Malware Analysis Report

2025-04-19 15:14

Sample ID 240522-zp6z8sgc4v
Target 2024-05-22_5b6b0168a9149690585949c2dbd9d340_cobalt-strike_cobaltstrike
SHA256 0e91816f751514c1baefb68f7ec4e3725a05b11401783ef906ea48561c00c343
Tags
upx 0 miner cobaltstrike xmrig backdoor trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

0e91816f751514c1baefb68f7ec4e3725a05b11401783ef906ea48561c00c343

Threat Level: Known bad

The file 2024-05-22_5b6b0168a9149690585949c2dbd9d340_cobalt-strike_cobaltstrike was found to be: Known bad.

Malicious Activity Summary

Cobaltstrike family

XMRig Miner payload

Xmrig family

Detects Reflective DLL injection artifacts

Cobalt Strike reflective loader

xmrig

Cobaltstrike

UPX dump on OEP (original entry point)

UPX packed file

Executes dropped EXE

Loads dropped DLL

Drops file in Windows directory

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-05-22 20:54

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike family

cobaltstrike

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Xmrig family

xmrig

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A (2 hits, no indicator details recorded)

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-22 20:54

Reported

2024-05-22 20:57

Platform

win7-20231129-en

Max time kernel

140s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-05-22_5b6b0168a9149690585949c2dbd9d340_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A (21 hits, no indicator details recorded)

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A (21 hits, no indicator details recorded)

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A (64 hits, no indicator details recorded)

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A (41 hits, no indicator details recorded)

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_5b6b0168a9149690585949c2dbd9d340_cobalt-strike_cobaltstrike.exe N/A
(21 identical events: the same parent process loaded dropped DLLs; no indicator details recorded)

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A (64 hits, no indicator details recorded)

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\uyYWBCz.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_5b6b0168a9149690585949c2dbd9d340_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\sTfvfsS.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_5b6b0168a9149690585949c2dbd9d340_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\lLOsSeo.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_5b6b0168a9149690585949c2dbd9d340_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ChDqjQS.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_5b6b0168a9149690585949c2dbd9d340_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\HenOThx.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_5b6b0168a9149690585949c2dbd9d340_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ftIKnpE.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_5b6b0168a9149690585949c2dbd9d340_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\DIiTYmr.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_5b6b0168a9149690585949c2dbd9d340_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\DllqyYJ.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_5b6b0168a9149690585949c2dbd9d340_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\pxAnStU.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_5b6b0168a9149690585949c2dbd9d340_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\RGvvKto.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_5b6b0168a9149690585949c2dbd9d340_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\pQuiNyA.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_5b6b0168a9149690585949c2dbd9d340_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\gmirPeK.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_5b6b0168a9149690585949c2dbd9d340_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\pNBBNxC.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_5b6b0168a9149690585949c2dbd9d340_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\HfYHrvL.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_5b6b0168a9149690585949c2dbd9d340_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\gLgKYlF.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_5b6b0168a9149690585949c2dbd9d340_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\TtzMnyk.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_5b6b0168a9149690585949c2dbd9d340_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\hNJiGEr.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_5b6b0168a9149690585949c2dbd9d340_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\VfqGyoU.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_5b6b0168a9149690585949c2dbd9d340_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\JSnEzBM.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_5b6b0168a9149690585949c2dbd9d340_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\nGVaQNq.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_5b6b0168a9149690585949c2dbd9d340_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\FwOuhNO.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_5b6b0168a9149690585949c2dbd9d340_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_5b6b0168a9149690585949c2dbd9d340_cobalt-strike_cobaltstrike.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_5b6b0168a9149690585949c2dbd9d340_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2884 wrote to memory of 2988 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_5b6b0168a9149690585949c2dbd9d340_cobalt-strike_cobaltstrike.exe C:\Windows\System\DllqyYJ.exe
PID 2884 wrote to memory of 2988 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_5b6b0168a9149690585949c2dbd9d340_cobalt-strike_cobaltstrike.exe C:\Windows\System\DllqyYJ.exe
PID 2884 wrote to memory of 2988 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_5b6b0168a9149690585949c2dbd9d340_cobalt-strike_cobaltstrike.exe C:\Windows\System\DllqyYJ.exe
PID 2884 wrote to memory of 2824 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_5b6b0168a9149690585949c2dbd9d340_cobalt-strike_cobaltstrike.exe C:\Windows\System\pNBBNxC.exe
PID 2884 wrote to memory of 2824 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_5b6b0168a9149690585949c2dbd9d340_cobalt-strike_cobaltstrike.exe C:\Windows\System\pNBBNxC.exe
PID 2884 wrote to memory of 2824 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_5b6b0168a9149690585949c2dbd9d340_cobalt-strike_cobaltstrike.exe C:\Windows\System\pNBBNxC.exe
PID 2884 wrote to memory of 3032 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_5b6b0168a9149690585949c2dbd9d340_cobalt-strike_cobaltstrike.exe C:\Windows\System\ChDqjQS.exe
PID 2884 wrote to memory of 3032 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_5b6b0168a9149690585949c2dbd9d340_cobalt-strike_cobaltstrike.exe C:\Windows\System\ChDqjQS.exe
PID 2884 wrote to memory of 3032 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_5b6b0168a9149690585949c2dbd9d340_cobalt-strike_cobaltstrike.exe C:\Windows\System\ChDqjQS.exe
PID 2884 wrote to memory of 2152 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_5b6b0168a9149690585949c2dbd9d340_cobalt-strike_cobaltstrike.exe C:\Windows\System\HfYHrvL.exe
PID 2884 wrote to memory of 2152 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_5b6b0168a9149690585949c2dbd9d340_cobalt-strike_cobaltstrike.exe C:\Windows\System\HfYHrvL.exe
PID 2884 wrote to memory of 2152 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_5b6b0168a9149690585949c2dbd9d340_cobalt-strike_cobaltstrike.exe C:\Windows\System\HfYHrvL.exe
PID 2884 wrote to memory of 2716 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_5b6b0168a9149690585949c2dbd9d340_cobalt-strike_cobaltstrike.exe C:\Windows\System\nGVaQNq.exe
PID 2884 wrote to memory of 2716 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_5b6b0168a9149690585949c2dbd9d340_cobalt-strike_cobaltstrike.exe C:\Windows\System\nGVaQNq.exe
PID 2884 wrote to memory of 2716 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_5b6b0168a9149690585949c2dbd9d340_cobalt-strike_cobaltstrike.exe C:\Windows\System\nGVaQNq.exe
PID 2884 wrote to memory of 2620 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_5b6b0168a9149690585949c2dbd9d340_cobalt-strike_cobaltstrike.exe C:\Windows\System\FwOuhNO.exe
PID 2884 wrote to memory of 2620 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_5b6b0168a9149690585949c2dbd9d340_cobalt-strike_cobaltstrike.exe C:\Windows\System\FwOuhNO.exe
PID 2884 wrote to memory of 2620 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_5b6b0168a9149690585949c2dbd9d340_cobalt-strike_cobaltstrike.exe C:\Windows\System\FwOuhNO.exe
PID 2884 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_5b6b0168a9149690585949c2dbd9d340_cobalt-strike_cobaltstrike.exe C:\Windows\System\RGvvKto.exe
PID 2884 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_5b6b0168a9149690585949c2dbd9d340_cobalt-strike_cobaltstrike.exe C:\Windows\System\RGvvKto.exe
PID 2884 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_5b6b0168a9149690585949c2dbd9d340_cobalt-strike_cobaltstrike.exe C:\Windows\System\RGvvKto.exe
PID 2884 wrote to memory of 2508 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_5b6b0168a9149690585949c2dbd9d340_cobalt-strike_cobaltstrike.exe C:\Windows\System\pxAnStU.exe
PID 2884 wrote to memory of 2508 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_5b6b0168a9149690585949c2dbd9d340_cobalt-strike_cobaltstrike.exe C:\Windows\System\pxAnStU.exe
PID 2884 wrote to memory of 2508 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_5b6b0168a9149690585949c2dbd9d340_cobalt-strike_cobaltstrike.exe C:\Windows\System\pxAnStU.exe
PID 2884 wrote to memory of 2728 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_5b6b0168a9149690585949c2dbd9d340_cobalt-strike_cobaltstrike.exe C:\Windows\System\gLgKYlF.exe
PID 2884 wrote to memory of 2728 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_5b6b0168a9149690585949c2dbd9d340_cobalt-strike_cobaltstrike.exe C:\Windows\System\gLgKYlF.exe
PID 2884 wrote to memory of 2728 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_5b6b0168a9149690585949c2dbd9d340_cobalt-strike_cobaltstrike.exe C:\Windows\System\gLgKYlF.exe
PID 2884 wrote to memory of 2532 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_5b6b0168a9149690585949c2dbd9d340_cobalt-strike_cobaltstrike.exe C:\Windows\System\TtzMnyk.exe
PID 2884 wrote to memory of 2532 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_5b6b0168a9149690585949c2dbd9d340_cobalt-strike_cobaltstrike.exe C:\Windows\System\TtzMnyk.exe
PID 2884 wrote to memory of 2532 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_5b6b0168a9149690585949c2dbd9d340_cobalt-strike_cobaltstrike.exe C:\Windows\System\TtzMnyk.exe
PID 2884 wrote to memory of 2164 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_5b6b0168a9149690585949c2dbd9d340_cobalt-strike_cobaltstrike.exe C:\Windows\System\HenOThx.exe
PID 2884 wrote to memory of 2164 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_5b6b0168a9149690585949c2dbd9d340_cobalt-strike_cobaltstrike.exe C:\Windows\System\HenOThx.exe
PID 2884 wrote to memory of 2164 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_5b6b0168a9149690585949c2dbd9d340_cobalt-strike_cobaltstrike.exe C:\Windows\System\HenOThx.exe
PID 2884 wrote to memory of 2344 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_5b6b0168a9149690585949c2dbd9d340_cobalt-strike_cobaltstrike.exe C:\Windows\System\uyYWBCz.exe
PID 2884 wrote to memory of 2344 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_5b6b0168a9149690585949c2dbd9d340_cobalt-strike_cobaltstrike.exe C:\Windows\System\uyYWBCz.exe
PID 2884 wrote to memory of 2344 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_5b6b0168a9149690585949c2dbd9d340_cobalt-strike_cobaltstrike.exe C:\Windows\System\uyYWBCz.exe
PID 2884 wrote to memory of 2448 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_5b6b0168a9149690585949c2dbd9d340_cobalt-strike_cobaltstrike.exe C:\Windows\System\hNJiGEr.exe
PID 2884 wrote to memory of 2448 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_5b6b0168a9149690585949c2dbd9d340_cobalt-strike_cobaltstrike.exe C:\Windows\System\hNJiGEr.exe
PID 2884 wrote to memory of 2448 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_5b6b0168a9149690585949c2dbd9d340_cobalt-strike_cobaltstrike.exe C:\Windows\System\hNJiGEr.exe
PID 2884 wrote to memory of 1816 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_5b6b0168a9149690585949c2dbd9d340_cobalt-strike_cobaltstrike.exe C:\Windows\System\pQuiNyA.exe
PID 2884 wrote to memory of 1816 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_5b6b0168a9149690585949c2dbd9d340_cobalt-strike_cobaltstrike.exe C:\Windows\System\pQuiNyA.exe
PID 2884 wrote to memory of 1816 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_5b6b0168a9149690585949c2dbd9d340_cobalt-strike_cobaltstrike.exe C:\Windows\System\pQuiNyA.exe
PID 2884 wrote to memory of 936 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_5b6b0168a9149690585949c2dbd9d340_cobalt-strike_cobaltstrike.exe C:\Windows\System\sTfvfsS.exe
PID 2884 wrote to memory of 936 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_5b6b0168a9149690585949c2dbd9d340_cobalt-strike_cobaltstrike.exe C:\Windows\System\sTfvfsS.exe
PID 2884 wrote to memory of 936 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_5b6b0168a9149690585949c2dbd9d340_cobalt-strike_cobaltstrike.exe C:\Windows\System\sTfvfsS.exe
PID 2884 wrote to memory of 1972 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_5b6b0168a9149690585949c2dbd9d340_cobalt-strike_cobaltstrike.exe C:\Windows\System\lLOsSeo.exe
PID 2884 wrote to memory of 1972 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_5b6b0168a9149690585949c2dbd9d340_cobalt-strike_cobaltstrike.exe C:\Windows\System\lLOsSeo.exe
PID 2884 wrote to memory of 1972 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_5b6b0168a9149690585949c2dbd9d340_cobalt-strike_cobaltstrike.exe C:\Windows\System\lLOsSeo.exe
PID 2884 wrote to memory of 940 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_5b6b0168a9149690585949c2dbd9d340_cobalt-strike_cobaltstrike.exe C:\Windows\System\ftIKnpE.exe
PID 2884 wrote to memory of 940 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_5b6b0168a9149690585949c2dbd9d340_cobalt-strike_cobaltstrike.exe C:\Windows\System\ftIKnpE.exe
PID 2884 wrote to memory of 940 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_5b6b0168a9149690585949c2dbd9d340_cobalt-strike_cobaltstrike.exe C:\Windows\System\ftIKnpE.exe
PID 2884 wrote to memory of 1780 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_5b6b0168a9149690585949c2dbd9d340_cobalt-strike_cobaltstrike.exe C:\Windows\System\gmirPeK.exe
PID 2884 wrote to memory of 1780 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_5b6b0168a9149690585949c2dbd9d340_cobalt-strike_cobaltstrike.exe C:\Windows\System\gmirPeK.exe
PID 2884 wrote to memory of 1780 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_5b6b0168a9149690585949c2dbd9d340_cobalt-strike_cobaltstrike.exe C:\Windows\System\gmirPeK.exe
PID 2884 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_5b6b0168a9149690585949c2dbd9d340_cobalt-strike_cobaltstrike.exe C:\Windows\System\VfqGyoU.exe
PID 2884 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_5b6b0168a9149690585949c2dbd9d340_cobalt-strike_cobaltstrike.exe C:\Windows\System\VfqGyoU.exe
PID 2884 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_5b6b0168a9149690585949c2dbd9d340_cobalt-strike_cobaltstrike.exe C:\Windows\System\VfqGyoU.exe
PID 2884 wrote to memory of 1776 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_5b6b0168a9149690585949c2dbd9d340_cobalt-strike_cobaltstrike.exe C:\Windows\System\JSnEzBM.exe
PID 2884 wrote to memory of 1776 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_5b6b0168a9149690585949c2dbd9d340_cobalt-strike_cobaltstrike.exe C:\Windows\System\JSnEzBM.exe
PID 2884 wrote to memory of 1776 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_5b6b0168a9149690585949c2dbd9d340_cobalt-strike_cobaltstrike.exe C:\Windows\System\JSnEzBM.exe
PID 2884 wrote to memory of 1596 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_5b6b0168a9149690585949c2dbd9d340_cobalt-strike_cobaltstrike.exe C:\Windows\System\DIiTYmr.exe
PID 2884 wrote to memory of 1596 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_5b6b0168a9149690585949c2dbd9d340_cobalt-strike_cobaltstrike.exe C:\Windows\System\DIiTYmr.exe
PID 2884 wrote to memory of 1596 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_5b6b0168a9149690585949c2dbd9d340_cobalt-strike_cobaltstrike.exe C:\Windows\System\DIiTYmr.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-05-22_5b6b0168a9149690585949c2dbd9d340_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-05-22_5b6b0168a9149690585949c2dbd9d340_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\DllqyYJ.exe

C:\Windows\System\DllqyYJ.exe

C:\Windows\System\pNBBNxC.exe

C:\Windows\System\pNBBNxC.exe

C:\Windows\System\ChDqjQS.exe

C:\Windows\System\ChDqjQS.exe

C:\Windows\System\HfYHrvL.exe

C:\Windows\System\HfYHrvL.exe

C:\Windows\System\nGVaQNq.exe

C:\Windows\System\nGVaQNq.exe

C:\Windows\System\FwOuhNO.exe

C:\Windows\System\FwOuhNO.exe

C:\Windows\System\RGvvKto.exe

C:\Windows\System\RGvvKto.exe

C:\Windows\System\pxAnStU.exe

C:\Windows\System\pxAnStU.exe

C:\Windows\System\gLgKYlF.exe

C:\Windows\System\gLgKYlF.exe

C:\Windows\System\TtzMnyk.exe

C:\Windows\System\TtzMnyk.exe

C:\Windows\System\HenOThx.exe

C:\Windows\System\HenOThx.exe

C:\Windows\System\uyYWBCz.exe

C:\Windows\System\uyYWBCz.exe

C:\Windows\System\hNJiGEr.exe

C:\Windows\System\hNJiGEr.exe

C:\Windows\System\pQuiNyA.exe

C:\Windows\System\pQuiNyA.exe

C:\Windows\System\sTfvfsS.exe

C:\Windows\System\sTfvfsS.exe

C:\Windows\System\lLOsSeo.exe

C:\Windows\System\lLOsSeo.exe

C:\Windows\System\ftIKnpE.exe

C:\Windows\System\ftIKnpE.exe

C:\Windows\System\gmirPeK.exe

C:\Windows\System\gmirPeK.exe

C:\Windows\System\VfqGyoU.exe

C:\Windows\System\VfqGyoU.exe

C:\Windows\System\JSnEzBM.exe

C:\Windows\System\JSnEzBM.exe

C:\Windows\System\DIiTYmr.exe

C:\Windows\System\DIiTYmr.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 tcp
(6 identical connections; no domain recorded)

Files

memory/2884-0-0x000000013F770000-0x000000013FAC1000-memory.dmp

memory/2884-1-0x00000000001F0000-0x0000000000200000-memory.dmp

\Windows\system\DllqyYJ.exe

MD5 6363371abce02c077615732582b8356c
SHA1 a3ccdb92a7737fef064f9a625ff7785a4ea16881
SHA256 5d092e72ee76c2ad95455e7729f3c40be998b894f5a931cc7407ba9378c2993f
SHA512 e001062f35ed6800b8c468908487e3ca20414b7da97ee100731672b6a351c644556e35da2857a11087c22f6baa09bc54a10d24425f4696c32c1feadbc9cf493c

\Windows\system\ChDqjQS.exe

MD5 41e261fe1ce7a5e541c6358c955b2928
SHA1 55683fba00273f7fa032f825c867b7093ee13fe7
SHA256 371c86773c02e9b6fecc0db20f756b5e12f19e98f7d9da11cb73cffc85394a85
SHA512 6b0f300dd881edf1ba55c0c1729806290d3cddef522f40ab6e12d6c736d1e2e17ca5a5daa2741e87fafe0d3651295bf7b5c1e3ca7315bbe8e5204319dff85f7a

C:\Windows\system\HfYHrvL.exe

MD5 31d9934efaf8779a5149294989c49e82
SHA1 dadd960d342c7371ac3e751aa5fbaf4adcaf8e37
SHA256 4ee655c9cfeab489d98d25f92f8d54515f5721f65c3b42865c740f3139741015
SHA512 272b5ba73ec6972a230e6c4e3c4768915789ec4b91e3eb8c9761350e1e9ae7a02c5b73f10f1b250d08da1c92fa7a1a51f14406d6219126fc1cd1164e2889e0ec

C:\Windows\system\pNBBNxC.exe

MD5 3548da63e6ac187f28f25e63563f35cb
SHA1 387c8a8b95ed45019177aa9bcda484df7c6ce9a3
SHA256 9665ba16920338461efab488ec5a7003ec25d867ecf1be137c54ae7ca8f32d3f
SHA512 e4cd899e41bbbfbbeed4481d79f464f1a2d03ef56fe2ff3de938b8b3729363c7af16137d3b936e0e01cfbcbc02f9bbbfa6e1b2096425c7732be39679205ff3b4

memory/2824-29-0x000000013F530000-0x000000013F881000-memory.dmp

memory/2152-28-0x000000013FF60000-0x00000001402B1000-memory.dmp

memory/3032-25-0x000000013F320000-0x000000013F671000-memory.dmp

memory/2884-21-0x000000013FF60000-0x00000001402B1000-memory.dmp

memory/2884-19-0x00000000022D0000-0x0000000002621000-memory.dmp

memory/2884-17-0x000000013F320000-0x000000013F671000-memory.dmp

memory/2988-12-0x000000013F970000-0x000000013FCC1000-memory.dmp

memory/2884-35-0x000000013FD40000-0x0000000140091000-memory.dmp

C:\Windows\system\nGVaQNq.exe

MD5 616fa5ddd0e31457274db54388beb1b7
SHA1 39b89528f5fe6599ed126769c5b0974a3a76a400
SHA256 b12b41f8cfcabf835ea5223c38ee45c6838a82c145276b6fde04ccb15cc3bbab
SHA512 28aa1648ad03713058bca5669a5d013d0e5737e0a28c7e6e05b82e28270c001ec49df32ba76a949bc521e8cf9caa253200f5e6a638a80744538be9f8c85e3ba7

memory/2716-36-0x000000013FD40000-0x0000000140091000-memory.dmp

C:\Windows\system\FwOuhNO.exe

MD5 e3c59b1e4d798a0f54dc39587d7d63bd
SHA1 97e85f9198ac0ccf5c47bba1348564b732442e8d
SHA256 37b24f714ac804d52e2c98c82ee7040d90a4b7af4119806142037de89d6b546f
SHA512 17876eb22968e99799aac9d85a8218f4e04fba298844b259f9fb762be79f8f89c8330b3e38ae3fbe5f805ae21ce70bb36723ef382f56adab8c5389e64082a63b

memory/2884-46-0x000000013FD70000-0x00000001400C1000-memory.dmp

C:\Windows\system\pxAnStU.exe

MD5 853a18533dd2808578a86d2b986eb30f
SHA1 355e5dc5f206c5e2d0a8a9ed7a9aef849b638cb5
SHA256 3a2d96914868a7e3a9d55901cdd1b1743f8c5332ed4586ee08b03ab0f8f30c15
SHA512 8768bdc1a2b7b93bbede5da50ae5f596541bbfd471eccb3f08026f677c853f1a2d7738dca1717a51940f7dbf3f6102ab7f403e43fcf41e95bc7918a774ffdadf

memory/2508-56-0x000000013F3A0000-0x000000013F6F1000-memory.dmp

memory/2832-57-0x000000013F2A0000-0x000000013F5F1000-memory.dmp

memory/2884-55-0x000000013F3A0000-0x000000013F6F1000-memory.dmp

memory/2884-51-0x000000013F2A0000-0x000000013F5F1000-memory.dmp

\Windows\system\gLgKYlF.exe

MD5 76d93929c3042b14294397f9a359906a
SHA1 6961d44014cd10c516710fa0ee60995dfbaee995
SHA256 a2f144285a04d898b250b5df87dc171edca08608b8c3cfcffafedc5c94082f9c
SHA512 db19a4819c5c8d6ed9bd36e9af6dbab3e171520e4e9c5456896d9247dcfbbe14a6d87e00ed63e10704796e431a9a4e59247c3e216d413c2a0368905660803a88

memory/2728-64-0x000000013F4D0000-0x000000013F821000-memory.dmp

memory/2988-62-0x000000013F970000-0x000000013FCC1000-memory.dmp

memory/2884-61-0x000000013F770000-0x000000013FAC1000-memory.dmp

C:\Windows\system\RGvvKto.exe

MD5 ce271ead2563b6b125aa60e93820ece0
SHA1 6d502e8780d6f8ae373adcbef138a49ff524506f
SHA256 0748e4ed2003fd9201eaf1a62d9d4e1b8cbc6295d86f8118292405d6d3b5328f
SHA512 11415a1dca3342262312f7007a48fbc1f3df3156f3af672e91f89152a7ec747f2089dd1e9c8aadc18cd641b88af14d726517bb7eba3fbc66f1f0c499bf7f35e9

C:\Windows\system\TtzMnyk.exe

MD5 88f7942eb74b249ee020c99a28b1aecc
SHA1 26e53b2c5a9069e40be7e14329cebc8374b3926d
SHA256 3d0ce4c10cc850a31e4e8c4863bfe779287a261ff2feb0fc3aff957744bd2811
SHA512 90841e42c0c786ec891d5e8b4915239dddd404d26c21307f6029b7529b0883df9689430b9fd560a47f68937b675296e4197f5270fc8e9418f7f5af6ba4cd9027

memory/2152-70-0x000000013FF60000-0x00000001402B1000-memory.dmp

memory/2884-71-0x000000013F370000-0x000000013F6C1000-memory.dmp

memory/2532-72-0x000000013F370000-0x000000013F6C1000-memory.dmp

memory/2620-49-0x000000013FD70000-0x00000001400C1000-memory.dmp

\Windows\system\uyYWBCz.exe

MD5 3386a19c5c41c1c2770dbbad9cb379b0
SHA1 434489cc5e6247b237ac47fdec9b7ce19447b27c
SHA256 981b29be38d2e5b3b69b5e7e5d3e98d7e4fba6a03b703aadf309159735b2534a
SHA512 f49deb2a22be7e15739eb8ec3caeeafe5708df1c1bcd5a5b6de512d8868497dd9f6b843238148d2e914a69219246530b4078d4986a8bd2d15fd8c60c88bc1303

memory/2884-86-0x000000013F0E0000-0x000000013F431000-memory.dmp

memory/2164-78-0x000000013F280000-0x000000013F5D1000-memory.dmp

memory/2884-77-0x000000013F280000-0x000000013F5D1000-memory.dmp

memory/2344-87-0x000000013F0E0000-0x000000013F431000-memory.dmp

C:\Windows\system\HenOThx.exe

MD5 13765ad1b655f1d07d122697cf5d08bf
SHA1 5674a37c6423984016b13daecfb99c024571b287
SHA256 91dd4e11a08da8e9d13f6c601e78f36c92d844049b6de230364fd43a3b15d2f5
SHA512 794fce627cd4f5388403c6ce43b810bff44f6437afb5b56b6fb2704defab0fe4fdb2a8978d9b71dbd61d7c680836c211bc65739d08451a0dafb91f1d6309ef3b

\Windows\system\hNJiGEr.exe

MD5 8a6d8defd8a98132ebb2b1e564f01ded
SHA1 758c4cab6e8cdb359fb81729eaad5878a9547052
SHA256 29c376f8826f089ebd3350556e336555067bb4d30a62371006122676df638bb9
SHA512 527e41967aded49cf76ded3b0918f2e63ff234e31d042dd179eb95845685c5e9b13034ad84e3776ad8f9b8e8d19ede4e1cb0a4fe9b741887f853c19cdc94617a

memory/2448-93-0x000000013F960000-0x000000013FCB1000-memory.dmp

memory/2884-92-0x00000000022D0000-0x0000000002621000-memory.dmp

C:\Windows\system\pQuiNyA.exe

MD5 3855c1b7b36edd988b6dbd3a992a5f4e
SHA1 e6d841c2cc25fb6f4b9d16745fdb4adc71bc2197
SHA256 300b3c39f32d0fcfb18b475584e7f1561bfa98f93b3f23d199e2e0a5a8e81929
SHA512 ee84f8023af4ec74009acea18014c70994d6dd56b7346eb2d8ba2f0e949e141b03bb7c9fae355f5a842975316cde84036c836b3120b4b9247176cc3fd08ba5f7

memory/1816-101-0x000000013FA90000-0x000000013FDE1000-memory.dmp

memory/2884-100-0x00000000022D0000-0x0000000002621000-memory.dmp

\Windows\system\sTfvfsS.exe

MD5 468f0b65b0cc09bf35d19e2cf27b1d12
SHA1 f280b998e7da1d44a4a389d9367669f588be8a86
SHA256 e863f709826a6c6f1f0777e31770ab1abcc92075996a5f259b7fa78defd34a82
SHA512 a3bfea4a985163e921bf00f2c8a18134e2945f6b94c4fdce49cca853038609f360d122ec4058e2a1e78b380b89e0f8782f467106246eb41f912581f43b47058f

memory/2884-106-0x000000013FD00000-0x0000000140051000-memory.dmp

\Windows\system\lLOsSeo.exe

MD5 8583c7ce441937c86a51b9e90525abef
SHA1 429434632c6fafe44ae24c285e6dd635a7fafe90
SHA256 216cdfd7ff323f4e1aad09a458a1aafdc4834277edaed7a3cf8d1008537314ab
SHA512 1ef38e59504663e885c1051066078f6147d9b3f04b01e1a921913b2832046808cb56bd979f411b8425588dc9b525da687968d2a8ae7f4e68c91ffdadfa06cbc3

C:\Windows\system\JSnEzBM.exe

MD5 e15b23d176f31a73a3d27847d5aab02e
SHA1 57a58e74b5eeac0e818f5fcf8d85d6ed5729c747
SHA256 95639a75e86b4ec4958a679cd4100d18bf16aed7b91cf552dfbfc8307e6c81de
SHA512 5f4b46e38b6f1e0871fa7b0eaf7d4283f1e99833c9f05b28184c690f7391f1890d46e84645f00329459524c5d6fb4d6b4b9ced50684d8bdf0b458c22af2322f0

C:\Windows\system\VfqGyoU.exe

MD5 3521a592ba5ec78769d46532e5c16c6c
SHA1 f4cdbb832a4522c8070b092a75678b08506fc8e5
SHA256 38f9c76a3e75250137239eb150588e2ff9cb409c33996d50cb547c1a7791a736
SHA512 1bee8b68c7b50622db03d56b4d77c72c69032be8b927f5923e9abe5ec7c27c176dc7d977dd2c7038212029b89333c63c222f32f61dd394e85f5e3b3895f2e43e

\Windows\system\DIiTYmr.exe

MD5 3a96331b4c67e309ac9ff89a63f305ab
SHA1 f132281d1cc4a5ff7182b6dbfa39f63ec5c80bf1
SHA256 4bf0123e128afd411b0fd00f07350312832af44054295c5a1c7f92ab70a38111
SHA512 58492e99fa24e5ad03239b405fef11fc606b6046b649c11a429f1d84118a8286981c30d11225d206f474aa5f558f2569496d638bc6364585b7b2d7b63d7373b2

C:\Windows\system\ftIKnpE.exe

MD5 0110335b528f6bde3fbccdafb8cbbde6
SHA1 780abd13e2af9468fdf53964cf7ef942fad7f15a
SHA256 ba4515a02976a1037cbc195df33c62a4af2d5664e8b5c89d91ab7ed088a66212
SHA512 5867e4d9599b772de3b58e2d27f48cd53864d1ea1a6c1b81416c544ac8c3a3329e52871f5ea36e4c9da370e3359449b036123ca609f4b56f1bb308866b5b661e

C:\Windows\system\gmirPeK.exe

MD5 4771964c311eaa2c244beb1940826be7
SHA1 68f2c86ac53acb1d2bae466053a87020890f4428
SHA256 a2a4947b5b0a2d834b524cdb21d1573a6e088ec3e22af818c4add6960ff3b05e
SHA512 4925751f65855a338e694e33ac10aa7fb8cf2c0d532b5795007300b28dc0bd7e449c871547c4cf5d9bc7b08344d4788c3275b85cfc538498b1030a73e6c2235b

memory/2884-137-0x000000013F770000-0x000000013FAC1000-memory.dmp

memory/2728-142-0x000000013F4D0000-0x000000013F821000-memory.dmp

memory/2164-149-0x000000013F280000-0x000000013F5D1000-memory.dmp

memory/2448-151-0x000000013F960000-0x000000013FCB1000-memory.dmp

memory/2884-152-0x000000013F370000-0x000000013F6C1000-memory.dmp

memory/2532-148-0x000000013F370000-0x000000013F6C1000-memory.dmp

memory/2684-158-0x000000013FA30000-0x000000013FD81000-memory.dmp

memory/1596-160-0x000000013F2D0000-0x000000013F621000-memory.dmp

memory/1776-159-0x000000013F1E0000-0x000000013F531000-memory.dmp

memory/1780-157-0x000000013F7E0000-0x000000013FB31000-memory.dmp

memory/940-156-0x000000013F7B0000-0x000000013FB01000-memory.dmp

memory/1972-155-0x000000013F8D0000-0x000000013FC21000-memory.dmp

memory/936-154-0x000000013FD00000-0x0000000140051000-memory.dmp

memory/2884-161-0x000000013F0E0000-0x000000013F431000-memory.dmp

memory/2884-162-0x000000013F770000-0x000000013FAC1000-memory.dmp

memory/2884-175-0x00000000022D0000-0x0000000002621000-memory.dmp

memory/2884-185-0x000000013FD00000-0x0000000140051000-memory.dmp

memory/2988-209-0x000000013F970000-0x000000013FCC1000-memory.dmp

memory/3032-211-0x000000013F320000-0x000000013F671000-memory.dmp

memory/2824-215-0x000000013F530000-0x000000013F881000-memory.dmp

memory/2152-214-0x000000013FF60000-0x00000001402B1000-memory.dmp

memory/2716-224-0x000000013FD40000-0x0000000140091000-memory.dmp

memory/2620-226-0x000000013FD70000-0x00000001400C1000-memory.dmp

memory/2508-229-0x000000013F3A0000-0x000000013F6F1000-memory.dmp

memory/2832-230-0x000000013F2A0000-0x000000013F5F1000-memory.dmp

memory/2728-232-0x000000013F4D0000-0x000000013F821000-memory.dmp

memory/2532-234-0x000000013F370000-0x000000013F6C1000-memory.dmp

memory/2164-236-0x000000013F280000-0x000000013F5D1000-memory.dmp

memory/2344-238-0x000000013F0E0000-0x000000013F431000-memory.dmp

memory/1816-244-0x000000013FA90000-0x000000013FDE1000-memory.dmp

memory/2448-245-0x000000013F960000-0x000000013FCB1000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-22 20:54

Reported

2024-05-22 20:57

Platform

win10v2004-20240226-en

Max time kernel

149s

Max time network

156s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-05-22_5b6b0168a9149690585949c2dbd9d340_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A (21 identical rows; the sandbox recorded no description, indicator, process or target for these matches)

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A (21 identical rows; the sandbox recorded no description, indicator, process or target for these matches)

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A (64 identical rows; the sandbox recorded no description, indicator, process or target for these matches)

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A (45 identical rows; the sandbox recorded no description, indicator, process or target for these matches)

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A (64 identical rows; the sandbox recorded no description, indicator, process or target for these matches)

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\HThEWdb.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_5b6b0168a9149690585949c2dbd9d340_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\exmaLUn.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_5b6b0168a9149690585949c2dbd9d340_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\WusSWsY.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_5b6b0168a9149690585949c2dbd9d340_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\KFttJzE.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_5b6b0168a9149690585949c2dbd9d340_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\icYyMiv.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_5b6b0168a9149690585949c2dbd9d340_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\FjzpJRp.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_5b6b0168a9149690585949c2dbd9d340_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\QBytTJg.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_5b6b0168a9149690585949c2dbd9d340_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\YIApajd.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_5b6b0168a9149690585949c2dbd9d340_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ZPLlHRX.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_5b6b0168a9149690585949c2dbd9d340_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\eIzaXxZ.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_5b6b0168a9149690585949c2dbd9d340_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\yuYPseH.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_5b6b0168a9149690585949c2dbd9d340_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\jcGpdnH.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_5b6b0168a9149690585949c2dbd9d340_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\qmaLZbY.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_5b6b0168a9149690585949c2dbd9d340_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\lRDKVKY.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_5b6b0168a9149690585949c2dbd9d340_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\NvupTop.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_5b6b0168a9149690585949c2dbd9d340_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\SzdfAqk.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_5b6b0168a9149690585949c2dbd9d340_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\eyAVTru.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_5b6b0168a9149690585949c2dbd9d340_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\GbiRSeS.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_5b6b0168a9149690585949c2dbd9d340_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\TvGyXBX.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_5b6b0168a9149690585949c2dbd9d340_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\XoVJYJz.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_5b6b0168a9149690585949c2dbd9d340_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\AcNOChf.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_5b6b0168a9149690585949c2dbd9d340_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

SeLockMemoryPrivilege is the privilege Windows requires for large-page allocations; XMRig enables it so its RandomX scratchpad can be backed by huge pages, so the two AdjustTokenPrivileges calls below are consistent with the XMRig Miner payload signature above.

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_5b6b0168a9149690585949c2dbd9d340_cobalt-strike_cobaltstrike.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_5b6b0168a9149690585949c2dbd9d340_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1780 wrote to memory of 3360 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_5b6b0168a9149690585949c2dbd9d340_cobalt-strike_cobaltstrike.exe C:\Windows\System\TvGyXBX.exe
PID 1780 wrote to memory of 3360 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_5b6b0168a9149690585949c2dbd9d340_cobalt-strike_cobaltstrike.exe C:\Windows\System\TvGyXBX.exe
PID 1780 wrote to memory of 2028 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_5b6b0168a9149690585949c2dbd9d340_cobalt-strike_cobaltstrike.exe C:\Windows\System\XoVJYJz.exe
PID 1780 wrote to memory of 2028 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_5b6b0168a9149690585949c2dbd9d340_cobalt-strike_cobaltstrike.exe C:\Windows\System\XoVJYJz.exe
PID 1780 wrote to memory of 3788 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_5b6b0168a9149690585949c2dbd9d340_cobalt-strike_cobaltstrike.exe C:\Windows\System\FjzpJRp.exe
PID 1780 wrote to memory of 3788 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_5b6b0168a9149690585949c2dbd9d340_cobalt-strike_cobaltstrike.exe C:\Windows\System\FjzpJRp.exe
PID 1780 wrote to memory of 552 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_5b6b0168a9149690585949c2dbd9d340_cobalt-strike_cobaltstrike.exe C:\Windows\System\yuYPseH.exe
PID 1780 wrote to memory of 552 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_5b6b0168a9149690585949c2dbd9d340_cobalt-strike_cobaltstrike.exe C:\Windows\System\yuYPseH.exe
PID 1780 wrote to memory of 3772 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_5b6b0168a9149690585949c2dbd9d340_cobalt-strike_cobaltstrike.exe C:\Windows\System\QBytTJg.exe
PID 1780 wrote to memory of 3772 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_5b6b0168a9149690585949c2dbd9d340_cobalt-strike_cobaltstrike.exe C:\Windows\System\QBytTJg.exe
PID 1780 wrote to memory of 2368 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_5b6b0168a9149690585949c2dbd9d340_cobalt-strike_cobaltstrike.exe C:\Windows\System\ZPLlHRX.exe
PID 1780 wrote to memory of 2368 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_5b6b0168a9149690585949c2dbd9d340_cobalt-strike_cobaltstrike.exe C:\Windows\System\ZPLlHRX.exe
PID 1780 wrote to memory of 1652 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_5b6b0168a9149690585949c2dbd9d340_cobalt-strike_cobaltstrike.exe C:\Windows\System\HThEWdb.exe
PID 1780 wrote to memory of 1652 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_5b6b0168a9149690585949c2dbd9d340_cobalt-strike_cobaltstrike.exe C:\Windows\System\HThEWdb.exe
PID 1780 wrote to memory of 4160 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_5b6b0168a9149690585949c2dbd9d340_cobalt-strike_cobaltstrike.exe C:\Windows\System\exmaLUn.exe
PID 1780 wrote to memory of 4160 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_5b6b0168a9149690585949c2dbd9d340_cobalt-strike_cobaltstrike.exe C:\Windows\System\exmaLUn.exe
PID 1780 wrote to memory of 2480 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_5b6b0168a9149690585949c2dbd9d340_cobalt-strike_cobaltstrike.exe C:\Windows\System\jcGpdnH.exe
PID 1780 wrote to memory of 2480 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_5b6b0168a9149690585949c2dbd9d340_cobalt-strike_cobaltstrike.exe C:\Windows\System\jcGpdnH.exe
PID 1780 wrote to memory of 1040 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_5b6b0168a9149690585949c2dbd9d340_cobalt-strike_cobaltstrike.exe C:\Windows\System\qmaLZbY.exe
PID 1780 wrote to memory of 1040 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_5b6b0168a9149690585949c2dbd9d340_cobalt-strike_cobaltstrike.exe C:\Windows\System\qmaLZbY.exe
PID 1780 wrote to memory of 2280 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_5b6b0168a9149690585949c2dbd9d340_cobalt-strike_cobaltstrike.exe C:\Windows\System\WusSWsY.exe
PID 1780 wrote to memory of 2280 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_5b6b0168a9149690585949c2dbd9d340_cobalt-strike_cobaltstrike.exe C:\Windows\System\WusSWsY.exe
PID 1780 wrote to memory of 1400 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_5b6b0168a9149690585949c2dbd9d340_cobalt-strike_cobaltstrike.exe C:\Windows\System\lRDKVKY.exe
PID 1780 wrote to memory of 1400 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_5b6b0168a9149690585949c2dbd9d340_cobalt-strike_cobaltstrike.exe C:\Windows\System\lRDKVKY.exe
PID 1780 wrote to memory of 3256 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_5b6b0168a9149690585949c2dbd9d340_cobalt-strike_cobaltstrike.exe C:\Windows\System\NvupTop.exe
PID 1780 wrote to memory of 3256 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_5b6b0168a9149690585949c2dbd9d340_cobalt-strike_cobaltstrike.exe C:\Windows\System\NvupTop.exe
PID 1780 wrote to memory of 1724 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_5b6b0168a9149690585949c2dbd9d340_cobalt-strike_cobaltstrike.exe C:\Windows\System\SzdfAqk.exe
PID 1780 wrote to memory of 1724 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_5b6b0168a9149690585949c2dbd9d340_cobalt-strike_cobaltstrike.exe C:\Windows\System\SzdfAqk.exe
PID 1780 wrote to memory of 1500 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_5b6b0168a9149690585949c2dbd9d340_cobalt-strike_cobaltstrike.exe C:\Windows\System\eIzaXxZ.exe
PID 1780 wrote to memory of 1500 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_5b6b0168a9149690585949c2dbd9d340_cobalt-strike_cobaltstrike.exe C:\Windows\System\eIzaXxZ.exe
PID 1780 wrote to memory of 3632 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_5b6b0168a9149690585949c2dbd9d340_cobalt-strike_cobaltstrike.exe C:\Windows\System\eyAVTru.exe
PID 1780 wrote to memory of 3632 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_5b6b0168a9149690585949c2dbd9d340_cobalt-strike_cobaltstrike.exe C:\Windows\System\eyAVTru.exe
PID 1780 wrote to memory of 4572 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_5b6b0168a9149690585949c2dbd9d340_cobalt-strike_cobaltstrike.exe C:\Windows\System\KFttJzE.exe
PID 1780 wrote to memory of 4572 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_5b6b0168a9149690585949c2dbd9d340_cobalt-strike_cobaltstrike.exe C:\Windows\System\KFttJzE.exe
PID 1780 wrote to memory of 1824 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_5b6b0168a9149690585949c2dbd9d340_cobalt-strike_cobaltstrike.exe C:\Windows\System\icYyMiv.exe
PID 1780 wrote to memory of 1824 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_5b6b0168a9149690585949c2dbd9d340_cobalt-strike_cobaltstrike.exe C:\Windows\System\icYyMiv.exe
PID 1780 wrote to memory of 3460 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_5b6b0168a9149690585949c2dbd9d340_cobalt-strike_cobaltstrike.exe C:\Windows\System\GbiRSeS.exe
PID 1780 wrote to memory of 3460 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_5b6b0168a9149690585949c2dbd9d340_cobalt-strike_cobaltstrike.exe C:\Windows\System\GbiRSeS.exe
PID 1780 wrote to memory of 4000 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_5b6b0168a9149690585949c2dbd9d340_cobalt-strike_cobaltstrike.exe C:\Windows\System\YIApajd.exe
PID 1780 wrote to memory of 4000 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_5b6b0168a9149690585949c2dbd9d340_cobalt-strike_cobaltstrike.exe C:\Windows\System\YIApajd.exe
PID 1780 wrote to memory of 3656 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_5b6b0168a9149690585949c2dbd9d340_cobalt-strike_cobaltstrike.exe C:\Windows\System\AcNOChf.exe
PID 1780 wrote to memory of 3656 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_5b6b0168a9149690585949c2dbd9d340_cobalt-strike_cobaltstrike.exe C:\Windows\System\AcNOChf.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-05-22_5b6b0168a9149690585949c2dbd9d340_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-05-22_5b6b0168a9149690585949c2dbd9d340_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\TvGyXBX.exe

C:\Windows\System\TvGyXBX.exe

C:\Windows\System\XoVJYJz.exe

C:\Windows\System\XoVJYJz.exe

C:\Windows\System\FjzpJRp.exe

C:\Windows\System\FjzpJRp.exe

C:\Windows\System\yuYPseH.exe

C:\Windows\System\yuYPseH.exe

C:\Windows\System\QBytTJg.exe

C:\Windows\System\QBytTJg.exe

C:\Windows\System\ZPLlHRX.exe

C:\Windows\System\ZPLlHRX.exe

C:\Windows\System\HThEWdb.exe

C:\Windows\System\HThEWdb.exe

C:\Windows\System\exmaLUn.exe

C:\Windows\System\exmaLUn.exe

C:\Windows\System\jcGpdnH.exe

C:\Windows\System\jcGpdnH.exe

C:\Windows\System\qmaLZbY.exe

C:\Windows\System\qmaLZbY.exe

C:\Windows\System\WusSWsY.exe

C:\Windows\System\WusSWsY.exe

C:\Windows\System\lRDKVKY.exe

C:\Windows\System\lRDKVKY.exe

C:\Windows\System\NvupTop.exe

C:\Windows\System\NvupTop.exe

C:\Windows\System\SzdfAqk.exe

C:\Windows\System\SzdfAqk.exe

C:\Windows\System\eIzaXxZ.exe

C:\Windows\System\eIzaXxZ.exe

C:\Windows\System\eyAVTru.exe

C:\Windows\System\eyAVTru.exe

C:\Windows\System\KFttJzE.exe

C:\Windows\System\KFttJzE.exe

C:\Windows\System\icYyMiv.exe

C:\Windows\System\icYyMiv.exe

C:\Windows\System\GbiRSeS.exe

C:\Windows\System\GbiRSeS.exe

C:\Windows\System\YIApajd.exe

C:\Windows\System\YIApajd.exe

C:\Windows\System\AcNOChf.exe

C:\Windows\System\AcNOChf.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3972 --field-trial-handle=2900,i,14549994492153927475,12895178890800740987,262144 --variations-seed-version /prefetch:8
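The "Drops file in Windows directory" and "Suspicious use of WriteProcessMemory" tables above, read together with the process list, show one pattern: the parent (PID 1780) creates a seven-letter .exe in C:\Windows\System, spawns it, and writes into the new process (the sandbox logs two WriteProcessMemory events per child). The block below is an added example, not part of the sandbox report or of the sample, that rebuilds that drop-and-execute chain from the report's own row formats and applies the naming check a hunter would derive from it. The embedded rows are a constructed subset of the two tables above, and the function names are assumptions of this example.

```python
import re

# Constructed excerpt of the two signature tables above, in the report's own row
# format: four 'File created' rows and the paired WriteProcessMemory rows.
PARENT = (r"C:\Users\Admin\AppData\Local\Temp\2024-05-22_5b6b0168a9149690585949c2dbd9d340"
          r"_cobalt-strike_cobaltstrike.exe")
DROP_ROWS = "\n".join(
    f"File created C:\\Windows\\System\\{name}.exe {PARENT} N/A"
    for name in ("HThEWdb", "TvGyXBX", "XoVJYJz", "FjzpJRp"))
WRITE_ROWS = "\n".join(
    f"PID 1780 wrote to memory of {pid} N/A {PARENT} C:\\Windows\\System\\{name}.exe"
    for name, pid in (("TvGyXBX", 3360), ("TvGyXBX", 3360), ("XoVJYJz", 2028),
                      ("XoVJYJz", 2028), ("FjzpJRp", 3788), ("FjzpJRp", 3788)))

DROP_RE = re.compile(r"^File created (\S+) (\S+) N/A$")
WRITE_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)$")
NAME_RE = re.compile(r"^[A-Za-z]{7}\.exe$")   # seven letters + .exe, as in every drop above


def parse_drops(text):
    """Map dropped path -> dropping process from 'Drops file in Windows directory' rows."""
    return {m.group(1): m.group(2) for m in map(DROP_RE.match, text.splitlines()) if m}


def parse_writes(text):
    """Return ({(src_pid, dst_pid): (src_image, dst_image)}, raw_event_count).

    The sandbox logs two WriteProcessMemory events per child; keying on the
    PID pair collapses each pair into a single parent -> child edge.
    """
    edges, events = {}, 0
    for line in text.splitlines():
        m = WRITE_RE.match(line)
        if not m:
            continue
        events += 1
        src_pid, dst_pid, src_img, dst_img = m.groups()
        edges[(int(src_pid), int(dst_pid))] = (src_img, dst_img)
    return edges, events


def odd_windows_system_binary(path):
    """True for a seven-letter .exe created directly in the legacy C:\\Windows\\System
    directory (not System32), which is where every dropped file in this report lands."""
    folder, _, name = path.rpartition("\\")
    return folder.lower() == r"c:\windows\system" and bool(NAME_RE.match(name))


def build_chain(drop_text, write_text):
    """Join the two tables: for each child the parent wrote into, record whether the
    parent itself created that image on disk and whether its name fits the pattern."""
    drops = parse_drops(drop_text)
    edges, events = parse_writes(write_text)
    children = []
    for (src_pid, dst_pid), (src_img, dst_img) in sorted(edges.items()):
        children.append({
            "pid": dst_pid,
            "image": dst_img,
            "parent_pid": src_pid,
            "dropped_by_parent": drops.get(dst_img) == src_img,
            "odd_name": odd_windows_system_binary(dst_img),
        })
    return {"dropped": len(drops), "write_events": events, "children": children}


if __name__ == "__main__":
    chain = build_chain(DROP_ROWS, WRITE_ROWS)
    print(f"{chain['dropped']} files dropped, {chain['write_events']} write events")
    for c in chain["children"]:
        flag = "DROP+EXEC" if c["dropped_by_parent"] and c["odd_name"] else "check"
        print(f"  {c['parent_pid']} -> {c['pid']} {c['image']}  [{flag}]")
```

Run over the full tables, the join yields 21 children, every one created on disk by the parent moments earlier. The `odd_name` check is the portable part: the letters differ between the two detonations (compare the behavioral1 file list above), so the names themselves make poor indicators, while a seven-letter executable appearing directly under %SystemRoot%\System, a directory that normally gains no new executables, is a narrow enough shape to alert on.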

Network

Country Destination Domain Proto
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 240.197.17.2.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 20.231.121.79:80 tcp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp

Files

memory/1780-0-0x00007FF7CF620000-0x00007FF7CF971000-memory.dmp

memory/1780-1-0x000001DF0F9A0000-0x000001DF0F9B0000-memory.dmp

C:\Windows\System\TvGyXBX.exe

MD5 e2f3dbbb20b58e5315bbda4a15f521fd
SHA1 a38af86aea55d4a8e62f787162e19f4e66fcc200
SHA256 0cf529ef18e335eddebb45e672c564f1ed99347b13d46a3d4489857864f7cb7e
SHA512 6f58e7fb382ea74a05fc482d677198d10e206ec28fabea272a1cae6f920dbd68b51a0c4126afb476282b17674b04b9b825589368207c5cd2825784d6c2d780c9

memory/3360-8-0x00007FF7D4A90000-0x00007FF7D4DE1000-memory.dmp

C:\Windows\System\XoVJYJz.exe

MD5 0673d003bf67f0e46b752b7485b77df2
SHA1 cbefecd8285208cd7a68b223e58dc4b6613b08c6
SHA256 0bbc5e267cdf702d819b54ee15e55fd42049fcc4a69e9927812bd665fb4c5098
SHA512 ef31ce8b5d8677d9efe22e05588cf5a3c05f67e9e56b1f364384f93e461b3687c3e4140ab43a61d373a85fce2aa3b4ed3bd7ebee77e20765c157e060af88d7e9

memory/2028-12-0x00007FF7EA090000-0x00007FF7EA3E1000-memory.dmp

C:\Windows\System\FjzpJRp.exe

MD5 cdaf5953bafbb2068b2ecc4c71054105
SHA1 9d5b71c332b6e638954c0769c150e40faedba236
SHA256 2779ee2196862dcafc5606cfb63a4d661fd0c53d9c88c9d6c65983ede07600a2
SHA512 a26a215f6a4a69bd15df809e94c9f1f127aba52b459582bc033afcfa02fc1e91c94a2f803541fa8ad6772f1f43009a6a829fc2d1d2f3b141f7e96bfbe805a78a

memory/3788-19-0x00007FF685E20000-0x00007FF686171000-memory.dmp

C:\Windows\System\yuYPseH.exe

MD5 5d7f47d048ea3202df302f2d7396a685
SHA1 ef2ab536425620c857aa3afd72b278198016b14a
SHA256 9a874a73e7fb2ed3fc40660090207c5686dda4f5ef1e078be5c9d4bafdc2dd7c
SHA512 86f07a99fed5be4671267da05437189b6e6cb3f23d315315baecb7774d60a8222ac2c4a0bcb6942a44f0de2a93450cb360b3156d93f04f406006df893d1cdf5a

memory/552-25-0x00007FF757B50000-0x00007FF757EA1000-memory.dmp

C:\Windows\System\QBytTJg.exe

MD5 c4a4c997456aa28551d1a33d487553db
SHA1 6a5dfacaf9a83f604d22f2e85df17af505d5804e
SHA256 ffa20fec74aa58e6dfd8d82988c26e852dcdf427e05f3f56199985698c4de7af
SHA512 46218b89e5afe80153d2299bf272796af3204144dd61556758274313567d44ea03f3da9d417465969e4ca5fe0b5621bc64829f672a2f566c5febb1f3abe4b8d2

memory/3772-30-0x00007FF7B35F0000-0x00007FF7B3941000-memory.dmp

C:\Windows\System\HThEWdb.exe

MD5 c800d3eb9c512c5a618c5c874faa953f
SHA1 d92108f283119e960d70120f700e6bd69a1c4a36
SHA256 8c526c155498ba2ef60b21412ad77c8408fd14efe30ac2a932bb4022658a6da3
SHA512 636f4b673100a1686d86f878197000cb3862d95e5eba9dbc1c8560a7cfe5095d2b771cbd84cd3523b2113d4e7b99ed36e5043bb35b3b027607fffb6179ed27db

memory/1652-43-0x00007FF60B1D0000-0x00007FF60B521000-memory.dmp

C:\Windows\System\ZPLlHRX.exe

MD5 c4bab380295ded935dccfd5b6933d2ea
SHA1 24f502710041afac36687c8cf3173ce4c09237cf
SHA256 ae425a6e65c1bf228562c5f725de64a4358a91f9a3648f0e508dd618ed6e1650
SHA512 ce33ddd5c7d607349982227f9605455dc179db442f3201202f97787491ef5a3f9a0ee0c26e646504f206362a730e839245ed19b5767902a72555131d10f8e158

memory/4160-47-0x00007FF65FC00000-0x00007FF65FF51000-memory.dmp

memory/2368-45-0x00007FF7A27D0000-0x00007FF7A2B21000-memory.dmp

C:\Windows\System\exmaLUn.exe

MD5 cfa0b1f2fe934b7e742144f0edfd3914
SHA1 3ad682ae53116df176602e14d950d3548c0ee8e8
SHA256 9f90efcf925f266d90882f5df380ad3b9a18895c5aa2076565f2c58a9afcfa42
SHA512 1190da55405138a5efd49f703dea17a9f373146f22a7aa1fae2029f0ef954bd0722d90e2de0c3d57354783624515a39216edf5ab212c6a1c629c6ffc8a7bdc7f

C:\Windows\System\jcGpdnH.exe

MD5 d7aa99e099de28601468183eca56a560
SHA1 b920be842241b564109c0278e8386a4c7b98a14a
SHA256 5a44ed75d79196e2cd074bfbf316b2717c96f0c7523578007959ca2698d75009
SHA512 25818e7cac2c2385bb498777427f96c46207b7a67af4ea32d31feab61246e27b7413c3a1ed88c86d51f12b79fae39e02773e7b234ac6983380782e6464cd5e97

C:\Windows\System\qmaLZbY.exe

MD5 3e293c9a456e436ea659e9725c1f63ae
SHA1 5b45a92c12c1844bdef04b1a2d79f66eb8c420f0
SHA256 fdbba8a16850db587e121f7d8eafa14139b8e7aec3633b8dab20035b78b35367
SHA512 e8428fd5b9410675068b95344a9462728914f55b26bc4bacd3675bb49735b0126d11ac62d14c980acc6e527c8ee56128783f5fc4d71a719ea0ed488c0ddd9cc9

C:\Windows\System\WusSWsY.exe

MD5 af1691226f074d69894d00e26ec859d6
SHA1 a00e2b1aae592bbaebf717a8cab45d522a574799
SHA256 ba1521e321c6a7394cf907fb4cfe14cca0d89653c5b2d0282746765f177feec2
SHA512 f8f78d4705bb93a7d7d5688d7bc90febc01606bb36ab7e5deb153859d8eb8f65a35e4e6a69e42c42462563931978a8bd057a1406c2729b13c9517f543838ddec

memory/2480-61-0x00007FF71B100000-0x00007FF71B451000-memory.dmp

memory/1040-66-0x00007FF6BB750000-0x00007FF6BBAA1000-memory.dmp

memory/1780-67-0x00007FF7CF620000-0x00007FF7CF971000-memory.dmp

memory/2280-68-0x00007FF6B9250000-0x00007FF6B95A1000-memory.dmp

C:\Windows\System\lRDKVKY.exe

MD5 8f8a7787fc840e2908357a18af907a04
SHA1 bddfe39bd57a98edc718128c226ae0b62257e3ae
SHA256 e06fdb2a81ef07eae4001bed79578c553570a1e87fdf6f8066b381fa70b9ad8a
SHA512 05d60d71723a9296c8c14dd768408de92ff357bc43e78fe0513ddfa81a788221d5ebc2c36db313a79122ba6dedaebee8a1faf62090f9d21ce494d4580d6e64d0

C:\Windows\System\NvupTop.exe

MD5 1c187ca8649a3a82378bebf69823e20a
SHA1 c6e432e872f92d806c50c811803b88efd6fb051c
SHA256 72ba12d628b3217f6fc262035f7b07327b58debb794ad835bd99d696c493519d
SHA512 dc02601c49f3da1a51e6047d7a35c7fdf99876f360bfea035588cd238009a8c98745e588180bb3ebc431d5d9369563c456345f72c9c1cee1971553e25a7e6487

C:\Windows\System\SzdfAqk.exe

MD5 d977fae96ede175fa8aa4ed4a6ee84e1
SHA1 1ff24a0d88d91789a9ca7620ec08b6185b64e2e8
SHA256 7a88821adae995483f4dcb46a2b2b29f4b3159a9e19f506b126502eefdd7897f
SHA512 3f19ed7f89511a8bd81d062e4b4368326ee02ad5d4fe111f95cab7098889ef6069ad51d434afe0d0247395661df9e1d312d2e9a53abe91d27f6a156507053ae7

C:\Windows\System\eIzaXxZ.exe

MD5 c79ee47030bb7db2975b07e168315d27
SHA1 c86649ccc0181b547cbd654b65abd4e2ddedcd98
SHA256 75e1679e05b02b20769032f88868c61a3f63b7a3be7ebc281558dad627c7af35
SHA512 ef6faf6dd9fbea43689ff85fd0a60a8f84f7bda1483c752fc4b9bf428c9cd0ba6e9afa84a00120402594c2bdc0214202d339ef2477b2a0b08ed03cd42943b59e

memory/3360-89-0x00007FF7D4A90000-0x00007FF7D4DE1000-memory.dmp

memory/1724-96-0x00007FF704A50000-0x00007FF704DA1000-memory.dmp

C:\Windows\System\eyAVTru.exe

MD5 111778930861e7f590b2b84b1d8ec1d1
SHA1 fe1a7c0ecd5da6899e10eac3f864916e9f0581c5
SHA256 37e122f7b12b3d126f8bab926e0d87f3e85cb98369a9dc2c875ff1ffe5be83e5
SHA512 cd3efc18c240d19305a72cf8d26c2fa9533dc5deb0b0473372edf3bebb156a96be204a42d1ab8fe4ab861d74be9687d5c8754613d995b0173f84b95a52c226bf

memory/3632-103-0x00007FF6E5250000-0x00007FF6E55A1000-memory.dmp

C:\Windows\System\KFttJzE.exe

MD5 f968883b7e6720ea0ad57627aa8fed05
SHA1 b4ae81eacb9a1e6360f7ec87c92938f8afbea6c4
SHA256 35aa24a747fa7c626a7d00f7b368ab32b76e81601c048ea9f042dc0558f43d02
SHA512 0d9bd0ce03503e244a57ffd9057ea12436b9b9e95e37c55f75d73b52424387fa71af335234910dd7dc50de6f48e2b886c88e180e9f67261c67cccf4d83e66ad6

C:\Windows\System\icYyMiv.exe

MD5 54357c477ccaf080f69bf11cc38c7b57
SHA1 bde4ba74f1c2df366e2257af828a10ba8e43707d
SHA256 068d5863d834314f1ed748c862724a744b4d3c201b1832c5a547a6f2a38db936
SHA512 279b9cd70b5d9c545915b39538b5ee83ca2f15c5c2c3e36468ee6ce4707c6f8b3b05eeec2a59621d3cf35d8b2deaf02cf30ec27221f4dd4ef34a68a163a56b87

C:\Windows\System\GbiRSeS.exe

MD5 56e6f85ec3b56c89a4d0fe16025d64e0
SHA1 6433c09db79c8f05175222c86619ce7335f0af20
SHA256 aeffb75b36fbdcef22a18dd4813f8451b6d925f056ea32daaf63279f6b5991a0
SHA512 6136ad4195bd0e29e503e53af56382ad5366c02725d6481c0d2ab5406753e3b413909177a34522463e0439478d4b59b13bb049a7f28644940378cf12cdd122e8

C:\Windows\System\YIApajd.exe

MD5 5960a5902da9720030d2e6ae246ec11e
SHA1 137fed0ca6d3d68c416b0e4e6a062d2cd51de747
SHA256 2470ac0a8a3d582f6419015282581616998a2d9f260e8c8056e4734af0ec594b
SHA512 2a7f9177ddf95be1b9e44d1b31f99de8cc8fd9415db62f0ba5eb58973c32581744a5eb7b4ed29e921779d2e04355073b92f4f4a9c32383899ff7e5aeeee7bd7e

C:\Windows\System\AcNOChf.exe

MD5 5357c1a3781cca123914d3c90b97d4c2
SHA1 08ad0537ae9a51d7dec65949862e0cc0eee227b1
SHA256 21c3f902a390880384a26785ebfa038802964b07f619ffb0821742e3131a4e97
SHA512 38b324ef440309567d89a47766e4b44a220aba2530b4d5693d1ad2bdce62531e7fb2793db12ebf7bafe4d5c149206c5169aa94f547ea0346cf9bb5514de591b5

memory/4572-109-0x00007FF629810000-0x00007FF629B61000-memory.dmp

memory/2028-101-0x00007FF7EA090000-0x00007FF7EA3E1000-memory.dmp

memory/1500-97-0x00007FF7BD510000-0x00007FF7BD861000-memory.dmp

memory/3256-95-0x00007FF748090000-0x00007FF7483E1000-memory.dmp

memory/1400-93-0x00007FF761020000-0x00007FF761371000-memory.dmp

memory/1780-127-0x00007FF7CF620000-0x00007FF7CF971000-memory.dmp

memory/2368-133-0x00007FF7A27D0000-0x00007FF7A2B21000-memory.dmp

memory/552-131-0x00007FF757B50000-0x00007FF757EA1000-memory.dmp

memory/2480-136-0x00007FF71B100000-0x00007FF71B451000-memory.dmp

memory/2280-138-0x00007FF6B9250000-0x00007FF6B95A1000-memory.dmp

memory/4160-135-0x00007FF65FC00000-0x00007FF65FF51000-memory.dmp

memory/3460-140-0x00007FF73ACA0000-0x00007FF73AFF1000-memory.dmp

memory/3656-142-0x00007FF6C4930000-0x00007FF6C4C81000-memory.dmp

memory/4000-141-0x00007FF756C40000-0x00007FF756F91000-memory.dmp

memory/1824-139-0x00007FF7123F0000-0x00007FF712741000-memory.dmp

memory/3772-132-0x00007FF7B35F0000-0x00007FF7B3941000-memory.dmp

memory/4572-148-0x00007FF629810000-0x00007FF629B61000-memory.dmp

memory/3632-147-0x00007FF6E5250000-0x00007FF6E55A1000-memory.dmp

memory/1780-153-0x00007FF7CF620000-0x00007FF7CF971000-memory.dmp

memory/3360-198-0x00007FF7D4A90000-0x00007FF7D4DE1000-memory.dmp

memory/3788-205-0x00007FF685E20000-0x00007FF686171000-memory.dmp

memory/2028-207-0x00007FF7EA090000-0x00007FF7EA3E1000-memory.dmp

memory/552-209-0x00007FF757B50000-0x00007FF757EA1000-memory.dmp

memory/1652-211-0x00007FF60B1D0000-0x00007FF60B521000-memory.dmp

memory/3772-213-0x00007FF7B35F0000-0x00007FF7B3941000-memory.dmp

memory/2480-220-0x00007FF71B100000-0x00007FF71B451000-memory.dmp

memory/2368-222-0x00007FF7A27D0000-0x00007FF7A2B21000-memory.dmp

memory/4160-226-0x00007FF65FC00000-0x00007FF65FF51000-memory.dmp

memory/1040-225-0x00007FF6BB750000-0x00007FF6BBAA1000-memory.dmp

memory/1400-228-0x00007FF761020000-0x00007FF761371000-memory.dmp

memory/3256-230-0x00007FF748090000-0x00007FF7483E1000-memory.dmp

memory/1724-232-0x00007FF704A50000-0x00007FF704DA1000-memory.dmp

memory/1500-239-0x00007FF7BD510000-0x00007FF7BD861000-memory.dmp

memory/2280-241-0x00007FF6B9250000-0x00007FF6B95A1000-memory.dmp

memory/4572-245-0x00007FF629810000-0x00007FF629B61000-memory.dmp

memory/3632-244-0x00007FF6E5250000-0x00007FF6E55A1000-memory.dmp

memory/1824-247-0x00007FF7123F0000-0x00007FF712741000-memory.dmp

memory/3460-249-0x00007FF73ACA0000-0x00007FF73AFF1000-memory.dmp

memory/4000-251-0x00007FF756C40000-0x00007FF756F91000-memory.dmp

memory/3656-253-0x00007FF6C4930000-0x00007FF6C4C81000-memory.dmp
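Every memory dump in both detonations is named memory/<pid>-<n>-<start>-<end>-memory.dmp, each dropped file is followed by its hashes, and the Network table mixes reverse-DNS lookups (the in-addr.arpa rows sent to 8.8.8.8) with the direct connections, which here are only 3.120.209.58:8080 (six times) and 20.231.121.79:80. The block below is an added example, not part of the report or of any tool the report names, that parses those three line formats into what a responder needs: dump region sizes per PID, a SHA256 list, and connection counts with the PTR noise separated out. The embedded text is a constructed excerpt of the Files and Network sections (hash values copied from the report); the report does not say which of the two endpoints is a mining pool and which is a C2, and the code does not guess. Function names are assumptions of this example.

```python
import re
from collections import Counter

# Constructed excerpt of the Files and Network sections above: a few memory dump
# names, two file-hash records (hashes copied from the report) and four network rows.
REPORT = r"""
memory/1780-0-0x00007FF7CF620000-0x00007FF7CF971000-memory.dmp
memory/1780-1-0x000001DF0F9A0000-0x000001DF0F9B0000-memory.dmp
C:\Windows\System\TvGyXBX.exe
MD5 e2f3dbbb20b58e5315bbda4a15f521fd
SHA1 a38af86aea55d4a8e62f787162e19f4e66fcc200
SHA256 0cf529ef18e335eddebb45e672c564f1ed99347b13d46a3d4489857864f7cb7e
memory/3360-8-0x00007FF7D4A90000-0x00007FF7D4DE1000-memory.dmp
memory/2884-92-0x00000000022D0000-0x0000000002621000-memory.dmp
\Windows\system\uyYWBCz.exe
MD5 3386a19c5c41c1c2770dbbad9cb379b0
SHA256 981b29be38d2e5b3b69b5e7e5d3e98d7e4fba6a03b703aadf309159735b2534a
Country Destination Domain Proto
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 20.231.121.79:80 tcp
DE 3.120.209.58:8080 tcp
"""

MEM_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
PATH_RE = re.compile(r"^(?:[A-Za-z]:)?\\\S+\.exe$")      # drive letter is optional (behavioral1 rows)
HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512) ([0-9a-f]+)$")
NET_RE = re.compile(r"^([A-Z]{2}) (\d{1,3}(?:\.\d{1,3}){3}):(\d+)(?: (\S+))? (tcp|udp)$")


def parse_memory_dumps(text):
    """One record per memory/<pid>-<n>-<start>-<end>-memory.dmp entry, with the region size."""
    out = []
    for line in text.splitlines():
        m = MEM_RE.match(line)
        if m:
            pid, idx, start, end = m.groups()
            start, end = int(start, 16), int(end, 16)
            out.append({"pid": int(pid), "idx": int(idx), "start": start,
                        "end": end, "size": end - start})
    return out


def parse_file_hashes(text):
    """Return {path: {algo: hexdigest}}: a path line opens a record, hash lines fill it,
    blank lines are skipped, and any other line (e.g. a memory dump) closes it."""
    records, current = {}, None
    for line in text.splitlines():
        if PATH_RE.match(line):
            current = records.setdefault(line, {})
        elif not line.strip():
            continue
        elif (m := HASH_RE.match(line)) and current is not None:
            current[m.group(1)] = m.group(2)
        else:
            current = None
    return records


def parse_network(text):
    """Split network rows into direct connections (no domain column), reverse lookups
    (in-addr.arpa, decoded back to the IP that was looked up) and forward lookups."""
    direct, reverse_lookups, forward_lookups = Counter(), [], []
    for line in text.splitlines():
        m = NET_RE.match(line)
        if not m:
            continue
        _country, ip, port, domain, proto = m.groups()
        if domain is None:
            direct[(ip, int(port), proto)] += 1
        elif domain.endswith(".in-addr.arpa"):
            octets = domain[:-len(".in-addr.arpa")].split(".")   # 58.55.71.13 -> 13.71.55.58
            reverse_lookups.append(".".join(reversed(octets)))
        else:
            forward_lookups.append(domain)
    return direct, reverse_lookups, forward_lookups


def summarize(text):
    """Collapse the parsed records into the numbers a responder acts on."""
    dumps = parse_memory_dumps(text)
    hashes = parse_file_hashes(text)
    direct, reverse_lookups, forward_lookups = parse_network(text)
    return {
        "dump_sizes": dict(Counter(d["size"] for d in dumps)),
        "dumps_per_pid": dict(Counter(d["pid"] for d in dumps)),
        "sha256": sorted({h["SHA256"] for h in hashes.values() if "SHA256" in h}),
        "direct_connections": {f"{ip}:{port}/{proto}": n for (ip, port, proto), n in direct.items()},
        "reverse_lookups": reverse_lookups,
        "forward_lookups": forward_lookups,
    }


if __name__ == "__main__":
    for key, value in summarize(REPORT).items():
        print(f"{key}: {value}")
```

On the excerpt the region size comes out as 0x351000 for the parent image and for each child; the same arithmetic over the full list gives that size for every dump in both detonations except the 0x10000 heap region of PID 1780, which is consistent with each dropped executable being the same size image as the parent. Feed the whole Network table in and the direct connections reduce to the two endpoints above, with everything else being PTR lookups that the sandbox's own Edge process is as likely to have issued as the sample.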