 4020 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_72615c19f0136751925e1675c00edee1_cobalt-strike_cobaltstrike.exe C:\Windows\System\sZpCIiX.exe
PID 2332 wrote to memory of 4020 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_72615c19f0136751925e1675c00edee1_cobalt-strike_cobaltstrike.exe C:\Windows\System\sZpCIiX.exe
PID 2332 wrote to memory of 3784 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_72615c19f0136751925e1675c00edee1_cobalt-strike_cobaltstrike.exe C:\Windows\System\pNQNKhM.exe
PID 2332 wrote to memory of 3784 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_72615c19f0136751925e1675c00edee1_cobalt-strike_cobaltstrike.exe C:\Windows\System\pNQNKhM.exe
PID 2332 wrote to memory of 1836 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_72615c19f0136751925e1675c00edee1_cobalt-strike_cobaltstrike.exe C:\Windows\System\LSUOzyP.exe
PID 2332 wrote to memory of 1836 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_72615c19f0136751925e1675c00edee1_cobalt-strike_cobaltstrike.exe C:\Windows\System\LSUOzyP.exe
PID 2332 wrote to memory of 3144 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_72615c19f0136751925e1675c00edee1_cobalt-strike_cobaltstrike.exe C:\Windows\System\TRYBSVU.exe
PID 2332 wrote to memory of 3144 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_72615c19f0136751925e1675c00edee1_cobalt-strike_cobaltstrike.exe C:\Windows\System\TRYBSVU.exe
PID 2332 wrote to memory of 3724 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_72615c19f0136751925e1675c00edee1_cobalt-strike_cobaltstrike.exe C:\Windows\System\wvgBkIp.exe
PID 2332 wrote to memory of 3724 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_72615c19f0136751925e1675c00edee1_cobalt-strike_cobaltstrike.exe C:\Windows\System\wvgBkIp.exe
PID 2332 wrote to memory of 4144 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_72615c19f0136751925e1675c00edee1_cobalt-strike_cobaltstrike.exe C:\Windows\System\IlBTeNl.exe
PID 2332 wrote to memory of 4144 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_72615c19f0136751925e1675c00edee1_cobalt-strike_cobaltstrike.exe C:\Windows\System\IlBTeNl.exe
PID 2332 wrote to memory of 2792 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_72615c19f0136751925e1675c00edee1_cobalt-strike_cobaltstrike.exe C:\Windows\System\gGFyegf.exe
PID 2332 wrote to memory of 2792 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_72615c19f0136751925e1675c00edee1_cobalt-strike_cobaltstrike.exe C:\Windows\System\gGFyegf.exe
PID 2332 wrote to memory of 4112 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_72615c19f0136751925e1675c00edee1_cobalt-strike_cobaltstrike.exe C:\Windows\System\mCrqWzt.exe
PID 2332 wrote to memory of 4112 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_72615c19f0136751925e1675c00edee1_cobalt-strike_cobaltstrike.exe C:\Windows\System\mCrqWzt.exe
PID 2332 wrote to memory of 1188 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_72615c19f0136751925e1675c00edee1_cobalt-strike_cobaltstrike.exe C:\Windows\System\gUYWEXL.exe
PID 2332 wrote to memory of 1188 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_72615c19f0136751925e1675c00edee1_cobalt-strike_cobaltstrike.exe C:\Windows\System\gUYWEXL.exe
PID 2332 wrote to memory of 4460 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_72615c19f0136751925e1675c00edee1_cobalt-strike_cobaltstrike.exe C:\Windows\System\YYxoHYl.exe
PID 2332 wrote to memory of 4460 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_72615c19f0136751925e1675c00edee1_cobalt-strike_cobaltstrike.exe C:\Windows\System\YYxoHYl.exe
PID 2332 wrote to memory of 1028 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_72615c19f0136751925e1675c00edee1_cobalt-strike_cobaltstrike.exe C:\Windows\System\HCelRQk.exe
PID 2332 wrote to memory of 1028 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_72615c19f0136751925e1675c00edee1_cobalt-strike_cobaltstrike.exe C:\Windows\System\HCelRQk.exe
PID 2332 wrote to memory of 2404 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_72615c19f0136751925e1675c00edee1_cobalt-strike_cobaltstrike.exe C:\Windows\System\pIpVhnD.exe
PID 2332 wrote to memory of 2404 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_72615c19f0136751925e1675c00edee1_cobalt-strike_cobaltstrike.exe C:\Windows\System\pIpVhnD.exe
PID 2332 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_72615c19f0136751925e1675c00edee1_cobalt-strike_cobaltstrike.exe C:\Windows\System\SwzxbVZ.exe
PID 2332 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_72615c19f0136751925e1675c00edee1_cobalt-strike_cobaltstrike.exe C:\Windows\System\SwzxbVZ.exe
PID 2332 wrote to memory of 2956 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_72615c19f0136751925e1675c00edee1_cobalt-strike_cobaltstrike.exe C:\Windows\System\symRklM.exe
PID 2332 wrote to memory of 2956 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_72615c19f0136751925e1675c00edee1_cobalt-strike_cobaltstrike.exe C:\Windows\System\symRklM.exe
PID 2332 wrote to memory of 4692 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_72615c19f0136751925e1675c00edee1_cobalt-strike_cobaltstrike.exe C:\Windows\System\WaxeNyo.exe
PID 2332 wrote to memory of 4692 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_72615c19f0136751925e1675c00edee1_cobalt-strike_cobaltstrike.exe C:\Windows\System\WaxeNyo.exe
PID 2332 wrote to memory of 3808 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_72615c19f0136751925e1675c00edee1_cobalt-strike_cobaltstrike.exe C:\Windows\System\kxpovlP.exe
PID 2332 wrote to memory of 3808 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_72615c19f0136751925e1675c00edee1_cobalt-strike_cobaltstrike.exe C:\Windows\System\kxpovlP.exe
PID 2332 wrote to memory of 4324 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_72615c19f0136751925e1675c00edee1_cobalt-strike_cobaltstrike.exe C:\Windows\System\aSQtAuI.exe
PID 2332 wrote to memory of 4324 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_72615c19f0136751925e1675c00edee1_cobalt-strike_cobaltstrike.exe C:\Windows\System\aSQtAuI.exe
PID 2332 wrote to memory of 1012 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_72615c19f0136751925e1675c00edee1_cobalt-strike_cobaltstrike.exe C:\Windows\System\BbBoVnF.exe
PID 2332 wrote to memory of 1012 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_72615c19f0136751925e1675c00edee1_cobalt-strike_cobaltstrike.exe C:\Windows\System\BbBoVnF.exe
PID 2332 wrote to memory of 4060 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_72615c19f0136751925e1675c00edee1_cobalt-strike_cobaltstrike.exe C:\Windows\System\pIewjZz.exe
PID 2332 wrote to memory of 4060 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_72615c19f0136751925e1675c00edee1_cobalt-strike_cobaltstrike.exe C:\Windows\System\pIewjZz.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-09_72615c19f0136751925e1675c00edee1_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-09_72615c19f0136751925e1675c00edee1_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\gPuvRur.exe

C:\Windows\System\gPuvRur.exe

C:\Windows\System\OAuocsi.exe

C:\Windows\System\OAuocsi.exe

C:\Windows\System\sZpCIiX.exe

C:\Windows\System\sZpCIiX.exe

C:\Windows\System\pNQNKhM.exe

C:\Windows\System\pNQNKhM.exe

C:\Windows\System\LSUOzyP.exe

C:\Windows\System\LSUOzyP.exe

C:\Windows\System\TRYBSVU.exe

C:\Windows\System\TRYBSVU.exe

C:\Windows\System\wvgBkIp.exe

C:\Windows\System\wvgBkIp.exe

C:\Windows\System\IlBTeNl.exe

C:\Windows\System\IlBTeNl.exe

C:\Windows\System\gGFyegf.exe

C:\Windows\System\gGFyegf.exe

C:\Windows\System\mCrqWzt.exe

C:\Windows\System\mCrqWzt.exe

C:\Windows\System\gUYWEXL.exe

C:\Windows\System\gUYWEXL.exe

C:\Windows\System\YYxoHYl.exe

C:\Windows\System\YYxoHYl.exe

C:\Windows\System\HCelRQk.exe

C:\Windows\System\HCelRQk.exe

C:\Windows\System\pIpVhnD.exe

C:\Windows\System\pIpVhnD.exe

C:\Windows\System\SwzxbVZ.exe

C:\Windows\System\SwzxbVZ.exe

C:\Windows\System\symRklM.exe

C:\Windows\System\symRklM.exe

C:\Windows\System\WaxeNyo.exe

C:\Windows\System\WaxeNyo.exe

C:\Windows\System\kxpovlP.exe

C:\Windows\System\kxpovlP.exe

C:\Windows\System\aSQtAuI.exe

C:\Windows\System\aSQtAuI.exe

C:\Windows\System\BbBoVnF.exe

C:\Windows\System\BbBoVnF.exe

C:\Windows\System\pIewjZz.exe

C:\Windows\System\pIewjZz.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp

Files

memory/2332-0-0x00007FF7B7540000-0x00007FF7B7894000-memory.dmp

memory/2332-1-0x000001EEA0540000-0x000001EEA0550000-memory.dmp

C:\Windows\System\gPuvRur.exe

MD5 6a6495ac7d8b33356e7207c225183989
SHA1 23dedeb38c1d3462c6660c0c354675c4f10af7a7
SHA256 d9f3bbbf669847b4984bd17a89142960d54124a9f5a71fb2f0941c250b9c0f14
SHA512 eb4c77e6a03f29d1d8786020ae6c7e167d05c1f664188b7cf332670efbcd3705e1d84a496d38ccc8ffb8219f815d2d4775dfd8e8b4044d900a9255007b09696b

memory/1992-6-0x00007FF63B130000-0x00007FF63B484000-memory.dmp

C:\Windows\System\OAuocsi.exe

MD5 e34686bf22933617f0b1d99f3d9650bf
SHA1 4246750d37de60b3132f078b3007f2db0d991fbd
SHA256 f453ca29e9bb32500b9868ca3871362eb853c351b1738213bdf388c143309447
SHA512 2dfb1496083b4b17c65029fb74a0505ec0e9a1fd37e5cc4852a948bca7f7be4858f54c7ceadb78274a978c02c02740961a47850dc2501655587af88e3da6d8da

C:\Windows\System\sZpCIiX.exe

MD5 0fa1a7c1e3081790624e4d27e00425e5
SHA1 a8925a76a7df0f2f4db08132007826a0fc4220d7
SHA256 d76f7575810772453f3d7b2b9913fd4fd301efc9fb4aff1a075ac2f4675e6697
SHA512 767311ade357dcc6efadcf465d466497335c9ca040b727fc27c36c0061f581f8ee9e66646219943ebb13a407100cc3f795ff49a8d9747650f114a939061e8d63

C:\Windows\System\pNQNKhM.exe

MD5 f76666ef5e45fce65e7a5d1a18f94534
SHA1 50d7f597048f28a6bc4ded54ec0bf478555e19e6
SHA256 3bb5d7303efaab1772ea0cba36a586c597976bddc0dd572dd63632cb9bbcd4de
SHA512 a89feee3eceb3a092cda5bc5f0b1bf9bc741386e3669efd35fe12e721e0f9b07b299bae571c0dea2aa542c3a53539c33ffa3e4a1b771ec3ec86c9c9a90d09cd9

C:\Windows\System\LSUOzyP.exe

MD5 0fc3c7b89d24926f732e41828b0aff45
SHA1 1c42a9036c31fe7d1a1e3772ee37b08ad069c904
SHA256 33e33dbab8d4425727422e56491dae1bc708014e2c782dda3a43b6e55af6e235
SHA512 13316b70b8add368f8f6d715e8a601265a4b6742b4c871bcaec320229ba7a3a10dabb6ebdcfa4518409ebb0573618d918b71c353403710a7fbf3a449bba3ce61

memory/1836-31-0x00007FF6D4830000-0x00007FF6D4B84000-memory.dmp

memory/3784-32-0x00007FF617F90000-0x00007FF6182E4000-memory.dmp

C:\Windows\System\TRYBSVU.exe

MD5 e6e25c8ed305d19e257431fa052888fe
SHA1 567e89d950ec8f50952ca0f9418ab8fc9d497249
SHA256 2dc05c83a40f456be2bfce6337b80ce249cff8ab085752660833b793c2f8ac38
SHA512 c9a67f8dd4c619d3b2b776fe24ebafc7dffbe898e5ef3e0d927020af7ffb755fecc450106fa3512a9b1f93444240a162dbde9e37d53835f538b37c512e92bdd0

C:\Windows\System\wvgBkIp.exe

MD5 afdf94c43581756570759fb10a373194
SHA1 a68fd51ee5f81aad352a6281527916855af049dd
SHA256 163ae47279acb50830ec02b79789e088055a6e8341226f2206be0d255dd8478c
SHA512 00c856c7ac3c3aef0b9d89a6ed5bbaf78970d9d22a87e48cd731fccebd5e71d6500aaa754a82b4ce0b39c7b714fddd89b2569923f1a0c673801a335eb3819c64

memory/3144-38-0x00007FF7B40B0000-0x00007FF7B4404000-memory.dmp

memory/4020-30-0x00007FF669ED0000-0x00007FF66A224000-memory.dmp

memory/3964-15-0x00007FF77B8B0000-0x00007FF77BC04000-memory.dmp

memory/3724-44-0x00007FF705FE0000-0x00007FF706334000-memory.dmp

C:\Windows\System\IlBTeNl.exe

MD5 01370593592887c2db697fecdc371f8d
SHA1 7678467f353ab0e45548990defb75ec09c05ad2d
SHA256 06b30f4c16221de09f64ec3c2de23e9a200c5ba6f6443db49b78a778954d8c20
SHA512 9b7bd6600df4a89271555758b006e94a2541c259f563d373b9695858bb2a44c6dbb0f61894f6b562ef1474ddec5e02cb619ccb82a74dde17b40f27c019596f0d

memory/4144-49-0x00007FF6384B0000-0x00007FF638804000-memory.dmp

C:\Windows\System\gGFyegf.exe

MD5 fbe62081b6eae9bcb8c89f46bf72b644
SHA1 c5bb97b0e55b3ef54859eabd2887a714580a4284
SHA256 cd52012c6675ebd43e61270f5d97ce131dc56aa476d4a4073e83498cdd576098
SHA512 ec6fec6e3ded3507fdf234b76ebe1f34cb5322983eedb5ff738daf4c3b0a54d95762d744caa6e3405957abc18a0be0e396b34e6dedc12a246cef86c8718440e1

C:\Windows\System\gUYWEXL.exe

MD5 0936eba371f2f8f737013bb11af1426b
SHA1 f3b0691109e4e23b1ed5882fe883a04ee188363a
SHA256 41df8c64773b34741dd22aef88fa5e6ff3fa8065de5ee810dacb6659de2ce793
SHA512 edfc791b43c65e01e1fe76f4f40f5ac08821ffd0e89bc68b3f2dce397366c1bc5a22cd2cbf533879f2173d088a0af05356e28879e24643a0e2c0086053d3c676

memory/4112-66-0x00007FF6F6DF0000-0x00007FF6F7144000-memory.dmp

C:\Windows\System\mCrqWzt.exe

MD5 4afd6c8a74c90b9d41dbee3fd7a89ec2
SHA1 30419adcd568d88f638da0cee70fa13f634b5a50
SHA256 6e7e635fd441b4433df1a9e394ed8981c31c9dfebe7c5b9a1c6260153bfe084d
SHA512 aa53ea5140d10bea642ad267b03f084eeec2a39ee57ac5583e2838583ea2c7c5d0df69ff24b898af4f6a41db030f9e7e581ec0e846a2616010debe009a2771a5

memory/2792-63-0x00007FF7BCCC0000-0x00007FF7BD014000-memory.dmp

C:\Windows\System\YYxoHYl.exe

MD5 1ffd42fc6c3f39d2984d58faddde0a9c
SHA1 8a7c05b864bc6a20c9ab2990065259a46d6871e3
SHA256 cdb653e9270a894fb1342205cb6082fe9db66ed3879c5acde45094b6390ccf5d
SHA512 bc9242d80dc6e29bf95ee406489d3197ddad9e1fc65151ba4dfda55d37c147243156f258025c7ed37e2aac7a6ad25cb4c35685fa72d5cafcd6ab26196fc774df

C:\Windows\System\pIpVhnD.exe

MD5 7aee1b782971b040e0bb34df87af6a54
SHA1 7c8d73fb3285b8c4a26db66580fa6a393b43fd15
SHA256 d59b10688e2153d32464ea5bdf3007448739b7f88678f3a12871cd4034607406
SHA512 1ca9dab696bf30caec85fe9616877399f5bd5e1dcba6ab5e23eecfff9f569773427916cfd64e78ca9b67c7d36be18a74f05830ee0a945165b5f35f0329712d1c

C:\Windows\System\symRklM.exe

MD5 a0517f6051d7397584f490bfe150aedb
SHA1 13c2301ac4a93d25a846321306495075b5606b33
SHA256 5f408207d8afe92d1f466e5774d18263694d2e070dffdec2016ae742f25e18cc
SHA512 cb9c887daeaa90721da5ca420212b3c67423cf52b671040186174e78b6037d729f4be06fe93a084f99259cdceb49a8940ef564619bbca2c8733ef9aa802abdfb

memory/2652-95-0x00007FF6923D0000-0x00007FF692724000-memory.dmp

memory/2956-97-0x00007FF75CB50000-0x00007FF75CEA4000-memory.dmp

C:\Windows\System\SwzxbVZ.exe

MD5 9186682ebc23bc95e53c7c05cf946387
SHA1 5a0a6fbc296f16f97b263fc2957f8101d42f8071
SHA256 bdde1442ef70ce9c0d9569f0b01cfae50500daf3c6674f1715da674487052297
SHA512 2ba1903a27080202a5efdc32e3bd604ff4f0c0ee0352582828f1f6d1edf510a7fe84c1503bede0f029197699119c67f31f86736299fb2e54f648506c415126a2

memory/4020-96-0x00007FF669ED0000-0x00007FF66A224000-memory.dmp

memory/2404-94-0x00007FF6A5D10000-0x00007FF6A6064000-memory.dmp

memory/1028-93-0x00007FF65B330000-0x00007FF65B684000-memory.dmp

memory/1992-91-0x00007FF63B130000-0x00007FF63B484000-memory.dmp

C:\Windows\System\HCelRQk.exe

MD5 946ab05db4ecb89ca92b54539ab3187a
SHA1 dbb3ab65e1e64ad82a3930a1a36aff3edc04a27e
SHA256 2c62f5e2f6aa463e6953036d766310599a7904077e88b9830de703c5946e281b
SHA512 b6d697e8f1d8412f6498a367ccb38354baabb2f6337046aa3f5fba11cee0aafb1ab8c3532955eb87df61db66f5dc1f78bf5c43f114b009bec258612204c00d56

memory/4460-79-0x00007FF760800000-0x00007FF760B54000-memory.dmp

memory/1188-78-0x00007FF7B9BD0000-0x00007FF7B9F24000-memory.dmp

memory/2332-71-0x00007FF7B7540000-0x00007FF7B7894000-memory.dmp

C:\Windows\System\WaxeNyo.exe

MD5 104b32745e19e6fcbfa3e04320bfe7b1
SHA1 8aa3ed5433428b96e0579c8864dbf2ef30d47a84
SHA256 6eb513e13a4553ee8adbeffb7637de60e92f0daa1c91e05d4d8ec9691274b39d
SHA512 cbcf0c3ddc3b705b5d25e345b4b91db345215eee286c3853e43cac92f2921b300d992a56eb25fc59790e5b30f872aac1529606e7402d87f02528a43305a7f705

C:\Windows\System\kxpovlP.exe

MD5 91a85dccb2e21b2bac3861ad685e008d
SHA1 d0250dad23562559891eb02eadd78422d5f5bfa1
SHA256 877bc1c27d66b67306cda8c9ba32907b6981c48fce7951bf4864ccf5e4f2be52
SHA512 bef739af6c8b17f884b85f52d52f6cd93929e2f4917be8c76b7a138901df9e7f591238e0a40d46e516efcd09c5ed0864f3c8d1f218cf2303ec83e74d77fc62ae

C:\Windows\System\aSQtAuI.exe

MD5 47a4a7a6a2356df589d9ba441f55554f
SHA1 7eb12e50906a545537cfb9b9638e172b238baf17
SHA256 060f804b2e213e4062fdc24564c6dc7ad87f71719b8c97ec5f0ba8abac25038f
SHA512 be9090b3c9812658de85de96f54c696762ddc66481cd0d01e25d5009d73011a26fe83de16ee4f8a560d86613fa41cd11d7a83d7e52f6d3e8bb69139e5a5342a5

C:\Windows\System\BbBoVnF.exe

MD5 5acc378baf509dcc061e3b67a83bc2ab
SHA1 6e041fb5477d1aa76df49abbaf7fd73c71db4fc1
SHA256 826c9ee409a32d1f2a66372fc961eb5cdd921da0203980e408d20fd55c1220ce
SHA512 b4b87aac3cf8ee4aad9bef7c7497914b8a82787e6a0c3ee87e67714a7bee53efa20ee95046bad87d20fcd29a7b142da3d45136d39edcaf2c61bf76fe9de3891b

memory/4692-119-0x00007FF7D6380000-0x00007FF7D66D4000-memory.dmp

memory/3808-123-0x00007FF62AC50000-0x00007FF62AFA4000-memory.dmp

memory/4324-124-0x00007FF67E200000-0x00007FF67E554000-memory.dmp

C:\Windows\System\pIewjZz.exe

MD5 7b0cd64d7f2f83eb9d2790da19c07907
SHA1 52ae1623c0c198aa2ca91a6ec17bb5edce59ddb9
SHA256 5fdb3a564df549499e23cfae47689a728b7b817aed68b46bb746e885d7e33f70
SHA512 a827682c7272db5a7e516bbff6ac2f3cb931abb962f21ce33ca6316b3b7025cae8a8715dfd5761d23180d6095133c268f9e2a3184b5f02c120751c7d0040f5ba

memory/1012-129-0x00007FF6752A0000-0x00007FF6755F4000-memory.dmp

memory/4060-130-0x00007FF7D2C30000-0x00007FF7D2F84000-memory.dmp

memory/2792-132-0x00007FF7BCCC0000-0x00007FF7BD014000-memory.dmp

memory/4144-131-0x00007FF6384B0000-0x00007FF638804000-memory.dmp

memory/1188-133-0x00007FF7B9BD0000-0x00007FF7B9F24000-memory.dmp

memory/2652-134-0x00007FF6923D0000-0x00007FF692724000-memory.dmp

memory/2956-135-0x00007FF75CB50000-0x00007FF75CEA4000-memory.dmp

memory/1992-136-0x00007FF63B130000-0x00007FF63B484000-memory.dmp

memory/3964-137-0x00007FF77B8B0000-0x00007FF77BC04000-memory.dmp

memory/1836-139-0x00007FF6D4830000-0x00007FF6D4B84000-memory.dmp

memory/4020-138-0x00007FF669ED0000-0x00007FF66A224000-memory.dmp

memory/3784-140-0x00007FF617F90000-0x00007FF6182E4000-memory.dmp

memory/3144-141-0x00007FF7B40B0000-0x00007FF7B4404000-memory.dmp

memory/3724-142-0x00007FF705FE0000-0x00007FF706334000-memory.dmp

memory/4144-143-0x00007FF6384B0000-0x00007FF638804000-memory.dmp

memory/4112-144-0x00007FF6F6DF0000-0x00007FF6F7144000-memory.dmp

memory/2792-145-0x00007FF7BCCC0000-0x00007FF7BD014000-memory.dmp

memory/1188-147-0x00007FF7B9BD0000-0x00007FF7B9F24000-memory.dmp

memory/4460-146-0x00007FF760800000-0x00007FF760B54000-memory.dmp

memory/1028-148-0x00007FF65B330000-0x00007FF65B684000-memory.dmp

memory/2404-149-0x00007FF6A5D10000-0x00007FF6A6064000-memory.dmp

memory/2652-150-0x00007FF6923D0000-0x00007FF692724000-memory.dmp

memory/2956-151-0x00007FF75CB50000-0x00007FF75CEA4000-memory.dmp

memory/4692-152-0x00007FF7D6380000-0x00007FF7D66D4000-memory.dmp

memory/3808-153-0x00007FF62AC50000-0x00007FF62AFA4000-memory.dmp

memory/4324-154-0x00007FF67E200000-0x00007FF67E554000-memory.dmp

memory/1012-155-0x00007FF6752A0000-0x00007FF6755F4000-memory.dmp

memory/4060-156-0x00007FF7D2C30000-0x00007FF7D2F84000-memory.dmp