Malware Analysis Report

2025-01-06 15:13

Sample ID 240525-qnk7psea4y
Target 2024-05-25_bfad8857d2186b5cb1dd6039864be94a_cobalt-strike_cobaltstrike
SHA256 e4f9ff88f4511e88e1db77fb12581dcd80993c63e613c42bc352b449eb723e1a
Tags miner upx 0 xmrig cobaltstrike backdoor trojan
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256

e4f9ff88f4511e88e1db77fb12581dcd80993c63e613c42bc352b449eb723e1a

Threat Level: Known bad

The file 2024-05-25_bfad8857d2186b5cb1dd6039864be94a_cobalt-strike_cobaltstrike was found to be: Known bad.

Malicious Activity Summary

miner upx 0 xmrig cobaltstrike backdoor trojan

Cobalt Strike reflective loader

Xmrig family

UPX dump on OEP (original entry point)

xmrig

Cobaltstrike family

Detects Reflective DLL injection artifacts

Cobaltstrike

XMRig Miner payload

Executes dropped EXE

UPX packed file

Loads dropped DLL

Drops file in Windows directory

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-05-25 13:24

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike family

cobaltstrike

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Xmrig family

xmrig

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-25 13:24

Reported

2024-05-25 13:27

Platform

win7-20240220-en

Max time kernel

144s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-05-25_bfad8857d2186b5cb1dd6039864be94a_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A (21 matches, no details recorded)

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A (21 matches, no details recorded)

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A (53 matches, no details recorded)

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A (56 matches, no details recorded)

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-25_bfad8857d2186b5cb1dd6039864be94a_cobalt-strike_cobaltstrike.exe N/A (21 matches, all from this process)

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A (53 matches, no details recorded)

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\iltawKi.exe C:\Users\Admin\AppData\Local\Temp\2024-05-25_bfad8857d2186b5cb1dd6039864be94a_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\QjLpPLO.exe C:\Users\Admin\AppData\Local\Temp\2024-05-25_bfad8857d2186b5cb1dd6039864be94a_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\OXkVuOI.exe C:\Users\Admin\AppData\Local\Temp\2024-05-25_bfad8857d2186b5cb1dd6039864be94a_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ULlBPmj.exe C:\Users\Admin\AppData\Local\Temp\2024-05-25_bfad8857d2186b5cb1dd6039864be94a_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\LTbxVVQ.exe C:\Users\Admin\AppData\Local\Temp\2024-05-25_bfad8857d2186b5cb1dd6039864be94a_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\jjJSvgM.exe C:\Users\Admin\AppData\Local\Temp\2024-05-25_bfad8857d2186b5cb1dd6039864be94a_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\SZsYXaZ.exe C:\Users\Admin\AppData\Local\Temp\2024-05-25_bfad8857d2186b5cb1dd6039864be94a_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\plOUtHv.exe C:\Users\Admin\AppData\Local\Temp\2024-05-25_bfad8857d2186b5cb1dd6039864be94a_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\VBDlWLK.exe C:\Users\Admin\AppData\Local\Temp\2024-05-25_bfad8857d2186b5cb1dd6039864be94a_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\PdxVAfx.exe C:\Users\Admin\AppData\Local\Temp\2024-05-25_bfad8857d2186b5cb1dd6039864be94a_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\DVwVccN.exe C:\Users\Admin\AppData\Local\Temp\2024-05-25_bfad8857d2186b5cb1dd6039864be94a_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\oteqolE.exe C:\Users\Admin\AppData\Local\Temp\2024-05-25_bfad8857d2186b5cb1dd6039864be94a_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\oFfKTDD.exe C:\Users\Admin\AppData\Local\Temp\2024-05-25_bfad8857d2186b5cb1dd6039864be94a_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\IDaklQX.exe C:\Users\Admin\AppData\Local\Temp\2024-05-25_bfad8857d2186b5cb1dd6039864be94a_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\UbMLMko.exe C:\Users\Admin\AppData\Local\Temp\2024-05-25_bfad8857d2186b5cb1dd6039864be94a_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\OzHOmCP.exe C:\Users\Admin\AppData\Local\Temp\2024-05-25_bfad8857d2186b5cb1dd6039864be94a_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\vZJpxtu.exe C:\Users\Admin\AppData\Local\Temp\2024-05-25_bfad8857d2186b5cb1dd6039864be94a_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\SKTvQFt.exe C:\Users\Admin\AppData\Local\Temp\2024-05-25_bfad8857d2186b5cb1dd6039864be94a_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\EGvnXmz.exe C:\Users\Admin\AppData\Local\Temp\2024-05-25_bfad8857d2186b5cb1dd6039864be94a_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\lHfUNvT.exe C:\Users\Admin\AppData\Local\Temp\2024-05-25_bfad8857d2186b5cb1dd6039864be94a_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\RyTnkFU.exe C:\Users\Admin\AppData\Local\Temp\2024-05-25_bfad8857d2186b5cb1dd6039864be94a_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-05-25_bfad8857d2186b5cb1dd6039864be94a_cobalt-strike_cobaltstrike.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-05-25_bfad8857d2186b5cb1dd6039864be94a_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2172 wrote to memory of 2976 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-05-25_bfad8857d2186b5cb1dd6039864be94a_cobalt-strike_cobaltstrike.exe C:\Windows\System\EGvnXmz.exe
PID 2172 wrote to memory of 2156 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-05-25_bfad8857d2186b5cb1dd6039864be94a_cobalt-strike_cobaltstrike.exe C:\Windows\System\IDaklQX.exe
PID 2172 wrote to memory of 2612 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-05-25_bfad8857d2186b5cb1dd6039864be94a_cobalt-strike_cobaltstrike.exe C:\Windows\System\jjJSvgM.exe
PID 2172 wrote to memory of 2528 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-05-25_bfad8857d2186b5cb1dd6039864be94a_cobalt-strike_cobaltstrike.exe C:\Windows\System\UbMLMko.exe
PID 2172 wrote to memory of 2696 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-05-25_bfad8857d2186b5cb1dd6039864be94a_cobalt-strike_cobaltstrike.exe C:\Windows\System\SZsYXaZ.exe
PID 2172 wrote to memory of 1680 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-05-25_bfad8857d2186b5cb1dd6039864be94a_cobalt-strike_cobaltstrike.exe C:\Windows\System\OzHOmCP.exe
PID 2172 wrote to memory of 2864 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-05-25_bfad8857d2186b5cb1dd6039864be94a_cobalt-strike_cobaltstrike.exe C:\Windows\System\lHfUNvT.exe
PID 2172 wrote to memory of 2452 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-05-25_bfad8857d2186b5cb1dd6039864be94a_cobalt-strike_cobaltstrike.exe C:\Windows\System\plOUtHv.exe
PID 2172 wrote to memory of 2456 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-05-25_bfad8857d2186b5cb1dd6039864be94a_cobalt-strike_cobaltstrike.exe C:\Windows\System\iltawKi.exe
PID 2172 wrote to memory of 2296 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-05-25_bfad8857d2186b5cb1dd6039864be94a_cobalt-strike_cobaltstrike.exe C:\Windows\System\QjLpPLO.exe
PID 2172 wrote to memory of 1664 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-05-25_bfad8857d2186b5cb1dd6039864be94a_cobalt-strike_cobaltstrike.exe C:\Windows\System\PdxVAfx.exe
PID 2172 wrote to memory of 1504 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-05-25_bfad8857d2186b5cb1dd6039864be94a_cobalt-strike_cobaltstrike.exe C:\Windows\System\oteqolE.exe
PID 2172 wrote to memory of 2372 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-05-25_bfad8857d2186b5cb1dd6039864be94a_cobalt-strike_cobaltstrike.exe C:\Windows\System\OXkVuOI.exe
PID 2172 wrote to memory of 776 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-05-25_bfad8857d2186b5cb1dd6039864be94a_cobalt-strike_cobaltstrike.exe C:\Windows\System\ULlBPmj.exe
PID 2172 wrote to memory of 1696 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-05-25_bfad8857d2186b5cb1dd6039864be94a_cobalt-strike_cobaltstrike.exe C:\Windows\System\DVwVccN.exe
PID 2172 wrote to memory of 2200 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-05-25_bfad8857d2186b5cb1dd6039864be94a_cobalt-strike_cobaltstrike.exe C:\Windows\System\oFfKTDD.exe
PID 2172 wrote to memory of 272 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-05-25_bfad8857d2186b5cb1dd6039864be94a_cobalt-strike_cobaltstrike.exe C:\Windows\System\RyTnkFU.exe
PID 2172 wrote to memory of 1560 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-05-25_bfad8857d2186b5cb1dd6039864be94a_cobalt-strike_cobaltstrike.exe C:\Windows\System\vZJpxtu.exe
PID 2172 wrote to memory of 860 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-05-25_bfad8857d2186b5cb1dd6039864be94a_cobalt-strike_cobaltstrike.exe C:\Windows\System\SKTvQFt.exe
PID 2172 wrote to memory of 880 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-05-25_bfad8857d2186b5cb1dd6039864be94a_cobalt-strike_cobaltstrike.exe C:\Windows\System\LTbxVVQ.exe
PID 2172 wrote to memory of 1276 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-05-25_bfad8857d2186b5cb1dd6039864be94a_cobalt-strike_cobaltstrike.exe C:\Windows\System\VBDlWLK.exe

Processes

Process Command line
C:\Users\Admin\AppData\Local\Temp\2024-05-25_bfad8857d2186b5cb1dd6039864be94a_cobalt-strike_cobaltstrike.exe "C:\Users\Admin\AppData\Local\Temp\2024-05-25_bfad8857d2186b5cb1dd6039864be94a_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\EGvnXmz.exe C:\Windows\System\EGvnXmz.exe
C:\Windows\System\IDaklQX.exe C:\Windows\System\IDaklQX.exe
C:\Windows\System\jjJSvgM.exe C:\Windows\System\jjJSvgM.exe
C:\Windows\System\UbMLMko.exe C:\Windows\System\UbMLMko.exe
C:\Windows\System\SZsYXaZ.exe C:\Windows\System\SZsYXaZ.exe
C:\Windows\System\OzHOmCP.exe C:\Windows\System\OzHOmCP.exe
C:\Windows\System\lHfUNvT.exe C:\Windows\System\lHfUNvT.exe
C:\Windows\System\plOUtHv.exe C:\Windows\System\plOUtHv.exe
C:\Windows\System\iltawKi.exe C:\Windows\System\iltawKi.exe
C:\Windows\System\QjLpPLO.exe C:\Windows\System\QjLpPLO.exe
C:\Windows\System\PdxVAfx.exe C:\Windows\System\PdxVAfx.exe
C:\Windows\System\oteqolE.exe C:\Windows\System\oteqolE.exe
C:\Windows\System\OXkVuOI.exe C:\Windows\System\OXkVuOI.exe
C:\Windows\System\ULlBPmj.exe C:\Windows\System\ULlBPmj.exe
C:\Windows\System\DVwVccN.exe C:\Windows\System\DVwVccN.exe
C:\Windows\System\oFfKTDD.exe C:\Windows\System\oFfKTDD.exe
C:\Windows\System\RyTnkFU.exe C:\Windows\System\RyTnkFU.exe
C:\Windows\System\vZJpxtu.exe C:\Windows\System\vZJpxtu.exe
C:\Windows\System\SKTvQFt.exe C:\Windows\System\SKTvQFt.exe
C:\Windows\System\LTbxVVQ.exe C:\Windows\System\LTbxVVQ.exe
C:\Windows\System\VBDlWLK.exe C:\Windows\System\VBDlWLK.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 N/A tcp (6 connections)

Files

\Windows\system\EGvnXmz.exe

C:\Windows\system\IDaklQX.exe

C:\Windows\system\jjJSvgM.exe

C:\Windows\system\UbMLMko.exe

\Windows\system\SZsYXaZ.exe

C:\Windows\system\OzHOmCP.exe

C:\Windows\system\lHfUNvT.exe

\Windows\system\plOUtHv.exe

\Windows\system\iltawKi.exe

\Windows\system\QjLpPLO.exe

\Windows\system\PdxVAfx.exe

C:\Windows\system\oteqolE.exe

C:\Windows\system\ULlBPmj.exe

C:\Windows\system\OXkVuOI.exe

C:\Windows\system\DVwVccN.exe

\Windows\system\oFfKTDD.exe

\Windows\system\RyTnkFU.exe

C:\Windows\system\vZJpxtu.exe

C:\Windows\system\SKTvQFt.exe

C:\Windows\system\LTbxVVQ.exe

\Windows\system\VBDlWLK.exe

memory/2172-137-0x00000000022F0000-0x0000000002644000-memory.dmp

memory/2172-138-0x000000013F840000-0x000000013FB94000-memory.dmp

memory/2172-139-0x000000013FB60000-0x000000013FEB4000-memory.dmp

memory/2172-140-0x000000013FCD0000-0x0000000140024000-memory.dmp

memory/2156-141-0x000000013F2B0000-0x000000013F604000-memory.dmp

memory/2612-142-0x000000013F540000-0x000000013F894000-memory.dmp

memory/2976-143-0x000000013FF60000-0x00000001402B4000-memory.dmp

memory/2528-144-0x000000013F1A0000-0x000000013F4F4000-memory.dmp

memory/2696-145-0x000000013F3E0000-0x000000013F734000-memory.dmp

memory/1680-146-0x000000013FAE0000-0x000000013FE34000-memory.dmp

memory/2864-147-0x000000013F290000-0x000000013F5E4000-memory.dmp

memory/2452-148-0x000000013F330000-0x000000013F684000-memory.dmp

memory/2456-149-0x000000013FBA0000-0x000000013FEF4000-memory.dmp

memory/2296-150-0x000000013F200000-0x000000013F554000-memory.dmp

memory/1664-151-0x000000013F840000-0x000000013FB94000-memory.dmp

memory/1504-152-0x000000013FB60000-0x000000013FEB4000-memory.dmp

memory/2372-153-0x000000013FCD0000-0x0000000140024000-memory.dmp

memory/776-154-0x000000013F5E0000-0x000000013F934000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-25 13:24

Reported

2024-05-25 13:27

Platform

win10v2004-20240426-en

Max time kernel

150s

Max time network

158s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-05-25_bfad8857d2186b5cb1dd6039864be94a_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\SZsYXaZ.exe C:\Users\Admin\AppData\Local\Temp\2024-05-25_bfad8857d2186b5cb1dd6039864be94a_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\lHfUNvT.exe C:\Users\Admin\AppData\Local\Temp\2024-05-25_bfad8857d2186b5cb1dd6039864be94a_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\plOUtHv.exe C:\Users\Admin\AppData\Local\Temp\2024-05-25_bfad8857d2186b5cb1dd6039864be94a_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\iltawKi.exe C:\Users\Admin\AppData\Local\Temp\2024-05-25_bfad8857d2186b5cb1dd6039864be94a_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\PdxVAfx.exe C:\Users\Admin\AppData\Local\Temp\2024-05-25_bfad8857d2186b5cb1dd6039864be94a_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\DVwVccN.exe C:\Users\Admin\AppData\Local\Temp\2024-05-25_bfad8857d2186b5cb1dd6039864be94a_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\LTbxVVQ.exe C:\Users\Admin\AppData\Local\Temp\2024-05-25_bfad8857d2186b5cb1dd6039864be94a_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\EGvnXmz.exe C:\Users\Admin\AppData\Local\Temp\2024-05-25_bfad8857d2186b5cb1dd6039864be94a_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\QjLpPLO.exe C:\Users\Admin\AppData\Local\Temp\2024-05-25_bfad8857d2186b5cb1dd6039864be94a_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\RyTnkFU.exe C:\Users\Admin\AppData\Local\Temp\2024-05-25_bfad8857d2186b5cb1dd6039864be94a_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\vZJpxtu.exe C:\Users\Admin\AppData\Local\Temp\2024-05-25_bfad8857d2186b5cb1dd6039864be94a_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\IDaklQX.exe C:\Users\Admin\AppData\Local\Temp\2024-05-25_bfad8857d2186b5cb1dd6039864be94a_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\jjJSvgM.exe C:\Users\Admin\AppData\Local\Temp\2024-05-25_bfad8857d2186b5cb1dd6039864be94a_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\UbMLMko.exe C:\Users\Admin\AppData\Local\Temp\2024-05-25_bfad8857d2186b5cb1dd6039864be94a_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\OzHOmCP.exe C:\Users\Admin\AppData\Local\Temp\2024-05-25_bfad8857d2186b5cb1dd6039864be94a_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\OXkVuOI.exe C:\Users\Admin\AppData\Local\Temp\2024-05-25_bfad8857d2186b5cb1dd6039864be94a_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ULlBPmj.exe C:\Users\Admin\AppData\Local\Temp\2024-05-25_bfad8857d2186b5cb1dd6039864be94a_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\oFfKTDD.exe C:\Users\Admin\AppData\Local\Temp\2024-05-25_bfad8857d2186b5cb1dd6039864be94a_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\SKTvQFt.exe C:\Users\Admin\AppData\Local\Temp\2024-05-25_bfad8857d2186b5cb1dd6039864be94a_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\VBDlWLK.exe C:\Users\Admin\AppData\Local\Temp\2024-05-25_bfad8857d2186b5cb1dd6039864be94a_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\oteqolE.exe C:\Users\Admin\AppData\Local\Temp\2024-05-25_bfad8857d2186b5cb1dd6039864be94a_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-05-25_bfad8857d2186b5cb1dd6039864be94a_cobalt-strike_cobaltstrike.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-05-25_bfad8857d2186b5cb1dd6039864be94a_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 220 wrote to memory of 4720 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-25_bfad8857d2186b5cb1dd6039864be94a_cobalt-strike_cobaltstrike.exe C:\Windows\System\EGvnXmz.exe
PID 220 wrote to memory of 4720 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-25_bfad8857d2186b5cb1dd6039864be94a_cobalt-strike_cobaltstrike.exe C:\Windows\System\EGvnXmz.exe
PID 220 wrote to memory of 3644 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-25_bfad8857d2186b5cb1dd6039864be94a_cobalt-strike_cobaltstrike.exe C:\Windows\System\IDaklQX.exe
PID 220 wrote to memory of 3644 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-25_bfad8857d2186b5cb1dd6039864be94a_cobalt-strike_cobaltstrike.exe C:\Windows\System\IDaklQX.exe
PID 220 wrote to memory of 4624 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-25_bfad8857d2186b5cb1dd6039864be94a_cobalt-strike_cobaltstrike.exe C:\Windows\System\jjJSvgM.exe
PID 220 wrote to memory of 4624 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-25_bfad8857d2186b5cb1dd6039864be94a_cobalt-strike_cobaltstrike.exe C:\Windows\System\jjJSvgM.exe
PID 220 wrote to memory of 4124 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-25_bfad8857d2186b5cb1dd6039864be94a_cobalt-strike_cobaltstrike.exe C:\Windows\System\UbMLMko.exe
PID 220 wrote to memory of 4124 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-25_bfad8857d2186b5cb1dd6039864be94a_cobalt-strike_cobaltstrike.exe C:\Windows\System\UbMLMko.exe
PID 220 wrote to memory of 4028 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-25_bfad8857d2186b5cb1dd6039864be94a_cobalt-strike_cobaltstrike.exe C:\Windows\System\SZsYXaZ.exe
PID 220 wrote to memory of 4028 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-25_bfad8857d2186b5cb1dd6039864be94a_cobalt-strike_cobaltstrike.exe C:\Windows\System\SZsYXaZ.exe
PID 220 wrote to memory of 1180 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-25_bfad8857d2186b5cb1dd6039864be94a_cobalt-strike_cobaltstrike.exe C:\Windows\System\OzHOmCP.exe
PID 220 wrote to memory of 1180 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-25_bfad8857d2186b5cb1dd6039864be94a_cobalt-strike_cobaltstrike.exe C:\Windows\System\OzHOmCP.exe
PID 220 wrote to memory of 3376 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-25_bfad8857d2186b5cb1dd6039864be94a_cobalt-strike_cobaltstrike.exe C:\Windows\System\lHfUNvT.exe
PID 220 wrote to memory of 3376 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-25_bfad8857d2186b5cb1dd6039864be94a_cobalt-strike_cobaltstrike.exe C:\Windows\System\lHfUNvT.exe
PID 220 wrote to memory of 2252 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-25_bfad8857d2186b5cb1dd6039864be94a_cobalt-strike_cobaltstrike.exe C:\Windows\System\plOUtHv.exe
PID 220 wrote to memory of 2252 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-25_bfad8857d2186b5cb1dd6039864be94a_cobalt-strike_cobaltstrike.exe C:\Windows\System\plOUtHv.exe
PID 220 wrote to memory of 3412 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-25_bfad8857d2186b5cb1dd6039864be94a_cobalt-strike_cobaltstrike.exe C:\Windows\System\iltawKi.exe
PID 220 wrote to memory of 3412 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-25_bfad8857d2186b5cb1dd6039864be94a_cobalt-strike_cobaltstrike.exe C:\Windows\System\iltawKi.exe
PID 220 wrote to memory of 1572 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-25_bfad8857d2186b5cb1dd6039864be94a_cobalt-strike_cobaltstrike.exe C:\Windows\System\QjLpPLO.exe
PID 220 wrote to memory of 1572 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-25_bfad8857d2186b5cb1dd6039864be94a_cobalt-strike_cobaltstrike.exe C:\Windows\System\QjLpPLO.exe
PID 220 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-25_bfad8857d2186b5cb1dd6039864be94a_cobalt-strike_cobaltstrike.exe C:\Windows\System\PdxVAfx.exe
PID 220 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-25_bfad8857d2186b5cb1dd6039864be94a_cobalt-strike_cobaltstrike.exe C:\Windows\System\PdxVAfx.exe
PID 220 wrote to memory of 2020 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-25_bfad8857d2186b5cb1dd6039864be94a_cobalt-strike_cobaltstrike.exe C:\Windows\System\oteqolE.exe
PID 220 wrote to memory of 2020 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-25_bfad8857d2186b5cb1dd6039864be94a_cobalt-strike_cobaltstrike.exe C:\Windows\System\oteqolE.exe
PID 220 wrote to memory of 1052 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-25_bfad8857d2186b5cb1dd6039864be94a_cobalt-strike_cobaltstrike.exe C:\Windows\System\OXkVuOI.exe
PID 220 wrote to memory of 1052 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-25_bfad8857d2186b5cb1dd6039864be94a_cobalt-strike_cobaltstrike.exe C:\Windows\System\OXkVuOI.exe
PID 220 wrote to memory of 1804 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-25_bfad8857d2186b5cb1dd6039864be94a_cobalt-strike_cobaltstrike.exe C:\Windows\System\ULlBPmj.exe
PID 220 wrote to memory of 1804 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-25_bfad8857d2186b5cb1dd6039864be94a_cobalt-strike_cobaltstrike.exe C:\Windows\System\ULlBPmj.exe
PID 220 wrote to memory of 2288 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-25_bfad8857d2186b5cb1dd6039864be94a_cobalt-strike_cobaltstrike.exe C:\Windows\System\DVwVccN.exe
PID 220 wrote to memory of 2288 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-25_bfad8857d2186b5cb1dd6039864be94a_cobalt-strike_cobaltstrike.exe C:\Windows\System\DVwVccN.exe
PID 220 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-25_bfad8857d2186b5cb1dd6039864be94a_cobalt-strike_cobaltstrike.exe C:\Windows\System\oFfKTDD.exe
PID 220 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-25_bfad8857d2186b5cb1dd6039864be94a_cobalt-strike_cobaltstrike.exe C:\Windows\System\oFfKTDD.exe
PID 220 wrote to memory of 3788 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-25_bfad8857d2186b5cb1dd6039864be94a_cobalt-strike_cobaltstrike.exe C:\Windows\System\RyTnkFU.exe
PID 220 wrote to memory of 3788 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-25_bfad8857d2186b5cb1dd6039864be94a_cobalt-strike_cobaltstrike.exe C:\Windows\System\RyTnkFU.exe
PID 220 wrote to memory of 3836 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-25_bfad8857d2186b5cb1dd6039864be94a_cobalt-strike_cobaltstrike.exe C:\Windows\System\vZJpxtu.exe
PID 220 wrote to memory of 3836 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-25_bfad8857d2186b5cb1dd6039864be94a_cobalt-strike_cobaltstrike.exe C:\Windows\System\vZJpxtu.exe
PID 220 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-25_bfad8857d2186b5cb1dd6039864be94a_cobalt-strike_cobaltstrike.exe C:\Windows\System\SKTvQFt.exe
PID 220 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-25_bfad8857d2186b5cb1dd6039864be94a_cobalt-strike_cobaltstrike.exe C:\Windows\System\SKTvQFt.exe
PID 220 wrote to memory of 1236 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-25_bfad8857d2186b5cb1dd6039864be94a_cobalt-strike_cobaltstrike.exe C:\Windows\System\LTbxVVQ.exe
PID 220 wrote to memory of 1236 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-25_bfad8857d2186b5cb1dd6039864be94a_cobalt-strike_cobaltstrike.exe C:\Windows\System\LTbxVVQ.exe
PID 220 wrote to memory of 5096 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-25_bfad8857d2186b5cb1dd6039864be94a_cobalt-strike_cobaltstrike.exe C:\Windows\System\VBDlWLK.exe
PID 220 wrote to memory of 5096 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-25_bfad8857d2186b5cb1dd6039864be94a_cobalt-strike_cobaltstrike.exe C:\Windows\System\VBDlWLK.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-05-25_bfad8857d2186b5cb1dd6039864be94a_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-05-25_bfad8857d2186b5cb1dd6039864be94a_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\EGvnXmz.exe

C:\Windows\System\EGvnXmz.exe

C:\Windows\System\IDaklQX.exe

C:\Windows\System\IDaklQX.exe

C:\Windows\System\jjJSvgM.exe

C:\Windows\System\jjJSvgM.exe

C:\Windows\System\UbMLMko.exe

C:\Windows\System\UbMLMko.exe

C:\Windows\System\SZsYXaZ.exe

C:\Windows\System\SZsYXaZ.exe

C:\Windows\System\OzHOmCP.exe

C:\Windows\System\OzHOmCP.exe

C:\Windows\System\lHfUNvT.exe

C:\Windows\System\lHfUNvT.exe

C:\Windows\System\plOUtHv.exe

C:\Windows\System\plOUtHv.exe

C:\Windows\System\iltawKi.exe

C:\Windows\System\iltawKi.exe

C:\Windows\System\QjLpPLO.exe

C:\Windows\System\QjLpPLO.exe

C:\Windows\System\PdxVAfx.exe

C:\Windows\System\PdxVAfx.exe

C:\Windows\System\oteqolE.exe

C:\Windows\System\oteqolE.exe

C:\Windows\System\OXkVuOI.exe

C:\Windows\System\OXkVuOI.exe

C:\Windows\System\ULlBPmj.exe

C:\Windows\System\ULlBPmj.exe

C:\Windows\System\DVwVccN.exe

C:\Windows\System\DVwVccN.exe

C:\Windows\System\oFfKTDD.exe

C:\Windows\System\oFfKTDD.exe

C:\Windows\System\RyTnkFU.exe

C:\Windows\System\RyTnkFU.exe

C:\Windows\System\vZJpxtu.exe

C:\Windows\System\vZJpxtu.exe

C:\Windows\System\SKTvQFt.exe

C:\Windows\System\SKTvQFt.exe

C:\Windows\System\LTbxVVQ.exe

C:\Windows\System\LTbxVVQ.exe

C:\Windows\System\VBDlWLK.exe

C:\Windows\System\VBDlWLK.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 73.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
DE 3.120.209.58:8080 N/A tcp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
DE 3.120.209.58:8080 N/A tcp
DE 3.120.209.58:8080 N/A tcp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 18.24.18.2.in-addr.arpa udp
DE 3.120.209.58:8080 N/A tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
DE 3.120.209.58:8080 N/A tcp
US 8.8.8.8:53 16.173.189.20.in-addr.arpa udp

Files

memory/220-0-0x00007FF65A1F0000-0x00007FF65A544000-memory.dmp

memory/220-1-0x000001995D5D0000-0x000001995D5E0000-memory.dmp

C:\Windows\System\EGvnXmz.exe

MD5 38260f324703dafe28e42ccd644df119
SHA1 770d77e06f999f9a997e6eebd69e98a4e44d3cb0
SHA256 f08a5adec6de8bf585b8ef0e8d60cdc91eeceeb8659ef78c9d2efa3b6eb61418
SHA512 9311d441ef61dd87491157186f4e9fdfb39c95f6d49049112919de384451f5deeedc2a79ef4a00860747b9e8ac8e0a042f4593e42c8ac43aa9003ab3ae78d3c9

memory/4720-8-0x00007FF6E7DF0000-0x00007FF6E8144000-memory.dmp

C:\Windows\System\IDaklQX.exe

MD5 7e74a7580dbb089d35789123df4def6d
SHA1 294afcb1095ae3d6c678b3b9ab28fa053ae1cbca
SHA256 29b14fd743825476b4637a57d199f4d15149046366268c84b514bdab54817d10
SHA512 f1deeadf37c20392f0fce348cf6f36ea7affcdc4d53bc18410fb4a4e7533deb4d512975ab7dfc3b2351317fb1f14be1bd5096bdfb0f44fe5fc10159dfd47170d

memory/3644-14-0x00007FF704CA0000-0x00007FF704FF4000-memory.dmp

C:\Windows\System\jjJSvgM.exe

MD5 621ba7aed07f633f2f3322009520dbbf
SHA1 a746bc54ff2db7e93bf99c3e4977ed2f2b1bc558
SHA256 442f8a478b7c1015685f75341b8ce3fa3bed069b9bc5601f3a55be881f67bd79
SHA512 39955daf87b3c80147d9c350425123c8943d66b33aa0dca6fc98182c28afbe886ec02c93a993fee4959b66335def8e3e499410e61793b4c5264d42546bd4e68f

memory/4624-20-0x00007FF62BE40000-0x00007FF62C194000-memory.dmp

C:\Windows\System\UbMLMko.exe

MD5 a237e84881bc02f77e0ed328f038dce7
SHA1 6285e1e083e6b858a284d5ef9e4bec22508e63b9
SHA256 2e80ed5cc86c287616183ee22a389d07b7cae9851d45b9e43856fe66e147ecba
SHA512 b01376feffce73e1ca25aa370b8c1c04317b3abe0ea1c3c3890d76118493f8617d955506a83d347bea41d7778b9447c8531d4c0b03ea37c7f08e05b1945b4b0c

memory/4124-26-0x00007FF6B3360000-0x00007FF6B36B4000-memory.dmp

C:\Windows\System\SZsYXaZ.exe

MD5 450d5bbf16d7d22673f3ed5960afc77c
SHA1 71696abbc4e61043feaa90a3cc28c6306cf085cd
SHA256 e45d22099baa813216e1ee1008ea6c0c56befe7e3d807020be4e309711ff5621
SHA512 53926b7022c5faf939b1a475fee5799ef78716968ad3d474992b452b2cac2fe94d40a9c9bb1f685e547af2c2c0adab5fe77a59cacce5b88d50447acf903f5317

memory/4028-32-0x00007FF667C80000-0x00007FF667FD4000-memory.dmp

C:\Windows\System\OzHOmCP.exe

MD5 28e76e0c8e73cb4defd1122cf9efeaf2
SHA1 42fd66bda31608aa6db4730a0e4d6b0af5674fb7
SHA256 bf0237287b481b20e4369cf1c54e8698b97e5ab4901930e95f686f45b33cef11
SHA512 5bc623968be6d4cb743c70d1db7b6845b8f58a726aa5dbd5b9df815b14a27223d5290895112e336b1adac8e5f96b004c01079fe30587be60091a42fe708ac65d

C:\Windows\System\lHfUNvT.exe

MD5 e6adf2e3c5095714b71ab3bdc9988071
SHA1 de0b8af016e490f93c6887f47d88b375c8dd340e
SHA256 8f25f91cba5afd7d54b9f25c6a82eabb7c01a52fbadf123bd4f248b17f7b9f60
SHA512 a3f8a20865a12c4b0e5646c7866de6455fa8550eb1bb2567851f01ded8264142ac5410758920cb365563abf50ac07fa7ad3283c8251da983fc105b4689a71e8a

memory/3376-44-0x00007FF7A0D00000-0x00007FF7A1054000-memory.dmp

memory/1180-36-0x00007FF61D520000-0x00007FF61D874000-memory.dmp

C:\Windows\System\plOUtHv.exe

MD5 8fd821b76b768333d9045ff47fc1a82b
SHA1 0756a59ebaa6a91f87111b8c0d9b9319ec61847d
SHA256 9ad3bd4a669602e95ec68b59793b4f8efbb0026c7d20cbed7a04d334a7ca5197
SHA512 10ef22162329ae8eb352fbab86fd521168535acfec06f23be5f619eb41b7f7f09560af01df5abbd93c1bcddedf1ef81b3fae3acec268c8304d99e12897a9ac93

memory/2252-47-0x00007FF7D2ED0000-0x00007FF7D3224000-memory.dmp

C:\Windows\System\iltawKi.exe

MD5 51cf04361ec6113f199982c7461321bf
SHA1 ef45a48d224200b96347d2c9da30ff11d3c03c6a
SHA256 85fd0fa38511502332e207b02cda28c4aafbbbebed8b4aea0a7cf8ff138befc3
SHA512 25c9ba76d18a62a50ec7d1886771a379ef147613ecc4b93ae3256b18e642d62eca47d8aef41b3a8d9a0ec16358fcf8d43a5eeff478ffe2b12ac62ea4825429c1

memory/3412-56-0x00007FF6BC4C0000-0x00007FF6BC814000-memory.dmp

C:\Windows\System\QjLpPLO.exe

MD5 3c1e75f4c78e0b9d19cfe87bc64161f0
SHA1 250384b11e2d86e3fd510baba2825d36d0a0e06d
SHA256 c0c8b0b66acffc81fffe2eee4ddbae764760c18fab15994e0e6676e732464db4
SHA512 af5dceef604ef1b9a2b888f2818b5bae6a18a10926267a3fba540a60f6fd03e680e608dff4aa1dcd1e27e226b7b31de8a2f74247ee3bc9fb47421e8601dfeada

memory/220-62-0x00007FF65A1F0000-0x00007FF65A544000-memory.dmp

memory/1572-63-0x00007FF6FCF10000-0x00007FF6FD264000-memory.dmp

memory/4720-67-0x00007FF6E7DF0000-0x00007FF6E8144000-memory.dmp

C:\Windows\System\PdxVAfx.exe

MD5 4bae0993e2f3ae9563a7ad4331e101ab
SHA1 2274de7c4e74b8bf242fff374686f40cff2ea7d4
SHA256 1aabcd0b643ba6e7a14b41db2876ec79fff37ecf6ab34de40ccbb2143c11b22b
SHA512 8ac23d691f841ce35cfdbb08a6cfb9f1400903d007d460b840e099a636b22a060518f906369d58514e788d858334d96d209ab36db11af5302b8cb891b095748b

memory/2808-70-0x00007FF7C34B0000-0x00007FF7C3804000-memory.dmp

C:\Windows\System\oteqolE.exe

MD5 c894b02103b674a2c8cbabcf44fc78cb
SHA1 b800c4e687ba387c645fe5a658e44fceb5d367e9
SHA256 82443216599a91998801f9dfaad97f0450c794fc2692f787e9c4267adba7111f
SHA512 dae517fa6dbc7b0cd8f74ea541d206481cc39b444be84601b1a0c7d5688fde87e863a493e5db418440d9861503dc06b34a4ab395696e6c48081a01f9ae2f9bc6

memory/3644-74-0x00007FF704CA0000-0x00007FF704FF4000-memory.dmp

memory/2020-75-0x00007FF7E5140000-0x00007FF7E5494000-memory.dmp

C:\Windows\System\OXkVuOI.exe

MD5 367492cdd7bcd9ab6d78242d3ccee469
SHA1 f63a5ed829ac1da7ba96bd9c22181f7115364d53
SHA256 a39c0b2f8c3db7ee8d7bcbd2e548303807f0ffb5b58186b49cf6552f74758a79
SHA512 8e8637b9e49c44b5e0a2641e3f47094cf91c7a07d70f77d3d33b7bcf46b5d84ad5f03ca6ba73846c4474ff1fdfc44d616d3f2e35e97f14988bd6d00611d7e112

C:\Windows\System\ULlBPmj.exe

MD5 a8934f4bf4f9bc4cc723c3c03f869be2
SHA1 44e702bddd4ca12fd6cfb034a01ab133fec42db4
SHA256 f5432ec6b5724bf886d5f55f6fbd0689546ada329dbe708b58d7243cc26beff8
SHA512 00f5d9af27869f7f8ad945e11e82e16809552f7bc6f41cd52b1ef7337f92765bc15cfe271e75190495a5088d999232604f052aff380cb368f7f2375014225498

memory/1804-92-0x00007FF7E62E0000-0x00007FF7E6634000-memory.dmp

memory/2288-94-0x00007FF67C950000-0x00007FF67CCA4000-memory.dmp

memory/4028-95-0x00007FF667C80000-0x00007FF667FD4000-memory.dmp

C:\Windows\System\oFfKTDD.exe

MD5 a80fb21dad208d04f18e9de98b237e61
SHA1 8f077540cc36cab8d17e146753d9821540196f70
SHA256 757a4861be45725d1caabeab87c77e54b52784118d977a1b7bd9bd5c7dff6a19
SHA512 858b8c2faaac6646dbddd52c0d027ca9786c632750652a867c8fbed8ae38fb2acd44986a0d875ea3ef3166eb121697cd90d22de960115c50e9e9ce2fae06c65b

C:\Windows\System\RyTnkFU.exe

MD5 617104b8855960abb4117f5acdab4ee2
SHA1 024f4635b59533822558e9cc4d0b26ca8b74321e
SHA256 dbc8c594020cf6e123726845e9d7b4c9681977b3dc2ddcc5b792a03e63b23cdb
SHA512 faa723ad726bd8390ff38e271a936438cfa62e66d30f85f27ad6c8e46286c79ad5ad8d4ef53b3ec4814a112ef20dd9545fd83491b8c3468149848a9ba7881491

C:\Windows\System\vZJpxtu.exe

MD5 d312734b9b5e0883747172775499af99
SHA1 2a5de475fb6318ac2ec52a18811e01f18cb37a90
SHA256 f6714bf0ffa1ded93884524ed8c41faaa10bf240efa7eb8fb53f9534a7b23e14
SHA512 0cc99055d333a3239d1647bd499a8059bd6cb6e14e9416af001b597ce32cfbaa0bb33d56813087c64c437773babfa0e8a647746906c11a8ea5099c2215c26d82

C:\Windows\System\SKTvQFt.exe

MD5 7070b23d1eda84bac00fc22e84a981dd
SHA1 3e6fcc6328c93ddfdacaf2bcce311d0c6b3ce9b1
SHA256 d80fdae989097c0984e2e528cd859c9dd01cc97ae95b0dd476683a854dee958c
SHA512 5d2ff173a718f4f99b3f0946f37048310b05509f3aee189c9d407a6ae209cbe90ebf0d8acb62a48d70d5e39c495564e7792b90acd3b5b4c976e1f90d3812234f

C:\Windows\System\VBDlWLK.exe

MD5 1baf544e3e45c58a36bb5594f562cd17
SHA1 572b308334e3cf2920adbe6af2e6e9752cb2a9f6
SHA256 737eeb3b8041588d510726ef0d893d5a97518675b1b5b8800d0ddc1460809846
SHA512 eb33c2f4c1e868408d1171b68c065f5ee6cce6f1a6c6fa0e1b9f9130c946a734d0d50aef1cf0f4e064977d07c2728661fe262ad7ce402d87ff1b2094d6a901a4

C:\Windows\System\LTbxVVQ.exe

MD5 4ca3ee1a8e00ce3134f9cb58f0b7f468
SHA1 ef5f459bf14b20efff26b83646ed2de2aec847de
SHA256 a793d8b10c18f3f3cde10c1d6b377d0a60c9668e1616cacd6f3bce750d64d2fe
SHA512 b05ce7b2ae12d62c585dc01611e700cad4e72ac338afe473d0fa8666e170478024f32e82304c6773cb5896bf129504627103a1a3a4c01a117c3598267a8f4fe6

C:\Windows\System\DVwVccN.exe

MD5 165abdf2a2841c234742851e4d36940b
SHA1 3a3088b9bbd07ac319dbaa9f5622a32834ead234
SHA256 0d4bb4e48fff1a64ee5b3b7fd4076fb24795535b44518b4e9559f1c51c7358a6
SHA512 6127320aab089bbd354a354aca3163f1183a52437751ff917df8f89364543ebb73a4fd43a6c08ecebdc444edafe07f3c64a434c8340148bb3594c4ebd7d22d35

memory/4124-93-0x00007FF6B3360000-0x00007FF6B36B4000-memory.dmp

memory/1052-90-0x00007FF79A380000-0x00007FF79A6D4000-memory.dmp

memory/3788-127-0x00007FF799FD0000-0x00007FF79A324000-memory.dmp

memory/3836-128-0x00007FF653CB0000-0x00007FF654004000-memory.dmp

memory/2804-129-0x00007FF694C20000-0x00007FF694F74000-memory.dmp

memory/1236-130-0x00007FF7C3EB0000-0x00007FF7C4204000-memory.dmp

memory/5096-131-0x00007FF789EA0000-0x00007FF78A1F4000-memory.dmp

memory/1180-132-0x00007FF61D520000-0x00007FF61D874000-memory.dmp

memory/2724-133-0x00007FF6346A0000-0x00007FF6349F4000-memory.dmp

memory/2252-134-0x00007FF7D2ED0000-0x00007FF7D3224000-memory.dmp

memory/4720-135-0x00007FF6E7DF0000-0x00007FF6E8144000-memory.dmp

memory/2808-136-0x00007FF7C34B0000-0x00007FF7C3804000-memory.dmp

memory/3644-137-0x00007FF704CA0000-0x00007FF704FF4000-memory.dmp

memory/4624-138-0x00007FF62BE40000-0x00007FF62C194000-memory.dmp

memory/2020-139-0x00007FF7E5140000-0x00007FF7E5494000-memory.dmp

memory/4124-140-0x00007FF6B3360000-0x00007FF6B36B4000-memory.dmp

memory/4028-141-0x00007FF667C80000-0x00007FF667FD4000-memory.dmp

memory/3376-142-0x00007FF7A0D00000-0x00007FF7A1054000-memory.dmp

memory/1180-143-0x00007FF61D520000-0x00007FF61D874000-memory.dmp

memory/2252-144-0x00007FF7D2ED0000-0x00007FF7D3224000-memory.dmp

memory/3412-145-0x00007FF6BC4C0000-0x00007FF6BC814000-memory.dmp

memory/1572-146-0x00007FF6FCF10000-0x00007FF6FD264000-memory.dmp

memory/2288-147-0x00007FF67C950000-0x00007FF67CCA4000-memory.dmp

memory/2808-148-0x00007FF7C34B0000-0x00007FF7C3804000-memory.dmp

memory/2020-149-0x00007FF7E5140000-0x00007FF7E5494000-memory.dmp

memory/1052-150-0x00007FF79A380000-0x00007FF79A6D4000-memory.dmp

memory/1804-151-0x00007FF7E62E0000-0x00007FF7E6634000-memory.dmp

memory/2288-152-0x00007FF67C950000-0x00007FF67CCA4000-memory.dmp

memory/2724-153-0x00007FF6346A0000-0x00007FF6349F4000-memory.dmp

memory/3788-154-0x00007FF799FD0000-0x00007FF79A324000-memory.dmp

memory/3836-155-0x00007FF653CB0000-0x00007FF654004000-memory.dmp

memory/2804-156-0x00007FF694C20000-0x00007FF694F74000-memory.dmp

memory/1236-158-0x00007FF7C3EB0000-0x00007FF7C4204000-memory.dmp

memory/5096-157-0x00007FF789EA0000-0x00007FF78A1F4000-memory.dmp
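The behavioral2 Files, Network and WriteProcessMemory sections above are plain-text tables. The script below is an added example, not part of the original report and not the sandbox vendor's tooling; it turns excerpts of those sections into machine-readable indicators and applies three checks an analyst runs on a report like this: every digest is validated against its algorithm's length so a truncated hash never becomes an IOC; network rows are reduced to destinations contacted by bare IP with no name on record, which removes the reverse-DNS lookups and the bing.com traffic and leaves 3.120.209.58:8080 as the endpoint to pivot on (the report itself does not classify that connection); and WriteProcessMemory rows are grouped by writer, showing one parent (PID 220) writing into many children it spawned from files it dropped under C:\Windows\System. The embedded excerpts are copied from the report with SHA512 lines omitted. The column layout (space-separated fields, Domain absent or N/A when unresolved), the assumption that paths contain no spaces, and the fan-out threshold of three are choices made here, not facts from the page.

```python
import re
from collections import defaultdict

# Excerpts copied from this report's behavioral2 Files, Network and
# WriteProcessMemory sections (SHA512 lines omitted; the parser accepts them).
FILES_EXCERPT = r"""
memory/220-0-0x00007FF65A1F0000-0x00007FF65A544000-memory.dmp
C:\Windows\System\EGvnXmz.exe
MD5 38260f324703dafe28e42ccd644df119
SHA1 770d77e06f999f9a997e6eebd69e98a4e44d3cb0
SHA256 f08a5adec6de8bf585b8ef0e8d60cdc91eeceeb8659ef78c9d2efa3b6eb61418
memory/4720-8-0x00007FF6E7DF0000-0x00007FF6E8144000-memory.dmp
C:\Windows\System\oteqolE.exe
MD5 c894b02103b674a2c8cbabcf44fc78cb
SHA1 b800c4e687ba387c645fe5a658e44fceb5d367e9
SHA256 82443216599a91998801f9dfaad97f0450c794fc2692f787e9c4267adba7111f
"""
NET_EXCERPT = """
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.194:443 www.bing.com tcp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
"""
SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\2024-05-25_bfad8857d2186b5cb1dd6039864be94a_cobalt-strike_cobaltstrike.exe")
WPM_EXCERPT = "\n".join(
    f"PID 220 wrote to memory of {pid} N/A {SAMPLE} C:\\Windows\\System\\{name}.exe"
    for pid, name in [(4720, "EGvnXmz"), (4720, "EGvnXmz"), (3644, "IDaklQX"), (4624, "jjJSvgM")])

HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-fA-F]+)$")
DUMP_RE = re.compile(r"^memory/(\d+)-\d+-(0x[0-9A-Fa-f]+)-(0x[0-9A-Fa-f]+)-memory\.dmp$")
WPM_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)$")  # assumes paths without spaces

def parse_files(text):
    """Return ({path: {algo: digest}}, [(pid, start, end)]) from a Files section.
    A path line opens an entry; the hash lines after it belong to it. Digest length
    is checked so a truncated copy-paste fails loudly instead of becoming an IOC."""
    files, dumps, current = {}, [], None
    for line in (ln.strip() for ln in text.splitlines()):
        if not line:
            continue
        if m := DUMP_RE.match(line):
            dumps.append((int(m.group(1)), int(m.group(2), 16), int(m.group(3), 16)))
            current = None
        elif m := HASH_RE.match(line):
            algo, digest = m.group(1), m.group(2).lower()
            if current is None:
                raise ValueError(f"hash line without a preceding path: {line}")
            if len(digest) != HASH_LEN[algo]:
                raise ValueError(f"{algo} for {current}: {len(digest)} hex chars, expected {HASH_LEN[algo]}")
            files[current][algo] = digest
        else:
            current = line
            files.setdefault(current, {})
    return files, dumps

def parse_network(text):
    """Parse 'Country Destination [Domain] Proto' rows; Domain may be absent or N/A."""
    rows = []
    for parts in (ln.split() for ln in text.splitlines()):
        if len(parts) == 4:
            country, dest, domain, proto = parts
        elif len(parts) == 3:
            (country, dest, proto), domain = parts, None
        else:
            continue
        host, port = dest.rsplit(":", 1)
        rows.append({"country": country, "host": host, "port": int(port),
                     "domain": None if domain == "N/A" else domain, "proto": proto})
    return rows

def unresolved_endpoints(rows):
    """Destinations reached by bare IP with no name on record and not DNS. Reverse
    lookups (*.in-addr.arpa) and the named bing.com connections are sandbox and OS
    background traffic; the report itself does not classify any connection."""
    return sorted({f"{r['host']}:{r['port']}" for r in rows
                   if r["domain"] is None and r["port"] != 53})

def parse_wpm(text):
    """Map writer PID -> {target PID: target image} from WriteProcessMemory rows."""
    writers = defaultdict(dict)
    for line in text.splitlines():
        if m := WPM_RE.match(line.strip()):
            writers[int(m.group(1))][int(m.group(2))] = m.group(4)
    return writers

def fan_out(writers, min_targets=3):
    """Writers that wrote into at least min_targets distinct processes: one parent
    writing into many children spawned from files it dropped, as PID 220 does above.
    The threshold is a tuning knob chosen here, not a value from the report."""
    return {pid: sorted(t.values()) for pid, t in writers.items() if len(t) >= min_targets}

if __name__ == "__main__":
    files, dumps = parse_files(FILES_EXCERPT)
    print({p: h["SHA256"] for p, h in files.items()}, len(dumps), "memory regions")
    print("unresolved:", unresolved_endpoints(parse_network(NET_EXCERPT)))
    print("fan-out:", fan_out(parse_wpm(WPM_EXCERPT)))
```

Run it as-is to see the two file entries with their SHA256 values, the single unresolved endpoint and the writer-to-children map; to process the full report, paste each section into the matching constant. Two caveats when reading the tables this way: the duplicate WriteProcessMemory rows per child are how the sandbox records two separate writes, so they are collapsed by target PID rather than counted; and the AdjustPrivilegeToken rows belong with the miner tags rather than the Cobalt Strike tags, since SeLockMemoryPrivilege is the privilege required for large-page allocations, which XMRig requests to speed up its hashing.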