Malware Analysis Report

2025-04-19 15:29

Sample ID 240522-zqtfjagd66
Target 2024-05-22_64c8420e94fd1fe741ba97752de832ae_cobalt-strike_cobaltstrike
SHA256 b345984886d424a2acd7106c4d2da9e7b6df3d6e6ca380d2f6dd613846a4bcca
Tags
upx 0 miner cobaltstrike xmrig backdoor trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

b345984886d424a2acd7106c4d2da9e7b6df3d6e6ca380d2f6dd613846a4bcca

Threat Level: Known bad

The file 2024-05-22_64c8420e94fd1fe741ba97752de832ae_cobalt-strike_cobaltstrike was found to be: Known bad.

Malicious Activity Summary

upx 0 miner cobaltstrike xmrig backdoor trojan

Detects Reflective DLL injection artifacts

XMRig Miner payload

Cobaltstrike

xmrig

Xmrig family

UPX dump on OEP (original entry point)

Cobaltstrike family

Cobalt Strike reflective loader

UPX dump on OEP (original entry point)

XMRig Miner payload

Detects Reflective DLL injection artifacts

Executes dropped EXE

UPX packed file

Loads dropped DLL

Drops file in Windows directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-05-22 20:55

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike family

cobaltstrike

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

XMRig Miner payload

miner

Description Indicator Process Target
N/A N/A N/A N/A

Xmrig family

xmrig

UPX packed file

upx

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-22 20:55

Reported

2024-05-22 20:58

Platform

win7-20240508-en

Max time kernel

145s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-05-22_64c8420e94fd1fe741ba97752de832ae_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A (21 rows, all cells N/A)

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A (21 rows, all cells N/A)

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A (64 rows, all cells N/A)

XMRig Miner payload

miner

Description Indicator Process Target
N/A N/A N/A N/A (39 rows, all cells N/A)

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_64c8420e94fd1fe741ba97752de832ae_cobalt-strike_cobaltstrike.exe N/A (21 identical rows)

UPX packed file

upx

Description Indicator Process Target
N/A N/A N/A N/A (64 rows, all cells N/A)

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\PLczjCY.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_64c8420e94fd1fe741ba97752de832ae_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\JFRapME.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_64c8420e94fd1fe741ba97752de832ae_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ATAmiQk.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_64c8420e94fd1fe741ba97752de832ae_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\fibcEeX.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_64c8420e94fd1fe741ba97752de832ae_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\HOSQxHz.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_64c8420e94fd1fe741ba97752de832ae_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\xAVAwGX.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_64c8420e94fd1fe741ba97752de832ae_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\lQsVNDm.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_64c8420e94fd1fe741ba97752de832ae_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\rzXobqq.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_64c8420e94fd1fe741ba97752de832ae_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\SyyHXSm.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_64c8420e94fd1fe741ba97752de832ae_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\dJSTaHt.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_64c8420e94fd1fe741ba97752de832ae_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\HMcvPgJ.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_64c8420e94fd1fe741ba97752de832ae_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\WqochvG.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_64c8420e94fd1fe741ba97752de832ae_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\GuZNOkp.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_64c8420e94fd1fe741ba97752de832ae_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\bXYsfAz.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_64c8420e94fd1fe741ba97752de832ae_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\mquleAa.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_64c8420e94fd1fe741ba97752de832ae_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\vPkCKUl.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_64c8420e94fd1fe741ba97752de832ae_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\DeeElTG.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_64c8420e94fd1fe741ba97752de832ae_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\NXojYXB.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_64c8420e94fd1fe741ba97752de832ae_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\XKpueLx.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_64c8420e94fd1fe741ba97752de832ae_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\MzOhNzZ.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_64c8420e94fd1fe741ba97752de832ae_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\yfIvHjc.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_64c8420e94fd1fe741ba97752de832ae_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_64c8420e94fd1fe741ba97752de832ae_cobalt-strike_cobaltstrike.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_64c8420e94fd1fe741ba97752de832ae_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2056 wrote to memory of 2896 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_64c8420e94fd1fe741ba97752de832ae_cobalt-strike_cobaltstrike.exe C:\Windows\System\XKpueLx.exe
PID 2056 wrote to memory of 2896 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_64c8420e94fd1fe741ba97752de832ae_cobalt-strike_cobaltstrike.exe C:\Windows\System\XKpueLx.exe
PID 2056 wrote to memory of 2896 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_64c8420e94fd1fe741ba97752de832ae_cobalt-strike_cobaltstrike.exe C:\Windows\System\XKpueLx.exe
PID 2056 wrote to memory of 2956 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_64c8420e94fd1fe741ba97752de832ae_cobalt-strike_cobaltstrike.exe C:\Windows\System\dJSTaHt.exe
PID 2056 wrote to memory of 2956 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_64c8420e94fd1fe741ba97752de832ae_cobalt-strike_cobaltstrike.exe C:\Windows\System\dJSTaHt.exe
PID 2056 wrote to memory of 2956 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_64c8420e94fd1fe741ba97752de832ae_cobalt-strike_cobaltstrike.exe C:\Windows\System\dJSTaHt.exe
PID 2056 wrote to memory of 2072 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_64c8420e94fd1fe741ba97752de832ae_cobalt-strike_cobaltstrike.exe C:\Windows\System\bXYsfAz.exe
PID 2056 wrote to memory of 2072 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_64c8420e94fd1fe741ba97752de832ae_cobalt-strike_cobaltstrike.exe C:\Windows\System\bXYsfAz.exe
PID 2056 wrote to memory of 2072 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_64c8420e94fd1fe741ba97752de832ae_cobalt-strike_cobaltstrike.exe C:\Windows\System\bXYsfAz.exe
PID 2056 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_64c8420e94fd1fe741ba97752de832ae_cobalt-strike_cobaltstrike.exe C:\Windows\System\fibcEeX.exe
PID 2056 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_64c8420e94fd1fe741ba97752de832ae_cobalt-strike_cobaltstrike.exe C:\Windows\System\fibcEeX.exe
PID 2056 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_64c8420e94fd1fe741ba97752de832ae_cobalt-strike_cobaltstrike.exe C:\Windows\System\fibcEeX.exe
PID 2056 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_64c8420e94fd1fe741ba97752de832ae_cobalt-strike_cobaltstrike.exe C:\Windows\System\HMcvPgJ.exe
PID 2056 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_64c8420e94fd1fe741ba97752de832ae_cobalt-strike_cobaltstrike.exe C:\Windows\System\HMcvPgJ.exe
PID 2056 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_64c8420e94fd1fe741ba97752de832ae_cobalt-strike_cobaltstrike.exe C:\Windows\System\HMcvPgJ.exe
PID 2056 wrote to memory of 2788 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_64c8420e94fd1fe741ba97752de832ae_cobalt-strike_cobaltstrike.exe C:\Windows\System\MzOhNzZ.exe
PID 2056 wrote to memory of 2788 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_64c8420e94fd1fe741ba97752de832ae_cobalt-strike_cobaltstrike.exe C:\Windows\System\MzOhNzZ.exe
PID 2056 wrote to memory of 2788 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_64c8420e94fd1fe741ba97752de832ae_cobalt-strike_cobaltstrike.exe C:\Windows\System\MzOhNzZ.exe
PID 2056 wrote to memory of 3032 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_64c8420e94fd1fe741ba97752de832ae_cobalt-strike_cobaltstrike.exe C:\Windows\System\mquleAa.exe
PID 2056 wrote to memory of 3032 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_64c8420e94fd1fe741ba97752de832ae_cobalt-strike_cobaltstrike.exe C:\Windows\System\mquleAa.exe
PID 2056 wrote to memory of 3032 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_64c8420e94fd1fe741ba97752de832ae_cobalt-strike_cobaltstrike.exe C:\Windows\System\mquleAa.exe
PID 2056 wrote to memory of 2528 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_64c8420e94fd1fe741ba97752de832ae_cobalt-strike_cobaltstrike.exe C:\Windows\System\yfIvHjc.exe
PID 2056 wrote to memory of 2528 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_64c8420e94fd1fe741ba97752de832ae_cobalt-strike_cobaltstrike.exe C:\Windows\System\yfIvHjc.exe
PID 2056 wrote to memory of 2528 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_64c8420e94fd1fe741ba97752de832ae_cobalt-strike_cobaltstrike.exe C:\Windows\System\yfIvHjc.exe
PID 2056 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_64c8420e94fd1fe741ba97752de832ae_cobalt-strike_cobaltstrike.exe C:\Windows\System\DeeElTG.exe
PID 2056 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_64c8420e94fd1fe741ba97752de832ae_cobalt-strike_cobaltstrike.exe C:\Windows\System\DeeElTG.exe
PID 2056 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_64c8420e94fd1fe741ba97752de832ae_cobalt-strike_cobaltstrike.exe C:\Windows\System\DeeElTG.exe
PID 2056 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_64c8420e94fd1fe741ba97752de832ae_cobalt-strike_cobaltstrike.exe C:\Windows\System\WqochvG.exe
PID 2056 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_64c8420e94fd1fe741ba97752de832ae_cobalt-strike_cobaltstrike.exe C:\Windows\System\WqochvG.exe
PID 2056 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_64c8420e94fd1fe741ba97752de832ae_cobalt-strike_cobaltstrike.exe C:\Windows\System\WqochvG.exe
PID 2056 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_64c8420e94fd1fe741ba97752de832ae_cobalt-strike_cobaltstrike.exe C:\Windows\System\HOSQxHz.exe
PID 2056 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_64c8420e94fd1fe741ba97752de832ae_cobalt-strike_cobaltstrike.exe C:\Windows\System\HOSQxHz.exe
PID 2056 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_64c8420e94fd1fe741ba97752de832ae_cobalt-strike_cobaltstrike.exe C:\Windows\System\HOSQxHz.exe
PID 2056 wrote to memory of 620 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_64c8420e94fd1fe741ba97752de832ae_cobalt-strike_cobaltstrike.exe C:\Windows\System\xAVAwGX.exe
PID 2056 wrote to memory of 620 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_64c8420e94fd1fe741ba97752de832ae_cobalt-strike_cobaltstrike.exe C:\Windows\System\xAVAwGX.exe
PID 2056 wrote to memory of 620 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_64c8420e94fd1fe741ba97752de832ae_cobalt-strike_cobaltstrike.exe C:\Windows\System\xAVAwGX.exe
PID 2056 wrote to memory of 1392 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_64c8420e94fd1fe741ba97752de832ae_cobalt-strike_cobaltstrike.exe C:\Windows\System\lQsVNDm.exe
PID 2056 wrote to memory of 1392 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_64c8420e94fd1fe741ba97752de832ae_cobalt-strike_cobaltstrike.exe C:\Windows\System\lQsVNDm.exe
PID 2056 wrote to memory of 1392 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_64c8420e94fd1fe741ba97752de832ae_cobalt-strike_cobaltstrike.exe C:\Windows\System\lQsVNDm.exe
PID 2056 wrote to memory of 848 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_64c8420e94fd1fe741ba97752de832ae_cobalt-strike_cobaltstrike.exe C:\Windows\System\PLczjCY.exe
PID 2056 wrote to memory of 848 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_64c8420e94fd1fe741ba97752de832ae_cobalt-strike_cobaltstrike.exe C:\Windows\System\PLczjCY.exe
PID 2056 wrote to memory of 848 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_64c8420e94fd1fe741ba97752de832ae_cobalt-strike_cobaltstrike.exe C:\Windows\System\PLczjCY.exe
PID 2056 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_64c8420e94fd1fe741ba97752de832ae_cobalt-strike_cobaltstrike.exe C:\Windows\System\vPkCKUl.exe
PID 2056 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_64c8420e94fd1fe741ba97752de832ae_cobalt-strike_cobaltstrike.exe C:\Windows\System\vPkCKUl.exe
PID 2056 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_64c8420e94fd1fe741ba97752de832ae_cobalt-strike_cobaltstrike.exe C:\Windows\System\vPkCKUl.exe
PID 2056 wrote to memory of 2248 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_64c8420e94fd1fe741ba97752de832ae_cobalt-strike_cobaltstrike.exe C:\Windows\System\GuZNOkp.exe
PID 2056 wrote to memory of 2248 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_64c8420e94fd1fe741ba97752de832ae_cobalt-strike_cobaltstrike.exe C:\Windows\System\GuZNOkp.exe
PID 2056 wrote to memory of 2248 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_64c8420e94fd1fe741ba97752de832ae_cobalt-strike_cobaltstrike.exe C:\Windows\System\GuZNOkp.exe
PID 2056 wrote to memory of 2920 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_64c8420e94fd1fe741ba97752de832ae_cobalt-strike_cobaltstrike.exe C:\Windows\System\NXojYXB.exe
PID 2056 wrote to memory of 2920 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_64c8420e94fd1fe741ba97752de832ae_cobalt-strike_cobaltstrike.exe C:\Windows\System\NXojYXB.exe
PID 2056 wrote to memory of 2920 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_64c8420e94fd1fe741ba97752de832ae_cobalt-strike_cobaltstrike.exe C:\Windows\System\NXojYXB.exe
PID 2056 wrote to memory of 1772 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_64c8420e94fd1fe741ba97752de832ae_cobalt-strike_cobaltstrike.exe C:\Windows\System\JFRapME.exe
PID 2056 wrote to memory of 1772 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_64c8420e94fd1fe741ba97752de832ae_cobalt-strike_cobaltstrike.exe C:\Windows\System\JFRapME.exe
PID 2056 wrote to memory of 1772 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_64c8420e94fd1fe741ba97752de832ae_cobalt-strike_cobaltstrike.exe C:\Windows\System\JFRapME.exe
PID 2056 wrote to memory of 2200 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_64c8420e94fd1fe741ba97752de832ae_cobalt-strike_cobaltstrike.exe C:\Windows\System\ATAmiQk.exe
PID 2056 wrote to memory of 2200 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_64c8420e94fd1fe741ba97752de832ae_cobalt-strike_cobaltstrike.exe C:\Windows\System\ATAmiQk.exe
PID 2056 wrote to memory of 2200 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_64c8420e94fd1fe741ba97752de832ae_cobalt-strike_cobaltstrike.exe C:\Windows\System\ATAmiQk.exe
PID 2056 wrote to memory of 532 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_64c8420e94fd1fe741ba97752de832ae_cobalt-strike_cobaltstrike.exe C:\Windows\System\rzXobqq.exe
PID 2056 wrote to memory of 532 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_64c8420e94fd1fe741ba97752de832ae_cobalt-strike_cobaltstrike.exe C:\Windows\System\rzXobqq.exe
PID 2056 wrote to memory of 532 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_64c8420e94fd1fe741ba97752de832ae_cobalt-strike_cobaltstrike.exe C:\Windows\System\rzXobqq.exe
PID 2056 wrote to memory of 1564 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_64c8420e94fd1fe741ba97752de832ae_cobalt-strike_cobaltstrike.exe C:\Windows\System\SyyHXSm.exe
PID 2056 wrote to memory of 1564 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_64c8420e94fd1fe741ba97752de832ae_cobalt-strike_cobaltstrike.exe C:\Windows\System\SyyHXSm.exe
PID 2056 wrote to memory of 1564 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_64c8420e94fd1fe741ba97752de832ae_cobalt-strike_cobaltstrike.exe C:\Windows\System\SyyHXSm.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-05-22_64c8420e94fd1fe741ba97752de832ae_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-05-22_64c8420e94fd1fe741ba97752de832ae_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\XKpueLx.exe

C:\Windows\System\XKpueLx.exe

C:\Windows\System\dJSTaHt.exe

C:\Windows\System\dJSTaHt.exe

C:\Windows\System\bXYsfAz.exe

C:\Windows\System\bXYsfAz.exe

C:\Windows\System\fibcEeX.exe

C:\Windows\System\fibcEeX.exe

C:\Windows\System\HMcvPgJ.exe

C:\Windows\System\HMcvPgJ.exe

C:\Windows\System\MzOhNzZ.exe

C:\Windows\System\MzOhNzZ.exe

C:\Windows\System\mquleAa.exe

C:\Windows\System\mquleAa.exe

C:\Windows\System\yfIvHjc.exe

C:\Windows\System\yfIvHjc.exe

C:\Windows\System\DeeElTG.exe

C:\Windows\System\DeeElTG.exe

C:\Windows\System\WqochvG.exe

C:\Windows\System\WqochvG.exe

C:\Windows\System\HOSQxHz.exe

C:\Windows\System\HOSQxHz.exe

C:\Windows\System\xAVAwGX.exe

C:\Windows\System\xAVAwGX.exe

C:\Windows\System\lQsVNDm.exe

C:\Windows\System\lQsVNDm.exe

C:\Windows\System\PLczjCY.exe

C:\Windows\System\PLczjCY.exe

C:\Windows\System\vPkCKUl.exe

C:\Windows\System\vPkCKUl.exe

C:\Windows\System\GuZNOkp.exe

C:\Windows\System\GuZNOkp.exe

C:\Windows\System\NXojYXB.exe

C:\Windows\System\NXojYXB.exe

C:\Windows\System\JFRapME.exe

C:\Windows\System\JFRapME.exe

C:\Windows\System\ATAmiQk.exe

C:\Windows\System\ATAmiQk.exe

C:\Windows\System\rzXobqq.exe

C:\Windows\System\rzXobqq.exe

C:\Windows\System\SyyHXSm.exe

C:\Windows\System\SyyHXSm.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 N/A tcp
DE 3.120.209.58:8080 N/A tcp
DE 3.120.209.58:8080 N/A tcp
DE 3.120.209.58:8080 N/A tcp
DE 3.120.209.58:8080 N/A tcp
DE 3.120.209.58:8080 N/A tcp

Files

memory/2056-0-0x000000013F6E0000-0x000000013FA31000-memory.dmp

memory/2056-1-0x0000000000080000-0x0000000000090000-memory.dmp

\Windows\system\XKpueLx.exe

MD5 eab7e0f380ca1678ff8342c3b5a0228c
SHA1 03ad3e010e881a9409ac5cbf17c25ffc072043e0
SHA256 ea6f90c2560266874dea0f651bbc3cd991d83b83a81355cd9a2b6cfa60b5f59f
SHA512 5ad81235890d0e51d0e6edefc86fa8079cf0a2e7a05d5f96bbda2a2531437f973a7b113687546ccd5263f4e6b0990fa15b7fcd22b38cf114e0784ec3f742dc61

\Windows\system\dJSTaHt.exe

MD5 566c6d5ce3e9bd4a1604ae0f3ce67b0a
SHA1 e5962dc1032f229121fd5f97e69b5106f343e72e
SHA256 b4378f064a5d58e5b5c4f7e790d30e4f87c68326365219003fceaab18db87b48
SHA512 5bee7b5939594f05cf12774c8205e73e4933c6e8f3e93d1dccf53ce1e5080f6140acb60ed7cce0ba103f3e14f0fe77f1dda42500736e1b6a0a3288cefb906c4c

\Windows\system\bXYsfAz.exe

MD5 aaf8b8de3744fac5340e5131e968448c
SHA1 feb2da44b36dfbc06f1c721ca78337fef3157cff
SHA256 e69ea46fd8d850911e8f8c98c7ca7b0580eadec6ed89278d766cdd3614896ff6
SHA512 5d8255d66d12591352698152ba23c9037fdbf332402a3be7c1cace47d429da88f659514d21f22b736039c2abf9d56f76384d317b00fb1d6cf10ac913cd1a7526

C:\Windows\system\fibcEeX.exe

MD5 11e353211db5b34f30b34ee38113b5d2
SHA1 e2ceeffc1fa8d92b948d41e257e52909c28ead59
SHA256 96f86f3837ed6fc88ea25c00a6fd05d53af3c39bda3f48e773faa8a6e7d5a2d8
SHA512 cf80ee681e927619ea81792648fa82a8782cfd4432842f524088fd9c30d80ab4661aca7f096b4dfa0f09e6e3fbc63596c579d7e1bd40070a92ff5e5bd2d8a08a

memory/2056-14-0x000000013FB70000-0x000000013FEC1000-memory.dmp

memory/2956-26-0x000000013FB70000-0x000000013FEC1000-memory.dmp

memory/2056-34-0x0000000002420000-0x0000000002771000-memory.dmp

memory/2788-38-0x000000013F020000-0x000000013F371000-memory.dmp

C:\Windows\system\HMcvPgJ.exe

MD5 56caba8fe504b753ff5f7041bc6b0e37
SHA1 b7cfe38310b1dc0733fb7cd2697fb957dacd74ed
SHA256 3d656ee152eba8c0b8a3c6bf697618d419870b0a9db679e7a78447a484ee7ba5
SHA512 9c58f66414a2442cce7d941f7d6b77bfb1db79f43ec0c6a32ecb946e1848fb20a978ca1585172aae9b005a91e11c5b99937540894079b79f31e4d3e04ad2bdae

memory/2684-31-0x000000013FED0000-0x0000000140221000-memory.dmp

memory/2072-30-0x000000013FD20000-0x0000000140071000-memory.dmp

memory/2652-41-0x000000013F7A0000-0x000000013FAF1000-memory.dmp

memory/2056-37-0x000000013F020000-0x000000013F371000-memory.dmp

C:\Windows\system\MzOhNzZ.exe

MD5 3486efae10ca4386c0ba4faf0b5ba73b
SHA1 d6d25a6be04c59843ba53375cdc28def8532f1c8
SHA256 d02dfdbfed28b0b4d712b646febaac4a71d0cddee7fcd2c9abcfd0295aa1b42e
SHA512 f64fcfb0bf2ac00c28fea607d6531512fdd56154b8f298be6ba170290cec0e880270ba158e8778439ed9adbe0c9f7aa86186f2e62c3967f340f0f3f098594d53

memory/2056-24-0x000000013FD20000-0x0000000140071000-memory.dmp

memory/2056-54-0x000000013F6E0000-0x000000013FA31000-memory.dmp

memory/2528-56-0x000000013FF20000-0x0000000140271000-memory.dmp

\Windows\system\WqochvG.exe

MD5 a9d98110b659ccedc7a1586026f65014
SHA1 80b101e9356fea750a51d9aafdb6985710184ea2
SHA256 5f89a400b9e26d5a33eb8f7c3755d849f9e83c98d01f77b61ef5234d54229108
SHA512 ced775408642d8e0e712c3ae5a83ee94af8ffa557d7b516538ff4d45a39fd4f07cb5810e358eb0f0f673f3a8ed96991d10ed396095d55bd8ddf29883d55573ea

memory/2668-64-0x000000013FB60000-0x000000013FEB1000-memory.dmp

memory/2056-62-0x000000013FB60000-0x000000013FEB1000-memory.dmp

C:\Windows\system\DeeElTG.exe

MD5 a7cbdc84ae3af0e9f17530b50a21be02
SHA1 4cc0a7b2f63ff81de73007a7116319d178630f14
SHA256 945ecc1a348229509b26b8555c9458ad67ab807bf0137677bf60ba86d7c1a80c
SHA512 e000fcaab0e2733499b63d2698cea70c5cf71700b6f5d01ff0ed19ecf9d4213b28f78c2fb0991f4a5cd4d037146f04038a1bc2286013e0d26be52e1dda04f2c2

memory/2056-65-0x000000013F330000-0x000000013F681000-memory.dmp

memory/2772-70-0x000000013F330000-0x000000013F681000-memory.dmp

memory/3032-48-0x000000013F600000-0x000000013F951000-memory.dmp

C:\Windows\system\mquleAa.exe

MD5 241d2b6ae79a16424b500a772ca18dd5
SHA1 89b35d53c97fbe23472922b6aac8810d6f4128d0
SHA256 9822cf55d52ebebf4c12ff893e38b6e67cd9619f4e352533609048ee83e48dde
SHA512 d35dd1981699257f7ac62b173e0efe19a83840cae3045d2d72f58bdf86302cb7f91be25f106e85beba2f84fb8096d7d7481822368b59884ca8b0d8ba74fa90de

memory/2056-44-0x0000000002420000-0x0000000002771000-memory.dmp

memory/2896-55-0x000000013FD70000-0x00000001400C1000-memory.dmp

C:\Windows\system\yfIvHjc.exe

MD5 d96b7afde3c8181f5fb6a005504fc876
SHA1 eea998e19efe6465db8a20d8506d15ab21128516
SHA256 3cca3dee1722fbeb3b620cfc816cc6bc6e8ffa40bb9675fc307c0c2c70c8edbf
SHA512 315693d652c5a2c94a6d99291984439dab2c0ab54d67e5c8ebca22700d69e696c63f4b9744b876c74a2795d05b02087c10e2709c9fbe6fcfaebb1bc782698f1a

memory/2896-10-0x000000013FD70000-0x00000001400C1000-memory.dmp

\Windows\system\HOSQxHz.exe

MD5 4290b8aa136fd773d2939de4ecacd5f0
SHA1 4da2fda8dffc0ae0e6d6e40e9f8359ab296cb15d
SHA256 758edf15fe7ab32106f85773a45efd82238d678d2a1caa15b51547680079a26b
SHA512 2ce572284e1b0520bf0a455f9c917c745f3a7c071729850f51bb0daca55aecfe20e35863b66e530992f785de7bdfb1833a068e55cd869e961502666b3ed515f8

memory/620-95-0x000000013F7C0000-0x000000013FB11000-memory.dmp

\Windows\system\lQsVNDm.exe

MD5 ccf1105829819751c2e6b727795e89f1
SHA1 fb8298c57205852308245276cdc654e36cf2b120
SHA256 4965b9cbf2e790b4c2eb005ff9960dc2b94275a3d4d82925039c4ee7dea9b58a
SHA512 02e0643a695a00fa3f85d5d2dd874f9c802f80f5c39f772425334d50bf35fd439d352bc951393847540c2124314ac2fd394030e3b5c1bfb3a13888c196e8ac07

C:\Windows\system\PLczjCY.exe

MD5 bb208ba03d91965d3230a89dc6634733
SHA1 e76399488114fa94098a03c7f68bba67474d0df9
SHA256 78fd896602d600142c5ee6c63bf1a83b43c3384d803d7a2399537b120ed9a78c
SHA512 281b91e5bca4ec6a3796f0d0a1b1aca16e6993879da1a6db32499e81b69effa2a3cffe7946460cb28c3d9b53c33762f50d9c25e909ec91fe33942094928b0404

\Windows\system\GuZNOkp.exe

MD5 9f6d543f83dda47cfeb5d1c86f186ca0
SHA1 9af4e79992085caf1f8d6aa1cb675ecb60ea7cd1
SHA256 6385b299b3322a66fb53931d290998c79b164ab8bb8eb0d34d25a67d3f4d4255
SHA512 f99c6ec567d5c13f1abc46e02279ea58d1528d3d56621941ce45c6ce315ac3623153c0759b08740f2cb8d5e8fc2759376c9b14e1dd425f5650fc9b84b8d6d5b7

C:\Windows\system\JFRapME.exe

MD5 da0aec64a60f42d95d466e4f96318079
SHA1 e90825b92749c4a9db921b24282517d36b2b57e1
SHA256 30321c66c76465c79d3a0c507d8b32e2a0dfa5765d7207e7712ecd0bc9009daa
SHA512 a87c1d8386e5c3271665688f77c417ab63ef7fac75ef47260aec16a69fcd5cdf672182e1a11ac4e7bab5200a8778aee42ab202edb097b91306b696fb4d698ad5

C:\Windows\system\NXojYXB.exe

MD5 3ea69eb1b5982ff493d282eba19fa987
SHA1 ce202b70d9debc0a6c8bc46d3fedc203f09431f0
SHA256 4f8eb271bc7de7ed28365df5bf52028ba071d1bed6f4bb7fdcae33dbbfc6e5b4
SHA512 b1859115f757369d2bf37a153a3118afab9a4b978a1635ee9a2a0e34935fb655890b734b5a70bb7d4d0b615b1243bed58c84d50b0f83f7facc520c0288d62bf2

C:\Windows\system\rzXobqq.exe

\Windows\system\SyyHXSm.exe

C:\Windows\system\ATAmiQk.exe

C:\Windows\system\vPkCKUl.exe

C:\Windows\system\xAVAwGX.exe

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-22 20:55

Reported

2024-05-22 20:58

Platform

win10v2004-20240426-en

Max time kernel

142s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-05-22_64c8420e94fd1fe741ba97752de832ae_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\qhODPnB.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_64c8420e94fd1fe741ba97752de832ae_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\PrGbPZJ.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_64c8420e94fd1fe741ba97752de832ae_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\oqwFzZr.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_64c8420e94fd1fe741ba97752de832ae_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\SczZuVI.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_64c8420e94fd1fe741ba97752de832ae_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\EJlvFWd.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_64c8420e94fd1fe741ba97752de832ae_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\yLWGUzZ.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_64c8420e94fd1fe741ba97752de832ae_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\eDAMtfu.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_64c8420e94fd1fe741ba97752de832ae_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\VeHhixo.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_64c8420e94fd1fe741ba97752de832ae_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\RptbtJU.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_64c8420e94fd1fe741ba97752de832ae_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\yAdbcxy.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_64c8420e94fd1fe741ba97752de832ae_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\HRvZQbK.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_64c8420e94fd1fe741ba97752de832ae_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\YzDyRkG.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_64c8420e94fd1fe741ba97752de832ae_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\LsRqXsn.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_64c8420e94fd1fe741ba97752de832ae_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ELiVIwE.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_64c8420e94fd1fe741ba97752de832ae_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\RnOiFft.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_64c8420e94fd1fe741ba97752de832ae_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\TCiFYZU.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_64c8420e94fd1fe741ba97752de832ae_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\HYFFljB.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_64c8420e94fd1fe741ba97752de832ae_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\gWUIYZi.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_64c8420e94fd1fe741ba97752de832ae_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\OFHaZPl.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_64c8420e94fd1fe741ba97752de832ae_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\wjfLWpP.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_64c8420e94fd1fe741ba97752de832ae_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\XbUHOTs.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_64c8420e94fd1fe741ba97752de832ae_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_64c8420e94fd1fe741ba97752de832ae_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2208 wrote to memory of 4856 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_64c8420e94fd1fe741ba97752de832ae_cobalt-strike_cobaltstrike.exe C:\Windows\System\RptbtJU.exe
PID 2208 wrote to memory of 3988 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_64c8420e94fd1fe741ba97752de832ae_cobalt-strike_cobaltstrike.exe C:\Windows\System\wjfLWpP.exe
PID 2208 wrote to memory of 2972 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_64c8420e94fd1fe741ba97752de832ae_cobalt-strike_cobaltstrike.exe C:\Windows\System\RnOiFft.exe
PID 2208 wrote to memory of 4392 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_64c8420e94fd1fe741ba97752de832ae_cobalt-strike_cobaltstrike.exe C:\Windows\System\XbUHOTs.exe
PID 2208 wrote to memory of 1616 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_64c8420e94fd1fe741ba97752de832ae_cobalt-strike_cobaltstrike.exe C:\Windows\System\TCiFYZU.exe
PID 2208 wrote to memory of 1396 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_64c8420e94fd1fe741ba97752de832ae_cobalt-strike_cobaltstrike.exe C:\Windows\System\HYFFljB.exe
PID 2208 wrote to memory of 1620 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_64c8420e94fd1fe741ba97752de832ae_cobalt-strike_cobaltstrike.exe C:\Windows\System\SczZuVI.exe
PID 2208 wrote to memory of 4428 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_64c8420e94fd1fe741ba97752de832ae_cobalt-strike_cobaltstrike.exe C:\Windows\System\EJlvFWd.exe
PID 2208 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_64c8420e94fd1fe741ba97752de832ae_cobalt-strike_cobaltstrike.exe C:\Windows\System\HRvZQbK.exe
PID 2208 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_64c8420e94fd1fe741ba97752de832ae_cobalt-strike_cobaltstrike.exe C:\Windows\System\qhODPnB.exe
PID 2208 wrote to memory of 4172 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_64c8420e94fd1fe741ba97752de832ae_cobalt-strike_cobaltstrike.exe C:\Windows\System\PrGbPZJ.exe
PID 2208 wrote to memory of 4092 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_64c8420e94fd1fe741ba97752de832ae_cobalt-strike_cobaltstrike.exe C:\Windows\System\yAdbcxy.exe
PID 2208 wrote to memory of 4380 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_64c8420e94fd1fe741ba97752de832ae_cobalt-strike_cobaltstrike.exe C:\Windows\System\YzDyRkG.exe
PID 2208 wrote to memory of 1464 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_64c8420e94fd1fe741ba97752de832ae_cobalt-strike_cobaltstrike.exe C:\Windows\System\LsRqXsn.exe
PID 2208 wrote to memory of 3856 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_64c8420e94fd1fe741ba97752de832ae_cobalt-strike_cobaltstrike.exe C:\Windows\System\yLWGUzZ.exe
PID 2208 wrote to memory of 64 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_64c8420e94fd1fe741ba97752de832ae_cobalt-strike_cobaltstrike.exe C:\Windows\System\oqwFzZr.exe
PID 2208 wrote to memory of 1196 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_64c8420e94fd1fe741ba97752de832ae_cobalt-strike_cobaltstrike.exe C:\Windows\System\gWUIYZi.exe
PID 2208 wrote to memory of 4400 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_64c8420e94fd1fe741ba97752de832ae_cobalt-strike_cobaltstrike.exe C:\Windows\System\OFHaZPl.exe
PID 2208 wrote to memory of 432 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_64c8420e94fd1fe741ba97752de832ae_cobalt-strike_cobaltstrike.exe C:\Windows\System\eDAMtfu.exe
PID 2208 wrote to memory of 2960 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_64c8420e94fd1fe741ba97752de832ae_cobalt-strike_cobaltstrike.exe C:\Windows\System\VeHhixo.exe
PID 2208 wrote to memory of 2392 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_64c8420e94fd1fe741ba97752de832ae_cobalt-strike_cobaltstrike.exe C:\Windows\System\ELiVIwE.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-05-22_64c8420e94fd1fe741ba97752de832ae_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-05-22_64c8420e94fd1fe741ba97752de832ae_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\RptbtJU.exe

C:\Windows\System\wjfLWpP.exe

C:\Windows\System\RnOiFft.exe

C:\Windows\System\XbUHOTs.exe

C:\Windows\System\TCiFYZU.exe

C:\Windows\System\HYFFljB.exe

C:\Windows\System\SczZuVI.exe

C:\Windows\System\EJlvFWd.exe

C:\Windows\System\HRvZQbK.exe

C:\Windows\System\qhODPnB.exe

C:\Windows\System\PrGbPZJ.exe

C:\Windows\System\yAdbcxy.exe

C:\Windows\System\YzDyRkG.exe

C:\Windows\System\LsRqXsn.exe

C:\Windows\System\yLWGUzZ.exe

C:\Windows\System\oqwFzZr.exe

C:\Windows\System\gWUIYZi.exe

C:\Windows\System\OFHaZPl.exe

C:\Windows\System\eDAMtfu.exe

C:\Windows\System\VeHhixo.exe

C:\Windows\System\ELiVIwE.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 249.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 240.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
NL 23.62.61.75:443 www.bing.com tcp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 75.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp

Files

C:\Windows\System\RptbtJU.exe

C:\Windows\System\wjfLWpP.exe

C:\Windows\System\RnOiFft.exe

C:\Windows\System\XbUHOTs.exe

C:\Windows\System\TCiFYZU.exe

C:\Windows\System\HYFFljB.exe

C:\Windows\System\SczZuVI.exe

C:\Windows\System\EJlvFWd.exe

C:\Windows\System\HRvZQbK.exe

C:\Windows\System\qhODPnB.exe

C:\Windows\System\PrGbPZJ.exe

C:\Windows\System\yAdbcxy.exe

C:\Windows\System\YzDyRkG.exe

C:\Windows\System\LsRqXsn.exe

C:\Windows\System\oqwFzZr.exe

C:\Windows\System\eDAMtfu.exe

C:\Windows\System\VeHhixo.exe

C:\Windows\System\ELiVIwE.exe

C:\Windows\System\OFHaZPl.exe

C:\Windows\System\gWUIYZi.exe

C:\Windows\System\yLWGUzZ.exe
