Malware Analysis Report

2025-04-19 15:55

Sample ID 240522-zxkf7sgg46
Target 2024-05-22_ec28623da4216e6f416d36004dd3a650_cobalt-strike_cobaltstrike
SHA256 a9f4f0aaa2b9dada4882da30859d2da372ccd7d5633a195b0b94333e72e85c0d
Tags
upx 0 miner cobaltstrike xmrig backdoor trojan
Score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score
10/10

SHA256

a9f4f0aaa2b9dada4882da30859d2da372ccd7d5633a195b0b94333e72e85c0d

Threat Level: Known bad

The file 2024-05-22_ec28623da4216e6f416d36004dd3a650_cobalt-strike_cobaltstrike was found to be: Known bad.

Malicious Activity Summary

upx 0 miner cobaltstrike xmrig backdoor trojan

Detects Reflective DLL injection artifacts

UPX dump on OEP (original entry point)

XMRig Miner payload

xmrig

Cobaltstrike

Cobalt Strike reflective loader

Xmrig family

Cobaltstrike family

Loads dropped DLL

UPX packed file

Executes dropped EXE

Drops file in Windows directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-05-22 21:05

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike family

cobaltstrike

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Xmrig family

xmrig

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-22 21:05

Reported

2024-05-22 21:08

Platform

win7-20240419-en

Max time kernel

145s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-05-22_ec28623da4216e6f416d36004dd3a650_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_ec28623da4216e6f416d36004dd3a650_cobalt-strike_cobaltstrike.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\DNIDYCT.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_ec28623da4216e6f416d36004dd3a650_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\QWDqrqm.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_ec28623da4216e6f416d36004dd3a650_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\rYzVUXI.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_ec28623da4216e6f416d36004dd3a650_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\prnJqjv.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_ec28623da4216e6f416d36004dd3a650_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\uZXvvHS.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_ec28623da4216e6f416d36004dd3a650_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\sCPXniY.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_ec28623da4216e6f416d36004dd3a650_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\kfVoYGH.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_ec28623da4216e6f416d36004dd3a650_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\MVBcHTS.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_ec28623da4216e6f416d36004dd3a650_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\GuYbRdY.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_ec28623da4216e6f416d36004dd3a650_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\gfRoYtJ.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_ec28623da4216e6f416d36004dd3a650_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\aYABSRl.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_ec28623da4216e6f416d36004dd3a650_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ndbsVPN.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_ec28623da4216e6f416d36004dd3a650_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\tjBgRhp.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_ec28623da4216e6f416d36004dd3a650_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\RJWZWVT.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_ec28623da4216e6f416d36004dd3a650_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\SPiUxVI.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_ec28623da4216e6f416d36004dd3a650_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\MHvoCHf.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_ec28623da4216e6f416d36004dd3a650_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\fPTwpoi.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_ec28623da4216e6f416d36004dd3a650_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\IqNxFzn.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_ec28623da4216e6f416d36004dd3a650_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\fsjdSkC.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_ec28623da4216e6f416d36004dd3a650_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\UUstWaY.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_ec28623da4216e6f416d36004dd3a650_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\WhDrcBV.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_ec28623da4216e6f416d36004dd3a650_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_ec28623da4216e6f416d36004dd3a650_cobalt-strike_cobaltstrike.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_ec28623da4216e6f416d36004dd3a650_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1860 wrote to memory of 2636 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_ec28623da4216e6f416d36004dd3a650_cobalt-strike_cobaltstrike.exe C:\Windows\System\DNIDYCT.exe
PID 1860 wrote to memory of 2636 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_ec28623da4216e6f416d36004dd3a650_cobalt-strike_cobaltstrike.exe C:\Windows\System\DNIDYCT.exe
PID 1860 wrote to memory of 2636 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_ec28623da4216e6f416d36004dd3a650_cobalt-strike_cobaltstrike.exe C:\Windows\System\DNIDYCT.exe
PID 1860 wrote to memory of 1636 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_ec28623da4216e6f416d36004dd3a650_cobalt-strike_cobaltstrike.exe C:\Windows\System\uZXvvHS.exe
PID 1860 wrote to memory of 1636 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_ec28623da4216e6f416d36004dd3a650_cobalt-strike_cobaltstrike.exe C:\Windows\System\uZXvvHS.exe
PID 1860 wrote to memory of 1636 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_ec28623da4216e6f416d36004dd3a650_cobalt-strike_cobaltstrike.exe C:\Windows\System\uZXvvHS.exe
PID 1860 wrote to memory of 2664 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_ec28623da4216e6f416d36004dd3a650_cobalt-strike_cobaltstrike.exe C:\Windows\System\SPiUxVI.exe
PID 1860 wrote to memory of 2664 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_ec28623da4216e6f416d36004dd3a650_cobalt-strike_cobaltstrike.exe C:\Windows\System\SPiUxVI.exe
PID 1860 wrote to memory of 2664 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_ec28623da4216e6f416d36004dd3a650_cobalt-strike_cobaltstrike.exe C:\Windows\System\SPiUxVI.exe
PID 1860 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_ec28623da4216e6f416d36004dd3a650_cobalt-strike_cobaltstrike.exe C:\Windows\System\aYABSRl.exe
PID 1860 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_ec28623da4216e6f416d36004dd3a650_cobalt-strike_cobaltstrike.exe C:\Windows\System\aYABSRl.exe
PID 1860 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_ec28623da4216e6f416d36004dd3a650_cobalt-strike_cobaltstrike.exe C:\Windows\System\aYABSRl.exe
PID 1860 wrote to memory of 2792 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_ec28623da4216e6f416d36004dd3a650_cobalt-strike_cobaltstrike.exe C:\Windows\System\QWDqrqm.exe
PID 1860 wrote to memory of 2792 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_ec28623da4216e6f416d36004dd3a650_cobalt-strike_cobaltstrike.exe C:\Windows\System\QWDqrqm.exe
PID 1860 wrote to memory of 2792 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_ec28623da4216e6f416d36004dd3a650_cobalt-strike_cobaltstrike.exe C:\Windows\System\QWDqrqm.exe
PID 1860 wrote to memory of 2844 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_ec28623da4216e6f416d36004dd3a650_cobalt-strike_cobaltstrike.exe C:\Windows\System\sCPXniY.exe
PID 1860 wrote to memory of 2844 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_ec28623da4216e6f416d36004dd3a650_cobalt-strike_cobaltstrike.exe C:\Windows\System\sCPXniY.exe
PID 1860 wrote to memory of 2844 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_ec28623da4216e6f416d36004dd3a650_cobalt-strike_cobaltstrike.exe C:\Windows\System\sCPXniY.exe
PID 1860 wrote to memory of 2376 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_ec28623da4216e6f416d36004dd3a650_cobalt-strike_cobaltstrike.exe C:\Windows\System\rYzVUXI.exe
PID 1860 wrote to memory of 2376 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_ec28623da4216e6f416d36004dd3a650_cobalt-strike_cobaltstrike.exe C:\Windows\System\rYzVUXI.exe
PID 1860 wrote to memory of 2376 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_ec28623da4216e6f416d36004dd3a650_cobalt-strike_cobaltstrike.exe C:\Windows\System\rYzVUXI.exe
PID 1860 wrote to memory of 2500 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_ec28623da4216e6f416d36004dd3a650_cobalt-strike_cobaltstrike.exe C:\Windows\System\kfVoYGH.exe
PID 1860 wrote to memory of 2500 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_ec28623da4216e6f416d36004dd3a650_cobalt-strike_cobaltstrike.exe C:\Windows\System\kfVoYGH.exe
PID 1860 wrote to memory of 2500 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_ec28623da4216e6f416d36004dd3a650_cobalt-strike_cobaltstrike.exe C:\Windows\System\kfVoYGH.exe
PID 1860 wrote to memory of 3000 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_ec28623da4216e6f416d36004dd3a650_cobalt-strike_cobaltstrike.exe C:\Windows\System\prnJqjv.exe
PID 1860 wrote to memory of 3000 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_ec28623da4216e6f416d36004dd3a650_cobalt-strike_cobaltstrike.exe C:\Windows\System\prnJqjv.exe
PID 1860 wrote to memory of 3000 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_ec28623da4216e6f416d36004dd3a650_cobalt-strike_cobaltstrike.exe C:\Windows\System\prnJqjv.exe
PID 1860 wrote to memory of 2972 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_ec28623da4216e6f416d36004dd3a650_cobalt-strike_cobaltstrike.exe C:\Windows\System\ndbsVPN.exe
PID 1860 wrote to memory of 2972 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_ec28623da4216e6f416d36004dd3a650_cobalt-strike_cobaltstrike.exe C:\Windows\System\ndbsVPN.exe
PID 1860 wrote to memory of 2972 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_ec28623da4216e6f416d36004dd3a650_cobalt-strike_cobaltstrike.exe C:\Windows\System\ndbsVPN.exe
PID 1860 wrote to memory of 1356 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_ec28623da4216e6f416d36004dd3a650_cobalt-strike_cobaltstrike.exe C:\Windows\System\tjBgRhp.exe
PID 1860 wrote to memory of 1356 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_ec28623da4216e6f416d36004dd3a650_cobalt-strike_cobaltstrike.exe C:\Windows\System\tjBgRhp.exe
PID 1860 wrote to memory of 1356 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_ec28623da4216e6f416d36004dd3a650_cobalt-strike_cobaltstrike.exe C:\Windows\System\tjBgRhp.exe
PID 1860 wrote to memory of 2688 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_ec28623da4216e6f416d36004dd3a650_cobalt-strike_cobaltstrike.exe C:\Windows\System\MHvoCHf.exe
PID 1860 wrote to memory of 2688 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_ec28623da4216e6f416d36004dd3a650_cobalt-strike_cobaltstrike.exe C:\Windows\System\MHvoCHf.exe
PID 1860 wrote to memory of 2688 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_ec28623da4216e6f416d36004dd3a650_cobalt-strike_cobaltstrike.exe C:\Windows\System\MHvoCHf.exe
PID 1860 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_ec28623da4216e6f416d36004dd3a650_cobalt-strike_cobaltstrike.exe C:\Windows\System\fPTwpoi.exe
PID 1860 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_ec28623da4216e6f416d36004dd3a650_cobalt-strike_cobaltstrike.exe C:\Windows\System\fPTwpoi.exe
PID 1860 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_ec28623da4216e6f416d36004dd3a650_cobalt-strike_cobaltstrike.exe C:\Windows\System\fPTwpoi.exe
PID 1860 wrote to memory of 2340 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_ec28623da4216e6f416d36004dd3a650_cobalt-strike_cobaltstrike.exe C:\Windows\System\RJWZWVT.exe
PID 1860 wrote to memory of 2340 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_ec28623da4216e6f416d36004dd3a650_cobalt-strike_cobaltstrike.exe C:\Windows\System\RJWZWVT.exe
PID 1860 wrote to memory of 2340 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_ec28623da4216e6f416d36004dd3a650_cobalt-strike_cobaltstrike.exe C:\Windows\System\RJWZWVT.exe
PID 1860 wrote to memory of 1784 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_ec28623da4216e6f416d36004dd3a650_cobalt-strike_cobaltstrike.exe C:\Windows\System\IqNxFzn.exe
PID 1860 wrote to memory of 1784 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_ec28623da4216e6f416d36004dd3a650_cobalt-strike_cobaltstrike.exe C:\Windows\System\IqNxFzn.exe
PID 1860 wrote to memory of 1784 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_ec28623da4216e6f416d36004dd3a650_cobalt-strike_cobaltstrike.exe C:\Windows\System\IqNxFzn.exe
PID 1860 wrote to memory of 1176 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_ec28623da4216e6f416d36004dd3a650_cobalt-strike_cobaltstrike.exe C:\Windows\System\MVBcHTS.exe
PID 1860 wrote to memory of 1176 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_ec28623da4216e6f416d36004dd3a650_cobalt-strike_cobaltstrike.exe C:\Windows\System\MVBcHTS.exe
PID 1860 wrote to memory of 1176 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_ec28623da4216e6f416d36004dd3a650_cobalt-strike_cobaltstrike.exe C:\Windows\System\MVBcHTS.exe
PID 1860 wrote to memory of 1452 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_ec28623da4216e6f416d36004dd3a650_cobalt-strike_cobaltstrike.exe C:\Windows\System\fsjdSkC.exe
PID 1860 wrote to memory of 1452 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_ec28623da4216e6f416d36004dd3a650_cobalt-strike_cobaltstrike.exe C:\Windows\System\fsjdSkC.exe
PID 1860 wrote to memory of 1452 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_ec28623da4216e6f416d36004dd3a650_cobalt-strike_cobaltstrike.exe C:\Windows\System\fsjdSkC.exe
PID 1860 wrote to memory of 1504 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_ec28623da4216e6f416d36004dd3a650_cobalt-strike_cobaltstrike.exe C:\Windows\System\UUstWaY.exe
PID 1860 wrote to memory of 1504 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_ec28623da4216e6f416d36004dd3a650_cobalt-strike_cobaltstrike.exe C:\Windows\System\UUstWaY.exe
PID 1860 wrote to memory of 1504 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_ec28623da4216e6f416d36004dd3a650_cobalt-strike_cobaltstrike.exe C:\Windows\System\UUstWaY.exe
PID 1860 wrote to memory of 1352 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_ec28623da4216e6f416d36004dd3a650_cobalt-strike_cobaltstrike.exe C:\Windows\System\WhDrcBV.exe
PID 1860 wrote to memory of 1352 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_ec28623da4216e6f416d36004dd3a650_cobalt-strike_cobaltstrike.exe C:\Windows\System\WhDrcBV.exe
PID 1860 wrote to memory of 1352 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_ec28623da4216e6f416d36004dd3a650_cobalt-strike_cobaltstrike.exe C:\Windows\System\WhDrcBV.exe
PID 1860 wrote to memory of 2384 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_ec28623da4216e6f416d36004dd3a650_cobalt-strike_cobaltstrike.exe C:\Windows\System\GuYbRdY.exe
PID 1860 wrote to memory of 2384 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_ec28623da4216e6f416d36004dd3a650_cobalt-strike_cobaltstrike.exe C:\Windows\System\GuYbRdY.exe
PID 1860 wrote to memory of 2384 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_ec28623da4216e6f416d36004dd3a650_cobalt-strike_cobaltstrike.exe C:\Windows\System\GuYbRdY.exe
PID 1860 wrote to memory of 2044 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_ec28623da4216e6f416d36004dd3a650_cobalt-strike_cobaltstrike.exe C:\Windows\System\gfRoYtJ.exe
PID 1860 wrote to memory of 2044 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_ec28623da4216e6f416d36004dd3a650_cobalt-strike_cobaltstrike.exe C:\Windows\System\gfRoYtJ.exe
PID 1860 wrote to memory of 2044 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_ec28623da4216e6f416d36004dd3a650_cobalt-strike_cobaltstrike.exe C:\Windows\System\gfRoYtJ.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-05-22_ec28623da4216e6f416d36004dd3a650_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-05-22_ec28623da4216e6f416d36004dd3a650_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\DNIDYCT.exe

C:\Windows\System\DNIDYCT.exe

C:\Windows\System\uZXvvHS.exe

C:\Windows\System\uZXvvHS.exe

C:\Windows\System\SPiUxVI.exe

C:\Windows\System\SPiUxVI.exe

C:\Windows\System\aYABSRl.exe

C:\Windows\System\aYABSRl.exe

C:\Windows\System\QWDqrqm.exe

C:\Windows\System\QWDqrqm.exe

C:\Windows\System\sCPXniY.exe

C:\Windows\System\sCPXniY.exe

C:\Windows\System\rYzVUXI.exe

C:\Windows\System\rYzVUXI.exe

C:\Windows\System\kfVoYGH.exe

C:\Windows\System\kfVoYGH.exe

C:\Windows\System\prnJqjv.exe

C:\Windows\System\prnJqjv.exe

C:\Windows\System\ndbsVPN.exe

C:\Windows\System\ndbsVPN.exe

C:\Windows\System\tjBgRhp.exe

C:\Windows\System\tjBgRhp.exe

C:\Windows\System\MHvoCHf.exe

C:\Windows\System\MHvoCHf.exe

C:\Windows\System\fPTwpoi.exe

C:\Windows\System\fPTwpoi.exe

C:\Windows\System\RJWZWVT.exe

C:\Windows\System\RJWZWVT.exe

C:\Windows\System\IqNxFzn.exe

C:\Windows\System\IqNxFzn.exe

C:\Windows\System\MVBcHTS.exe

C:\Windows\System\MVBcHTS.exe

C:\Windows\System\fsjdSkC.exe

C:\Windows\System\fsjdSkC.exe

C:\Windows\System\UUstWaY.exe

C:\Windows\System\UUstWaY.exe

C:\Windows\System\WhDrcBV.exe

C:\Windows\System\WhDrcBV.exe

C:\Windows\System\GuYbRdY.exe

C:\Windows\System\GuYbRdY.exe

C:\Windows\System\gfRoYtJ.exe

C:\Windows\System\gfRoYtJ.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp

Files

memory/1860-0-0x000000013FCE0000-0x0000000140031000-memory.dmp

memory/1860-1-0x00000000000F0000-0x0000000000100000-memory.dmp

\Windows\system\DNIDYCT.exe

MD5 e5fdfee7a9d89247aa4cab8bf8c0bb7d
SHA1 07f64ddcd8d88dcf19ffed84a6e81ddef3a08ce9
SHA256 eb9c05ede79fe58d6c7f5cb37011bcb52864ea92a97d6351906e4b577b276190
SHA512 e1738a0cdc398b6aae67909aef0b6c80b842380c96dd72d7cccf572bc4c7836e3a50fc7411b51aaac1124883a23eb7b1d2a1e5e8d5cac66ceaa8f404450e1167

\Windows\system\uZXvvHS.exe

MD5 e972115af3e5d6d037bffd0f58cebd6a
SHA1 712bc9c5e5bf2f4555444e1f2adbb583041855b6
SHA256 b1ec76456da3179bd8e3befd6b261a8a811070371affb5fda5f26f80b074ae14
SHA512 661811069c3c143930dac659cf71704a539dc1bb1d10546fe02f881ed4e70888c297097e557fbbf86af42ee00923f4c7e0eb1b1816f1444bae58803a00584333

memory/2636-13-0x000000013FC20000-0x000000013FF71000-memory.dmp

memory/1860-15-0x0000000002420000-0x0000000002771000-memory.dmp

memory/1636-14-0x000000013FFE0000-0x0000000140331000-memory.dmp

C:\Windows\system\SPiUxVI.exe

MD5 27da3cf9b619eb57cea51e1a41f17c29
SHA1 8f2edc30a37ce646ba5697fab8b1a234f517eccd
SHA256 b4b2d984893a05937063658646153807929d524895db37839e2b170cc05b5fa2
SHA512 3aa0f38a542db607961f2f9fe748b20fd7f61f764f5d49866448674eb52aa303e4b9830b80bc6499e1f41a895b1df4078b02c206ac831b08a49ea2c128f0af83

memory/2664-22-0x000000013F070000-0x000000013F3C1000-memory.dmp

memory/1860-21-0x000000013F070000-0x000000013F3C1000-memory.dmp

C:\Windows\system\aYABSRl.exe

MD5 ddde07ea1aca50046070b00f09245f7a
SHA1 ddea2e1cb263afbedb77b136ba88d3f38edfc0e7
SHA256 27050752fdfa4f365165dd938dc92bbe516eff104be65b7940970c3e2a485314
SHA512 b9125af2cbe0c38ab56d199d922d16e4dcb65ccd193144c6505ab2d525c3951184528d07ed76a27112c21bd0a58e73e5a2ee336fad201d287d60572d6f59695c

memory/2652-29-0x000000013FC60000-0x000000013FFB1000-memory.dmp

\Windows\system\sCPXniY.exe

MD5 4b79c19874de529afc44c5ef2ec2a6b6
SHA1 14c40e53012cd3f3602df30193d6ca03980fdcba
SHA256 f8913c1f5b551bda23b2f8bafb7865b1e10aa7da3ab5f77e9e60c2f2d4db445c
SHA512 8e9087d4053172ac73240fd0ee00d97777bde9863f91ad08f7b6ed6082f5361d653839dcc2f530cc21f72dc7abb94814f0c02e07628b236b97c2c0c1b07ce787

memory/1860-37-0x000000013F280000-0x000000013F5D1000-memory.dmp

memory/1860-38-0x000000013F030000-0x000000013F381000-memory.dmp

C:\Windows\system\QWDqrqm.exe

MD5 9854a0163fc08964d524be56dd69950c
SHA1 67fd48319f9e402449c54b97011e7d56d7a74eb2
SHA256 3b9a7636e9f0039ad42cd234010331087218925b20c63325f4186910b3a06814
SHA512 933646bca68d5d0020a9821935ea5e9b449d493ecd189edf4351f9db18eb33c18f5e8c083c5e39e35f3c40bc21f2d79e8f604d5a0e6b87c79824928661ef0305

memory/2844-39-0x000000013F030000-0x000000013F381000-memory.dmp

memory/2792-42-0x000000013F280000-0x000000013F5D1000-memory.dmp

memory/2376-50-0x000000013F680000-0x000000013F9D1000-memory.dmp

memory/2500-57-0x000000013F1F0000-0x000000013F541000-memory.dmp

C:\Windows\system\prnJqjv.exe

MD5 0fcf7824c21d27a66906a906e4d1956d
SHA1 f2d2f310e670accaa21c8cacd3dd67503c506388
SHA256 5625629355e181569c1cec47aa72edd568c140f79e77657ec7e20a66f428f498
SHA512 95606bc79af1ffc71fd56b4c08d9f71b2d60137f6e5c14bf37bc5591da432c51edea9bfdd0a3abfb90a5888967a668dd684f4489f4494c354bd34a1d9374e712

memory/3000-62-0x000000013F3F0000-0x000000013F741000-memory.dmp

memory/2972-69-0x000000013F730000-0x000000013FA81000-memory.dmp

memory/1860-68-0x000000013F730000-0x000000013FA81000-memory.dmp

memory/1356-75-0x000000013F270000-0x000000013F5C1000-memory.dmp

C:\Windows\system\MHvoCHf.exe

MD5 fe7652d7e7df06849537121af1c36b11
SHA1 f0bdf470cf4c7b84ff07ec2e35585940868215fb
SHA256 0fa7b162d5cb30147cd372cb8c9a75f7bc142f993f9012403f840aa6bc87bb6a
SHA512 b31e6ade30075c782b5777cb7b46334250c1cb7ff28275cf5f80c4891c10538cf6ad3ab148f28b6423a3c24a2601b83083c27a9c2990542a7941752072f98c90

memory/2688-82-0x000000013FCB0000-0x0000000140001000-memory.dmp

C:\Windows\system\fPTwpoi.exe

MD5 ac5522c8d8eb425bbad630904d63b528
SHA1 37b7cb8f61790daa510a1d917ab54e20267333b8
SHA256 6c2929eb975c74d57551cfdcc9aa005faa7eaa793fd1cf129cf9857b274f8cd2
SHA512 33c1ae70bdf8e0669bb7b1b918890c48a99ff2f809e384ebe16c481b7426a780347fd812aa59dcf02559a6af641fa4f77bffab0e29b4f8928143b24b812ca0f3

C:\Windows\system\RJWZWVT.exe

MD5 1859bd4020bde4d751048f798f84538b
SHA1 85b407592493595ca796701c5717b7e3cac5f4b7
SHA256 d81e6fa7e101837efc6f1d1783828f720a3f4fa70421794024a28eee5e6741b7
SHA512 96b870d3ed3f319b0efea1995429e5c6bb20129107514d52d69ff0159c7865e8bf23ea5b439818e0ee25c7ffa426d5373776a7e5c61ce02a534ca8c80e6c9d33

C:\Windows\system\fsjdSkC.exe

MD5 4e87de12faba38ff042589ab63c953d6
SHA1 b951f001fc4e4b345cab71d2d25e2708030769f4
SHA256 7ee1daf7bf68376118c593fccd7b666be5e1ab22358e144c807b51c02abfa9cf
SHA512 9e2859ee856ebfae9e95335e932240567e4abb466c0ef4e203ce0a2cd46d873e5cc100c325a9bc1bb70690582510031a60b7ed5a22bf796b488dc45b26566906

\Windows\system\gfRoYtJ.exe

MD5 3b3ade7a16e40bdef9d4f1082cb6ad48
SHA1 d1b024b74b0e008fd66a829c69f5d35d0425b1e5
SHA256 ba8d696b390e6f345c85f62972e05f991e5d20a2a4a711a48bf0188467fd46cd
SHA512 fae32ffa89f16b782792f3b81a8e7e249ad75167b1c27087966f483202de64b5bb58549de2a31f6ea39aacf3d72b778d898eb6565b882b23ce28d9553f750222

C:\Windows\system\GuYbRdY.exe

MD5 779335ce386324b61b6e75545dab12a6
SHA1 fdb6246b53c8e242ed7b0df069a927cea3cd19cb
SHA256 7286a3fcb667a05fe9ab54bd22ec9c641ed544023c90bfb85bb3e6a74e09abdc
SHA512 9d3fd319839bf3a0e09abc72229f033992913acf376f9366c71778be2ea9704e7f93c4e03ea4afbfb1501fb85a38f14235ac9b45e6286513473ad133e1dd34ee

C:\Windows\system\WhDrcBV.exe

MD5 0d22ca626e7426b2a3617a17d85389ed
SHA1 2d070d709110c7a1c53c072690c2733aedc401af
SHA256 115794446e109c2410cee4ac5f8a20fbe91e6c84f45ecbf4f5c323e5478c394a
SHA512 d12793eea2d840aece9353ca8fc86a8ba36561053a77481d49ce7aff9dfbe7fb55d8f1211e0e87ae9ddc9a1a853020156d522af58144c5c4f1b1005797c70ffd

C:\Windows\system\UUstWaY.exe

MD5 faf56dda40ecf1181f1b8563ef05ce91
SHA1 3dbb866b4ee9b4b59bcfdc3d97d096a81d6ca75f
SHA256 17e0f46b9f15ef80b0434cd666374f308580d4b918fddf8656f4a3f38e767e92
SHA512 db15bc2626f975728801cd87f86d4ba1409882436a8f3be89a913756da8ee79fc0f296527b5795dc6264e19b731c1c55b963d44cfede6fe014dd11feb3a6b523

C:\Windows\system\MVBcHTS.exe

MD5 1919c800658df9bbe70c8d1b89ed1690
SHA1 fb92f7a0370a5e51179f3e0c8c0fdd16ad761b0a
SHA256 c15435ff8ce900b5fadb6dd03f7956e9767de009bccdda03a03330bf9128f79d
SHA512 122675b00ed6dd6dfce5a0d4ae059a03d91ebf70f33c5d7aa0af505ddcedc0fc3ccdb2d93be01dc1990f013f2e31762a040012aa6f2bec24e4a139ba4297eff8

memory/1860-104-0x000000013F570000-0x000000013F8C1000-memory.dmp

C:\Windows\system\IqNxFzn.exe

MD5 28ef57987a44e99de08e21bee34bf789
SHA1 b0ce949ed33dffd1bcb7951376eed65c2d3a7304
SHA256 2d233cedf5f47051c535d70199215ed785d1ea4a96fb509c8371ceeade95761a
SHA512 58d2a0764552a1adcc2334f952675d873d9ccd4dbccf5cc2135f348f057e42fbe1eecd8b92608b9924bfe2175024d64733e59cadea48061f13038e8d5fd558d2

memory/2340-99-0x000000013F870000-0x000000013FBC1000-memory.dmp

memory/1860-98-0x000000013F870000-0x000000013FBC1000-memory.dmp

memory/2792-97-0x000000013F280000-0x000000013F5D1000-memory.dmp

memory/2772-91-0x000000013FE50000-0x00000001401A1000-memory.dmp

memory/2844-90-0x000000013F030000-0x000000013F381000-memory.dmp

memory/1860-86-0x0000000002420000-0x0000000002771000-memory.dmp

memory/1860-81-0x0000000002420000-0x0000000002771000-memory.dmp

memory/1860-74-0x000000013F270000-0x000000013F5C1000-memory.dmp

C:\Windows\system\tjBgRhp.exe

MD5 622f320eb2b1b9a3cbc05417facb8ebf
SHA1 b3d5f4419333d7a65fc15dad97d01eac541e9639
SHA256 8988dfecee62f0be96efb11541064b201e481235d59717bc6b34ccd818507c50
SHA512 89bb99c23a1c9ef945d9e55c5e9d66217afcb0fe12a8ac2a20a7d7788e6e01fcf44312755b030355a18db12ffc90aaf6920ab9dd58dd7aa79361c3d0a21b4ebe

C:\Windows\system\ndbsVPN.exe

MD5 21ede488b8c37299505de90d50824bae
SHA1 3e7a89e8e79ca40ec5e2717bf603213f8def7579
SHA256 c95c923edf5646e022eb7d92ba1c37cda1eadee1e051de7d0459e5e4f23d4faa
SHA512 d7b2d8c2fc3af7d2057848971e39540e04127bd90943d976640029c14d2ed0561aadd7ae65ca0d00bff4ca947edba5c1ff081ed0a6b6bf93691b8dc6b8dad012

memory/1860-49-0x000000013FCE0000-0x0000000140031000-memory.dmp

memory/2636-56-0x000000013FC20000-0x000000013FF71000-memory.dmp

C:\Windows\system\rYzVUXI.exe

MD5 bf947c2ba856961f508c0bec91ec6ce0
SHA1 4141a697d21c2252315681bc9d596c63a75f3dc0
SHA256 e8828fa8af17571b2fb985b8e7dba1a8f0f1d72bbbd14436de12a7d1536b5a37
SHA512 d9d7ee3a9e423d65c2f2d634ac0818015870a2daacd2af11fca7c5290416a37c00d7cabf3a5edb321a65a4272b7a1e3bae6dd711df9297f5108db4c410e8fbd8

C:\Windows\system\kfVoYGH.exe

MD5 f0d16cc4506f85bf741bb732da1fc9e9
SHA1 437287ec6777e9a08bab4d837a26fc76754b32eb
SHA256 be46c3958e4652151db8bcb21cafc90e719ba5e310e5cafdc50d87af2e69d258
SHA512 436d6838f1131b3773c9fae9c1bb07f72082018fcfbe082991d19fa255e607219cbe819b4f2c2262e5bc9eeb96ef189eec1334c4c5e7866830709bcf7102c117

memory/1860-136-0x000000013FCE0000-0x0000000140031000-memory.dmp

memory/3000-140-0x000000013F3F0000-0x000000013F741000-memory.dmp

memory/1860-139-0x000000013F3F0000-0x000000013F741000-memory.dmp

memory/1860-28-0x0000000002420000-0x0000000002771000-memory.dmp

memory/2972-153-0x000000013F730000-0x000000013FA81000-memory.dmp

memory/1860-152-0x000000013F730000-0x000000013FA81000-memory.dmp

memory/2772-151-0x000000013FE50000-0x00000001401A1000-memory.dmp

memory/2688-150-0x000000013FCB0000-0x0000000140001000-memory.dmp

memory/1356-149-0x000000013F270000-0x000000013F5C1000-memory.dmp

memory/1504-158-0x000000013F890000-0x000000013FBE1000-memory.dmp

memory/2044-161-0x000000013F490000-0x000000013F7E1000-memory.dmp

memory/1860-162-0x000000013F270000-0x000000013F5C1000-memory.dmp

memory/2384-160-0x000000013FB60000-0x000000013FEB1000-memory.dmp

memory/1352-159-0x000000013F090000-0x000000013F3E1000-memory.dmp

memory/1452-157-0x000000013F040000-0x000000013F391000-memory.dmp

memory/1176-156-0x000000013FC50000-0x000000013FFA1000-memory.dmp

memory/1784-155-0x000000013F570000-0x000000013F8C1000-memory.dmp

memory/2340-154-0x000000013F870000-0x000000013FBC1000-memory.dmp

memory/1860-163-0x0000000002420000-0x0000000002771000-memory.dmp

memory/1860-164-0x000000013FCE0000-0x0000000140031000-memory.dmp

memory/1860-186-0x000000013F870000-0x000000013FBC1000-memory.dmp

memory/1860-187-0x000000013F570000-0x000000013F8C1000-memory.dmp

memory/1636-212-0x000000013FFE0000-0x0000000140331000-memory.dmp

memory/2636-213-0x000000013FC20000-0x000000013FF71000-memory.dmp

memory/2664-217-0x000000013F070000-0x000000013F3C1000-memory.dmp

memory/2652-219-0x000000013FC60000-0x000000013FFB1000-memory.dmp

memory/2844-221-0x000000013F030000-0x000000013F381000-memory.dmp

memory/2792-223-0x000000013F280000-0x000000013F5D1000-memory.dmp

memory/2500-227-0x000000013F1F0000-0x000000013F541000-memory.dmp

memory/2376-226-0x000000013F680000-0x000000013F9D1000-memory.dmp

memory/3000-229-0x000000013F3F0000-0x000000013F741000-memory.dmp

memory/2972-231-0x000000013F730000-0x000000013FA81000-memory.dmp

memory/1356-233-0x000000013F270000-0x000000013F5C1000-memory.dmp

memory/2688-235-0x000000013FCB0000-0x0000000140001000-memory.dmp

memory/2772-246-0x000000013FE50000-0x00000001401A1000-memory.dmp

memory/2340-248-0x000000013F870000-0x000000013FBC1000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-22 21:05

Reported

2024-05-22 21:08

Platform

win10v2004-20240226-en

Max time kernel

147s

Max time network

161s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-05-22_ec28623da4216e6f416d36004dd3a650_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\CtOGfju.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_ec28623da4216e6f416d36004dd3a650_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\neNjBMR.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_ec28623da4216e6f416d36004dd3a650_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\bumIaHt.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_ec28623da4216e6f416d36004dd3a650_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\hyiFsme.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_ec28623da4216e6f416d36004dd3a650_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\uVJkThk.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_ec28623da4216e6f416d36004dd3a650_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\KwTayzX.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_ec28623da4216e6f416d36004dd3a650_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\aOQOEad.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_ec28623da4216e6f416d36004dd3a650_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\NktLLrA.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_ec28623da4216e6f416d36004dd3a650_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\SAdvvJq.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_ec28623da4216e6f416d36004dd3a650_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\vKaEZyO.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_ec28623da4216e6f416d36004dd3a650_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\NblqKCw.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_ec28623da4216e6f416d36004dd3a650_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\YIwHDWh.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_ec28623da4216e6f416d36004dd3a650_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\tZhCXyr.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_ec28623da4216e6f416d36004dd3a650_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\FduWFuF.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_ec28623da4216e6f416d36004dd3a650_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\IeTZjNw.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_ec28623da4216e6f416d36004dd3a650_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\jsFWlzM.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_ec28623da4216e6f416d36004dd3a650_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\wCLriVk.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_ec28623da4216e6f416d36004dd3a650_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\gJofWMp.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_ec28623da4216e6f416d36004dd3a650_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\FtkJRyO.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_ec28623da4216e6f416d36004dd3a650_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\LlfoscR.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_ec28623da4216e6f416d36004dd3a650_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\uXmelZL.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_ec28623da4216e6f416d36004dd3a650_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_ec28623da4216e6f416d36004dd3a650_cobalt-strike_cobaltstrike.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_ec28623da4216e6f416d36004dd3a650_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4380 wrote to memory of 2728 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_ec28623da4216e6f416d36004dd3a650_cobalt-strike_cobaltstrike.exe C:\Windows\System\KwTayzX.exe
PID 4380 wrote to memory of 2728 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_ec28623da4216e6f416d36004dd3a650_cobalt-strike_cobaltstrike.exe C:\Windows\System\KwTayzX.exe
PID 4380 wrote to memory of 4984 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_ec28623da4216e6f416d36004dd3a650_cobalt-strike_cobaltstrike.exe C:\Windows\System\wCLriVk.exe
PID 4380 wrote to memory of 4984 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_ec28623da4216e6f416d36004dd3a650_cobalt-strike_cobaltstrike.exe C:\Windows\System\wCLriVk.exe
PID 4380 wrote to memory of 4024 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_ec28623da4216e6f416d36004dd3a650_cobalt-strike_cobaltstrike.exe C:\Windows\System\aOQOEad.exe
PID 4380 wrote to memory of 4024 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_ec28623da4216e6f416d36004dd3a650_cobalt-strike_cobaltstrike.exe C:\Windows\System\aOQOEad.exe
PID 4380 wrote to memory of 1284 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_ec28623da4216e6f416d36004dd3a650_cobalt-strike_cobaltstrike.exe C:\Windows\System\gJofWMp.exe
PID 4380 wrote to memory of 1284 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_ec28623da4216e6f416d36004dd3a650_cobalt-strike_cobaltstrike.exe C:\Windows\System\gJofWMp.exe
PID 4380 wrote to memory of 1212 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_ec28623da4216e6f416d36004dd3a650_cobalt-strike_cobaltstrike.exe C:\Windows\System\SAdvvJq.exe
PID 4380 wrote to memory of 1212 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_ec28623da4216e6f416d36004dd3a650_cobalt-strike_cobaltstrike.exe C:\Windows\System\SAdvvJq.exe
PID 4380 wrote to memory of 3012 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_ec28623da4216e6f416d36004dd3a650_cobalt-strike_cobaltstrike.exe C:\Windows\System\NktLLrA.exe
PID 4380 wrote to memory of 3012 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_ec28623da4216e6f416d36004dd3a650_cobalt-strike_cobaltstrike.exe C:\Windows\System\NktLLrA.exe
PID 4380 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_ec28623da4216e6f416d36004dd3a650_cobalt-strike_cobaltstrike.exe C:\Windows\System\FtkJRyO.exe
PID 4380 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_ec28623da4216e6f416d36004dd3a650_cobalt-strike_cobaltstrike.exe C:\Windows\System\FtkJRyO.exe
PID 4380 wrote to memory of 1776 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_ec28623da4216e6f416d36004dd3a650_cobalt-strike_cobaltstrike.exe C:\Windows\System\YIwHDWh.exe
PID 4380 wrote to memory of 1776 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_ec28623da4216e6f416d36004dd3a650_cobalt-strike_cobaltstrike.exe C:\Windows\System\YIwHDWh.exe
PID 4380 wrote to memory of 4572 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_ec28623da4216e6f416d36004dd3a650_cobalt-strike_cobaltstrike.exe C:\Windows\System\tZhCXyr.exe
PID 4380 wrote to memory of 4572 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_ec28623da4216e6f416d36004dd3a650_cobalt-strike_cobaltstrike.exe C:\Windows\System\tZhCXyr.exe
PID 4380 wrote to memory of 680 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_ec28623da4216e6f416d36004dd3a650_cobalt-strike_cobaltstrike.exe C:\Windows\System\FduWFuF.exe
PID 4380 wrote to memory of 680 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_ec28623da4216e6f416d36004dd3a650_cobalt-strike_cobaltstrike.exe C:\Windows\System\FduWFuF.exe
PID 4380 wrote to memory of 776 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_ec28623da4216e6f416d36004dd3a650_cobalt-strike_cobaltstrike.exe C:\Windows\System\CtOGfju.exe
PID 4380 wrote to memory of 776 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_ec28623da4216e6f416d36004dd3a650_cobalt-strike_cobaltstrike.exe C:\Windows\System\CtOGfju.exe
PID 4380 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_ec28623da4216e6f416d36004dd3a650_cobalt-strike_cobaltstrike.exe C:\Windows\System\neNjBMR.exe
PID 4380 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_ec28623da4216e6f416d36004dd3a650_cobalt-strike_cobaltstrike.exe C:\Windows\System\neNjBMR.exe
PID 4380 wrote to memory of 3752 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_ec28623da4216e6f416d36004dd3a650_cobalt-strike_cobaltstrike.exe C:\Windows\System\bumIaHt.exe
PID 4380 wrote to memory of 3752 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_ec28623da4216e6f416d36004dd3a650_cobalt-strike_cobaltstrike.exe C:\Windows\System\bumIaHt.exe
PID 4380 wrote to memory of 1060 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_ec28623da4216e6f416d36004dd3a650_cobalt-strike_cobaltstrike.exe C:\Windows\System\hyiFsme.exe
PID 4380 wrote to memory of 1060 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_ec28623da4216e6f416d36004dd3a650_cobalt-strike_cobaltstrike.exe C:\Windows\System\hyiFsme.exe
PID 4380 wrote to memory of 2792 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_ec28623da4216e6f416d36004dd3a650_cobalt-strike_cobaltstrike.exe C:\Windows\System\IeTZjNw.exe
PID 4380 wrote to memory of 2792 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_ec28623da4216e6f416d36004dd3a650_cobalt-strike_cobaltstrike.exe C:\Windows\System\IeTZjNw.exe
PID 4380 wrote to memory of 3380 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_ec28623da4216e6f416d36004dd3a650_cobalt-strike_cobaltstrike.exe C:\Windows\System\jsFWlzM.exe
PID 4380 wrote to memory of 3380 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_ec28623da4216e6f416d36004dd3a650_cobalt-strike_cobaltstrike.exe C:\Windows\System\jsFWlzM.exe
PID 4380 wrote to memory of 3172 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_ec28623da4216e6f416d36004dd3a650_cobalt-strike_cobaltstrike.exe C:\Windows\System\LlfoscR.exe
PID 4380 wrote to memory of 3172 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_ec28623da4216e6f416d36004dd3a650_cobalt-strike_cobaltstrike.exe C:\Windows\System\LlfoscR.exe
PID 4380 wrote to memory of 524 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_ec28623da4216e6f416d36004dd3a650_cobalt-strike_cobaltstrike.exe C:\Windows\System\uXmelZL.exe
PID 4380 wrote to memory of 524 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_ec28623da4216e6f416d36004dd3a650_cobalt-strike_cobaltstrike.exe C:\Windows\System\uXmelZL.exe
PID 4380 wrote to memory of 4584 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_ec28623da4216e6f416d36004dd3a650_cobalt-strike_cobaltstrike.exe C:\Windows\System\vKaEZyO.exe
PID 4380 wrote to memory of 4584 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_ec28623da4216e6f416d36004dd3a650_cobalt-strike_cobaltstrike.exe C:\Windows\System\vKaEZyO.exe
PID 4380 wrote to memory of 4084 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_ec28623da4216e6f416d36004dd3a650_cobalt-strike_cobaltstrike.exe C:\Windows\System\uVJkThk.exe
PID 4380 wrote to memory of 4084 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_ec28623da4216e6f416d36004dd3a650_cobalt-strike_cobaltstrike.exe C:\Windows\System\uVJkThk.exe
PID 4380 wrote to memory of 3640 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_ec28623da4216e6f416d36004dd3a650_cobalt-strike_cobaltstrike.exe C:\Windows\System\NblqKCw.exe
PID 4380 wrote to memory of 3640 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_ec28623da4216e6f416d36004dd3a650_cobalt-strike_cobaltstrike.exe C:\Windows\System\NblqKCw.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-05-22_ec28623da4216e6f416d36004dd3a650_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-05-22_ec28623da4216e6f416d36004dd3a650_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\KwTayzX.exe

C:\Windows\System\KwTayzX.exe

C:\Windows\System\wCLriVk.exe

C:\Windows\System\wCLriVk.exe

C:\Windows\System\aOQOEad.exe

C:\Windows\System\aOQOEad.exe

C:\Windows\System\gJofWMp.exe

C:\Windows\System\gJofWMp.exe

C:\Windows\System\SAdvvJq.exe

C:\Windows\System\SAdvvJq.exe

C:\Windows\System\NktLLrA.exe

C:\Windows\System\NktLLrA.exe

C:\Windows\System\FtkJRyO.exe

C:\Windows\System\FtkJRyO.exe

C:\Windows\System\YIwHDWh.exe

C:\Windows\System\YIwHDWh.exe

C:\Windows\System\tZhCXyr.exe

C:\Windows\System\tZhCXyr.exe

C:\Windows\System\FduWFuF.exe

C:\Windows\System\FduWFuF.exe

C:\Windows\System\CtOGfju.exe

C:\Windows\System\CtOGfju.exe

C:\Windows\System\neNjBMR.exe

C:\Windows\System\neNjBMR.exe

C:\Windows\System\bumIaHt.exe

C:\Windows\System\bumIaHt.exe

C:\Windows\System\hyiFsme.exe

C:\Windows\System\hyiFsme.exe

C:\Windows\System\IeTZjNw.exe

C:\Windows\System\IeTZjNw.exe

C:\Windows\System\jsFWlzM.exe

C:\Windows\System\jsFWlzM.exe

C:\Windows\System\LlfoscR.exe

C:\Windows\System\LlfoscR.exe

C:\Windows\System\uXmelZL.exe

C:\Windows\System\uXmelZL.exe

C:\Windows\System\vKaEZyO.exe

C:\Windows\System\vKaEZyO.exe

C:\Windows\System\uVJkThk.exe

C:\Windows\System\uVJkThk.exe

C:\Windows\System\NblqKCw.exe

C:\Windows\System\NblqKCw.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3680 --field-trial-handle=2280,i,716736634476467098,11449718822158202904,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 249.197.17.2.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 123.10.44.20.in-addr.arpa udp

Files

memory/4380-0-0x00007FF6AF440000-0x00007FF6AF791000-memory.dmp

memory/4380-1-0x000001D3CD6D0000-0x000001D3CD6E0000-memory.dmp

C:\Windows\System\KwTayzX.exe

MD5 d81dfbdfebf5ddf7da1d343b0d902f0a
SHA1 20d6fd309cc1c6ba8631efe89c47e143d5807c40
SHA256 8ecee6c19b69c7c9e7a16c3768c2e912edb4923b8e69b1fe9f75e9cf3cb77951
SHA512 06d3af01435b241e96a8efc2c6c43108084ac51161675c94c17aa0e889e20ca9676e38b3efa073d0efa41b1b4b9e09d10fa31d0e49089c62594f3d6a2856d231

memory/2728-7-0x00007FF7AC020000-0x00007FF7AC371000-memory.dmp

C:\Windows\System\wCLriVk.exe

MD5 194afdcbccf03c189e58521f4aa1fe9e
SHA1 c5c0295ea833e6fdc81d1cf21bf84e7d4bf6e403
SHA256 efcf12f3a47c64fea93682268f582e8ed8531e278eb8da2527af10abce1dfe9b
SHA512 5cfb30657e87bf2718835840e6e57ff81d454e164e6aec375e8b97f6beca4c0fe3a842e25a74514232d26597a3d2a4d6075cd5f6fde664a6b68320c16dde789d

C:\Windows\System\aOQOEad.exe

MD5 953613e387ce95f2f3a9776412f23387
SHA1 80041387a96ba61955e584c5ad3406097f8b32ff
SHA256 3786f991f29a40cbbc6767a8d5b3e16e15b254b2e93b8598fb06ee0360e83ffb
SHA512 73948dea703d5cf9457c47eb3c829d6e9b76410cf4b3391840be1a1bfd23f325131e23784c084c6216c9fb96b275c05ba0799773a15d0c876f5062df283c08e0

memory/4984-14-0x00007FF7AAB60000-0x00007FF7AAEB1000-memory.dmp

memory/4024-20-0x00007FF6A22F0000-0x00007FF6A2641000-memory.dmp

C:\Windows\System\gJofWMp.exe

MD5 79afe3e45fc8c0e96c0aef99da926441
SHA1 55a7f2bc6f9afa46bb307ef9dae28fa5a54eb6d1
SHA256 b0527a729d3919e6046b31e3fbc7c400a4814755e7fb383327a78ce980fa51b6
SHA512 5e3218c26522d9e07308a10e878a84275a2aacc60b8669702f5c51c50b159345b92ce6b0583651b69b0f28d255ca47653f6ad2b8349a7a23ff69002600b77ae1

memory/1284-26-0x00007FF7030C0000-0x00007FF703411000-memory.dmp

C:\Windows\System\SAdvvJq.exe

MD5 2d4cedce6a4dc482b9428fc606acc727
SHA1 efb2c760f0bdcbd459cad7b52cb38a014002aecf
SHA256 b3c94f0862e99bfd02dee8f485257b849d533d5193b43deb77b673fa69817202
SHA512 cbe81c2762680447fdcf75f6e139e70a00910831d0b3a382a940d34e7263cb22e2570176463e38d3aea921b6e260633ab03cfdd8f5e881eca9458ead987c6da4

memory/1212-32-0x00007FF79A310000-0x00007FF79A661000-memory.dmp

C:\Windows\System\NktLLrA.exe

MD5 cf95643e96284076743d56d66b6a911f
SHA1 82f39bc436a9eb189982ff7d1c6e793f524f7c40
SHA256 f8d24599ac76caa47d4447352a266c07d4814be06ddc5d4372d54fa376764e1f
SHA512 6a9c986379720bb935d31a822a57863696e486bde6851f9b1a194bfe6288b45a65220a749f72f30b7d30bc695fcdd409c7f09c84f5cd43c30a8d693c7a97cda5

memory/3012-38-0x00007FF60FE60000-0x00007FF6101B1000-memory.dmp

C:\Windows\System\FtkJRyO.exe

MD5 a65dc02bbb2eab6cbe60eb9c2fa3c92c
SHA1 e01d8c16395fe879ba089e3030fbc59d40cbae62
SHA256 90e76881216360e607f2104fdfb280b9f87be0e91f52d55f861d99cbe27b8b30
SHA512 c6f49e7f541367d705ffa553702b4bc57edd7d5a2579220cd85f5eb7b6b8dd8a8acc96c4e47df6a58385eebdb3354b9e2ad1e7a2bd9ffbb9b8c1ced989ebcbbc

memory/2820-44-0x00007FF7C9050000-0x00007FF7C93A1000-memory.dmp

C:\Windows\System\YIwHDWh.exe

MD5 262f2d44f78bfd9b8154dd1a3191a34f
SHA1 c490faed448b3fa52c3114740f9e301bbb05f3dc
SHA256 4233ba3b8eb7d594904c83a3f8f3a92427b2a90f44e3f5ea2add5f3f73f2bd04
SHA512 2ea6646d476b31d44b938fb953c7bfe2380bcd735b1aed26917bb6cc62425736512c35bd77e60fafe851fe114ebe26d29eadbd39a2f982692b89f0935a293cb3

memory/1776-50-0x00007FF71A640000-0x00007FF71A991000-memory.dmp

C:\Windows\System\tZhCXyr.exe

MD5 dfbe4c989296e92005f9bc5d49ff1f78
SHA1 ff391838ada30a14632849ecb6fb7375e9b3607a
SHA256 811981cc23e5feea03c8dd99dd4dbb16af617fbffa36db1540f3c0b9a31787c2
SHA512 ec984d89de10550e19ad7a48fea29a0eaeaec764d31da612f0bd6b2e227d2d51ae01ad7ea50edceeb078468ee456daf73bc8f950f2b2844cfc961ff87ce70633

memory/4380-55-0x00007FF6AF440000-0x00007FF6AF791000-memory.dmp

memory/4572-57-0x00007FF792C20000-0x00007FF792F71000-memory.dmp

C:\Windows\System\FduWFuF.exe

MD5 284bd7ca385967563d2597a0e602ff51
SHA1 77fbdf0003d3f9b42c3a834a61b4af55edae1a4a
SHA256 29b265981412f811b0b1b253e76303ca86053dc7dc7224347688fa370f1206dd
SHA512 6b3340196dc084f62e69f842b50b69bf69b5eec2418b61423ba1155798c51b39cfe882059fc982bbf09e54e766d7f5a5630ed1bd167c7b715ef4543a55bf23e3

C:\Windows\System\CtOGfju.exe

MD5 a25491ccc9263b8dcd74f803e4f0c42d
SHA1 67a2d8c1cbfaf31ae4721f86151384779c007a72
SHA256 9c5e41967236d259655dc0785f1bd3f765eff8f3fd394d1f32b1803d91cd1464
SHA512 59afdc9391582e9931e0228e47194f1f94d708cabb333bbdbb8b3d08b91b8e3cc65cfcc6cff82aa72027da0f2d4c40aecdb71013b0e0659e0d855a18dffcf4f8

memory/2728-69-0x00007FF7AC020000-0x00007FF7AC371000-memory.dmp

memory/776-70-0x00007FF7B3480000-0x00007FF7B37D1000-memory.dmp

memory/680-63-0x00007FF7820F0000-0x00007FF782441000-memory.dmp

C:\Windows\System\neNjBMR.exe

MD5 112237c3f4d7c20ce2d8635ad4d7546e
SHA1 91198b7a33b347d9229649c7c3fff93c989cc49e
SHA256 0d1f07fcad8a2c947e2124b3252a70017684cd7ca4a5ccec834da94985c97e4d
SHA512 40cb345d2c6b201ba15cf7f409ecef0d39846814c5285eda8881c568bccbb40721e2c3afb4721654a8c36f6d10798870277aab2b893dbe1fb2fafe41f14173ba

memory/4984-75-0x00007FF7AAB60000-0x00007FF7AAEB1000-memory.dmp

C:\Windows\System\bumIaHt.exe

MD5 597790784c7461bf3f2bf1384358f32b
SHA1 f783b6900b82ab636f03b32a1a0948897a5aa1d4
SHA256 656cb72abe8bd3691c14c7bf5b620156e26b37ec223245ad36cd728510521b8b
SHA512 ddd0516976a745b9c96395f5233c944e5bfb7625e3b931f2c819c6c17b40c3a9b24766aba0b0411317e3bc8f772fa636ad5c33a3664b6b646127767b030485d0

C:\Windows\System\hyiFsme.exe

MD5 343f612152bdb5687f9fad1728902c74
SHA1 59c8a408ef6bced660cc395f0d753096ce43bf04
SHA256 07f8e2fe1cce8fd677f3142b3ad97dd0f132c4cef4897c44d37e077b48cccf88
SHA512 e128ef0f09e97a667ad11c559f50a13344c1b82e0ef1ec2974e8874fd0728966cf7edabe17935e2fe2a5e196e69f201ba8d645e5b7b4ce566383b40fd6e92794

C:\Windows\System\IeTZjNw.exe

MD5 4165819c363e28f3e7f995363514f537
SHA1 cea118dae5c70e434e3aa1310ce3ce0fadde81dc
SHA256 202e09fbd4743a2b74d15addab29c8889ffae4acc5598a30f659b688303ed09a
SHA512 2f22a41cc2e2df9ad8c5d4e623956acee61f7dbe99e49dbfe4f656e0ceb8b7418a830ae008748ee61fef90a19581fddee8c73d7c5b6f0986f64ed433859d5d2d

memory/4024-94-0x00007FF6A22F0000-0x00007FF6A2641000-memory.dmp

C:\Windows\System\jsFWlzM.exe

MD5 37aab6796a60dbaece4a092f4c5e648c
SHA1 229c9a7941dd9f45411e05acd98e4b03b883ae06
SHA256 058835f15462bba20556c2bcf8e667ea63c708a883e8b6ed1125c54df0a1aa30
SHA512 3f73a0aa53415ee65c484a33b5a7b9bfd1795e3dc1f6c0b372c1e62de518be32606c2c0be03da788c714be9e2db4c5e92514d987817e76906d62d4aaaa43a5f2

memory/2492-98-0x00007FF6CE160000-0x00007FF6CE4B1000-memory.dmp

memory/1284-95-0x00007FF7030C0000-0x00007FF703411000-memory.dmp

C:\Windows\System\LlfoscR.exe

MD5 d0976774d1e9974681e5187d34dc1538
SHA1 d0bb1d762cd012c9b734dca7476da6bf50f4934f
SHA256 291effeb8681cbd606921a74c2e8cf155201d9663ce8d7a57951ac65b8f33656
SHA512 d16ee535f372aa279fd8189ab38b7b939bf76e3c954ec818b309ce5e434d7fb5010aa8c764464374369f8856cb3004ab36ce3dca4e849f964e508128982986f7

memory/1212-108-0x00007FF79A310000-0x00007FF79A661000-memory.dmp

memory/2792-109-0x00007FF7AEC10000-0x00007FF7AEF61000-memory.dmp

memory/3752-112-0x00007FF7F69A0000-0x00007FF7F6CF1000-memory.dmp

memory/524-118-0x00007FF79C210000-0x00007FF79C561000-memory.dmp

C:\Windows\System\uXmelZL.exe

MD5 68085f3cdf22d129709d067fc2a64974
SHA1 48879cb595c7ae5d035ad3a5f27e5d9167d5217d
SHA256 1d10c8a0639984ff10e98ae28493f958706925be52c6ec159c366b9f2f5e2a11
SHA512 6cc22e5c54331ec6f5ba8e56fcd17037c3b0048999ca4cf0ec3285da5569da733652ab4b6e8202a0f5ed915a5b2ba043692ee643796ad41ee0c8b71b2e18da3a

C:\Windows\System\vKaEZyO.exe

MD5 fb0291f12b975cb5c8dfdbcd0d7b50ca
SHA1 1d4ea853381c99b82e4e886a889548cb75f21bb7
SHA256 cf3a60e82cc20d5d72873981ac47a2ff69e7f57ab9a029079457d16f8d9301a9
SHA512 c44fcca403482c7a8a844b80ad3d31a0d83d596041f27f9eb0fa934192c39acaa630f9398ef1cdff86064dcb04ef816b36f19ad9aec5ab07604807e97847665c

C:\Windows\System\uVJkThk.exe

MD5 07b0740bb66cfabeede8317113ffe2db
SHA1 f07d633ea2b57d6a07d4cfd286220c2c73a0482e
SHA256 5c1fe31ff53963f4cf5690962aab908d08ef6ac7f0d9d70853764eda98defd53
SHA512 c6256329d0494214a21b490a637545c9f854755812c8cced1e0c6cc05fa5ba0e1032a15b3a8cc310cfa45ec95bf3d2f3508f6dfcd23881b6070cce9dcd9e3479

C:\Windows\System\NblqKCw.exe

MD5 642798002fe57cd2f09c23ff91b1250e
SHA1 8672f314d368f5bcd3fa518e5dd9d6922aeb69da
SHA256 2c5240b8f1d5f0fc2b4e39421b973d5c2d09004c190b0fd51fa3a9d26ac642a5
SHA512 6872bcfef00cf6b0e3954047123185197aa341849996eef6829c144c82f47baf3e3df0549b7bed95630a4a9c824f966e5fa05eaece0fe2c93cf3bea036d1eb85

memory/3172-115-0x00007FF73FBA0000-0x00007FF73FEF1000-memory.dmp

memory/3380-114-0x00007FF6B1740000-0x00007FF6B1A91000-memory.dmp

memory/1060-107-0x00007FF7870D0000-0x00007FF787421000-memory.dmp

memory/1776-138-0x00007FF71A640000-0x00007FF71A991000-memory.dmp

memory/2820-137-0x00007FF7C9050000-0x00007FF7C93A1000-memory.dmp

memory/4380-134-0x00007FF6AF440000-0x00007FF6AF791000-memory.dmp

memory/4084-148-0x00007FF692D10000-0x00007FF693061000-memory.dmp

memory/4584-147-0x00007FF7A2020000-0x00007FF7A2371000-memory.dmp

memory/3640-149-0x00007FF6244A0000-0x00007FF6247F1000-memory.dmp

memory/4380-160-0x00007FF6AF440000-0x00007FF6AF791000-memory.dmp

memory/2728-190-0x00007FF7AC020000-0x00007FF7AC371000-memory.dmp

memory/4984-192-0x00007FF7AAB60000-0x00007FF7AAEB1000-memory.dmp

memory/4024-194-0x00007FF6A22F0000-0x00007FF6A2641000-memory.dmp

memory/1284-202-0x00007FF7030C0000-0x00007FF703411000-memory.dmp

memory/1212-204-0x00007FF79A310000-0x00007FF79A661000-memory.dmp

memory/3012-206-0x00007FF60FE60000-0x00007FF6101B1000-memory.dmp

memory/2820-212-0x00007FF7C9050000-0x00007FF7C93A1000-memory.dmp

memory/1776-214-0x00007FF71A640000-0x00007FF71A991000-memory.dmp

memory/4572-220-0x00007FF792C20000-0x00007FF792F71000-memory.dmp

memory/680-222-0x00007FF7820F0000-0x00007FF782441000-memory.dmp

memory/776-224-0x00007FF7B3480000-0x00007FF7B37D1000-memory.dmp

memory/2492-226-0x00007FF6CE160000-0x00007FF6CE4B1000-memory.dmp

memory/3752-228-0x00007FF7F69A0000-0x00007FF7F6CF1000-memory.dmp

memory/1060-230-0x00007FF7870D0000-0x00007FF787421000-memory.dmp

memory/2792-235-0x00007FF7AEC10000-0x00007FF7AEF61000-memory.dmp

memory/3380-237-0x00007FF6B1740000-0x00007FF6B1A91000-memory.dmp

memory/3172-239-0x00007FF73FBA0000-0x00007FF73FEF1000-memory.dmp

memory/524-241-0x00007FF79C210000-0x00007FF79C561000-memory.dmp

memory/4584-243-0x00007FF7A2020000-0x00007FF7A2371000-memory.dmp

memory/4084-245-0x00007FF692D10000-0x00007FF693061000-memory.dmp

memory/3640-247-0x00007FF6244A0000-0x00007FF6247F1000-memory.dmp