Malware Analysis Report

2025-01-06 15:14

Sample ID 240525-qznrzaeh57
Target 2024-05-25_31a87d131824685f777c39e90b336a30_cobalt-strike_cobaltstrike
SHA256 91e286870059f96d287582b3edf38f41bfc6d1f2df1fcd165ecbf487b3381269
Tags: miner upx 0 xmrig cobaltstrike backdoor trojan
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
Analysis: static1 (Detonation Overview, Signatures)
Analysis: behavioral1 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral2 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)

Analysis Overview

Score: 10/10

SHA256: 91e286870059f96d287582b3edf38f41bfc6d1f2df1fcd165ecbf487b3381269

Threat Level: Known bad

The file 2024-05-25_31a87d131824685f777c39e90b336a30_cobalt-strike_cobaltstrike was found to be: Known bad.

Malicious Activity Summary

Cobaltstrike (Cobaltstrike family; Cobalt Strike reflective loader)
xmrig (Xmrig family; XMRig Miner payload)
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
UPX packed file
Loads dropped DLL
Executes dropped EXE
Drops file in Windows directory
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported: 2024-05-25 13:42

Signatures

Each signature below matched once in the static pass; the Description, Indicator, Process and Target columns are N/A for every match.

Cobalt Strike reflective loader
Cobaltstrike family: cobaltstrike
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload: miner
Xmrig family: xmrig
UPX packed file: upx
Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted: 2024-05-25 13:42
Reported: 2024-05-25 13:44
Platform: win7-20240221-en
Max time kernel: 149s
Max time network: 155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-05-25_31a87d131824685f777c39e90b336a30_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader
21 rows; Description, Indicator, Process and Target all N/A

Cobaltstrike
trojan backdoor cobaltstrike

xmrig
miner xmrig

Detects Reflective DLL injection artifacts
21 rows; Description, Indicator, Process and Target all N/A

UPX dump on OEP (original entry point)
61 rows; Description, Indicator, Process and Target all N/A

XMRig Miner payload
miner
63 rows; Description, Indicator, Process and Target all N/A

Loads dropped DLL
21 rows; Process = C:\Users\Admin\AppData\Local\Temp\2024-05-25_31a87d131824685f777c39e90b336a30_cobalt-strike_cobaltstrike.exe in every row; Description, Indicator and Target N/A

UPX packed file
upx
61 rows; Description, Indicator, Process and Target all N/A

Drops file in Windows directory

21 "File created" events, all from C:\Users\Admin\AppData\Local\Temp\2024-05-25_31a87d131824685f777c39e90b336a30_cobalt-strike_cobaltstrike.exe (Target N/A). Each one writes a single executable with a seven-letter mixed-case name into C:\Windows\System\:

WnEIUSz.exe, zdoIMYm.exe, ZmxMaJc.exe, LEpqppY.exe, vZcTEHE.exe, HSyrPtM.exe, hoHldyu.exe, vzFewTj.exe, auWLUJJ.exe, JNwlrZJ.exe, indwijP.exe, uvVUIAU.exe, ibLqvFq.exe, xSpNZpH.exe, AXtRAvE.exe, KzDMNAS.exe, DHVNGXJ.exe, myWvcmh.exe, GnGtxTO.exe, tqWsHlG.exe, oPuYJdR.exe

Suspicious use of AdjustPrivilegeToken

Token: SeLockMemoryPrivilege, adjusted twice by C:\Users\Admin\AppData\Local\Temp\2024-05-25_31a87d131824685f777c39e90b336a30_cobalt-strike_cobaltstrike.exe (Indicator and Target N/A). SeLockMemoryPrivilege is the "Lock pages in memory" right needed to back memory with large pages, which XMRig requests for its hashing scratchpad; seen alongside the XMRig payload signature, it corroborates the miner classification.

Suspicious use of WriteProcessMemory

63 rows. Every write originates from PID 2032, C:\Users\Admin\AppData\Local\Temp\2024-05-25_31a87d131824685f777c39e90b336a30_cobalt-strike_cobaltstrike.exe, and each of the 21 targets below received three writes (Indicator N/A).

Target PID Target
2536 C:\Windows\System\vZcTEHE.exe
2796 C:\Windows\System\GnGtxTO.exe
2584 C:\Windows\System\HSyrPtM.exe
2688 C:\Windows\System\tqWsHlG.exe
2600 C:\Windows\System\WnEIUSz.exe
2632 C:\Windows\System\zdoIMYm.exe
2484 C:\Windows\System\indwijP.exe
2628 C:\Windows\System\ZmxMaJc.exe
2460 C:\Windows\System\ibLqvFq.exe
2528 C:\Windows\System\uvVUIAU.exe
3056 C:\Windows\System\xSpNZpH.exe
1276 C:\Windows\System\AXtRAvE.exe
2788 C:\Windows\System\hoHldyu.exe
3068 C:\Windows\System\vzFewTj.exe
1304 C:\Windows\System\KzDMNAS.exe
320 C:\Windows\System\DHVNGXJ.exe
1364 C:\Windows\System\auWLUJJ.exe
1980 C:\Windows\System\myWvcmh.exe
2376 C:\Windows\System\JNwlrZJ.exe
1636 C:\Windows\System\LEpqppY.exe
2516 C:\Windows\System\oPuYJdR.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-05-25_31a87d131824685f777c39e90b336a30_cobalt-strike_cobaltstrike.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\2024-05-25_31a87d131824685f777c39e90b336a30_cobalt-strike_cobaltstrike.exe"

The other 21 processes are the dropped executables. Each was started with a command line identical to its image path and no arguments; the PIDs are those recorded as WriteProcessMemory targets of PID 2032 above.

C:\Windows\System\vZcTEHE.exe (PID 2536)
C:\Windows\System\GnGtxTO.exe (PID 2796)
C:\Windows\System\HSyrPtM.exe (PID 2584)
C:\Windows\System\tqWsHlG.exe (PID 2688)
C:\Windows\System\WnEIUSz.exe (PID 2600)
C:\Windows\System\zdoIMYm.exe (PID 2632)
C:\Windows\System\indwijP.exe (PID 2484)
C:\Windows\System\ZmxMaJc.exe (PID 2628)
C:\Windows\System\ibLqvFq.exe (PID 2460)
C:\Windows\System\uvVUIAU.exe (PID 2528)
C:\Windows\System\xSpNZpH.exe (PID 3056)
C:\Windows\System\AXtRAvE.exe (PID 1276)
C:\Windows\System\hoHldyu.exe (PID 2788)
C:\Windows\System\vzFewTj.exe (PID 3068)
C:\Windows\System\KzDMNAS.exe (PID 1304)
C:\Windows\System\DHVNGXJ.exe (PID 320)
C:\Windows\System\auWLUJJ.exe (PID 1364)
C:\Windows\System\myWvcmh.exe (PID 1980)
C:\Windows\System\JNwlrZJ.exe (PID 2376)
C:\Windows\System\LEpqppY.exe (PID 1636)
C:\Windows\System\oPuYJdR.exe (PID 2516)

Network

Country Destination Domain Proto Connections
DE 3.120.209.58:8080 (none recorded) tcp 6

Files

memory/2032-0-0x000000013F9A0000-0x000000013FCF4000-memory.dmp

memory/2032-1-0x00000000003F0000-0x0000000000400000-memory.dmp

\Windows\system\vZcTEHE.exe

MD5 dd9489e7d635ac0ce719b11e975744af
SHA1 51cc4bbe45cf0b7008ff5fe675ef12b6456d0499
SHA256 13daa08c003b95196360c3f84b31ef501623e8000c92c7f28ba17873f5e2d9df
SHA512 74344a15ca58a13ded31b179a3c66832eb3bd444570d5f4c6e232cfe1369fdccc9ecd0f704744a901f5be88a26bb6b09564c0e4dc3516d0ef3a57585129cb3ef

\Windows\system\GnGtxTO.exe

MD5 852df8af322d9e6c618aad9e50204471
SHA1 21a6f182b0447e1c9b90d1ca9e30a40c83b6637a
SHA256 2a5cc44ad2b425f50e866f5992a23312ca5bbcb3e2f7a82f98e5d0b6b69b2549
SHA512 8aa487ab533f68dc90c64c5ac045433375da5bc02c2c694b0da9faba2939e2329d353536ed8a8ed1c78710c7b33c48a3406a7157eda2ff420bf0f702c42daee3

memory/2536-12-0x000000013F650000-0x000000013F9A4000-memory.dmp

memory/2796-14-0x000000013F6D0000-0x000000013FA24000-memory.dmp

\Windows\system\HSyrPtM.exe

MD5 d0db72172985ee5f22f228571ad0816e
SHA1 9a3a5925b5088a3257ff79da158acbcd51ed0b03
SHA256 5c744328d71403d04a31571d6c51498d4424c384974e63c9ced40c9ee7ed33fa
SHA512 c1d7cb8a44f0674a99156edf94e3249146d808e4d4a75e2b08c09d7e93a413ef58ce87d27cc13c3f94c00273fe00169d5084c7326b7adeb76ade01db1f736070

memory/2032-18-0x0000000002400000-0x0000000002754000-memory.dmp

C:\Windows\system\tqWsHlG.exe

MD5 6d74fb1025417ed1f2bea8f34cf40a67
SHA1 a2f92b046281c7d30172649fd3195408e181992f
SHA256 73f3b5d3e008dc7209d59df26b737cb843759d74d48ded13f1914127f709f5ef
SHA512 332b078666079c1b1e77e2d7fc6a8096a49a6c95c2e8150a6d8492e53bbfe646709faef9ac5532a4bc30b06d5ee50b20cfdc037492858eed461eb8c94fa2f87f

C:\Windows\system\WnEIUSz.exe

MD5 8bf16bcd6a287c3a57a21c5826c89fa9
SHA1 a3b451262cac9d8695c4e1dab349d25255d1a220
SHA256 9f658852778f13a5ab7b3a223fbfdea9c545b1da201671c5a9204ee82baa79e7
SHA512 e82b3b719f7c0bdd6a325a165acf018ffb754df6bab0e4eca19cb277ec0bbdbf71623457a300429885a6d4c0dc24c81742c9a6b457c68dc5f9f04d1f402290cc

memory/2688-31-0x000000013F290000-0x000000013F5E4000-memory.dmp

memory/2600-33-0x000000013F8B0000-0x000000013FC04000-memory.dmp

memory/2584-37-0x000000013FD10000-0x0000000140064000-memory.dmp

memory/2032-40-0x0000000002400000-0x0000000002754000-memory.dmp

C:\Windows\system\zdoIMYm.exe

MD5 256516edc90906ea55e72587a4368fb0
SHA1 dea2ea3b595765fccd6b3978e0f5f758220bba29
SHA256 2e21f11c51004bda51d01ca37eb27db49486b3cecd0ee9745826c54308738926
SHA512 9280d2cc767402d633eee6bfaae984fe3b3943148acba2b05ec1ebd2c29363f1aac1a0d37112a9783ad003dc1f4cfa27f6e8b371c9f343cb1c9933ba08be7d56

\Windows\system\indwijP.exe

MD5 4a327bb3a1b911fdb890105648be9d68
SHA1 b8e6b2648673a09b3e210ab58276989ca56f9636
SHA256 0f35589fea93cc7e6a131ed94e317520e345878f4361e05c04c924cb8361b238
SHA512 2b2b6feb19df926509beff10320078934259983cc590c18db49bf1b9219c8ef4b8c09e23691405f856d19c19aaee770b4228674eb28af4e0bc60cc14f5aa671c

memory/2032-43-0x000000013FF70000-0x00000001402C4000-memory.dmp

memory/2632-41-0x000000013FC00000-0x000000013FF54000-memory.dmp

memory/2032-32-0x0000000002400000-0x0000000002754000-memory.dmp

memory/2628-54-0x000000013FBD0000-0x000000013FF24000-memory.dmp

memory/2484-47-0x000000013FF70000-0x00000001402C4000-memory.dmp

memory/2032-66-0x000000013F9A0000-0x000000013FCF4000-memory.dmp

C:\Windows\system\uvVUIAU.exe

MD5 a3ac94f0756dfbd779682371481fdd88
SHA1 8a39f78fe982d2ed0f4985fa3015b9a074d45c88
SHA256 3327202551fa3a3938cb88b0a268182b1f36d860d07a2b7c71ab1c8536876bc5
SHA512 d7e6f589474f946fddd4d061db6314e1e0e03af3195fecb108293bc64250518480efae981f2f5aab98ac3c01eb5d7a2e09610517dbb13c9ee8d85333203b4d65

memory/2536-67-0x000000013F650000-0x000000013F9A4000-memory.dmp

memory/2528-69-0x000000013F9C0000-0x000000013FD14000-memory.dmp

memory/2032-68-0x0000000002400000-0x0000000002754000-memory.dmp

memory/2796-80-0x000000013F6D0000-0x000000013FA24000-memory.dmp

memory/3056-76-0x000000013F0E0000-0x000000013F434000-memory.dmp

C:\Windows\system\AXtRAvE.exe

MD5 8d5f93510e35ad94c9a86aa6ac54059a
SHA1 e13266ef2b9aad34fd2d90cf13d0897b39d0c690
SHA256 e59faefaded84056c8ff10fa20d7a36aec71064df2c01c8e686994ab6f314953
SHA512 f9b1e5164574b5e9c25a207d613e44c4ed6410ccccc3b884410949ba7c5cb51adaa25b58c6934ae45509d7d9118892df0c3a4bcf55b88f989d140cc8163d2221

memory/1276-83-0x000000013FB20000-0x000000013FE74000-memory.dmp

memory/2032-75-0x000000013F0E0000-0x000000013F434000-memory.dmp

memory/3068-96-0x000000013F6C0000-0x000000013FA14000-memory.dmp

C:\Windows\system\KzDMNAS.exe

MD5 fd9e752f77812d8c0969f658693b95a3
SHA1 00d2986a7cc868da3bb5aaa4d0c35a88094f495a
SHA256 438168f2d8e09d18d43b2deb60fd42215cfc8216ae0e7b417d312f978ce16921
SHA512 db178f25a28c099c68f2b3410cca333827c32e1e5a484c648b3054aed7b211fa67074401370e6235db2165927336d6ad6657798b2a3eb4e1992934cf308c5fd1

C:\Windows\system\myWvcmh.exe

MD5 a0503380449bbec70457737d6da1052a
SHA1 58788ff33d60d5080bc4bb097aaf6f63e4cf637c
SHA256 8e097c42c22c9b9296e967604b29c2ccf4b8680d10ae112089b7b39978992779
SHA512 d392cae0f05d059fae0b8b9d6293549864e950746f5cae1e0a247a74d0eb846325f2e4d30c697a8b8938801c0957d37e6a3db2183e968fd11c93ba59cfa413a5

\Windows\system\oPuYJdR.exe

MD5 2647ebd327635008da49af6e4cae94b4
SHA1 21ed66f5ce48d5b1cccb1df5b92c20042fb6bf86
SHA256 1e089a780572eb3fb369ff408d0301d3c4b14dce38d9cdf8e216706ec81c43ae
SHA512 dd0fa23938aace1b0a3313d3ed9e518f34f2fdd89de08af3244166433f93d7c4fc610c3fba694e13a3459de091fc09834c555099be3983f9e579f18c778b4a33

C:\Windows\system\JNwlrZJ.exe

MD5 8609b77859219b4262a21f4867a01235
SHA1 7009ee5912a80052392e42224a006536bf2bc29d
SHA256 7277da74a998f682bd6af768ed3905d1df99ce690473af0f17ff801a7b1e1d58
SHA512 53e8924edc0c2c5264ad1d4292cdbca44789aa1db6b4c35df25b7ed09a7065ec618acd308d3379b9930a3ebaa055e25f6a401b7ae310491bbbd9b424dc15da5e

C:\Windows\system\LEpqppY.exe

MD5 7be00242436b1dde4e160a65548241c4
SHA1 02af82d1bc9f9c02c3108749083b6014aaa22331
SHA256 27b72c725be54033ef89568277fb54e75783579df0eba87ad40174ff27541a2e
SHA512 f6c15eb5f1b9c5d780da4739516c033916e36c58b6c5cde3ea6fa463760fa8efb8e52c89070593beaeeb0389cfd72c44338af448312709a08cd1d71e1d850f99

C:\Windows\system\auWLUJJ.exe

MD5 87b505cac3cb87bd4baa7a1fee7c6cfa
SHA1 4d918ba09a8ecd541400a4ed5710b0cf0be6addc
SHA256 6a41ab1e7f4ca30769bb89261247ffae7e8762ea16c308da7272ab9b98d5128c
SHA512 3c480b4b99a462b7a4cd1b148ff882a86b8c475f215c42aad05af19a5ae7cea066707c6b0f45b9e0c5b18444e43bf0bfc99747dd82e973a685250487e9515886

C:\Windows\system\DHVNGXJ.exe

MD5 a2e76482966bebd50c7e2cc16e580c67
SHA1 3ae41fd7777a1eceb1197aeed1ab263cfa71c9bf
SHA256 e31312386cd9249c45ea81cc0d68d05b08989c42bef996513930e6d4f3279b20
SHA512 705f17ba725e20900c792356a4d1cfe2401dcb7085efe2ea7074413fe5e1412d161323b3fc1fb9be3623cce848a65acb764b682f01e88fc4d8f6fdcd434eb1a2

memory/2484-134-0x000000013FF70000-0x00000001402C4000-memory.dmp

memory/2032-100-0x000000013F5A0000-0x000000013F8F4000-memory.dmp

memory/2032-95-0x0000000002400000-0x0000000002754000-memory.dmp

C:\Windows\system\vzFewTj.exe

MD5 19574b307362e8af522ddfe846b816ac
SHA1 d5802d2236f591e0e653b8ea97cf51197c9f9162
SHA256 14ff0a9c1016cd93df7507e4d05468219333ea0b5f3c29c05047d6bc55bfd67c
SHA512 39f64119bb2b02f91dcb77da3780d2a53ff7cb63ff4531bca1e814b2bb7c1425243716e347f27715eaacf682249a0a6bb81ced2ea77ad1c614b4e36c87688b59

memory/2788-89-0x000000013F860000-0x000000013FBB4000-memory.dmp

C:\Windows\system\hoHldyu.exe

MD5 f7592c30781ab4dba3f5c3683436bed0
SHA1 d33b1d382e8e0ece8843955ec8732f81a8a59b30
SHA256 959b32dbfb671750a078d4eaf30fb14d11d3183c7f0574d28250200e56f5b7a8
SHA512 745d6fe347bf22bc45400bc3ae6a6f3694ddb806b6efe3e0d1d2758927f68c5320e49022c3670b261930b3f82bfd471a0c16dae769aa6bd4b1a8832a7c22bd7d

C:\Windows\system\xSpNZpH.exe

MD5 76ebfeb4b1f3b3bdf4fd5904c5a8334c
SHA1 01574dfa610db56eae6022e261a11fe76b5e8083
SHA256 5e18ddb7b971557d78d7c258c40d18ed21a7aba57755bcb17694ccf2c8366c15
SHA512 71d0c0a0124a8dfc78b1c7f41a09527c0700403f446dc2d87012539f556e15d0314522716f365d3e327f5f3df11b009eb70a54c3dcba1ba34fbbd048e1b37017

memory/2628-135-0x000000013FBD0000-0x000000013FF24000-memory.dmp

memory/2460-60-0x000000013F730000-0x000000013FA84000-memory.dmp

memory/2032-59-0x0000000002400000-0x0000000002754000-memory.dmp

C:\Windows\system\ibLqvFq.exe

MD5 cedebead0a55919a29617428e528f0c4
SHA1 cc0127c995d458e8969ae59a666606fcf891a9f8
SHA256 e2ef9e29523b34d01008f4e43e15532dad95f837b44a8c0c47849607540dc84d
SHA512 71ac17a1a854c1bf3c33a89626977c8d052ed415aa8862242cb037ef131f6fb2ab4cf80e21aed4747cd12aed590098044856e6edda5673348cb5ef5ac57f88c7

memory/2032-53-0x0000000002400000-0x0000000002754000-memory.dmp

C:\Windows\system\ZmxMaJc.exe

MD5 210b62da7ed2f6f567d273d087c143a5
SHA1 8b9e1db5c7b97ceed7c05f9a681838986fea1e2d
SHA256 4f8bbe5eea9ff38cc1c82789809888d9953c5c51064fbe3dab70a9ee589e2d6c
SHA512 0dbd59a339b114f8a045fb1c3b7b4c8acb40ecbcb3e792080818ed0193bfca5671f56993dcb2fcef1f2e2ca2301975aca4316e71bf783b0f967b97e37d14358f

memory/2460-136-0x000000013F730000-0x000000013FA84000-memory.dmp

memory/2032-137-0x0000000002400000-0x0000000002754000-memory.dmp

memory/2528-138-0x000000013F9C0000-0x000000013FD14000-memory.dmp

memory/3056-139-0x000000013F0E0000-0x000000013F434000-memory.dmp

memory/2032-140-0x0000000002400000-0x0000000002754000-memory.dmp

memory/1276-141-0x000000013FB20000-0x000000013FE74000-memory.dmp

memory/2788-142-0x000000013F860000-0x000000013FBB4000-memory.dmp

memory/3068-143-0x000000013F6C0000-0x000000013FA14000-memory.dmp

memory/2032-144-0x000000013F5A0000-0x000000013F8F4000-memory.dmp

memory/2536-145-0x000000013F650000-0x000000013F9A4000-memory.dmp

memory/2796-146-0x000000013F6D0000-0x000000013FA24000-memory.dmp

memory/2584-147-0x000000013FD10000-0x0000000140064000-memory.dmp

memory/2688-148-0x000000013F290000-0x000000013F5E4000-memory.dmp

memory/2600-149-0x000000013F8B0000-0x000000013FC04000-memory.dmp

memory/2632-150-0x000000013FC00000-0x000000013FF54000-memory.dmp

memory/2484-151-0x000000013FF70000-0x00000001402C4000-memory.dmp

memory/2628-152-0x000000013FBD0000-0x000000013FF24000-memory.dmp

memory/2460-153-0x000000013F730000-0x000000013FA84000-memory.dmp

memory/2528-154-0x000000013F9C0000-0x000000013FD14000-memory.dmp

memory/3056-155-0x000000013F0E0000-0x000000013F434000-memory.dmp

memory/1276-156-0x000000013FB20000-0x000000013FE74000-memory.dmp

memory/2788-157-0x000000013F860000-0x000000013FBB4000-memory.dmp

memory/3068-158-0x000000013F6C0000-0x000000013FA14000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-25 13:42

Reported

2024-05-25 13:45

Platform

win10v2004-20240508-en

Max time kernel

150s

Max time network

157s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-05-25_31a87d131824685f777c39e90b336a30_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A
(21 rows in the original table, all N/A)

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A
(21 rows in the original table, all N/A)

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A
(64 rows in the original table, all N/A)

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
(64 rows in the original table, all N/A)

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
(64 rows in the original table, all N/A)

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\lHQCkBI.exe C:\Users\Admin\AppData\Local\Temp\2024-05-25_31a87d131824685f777c39e90b336a30_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\GWnjqFn.exe C:\Users\Admin\AppData\Local\Temp\2024-05-25_31a87d131824685f777c39e90b336a30_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\CxIOIhy.exe C:\Users\Admin\AppData\Local\Temp\2024-05-25_31a87d131824685f777c39e90b336a30_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\wUvRSjY.exe C:\Users\Admin\AppData\Local\Temp\2024-05-25_31a87d131824685f777c39e90b336a30_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\MgmoKcL.exe C:\Users\Admin\AppData\Local\Temp\2024-05-25_31a87d131824685f777c39e90b336a30_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\CGcRdgy.exe C:\Users\Admin\AppData\Local\Temp\2024-05-25_31a87d131824685f777c39e90b336a30_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\MzpecYg.exe C:\Users\Admin\AppData\Local\Temp\2024-05-25_31a87d131824685f777c39e90b336a30_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\MyYFiug.exe C:\Users\Admin\AppData\Local\Temp\2024-05-25_31a87d131824685f777c39e90b336a30_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\rTAPTWT.exe C:\Users\Admin\AppData\Local\Temp\2024-05-25_31a87d131824685f777c39e90b336a30_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\KyJkegL.exe C:\Users\Admin\AppData\Local\Temp\2024-05-25_31a87d131824685f777c39e90b336a30_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\NocYQqb.exe C:\Users\Admin\AppData\Local\Temp\2024-05-25_31a87d131824685f777c39e90b336a30_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\DIwujip.exe C:\Users\Admin\AppData\Local\Temp\2024-05-25_31a87d131824685f777c39e90b336a30_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\CgLQANW.exe C:\Users\Admin\AppData\Local\Temp\2024-05-25_31a87d131824685f777c39e90b336a30_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\UvevEgD.exe C:\Users\Admin\AppData\Local\Temp\2024-05-25_31a87d131824685f777c39e90b336a30_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\yIVmUqb.exe C:\Users\Admin\AppData\Local\Temp\2024-05-25_31a87d131824685f777c39e90b336a30_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\DUnOUIr.exe C:\Users\Admin\AppData\Local\Temp\2024-05-25_31a87d131824685f777c39e90b336a30_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ccSqTUY.exe C:\Users\Admin\AppData\Local\Temp\2024-05-25_31a87d131824685f777c39e90b336a30_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\hTimulK.exe C:\Users\Admin\AppData\Local\Temp\2024-05-25_31a87d131824685f777c39e90b336a30_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\eKptDDv.exe C:\Users\Admin\AppData\Local\Temp\2024-05-25_31a87d131824685f777c39e90b336a30_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\hKxiNDG.exe C:\Users\Admin\AppData\Local\Temp\2024-05-25_31a87d131824685f777c39e90b336a30_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\DrhTbrQ.exe C:\Users\Admin\AppData\Local\Temp\2024-05-25_31a87d131824685f777c39e90b336a30_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-05-25_31a87d131824685f777c39e90b336a30_cobalt-strike_cobaltstrike.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-05-25_31a87d131824685f777c39e90b336a30_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3172 wrote to memory of 4752 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-25_31a87d131824685f777c39e90b336a30_cobalt-strike_cobaltstrike.exe C:\Windows\System\MzpecYg.exe
PID 3172 wrote to memory of 4752 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-25_31a87d131824685f777c39e90b336a30_cobalt-strike_cobaltstrike.exe C:\Windows\System\MzpecYg.exe
PID 3172 wrote to memory of 1848 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-25_31a87d131824685f777c39e90b336a30_cobalt-strike_cobaltstrike.exe C:\Windows\System\NocYQqb.exe
PID 3172 wrote to memory of 1848 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-25_31a87d131824685f777c39e90b336a30_cobalt-strike_cobaltstrike.exe C:\Windows\System\NocYQqb.exe
PID 3172 wrote to memory of 3252 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-25_31a87d131824685f777c39e90b336a30_cobalt-strike_cobaltstrike.exe C:\Windows\System\yIVmUqb.exe
PID 3172 wrote to memory of 3252 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-25_31a87d131824685f777c39e90b336a30_cobalt-strike_cobaltstrike.exe C:\Windows\System\yIVmUqb.exe
PID 3172 wrote to memory of 4424 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-25_31a87d131824685f777c39e90b336a30_cobalt-strike_cobaltstrike.exe C:\Windows\System\lHQCkBI.exe
PID 3172 wrote to memory of 4424 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-25_31a87d131824685f777c39e90b336a30_cobalt-strike_cobaltstrike.exe C:\Windows\System\lHQCkBI.exe
PID 3172 wrote to memory of 4236 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-25_31a87d131824685f777c39e90b336a30_cobalt-strike_cobaltstrike.exe C:\Windows\System\DrhTbrQ.exe
PID 3172 wrote to memory of 4236 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-25_31a87d131824685f777c39e90b336a30_cobalt-strike_cobaltstrike.exe C:\Windows\System\DrhTbrQ.exe
PID 3172 wrote to memory of 4652 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-25_31a87d131824685f777c39e90b336a30_cobalt-strike_cobaltstrike.exe C:\Windows\System\DIwujip.exe
PID 3172 wrote to memory of 4652 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-25_31a87d131824685f777c39e90b336a30_cobalt-strike_cobaltstrike.exe C:\Windows\System\DIwujip.exe
PID 3172 wrote to memory of 4908 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-25_31a87d131824685f777c39e90b336a30_cobalt-strike_cobaltstrike.exe C:\Windows\System\GWnjqFn.exe
PID 3172 wrote to memory of 4908 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-25_31a87d131824685f777c39e90b336a30_cobalt-strike_cobaltstrike.exe C:\Windows\System\GWnjqFn.exe
PID 3172 wrote to memory of 3772 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-25_31a87d131824685f777c39e90b336a30_cobalt-strike_cobaltstrike.exe C:\Windows\System\MyYFiug.exe
PID 3172 wrote to memory of 3772 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-25_31a87d131824685f777c39e90b336a30_cobalt-strike_cobaltstrike.exe C:\Windows\System\MyYFiug.exe
PID 3172 wrote to memory of 3888 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-25_31a87d131824685f777c39e90b336a30_cobalt-strike_cobaltstrike.exe C:\Windows\System\CxIOIhy.exe
PID 3172 wrote to memory of 3888 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-25_31a87d131824685f777c39e90b336a30_cobalt-strike_cobaltstrike.exe C:\Windows\System\CxIOIhy.exe
PID 3172 wrote to memory of 4952 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-25_31a87d131824685f777c39e90b336a30_cobalt-strike_cobaltstrike.exe C:\Windows\System\rTAPTWT.exe
PID 3172 wrote to memory of 4952 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-25_31a87d131824685f777c39e90b336a30_cobalt-strike_cobaltstrike.exe C:\Windows\System\rTAPTWT.exe
PID 3172 wrote to memory of 4332 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-25_31a87d131824685f777c39e90b336a30_cobalt-strike_cobaltstrike.exe C:\Windows\System\DUnOUIr.exe
PID 3172 wrote to memory of 4332 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-25_31a87d131824685f777c39e90b336a30_cobalt-strike_cobaltstrike.exe C:\Windows\System\DUnOUIr.exe
PID 3172 wrote to memory of 5020 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-25_31a87d131824685f777c39e90b336a30_cobalt-strike_cobaltstrike.exe C:\Windows\System\ccSqTUY.exe
PID 3172 wrote to memory of 5020 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-25_31a87d131824685f777c39e90b336a30_cobalt-strike_cobaltstrike.exe C:\Windows\System\ccSqTUY.exe
PID 3172 wrote to memory of 3436 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-25_31a87d131824685f777c39e90b336a30_cobalt-strike_cobaltstrike.exe C:\Windows\System\wUvRSjY.exe
PID 3172 wrote to memory of 3436 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-25_31a87d131824685f777c39e90b336a30_cobalt-strike_cobaltstrike.exe C:\Windows\System\wUvRSjY.exe
PID 3172 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-25_31a87d131824685f777c39e90b336a30_cobalt-strike_cobaltstrike.exe C:\Windows\System\hTimulK.exe
PID 3172 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-25_31a87d131824685f777c39e90b336a30_cobalt-strike_cobaltstrike.exe C:\Windows\System\hTimulK.exe
PID 3172 wrote to memory of 1420 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-25_31a87d131824685f777c39e90b336a30_cobalt-strike_cobaltstrike.exe C:\Windows\System\MgmoKcL.exe
PID 3172 wrote to memory of 1420 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-25_31a87d131824685f777c39e90b336a30_cobalt-strike_cobaltstrike.exe C:\Windows\System\MgmoKcL.exe
PID 3172 wrote to memory of 3204 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-25_31a87d131824685f777c39e90b336a30_cobalt-strike_cobaltstrike.exe C:\Windows\System\KyJkegL.exe
PID 3172 wrote to memory of 3204 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-25_31a87d131824685f777c39e90b336a30_cobalt-strike_cobaltstrike.exe C:\Windows\System\KyJkegL.exe
PID 3172 wrote to memory of 1216 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-25_31a87d131824685f777c39e90b336a30_cobalt-strike_cobaltstrike.exe C:\Windows\System\CgLQANW.exe
PID 3172 wrote to memory of 1216 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-25_31a87d131824685f777c39e90b336a30_cobalt-strike_cobaltstrike.exe C:\Windows\System\CgLQANW.exe
PID 3172 wrote to memory of 932 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-25_31a87d131824685f777c39e90b336a30_cobalt-strike_cobaltstrike.exe C:\Windows\System\eKptDDv.exe
PID 3172 wrote to memory of 932 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-25_31a87d131824685f777c39e90b336a30_cobalt-strike_cobaltstrike.exe C:\Windows\System\eKptDDv.exe
PID 3172 wrote to memory of 1932 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-25_31a87d131824685f777c39e90b336a30_cobalt-strike_cobaltstrike.exe C:\Windows\System\CGcRdgy.exe
PID 3172 wrote to memory of 1932 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-25_31a87d131824685f777c39e90b336a30_cobalt-strike_cobaltstrike.exe C:\Windows\System\CGcRdgy.exe
PID 3172 wrote to memory of 4676 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-25_31a87d131824685f777c39e90b336a30_cobalt-strike_cobaltstrike.exe C:\Windows\System\UvevEgD.exe
PID 3172 wrote to memory of 4676 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-25_31a87d131824685f777c39e90b336a30_cobalt-strike_cobaltstrike.exe C:\Windows\System\UvevEgD.exe
PID 3172 wrote to memory of 3324 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-25_31a87d131824685f777c39e90b336a30_cobalt-strike_cobaltstrike.exe C:\Windows\System\hKxiNDG.exe
PID 3172 wrote to memory of 3324 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-25_31a87d131824685f777c39e90b336a30_cobalt-strike_cobaltstrike.exe C:\Windows\System\hKxiNDG.exe
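The three populated tables above (file creations, the privilege request and the WriteProcessMemory rows) are the ones worth scripting against when many reports of this family come in. The Python below is an added example, not part of the sandbox report or its tooling: it parses rows in the report's own "Description Indicator Process Target" layout (a constructed subset copied from the tables above is embedded), rebuilds the parent/child relationships from the PIDs, and emits the three triage findings a reviewer would pull from this section. The seven-letter file-name pattern and the min_children threshold are the example's own assumptions, not anything the report states.

```python
import re
from collections import defaultdict

# Rows copied from the three populated signature tables above (a constructed
# subset in the report's own "Description Indicator Process Target" layout).
DROPPER = r"C:\Users\Admin\AppData\Local\Temp\2024-05-25_31a87d131824685f777c39e90b336a30_cobalt-strike_cobaltstrike.exe"
SAMPLE_ROWS = "\n".join([
    rf"File created C:\Windows\System\lHQCkBI.exe {DROPPER} N/A",
    rf"File created C:\Windows\System\GWnjqFn.exe {DROPPER} N/A",
    rf"File created C:\Windows\System\MzpecYg.exe {DROPPER} N/A",
    rf"File created C:\Windows\System\NocYQqb.exe {DROPPER} N/A",
    rf"Token: SeLockMemoryPrivilege N/A {DROPPER} N/A",
    rf"Token: SeLockMemoryPrivilege N/A {DROPPER} N/A",
    rf"PID 3172 wrote to memory of 4752 N/A {DROPPER} C:\Windows\System\MzpecYg.exe",
    rf"PID 3172 wrote to memory of 4752 N/A {DROPPER} C:\Windows\System\MzpecYg.exe",
    rf"PID 3172 wrote to memory of 1848 N/A {DROPPER} C:\Windows\System\NocYQqb.exe",
    rf"PID 3172 wrote to memory of 1848 N/A {DROPPER} C:\Windows\System\NocYQqb.exe",
    rf"PID 3172 wrote to memory of 3252 N/A {DROPPER} C:\Windows\System\yIVmUqb.exe",
    rf"PID 3172 wrote to memory of 4424 N/A {DROPPER} C:\Windows\System\lHQCkBI.exe",
    rf"PID 3172 wrote to memory of 4236 N/A {DROPPER} C:\Windows\System\DrhTbrQ.exe",
])

FILE_RE = re.compile(r"^File created (\S+) (\S+) N/A$")
TOKEN_RE = re.compile(r"^Token: (\S+) N/A (\S+) N/A$")
WPM_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)$")
# Assumption: this sample's dropped names are seven ASCII letters; adjust per family.
RANDOM_NAME_RE = re.compile(r"^C:\\Windows\\System\\[A-Za-z]{7}\.exe$", re.IGNORECASE)


def parse_rows(text):
    """Split rows into (process, dropped_path), (process, privilege) and
    (parent_pid, parent_image, child_pid, child_image) tuples."""
    drops, tokens, writes = [], [], []
    for line in text.splitlines():
        line = line.strip()
        if m := FILE_RE.match(line):
            drops.append((m.group(2), m.group(1)))
        elif m := TOKEN_RE.match(line):
            tokens.append((m.group(2), m.group(1)))
        elif m := WPM_RE.match(line):
            writes.append((int(m.group(1)), m.group(3), int(m.group(2)), m.group(4)))
    return drops, tokens, writes


def process_tree(writes):
    """{(parent_pid, parent_image): {child_pid: child_image}}; repeated writes collapse."""
    tree = defaultdict(dict)
    for ppid, pimg, cpid, cimg in writes:
        tree[(ppid, pimg)][cpid] = cimg
    return dict(tree)


def findings(text, min_children=5):
    """Triage findings as (label, detail) pairs. min_children is an arbitrary threshold."""
    drops, tokens, writes = parse_rows(text)
    dropped = {path for _, path in drops}
    out = []
    # 1. A process running from %TEMP% writes randomly named executables into %SystemRoot%\System.
    random_drops = [p for proc, p in drops
                    if RANDOM_NAME_RE.match(p) and "\\AppData\\Local\\Temp\\" in proc]
    if random_drops:
        out.append(("random_named_drops_in_windows_system", len(random_drops)))
    # 2. The same process writes into many child processes, most of them its own dropped files.
    for (ppid, _), children in process_tree(writes).items():
        if len(children) >= min_children:
            own = sum(1 for img in children.values() if img in dropped)
            out.append(("writes_into_many_children", (ppid, len(children), own)))
    # 3. SeLockMemoryPrivilege is the privilege needed for large pages; XMRig requests it
    #    when huge pages are enabled, so the request is a useful miner indicator.
    lock = sum(1 for _, priv in tokens if priv == "SeLockMemoryPrivilege")
    if lock:
        out.append(("selockmemoryprivilege_requested", lock))
    return out


if __name__ == "__main__":
    for label, detail in findings(SAMPLE_ROWS):
        print(f"{label}: {detail}")
```

Repeated WriteProcessMemory rows for the same child are collapsed on purpose: the report logs one row per write, and the count of distinct children is the signal, not the number of writes.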

Processes

C:\Users\Admin\AppData\Local\Temp\2024-05-25_31a87d131824685f777c39e90b336a30_cobalt-strike_cobaltstrike.exe (PID 3172)

"C:\Users\Admin\AppData\Local\Temp\2024-05-25_31a87d131824685f777c39e90b336a30_cobalt-strike_cobaltstrike.exe"

Child processes written into by PID 3172 (PIDs taken from the WriteProcessMemory rows above); each was launched with its image path as the complete command line, no arguments:

C:\Windows\System\MzpecYg.exe (PID 4752)
C:\Windows\System\NocYQqb.exe (PID 1848)
C:\Windows\System\yIVmUqb.exe (PID 3252)
C:\Windows\System\lHQCkBI.exe (PID 4424)
C:\Windows\System\DrhTbrQ.exe (PID 4236)
C:\Windows\System\DIwujip.exe (PID 4652)
C:\Windows\System\GWnjqFn.exe (PID 4908)
C:\Windows\System\MyYFiug.exe (PID 3772)
C:\Windows\System\CxIOIhy.exe (PID 3888)
C:\Windows\System\rTAPTWT.exe (PID 4952)
C:\Windows\System\DUnOUIr.exe (PID 4332)
C:\Windows\System\ccSqTUY.exe (PID 5020)
C:\Windows\System\wUvRSjY.exe (PID 3436)
C:\Windows\System\hTimulK.exe (PID 2808)
C:\Windows\System\MgmoKcL.exe (PID 1420)
C:\Windows\System\KyJkegL.exe (PID 3204)
C:\Windows\System\CgLQANW.exe (PID 1216)
C:\Windows\System\eKptDDv.exe (PID 932)
C:\Windows\System\CGcRdgy.exe (PID 1932)
C:\Windows\System\UvevEgD.exe (PID 4676)
C:\Windows\System\hKxiNDG.exe (PID 3324)

Network

Country Destination Domain Proto
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
DE 3.120.209.58:8080 - tcp
US 8.8.8.8:53 101.58.20.217.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 23.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
DE 3.120.209.58:8080 - tcp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
NL 23.62.61.97:443 www.bing.com tcp
DE 3.120.209.58:8080 - tcp
US 8.8.8.8:53 25.24.18.2.in-addr.arpa udp
DE 3.120.209.58:8080 - tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
DE 3.120.209.58:8080 - tcp
US 8.8.8.8:53 12.173.189.20.in-addr.arpa udp

("-" marks a connection with no domain recorded. 3.120.209.58:8080 is contacted five times with no DNS resolution in this capture; every other row is a reverse lookup or bing.com traffic.)

Files

memory/3172-0-0x00007FF792F50000-0x00007FF7932A4000-memory.dmp

memory/3172-1-0x0000026023DE0000-0x0000026023DF0000-memory.dmp

C:\Windows\System\MzpecYg.exe

MD5 99c7cd74b3364a40dba3427c22b74a2d
SHA1 6d8df3ca3f6a9bfffb1e6f94f1de32305fa817f0
SHA256 51d61965504d85a049a2dde84741973cd9981aa73d9c662ba796bf8b4ba2b3c9
SHA512 bcb5770daeb2d4f4f4039580041e25061ae7adbd5dc13e2920d561767e149a0211ce1af29635db0f59d1d1b35bcd30f40a74bdc149b056a47c04132e1223c73f

C:\Windows\System\NocYQqb.exe

MD5 887c744d94829305b6e7087afb68254a
SHA1 887b7e40ec4dc882d1115fd7d161d7f909f3706e
SHA256 12681cbf44f931b077bb13b4ab211646969d6bf3f8157485f9402256672e247f
SHA512 0e082843da914c6b2f3953ddecc10c22a39c3c4c5318338653549e0e0971cee72c659032382a128055bc1df2ad9643b9694f3a1dd11676c490f0bbf63801a75e

C:\Windows\System\yIVmUqb.exe

MD5 c9605272ef6df9586f15a397fd00655e
SHA1 032321c1c1f4e8830df8d58646ce90dfa0975663
SHA256 61572ceaa794b1051726f89437167e23387a49c0354321e684bfa81e94b1679b
SHA512 e690e413803d3b4c8e8d8d5da48066f4a4e349f99171659eb4e227af2f4035ea73affc069f203065c7a4dd5891bf136d8a84720f3fa7922f4ff0f62775d02098

memory/3252-20-0x00007FF6FC200000-0x00007FF6FC554000-memory.dmp

C:\Windows\System\lHQCkBI.exe

MD5 278a98b7cb7c940edcfff03aba7ddf9d
SHA1 9637eb38c17c59bc2ea1613e69eefe8df9f2b533
SHA256 33074c9e3b18606cce5cf8f4ddc986379daae77f78a38b085d1447290cb756d8
SHA512 db33c6b7f35dff56dc2f556df98287bfb480b69e39f5c0887d72bd89f9c37d6fdb535acd36e215662accf7455e880015225b2903b7be21ae3264bb8b7f01d200

C:\Windows\System\DrhTbrQ.exe

MD5 1e01f5d8bb971088de3a7238dc473981
SHA1 8d06fc7ad2e88cf0fcdcf1ccf046e9748416a83c
SHA256 298df40233b24c4fae73d31f2e8b49be52ee32560b07c278f555214a87b3459a
SHA512 485bc4ceea2c2c005035412830c444ceee2dc39d465fdbb0045b89ab820877ab1a4fbd44c5632af0c36ec866017ec91bc6d81ff460bf91b3f074cc81b382b76b

C:\Windows\System\DIwujip.exe

MD5 d43b7cb21421e64b8f04146e8646003e
SHA1 a5b3aaa62051780387904fe7086aaeed49099703
SHA256 f31aad49d99523f2050c7f7e8eb67148ffb64cc0936bd1d5859d593f6055573d
SHA512 4ab1fea8266452a368e0c4a0519d65571c8553b1c40ef1dcc09d9050f88d7d18a602618b1c84fb57420c5b89c66f2b92a4cf76edc83a57ade0097c33b1b35477

C:\Windows\System\GWnjqFn.exe

MD5 2a3f09670c0f265cff5e464766a1f10e
SHA1 bd15c3a19746d4da389fe7121f32f040c2c2552e
SHA256 b9c546c0f052cad2d5640fc04b81bb4623e08cd7fea7b8c610b50a39757e3e35
SHA512 761b5fac3f0d625e604cd40434ad5ab7c2838dc64b1539b290c8bcd695efdc6268d03eb9b3fe524397b3c7ac6f8ff317db7b9cc98ec284277a092b37e3e9c0d9

memory/4424-37-0x00007FF6269A0000-0x00007FF626CF4000-memory.dmp

memory/4236-41-0x00007FF689B90000-0x00007FF689EE4000-memory.dmp

memory/4652-45-0x00007FF64BD30000-0x00007FF64C084000-memory.dmp

C:\Windows\System\MyYFiug.exe

MD5 51012d10ef95fe1cfce43353c7f0aab8
SHA1 a7f1b2efce0c541d092740b98203034e59f6f3a8
SHA256 3c5944e2f6760e09ae6d4bcd381aa82e18b5974c0d100690e6172c2864505223
SHA512 5e5fb4bdd037e2e7f7d79c048a9c74ef7bc6717c07c211d6dde2c67c8f6dc75ee8b2882689c66991f669ef6098c13f6e1635bf3ef8ee8b6d34e3bf09c8715f9c

memory/4908-46-0x00007FF7F4F90000-0x00007FF7F52E4000-memory.dmp

memory/3772-47-0x00007FF636280000-0x00007FF6365D4000-memory.dmp

memory/1848-12-0x00007FF799E30000-0x00007FF79A184000-memory.dmp

memory/4752-8-0x00007FF680460000-0x00007FF6807B4000-memory.dmp

C:\Windows\System\CxIOIhy.exe

MD5 9bacdb9898e92b62a1db4de610fff77f
SHA1 1414cf83b97cb798d74223e20dadd89847d11b59
SHA256 9b7270f8a22818e1f6774a62e7f0003d5f067f8744e4beb04e1b646f643fb281
SHA512 0981068c8a0d8fd0c8800a94829098c64410f869edc4e1fbc1baa8da4831325ea20fc08d829726985943cefb02354e986564531a9ec22ebd3458a8a337fc4a73

C:\Windows\System\rTAPTWT.exe

MD5 1b540d7391e1356a18a59ee66f261da6
SHA1 a5aa9a7b0643838a2dd5ced9b581e5d109afba9b
SHA256 0eb633b2a19b41b80558b67db2544b2061a0d288f064c24dae5cee062a60c87e
SHA512 9893418082f3f766237d06a29b92f9c1802246b85cdd8de041f2e2b8ded255aad6322f6ad0641cab2df85f9fb8ad88a2fa6618cb7e8a9810db6b43f3475ca71c

C:\Windows\System\DUnOUIr.exe

MD5 6b62f0a9965513f97c4b9e881c8fad6e
SHA1 637cfacd80a1fd19af9668aabc99e442bd18a90d
SHA256 ec7a9b15ce8358d9337fe8e26be7ecc5df85aa0bb030eee73e1d301fd1092948
SHA512 cbcf4c71edfdaec46c2b2269c5ae9abbfa6181c3f5730cd2e041cc610e26bef3f51e7683cc7be8ca9475dd2d0db4f29532533a238f20bdfd3b72cc62ae7ad7b6

C:\Windows\System\wUvRSjY.exe

MD5 3308fb34b3c08bd6e8605a21d579d347
SHA1 9c1e17cfae2b2d260ac6dacd4bd3bcc5362fec7e
SHA256 aa77efd8a2685b600784770ced947e901b4210331499370ce2aa45f06bbc3e6d
SHA512 33f597f28dab33121e59bb1e89871b9b7050648bfd2d504ac474b563c9fc7224f707feaf8dc6a5caf932b590f335c29196f805b26a3d7f070de90a9e2cdcad97

C:\Windows\System\CGcRdgy.exe

MD5 99634a4d44245189f347e1057007ebfb
SHA1 ab3e1da3d177bb8d5c69ed6e62b4246cf7d8d4e9
SHA256 33b7138ed8f50e2c0f5149aa24e4074a079271c0e87ed07dbc501523e1d049c9
SHA512 8cf51b3fb5444a766f74af2c9b4721d662be58145e17164852f055c0bdb4583d8016af79470cdb52017ee5299f5a057eaeb09b1f253293baf9f349461721c8a7

C:\Windows\System\UvevEgD.exe

MD5 557313f4eb2cf5f5277a978a27ae8462
SHA1 3d0b482b9c6e79713e561a47aca0b3647499fcc5
SHA256 0efaaf5c974d5d53fa5feaad3c19d177b964731835ee526671ce2f948dea94e9
SHA512 957dd8a57497a88f99f7f27ab58eadbbed110c901e931271fc1d297e57024330f01a5afffaf77cde0a7e4747efe8b09d1f4c786cef77788afff2c8bd858d1252

C:\Windows\System\hKxiNDG.exe

MD5 2e1305305a5b6b9d082dad3ce69274b1
SHA1 4cf703dcbe3bea1931b8999e820a416fce82202f
SHA256 2b48d2819fb5ad9f26b21646c117e1c9f0312627ee48f39423bc853ac17a7e7f
SHA512 5fca7d92337ae4d2fad726d1995b1f4e50fbf4a78f914c9a71ce607cbb139b505d9fd3d33af183eb2b067617b012f6e069e7c2c0a595d1ee6ba2b9f175ec7ba2

C:\Windows\System\eKptDDv.exe

MD5 3ee029030784b59300d06ef62502917c
SHA1 ca68ba72f7d82011b03f6ee29adeaf86a84175c2
SHA256 7ebe024f0d22cc60c30794627b39ec833c64a1fe8adbe6f847bd95b742b6288d
SHA512 979aa3cd0b3ed77f11ea739d3973cfe42e677a7b2702c4390f0880565d3a00ca051d526ccba880932bd6da7b317e50f0319c137069e5db0f7ac7d179c71f33c6

C:\Windows\System\CgLQANW.exe

MD5 76e63a4f16f6ac38d1c44f643a9e29f8
SHA1 e0aa921e577ba4726b028d96b904a595c1a0a117
SHA256 46567515c78d4b7316ba9e2e270e1a3ed6dfd4a5cac92858f470e998c5d353ca
SHA512 c3a2e8305790aea9a5b940bd10b3e08a7863528ed65dbac8f34de439ff007bceecc3bfde6ec74da4f7348da86e8a843d57197ec290c8457c5e0f5c47a9a05875

C:\Windows\System\KyJkegL.exe

MD5 48d8eb69d3d6b19cae465b1357b4740b
SHA1 0a5c352add907d4dd5732ea37bbab52e3a9eb702
SHA256 22bf590b8a21c3cd9f824aa2cc46753159cdd866b4d88b6041b25dce8f1f96dd
SHA512 7aa6884ff6a56d1207808ae2e3ac9094d3e6fe6e8d1565169b86c6990cd760ed64a880e182781a68a9de004c25c5989222cbeb03c2e374b4bbb6d7bf54f72b27

C:\Windows\System\MgmoKcL.exe

MD5 6d9aa643213135e3cc3b7c49bbe2fa81
SHA1 afcd2d7dd1f7ab70adc1a539f6396701ccd3a918
SHA256 1a91e029f1433d175725a21cf29107dd8b9b9442a98516113e28bc54d644315b
SHA512 7f2403ef0d6adf81feffb40f35084ba42ea0d22ad4a3846527b7c101c451be2a499baa2b346cc4946107ad6e677f0ce3c4e5295e411544c51eddaf9bf97c12f3

C:\Windows\System\hTimulK.exe

MD5 cfc810815c406f397415857bf6d55fef
SHA1 a140e4000e6530893df72617a3659f4d36f03aad
SHA256 87c975f05ed69d5795e564af8e30d3dc83c797ecd495abe33e542b5fcac395d7
SHA512 8fa52d33413afbd65a6f54d150ab903a01537e988591e0f7a63e630071cd4bedebb566fd574bbad778b9d8f020912702ec12b9beb08d67fb9f63948b493a13bb

C:\Windows\System\ccSqTUY.exe

MD5 97377fb73dad929029b5ee28280df8c5
SHA1 8056db981845e2fb49c5503973c47764e83f7743
SHA256 d0299b1957087056858da6ad04c93541a115d2e2ffad204b397838f261535b1a
SHA512 055373d9a83d7521f0f51610dc0c49688bc0da8424c029345acc2cc46ee0dee171a5e7a2c257d3b39627c58d486d537cab6914cb17459ea2b5ad528e52a587e9

memory/3888-115-0x00007FF6B10D0000-0x00007FF6B1424000-memory.dmp

memory/4952-116-0x00007FF775A90000-0x00007FF775DE4000-memory.dmp

memory/4332-117-0x00007FF6E9080000-0x00007FF6E93D4000-memory.dmp

memory/5020-118-0x00007FF61D500000-0x00007FF61D854000-memory.dmp

memory/3436-119-0x00007FF7C87E0000-0x00007FF7C8B34000-memory.dmp

memory/2808-120-0x00007FF7BF370000-0x00007FF7BF6C4000-memory.dmp

memory/1420-121-0x00007FF649010000-0x00007FF649364000-memory.dmp

memory/3204-122-0x00007FF770400000-0x00007FF770754000-memory.dmp

memory/1216-123-0x00007FF62D330000-0x00007FF62D684000-memory.dmp

memory/932-124-0x00007FF787450000-0x00007FF7877A4000-memory.dmp

memory/1932-125-0x00007FF6A7720000-0x00007FF6A7A74000-memory.dmp

memory/4676-126-0x00007FF708210000-0x00007FF708564000-memory.dmp

memory/3324-127-0x00007FF664DA0000-0x00007FF6650F4000-memory.dmp

memory/4752-128-0x00007FF680460000-0x00007FF6807B4000-memory.dmp

memory/1848-129-0x00007FF799E30000-0x00007FF79A184000-memory.dmp

memory/4424-131-0x00007FF6269A0000-0x00007FF626CF4000-memory.dmp

memory/3252-130-0x00007FF6FC200000-0x00007FF6FC554000-memory.dmp

memory/4236-132-0x00007FF689B90000-0x00007FF689EE4000-memory.dmp

memory/4652-133-0x00007FF64BD30000-0x00007FF64C084000-memory.dmp

memory/4908-134-0x00007FF7F4F90000-0x00007FF7F52E4000-memory.dmp

memory/3772-135-0x00007FF636280000-0x00007FF6365D4000-memory.dmp

memory/3888-136-0x00007FF6B10D0000-0x00007FF6B1424000-memory.dmp

memory/4952-137-0x00007FF775A90000-0x00007FF775DE4000-memory.dmp

memory/5020-138-0x00007FF61D500000-0x00007FF61D854000-memory.dmp

memory/2808-140-0x00007FF7BF370000-0x00007FF7BF6C4000-memory.dmp

memory/4332-139-0x00007FF6E9080000-0x00007FF6E93D4000-memory.dmp

memory/3436-141-0x00007FF7C87E0000-0x00007FF7C8B34000-memory.dmp

memory/1420-142-0x00007FF649010000-0x00007FF649364000-memory.dmp

memory/3204-143-0x00007FF770400000-0x00007FF770754000-memory.dmp

memory/1216-146-0x00007FF62D330000-0x00007FF62D684000-memory.dmp

memory/4676-145-0x00007FF708210000-0x00007FF708564000-memory.dmp

memory/1932-148-0x00007FF6A7720000-0x00007FF6A7A74000-memory.dmp

memory/932-144-0x00007FF787450000-0x00007FF7877A4000-memory.dmp

memory/3324-147-0x00007FF664DA0000-0x00007FF6650F4000-memory.dmp

memory/3172-149-0x00007FF792F50000-0x00007FF7932A4000-memory.dmp
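The Files sections of both behavioral runs use the same layout: a bare path introduces a dropped artifact, four labelled digest lines follow it, and memory/<pid>-<n>-0x<start>-0x<end>-memory.dmp names a dumped region. The Python below is an added example, not tooling from the sandbox: it parses that layout (a constructed subset copied from the section above is embedded), checks that each digest has the length its algorithm requires, sizes the dumped regions, and hashes a local directory against the reported SHA256 values. In both runs every dumped region listed is 0x354000 bytes except the one 0x10000-byte region memory/3172-1, so the differing file hashes sit on identically sized images. The demo function hashes a constructed file, not a sample.

```python
import hashlib
import os
import re
import tempfile
from collections import Counter

# Constructed subset of the Files section above, in the report's own layout.
SAMPLE_FILES = r"""
memory/3172-0-0x00007FF792F50000-0x00007FF7932A4000-memory.dmp

memory/3172-1-0x0000026023DE0000-0x0000026023DF0000-memory.dmp

C:\Windows\System\MzpecYg.exe

MD5 99c7cd74b3364a40dba3427c22b74a2d
SHA1 6d8df3ca3f6a9bfffb1e6f94f1de32305fa817f0
SHA256 51d61965504d85a049a2dde84741973cd9981aa73d9c662ba796bf8b4ba2b3c9
SHA512 bcb5770daeb2d4f4f4039580041e25061ae7adbd5dc13e2920d561767e149a0211ce1af29635db0f59d1d1b35bcd30f40a74bdc149b056a47c04132e1223c73f

C:\Windows\System\NocYQqb.exe

MD5 887c744d94829305b6e7087afb68254a
SHA1 887b7e40ec4dc882d1115fd7d161d7f909f3706e
SHA256 12681cbf44f931b077bb13b4ab211646969d6bf3f8157485f9402256672e247f
SHA512 0e082843da914c6b2f3953ddecc10c22a39c3c4c5318338653549e0e0971cee72c659032382a128055bc1df2ad9643b9694f3a1dd11676c490f0bbf63801a75e

memory/3252-20-0x00007FF6FC200000-0x00007FF6FC554000-memory.dmp

memory/4752-8-0x00007FF680460000-0x00007FF6807B4000-memory.dmp
"""

DUMP_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512) (\S+)$")
HEX_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}


def parse_files_section(text):
    """Return ({path: {algo: hexdigest}}, [(pid, seq, start, end)])."""
    artifacts, dumps, current = {}, [], None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if m := DUMP_RE.match(line):
            pid, seq, start, end = m.groups()
            dumps.append((int(pid), int(seq), int(start, 16), int(end, 16)))
            current = None
        elif m := HASH_RE.match(line):
            if current is None:
                raise ValueError(f"digest line without a preceding path: {line}")
            artifacts[current][m.group(1)] = m.group(2).lower()
        else:
            current = line  # a bare path opens a new artifact stanza
            artifacts.setdefault(current, {})
    return artifacts, dumps


def validate_hashes(artifacts):
    """List (path, algo, reason) for digests that are not well-formed hex of the right length."""
    bad = []
    for path, digests in artifacts.items():
        for algo, hexd in digests.items():
            if len(hexd) != HEX_LEN[algo] or not re.fullmatch(r"[0-9a-f]+", hexd):
                bad.append((path, algo, f"got {len(hexd)} chars"))
    return bad


def region_sizes(dumps):
    """Count dumped regions by byte size; one size repeated across PIDs hints at one image."""
    return Counter(end - start for _, _, start, end in dumps)


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def match_local_files(directory, artifacts):
    """Hash every file under directory; return {local_path: reported_path} for SHA256 hits."""
    wanted = {d["SHA256"]: p for p, d in artifacts.items() if "SHA256" in d}
    hits = {}
    for root, _, names in os.walk(directory):
        for name in names:
            full = os.path.join(root, name)
            digest = sha256_of(full)
            if digest in wanted:
                hits[full] = wanted[digest]
    return hits


def demo_local_match():
    """Self-check on a constructed file (not malware); True if the scanner reports it."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "hit.exe")
        data = b"constructed test content, not a sample"
        with open(path, "wb") as f:
            f.write(data)
        fake = {r"C:\Windows\System\constructed.exe": {"SHA256": hashlib.sha256(data).hexdigest()}}
        return match_local_files(d, fake) == {path: r"C:\Windows\System\constructed.exe"}
```

To use it on a real report, paste the whole Files section into parse_files_section, point match_local_files at a mounted image or a collected C:\Windows\System, and treat any hit on the listed SHA256 values as a confirmed artifact; the MD5 and SHA1 columns are kept only for matching against older feeds.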