Malware Analysis Report

2024-10-16 03:10

Sample ID 240609-djf1zacf6x
Target 2024-06-09_012d7d7aba617660dc8fd939a0de7d65_cobalt-strike_cobaltstrike
SHA256 533968da5f70b15825c3d38ac86568d335d754e3ebdfc6d22b3fdc90f72b8416
Tags
miner upx 0 xmrig cobaltstrike backdoor trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

533968da5f70b15825c3d38ac86568d335d754e3ebdfc6d22b3fdc90f72b8416

Threat Level: Known bad

The file 2024-06-09_012d7d7aba617660dc8fd939a0de7d65_cobalt-strike_cobaltstrike was found to be: Known bad.

Malicious Activity Summary

miner upx 0 xmrig cobaltstrike backdoor trojan

Cobalt Strike reflective loader

Xmrig family

XMRig Miner payload

Cobaltstrike

UPX dump on OEP (original entry point)

Detects Reflective DLL injection artifacts

xmrig

Cobaltstrike family

Loads dropped DLL

Executes dropped EXE

UPX packed file

Drops file in Windows directory

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-09 03:02

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike family

cobaltstrike

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Xmrig family

xmrig

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-09 03:02

Reported

2024-06-09 03:05

Platform

win7-20240221-en

Max time kernel

137s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-09_012d7d7aba617660dc8fd939a0de7d65_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_012d7d7aba617660dc8fd939a0de7d65_cobalt-strike_cobaltstrike.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\XFpUjoo.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_012d7d7aba617660dc8fd939a0de7d65_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\EETtwrN.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_012d7d7aba617660dc8fd939a0de7d65_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\qIJzTLK.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_012d7d7aba617660dc8fd939a0de7d65_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\FmmJDvD.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_012d7d7aba617660dc8fd939a0de7d65_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\fUIXESd.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_012d7d7aba617660dc8fd939a0de7d65_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\WoERXDB.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_012d7d7aba617660dc8fd939a0de7d65_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\nVvBHhw.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_012d7d7aba617660dc8fd939a0de7d65_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\rViuXVP.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_012d7d7aba617660dc8fd939a0de7d65_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\GBlFSuj.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_012d7d7aba617660dc8fd939a0de7d65_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\YixCYSX.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_012d7d7aba617660dc8fd939a0de7d65_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\thuGTyu.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_012d7d7aba617660dc8fd939a0de7d65_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\eksiifC.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_012d7d7aba617660dc8fd939a0de7d65_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\FSYHUpz.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_012d7d7aba617660dc8fd939a0de7d65_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ugANaHi.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_012d7d7aba617660dc8fd939a0de7d65_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ekPhrzR.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_012d7d7aba617660dc8fd939a0de7d65_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\SVYoKgI.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_012d7d7aba617660dc8fd939a0de7d65_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\IeTnUhP.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_012d7d7aba617660dc8fd939a0de7d65_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\QRhrYfZ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_012d7d7aba617660dc8fd939a0de7d65_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\GuVABwR.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_012d7d7aba617660dc8fd939a0de7d65_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\isdfGms.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_012d7d7aba617660dc8fd939a0de7d65_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\uGBaVkU.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_012d7d7aba617660dc8fd939a0de7d65_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_012d7d7aba617660dc8fd939a0de7d65_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2056 wrote to memory of 2776 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_012d7d7aba617660dc8fd939a0de7d65_cobalt-strike_cobaltstrike.exe C:\Windows\System\ugANaHi.exe
PID 2056 wrote to memory of 2392 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_012d7d7aba617660dc8fd939a0de7d65_cobalt-strike_cobaltstrike.exe C:\Windows\System\WoERXDB.exe
PID 2056 wrote to memory of 2552 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_012d7d7aba617660dc8fd939a0de7d65_cobalt-strike_cobaltstrike.exe C:\Windows\System\nVvBHhw.exe
PID 2056 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_012d7d7aba617660dc8fd939a0de7d65_cobalt-strike_cobaltstrike.exe C:\Windows\System\ekPhrzR.exe
PID 2056 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_012d7d7aba617660dc8fd939a0de7d65_cobalt-strike_cobaltstrike.exe C:\Windows\System\SVYoKgI.exe
PID 2056 wrote to memory of 2732 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_012d7d7aba617660dc8fd939a0de7d65_cobalt-strike_cobaltstrike.exe C:\Windows\System\rViuXVP.exe
PID 2056 wrote to memory of 2140 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_012d7d7aba617660dc8fd939a0de7d65_cobalt-strike_cobaltstrike.exe C:\Windows\System\XFpUjoo.exe
PID 2056 wrote to memory of 2620 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_012d7d7aba617660dc8fd939a0de7d65_cobalt-strike_cobaltstrike.exe C:\Windows\System\IeTnUhP.exe
PID 2056 wrote to memory of 1948 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_012d7d7aba617660dc8fd939a0de7d65_cobalt-strike_cobaltstrike.exe C:\Windows\System\YixCYSX.exe
PID 2056 wrote to memory of 2468 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_012d7d7aba617660dc8fd939a0de7d65_cobalt-strike_cobaltstrike.exe C:\Windows\System\GBlFSuj.exe
PID 2056 wrote to memory of 2568 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_012d7d7aba617660dc8fd939a0de7d65_cobalt-strike_cobaltstrike.exe C:\Windows\System\thuGTyu.exe
PID 2056 wrote to memory of 2060 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_012d7d7aba617660dc8fd939a0de7d65_cobalt-strike_cobaltstrike.exe C:\Windows\System\qIJzTLK.exe
PID 2056 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_012d7d7aba617660dc8fd939a0de7d65_cobalt-strike_cobaltstrike.exe C:\Windows\System\eksiifC.exe
PID 2056 wrote to memory of 2032 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_012d7d7aba617660dc8fd939a0de7d65_cobalt-strike_cobaltstrike.exe C:\Windows\System\FmmJDvD.exe
PID 2056 wrote to memory of 2536 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_012d7d7aba617660dc8fd939a0de7d65_cobalt-strike_cobaltstrike.exe C:\Windows\System\QRhrYfZ.exe
PID 2056 wrote to memory of 2624 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_012d7d7aba617660dc8fd939a0de7d65_cobalt-strike_cobaltstrike.exe C:\Windows\System\GuVABwR.exe
PID 2056 wrote to memory of 2980 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_012d7d7aba617660dc8fd939a0de7d65_cobalt-strike_cobaltstrike.exe C:\Windows\System\fUIXESd.exe
PID 2056 wrote to memory of 3056 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_012d7d7aba617660dc8fd939a0de7d65_cobalt-strike_cobaltstrike.exe C:\Windows\System\EETtwrN.exe
PID 2056 wrote to memory of 3012 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_012d7d7aba617660dc8fd939a0de7d65_cobalt-strike_cobaltstrike.exe C:\Windows\System\FSYHUpz.exe
PID 2056 wrote to memory of 2180 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_012d7d7aba617660dc8fd939a0de7d65_cobalt-strike_cobaltstrike.exe C:\Windows\System\isdfGms.exe
PID 2056 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_012d7d7aba617660dc8fd939a0de7d65_cobalt-strike_cobaltstrike.exe C:\Windows\System\uGBaVkU.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-09_012d7d7aba617660dc8fd939a0de7d65_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-09_012d7d7aba617660dc8fd939a0de7d65_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\ugANaHi.exe

C:\Windows\System\ugANaHi.exe

C:\Windows\System\WoERXDB.exe

C:\Windows\System\WoERXDB.exe

C:\Windows\System\nVvBHhw.exe

C:\Windows\System\nVvBHhw.exe

C:\Windows\System\ekPhrzR.exe

C:\Windows\System\ekPhrzR.exe

C:\Windows\System\SVYoKgI.exe

C:\Windows\System\SVYoKgI.exe

C:\Windows\System\rViuXVP.exe

C:\Windows\System\rViuXVP.exe

C:\Windows\System\XFpUjoo.exe

C:\Windows\System\XFpUjoo.exe

C:\Windows\System\IeTnUhP.exe

C:\Windows\System\IeTnUhP.exe

C:\Windows\System\YixCYSX.exe

C:\Windows\System\YixCYSX.exe

C:\Windows\System\GBlFSuj.exe

C:\Windows\System\GBlFSuj.exe

C:\Windows\System\thuGTyu.exe

C:\Windows\System\thuGTyu.exe

C:\Windows\System\qIJzTLK.exe

C:\Windows\System\qIJzTLK.exe

C:\Windows\System\eksiifC.exe

C:\Windows\System\eksiifC.exe

C:\Windows\System\FmmJDvD.exe

C:\Windows\System\FmmJDvD.exe

C:\Windows\System\QRhrYfZ.exe

C:\Windows\System\QRhrYfZ.exe

C:\Windows\System\GuVABwR.exe

C:\Windows\System\GuVABwR.exe

C:\Windows\System\fUIXESd.exe

C:\Windows\System\fUIXESd.exe

C:\Windows\System\EETtwrN.exe

C:\Windows\System\EETtwrN.exe

C:\Windows\System\FSYHUpz.exe

C:\Windows\System\FSYHUpz.exe

C:\Windows\System\isdfGms.exe

C:\Windows\System\isdfGms.exe

C:\Windows\System\uGBaVkU.exe

C:\Windows\System\uGBaVkU.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 tcp

Files

C:\Windows\system\ugANaHi.exe

\Windows\system\WoERXDB.exe

\Windows\system\nVvBHhw.exe

\Windows\system\ekPhrzR.exe

\Windows\system\SVYoKgI.exe

C:\Windows\system\rViuXVP.exe

C:\Windows\system\XFpUjoo.exe

C:\Windows\system\IeTnUhP.exe

C:\Windows\system\YixCYSX.exe

C:\Windows\system\GBlFSuj.exe

C:\Windows\system\thuGTyu.exe

C:\Windows\system\qIJzTLK.exe

\Windows\system\FmmJDvD.exe

C:\Windows\system\GuVABwR.exe

C:\Windows\system\isdfGms.exe

C:\Windows\system\uGBaVkU.exe

C:\Windows\system\FSYHUpz.exe

C:\Windows\system\EETtwrN.exe

C:\Windows\system\fUIXESd.exe

C:\Windows\system\QRhrYfZ.exe

C:\Windows\system\eksiifC.exe

memory/2620-140-0x000000013F570000-0x000000013F8C4000-memory.dmp

memory/2568-139-0x000000013FAA0000-0x000000013FDF4000-memory.dmp

memory/2060-142-0x000000013F9C0000-0x000000013FD14000-memory.dmp

memory/2468-141-0x000000013FB60000-0x000000013FEB4000-memory.dmp

memory/2032-143-0x000000013F6B0000-0x000000013FA04000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-09 03:02

Reported

2024-06-09 03:05

Platform

win10v2004-20240508-en

Max time kernel

145s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-09_012d7d7aba617660dc8fd939a0de7d65_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
(21 rows, all N/A: the report exported no description, indicator, process or target for this signature)

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
(21 rows, all N/A: the report exported no description, indicator, process or target for this signature)

UPX dump on OEP (original entry point)

Description Indicator Process Target
(64 rows, all N/A: the report exported no description, indicator, process or target for this signature)

XMRig Miner payload

miner
Description Indicator Process Target
(64 rows, all N/A: the report exported no description, indicator, process or target for this signature)

UPX packed file

upx
Description Indicator Process Target
(64 rows, all N/A: the report exported no description, indicator, process or target for this signature)

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\BmNilDb.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_012d7d7aba617660dc8fd939a0de7d65_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\aSpRErZ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_012d7d7aba617660dc8fd939a0de7d65_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\qiEpzmB.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_012d7d7aba617660dc8fd939a0de7d65_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\rsZMTQQ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_012d7d7aba617660dc8fd939a0de7d65_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\hzroJTS.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_012d7d7aba617660dc8fd939a0de7d65_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\xIUttia.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_012d7d7aba617660dc8fd939a0de7d65_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\iXyRZeq.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_012d7d7aba617660dc8fd939a0de7d65_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\EkArEbC.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_012d7d7aba617660dc8fd939a0de7d65_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\SbDVbyL.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_012d7d7aba617660dc8fd939a0de7d65_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\PtaeGtp.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_012d7d7aba617660dc8fd939a0de7d65_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\lsIuKlo.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_012d7d7aba617660dc8fd939a0de7d65_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\OMegZrA.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_012d7d7aba617660dc8fd939a0de7d65_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\iwVjgGD.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_012d7d7aba617660dc8fd939a0de7d65_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\hqmFTep.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_012d7d7aba617660dc8fd939a0de7d65_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\HpKpTlJ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_012d7d7aba617660dc8fd939a0de7d65_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\wVNGavI.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_012d7d7aba617660dc8fd939a0de7d65_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\xkLJurx.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_012d7d7aba617660dc8fd939a0de7d65_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\atEjRrl.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_012d7d7aba617660dc8fd939a0de7d65_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\PSKFIfM.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_012d7d7aba617660dc8fd939a0de7d65_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\CBxtNQT.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_012d7d7aba617660dc8fd939a0de7d65_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\GzBpVvt.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_012d7d7aba617660dc8fd939a0de7d65_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_012d7d7aba617660dc8fd939a0de7d65_cobalt-strike_cobaltstrike.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_012d7d7aba617660dc8fd939a0de7d65_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1920 wrote to memory of 3980 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_012d7d7aba617660dc8fd939a0de7d65_cobalt-strike_cobaltstrike.exe C:\Windows\System\xIUttia.exe
PID 1920 wrote to memory of 3980 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_012d7d7aba617660dc8fd939a0de7d65_cobalt-strike_cobaltstrike.exe C:\Windows\System\xIUttia.exe
PID 1920 wrote to memory of 2612 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_012d7d7aba617660dc8fd939a0de7d65_cobalt-strike_cobaltstrike.exe C:\Windows\System\iXyRZeq.exe
PID 1920 wrote to memory of 2612 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_012d7d7aba617660dc8fd939a0de7d65_cobalt-strike_cobaltstrike.exe C:\Windows\System\iXyRZeq.exe
PID 1920 wrote to memory of 4452 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_012d7d7aba617660dc8fd939a0de7d65_cobalt-strike_cobaltstrike.exe C:\Windows\System\OMegZrA.exe
PID 1920 wrote to memory of 4452 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_012d7d7aba617660dc8fd939a0de7d65_cobalt-strike_cobaltstrike.exe C:\Windows\System\OMegZrA.exe
PID 1920 wrote to memory of 1832 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_012d7d7aba617660dc8fd939a0de7d65_cobalt-strike_cobaltstrike.exe C:\Windows\System\EkArEbC.exe
PID 1920 wrote to memory of 1832 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_012d7d7aba617660dc8fd939a0de7d65_cobalt-strike_cobaltstrike.exe C:\Windows\System\EkArEbC.exe
PID 1920 wrote to memory of 2948 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_012d7d7aba617660dc8fd939a0de7d65_cobalt-strike_cobaltstrike.exe C:\Windows\System\iwVjgGD.exe
PID 1920 wrote to memory of 2948 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_012d7d7aba617660dc8fd939a0de7d65_cobalt-strike_cobaltstrike.exe C:\Windows\System\iwVjgGD.exe
PID 1920 wrote to memory of 2144 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_012d7d7aba617660dc8fd939a0de7d65_cobalt-strike_cobaltstrike.exe C:\Windows\System\BmNilDb.exe
PID 1920 wrote to memory of 2144 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_012d7d7aba617660dc8fd939a0de7d65_cobalt-strike_cobaltstrike.exe C:\Windows\System\BmNilDb.exe
PID 1920 wrote to memory of 2136 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_012d7d7aba617660dc8fd939a0de7d65_cobalt-strike_cobaltstrike.exe C:\Windows\System\hqmFTep.exe
PID 1920 wrote to memory of 2136 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_012d7d7aba617660dc8fd939a0de7d65_cobalt-strike_cobaltstrike.exe C:\Windows\System\hqmFTep.exe
PID 1920 wrote to memory of 1996 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_012d7d7aba617660dc8fd939a0de7d65_cobalt-strike_cobaltstrike.exe C:\Windows\System\atEjRrl.exe
PID 1920 wrote to memory of 1996 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_012d7d7aba617660dc8fd939a0de7d65_cobalt-strike_cobaltstrike.exe C:\Windows\System\atEjRrl.exe
PID 1920 wrote to memory of 3912 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_012d7d7aba617660dc8fd939a0de7d65_cobalt-strike_cobaltstrike.exe C:\Windows\System\aSpRErZ.exe
PID 1920 wrote to memory of 3912 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_012d7d7aba617660dc8fd939a0de7d65_cobalt-strike_cobaltstrike.exe C:\Windows\System\aSpRErZ.exe
PID 1920 wrote to memory of 1976 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_012d7d7aba617660dc8fd939a0de7d65_cobalt-strike_cobaltstrike.exe C:\Windows\System\SbDVbyL.exe
PID 1920 wrote to memory of 1976 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_012d7d7aba617660dc8fd939a0de7d65_cobalt-strike_cobaltstrike.exe C:\Windows\System\SbDVbyL.exe
PID 1920 wrote to memory of 2140 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_012d7d7aba617660dc8fd939a0de7d65_cobalt-strike_cobaltstrike.exe C:\Windows\System\PtaeGtp.exe
PID 1920 wrote to memory of 2140 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_012d7d7aba617660dc8fd939a0de7d65_cobalt-strike_cobaltstrike.exe C:\Windows\System\PtaeGtp.exe
PID 1920 wrote to memory of 3264 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_012d7d7aba617660dc8fd939a0de7d65_cobalt-strike_cobaltstrike.exe C:\Windows\System\qiEpzmB.exe
PID 1920 wrote to memory of 3264 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_012d7d7aba617660dc8fd939a0de7d65_cobalt-strike_cobaltstrike.exe C:\Windows\System\qiEpzmB.exe
PID 1920 wrote to memory of 760 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_012d7d7aba617660dc8fd939a0de7d65_cobalt-strike_cobaltstrike.exe C:\Windows\System\lsIuKlo.exe
PID 1920 wrote to memory of 760 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_012d7d7aba617660dc8fd939a0de7d65_cobalt-strike_cobaltstrike.exe C:\Windows\System\lsIuKlo.exe
PID 1920 wrote to memory of 3136 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_012d7d7aba617660dc8fd939a0de7d65_cobalt-strike_cobaltstrike.exe C:\Windows\System\hzroJTS.exe
PID 1920 wrote to memory of 3136 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_012d7d7aba617660dc8fd939a0de7d65_cobalt-strike_cobaltstrike.exe C:\Windows\System\hzroJTS.exe
PID 1920 wrote to memory of 4188 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_012d7d7aba617660dc8fd939a0de7d65_cobalt-strike_cobaltstrike.exe C:\Windows\System\HpKpTlJ.exe
PID 1920 wrote to memory of 4188 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_012d7d7aba617660dc8fd939a0de7d65_cobalt-strike_cobaltstrike.exe C:\Windows\System\HpKpTlJ.exe
PID 1920 wrote to memory of 3600 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_012d7d7aba617660dc8fd939a0de7d65_cobalt-strike_cobaltstrike.exe C:\Windows\System\PSKFIfM.exe
PID 1920 wrote to memory of 3600 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_012d7d7aba617660dc8fd939a0de7d65_cobalt-strike_cobaltstrike.exe C:\Windows\System\PSKFIfM.exe
PID 1920 wrote to memory of 2172 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_012d7d7aba617660dc8fd939a0de7d65_cobalt-strike_cobaltstrike.exe C:\Windows\System\wVNGavI.exe
PID 1920 wrote to memory of 2172 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_012d7d7aba617660dc8fd939a0de7d65_cobalt-strike_cobaltstrike.exe C:\Windows\System\wVNGavI.exe
PID 1920 wrote to memory of 1592 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_012d7d7aba617660dc8fd939a0de7d65_cobalt-strike_cobaltstrike.exe C:\Windows\System\CBxtNQT.exe
PID 1920 wrote to memory of 1592 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_012d7d7aba617660dc8fd939a0de7d65_cobalt-strike_cobaltstrike.exe C:\Windows\System\CBxtNQT.exe
PID 1920 wrote to memory of 1560 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_012d7d7aba617660dc8fd939a0de7d65_cobalt-strike_cobaltstrike.exe C:\Windows\System\rsZMTQQ.exe
PID 1920 wrote to memory of 1560 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_012d7d7aba617660dc8fd939a0de7d65_cobalt-strike_cobaltstrike.exe C:\Windows\System\rsZMTQQ.exe
PID 1920 wrote to memory of 3788 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_012d7d7aba617660dc8fd939a0de7d65_cobalt-strike_cobaltstrike.exe C:\Windows\System\xkLJurx.exe
PID 1920 wrote to memory of 3788 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_012d7d7aba617660dc8fd939a0de7d65_cobalt-strike_cobaltstrike.exe C:\Windows\System\xkLJurx.exe
PID 1920 wrote to memory of 2220 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_012d7d7aba617660dc8fd939a0de7d65_cobalt-strike_cobaltstrike.exe C:\Windows\System\GzBpVvt.exe
PID 1920 wrote to memory of 2220 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_012d7d7aba617660dc8fd939a0de7d65_cobalt-strike_cobaltstrike.exe C:\Windows\System\GzBpVvt.exe
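The three tables above (Drops file in Windows directory, Suspicious use of AdjustPrivilegeToken, Suspicious use of WriteProcessMemory) are the behavioural core of this detonation: one parent (PID 1920) drops 21 executables with seven-letter mixed-case names into C:\Windows\System, then writes into the memory of each of them after starting it. The privilege it enables, SeLockMemoryPrivilege, is what a process needs to allocate large pages, and XMRig requests exactly that for its RandomX hash tables. The script below is an added example, not part of the sandbox report or of any vendor's tooling; it parses the row formats shown above and reconstructs the dropper-to-child relationships. ROWS is a constructed subset of the page's rows, and the regexes assume the whitespace-separated layout seen here rather than a documented export format.

```python
"""Triage of the behavioral2 signature rows on this page.

Added example; it is not part of the sandbox report or of any vendor's code.
It parses the three row formats the report uses ("File created ...",
"Token: ...", "PID X wrote to memory of Y ...") and reconstructs who dropped
what and who wrote into whom. ROWS is a constructed subset of the rows shown
above; the regexes are an assumption about the report's whitespace-separated
export, not a documented format.
"""
import re
from collections import defaultdict

SAMPLE = ("C:\\Users\\Admin\\AppData\\Local\\Temp\\"
          "2024-06-09_012d7d7aba617660dc8fd939a0de7d65_cobalt-strike_cobaltstrike.exe")
SYS = "C:\\Windows\\System\\"

# Constructed subset of the report's rows (the full tables are on the page).
ROWS = [
    f"File created {SYS}BmNilDb.exe {SAMPLE} N/A",
    f"File created {SYS}xIUttia.exe {SAMPLE} N/A",
    f"File created {SYS}iXyRZeq.exe {SAMPLE} N/A",
    f"Token: SeLockMemoryPrivilege N/A {SAMPLE} N/A",
    f"Token: SeLockMemoryPrivilege N/A {SAMPLE} N/A",
    f"PID 1920 wrote to memory of 3980 N/A {SAMPLE} {SYS}xIUttia.exe",
    f"PID 1920 wrote to memory of 3980 N/A {SAMPLE} {SYS}xIUttia.exe",
    f"PID 1920 wrote to memory of 2612 N/A {SAMPLE} {SYS}iXyRZeq.exe",
    f"PID 1920 wrote to memory of 2144 N/A {SAMPLE} {SYS}BmNilDb.exe",
]

FILE_RE = re.compile(r"^File created (\S+) (\S+) N/A$")
TOKEN_RE = re.compile(r"^Token: (\w+) N/A (\S+) N/A$")
WPM_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)$")
# Naming pattern of every drop on the page: seven letters, mixed case, in C:\Windows\System.
DROP_NAME_RE = re.compile(r"^C:\\Windows\\System\\[A-Za-z]{7}\.exe$", re.IGNORECASE)


def parse(rows):
    """Split report rows into (creator, path), (process, privilege) and
    (parent pid, child pid, parent image, child image) tuples."""
    drops, tokens, writes = [], [], []
    for row in rows:
        if m := FILE_RE.match(row):
            drops.append((m.group(2), m.group(1)))
        elif m := TOKEN_RE.match(row):
            tokens.append((m.group(2), m.group(1)))
        elif m := WPM_RE.match(row):
            writes.append((int(m.group(1)), int(m.group(2)), m.group(3), m.group(4)))
    return drops, tokens, writes


def triage(rows):
    """Derive the facts an analyst wants from the raw rows."""
    drops, tokens, writes = parse(rows)
    dropped = {path for _, path in drops}
    targets = {target for _, _, _, target in writes}
    children = defaultdict(set)           # parent pid -> {(child pid, child image)}
    for ppid, cpid, _, target in writes:  # duplicate rows collapse in the set
        children[ppid].add((cpid, target))
    return {
        "dropped": sorted(dropped),
        "drop_names_match_pattern": all(DROP_NAME_RE.match(p) for p in dropped),
        # Every process the parent wrote into is one of its own fresh drops.
        "writes_only_into_own_drops": targets <= dropped,
        "children_written_per_parent": {p: len(c) for p, c in children.items()},
        # SeLockMemoryPrivilege is what large-page allocation needs; XMRig asks for it.
        "requests_lock_memory": any(t == "SeLockMemoryPrivilege" for _, t in tokens),
    }


if __name__ == "__main__":
    for key, value in triage(ROWS).items():
        print(f"{key}: {value}")
```

Run against the full tables, the parent maps to all 21 children and every write target is one of the files it dropped, so a hunting rule keyed on "process creates an executable under C:\Windows\System and then calls WriteProcessMemory on the child it spawned from it" captures the whole fan-out with one parent event rather than 21 file hashes.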

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-09_012d7d7aba617660dc8fd939a0de7d65_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-09_012d7d7aba617660dc8fd939a0de7d65_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\xIUttia.exe

C:\Windows\System\xIUttia.exe

C:\Windows\System\iXyRZeq.exe

C:\Windows\System\iXyRZeq.exe

C:\Windows\System\OMegZrA.exe

C:\Windows\System\OMegZrA.exe

C:\Windows\System\EkArEbC.exe

C:\Windows\System\EkArEbC.exe

C:\Windows\System\iwVjgGD.exe

C:\Windows\System\iwVjgGD.exe

C:\Windows\System\BmNilDb.exe

C:\Windows\System\BmNilDb.exe

C:\Windows\System\hqmFTep.exe

C:\Windows\System\hqmFTep.exe

C:\Windows\System\atEjRrl.exe

C:\Windows\System\atEjRrl.exe

C:\Windows\System\aSpRErZ.exe

C:\Windows\System\aSpRErZ.exe

C:\Windows\System\SbDVbyL.exe

C:\Windows\System\SbDVbyL.exe

C:\Windows\System\PtaeGtp.exe

C:\Windows\System\PtaeGtp.exe

C:\Windows\System\qiEpzmB.exe

C:\Windows\System\qiEpzmB.exe

C:\Windows\System\lsIuKlo.exe

C:\Windows\System\lsIuKlo.exe

C:\Windows\System\hzroJTS.exe

C:\Windows\System\hzroJTS.exe

C:\Windows\System\HpKpTlJ.exe

C:\Windows\System\HpKpTlJ.exe

C:\Windows\System\PSKFIfM.exe

C:\Windows\System\PSKFIfM.exe

C:\Windows\System\wVNGavI.exe

C:\Windows\System\wVNGavI.exe

C:\Windows\System\CBxtNQT.exe

C:\Windows\System\CBxtNQT.exe

C:\Windows\System\rsZMTQQ.exe

C:\Windows\System\rsZMTQQ.exe

C:\Windows\System\xkLJurx.exe

C:\Windows\System\xkLJurx.exe

C:\Windows\System\GzBpVvt.exe

C:\Windows\System\GzBpVvt.exe

Network

Country  Destination         Domain (DNS query name; - = direct connection)  Proto
US       8.8.8.8:53          13.86.106.20.in-addr.arpa                       udp
US       8.8.8.8:53          172.210.232.199.in-addr.arpa                    udp
DE       3.120.209.58:8080   -                                               tcp
US       8.8.8.8:53          75.159.190.20.in-addr.arpa                      udp
US       8.8.8.8:53          196.249.167.52.in-addr.arpa                     udp
US       8.8.8.8:53          198.187.3.20.in-addr.arpa                       udp
US       8.8.8.8:53          103.169.127.40.in-addr.arpa                     udp
DE       3.120.209.58:8080   -                                               tcp
US       8.8.8.8:53          240.221.184.93.in-addr.arpa                     udp
DE       3.120.209.58:8080   -                                               tcp
US       52.111.227.14:443   -                                               tcp
DE       3.120.209.58:8080   -                                               tcp
US       8.8.8.8:53          13.227.111.52.in-addr.arpa                      udp
DE       3.120.209.58:8080   -                                               tcp
DE       3.120.209.58:8080   -                                               tcp

The in-addr.arpa rows are reverse (PTR) lookups sent to Google Public DNS; the report records no forward lookups. The only repeated direct connection is 3.120.209.58:8080 over TCP (six attempts, no hostname and no payload recorded), plus a single TCP connection to 52.111.227.14:443. The report does not attribute either endpoint, so treat them as leads to pivot on rather than as confirmed command-and-control or mining-pool addresses.

Files

memory/1920-0-0x00007FF6F1480000-0x00007FF6F17D4000-memory.dmp

memory/1920-1-0x000001E6F3940000-0x000001E6F3950000-memory.dmp

C:\Windows\System\xIUttia.exe

MD5 15971c3a967e8175aba8f4fc79a53f8b
SHA1 52295ffb22935781547d01b1e8dd37c661ab0c87
SHA256 e50f3e6c8cb686460a57dbc94f8a2f729b6b5acbb6e063cfdfc615c63c9624cd
SHA512 a9eb7aa1c5b998fdac8c031e039041c3f1200322af1a41c69bd310032c70e9df083b9f7742e61d018c4941668b93d89ef36e5e40b873dc02cce8c361ccc771f8

memory/3980-8-0x00007FF66AB60000-0x00007FF66AEB4000-memory.dmp

C:\Windows\System\OMegZrA.exe

MD5 0b19319807c8f302fff7624796b1aa0f
SHA1 3d8a1f0f3f34bd03baeac3cd584dbf9b18cef349
SHA256 be8009faa4467007e048c6fc7693d7a0648bd9f1b1209eea9fabd490a45f7b86
SHA512 9a919c687dfe283ae218a5d984663788d54f85cdf7ac034b79126e3ec40a24524f3b8ae11b459e70b7eb2351a4c8aeaedf2e9c9e1ac00c1362810a715025d23b

C:\Windows\System\iXyRZeq.exe

MD5 bd5652bea0be3209dafd1c0b22ddf9b1
SHA1 ae0bcf70fb4717d4fedd04e209da426cf575a6ba
SHA256 bda287214cf31f94c63abef3b62b81da6a132ea6a43f5e29aa35c6033d06fe86
SHA512 65ff9451ada555ddb2e7aedc2b14fc4404052049402b7f232078ad85541715a3b46de096e66e6ca078f87ad58b913d2f86e48377d327bc92771be7a5d68dfa85

memory/2612-12-0x00007FF6E0CB0000-0x00007FF6E1004000-memory.dmp

memory/4452-20-0x00007FF7754D0000-0x00007FF775824000-memory.dmp

C:\Windows\System\EkArEbC.exe

MD5 6acdb7f94dd7a35d392ffec3a4e773c3
SHA1 da28ded8d12a97b56b93292a78e5c8adfeb940f8
SHA256 3f3b239882ee88da34b691d762588437598ef6b055529a8da31ff69f3164704a
SHA512 5d44d22d39968eff68901dc28d451959b91d4bcc791f742ee229a0a2e9f8b09de784fdbd2e2937fe2e6ad7f33c090156d9d624546d0a72bc61a2050ec3dc193a

memory/1832-24-0x00007FF706550000-0x00007FF7068A4000-memory.dmp

C:\Windows\System\BmNilDb.exe

MD5 076d6d7c34d78cfa42c351c6aa5bdf0a
SHA1 044af3e8604e91738eb2cd8354446e041d9c854b
SHA256 c5fcf08c8e5986fd951ac5d6f1919b178d53c3679bc62e32469bbe3881fd2965
SHA512 be7c5cd4ad9438a3455bcbeb40470b8794519838dd07db35d86dc8360dcfee0e713c3ffaa90e0e3fcb770ed689c3257fbf677bb03568734a1c5b1d60b64d1d3f

C:\Windows\System\iwVjgGD.exe

MD5 247d69728a81c5b36ffd3638fa17dc34
SHA1 ef6b982b1137176448c64d0a74a9cddfc571ecf8
SHA256 5d94deb6bf7e26a0816d4e3bc3a5320331c9d6511cc3f341cfbf00716f93f0b2
SHA512 9ae7c53d2111c1c8bcbe6f522fb70d04f1b920b53caadaf08667b2614524ae0e781a42e36b55959c2e7cb4b1981ba1ff762bc42e0f325b14370bb791162a56aa

C:\Windows\System\hqmFTep.exe

MD5 add223615610735f034e7b872db43230
SHA1 0b01f2618702020a614d5d5d6e2a193f75fcaee5
SHA256 dbc4990a617b6220792c4248837520cb70099724d013ae28b0160d87301d209d
SHA512 3caedcbfce6a7d06338d339351be3711b537940443006352c253c46db5f4e146a9c702ec339e4d77c0054439b6f7e4f0bfd5a7356f4a6a249ead0d337f9e15a2

C:\Windows\System\atEjRrl.exe

MD5 fbdab45f2c133e9cf4527033966f6591
SHA1 21c02928ccf114ebcef118882cecf6518286e393
SHA256 b37df4e22fa8c2915840d7f101a1c75f4e56e4eb1f53e4859b47f91197e963ea
SHA512 52541dfcd3efd0d3c13d6cfd85f047def6158576f53eef0e58364a787b97f226e2c30d52bd409ce3b876173bd08818b52c27955bd28d915710d4379aa78f1ff1

C:\Windows\System\aSpRErZ.exe

MD5 a25f03c5ca806657f204038e66c6faf0
SHA1 424b9d1c673888c3a9d3edb4bac2ca26312cf0a7
SHA256 777bf7fdad74b5487995d69136f04073e859a0efb17eaa70f5723761df49bcdf
SHA512 044bfffc3cff2e3cfefd42df605294bd33f7ee07f759635b9334df6419ee896f15982c20b4672a59de3c7d0a9eebf003406edcb1833d88c6ef5a7978406e4414

C:\Windows\System\SbDVbyL.exe

MD5 ea243355682d00abaa75aa5faee76428
SHA1 2ce35d89a7515429990400e84c970c33c5002e6c
SHA256 d6b2f340d8eccd57fa9d68e86ad580863e98c7e566e77d1a1e960f3d89fb2052
SHA512 6569ad89f52da3931119cf80b911528fb57fea8e2f7afcf8adc6c67227655d045ac5529b66863a3bb6ccf074afff9450b97102c1883e19ccf30238ced9e61f44

C:\Windows\System\PtaeGtp.exe

MD5 bc951d066d7e8f95d61adffd30336c33
SHA1 36782bf83a3fd9575ce65fc5c3fe06588a2737a4
SHA256 cba3968228a17274f45f2577aa87ce372b12fda31ed47eafe7b47b8cd8fe9cd1
SHA512 d643a879fecdaaf735398e372e806c8e6244b2b3de8e4ee895b11afbb62fe5ffd2e332c07a08a6dbfa2f167f5728a7cb38c9871c62491bd4917237eeac86dc01

memory/3912-62-0x00007FF790CB0000-0x00007FF791004000-memory.dmp

C:\Windows\System\qiEpzmB.exe

MD5 ec2cdac2d28aac477b92f59cfda95f8a
SHA1 d2e0980b7c603dd0e302744c8b4b23224882a4c8
SHA256 1e23d2cc5c9b29fe28e60b3da1e6e0a8f051d405557bc13518ba78b16fa1f872
SHA512 785714f79f08efe90e8a9467788141db4e8280a10951cadac3615255f9875c08aeb59f22853b7dd9b08a6bdceb06b79babb7aa086d58a6e4abaa7106fdd1c885

memory/3264-71-0x00007FF7FC6D0000-0x00007FF7FCA24000-memory.dmp

C:\Windows\System\lsIuKlo.exe

MD5 a683e2890d3d8dc385360c5ead12c5de
SHA1 9106d5ff524ba0cb89f2160a3387eeaaa2dde4b8
SHA256 9a4423f9584fb7e64cc4db5ee51ad9e4a9cce3c0d7a096a64cc662acbd7c55e6
SHA512 f1f7504d6f69420d9e68b212d1d6b5f49002cab12c5595ca2b350d6097a1ab086005a1e0bd64c570a14cbc12c439a04fc4c52a63f06008d32dd92596fb00cc3e

C:\Windows\System\CBxtNQT.exe

MD5 e06730c8a600ab7aa915e9975e600a7b
SHA1 b15b3e64a25fe283c8c0959665c948e05694aaf9
SHA256 4c76ef9292a970dee241182402102457e26ca1ae7d60825dce1ee2a5b31ce584
SHA512 8260537b9e7ac43ec39fd0cfd40cf8ee4cdf048f7963927d413586b0a5191774668f30ef0242bc52e724015c2672c753ce8ff7648f6c6e8721180e2cf8c09874

C:\Windows\System\GzBpVvt.exe

MD5 173a4d0df9e365310a2f2f232c34afe4
SHA1 4301c6add570b5a6ae80b876cc1a838364705b2c
SHA256 b178805e8b4ee5ecb12b6ac655d46d538494d1149934b2ab599e7d140330f829
SHA512 dc80b2cba61b8ff6a25bc3899b8e1f8630373534e97afc2f795cee178180d5762f76ca3e22f744f6023e53dba2b06d56cc4b7e0b198eecd9d56c6d7d3bf2593a

C:\Windows\System\xkLJurx.exe

MD5 2bac9d52ad7378bce41051af48afb70d
SHA1 576487c580ec2b9c826e28527f87fcc0713acd40
SHA256 413908d0076fcf04189df16092e07bf0fe9e0aa1d70ba653921dec312720933b
SHA512 3c800d8a5e28137ae7bc854b698af75ddce4f7d668401e22f2266797274d88541f6f921db4179dd2a4cd5d544af13e87e6cf87aa5b524009fe7f0cfe1a40e43e

C:\Windows\System\rsZMTQQ.exe

MD5 a42ae5c26492287bf9244335554e18d9
SHA1 d7088eb21c7c2858dbe2d23272cfddd288370bf6
SHA256 a51c2b5682da955f11d5a38eb4cea43948121dd2472b0ac52bc71e5fb177263b
SHA512 b97d6aefb228056b147377f08aa4bb0aa4acf8b9f353d57c29963cebf83734801a0087485f8f936f9dce08df357a87b3d726439b160a5ba96975287282cae847

C:\Windows\System\wVNGavI.exe

MD5 221f66433ed60584cc07a7daa1d537ab
SHA1 8ea0cae839add18a33a884a8cfa50dbbc29eb1d9
SHA256 3fb70b186cd0d79c978470641bdcb67b2594566c850684c3ea464c5f8e0818a6
SHA512 087747290829f21a8e9527c239045c25c79297d0765093d5ffae18fc67a313bfe244c71c6f74d4260627df3ecf397123da98990b7d8c4540f84df4d24b66cd68

C:\Windows\System\PSKFIfM.exe

MD5 e3a60e0aebb2ccde299c1760f6e79f92
SHA1 bf62c7d1665ad22bb0cace14a7ac9cb55035bb2b
SHA256 29a2ff4a3be94cdfdc79f86470828bc55efb649fc7198495e6a5737a0897af52
SHA512 d7ed48073ad567326b6f48a90d929ac852254680233660cfdd5af0723d6ae72ace2a965d6fc03b3a2a9f3eb4274f7371f22f68c9f6196160d6c49f1e2cb4c5bb

C:\Windows\System\HpKpTlJ.exe

MD5 82cb98afec5ddbf7866e220748323b26
SHA1 0052626241510dada42a446fdfb8ee81825cdc7b
SHA256 9ef5d0deea73bdf3aa72ab953727bbacdd763ae2a9315e539c6716894de5e855
SHA512 682ca2f3b89777d90a74e32d8cfd7b62f7f7851eb32fafc7d173bdec9e652dbd01fb311ec26ce61ec23e391d160854b7a5e4c763cf0bc637419aa9e39faae3ca

C:\Windows\System\hzroJTS.exe

MD5 feb30dc6597f3cb193f7d3e94b853a02
SHA1 f884be67c293357db477c2352d25dd3f9aedb3d5
SHA256 d5d60c4bb2406a9326dcbf3bcc84a96edd372ba76d722d7832d8137c8ccfdfae
SHA512 8d0d7be84024cf9630a075e3fc5c0c7372d7d36812f4611ea73c21f99c99b5961bfa6d6eac16b070cf84f3cbed94b57947f27b93c80f47af994e113e2e6e81de

memory/2140-68-0x00007FF7D9440000-0x00007FF7D9794000-memory.dmp

memory/1976-64-0x00007FF7376C0000-0x00007FF737A14000-memory.dmp

memory/1996-60-0x00007FF6BDF10000-0x00007FF6BE264000-memory.dmp

memory/2136-39-0x00007FF6FD090000-0x00007FF6FD3E4000-memory.dmp

memory/2948-36-0x00007FF7AE9D0000-0x00007FF7AED24000-memory.dmp

memory/2144-30-0x00007FF6AEFC0000-0x00007FF6AF314000-memory.dmp

memory/1920-119-0x00007FF6F1480000-0x00007FF6F17D4000-memory.dmp

memory/760-120-0x00007FF775400000-0x00007FF775754000-memory.dmp

memory/3600-123-0x00007FF642D10000-0x00007FF643064000-memory.dmp

memory/2172-124-0x00007FF7FCC90000-0x00007FF7FCFE4000-memory.dmp

memory/1592-125-0x00007FF680C80000-0x00007FF680FD4000-memory.dmp

memory/4188-122-0x00007FF60D320000-0x00007FF60D674000-memory.dmp

memory/1560-126-0x00007FF6609B0000-0x00007FF660D04000-memory.dmp

memory/3136-121-0x00007FF6BAF30000-0x00007FF6BB284000-memory.dmp

memory/3788-127-0x00007FF6DE990000-0x00007FF6DECE4000-memory.dmp

memory/2220-128-0x00007FF6CA7C0000-0x00007FF6CAB14000-memory.dmp

memory/3980-129-0x00007FF66AB60000-0x00007FF66AEB4000-memory.dmp

memory/2612-130-0x00007FF6E0CB0000-0x00007FF6E1004000-memory.dmp

memory/1832-131-0x00007FF706550000-0x00007FF7068A4000-memory.dmp

memory/2144-132-0x00007FF6AEFC0000-0x00007FF6AF314000-memory.dmp

memory/2948-133-0x00007FF7AE9D0000-0x00007FF7AED24000-memory.dmp

memory/2136-134-0x00007FF6FD090000-0x00007FF6FD3E4000-memory.dmp

memory/2140-135-0x00007FF7D9440000-0x00007FF7D9794000-memory.dmp

memory/1976-136-0x00007FF7376C0000-0x00007FF737A14000-memory.dmp

memory/3264-137-0x00007FF7FC6D0000-0x00007FF7FCA24000-memory.dmp

memory/3980-138-0x00007FF66AB60000-0x00007FF66AEB4000-memory.dmp

memory/2612-139-0x00007FF6E0CB0000-0x00007FF6E1004000-memory.dmp

memory/4452-140-0x00007FF7754D0000-0x00007FF775824000-memory.dmp

memory/1832-141-0x00007FF706550000-0x00007FF7068A4000-memory.dmp

memory/2144-142-0x00007FF6AEFC0000-0x00007FF6AF314000-memory.dmp

memory/2136-143-0x00007FF6FD090000-0x00007FF6FD3E4000-memory.dmp

memory/2948-144-0x00007FF7AE9D0000-0x00007FF7AED24000-memory.dmp

memory/1996-145-0x00007FF6BDF10000-0x00007FF6BE264000-memory.dmp

memory/3912-146-0x00007FF790CB0000-0x00007FF791004000-memory.dmp

memory/2140-147-0x00007FF7D9440000-0x00007FF7D9794000-memory.dmp

memory/3264-148-0x00007FF7FC6D0000-0x00007FF7FCA24000-memory.dmp

memory/1976-149-0x00007FF7376C0000-0x00007FF737A14000-memory.dmp

memory/760-150-0x00007FF775400000-0x00007FF775754000-memory.dmp

memory/3136-151-0x00007FF6BAF30000-0x00007FF6BB284000-memory.dmp

memory/4188-152-0x00007FF60D320000-0x00007FF60D674000-memory.dmp

memory/3600-153-0x00007FF642D10000-0x00007FF643064000-memory.dmp

memory/2172-154-0x00007FF7FCC90000-0x00007FF7FCFE4000-memory.dmp

memory/1592-155-0x00007FF680C80000-0x00007FF680FD4000-memory.dmp

memory/1560-157-0x00007FF6609B0000-0x00007FF660D04000-memory.dmp

memory/2220-158-0x00007FF6CA7C0000-0x00007FF6CAB14000-memory.dmp

memory/3788-156-0x00007FF6DE990000-0x00007FF6DECE4000-memory.dmp
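The dump names in this Files section encode a process ID, a sequence number and the start and end address of the dumped region. Subtracting the addresses shows that every dropped child, and the parent's own main image, maps a region of exactly 0x354000 bytes (3,489,792), the same size seen for the 32-bit-range addresses in the behavioral1 list above; only the parent's second region (0x10000) differs. At the same time every file on disk carries a different MD5, SHA1 and SHA256. The script below is an added example, not part of the sandbox report or of any vendor's tooling; it parses the dump names and checks hash distinctness. DUMPS and MD5S are constructed subsets copied from this page, and the naming convention memory/<pid>-<seq>-<start>-<end>-memory.dmp is inferred from the entries shown rather than taken from a documented format.

```python
"""Correlating the Files section of this report: mapped region sizes against
on-disk hashes.

Added example; not part of the sandbox report or of any vendor's tooling.
The dump names and MD5s are a constructed subset copied from the page. The
naming convention memory/<pid>-<seq>-<start>-<end>-memory.dmp is inferred
from the entries shown, not taken from a documented format.
"""
import re
from collections import Counter

DUMP_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")

# Constructed subset: the parent's two regions plus three dropped children.
DUMPS = [
    "memory/1920-0-0x00007FF6F1480000-0x00007FF6F17D4000-memory.dmp",
    "memory/1920-1-0x000001E6F3940000-0x000001E6F3950000-memory.dmp",
    "memory/3980-8-0x00007FF66AB60000-0x00007FF66AEB4000-memory.dmp",
    "memory/2612-12-0x00007FF6E0CB0000-0x00007FF6E1004000-memory.dmp",
    "memory/4452-20-0x00007FF7754D0000-0x00007FF775824000-memory.dmp",
]

# Constructed subset of the on-disk hashes listed above (MD5 only, for brevity).
MD5S = {
    r"C:\Windows\System\xIUttia.exe": "15971c3a967e8175aba8f4fc79a53f8b",
    r"C:\Windows\System\iXyRZeq.exe": "bd5652bea0be3209dafd1c0b22ddf9b1",
    r"C:\Windows\System\OMegZrA.exe": "0b19319807c8f302fff7624796b1aa0f",
    r"C:\Windows\System\EkArEbC.exe": "6acdb7f94dd7a35d392ffec3a4e773c3",
    r"C:\Windows\System\BmNilDb.exe": "076d6d7c34d78cfa42c351c6aa5bdf0a",
}


def parse_dump(name):
    """Return (pid, seq, start, size) for one dump file name."""
    m = DUMP_RE.match(name)
    if not m:
        raise ValueError(f"unrecognised dump name: {name}")
    pid, seq, start, end = int(m[1]), int(m[2]), int(m[3], 16), int(m[4], 16)
    return pid, seq, start, end - start


def size_histogram(dumps):
    """How many dumped regions share each size, across all processes."""
    return Counter(parse_dump(d)[3] for d in dumps)


def pids_mapping_size(dumps, size):
    """Processes that map a region of exactly `size` bytes."""
    return sorted({parse_dump(d)[0] for d in dumps if parse_dump(d)[3] == size})


def all_hashes_distinct(md5s):
    """True when no two dropped files share an MD5."""
    return len(set(md5s.values())) == len(md5s)


if __name__ == "__main__":
    hist = size_histogram(DUMPS)
    common, n = hist.most_common(1)[0]
    print(f"most common region size: {common:#x} ({common} bytes) in {n} dumps")
    print("pids mapping it:", pids_mapping_size(DUMPS, common))
    print("all on-disk MD5s distinct:", all_hashes_distinct(MD5S))
```

The practical consequence: a hash denylist built from this one detonation needs 21 entries and still describes only these files, whereas the constant 0x354000 mapped region, the seven-letter name pattern under C:\Windows\System, the parent writing into every child it dropped, and the SeLockMemoryPrivilege request are the features that hold across the whole fan-out and are the better basis for a detection.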