Malware Analysis Report

2025-04-19 15:17

Sample ID 240522-zt1zsagf28
Target 2024-05-22_b501b57859a4045fe155e120900df2ab_cobalt-strike_cobaltstrike
SHA256 7b37ee6b0b65e1d4a1a6b358af460c9800ca7eb65dac2824bbe3f39d878dda0f
Tags
cobaltstrike xmrig 0 backdoor miner trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

7b37ee6b0b65e1d4a1a6b358af460c9800ca7eb65dac2824bbe3f39d878dda0f

Threat Level: Known bad

The file 2024-05-22_b501b57859a4045fe155e120900df2ab_cobalt-strike_cobaltstrike was found to be: Known bad.

Malicious Activity Summary

cobaltstrike xmrig 0 backdoor miner trojan upx

Detects Reflective DLL injection artifacts

xmrig

Xmrig family

UPX dump on OEP (original entry point)

Cobaltstrike

Cobalt Strike reflective loader

Cobaltstrike family

XMRig Miner payload

Executes dropped EXE

UPX packed file

Loads dropped DLL

Drops file in Windows directory

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-05-22 21:01

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike family

cobaltstrike

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Xmrig family

xmrig

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-22 21:01

Reported

2024-05-22 21:04

Platform

win7-20240221-en

Max time kernel

148s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-05-22_b501b57859a4045fe155e120900df2ab_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_b501b57859a4045fe155e120900df2ab_cobalt-strike_cobaltstrike.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\uGOmlgt.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_b501b57859a4045fe155e120900df2ab_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\cHUeMsO.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_b501b57859a4045fe155e120900df2ab_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\OMxLHof.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_b501b57859a4045fe155e120900df2ab_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\bOQiFPA.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_b501b57859a4045fe155e120900df2ab_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\YOMksYz.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_b501b57859a4045fe155e120900df2ab_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\mXztLIq.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_b501b57859a4045fe155e120900df2ab_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\YGUjFWZ.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_b501b57859a4045fe155e120900df2ab_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\MVGyave.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_b501b57859a4045fe155e120900df2ab_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\fuddDum.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_b501b57859a4045fe155e120900df2ab_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\sWTVtQg.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_b501b57859a4045fe155e120900df2ab_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\KINKTRo.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_b501b57859a4045fe155e120900df2ab_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\uVAGXLs.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_b501b57859a4045fe155e120900df2ab_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\KgyGmHj.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_b501b57859a4045fe155e120900df2ab_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\IuaYwzH.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_b501b57859a4045fe155e120900df2ab_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ydWQDkN.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_b501b57859a4045fe155e120900df2ab_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\YCxgIAz.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_b501b57859a4045fe155e120900df2ab_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\BNrvURr.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_b501b57859a4045fe155e120900df2ab_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\IWGkwDl.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_b501b57859a4045fe155e120900df2ab_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\cNwXNwh.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_b501b57859a4045fe155e120900df2ab_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\nlbyoJJ.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_b501b57859a4045fe155e120900df2ab_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\nMegjhg.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_b501b57859a4045fe155e120900df2ab_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_b501b57859a4045fe155e120900df2ab_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2912 wrote to memory of 780 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_b501b57859a4045fe155e120900df2ab_cobalt-strike_cobaltstrike.exe C:\Windows\System\mXztLIq.exe
PID 2912 wrote to memory of 2504 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_b501b57859a4045fe155e120900df2ab_cobalt-strike_cobaltstrike.exe C:\Windows\System\IuaYwzH.exe
PID 2912 wrote to memory of 868 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_b501b57859a4045fe155e120900df2ab_cobalt-strike_cobaltstrike.exe C:\Windows\System\ydWQDkN.exe
PID 2912 wrote to memory of 284 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_b501b57859a4045fe155e120900df2ab_cobalt-strike_cobaltstrike.exe C:\Windows\System\OMxLHof.exe
PID 2912 wrote to memory of 1108 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_b501b57859a4045fe155e120900df2ab_cobalt-strike_cobaltstrike.exe C:\Windows\System\YCxgIAz.exe
PID 2912 wrote to memory of 2856 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_b501b57859a4045fe155e120900df2ab_cobalt-strike_cobaltstrike.exe C:\Windows\System\cNwXNwh.exe
PID 2912 wrote to memory of 3012 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_b501b57859a4045fe155e120900df2ab_cobalt-strike_cobaltstrike.exe C:\Windows\System\nlbyoJJ.exe
PID 2912 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_b501b57859a4045fe155e120900df2ab_cobalt-strike_cobaltstrike.exe C:\Windows\System\bOQiFPA.exe
PID 2912 wrote to memory of 2900 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_b501b57859a4045fe155e120900df2ab_cobalt-strike_cobaltstrike.exe C:\Windows\System\nMegjhg.exe
PID 2912 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_b501b57859a4045fe155e120900df2ab_cobalt-strike_cobaltstrike.exe C:\Windows\System\YGUjFWZ.exe
PID 2912 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_b501b57859a4045fe155e120900df2ab_cobalt-strike_cobaltstrike.exe C:\Windows\System\BNrvURr.exe
PID 2912 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_b501b57859a4045fe155e120900df2ab_cobalt-strike_cobaltstrike.exe C:\Windows\System\YOMksYz.exe
PID 2912 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_b501b57859a4045fe155e120900df2ab_cobalt-strike_cobaltstrike.exe C:\Windows\System\fuddDum.exe
PID 2912 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_b501b57859a4045fe155e120900df2ab_cobalt-strike_cobaltstrike.exe C:\Windows\System\sWTVtQg.exe
PID 2912 wrote to memory of 2612 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_b501b57859a4045fe155e120900df2ab_cobalt-strike_cobaltstrike.exe C:\Windows\System\IWGkwDl.exe
PID 2912 wrote to memory of 2436 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_b501b57859a4045fe155e120900df2ab_cobalt-strike_cobaltstrike.exe C:\Windows\System\MVGyave.exe
PID 2912 wrote to memory of 2848 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_b501b57859a4045fe155e120900df2ab_cobalt-strike_cobaltstrike.exe C:\Windows\System\KINKTRo.exe
PID 2912 wrote to memory of 2476 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_b501b57859a4045fe155e120900df2ab_cobalt-strike_cobaltstrike.exe C:\Windows\System\uGOmlgt.exe
PID 2912 wrote to memory of 2432 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_b501b57859a4045fe155e120900df2ab_cobalt-strike_cobaltstrike.exe C:\Windows\System\uVAGXLs.exe
PID 2912 wrote to memory of 2488 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_b501b57859a4045fe155e120900df2ab_cobalt-strike_cobaltstrike.exe C:\Windows\System\cHUeMsO.exe
PID 2912 wrote to memory of 2964 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_b501b57859a4045fe155e120900df2ab_cobalt-strike_cobaltstrike.exe C:\Windows\System\KgyGmHj.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-05-22_b501b57859a4045fe155e120900df2ab_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-05-22_b501b57859a4045fe155e120900df2ab_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\mXztLIq.exe

C:\Windows\System\IuaYwzH.exe

C:\Windows\System\ydWQDkN.exe

C:\Windows\System\OMxLHof.exe

C:\Windows\System\YCxgIAz.exe

C:\Windows\System\cNwXNwh.exe

C:\Windows\System\nlbyoJJ.exe

C:\Windows\System\bOQiFPA.exe

C:\Windows\System\nMegjhg.exe

C:\Windows\System\YGUjFWZ.exe

C:\Windows\System\BNrvURr.exe

C:\Windows\System\YOMksYz.exe

C:\Windows\System\fuddDum.exe

C:\Windows\System\sWTVtQg.exe

C:\Windows\System\IWGkwDl.exe

C:\Windows\System\MVGyave.exe

C:\Windows\System\KINKTRo.exe

C:\Windows\System\uGOmlgt.exe

C:\Windows\System\uVAGXLs.exe

C:\Windows\System\cHUeMsO.exe

C:\Windows\System\KgyGmHj.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 tcp

Files


C:\Windows\system\mXztLIq.exe

MD5 51e111bdd1fabca2b8a881d6ff07a5d2
SHA1 690ac57e55b473792024fe284dec1d4010a0ea9e
SHA256 6d813358b2bebdeae7066ea9ae8cc30e9fc680e95919352b5c3d1f2076095e2f
SHA512 3d5f8d5da63223df8ddc8159547ca47ffeec88de5e3272f51fb93702619e3ba3b06239b8da829831d788fbabe43c666a1cd935fcaecaa99d69513fe83e5d06ab

C:\Windows\system\IuaYwzH.exe

MD5 72cf88be5697fc374fe42d4b6ec30dbf
SHA1 341b463226d644ce48fd32ae191b8eb1898342bd
SHA256 e4d8e30009f48f498fe7a863ea71b8a5d69105b81488a4579f1dec8f3d39e5c1
SHA512 7fcb42e64fe766d5e3323b357952c32d2b0227de8199ab203b09d1d2f465ca3fb96396b3834498ce5d98cfd45cdbf9e32fe87bf5a6c22b3fc116fb1572ca304d

memory/2912-1-0x00000000000F0000-0x0000000000100000-memory.dmp

memory/2912-0-0x000000013FAB0000-0x000000013FE01000-memory.dmp

memory/2912-155-0x000000013FAB0000-0x000000013FE01000-memory.dmp

memory/2912-156-0x000000013FAB0000-0x000000013FE01000-memory.dmp

memory/2856-162-0x000000013FCC0000-0x0000000140011000-memory.dmp

memory/2504-202-0x000000013FB10000-0x000000013FE61000-memory.dmp

memory/780-204-0x000000013FB50000-0x000000013FEA1000-memory.dmp

memory/868-206-0x000000013F5D0000-0x000000013F921000-memory.dmp

memory/284-209-0x000000013F410000-0x000000013F761000-memory.dmp

memory/3012-210-0x000000013FC70000-0x000000013FFC1000-memory.dmp

memory/1108-212-0x000000013FC60000-0x000000013FFB1000-memory.dmp

memory/2900-214-0x000000013F440000-0x000000013F791000-memory.dmp

memory/2756-230-0x000000013F6B0000-0x000000013FA01000-memory.dmp

memory/2612-233-0x000000013FB30000-0x000000013FE81000-memory.dmp

memory/2652-248-0x000000013F970000-0x000000013FCC1000-memory.dmp

memory/2856-257-0x000000013FCC0000-0x0000000140011000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-22 21:01

Reported

2024-05-22 21:03

Platform

win10v2004-20240426-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-05-22_b501b57859a4045fe155e120900df2ab_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

XMRig Miner payload

miner

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

UPX packed file

upx

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\IJuRcGg.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_b501b57859a4045fe155e120900df2ab_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\gOeeMzA.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_b501b57859a4045fe155e120900df2ab_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\uHzHtoT.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_b501b57859a4045fe155e120900df2ab_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\NUJiKYa.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_b501b57859a4045fe155e120900df2ab_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\rsxCNDT.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_b501b57859a4045fe155e120900df2ab_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\cOJhpSb.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_b501b57859a4045fe155e120900df2ab_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\xVDfFtO.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_b501b57859a4045fe155e120900df2ab_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\uCAQoWz.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_b501b57859a4045fe155e120900df2ab_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\FWPqJqK.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_b501b57859a4045fe155e120900df2ab_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\mmEPKxh.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_b501b57859a4045fe155e120900df2ab_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\bJoPiHC.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_b501b57859a4045fe155e120900df2ab_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\DiRJilN.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_b501b57859a4045fe155e120900df2ab_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\HBTIMBL.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_b501b57859a4045fe155e120900df2ab_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\wxiKUcL.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_b501b57859a4045fe155e120900df2ab_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\KLeTBak.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_b501b57859a4045fe155e120900df2ab_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\MvLscGN.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_b501b57859a4045fe155e120900df2ab_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\VNXBzFN.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_b501b57859a4045fe155e120900df2ab_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\RGTiXXM.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_b501b57859a4045fe155e120900df2ab_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ZqHQwNc.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_b501b57859a4045fe155e120900df2ab_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\WKJwumA.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_b501b57859a4045fe155e120900df2ab_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\yEaMbZd.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_b501b57859a4045fe155e120900df2ab_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_b501b57859a4045fe155e120900df2ab_cobalt-strike_cobaltstrike.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_b501b57859a4045fe155e120900df2ab_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2068 wrote to memory of 8 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_b501b57859a4045fe155e120900df2ab_cobalt-strike_cobaltstrike.exe C:\Windows\System\ZqHQwNc.exe
PID 2068 wrote to memory of 8 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_b501b57859a4045fe155e120900df2ab_cobalt-strike_cobaltstrike.exe C:\Windows\System\ZqHQwNc.exe
PID 2068 wrote to memory of 4952 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_b501b57859a4045fe155e120900df2ab_cobalt-strike_cobaltstrike.exe C:\Windows\System\uCAQoWz.exe
PID 2068 wrote to memory of 4952 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_b501b57859a4045fe155e120900df2ab_cobalt-strike_cobaltstrike.exe C:\Windows\System\uCAQoWz.exe
PID 2068 wrote to memory of 888 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_b501b57859a4045fe155e120900df2ab_cobalt-strike_cobaltstrike.exe C:\Windows\System\WKJwumA.exe
PID 2068 wrote to memory of 888 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_b501b57859a4045fe155e120900df2ab_cobalt-strike_cobaltstrike.exe C:\Windows\System\WKJwumA.exe
PID 2068 wrote to memory of 2540 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_b501b57859a4045fe155e120900df2ab_cobalt-strike_cobaltstrike.exe C:\Windows\System\yEaMbZd.exe
PID 2068 wrote to memory of 2540 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_b501b57859a4045fe155e120900df2ab_cobalt-strike_cobaltstrike.exe C:\Windows\System\yEaMbZd.exe
PID 2068 wrote to memory of 2504 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_b501b57859a4045fe155e120900df2ab_cobalt-strike_cobaltstrike.exe C:\Windows\System\DiRJilN.exe
PID 2068 wrote to memory of 2504 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_b501b57859a4045fe155e120900df2ab_cobalt-strike_cobaltstrike.exe C:\Windows\System\DiRJilN.exe
PID 2068 wrote to memory of 3624 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_b501b57859a4045fe155e120900df2ab_cobalt-strike_cobaltstrike.exe C:\Windows\System\KLeTBak.exe
PID 2068 wrote to memory of 3624 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_b501b57859a4045fe155e120900df2ab_cobalt-strike_cobaltstrike.exe C:\Windows\System\KLeTBak.exe
PID 2068 wrote to memory of 2908 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_b501b57859a4045fe155e120900df2ab_cobalt-strike_cobaltstrike.exe C:\Windows\System\IJuRcGg.exe
PID 2068 wrote to memory of 2908 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_b501b57859a4045fe155e120900df2ab_cobalt-strike_cobaltstrike.exe C:\Windows\System\IJuRcGg.exe
PID 2068 wrote to memory of 3600 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_b501b57859a4045fe155e120900df2ab_cobalt-strike_cobaltstrike.exe C:\Windows\System\FWPqJqK.exe
PID 2068 wrote to memory of 3600 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_b501b57859a4045fe155e120900df2ab_cobalt-strike_cobaltstrike.exe C:\Windows\System\FWPqJqK.exe
PID 2068 wrote to memory of 4936 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_b501b57859a4045fe155e120900df2ab_cobalt-strike_cobaltstrike.exe C:\Windows\System\mmEPKxh.exe
PID 2068 wrote to memory of 4936 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_b501b57859a4045fe155e120900df2ab_cobalt-strike_cobaltstrike.exe C:\Windows\System\mmEPKxh.exe
PID 2068 wrote to memory of 3452 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_b501b57859a4045fe155e120900df2ab_cobalt-strike_cobaltstrike.exe C:\Windows\System\MvLscGN.exe
PID 2068 wrote to memory of 3452 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_b501b57859a4045fe155e120900df2ab_cobalt-strike_cobaltstrike.exe C:\Windows\System\MvLscGN.exe
PID 2068 wrote to memory of 5008 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_b501b57859a4045fe155e120900df2ab_cobalt-strike_cobaltstrike.exe C:\Windows\System\HBTIMBL.exe
PID 2068 wrote to memory of 5008 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_b501b57859a4045fe155e120900df2ab_cobalt-strike_cobaltstrike.exe C:\Windows\System\HBTIMBL.exe
PID 2068 wrote to memory of 4264 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_b501b57859a4045fe155e120900df2ab_cobalt-strike_cobaltstrike.exe C:\Windows\System\gOeeMzA.exe
PID 2068 wrote to memory of 4264 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_b501b57859a4045fe155e120900df2ab_cobalt-strike_cobaltstrike.exe C:\Windows\System\gOeeMzA.exe
PID 2068 wrote to memory of 1360 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_b501b57859a4045fe155e120900df2ab_cobalt-strike_cobaltstrike.exe C:\Windows\System\NUJiKYa.exe
PID 2068 wrote to memory of 1360 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_b501b57859a4045fe155e120900df2ab_cobalt-strike_cobaltstrike.exe C:\Windows\System\NUJiKYa.exe
PID 2068 wrote to memory of 2272 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_b501b57859a4045fe155e120900df2ab_cobalt-strike_cobaltstrike.exe C:\Windows\System\rsxCNDT.exe
PID 2068 wrote to memory of 2272 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_b501b57859a4045fe155e120900df2ab_cobalt-strike_cobaltstrike.exe C:\Windows\System\rsxCNDT.exe
PID 2068 wrote to memory of 3660 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_b501b57859a4045fe155e120900df2ab_cobalt-strike_cobaltstrike.exe C:\Windows\System\VNXBzFN.exe
PID 2068 wrote to memory of 3660 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_b501b57859a4045fe155e120900df2ab_cobalt-strike_cobaltstrike.exe C:\Windows\System\VNXBzFN.exe
PID 2068 wrote to memory of 3076 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_b501b57859a4045fe155e120900df2ab_cobalt-strike_cobaltstrike.exe C:\Windows\System\cOJhpSb.exe
PID 2068 wrote to memory of 3076 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_b501b57859a4045fe155e120900df2ab_cobalt-strike_cobaltstrike.exe C:\Windows\System\cOJhpSb.exe
PID 2068 wrote to memory of 1336 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_b501b57859a4045fe155e120900df2ab_cobalt-strike_cobaltstrike.exe C:\Windows\System\wxiKUcL.exe
PID 2068 wrote to memory of 1336 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_b501b57859a4045fe155e120900df2ab_cobalt-strike_cobaltstrike.exe C:\Windows\System\wxiKUcL.exe
PID 2068 wrote to memory of 372 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_b501b57859a4045fe155e120900df2ab_cobalt-strike_cobaltstrike.exe C:\Windows\System\xVDfFtO.exe
PID 2068 wrote to memory of 372 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_b501b57859a4045fe155e120900df2ab_cobalt-strike_cobaltstrike.exe C:\Windows\System\xVDfFtO.exe
PID 2068 wrote to memory of 1916 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_b501b57859a4045fe155e120900df2ab_cobalt-strike_cobaltstrike.exe C:\Windows\System\uHzHtoT.exe
PID 2068 wrote to memory of 1916 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_b501b57859a4045fe155e120900df2ab_cobalt-strike_cobaltstrike.exe C:\Windows\System\uHzHtoT.exe
PID 2068 wrote to memory of 3372 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_b501b57859a4045fe155e120900df2ab_cobalt-strike_cobaltstrike.exe C:\Windows\System\bJoPiHC.exe
PID 2068 wrote to memory of 3372 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_b501b57859a4045fe155e120900df2ab_cobalt-strike_cobaltstrike.exe C:\Windows\System\bJoPiHC.exe
PID 2068 wrote to memory of 4496 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_b501b57859a4045fe155e120900df2ab_cobalt-strike_cobaltstrike.exe C:\Windows\System\RGTiXXM.exe
PID 2068 wrote to memory of 4496 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_b501b57859a4045fe155e120900df2ab_cobalt-strike_cobaltstrike.exe C:\Windows\System\RGTiXXM.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-05-22_b501b57859a4045fe155e120900df2ab_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-05-22_b501b57859a4045fe155e120900df2ab_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\ZqHQwNc.exe

C:\Windows\System\ZqHQwNc.exe

C:\Windows\System\uCAQoWz.exe

C:\Windows\System\uCAQoWz.exe

C:\Windows\System\WKJwumA.exe

C:\Windows\System\WKJwumA.exe

C:\Windows\System\yEaMbZd.exe

C:\Windows\System\yEaMbZd.exe

C:\Windows\System\DiRJilN.exe

C:\Windows\System\DiRJilN.exe

C:\Windows\System\KLeTBak.exe

C:\Windows\System\KLeTBak.exe

C:\Windows\System\IJuRcGg.exe

C:\Windows\System\IJuRcGg.exe

C:\Windows\System\FWPqJqK.exe

C:\Windows\System\FWPqJqK.exe

C:\Windows\System\mmEPKxh.exe

C:\Windows\System\mmEPKxh.exe

C:\Windows\System\MvLscGN.exe

C:\Windows\System\MvLscGN.exe

C:\Windows\System\HBTIMBL.exe

C:\Windows\System\HBTIMBL.exe

C:\Windows\System\gOeeMzA.exe

C:\Windows\System\gOeeMzA.exe

C:\Windows\System\NUJiKYa.exe

C:\Windows\System\NUJiKYa.exe

C:\Windows\System\rsxCNDT.exe

C:\Windows\System\rsxCNDT.exe

C:\Windows\System\VNXBzFN.exe

C:\Windows\System\VNXBzFN.exe

C:\Windows\System\cOJhpSb.exe

C:\Windows\System\cOJhpSb.exe

C:\Windows\System\wxiKUcL.exe

C:\Windows\System\wxiKUcL.exe

C:\Windows\System\xVDfFtO.exe

C:\Windows\System\xVDfFtO.exe

C:\Windows\System\uHzHtoT.exe

C:\Windows\System\uHzHtoT.exe

C:\Windows\System\bJoPiHC.exe

C:\Windows\System\bJoPiHC.exe

C:\Windows\System\RGTiXXM.exe

C:\Windows\System\RGTiXXM.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
NL 23.62.61.88:443 www.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 88.61.62.23.in-addr.arpa udp
NL 23.62.61.88:443 www.bing.com tcp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp

Files

memory/2068-0-0x00007FF623F90000-0x00007FF6242E1000-memory.dmp

memory/2068-1-0x0000020640B30000-0x0000020640B40000-memory.dmp

C:\Windows\System\ZqHQwNc.exe

MD5 b938584f200f8a4f4a567b2a5689ce59
SHA1 3edad355c3174a8194ebc9943f38491f9c19c1ce
SHA256 40ac2059719d16430430c339dfec526e15c0925d45ebe5eb2f797560987d1755
SHA512 3b5fc600a419ad278f6ac47baea77b24ac9757f67e3e0e554eed8a95a80c0f15985dbcf9c654b4ea64a11e4d97212780a9608ab0a8375917288747af42ff7783

C:\Windows\System\uCAQoWz.exe

MD5 7523adb3a708ca60393e9d8cf9db2724
SHA1 545d563e5ea65ce7e2167bf43656cd887f5bdeaf
SHA256 d40eb4f49af132d968fb8bab8259134a535c8ba31d513d7f6e4a340643bb25e8
SHA512 9e5cce80498abb26fdc374bd495379a2fdb4fb275159fae0b347f986497bb19239bbb26f89feeea9bb36bdf2a386794459034cc993690671a9f1837f8d5cf28f

C:\Windows\System\yEaMbZd.exe

MD5 124e4007332c69e3ea7651083eb0d70a
SHA1 98694c9ad3d2fdb15a17c0b5f904d8a1ac30756c
SHA256 9499cdc8df208418aead6851c63967ca5d08c836bf6bd2f40f9f0b42b3d869a5
SHA512 8121cb1f322108ec24816834761109fff14b95b260640a77774cd65e68b6f588023830f0d42a39b7e7617a48024da17a6a76af18fcc4279c7e55529dd3ed11df

C:\Windows\System\WKJwumA.exe

MD5 58f9de17e2a5090fb5f2063fc0008611
SHA1 de73670116f0649b165c673e04ba0afa01d5d075
SHA256 7d3ca5313e28662f4548031897226df14f9fbb5a605f49da53fec4a99fc25d97
SHA512 1eec883f97fbf192d6c21a1be334dc02404dd47d841da7fc87a4f0f7ccfcde97361d8f6be36f32c78b1626d4d5ca59c91d8a7a6db7b3368c1bb36f39519e7686

C:\Windows\System\DiRJilN.exe

MD5 38798a6290118a5be2f4701c57556e41
SHA1 9d07f734da5ea199e515a13a8e3392d64a76a5f6
SHA256 0b23630ba3d1c383f57336a495fcab9ede6131c35b4be98c5d4bfeef845fd776
SHA512 33632490a18d18601bf62a2769f20ca09c553f6bc598f97b3db69baa5183c166825339f76f572931d29b941c2bfff4a50d05195418cdd1829c7ba0f112c8945e

C:\Windows\System\IJuRcGg.exe

MD5 7feb6ded00ee23c9b53d76e53061e144
SHA1 0d1b74d13315365916069c9772334669479eb879
SHA256 a1742ccf008e06462d6b5c29d36af13982c751932b264da04f58474f17ff737f
SHA512 574620150f6ad3c111364cd9d07b75edf9325943bc8c9d358f3033f082fb57434dc057678869cac32245129b3025d009f6b18df4ef35b95401eef96b4efdde69

memory/2908-50-0x00007FF6C73C0000-0x00007FF6C7711000-memory.dmp

C:\Windows\System\mmEPKxh.exe

MD5 cb5fc19ad5778e212210b6d31d638855
SHA1 043aafb5cab245e2f60c70939c34462bf773c245
SHA256 64940d46225046a2ab456f2b3624295f6389707bf50604e6c986e0704b578e00
SHA512 13fc92d1fe26bb94292d24a6827248bf41db9aa249b3f8446ec2266fa1e1c8a89177be1edb6274a64baaeddcfecce482d59517d16bafbe233f20418b28fccebc

C:\Windows\System\HBTIMBL.exe

MD5 227a9f8268f7b048fabb2f54ca070a83
SHA1 c0d88ad5724f82d78856782457bf8e2a29d83ea7
SHA256 fdf958ef1c3e9ec9d78f2f4e29c27ca48850855670e8d2b3474eb877dcb68ca5
SHA512 02629095b88a3f44572692724421a5a6e188d03fc896d6dbab09cd7496aa74f6cf8ae48ad5c23d55f8c564380a780e1b686aa65746bf73068d11ea98042646a4

memory/3600-62-0x00007FF7783E0000-0x00007FF778731000-memory.dmp

C:\Windows\System\FWPqJqK.exe

MD5 0d806c08ef12fc9c2bcbf3da0d2d4e5f
SHA1 3b929878b531f18c042f740553e52d23a50673a6
SHA256 7c11684db86d30a9f813688e7dbd14c860e7e04e39c412066c8bf71e69ff84f2
SHA512 f5e3eddb83d776930e5c7031971890e8438cd4f1530849d78e0e812c95b83d17163e786abdac80e41cec5f11aac73568e2f4cf34dbc8157ad8e67fb4884b63ac

memory/4936-58-0x00007FF60B390000-0x00007FF60B6E1000-memory.dmp

C:\Windows\System\MvLscGN.exe

MD5 7f81c1384552c0992499865c1bf5227c
SHA1 22e067edea35e8bf8ed1c616bc6d62c6c609a04b
SHA256 3f72cb8531d9962df5175e428d7362ae2e9c75402282b55e4578120de292f40f
SHA512 1064844ffe30189f3bfd92abdf35b7972f43af245f97add491e49538cb0355cbf5c8f4be0bffef7ddb5f0b143e1961ee0d5fd8c0b76e4e75d20d87828450d50d

memory/3452-75-0x00007FF7DCF40000-0x00007FF7DD291000-memory.dmp

C:\Windows\System\wxiKUcL.exe

MD5 3d624c5e1950bb6f274588616197fe6c
SHA1 3b2977ffcfd13af12bf033d5434d479ce37c8c77
SHA256 a2282adc29393f7cd883f0933ca5ecbb114ebc8b743a88ef509713c24bb6ae89
SHA512 ed888f6ffd9e7947fcdd5e288d54992f88a5f56ff2c674b8c0ff621aa15f31eee5c0454676b0bb5cb440c304f1d0194ab86c64a423676cbc39f22d8556a83e52

memory/372-108-0x00007FF74E9D0000-0x00007FF74ED21000-memory.dmp

memory/1916-118-0x00007FF628B40000-0x00007FF628E91000-memory.dmp

C:\Windows\System\bJoPiHC.exe

MD5 0ddedbbc8053cbdb62b189a8f952df5f
SHA1 b9c0acdda4c3c4138fd522a53af1585243e19b4e
SHA256 390f18a2a7fa70476e15f17602172948def3c0b4043c16b321f1ec085aaf7ba8
SHA512 6d1597f64ac0cbd29dd04f6dcbc4f1c8e39f5dfc4178b68b3bd4176082043e5485b39311d566f15bb70c2ac6958c9a7a48f84afee13174155fa9643cf34314bc

C:\Windows\System\uHzHtoT.exe

MD5 5f7739fb50f6d3a5458fc8b3f19155a6
SHA1 f0a8a693b17a95209636d9636630a331dd6014a8
SHA256 60ea7f3a75d7114fe5b741e133cb68e311cf46a876d09c19d83f0c08d759eb83
SHA512 6485c262de336fc93f8573166e14bc17e3135c23964ea3f062f17781d6402290cf4b5e7f292ef42a2cb91a769aa8e0fb4b17ab24df621a7a4f62cffc3442e620

memory/8-117-0x00007FF60AEB0000-0x00007FF60B201000-memory.dmp

C:\Windows\System\xVDfFtO.exe

MD5 ea4022c6ec4dd060864555f9d3978602
SHA1 547006436c58ba001c36fac1ea9b8821f17a3955
SHA256 5f6192eee5f7592f7b270f7a51e726d27717e8539e76b1a18e54bdcb229bc5bb
SHA512 7711629e540dd8616ab22a90ffa8056831bf209e87caafb89a395c4eccc70fc9ed17b41e396f04d6ac711b21cc4586a71837378e0317a58add9e2df48bd800ac

memory/3660-107-0x00007FF7A5860000-0x00007FF7A5BB1000-memory.dmp

memory/2068-103-0x00007FF623F90000-0x00007FF6242E1000-memory.dmp

memory/1336-102-0x00007FF67A000000-0x00007FF67A351000-memory.dmp

C:\Windows\System\cOJhpSb.exe

MD5 3b8018493e2fda57389b1993f1be6284
SHA1 2892aea9adbd84cce34f832f99e375b96bdfbfdb
SHA256 a647b253a57ea164cd944af2e44dd74c47d70085053f983be523afaad9eb25fb
SHA512 ebb25bbf9dfd66bd57dbd6018fa366cff55a8dfb76d29c8e4f6b858aedc5943548fc47af05fac5cab858bb19193625d1fcbf05e02f01c079334d4f8525cd567b

memory/3076-96-0x00007FF659D40000-0x00007FF65A091000-memory.dmp

C:\Windows\System\rsxCNDT.exe

MD5 b75dd4361249965b60d0ba9481ca8ddb
SHA1 f9257cb8faaebc9e40912189489700acbb44771d
SHA256 4b4aee91f7bba4e194a943cbff0016a64354a99c1befcf604c0a4c7a0185f878
SHA512 b2287e304c8946edf66d36b3ba83ffcd61fb5db310bea14b5bffc24cdad35145750eda8602865192d26dc0f3d7daa43572b4e909bd11dcc37a9aecde1a12b4e7

C:\Windows\System\VNXBzFN.exe

MD5 97e56e1f738c312b3acdc0e0178720ab
SHA1 157184a1c7418e54b8edfa2e43433336dd11c4d8
SHA256 5558bea662639f3963c2cc69b827920fcd728faacfe9dc3d77e388a5f6d42541
SHA512 fa2b229ca697419595d2b0f5cd2edcf52401b143ab2b5e8d643c32700f2f6a6049a06ae6b0e2e8146ccd683d7291c09f520908b10506076dbd7bd65f135c23bd

memory/2272-90-0x00007FF75DCF0000-0x00007FF75E041000-memory.dmp

memory/4264-88-0x00007FF7E6D90000-0x00007FF7E70E1000-memory.dmp

memory/5008-79-0x00007FF7B8E60000-0x00007FF7B91B1000-memory.dmp

C:\Windows\System\gOeeMzA.exe

MD5 4d7d9287612d2d9190d0f2a08593872c
SHA1 415552ae4cb8f1a5aaf7fe2eea5e29b0765662e9
SHA256 1b8d86af3ee087341cc01a7bb8aa53c0817ef38909197c1f73413bd74e196d66
SHA512 3c65fe4dc8e36251e963322cac3e4111283821198785a1aefd14cc30cc5a7e15f78c436bda4fa1f2a6fe5ca5184552f403016fd940df4f2bcefcf3d774efaa98

memory/1360-76-0x00007FF6B03B0000-0x00007FF6B0701000-memory.dmp

C:\Windows\System\NUJiKYa.exe

MD5 1317754879d80151c5f5e2f993778a35
SHA1 510caaddd35144222c8aa53479db292ef7ccbef4
SHA256 01553361a3d5b250b50a7018304cd7f1ad655bf99206545f4be5793924521c64
SHA512 0dd4d32023e97684672818fbcaa3faedf8d848cbed287b05780ffc23f4c2b3285ecd366a007258e7cab39493ec23d77e7450664a554c4cf755f5959263200580

memory/3624-42-0x00007FF6A5E90000-0x00007FF6A61E1000-memory.dmp

C:\Windows\System\KLeTBak.exe

MD5 d70353bbacc56b240ca4195517262154
SHA1 a7e0ce11e959ec1f83fcd28eb269d4e669dd178e
SHA256 c707e67ca6c6e7f806d41c2e1400cfc8f8fbda19163c21eca02ba23c00e50ae8
SHA512 37d5f5cc0f6efcb2586dda5661b598bc954d59f0ce61c565edb810daeb993267c67fbbb102308666728a5779fbf6130052e2ed65689b55a50daf425d4bc869df

memory/2504-34-0x00007FF603C30000-0x00007FF603F81000-memory.dmp

memory/2540-27-0x00007FF7FA610000-0x00007FF7FA961000-memory.dmp

memory/888-18-0x00007FF691F60000-0x00007FF6922B1000-memory.dmp

memory/4952-17-0x00007FF67E650000-0x00007FF67E9A1000-memory.dmp

memory/8-10-0x00007FF60AEB0000-0x00007FF60B201000-memory.dmp

C:\Windows\System\RGTiXXM.exe

MD5 6dfe5f12bb488a3a1172c37c713776c2
SHA1 a69ec947ad27912746686c896b5c162342c6cd6c
SHA256 44cca416e12b759b451c6030e27cad93d8ba675ffd0162cfe65ef8609d16833b
SHA512 6a739f86b9de85d21998ce4744138193ebde3d9ef128e82cbafc05341cc115d80d60437436b3bc6a738cadcaefb1539fef311ae8226e129556a94818a86c81ff

memory/3372-126-0x00007FF63EA70000-0x00007FF63EDC1000-memory.dmp

memory/888-129-0x00007FF691F60000-0x00007FF6922B1000-memory.dmp

memory/4496-130-0x00007FF6E0020000-0x00007FF6E0371000-memory.dmp

memory/2540-131-0x00007FF7FA610000-0x00007FF7FA961000-memory.dmp

memory/3452-142-0x00007FF7DCF40000-0x00007FF7DD291000-memory.dmp

memory/3076-148-0x00007FF659D40000-0x00007FF65A091000-memory.dmp

memory/1916-151-0x00007FF628B40000-0x00007FF628E91000-memory.dmp

memory/372-150-0x00007FF74E9D0000-0x00007FF74ED21000-memory.dmp

memory/2272-146-0x00007FF75DCF0000-0x00007FF75E041000-memory.dmp

memory/1360-145-0x00007FF6B03B0000-0x00007FF6B0701000-memory.dmp

memory/1336-149-0x00007FF67A000000-0x00007FF67A351000-memory.dmp

memory/4936-141-0x00007FF60B390000-0x00007FF60B6E1000-memory.dmp

memory/4264-144-0x00007FF7E6D90000-0x00007FF7E70E1000-memory.dmp

memory/3600-140-0x00007FF7783E0000-0x00007FF778731000-memory.dmp

memory/2908-139-0x00007FF6C73C0000-0x00007FF6C7711000-memory.dmp

memory/3624-138-0x00007FF6A5E90000-0x00007FF6A61E1000-memory.dmp

memory/2068-132-0x00007FF623F90000-0x00007FF6242E1000-memory.dmp

memory/2068-154-0x00007FF623F90000-0x00007FF6242E1000-memory.dmp

memory/8-205-0x00007FF60AEB0000-0x00007FF60B201000-memory.dmp

memory/4952-207-0x00007FF67E650000-0x00007FF67E9A1000-memory.dmp

memory/888-209-0x00007FF691F60000-0x00007FF6922B1000-memory.dmp

memory/2540-211-0x00007FF7FA610000-0x00007FF7FA961000-memory.dmp

memory/2504-213-0x00007FF603C30000-0x00007FF603F81000-memory.dmp

memory/3624-215-0x00007FF6A5E90000-0x00007FF6A61E1000-memory.dmp

memory/2908-217-0x00007FF6C73C0000-0x00007FF6C7711000-memory.dmp

memory/4936-219-0x00007FF60B390000-0x00007FF60B6E1000-memory.dmp

memory/3600-221-0x00007FF7783E0000-0x00007FF778731000-memory.dmp

memory/3452-223-0x00007FF7DCF40000-0x00007FF7DD291000-memory.dmp

memory/5008-225-0x00007FF7B8E60000-0x00007FF7B91B1000-memory.dmp

memory/1360-228-0x00007FF6B03B0000-0x00007FF6B0701000-memory.dmp

memory/4264-229-0x00007FF7E6D90000-0x00007FF7E70E1000-memory.dmp

memory/2272-233-0x00007FF75DCF0000-0x00007FF75E041000-memory.dmp

memory/3660-231-0x00007FF7A5860000-0x00007FF7A5BB1000-memory.dmp

memory/3076-235-0x00007FF659D40000-0x00007FF65A091000-memory.dmp

memory/1336-237-0x00007FF67A000000-0x00007FF67A351000-memory.dmp

memory/372-239-0x00007FF74E9D0000-0x00007FF74ED21000-memory.dmp

memory/1916-241-0x00007FF628B40000-0x00007FF628E91000-memory.dmp

memory/3372-245-0x00007FF63EA70000-0x00007FF63EDC1000-memory.dmp

memory/4496-247-0x00007FF6E0020000-0x00007FF6E0371000-memory.dmp