Malware Analysis Report

2025-04-19 15:40

Sample ID 240522-zwketage7s
Target 2024-05-22_c783f8da2c0185459f11317a4ef1848c_cobalt-strike_cobaltstrike
SHA256 9d68e22de91f42af030db75e111ad608a7afe88107431cd6c1158382e975473a
Tags
cobaltstrike xmrig 0 backdoor miner trojan upx
score
10/10


Analysis Overview

score
10/10

SHA256

9d68e22de91f42af030db75e111ad608a7afe88107431cd6c1158382e975473a

Threat Level: Known bad

The file 2024-05-22_c783f8da2c0185459f11317a4ef1848c_cobalt-strike_cobaltstrike was found to be: Known bad.

Malicious Activity Summary

cobaltstrike xmrig 0 backdoor miner trojan upx

Xmrig family

XMRig Miner payload

UPX dump on OEP (original entry point)

Detects Reflective DLL injection artifacts

Cobaltstrike family

Cobalt Strike reflective loader

Cobaltstrike

xmrig

UPX dump on OEP (original entry point)

Detects Reflective DLL injection artifacts

XMRig Miner payload

Loads dropped DLL

UPX packed file

Executes dropped EXE

Drops file in Windows directory

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-05-22 21:04

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike family

cobaltstrike

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Xmrig family

xmrig

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-22 21:04

Reported

2024-05-22 21:06

Platform

win7-20240508-en

Max time kernel

144s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-05-22_c783f8da2c0185459f11317a4ef1848c_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A (21 identical rows, all columns N/A)

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A (21 identical rows, all columns N/A)

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A (64 identical rows, all columns N/A)

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A (40 identical rows, all columns N/A)

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_c783f8da2c0185459f11317a4ef1848c_cobalt-strike_cobaltstrike.exe N/A (21 identical rows)

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A (64 identical rows, all columns N/A)

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\UdwMaqs.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_c783f8da2c0185459f11317a4ef1848c_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\hCqykSY.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_c783f8da2c0185459f11317a4ef1848c_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\JFtdwWw.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_c783f8da2c0185459f11317a4ef1848c_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\pYLDGGS.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_c783f8da2c0185459f11317a4ef1848c_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\VJbjlGu.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_c783f8da2c0185459f11317a4ef1848c_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\hwHUPYG.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_c783f8da2c0185459f11317a4ef1848c_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\NkdGRIU.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_c783f8da2c0185459f11317a4ef1848c_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\GXkxAtq.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_c783f8da2c0185459f11317a4ef1848c_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\YdkfoDX.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_c783f8da2c0185459f11317a4ef1848c_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\jXVkUnR.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_c783f8da2c0185459f11317a4ef1848c_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\BksRsts.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_c783f8da2c0185459f11317a4ef1848c_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\TWjVPSD.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_c783f8da2c0185459f11317a4ef1848c_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\fTylfxk.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_c783f8da2c0185459f11317a4ef1848c_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\kRAlTkh.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_c783f8da2c0185459f11317a4ef1848c_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\xBoxoYD.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_c783f8da2c0185459f11317a4ef1848c_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\IcvOsLL.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_c783f8da2c0185459f11317a4ef1848c_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ofpBoYG.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_c783f8da2c0185459f11317a4ef1848c_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\csupAYW.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_c783f8da2c0185459f11317a4ef1848c_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ZSHuVmd.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_c783f8da2c0185459f11317a4ef1848c_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\goNrisV.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_c783f8da2c0185459f11317a4ef1848c_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\zEdOJfl.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_c783f8da2c0185459f11317a4ef1848c_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_c783f8da2c0185459f11317a4ef1848c_cobalt-strike_cobaltstrike.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_c783f8da2c0185459f11317a4ef1848c_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1736 wrote to memory of 2340 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_c783f8da2c0185459f11317a4ef1848c_cobalt-strike_cobaltstrike.exe C:\Windows\System\fTylfxk.exe
PID 1736 wrote to memory of 2340 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_c783f8da2c0185459f11317a4ef1848c_cobalt-strike_cobaltstrike.exe C:\Windows\System\fTylfxk.exe
PID 1736 wrote to memory of 2340 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_c783f8da2c0185459f11317a4ef1848c_cobalt-strike_cobaltstrike.exe C:\Windows\System\fTylfxk.exe
PID 1736 wrote to memory of 2112 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_c783f8da2c0185459f11317a4ef1848c_cobalt-strike_cobaltstrike.exe C:\Windows\System\pYLDGGS.exe
PID 1736 wrote to memory of 2112 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_c783f8da2c0185459f11317a4ef1848c_cobalt-strike_cobaltstrike.exe C:\Windows\System\pYLDGGS.exe
PID 1736 wrote to memory of 2112 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_c783f8da2c0185459f11317a4ef1848c_cobalt-strike_cobaltstrike.exe C:\Windows\System\pYLDGGS.exe
PID 1736 wrote to memory of 1600 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_c783f8da2c0185459f11317a4ef1848c_cobalt-strike_cobaltstrike.exe C:\Windows\System\VJbjlGu.exe
PID 1736 wrote to memory of 1600 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_c783f8da2c0185459f11317a4ef1848c_cobalt-strike_cobaltstrike.exe C:\Windows\System\VJbjlGu.exe
PID 1736 wrote to memory of 1600 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_c783f8da2c0185459f11317a4ef1848c_cobalt-strike_cobaltstrike.exe C:\Windows\System\VJbjlGu.exe
PID 1736 wrote to memory of 2992 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_c783f8da2c0185459f11317a4ef1848c_cobalt-strike_cobaltstrike.exe C:\Windows\System\hwHUPYG.exe
PID 1736 wrote to memory of 2992 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_c783f8da2c0185459f11317a4ef1848c_cobalt-strike_cobaltstrike.exe C:\Windows\System\hwHUPYG.exe
PID 1736 wrote to memory of 2992 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_c783f8da2c0185459f11317a4ef1848c_cobalt-strike_cobaltstrike.exe C:\Windows\System\hwHUPYG.exe
PID 1736 wrote to memory of 1636 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_c783f8da2c0185459f11317a4ef1848c_cobalt-strike_cobaltstrike.exe C:\Windows\System\xBoxoYD.exe
PID 1736 wrote to memory of 1636 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_c783f8da2c0185459f11317a4ef1848c_cobalt-strike_cobaltstrike.exe C:\Windows\System\xBoxoYD.exe
PID 1736 wrote to memory of 1636 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_c783f8da2c0185459f11317a4ef1848c_cobalt-strike_cobaltstrike.exe C:\Windows\System\xBoxoYD.exe
PID 1736 wrote to memory of 2792 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_c783f8da2c0185459f11317a4ef1848c_cobalt-strike_cobaltstrike.exe C:\Windows\System\IcvOsLL.exe
PID 1736 wrote to memory of 2792 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_c783f8da2c0185459f11317a4ef1848c_cobalt-strike_cobaltstrike.exe C:\Windows\System\IcvOsLL.exe
PID 1736 wrote to memory of 2792 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_c783f8da2c0185459f11317a4ef1848c_cobalt-strike_cobaltstrike.exe C:\Windows\System\IcvOsLL.exe
PID 1736 wrote to memory of 2648 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_c783f8da2c0185459f11317a4ef1848c_cobalt-strike_cobaltstrike.exe C:\Windows\System\goNrisV.exe
PID 1736 wrote to memory of 2648 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_c783f8da2c0185459f11317a4ef1848c_cobalt-strike_cobaltstrike.exe C:\Windows\System\goNrisV.exe
PID 1736 wrote to memory of 2648 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_c783f8da2c0185459f11317a4ef1848c_cobalt-strike_cobaltstrike.exe C:\Windows\System\goNrisV.exe
PID 1736 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_c783f8da2c0185459f11317a4ef1848c_cobalt-strike_cobaltstrike.exe C:\Windows\System\NkdGRIU.exe
PID 1736 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_c783f8da2c0185459f11317a4ef1848c_cobalt-strike_cobaltstrike.exe C:\Windows\System\NkdGRIU.exe
PID 1736 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_c783f8da2c0185459f11317a4ef1848c_cobalt-strike_cobaltstrike.exe C:\Windows\System\NkdGRIU.exe
PID 1736 wrote to memory of 2544 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_c783f8da2c0185459f11317a4ef1848c_cobalt-strike_cobaltstrike.exe C:\Windows\System\zEdOJfl.exe
PID 1736 wrote to memory of 2544 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_c783f8da2c0185459f11317a4ef1848c_cobalt-strike_cobaltstrike.exe C:\Windows\System\zEdOJfl.exe
PID 1736 wrote to memory of 2544 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_c783f8da2c0185459f11317a4ef1848c_cobalt-strike_cobaltstrike.exe C:\Windows\System\zEdOJfl.exe
PID 1736 wrote to memory of 2236 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_c783f8da2c0185459f11317a4ef1848c_cobalt-strike_cobaltstrike.exe C:\Windows\System\kRAlTkh.exe
PID 1736 wrote to memory of 2236 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_c783f8da2c0185459f11317a4ef1848c_cobalt-strike_cobaltstrike.exe C:\Windows\System\kRAlTkh.exe
PID 1736 wrote to memory of 2236 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_c783f8da2c0185459f11317a4ef1848c_cobalt-strike_cobaltstrike.exe C:\Windows\System\kRAlTkh.exe
PID 1736 wrote to memory of 2528 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_c783f8da2c0185459f11317a4ef1848c_cobalt-strike_cobaltstrike.exe C:\Windows\System\ofpBoYG.exe
PID 1736 wrote to memory of 2528 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_c783f8da2c0185459f11317a4ef1848c_cobalt-strike_cobaltstrike.exe C:\Windows\System\ofpBoYG.exe
PID 1736 wrote to memory of 2528 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_c783f8da2c0185459f11317a4ef1848c_cobalt-strike_cobaltstrike.exe C:\Windows\System\ofpBoYG.exe
PID 1736 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_c783f8da2c0185459f11317a4ef1848c_cobalt-strike_cobaltstrike.exe C:\Windows\System\GXkxAtq.exe
PID 1736 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_c783f8da2c0185459f11317a4ef1848c_cobalt-strike_cobaltstrike.exe C:\Windows\System\GXkxAtq.exe
PID 1736 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_c783f8da2c0185459f11317a4ef1848c_cobalt-strike_cobaltstrike.exe C:\Windows\System\GXkxAtq.exe
PID 1736 wrote to memory of 2984 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_c783f8da2c0185459f11317a4ef1848c_cobalt-strike_cobaltstrike.exe C:\Windows\System\UdwMaqs.exe
PID 1736 wrote to memory of 2984 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_c783f8da2c0185459f11317a4ef1848c_cobalt-strike_cobaltstrike.exe C:\Windows\System\UdwMaqs.exe
PID 1736 wrote to memory of 2984 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_c783f8da2c0185459f11317a4ef1848c_cobalt-strike_cobaltstrike.exe C:\Windows\System\UdwMaqs.exe
PID 1736 wrote to memory of 1292 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_c783f8da2c0185459f11317a4ef1848c_cobalt-strike_cobaltstrike.exe C:\Windows\System\hCqykSY.exe
PID 1736 wrote to memory of 1292 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_c783f8da2c0185459f11317a4ef1848c_cobalt-strike_cobaltstrike.exe C:\Windows\System\hCqykSY.exe
PID 1736 wrote to memory of 1292 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_c783f8da2c0185459f11317a4ef1848c_cobalt-strike_cobaltstrike.exe C:\Windows\System\hCqykSY.exe
PID 1736 wrote to memory of 856 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_c783f8da2c0185459f11317a4ef1848c_cobalt-strike_cobaltstrike.exe C:\Windows\System\JFtdwWw.exe
PID 1736 wrote to memory of 856 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_c783f8da2c0185459f11317a4ef1848c_cobalt-strike_cobaltstrike.exe C:\Windows\System\JFtdwWw.exe
PID 1736 wrote to memory of 856 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_c783f8da2c0185459f11317a4ef1848c_cobalt-strike_cobaltstrike.exe C:\Windows\System\JFtdwWw.exe
PID 1736 wrote to memory of 1952 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_c783f8da2c0185459f11317a4ef1848c_cobalt-strike_cobaltstrike.exe C:\Windows\System\YdkfoDX.exe
PID 1736 wrote to memory of 1952 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_c783f8da2c0185459f11317a4ef1848c_cobalt-strike_cobaltstrike.exe C:\Windows\System\YdkfoDX.exe
PID 1736 wrote to memory of 1952 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_c783f8da2c0185459f11317a4ef1848c_cobalt-strike_cobaltstrike.exe C:\Windows\System\YdkfoDX.exe
PID 1736 wrote to memory of 1008 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_c783f8da2c0185459f11317a4ef1848c_cobalt-strike_cobaltstrike.exe C:\Windows\System\jXVkUnR.exe
PID 1736 wrote to memory of 1008 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_c783f8da2c0185459f11317a4ef1848c_cobalt-strike_cobaltstrike.exe C:\Windows\System\jXVkUnR.exe
PID 1736 wrote to memory of 1008 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_c783f8da2c0185459f11317a4ef1848c_cobalt-strike_cobaltstrike.exe C:\Windows\System\jXVkUnR.exe
PID 1736 wrote to memory of 1876 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_c783f8da2c0185459f11317a4ef1848c_cobalt-strike_cobaltstrike.exe C:\Windows\System\csupAYW.exe
PID 1736 wrote to memory of 1876 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_c783f8da2c0185459f11317a4ef1848c_cobalt-strike_cobaltstrike.exe C:\Windows\System\csupAYW.exe
PID 1736 wrote to memory of 1876 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_c783f8da2c0185459f11317a4ef1848c_cobalt-strike_cobaltstrike.exe C:\Windows\System\csupAYW.exe
PID 1736 wrote to memory of 2184 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_c783f8da2c0185459f11317a4ef1848c_cobalt-strike_cobaltstrike.exe C:\Windows\System\BksRsts.exe
PID 1736 wrote to memory of 2184 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_c783f8da2c0185459f11317a4ef1848c_cobalt-strike_cobaltstrike.exe C:\Windows\System\BksRsts.exe
PID 1736 wrote to memory of 2184 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_c783f8da2c0185459f11317a4ef1848c_cobalt-strike_cobaltstrike.exe C:\Windows\System\BksRsts.exe
PID 1736 wrote to memory of 1340 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_c783f8da2c0185459f11317a4ef1848c_cobalt-strike_cobaltstrike.exe C:\Windows\System\ZSHuVmd.exe
PID 1736 wrote to memory of 1340 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_c783f8da2c0185459f11317a4ef1848c_cobalt-strike_cobaltstrike.exe C:\Windows\System\ZSHuVmd.exe
PID 1736 wrote to memory of 1340 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_c783f8da2c0185459f11317a4ef1848c_cobalt-strike_cobaltstrike.exe C:\Windows\System\ZSHuVmd.exe
PID 1736 wrote to memory of 1972 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_c783f8da2c0185459f11317a4ef1848c_cobalt-strike_cobaltstrike.exe C:\Windows\System\TWjVPSD.exe
PID 1736 wrote to memory of 1972 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_c783f8da2c0185459f11317a4ef1848c_cobalt-strike_cobaltstrike.exe C:\Windows\System\TWjVPSD.exe
PID 1736 wrote to memory of 1972 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_c783f8da2c0185459f11317a4ef1848c_cobalt-strike_cobaltstrike.exe C:\Windows\System\TWjVPSD.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-05-22_c783f8da2c0185459f11317a4ef1848c_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-05-22_c783f8da2c0185459f11317a4ef1848c_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\fTylfxk.exe

C:\Windows\System\fTylfxk.exe

C:\Windows\System\pYLDGGS.exe

C:\Windows\System\pYLDGGS.exe

C:\Windows\System\VJbjlGu.exe

C:\Windows\System\VJbjlGu.exe

C:\Windows\System\hwHUPYG.exe

C:\Windows\System\hwHUPYG.exe

C:\Windows\System\xBoxoYD.exe

C:\Windows\System\xBoxoYD.exe

C:\Windows\System\IcvOsLL.exe

C:\Windows\System\IcvOsLL.exe

C:\Windows\System\goNrisV.exe

C:\Windows\System\goNrisV.exe

C:\Windows\System\NkdGRIU.exe

C:\Windows\System\NkdGRIU.exe

C:\Windows\System\zEdOJfl.exe

C:\Windows\System\zEdOJfl.exe

C:\Windows\System\kRAlTkh.exe

C:\Windows\System\kRAlTkh.exe

C:\Windows\System\ofpBoYG.exe

C:\Windows\System\ofpBoYG.exe

C:\Windows\System\GXkxAtq.exe

C:\Windows\System\GXkxAtq.exe

C:\Windows\System\UdwMaqs.exe

C:\Windows\System\UdwMaqs.exe

C:\Windows\System\hCqykSY.exe

C:\Windows\System\hCqykSY.exe

C:\Windows\System\JFtdwWw.exe

C:\Windows\System\JFtdwWw.exe

C:\Windows\System\YdkfoDX.exe

C:\Windows\System\YdkfoDX.exe

C:\Windows\System\jXVkUnR.exe

C:\Windows\System\jXVkUnR.exe

C:\Windows\System\csupAYW.exe

C:\Windows\System\csupAYW.exe

C:\Windows\System\BksRsts.exe

C:\Windows\System\BksRsts.exe

C:\Windows\System\ZSHuVmd.exe

C:\Windows\System\ZSHuVmd.exe

C:\Windows\System\TWjVPSD.exe

C:\Windows\System\TWjVPSD.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp

Files

memory/1736-0-0x000000013FAE0000-0x000000013FE31000-memory.dmp

memory/1736-1-0x00000000000F0000-0x0000000000100000-memory.dmp

\Windows\system\fTylfxk.exe

MD5 13d8936bac7073b08c05dfb01e0f20cc
SHA1 8b9a74737879f955040550351ba722a79203261c
SHA256 03eeb55ee595d20094f1a036d6008661928b4a5a540e4af3c6d2ae166bcba0cd
SHA512 c1aeff95aae832d7cc839180bd91c727be4c30f09f1b31d35fc762282bbe99826be189d328675bfea5667b20a93d104b8afe6f8d7b074a0ff177f5dd1a538f42

memory/1736-6-0x00000000022A0000-0x00000000025F1000-memory.dmp

\Windows\system\pYLDGGS.exe

MD5 2fe73be978fbbfe5e754159b486590a6
SHA1 ae9688c8578c22d690ac58f4cdb8062141edd373
SHA256 118c1033cfba6e6571165da4264dcfed58a333554e14549486a3567dea535ea2
SHA512 185924c6e19bdfcc91530eb9b692a8287005d1fe1c35e10502d027e0f9b5cafa4fd01cc5d1d3ca76b3d7b8219ddc70c6e11c95d2684f034f46e61363902f48a9

memory/2112-15-0x000000013F5B0000-0x000000013F901000-memory.dmp

memory/1736-14-0x000000013F5B0000-0x000000013F901000-memory.dmp

memory/2340-12-0x000000013F880000-0x000000013FBD1000-memory.dmp

C:\Windows\system\VJbjlGu.exe

MD5 cab326a0752721388557ae834b50d6e6
SHA1 e20d5cf0b1c3dc17b91fac89f6e4f239ccee1a8a
SHA256 d4fb0a7c46142cd09e88bcd942cf7c1006c40060c78fec5730a424189d136016
SHA512 f168c11f3cbe40727b016af034cdf53b68f8f1f6e29b89d8caf36d60040717cae55243d84d323750244047830beec12e9931f1d7a70726c106127bc23d3451c5

memory/1600-22-0x000000013F1C0000-0x000000013F511000-memory.dmp

memory/1736-21-0x000000013F1C0000-0x000000013F511000-memory.dmp

memory/1736-28-0x00000000022A0000-0x00000000025F1000-memory.dmp

memory/2992-29-0x000000013F910000-0x000000013FC61000-memory.dmp

C:\Windows\system\IcvOsLL.exe

MD5 10d1b51883a5dc8262ad5f6bbbe892d6
SHA1 dd14e98d56a6a5fb01427b98930d4a7d48a1ef12
SHA256 5bac7ba3023981f5ba6b4e3f6c39caed039ea1c042241d80883318af4265e941
SHA512 b5aeed41ba14fa83f39fe89b1c992a4f955023fc376c85996cee5e04615aed3640329ee24be9d7f87bfa156fce0941fa4e8cc33c99b559776048e1cb35047469

memory/1636-40-0x000000013FDD0000-0x0000000140121000-memory.dmp

memory/1736-41-0x000000013F500000-0x000000013F851000-memory.dmp

C:\Windows\system\NkdGRIU.exe

MD5 106ba4e4d5e4717e8d6803966fec3650
SHA1 6cd88a46e7f906dd832e8544f18ec432306037fa
SHA256 0602480b05f0ddedc1acad2687993ec77509b43f039396839053c390d7504c6c
SHA512 2d6a0735f68094ce19f3d5ae1b4901df90395e3ea19a23053a84f91f089ffdbe5630fad0328a861bc4cc50def9909c7270395273c72e2cf8dc856a7d2d99ad75

C:\Windows\system\xBoxoYD.exe

MD5 ac866a3506d6b4ca18e4d116bb94205e
SHA1 f2b08901557bbe7e756408233557daa19f811c41
SHA256 bf7399c14b715321913ee7c81d96fc7e41c927f05135c26b7f2b7df56dfba8b1
SHA512 d2050635cedf21f9320fa87d340fad1d4a81f006fa58832626ea95668848ab7fb81fce9d95244ca265773bff37aabc94751e10d6a66c50b2eed2e1c37e6f7b72

memory/2676-54-0x000000013F620000-0x000000013F971000-memory.dmp

memory/1736-53-0x000000013F620000-0x000000013F971000-memory.dmp

C:\Windows\system\goNrisV.exe

MD5 2065ca03a9a4572c878674e572150dbb
SHA1 c960d49ef1a1d92e54e138a5b1baf4b35441a14e
SHA256 686eb5d7c902b71c0556730bb4b4c26c3799436dca1d27e4d9e8e5a4778e1149
SHA512 f92dc413b49db970a0926ee8223965199663e00a5f08a709e7b9031ac906c1ff31602047d5bea4febdd40adc49f758c7c0cb74fedb92df799e3ec355514d6e70

memory/2648-56-0x000000013FC60000-0x000000013FFB1000-memory.dmp

C:\Windows\system\kRAlTkh.exe

MD5 cd3767ee0f8468a50c3e83205aa2a30d
SHA1 b6a266a6d1f1c0461755a26deffac1c788b79942
SHA256 4b441e3181587bd7b77ecd8d7ce51681ad600772875e868603520d1c34d11a00
SHA512 9fd46070aea69a6def32773b38658f574647366b84e934085a01f26a89ab76f929c2e0166bb5ab46ebc21bc17b3ce993697618c5dda7724890ace38d237d2b9a

memory/2236-68-0x000000013F670000-0x000000013F9C1000-memory.dmp

memory/2528-76-0x000000013FBA0000-0x000000013FEF1000-memory.dmp

memory/2684-85-0x000000013FD10000-0x0000000140061000-memory.dmp

C:\Windows\system\UdwMaqs.exe

MD5 680c798d229c6d2a2027f1a187dbf2c1
SHA1 8ed779a83fe0b3a7d1b1e856124feb58b69e1605
SHA256 ade0a182a9fc7248890d5dad87d5529da57a5191c11a1ce0c111a514f7d02ac4
SHA512 9307cb7532568286de18fbc70b71e7797df68433bcc2ffc67fe6d644f7c8f17ba97e7f16d2073bad4321843122090df0fde2a424b8068e7cef067e8ca2db7537

C:\Windows\system\ZSHuVmd.exe

MD5 89bc63d26b945701333e7dcdb8eafc60
SHA1 1ca6d2131c9c235f300dcf5a9c1c5fd943eef99e
SHA256 e8501dd3cfe47178ad8b85b1e84d3f8a8a624dfe85db6a374c3e347aab83f973
SHA512 a2e5224f25e0c7e551ac7b94cdff71ebcbc4f4c1d27bf0a1880957cb4214d1944fad00018c1db70e74b43f38c5f1a597146a71c897cb994a3a3c6f4ef52f59b6

\Windows\system\TWjVPSD.exe

MD5 71ff6a9ac38fbf7642bc60fe5adf4177
SHA1 c9b510b0092c736c92b4980d5556e563a6bc4d62
SHA256 bbdde8139d86db33a5ae5dcf2d1d12af1550d9759150250ba0418e3ce4856128
SHA512 326fa6a802e01630c088b667956eada435c80b1bc553dcce05853dcb8c8e3e036cb1723422b1ba7151f06a752cf8902281a0425f675ac07e132812299aa50cf2

C:\Windows\system\BksRsts.exe

MD5 1471d91c1779873aaf334e7705585703
SHA1 9e98c74cd4985432b440f3ac6fb0b7fa72a5fbed
SHA256 b7c05323bcdd60d5b53400d08ab52f2b947419118b76d64e269b772b48e4f1b6
SHA512 b274985abe4724836381ce76d4eded961f07a83f7016ee87e8288e512505c3a5914ecaea301fa8d57751cc4561c11888eafa1820a5328d53f292b574962639eb

C:\Windows\system\jXVkUnR.exe

MD5 1b4575c94df0111482c2239798dea09c
SHA1 7fd2b192b0a5a94a94022de28b7f99cdf278ad90
SHA256 2cf54ca5f002a691070848088e1eb998a463e195b5df6edee5ad2554f519eab8
SHA512 50bc5cb10d9a8e13ef28b598fccc357c96004de7b48204c292ba87fb1f99d75b64cc265067f7ec31747e9f87e3f7882961a81ccab1c233059981aeb7ccedb443

C:\Windows\system\csupAYW.exe

MD5 1fe42373993db169203f8dbda4214443
SHA1 1bc9bbd18aa297c2e2e9582ee47121ab54e29ff1
SHA256 006fe168089ebfa6936c46942ad90f74ae336b5abac0c1c2de431d6ae7d7b76e
SHA512 05ff0ade7556a6b1efca279276b8acaaa162c0b774f5522140798c83baf18cd4812a5d5dfb683c4382e9bd76599e8d4a639dbf345b960282b1ada836d7699489

C:\Windows\system\YdkfoDX.exe

MD5 8650bcc6469762d6378dc27c8368cfdb
SHA1 30a56e75f7f663e1ea264d6d43d4f356787a146c
SHA256 3b94d034aa93cff283838d5a5afcc9e07ba105603d5ce46912dcedee22414331
SHA512 edae04a88e2cb4a8ff17284789a50d1688ecd672f79fcfd71da3341a19b47c93b3e4b20e93714142ca0893251191487631b3991c22cc1d9d47ec775496f34e0c

C:\Windows\system\JFtdwWw.exe

MD5 9f02885f21d9485589092ee3267648ee
SHA1 2b1cbc6104d9ea71d3a54275e86e5e050d46168b
SHA256 9bb79e30b92da979e023d63238ee863363c6e97c29c221c64617e720ca0047e8
SHA512 dd2eb88f3626bd57eb3e924737c5bc9f9cbab27437ffffcaa723db22fa6e91e33fa5ee575f336a10ebf222d6b76c88a5bb1db9d25851813e7d01967372141589

memory/1736-106-0x000000013F440000-0x000000013F791000-memory.dmp

memory/2792-105-0x000000013F500000-0x000000013F851000-memory.dmp

memory/1636-104-0x000000013FDD0000-0x0000000140121000-memory.dmp

memory/2984-93-0x000000013FF20000-0x0000000140271000-memory.dmp

memory/1736-92-0x000000013FF20000-0x0000000140271000-memory.dmp

memory/2992-91-0x000000013F910000-0x000000013FC61000-memory.dmp

memory/1292-100-0x000000013F560000-0x000000013F8B1000-memory.dmp

memory/1736-99-0x000000013F560000-0x000000013F8B1000-memory.dmp

C:\Windows\system\hCqykSY.exe

MD5 c61fda51628c0e27751e1c015a63bb16
SHA1 40b604ca230a351325d8917356585d5995a39287
SHA256 deb94a4d4e45382184a4767f7a18ee413e9b241121d4a18ffa649cc4b854f777
SHA512 3dc537fb8540cc8b12db636397ad8b6b0118c89842dbf34914a8aa388c7612928a0821a206a1f7ebc72d22767ec29f8a98d918e69279efdf49edc7dd437b4d9f

memory/1736-84-0x00000000022A0000-0x00000000025F1000-memory.dmp

memory/1600-83-0x000000013F1C0000-0x000000013F511000-memory.dmp

memory/2112-75-0x000000013F5B0000-0x000000013F901000-memory.dmp

memory/2340-74-0x000000013F880000-0x000000013FBD1000-memory.dmp

C:\Windows\system\GXkxAtq.exe

MD5 143d82960889d0c0e094523c93f8a29e
SHA1 b2bd684ed5b50c8dfe21b439f8afdcf4201544b9
SHA256 ea7557ee8f39314345cb37d94b1d2b41d3680ac662f79c41efcb425cda351ebb
SHA512 159e676a253113475cacc497efb2c8393b1e0f223b0073efd4f0753bd040eae43e909c1ffa8949a7eea4a01c2150e1c79bc2352a3be0ff76a4baf9127e863196

C:\Windows\system\ofpBoYG.exe

MD5 22f33f2fc579477421df7d9ba90fc01f
SHA1 82de1d99854d5c839ecb85be1214bcaa0ce3c3dd
SHA256 457383c80988358ba87e2aaf7c4a6fb41c8520d093c8703e74b205f7fd9a99fa
SHA512 ff21a3e13815dae57246fc98b7f8766f245dd0d21ef55590cc98ffb16c207d2c719a33e5fa2c16575b05836e0be82ff5905f794e41084c5b0988c42517a3c592

memory/2544-63-0x000000013F700000-0x000000013FA51000-memory.dmp

memory/1736-62-0x000000013FAE0000-0x000000013FE31000-memory.dmp

C:\Windows\system\zEdOJfl.exe

MD5 4f7f828c39a69158aaa81348578bd944
SHA1 5b1aea6ca8b5e6aec88ea77177f49e531c40c7a8
SHA256 168669b1c946978ba9f3e0fed6400a7e916cc5816462307c38d0ffd3d464ca24
SHA512 81fd18ede0fc25f9b76a48e1f25a6a8494678675ef094012d12a12d95bff6bbe994fad44359758c1d2d912ca463c72d75b35dbbf83b39f03a40cb93c640ea8a3

memory/1736-34-0x00000000022A0000-0x00000000025F1000-memory.dmp

memory/2792-42-0x000000013F500000-0x000000013F851000-memory.dmp

memory/2648-139-0x000000013FC60000-0x000000013FFB1000-memory.dmp

C:\Windows\system\hwHUPYG.exe

MD5 a0d2879a80724ba09ad14eebc3d54ce9
SHA1 9d3dead1aededeb3582cd2d1d0876e421778ada2
SHA256 5aa9480e43571382a230039f6d8e8039c0f8d1edc43a2dfdd31670a8ce36c479
SHA512 bfd4e0e41bfa6f56d72aa5c1e797de189c4b19147acdb3036398419a4967f1de9118b53cd9bbeabc5e18a98fc2eb0118ea89a3f8e0d0aca1c4e82d4028f2ff9e

memory/2236-150-0x000000013F670000-0x000000013F9C1000-memory.dmp

memory/2528-151-0x000000013FBA0000-0x000000013FEF1000-memory.dmp

memory/1736-140-0x000000013FAE0000-0x000000013FE31000-memory.dmp

memory/2184-159-0x000000013F500000-0x000000013F851000-memory.dmp

memory/1876-158-0x000000013F110000-0x000000013F461000-memory.dmp

memory/1972-161-0x000000013F6B0000-0x000000013FA01000-memory.dmp

memory/1340-160-0x000000013FB30000-0x000000013FE81000-memory.dmp

memory/1008-157-0x000000013FDA0000-0x00000001400F1000-memory.dmp

memory/1952-156-0x000000013FD90000-0x00000001400E1000-memory.dmp

memory/856-155-0x000000013F440000-0x000000013F791000-memory.dmp

memory/1292-154-0x000000013F560000-0x000000013F8B1000-memory.dmp

memory/2984-153-0x000000013FF20000-0x0000000140271000-memory.dmp

memory/2684-152-0x000000013FD10000-0x0000000140061000-memory.dmp

memory/1736-162-0x00000000022A0000-0x00000000025F1000-memory.dmp

memory/1736-163-0x000000013FAE0000-0x000000013FE31000-memory.dmp

memory/1736-172-0x000000013FF20000-0x0000000140271000-memory.dmp

memory/1736-186-0x000000013F560000-0x000000013F8B1000-memory.dmp

memory/1736-187-0x000000013F440000-0x000000013F791000-memory.dmp

memory/2340-215-0x000000013F880000-0x000000013FBD1000-memory.dmp

memory/2112-217-0x000000013F5B0000-0x000000013F901000-memory.dmp

memory/1600-219-0x000000013F1C0000-0x000000013F511000-memory.dmp

memory/2992-221-0x000000013F910000-0x000000013FC61000-memory.dmp

memory/2792-223-0x000000013F500000-0x000000013F851000-memory.dmp

memory/2676-227-0x000000013F620000-0x000000013F971000-memory.dmp

memory/1636-226-0x000000013FDD0000-0x0000000140121000-memory.dmp

memory/2544-229-0x000000013F700000-0x000000013FA51000-memory.dmp

memory/2648-231-0x000000013FC60000-0x000000013FFB1000-memory.dmp

memory/2236-233-0x000000013F670000-0x000000013F9C1000-memory.dmp

memory/2528-246-0x000000013FBA0000-0x000000013FEF1000-memory.dmp

memory/2684-248-0x000000013FD10000-0x0000000140061000-memory.dmp

memory/2984-250-0x000000013FF20000-0x0000000140271000-memory.dmp

memory/1292-252-0x000000013F560000-0x000000013F8B1000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-22 21:04

Reported

2024-05-22 21:06

Platform

win10v2004-20240508-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-05-22_c783f8da2c0185459f11317a4ef1848c_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\HEkfkAr.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_c783f8da2c0185459f11317a4ef1848c_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\NklsJFx.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_c783f8da2c0185459f11317a4ef1848c_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\LtZBGtX.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_c783f8da2c0185459f11317a4ef1848c_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\grOCOKq.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_c783f8da2c0185459f11317a4ef1848c_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\oCpYRih.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_c783f8da2c0185459f11317a4ef1848c_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\iESZxYd.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_c783f8da2c0185459f11317a4ef1848c_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\CGEDJhH.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_c783f8da2c0185459f11317a4ef1848c_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\wBKOuZx.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_c783f8da2c0185459f11317a4ef1848c_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\KHvcqxn.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_c783f8da2c0185459f11317a4ef1848c_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\hBYjvmR.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_c783f8da2c0185459f11317a4ef1848c_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\mSkeiTJ.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_c783f8da2c0185459f11317a4ef1848c_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\thddqFn.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_c783f8da2c0185459f11317a4ef1848c_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\LrVRbTB.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_c783f8da2c0185459f11317a4ef1848c_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\GxgoocZ.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_c783f8da2c0185459f11317a4ef1848c_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\IlWbAlg.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_c783f8da2c0185459f11317a4ef1848c_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\qZKbShf.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_c783f8da2c0185459f11317a4ef1848c_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\EsRBcoK.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_c783f8da2c0185459f11317a4ef1848c_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\alVYvwe.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_c783f8da2c0185459f11317a4ef1848c_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\zYjbyJx.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_c783f8da2c0185459f11317a4ef1848c_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ZoZwIxc.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_c783f8da2c0185459f11317a4ef1848c_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\fPqkOdU.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_c783f8da2c0185459f11317a4ef1848c_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_c783f8da2c0185459f11317a4ef1848c_cobalt-strike_cobaltstrike.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_c783f8da2c0185459f11317a4ef1848c_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 748 wrote to memory of 4788 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_c783f8da2c0185459f11317a4ef1848c_cobalt-strike_cobaltstrike.exe C:\Windows\System\iESZxYd.exe
PID 748 wrote to memory of 4788 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_c783f8da2c0185459f11317a4ef1848c_cobalt-strike_cobaltstrike.exe C:\Windows\System\iESZxYd.exe
PID 748 wrote to memory of 1404 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_c783f8da2c0185459f11317a4ef1848c_cobalt-strike_cobaltstrike.exe C:\Windows\System\CGEDJhH.exe
PID 748 wrote to memory of 1404 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_c783f8da2c0185459f11317a4ef1848c_cobalt-strike_cobaltstrike.exe C:\Windows\System\CGEDJhH.exe
PID 748 wrote to memory of 2096 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_c783f8da2c0185459f11317a4ef1848c_cobalt-strike_cobaltstrike.exe C:\Windows\System\wBKOuZx.exe
PID 748 wrote to memory of 2096 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_c783f8da2c0185459f11317a4ef1848c_cobalt-strike_cobaltstrike.exe C:\Windows\System\wBKOuZx.exe
PID 748 wrote to memory of 3188 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_c783f8da2c0185459f11317a4ef1848c_cobalt-strike_cobaltstrike.exe C:\Windows\System\HEkfkAr.exe
PID 748 wrote to memory of 3188 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_c783f8da2c0185459f11317a4ef1848c_cobalt-strike_cobaltstrike.exe C:\Windows\System\HEkfkAr.exe
PID 748 wrote to memory of 772 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_c783f8da2c0185459f11317a4ef1848c_cobalt-strike_cobaltstrike.exe C:\Windows\System\NklsJFx.exe
PID 748 wrote to memory of 772 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_c783f8da2c0185459f11317a4ef1848c_cobalt-strike_cobaltstrike.exe C:\Windows\System\NklsJFx.exe
PID 748 wrote to memory of 4088 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_c783f8da2c0185459f11317a4ef1848c_cobalt-strike_cobaltstrike.exe C:\Windows\System\LtZBGtX.exe
PID 748 wrote to memory of 4088 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_c783f8da2c0185459f11317a4ef1848c_cobalt-strike_cobaltstrike.exe C:\Windows\System\LtZBGtX.exe
PID 748 wrote to memory of 3096 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_c783f8da2c0185459f11317a4ef1848c_cobalt-strike_cobaltstrike.exe C:\Windows\System\qZKbShf.exe
PID 748 wrote to memory of 3096 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_c783f8da2c0185459f11317a4ef1848c_cobalt-strike_cobaltstrike.exe C:\Windows\System\qZKbShf.exe
PID 748 wrote to memory of 2620 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_c783f8da2c0185459f11317a4ef1848c_cobalt-strike_cobaltstrike.exe C:\Windows\System\grOCOKq.exe
PID 748 wrote to memory of 2620 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_c783f8da2c0185459f11317a4ef1848c_cobalt-strike_cobaltstrike.exe C:\Windows\System\grOCOKq.exe
PID 748 wrote to memory of 1644 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_c783f8da2c0185459f11317a4ef1848c_cobalt-strike_cobaltstrike.exe C:\Windows\System\thddqFn.exe
PID 748 wrote to memory of 1644 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_c783f8da2c0185459f11317a4ef1848c_cobalt-strike_cobaltstrike.exe C:\Windows\System\thddqFn.exe
PID 748 wrote to memory of 2372 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_c783f8da2c0185459f11317a4ef1848c_cobalt-strike_cobaltstrike.exe C:\Windows\System\EsRBcoK.exe
PID 748 wrote to memory of 2372 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_c783f8da2c0185459f11317a4ef1848c_cobalt-strike_cobaltstrike.exe C:\Windows\System\EsRBcoK.exe
PID 748 wrote to memory of 1488 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_c783f8da2c0185459f11317a4ef1848c_cobalt-strike_cobaltstrike.exe C:\Windows\System\LrVRbTB.exe
PID 748 wrote to memory of 1488 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_c783f8da2c0185459f11317a4ef1848c_cobalt-strike_cobaltstrike.exe C:\Windows\System\LrVRbTB.exe
PID 748 wrote to memory of 1636 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_c783f8da2c0185459f11317a4ef1848c_cobalt-strike_cobaltstrike.exe C:\Windows\System\GxgoocZ.exe
PID 748 wrote to memory of 1636 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_c783f8da2c0185459f11317a4ef1848c_cobalt-strike_cobaltstrike.exe C:\Windows\System\GxgoocZ.exe
PID 748 wrote to memory of 752 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_c783f8da2c0185459f11317a4ef1848c_cobalt-strike_cobaltstrike.exe C:\Windows\System\alVYvwe.exe
PID 748 wrote to memory of 752 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_c783f8da2c0185459f11317a4ef1848c_cobalt-strike_cobaltstrike.exe C:\Windows\System\alVYvwe.exe
PID 748 wrote to memory of 4348 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_c783f8da2c0185459f11317a4ef1848c_cobalt-strike_cobaltstrike.exe C:\Windows\System\KHvcqxn.exe
PID 748 wrote to memory of 4348 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_c783f8da2c0185459f11317a4ef1848c_cobalt-strike_cobaltstrike.exe C:\Windows\System\KHvcqxn.exe
PID 748 wrote to memory of 2012 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_c783f8da2c0185459f11317a4ef1848c_cobalt-strike_cobaltstrike.exe C:\Windows\System\IlWbAlg.exe
PID 748 wrote to memory of 2012 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_c783f8da2c0185459f11317a4ef1848c_cobalt-strike_cobaltstrike.exe C:\Windows\System\IlWbAlg.exe
PID 748 wrote to memory of 2256 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_c783f8da2c0185459f11317a4ef1848c_cobalt-strike_cobaltstrike.exe C:\Windows\System\hBYjvmR.exe
PID 748 wrote to memory of 2256 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_c783f8da2c0185459f11317a4ef1848c_cobalt-strike_cobaltstrike.exe C:\Windows\System\hBYjvmR.exe
PID 748 wrote to memory of 4476 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_c783f8da2c0185459f11317a4ef1848c_cobalt-strike_cobaltstrike.exe C:\Windows\System\zYjbyJx.exe
PID 748 wrote to memory of 4476 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_c783f8da2c0185459f11317a4ef1848c_cobalt-strike_cobaltstrike.exe C:\Windows\System\zYjbyJx.exe
PID 748 wrote to memory of 5100 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_c783f8da2c0185459f11317a4ef1848c_cobalt-strike_cobaltstrike.exe C:\Windows\System\ZoZwIxc.exe
PID 748 wrote to memory of 5100 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_c783f8da2c0185459f11317a4ef1848c_cobalt-strike_cobaltstrike.exe C:\Windows\System\ZoZwIxc.exe
PID 748 wrote to memory of 4036 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_c783f8da2c0185459f11317a4ef1848c_cobalt-strike_cobaltstrike.exe C:\Windows\System\mSkeiTJ.exe
PID 748 wrote to memory of 4036 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_c783f8da2c0185459f11317a4ef1848c_cobalt-strike_cobaltstrike.exe C:\Windows\System\mSkeiTJ.exe
PID 748 wrote to memory of 2796 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_c783f8da2c0185459f11317a4ef1848c_cobalt-strike_cobaltstrike.exe C:\Windows\System\oCpYRih.exe
PID 748 wrote to memory of 2796 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_c783f8da2c0185459f11317a4ef1848c_cobalt-strike_cobaltstrike.exe C:\Windows\System\oCpYRih.exe
PID 748 wrote to memory of 1712 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_c783f8da2c0185459f11317a4ef1848c_cobalt-strike_cobaltstrike.exe C:\Windows\System\fPqkOdU.exe
PID 748 wrote to memory of 1712 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_c783f8da2c0185459f11317a4ef1848c_cobalt-strike_cobaltstrike.exe C:\Windows\System\fPqkOdU.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-05-22_c783f8da2c0185459f11317a4ef1848c_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-05-22_c783f8da2c0185459f11317a4ef1848c_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\iESZxYd.exe

C:\Windows\System\iESZxYd.exe

C:\Windows\System\CGEDJhH.exe

C:\Windows\System\CGEDJhH.exe

C:\Windows\System\wBKOuZx.exe

C:\Windows\System\wBKOuZx.exe

C:\Windows\System\HEkfkAr.exe

C:\Windows\System\HEkfkAr.exe

C:\Windows\System\NklsJFx.exe

C:\Windows\System\NklsJFx.exe

C:\Windows\System\LtZBGtX.exe

C:\Windows\System\LtZBGtX.exe

C:\Windows\System\qZKbShf.exe

C:\Windows\System\qZKbShf.exe

C:\Windows\System\grOCOKq.exe

C:\Windows\System\grOCOKq.exe

C:\Windows\System\thddqFn.exe

C:\Windows\System\thddqFn.exe

C:\Windows\System\EsRBcoK.exe

C:\Windows\System\EsRBcoK.exe

C:\Windows\System\LrVRbTB.exe

C:\Windows\System\LrVRbTB.exe

C:\Windows\System\GxgoocZ.exe

C:\Windows\System\GxgoocZ.exe

C:\Windows\System\alVYvwe.exe

C:\Windows\System\alVYvwe.exe

C:\Windows\System\KHvcqxn.exe

C:\Windows\System\KHvcqxn.exe

C:\Windows\System\IlWbAlg.exe

C:\Windows\System\IlWbAlg.exe

C:\Windows\System\hBYjvmR.exe

C:\Windows\System\hBYjvmR.exe

C:\Windows\System\zYjbyJx.exe

C:\Windows\System\zYjbyJx.exe

C:\Windows\System\ZoZwIxc.exe

C:\Windows\System\ZoZwIxc.exe

C:\Windows\System\mSkeiTJ.exe

C:\Windows\System\mSkeiTJ.exe

C:\Windows\System\oCpYRih.exe

C:\Windows\System\oCpYRih.exe

C:\Windows\System\fPqkOdU.exe

C:\Windows\System\fPqkOdU.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
DE 3.120.209.58:8080 N/A tcp
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
NL 23.62.61.139:443 www.bing.com tcp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 139.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
DE 3.120.209.58:8080 N/A tcp
US 8.8.8.8:53 240.197.17.2.in-addr.arpa udp
DE 3.120.209.58:8080 N/A tcp
US 52.111.229.48:443 N/A tcp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
DE 3.120.209.58:8080 N/A tcp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
DE 3.120.209.58:8080 N/A tcp
DE 3.120.209.58:8080 N/A tcp
US 8.8.8.8:53 214.143.182.52.in-addr.arpa udp

Files

memory/748-0-0x00007FF771FD0000-0x00007FF772321000-memory.dmp

memory/748-1-0x00000234A4410000-0x00000234A4420000-memory.dmp

C:\Windows\System\iESZxYd.exe

MD5 b3971e1317e2d31d14a406d1c0b2d8fb
SHA1 52b3ee5a619ff10fc0539665d8f783f98926ba50
SHA256 8befb05a3536fc3d1db3c2c415a270df52c711dbda425324e95119a1c23735a2
SHA512 def9b36fc599f50eff1ae1cc7c8685f7710107e75e8ca74c61265fb239f64ccba6bc756c0c06f38b4acacb4dcaa72ea36ebffdbfb01e13e03e4eb9ffb3e7f509

memory/4788-7-0x00007FF73DEF0000-0x00007FF73E241000-memory.dmp

C:\Windows\System\wBKOuZx.exe

MD5 8a248dc667310319e56f0f1fced33b69
SHA1 d026a31867f29307528292f6e00639ffad99b44e
SHA256 707f8f20ee1ce976a62eb4313f4157b91edbd80640222dfdd04f10a6ad783cae
SHA512 373a39f7bd1b55e9cbf3fb40873d1325f04bfed386f31a7d4abb435c0018d749b2542037a9719959264d1da9b1efba99eeeb0a40a75098737ec5bcc819b7b024

memory/1404-14-0x00007FF7389C0000-0x00007FF738D11000-memory.dmp

C:\Windows\System\CGEDJhH.exe

MD5 cea6502b1277d9919c01d82b66a549aa
SHA1 baa6504275bac30084dc7053a0c6b1b50439b7b2
SHA256 8ab2b5698ff8d4086d549eca430b0fbb1036abe34cbaa02ba55ad6f333dcd9a9
SHA512 7c58fbae35d30eb0daea53f758b3d5b7fa7d94f0e7d3f0016e13d2399e8035372b0071def8fc391579ad7a37c6e993e6c73ce54f4a3420963997778019ed2831

C:\Windows\System\HEkfkAr.exe

MD5 9da102b655ae538d64136ac2b72a10d4
SHA1 8058596651ec4a06881019d04d34a8d19f3ddf8c
SHA256 ac6d7ea362459c2d41c5b5db2d87ba2792c7c00c6c81cd509d311cb590740dd2
SHA512 3b5f032b30125ba7628712b73344428ff65e6d96e1ac023ccbf6ec8a1dc9705b976614c2c1c2c99236d11011234db1cf9f7a948605ba7e2c825bce73c1920963

C:\Windows\System\NklsJFx.exe

MD5 e9259a901df6de5e30e76c0f7b8393e2
SHA1 80331116b863b24a7bec7c87a9a11c4d1f2a5ea7
SHA256 0a1d7d634499483762c7d50f368785903e0ff96aa6fcb0dbaea50d324f1cd51b
SHA512 38fae0d9ace03af56633ca4d006ebdfb9d09df033fe6c559b32da1eda45c3b840500b91c880738efa85ce099ca6f7efd4b203b74bc89f84df65bd8813a5dc275

memory/3188-26-0x00007FF6D7FC0000-0x00007FF6D8311000-memory.dmp

C:\Windows\System\LtZBGtX.exe

MD5 4c7823e95417bb6ee85ba0840e82c5b5
SHA1 a6cd76aa95f3172a04a695b70813c8936a00c260
SHA256 e82faf366a1981468f7285a0270f9e7630ad4691799c25e3712e5f552a091f31
SHA512 d8107c6618044227d562b34e44f9e5647997320eb7b2a371854515669d10c259f188afc797ac2e55c4a9136cef8d79b953152482319e945ae3596c1c9d41c400

C:\Windows\System\qZKbShf.exe

MD5 dafaee27e204df2cf95395174bd04d88
SHA1 797da11736f883d8fae4580fbfc446da84230ed4
SHA256 2bfd21c7ccbc88058274285a628bd9ab099b3f8681fb2cbe9aa932a41b689346
SHA512 8520c6d13cc95c1dd6610f224dd7c9df9316c0c90d5e84bb373072fc1c7d7a4d46710cd3ba7946b86bace4230256c7cf587273388304fc8c3032eae565fc2ae0

C:\Windows\System\grOCOKq.exe

MD5 2cb1a0fd7fa7686004e3b519a3c65c56
SHA1 489ffaf1f16581c1735e02641283db8db1ac7d5e
SHA256 3e5e0ad1105efc44bca84b586f8a20e63190db6bb56ca407bfe530c8f723635f
SHA512 2886476fd9f53e741169bdf90b9c923e5b825df698aafda241e1547f04d63160aa6b2d7b9ce74464a877b6388db1a2a440a6fbc0eae6ba3f9c9f26daaf22a697

C:\Windows\System\thddqFn.exe

MD5 0e9ad77de0907fd14e36ca3004a6d609
SHA1 749aa234bebe3f2df1138ff00a4eaa0929b3621e
SHA256 67377ad17f668fe3028fb8ca7ae9cd8dac510293d59256bca18c84db08f943f8
SHA512 5dd99f07645f7cffdfd06fd5c3981f01db3804ae4a45a6273da9fc38a11bc603fb8ee66528ccb0d8630c902c0babee58ff2493fcf4dbbecad4313d519d6504e8

C:\Windows\System\LrVRbTB.exe

MD5 cb83e9a007cf5df3cdeade56b5ff7fa8
SHA1 0290dd8acfd9e4154490456399f766e2d7ab54b4
SHA256 ef70b1411929252f5915e7b337cc11df48496dfa6cfc68c186c20dc984bdb249
SHA512 65fefee1b7ea74a4a5e2ac57bce01780891b93dca81fc999e1cafbe6bfa2c1a9bddc3e93df489615f91fa5c54f7e2bd6f28047376f0db1c67b85dd6f91a5fc4f

C:\Windows\System\GxgoocZ.exe

MD5 5ed152469f775d22eb833fdbd60485e5
SHA1 8a0604306f3d3ceea7d3d92b98187ac2598a26eb
SHA256 d93ef0fd8a1dad32d039a5abc360c83f75e04f5d84cdf4ca83524aaa314518f7
SHA512 4adc4312ca85f261ed53c564a28ee73b6698ed65a7cab36de5c8cf60049e303e115365797d792c00ece530d180e7ee62835bf59ca1c8e4a7770d05de1931617c

C:\Windows\System\KHvcqxn.exe

MD5 f8204e11d852bf9fe0edbff1e30f9e39
SHA1 018671c89cf95cd92252356142a27a6055f6f58a
SHA256 c8c1913acdd00413052602045c2f11e2531688c30ccedb38061e0a435bbf6346
SHA512 a6df314e06e65a3bb3fab17e7dd131b44dfb4aae5462c1b109ea1db29b9d21ecb6e6efe061788e0a0af5e35fb9fddacb0b876688a5be4ee8a539b696427b5cea

C:\Windows\System\zYjbyJx.exe

MD5 d04615d1b3decebf4bdce9ea62c8c343
SHA1 96c9272d76ffe3422eaff89091b3de9155e50c95
SHA256 8893702b7a4d3b00594f7d653f4b4938121445aa569000f18b1d77744b03f4c2
SHA512 db37984e6812ab68cb78381c42cff26c052e050fb3d8140c63c18fbf6f631ff4a55c5107eb111547679e29135af9584d2360c7102f9415566a64bf8518582d3a

C:\Windows\System\ZoZwIxc.exe

MD5 78c9facc2466840c356e01cfe6a7b098
SHA1 d031fc7f598c2c90dba0613d114f84d12b86817b
SHA256 8bfc26dc1610f74b36c237c81ec0bc0c667edee9129752c5bf0c5f1acf74ac39
SHA512 5a5f3f61816cfffc0d7062a131babbad417b18bad26d40f240b168bce7bcf494001ffe6e41274163e688b7ff232bb143e13a8e44448b177ab7eb15d71efd1ec1

C:\Windows\System\oCpYRih.exe

MD5 6901ec577b94c4da7e4830e3dad6a72a
SHA1 263890e77df1218817843a987b32fc4e48f0962d
SHA256 8b8c843849cd39bd2ca511ff2e6e017f2eb21c4f4cfd981675fe811b67b06a71
SHA512 4f35a1b652139666dc9e1e1b54dc66405c4cc264232da24d316036fc3e3a939e69d445b474d7b7efb0c3907dc4ddc651b6ad84061e02c26589a55b15e3386a83

C:\Windows\System\fPqkOdU.exe

MD5 4c665c1dbd393856f72a69fafbed5a1d
SHA1 7cf5892f764f2ff7b67b8c910268cf784015e3a6
SHA256 1baa8a85901c3623e5ad7fe5020cb2aa6807e5187262ce73c9621f54ab0fb89f
SHA512 296a8770a306cee513b645eb92a4802389caba390ad75be13e0a13260e6e37d0c2c54454ab8338559d689f347b17ce553726e53b644d473fc4743b1c3a57d3f9

C:\Windows\System\mSkeiTJ.exe

MD5 972df430b591e9addd79a02d6b0da356
SHA1 9eb95546d1a62ecd707d909bdcddee2d187af1d2
SHA256 4991bcfd3b9ca280142d1f7377055b4cb31bf60abb4aad39e48c2e67a4e9b696
SHA512 ac11afea4de6c67f9ade1868a61bf35722c271f54c4b8e48a288d3a13a2856a7f2a123ebc6258d484b0efc6c46b1c9c33d27fd1aed769e702a0f8dc5fa1558dd

C:\Windows\System\hBYjvmR.exe

MD5 d80ef78674ba84bdcf357e3702d1a867
SHA1 96742e0b832e61ffe605faf9e2af2d9fe651658c
SHA256 df93a4e008258d943e22de532c5b971fece939d843574e1dbf3557c836b16c9d
SHA512 b2bf337fcb2a4191ac1789e70bb3785017c6802934cd29cbb1d45a4e12717cb6813689cdafcc59add9d92b796d9e1bae326aff41b2267232b72d5755f6a707b5

C:\Windows\System\IlWbAlg.exe

MD5 f05e809c46642ba3aa7ef9e304092de9
SHA1 44240e7d325e76d7900723578c5bc04b089085a4
SHA256 72f4ba6e1d3d9077b3cd89d4d2d357f6ea897fd8c13bfbf204aba51c63737136
SHA512 ecb0d5eae10071b890381024ee739f9b953f4cb787d593367bca4fa55a364494583ee04d9679e8b15e1ce7f2a93adc62232be546d77b6b4c5cabfedfc4ad0c37

C:\Windows\System\alVYvwe.exe

MD5 143c58d70d491ff821098ef9584dc43b
SHA1 2f3ea0b06b91ed1439b2bb2df3cb0573c96d8f4e
SHA256 6640610a46141c9668543417678fb9e5975249d20a074c3afa6fdd67c233ec59
SHA512 11d29b2557be7fed9d33b8c70c6b6e821d56beaad4ca81a90a505cddebcc5e7bc8de89c4ab920d110dc755b7ee0a49a3900ab26be64cd02cef66fd4db0b576e0

C:\Windows\System\EsRBcoK.exe

MD5 b07ef4a5a1cd9b01d2e389acb34f13c8
SHA1 aa5d2625e534b505a8ca6cb6554a8f3df8bfdb2d
SHA256 f9957bb81f599ca22e41f84a6611802ea3c0fb35a5c9731943d21830cb777562
SHA512 ca605eb0a4247cb2afb170193e973a71f6e9ec7c63234a5681fa968a42eb35140a1d7b87ab261dd84c521d5895bfa306d525a3d7b0c9a048f7df0b058affef4a

memory/4088-38-0x00007FF7B1C20000-0x00007FF7B1F71000-memory.dmp

memory/772-32-0x00007FF6EC450000-0x00007FF6EC7A1000-memory.dmp

memory/2096-25-0x00007FF6F7F70000-0x00007FF6F82C1000-memory.dmp

memory/1404-115-0x00007FF7389C0000-0x00007FF738D11000-memory.dmp

memory/4788-114-0x00007FF73DEF0000-0x00007FF73E241000-memory.dmp

memory/4348-127-0x00007FF64AFE0000-0x00007FF64B331000-memory.dmp

memory/1488-124-0x00007FF7EB760000-0x00007FF7EBAB1000-memory.dmp

memory/2620-121-0x00007FF69B5A0000-0x00007FF69B8F1000-memory.dmp

memory/3096-120-0x00007FF744D60000-0x00007FF7450B1000-memory.dmp

memory/748-113-0x00007FF771FD0000-0x00007FF772321000-memory.dmp

memory/2256-129-0x00007FF6995E0000-0x00007FF699931000-memory.dmp

memory/5100-131-0x00007FF607200000-0x00007FF607551000-memory.dmp

memory/4036-132-0x00007FF67D050000-0x00007FF67D3A1000-memory.dmp

memory/1712-134-0x00007FF677E80000-0x00007FF6781D1000-memory.dmp

memory/4476-130-0x00007FF626430000-0x00007FF626781000-memory.dmp

memory/2796-133-0x00007FF755EF0000-0x00007FF756241000-memory.dmp

memory/2012-128-0x00007FF734E80000-0x00007FF7351D1000-memory.dmp

memory/752-126-0x00007FF6EE270000-0x00007FF6EE5C1000-memory.dmp

memory/1636-125-0x00007FF767AF0000-0x00007FF767E41000-memory.dmp

memory/2372-123-0x00007FF70C540000-0x00007FF70C891000-memory.dmp

memory/1644-122-0x00007FF7D7CF0000-0x00007FF7D8041000-memory.dmp

memory/748-135-0x00007FF771FD0000-0x00007FF772321000-memory.dmp

memory/4788-184-0x00007FF73DEF0000-0x00007FF73E241000-memory.dmp

memory/1404-186-0x00007FF7389C0000-0x00007FF738D11000-memory.dmp

memory/2096-188-0x00007FF6F7F70000-0x00007FF6F82C1000-memory.dmp

memory/3188-190-0x00007FF6D7FC0000-0x00007FF6D8311000-memory.dmp

memory/772-192-0x00007FF6EC450000-0x00007FF6EC7A1000-memory.dmp

memory/4088-194-0x00007FF7B1C20000-0x00007FF7B1F71000-memory.dmp

memory/3096-196-0x00007FF744D60000-0x00007FF7450B1000-memory.dmp

memory/2620-198-0x00007FF69B5A0000-0x00007FF69B8F1000-memory.dmp

memory/1644-200-0x00007FF7D7CF0000-0x00007FF7D8041000-memory.dmp

memory/2372-204-0x00007FF70C540000-0x00007FF70C891000-memory.dmp

memory/1488-203-0x00007FF7EB760000-0x00007FF7EBAB1000-memory.dmp

memory/2256-209-0x00007FF6995E0000-0x00007FF699931000-memory.dmp

memory/2012-212-0x00007FF734E80000-0x00007FF7351D1000-memory.dmp

memory/752-214-0x00007FF6EE270000-0x00007FF6EE5C1000-memory.dmp

memory/4476-216-0x00007FF626430000-0x00007FF626781000-memory.dmp

memory/1636-211-0x00007FF767AF0000-0x00007FF767E41000-memory.dmp

memory/4348-207-0x00007FF64AFE0000-0x00007FF64B331000-memory.dmp

memory/2796-221-0x00007FF755EF0000-0x00007FF756241000-memory.dmp

memory/5100-224-0x00007FF607200000-0x00007FF607551000-memory.dmp

memory/4036-223-0x00007FF67D050000-0x00007FF67D3A1000-memory.dmp

memory/1712-219-0x00007FF677E80000-0x00007FF6781D1000-memory.dmp