Malware Analysis Report

2025-01-06 15:58

Sample ID 240525-sswv4shd52
Target 2024-05-25_77b0eeffdcde9e87823dfdde0e436d7b_cobalt-strike_cobaltstrike
SHA256 1175fe857654c399c724e4e19074290bd75dc133f9bbc8460e979ee9972fd37d
Tags
miner upx 0 xmrig cobaltstrike backdoor trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

1175fe857654c399c724e4e19074290bd75dc133f9bbc8460e979ee9972fd37d

Threat Level: Known bad

The file 2024-05-25_77b0eeffdcde9e87823dfdde0e436d7b_cobalt-strike_cobaltstrike was found to be: Known bad.

Malicious Activity Summary

miner upx 0 xmrig cobaltstrike backdoor trojan

Cobaltstrike family

XMRig Miner payload

Detects Reflective DLL injection artifacts

Cobaltstrike

Cobalt Strike reflective loader

xmrig

Xmrig family

UPX dump on OEP (original entry point)

Loads dropped DLL

UPX packed file

Executes dropped EXE

Drops file in Windows directory

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-05-25 15:23

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike family

cobaltstrike

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Xmrig family

xmrig

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-25 15:23

Reported

2024-05-25 15:26

Platform

win7-20240220-en

Max time kernel

137s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-05-25_77b0eeffdcde9e87823dfdde0e436d7b_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-25_77b0eeffdcde9e87823dfdde0e436d7b_cobalt-strike_cobaltstrike.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\uDouGko.exe C:\Users\Admin\AppData\Local\Temp\2024-05-25_77b0eeffdcde9e87823dfdde0e436d7b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\YGWcFal.exe C:\Users\Admin\AppData\Local\Temp\2024-05-25_77b0eeffdcde9e87823dfdde0e436d7b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\KoiIMsS.exe C:\Users\Admin\AppData\Local\Temp\2024-05-25_77b0eeffdcde9e87823dfdde0e436d7b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\kATeXYu.exe C:\Users\Admin\AppData\Local\Temp\2024-05-25_77b0eeffdcde9e87823dfdde0e436d7b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\RsEBWBt.exe C:\Users\Admin\AppData\Local\Temp\2024-05-25_77b0eeffdcde9e87823dfdde0e436d7b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\fBxdPJS.exe C:\Users\Admin\AppData\Local\Temp\2024-05-25_77b0eeffdcde9e87823dfdde0e436d7b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\yqqWoLC.exe C:\Users\Admin\AppData\Local\Temp\2024-05-25_77b0eeffdcde9e87823dfdde0e436d7b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\xKgwMmp.exe C:\Users\Admin\AppData\Local\Temp\2024-05-25_77b0eeffdcde9e87823dfdde0e436d7b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\TSlYYsY.exe C:\Users\Admin\AppData\Local\Temp\2024-05-25_77b0eeffdcde9e87823dfdde0e436d7b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\HMjHqSa.exe C:\Users\Admin\AppData\Local\Temp\2024-05-25_77b0eeffdcde9e87823dfdde0e436d7b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\hCLhjfu.exe C:\Users\Admin\AppData\Local\Temp\2024-05-25_77b0eeffdcde9e87823dfdde0e436d7b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\TOJtNiW.exe C:\Users\Admin\AppData\Local\Temp\2024-05-25_77b0eeffdcde9e87823dfdde0e436d7b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\jSzFnew.exe C:\Users\Admin\AppData\Local\Temp\2024-05-25_77b0eeffdcde9e87823dfdde0e436d7b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\sKCvpEm.exe C:\Users\Admin\AppData\Local\Temp\2024-05-25_77b0eeffdcde9e87823dfdde0e436d7b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\FmBorrD.exe C:\Users\Admin\AppData\Local\Temp\2024-05-25_77b0eeffdcde9e87823dfdde0e436d7b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\Ferzrsc.exe C:\Users\Admin\AppData\Local\Temp\2024-05-25_77b0eeffdcde9e87823dfdde0e436d7b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\nsKZNpf.exe C:\Users\Admin\AppData\Local\Temp\2024-05-25_77b0eeffdcde9e87823dfdde0e436d7b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\qNYOfPQ.exe C:\Users\Admin\AppData\Local\Temp\2024-05-25_77b0eeffdcde9e87823dfdde0e436d7b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\XgKcGTS.exe C:\Users\Admin\AppData\Local\Temp\2024-05-25_77b0eeffdcde9e87823dfdde0e436d7b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\frJgmoA.exe C:\Users\Admin\AppData\Local\Temp\2024-05-25_77b0eeffdcde9e87823dfdde0e436d7b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\RkFoZqO.exe C:\Users\Admin\AppData\Local\Temp\2024-05-25_77b0eeffdcde9e87823dfdde0e436d7b_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-05-25_77b0eeffdcde9e87823dfdde0e436d7b_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1636 wrote to memory of 2968 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-25_77b0eeffdcde9e87823dfdde0e436d7b_cobalt-strike_cobaltstrike.exe C:\Windows\System\nsKZNpf.exe
PID 1636 wrote to memory of 2036 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-25_77b0eeffdcde9e87823dfdde0e436d7b_cobalt-strike_cobaltstrike.exe C:\Windows\System\uDouGko.exe
PID 1636 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-25_77b0eeffdcde9e87823dfdde0e436d7b_cobalt-strike_cobaltstrike.exe C:\Windows\System\YGWcFal.exe
PID 1636 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-25_77b0eeffdcde9e87823dfdde0e436d7b_cobalt-strike_cobaltstrike.exe C:\Windows\System\qNYOfPQ.exe
PID 1636 wrote to memory of 2380 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-25_77b0eeffdcde9e87823dfdde0e436d7b_cobalt-strike_cobaltstrike.exe C:\Windows\System\fBxdPJS.exe
PID 1636 wrote to memory of 892 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-25_77b0eeffdcde9e87823dfdde0e436d7b_cobalt-strike_cobaltstrike.exe C:\Windows\System\KoiIMsS.exe
PID 1636 wrote to memory of 2732 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-25_77b0eeffdcde9e87823dfdde0e436d7b_cobalt-strike_cobaltstrike.exe C:\Windows\System\hCLhjfu.exe
PID 1636 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-25_77b0eeffdcde9e87823dfdde0e436d7b_cobalt-strike_cobaltstrike.exe C:\Windows\System\XgKcGTS.exe
PID 1636 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-25_77b0eeffdcde9e87823dfdde0e436d7b_cobalt-strike_cobaltstrike.exe C:\Windows\System\kATeXYu.exe
PID 1636 wrote to memory of 1876 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-25_77b0eeffdcde9e87823dfdde0e436d7b_cobalt-strike_cobaltstrike.exe C:\Windows\System\yqqWoLC.exe
PID 1636 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-25_77b0eeffdcde9e87823dfdde0e436d7b_cobalt-strike_cobaltstrike.exe C:\Windows\System\frJgmoA.exe
PID 1636 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-25_77b0eeffdcde9e87823dfdde0e436d7b_cobalt-strike_cobaltstrike.exe C:\Windows\System\RkFoZqO.exe
PID 1636 wrote to memory of 1616 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-25_77b0eeffdcde9e87823dfdde0e436d7b_cobalt-strike_cobaltstrike.exe C:\Windows\System\RsEBWBt.exe
PID 1636 wrote to memory of 272 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-25_77b0eeffdcde9e87823dfdde0e436d7b_cobalt-strike_cobaltstrike.exe C:\Windows\System\FmBorrD.exe
PID 1636 wrote to memory of 320 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-25_77b0eeffdcde9e87823dfdde0e436d7b_cobalt-strike_cobaltstrike.exe C:\Windows\System\Ferzrsc.exe
PID 1636 wrote to memory of 1648 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-25_77b0eeffdcde9e87823dfdde0e436d7b_cobalt-strike_cobaltstrike.exe C:\Windows\System\TOJtNiW.exe
PID 1636 wrote to memory of 1904 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-25_77b0eeffdcde9e87823dfdde0e436d7b_cobalt-strike_cobaltstrike.exe C:\Windows\System\jSzFnew.exe
PID 1636 wrote to memory of 1728 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-25_77b0eeffdcde9e87823dfdde0e436d7b_cobalt-strike_cobaltstrike.exe C:\Windows\System\sKCvpEm.exe
PID 1636 wrote to memory of 1932 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-25_77b0eeffdcde9e87823dfdde0e436d7b_cobalt-strike_cobaltstrike.exe C:\Windows\System\xKgwMmp.exe
PID 1636 wrote to memory of 292 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-25_77b0eeffdcde9e87823dfdde0e436d7b_cobalt-strike_cobaltstrike.exe C:\Windows\System\TSlYYsY.exe
PID 1636 wrote to memory of 2776 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-25_77b0eeffdcde9e87823dfdde0e436d7b_cobalt-strike_cobaltstrike.exe C:\Windows\System\HMjHqSa.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-05-25_77b0eeffdcde9e87823dfdde0e436d7b_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-05-25_77b0eeffdcde9e87823dfdde0e436d7b_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\nsKZNpf.exe

C:\Windows\System\nsKZNpf.exe

C:\Windows\System\uDouGko.exe

C:\Windows\System\uDouGko.exe

C:\Windows\System\YGWcFal.exe

C:\Windows\System\YGWcFal.exe

C:\Windows\System\qNYOfPQ.exe

C:\Windows\System\qNYOfPQ.exe

C:\Windows\System\fBxdPJS.exe

C:\Windows\System\fBxdPJS.exe

C:\Windows\System\KoiIMsS.exe

C:\Windows\System\KoiIMsS.exe

C:\Windows\System\hCLhjfu.exe

C:\Windows\System\hCLhjfu.exe

C:\Windows\System\XgKcGTS.exe

C:\Windows\System\XgKcGTS.exe

C:\Windows\System\kATeXYu.exe

C:\Windows\System\kATeXYu.exe

C:\Windows\System\yqqWoLC.exe

C:\Windows\System\yqqWoLC.exe

C:\Windows\System\frJgmoA.exe

C:\Windows\System\frJgmoA.exe

C:\Windows\System\RkFoZqO.exe

C:\Windows\System\RkFoZqO.exe

C:\Windows\System\RsEBWBt.exe

C:\Windows\System\RsEBWBt.exe

C:\Windows\System\FmBorrD.exe

C:\Windows\System\FmBorrD.exe

C:\Windows\System\Ferzrsc.exe

C:\Windows\System\Ferzrsc.exe

C:\Windows\System\TOJtNiW.exe

C:\Windows\System\TOJtNiW.exe

C:\Windows\System\jSzFnew.exe

C:\Windows\System\jSzFnew.exe

C:\Windows\System\sKCvpEm.exe

C:\Windows\System\sKCvpEm.exe

C:\Windows\System\xKgwMmp.exe

C:\Windows\System\xKgwMmp.exe

C:\Windows\System\TSlYYsY.exe

C:\Windows\System\TSlYYsY.exe

C:\Windows\System\HMjHqSa.exe

C:\Windows\System\HMjHqSa.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 tcp

Files

\Windows\system\nsKZNpf.exe

C:\Windows\system\qNYOfPQ.exe

\Windows\system\uDouGko.exe

C:\Windows\system\YGWcFal.exe

C:\Windows\system\KoiIMsS.exe

C:\Windows\system\fBxdPJS.exe

C:\Windows\system\hCLhjfu.exe

\Windows\system\XgKcGTS.exe

C:\Windows\system\kATeXYu.exe

C:\Windows\system\yqqWoLC.exe

\Windows\system\frJgmoA.exe

C:\Windows\system\RkFoZqO.exe

\Windows\system\RsEBWBt.exe

\Windows\system\xKgwMmp.exe

C:\Windows\system\FmBorrD.exe

C:\Windows\system\jSzFnew.exe

C:\Windows\system\TSlYYsY.exe

C:\Windows\system\sKCvpEm.exe

C:\Windows\system\TOJtNiW.exe

C:\Windows\system\Ferzrsc.exe

\Windows\system\HMjHqSa.exe

memory/2380-102-0x000000013F360000-0x000000013F6B4000-memory.dmp

memory/1616-96-0x000000013F280000-0x000000013F5D4000-memory.dmp

memory/1636-92-0x000000013F280000-0x000000013F5D4000-memory.dmp

memory/1636-138-0x000000013FFB0000-0x0000000140304000-memory.dmp

memory/1636-139-0x00000000023E0000-0x0000000002734000-memory.dmp

memory/1636-140-0x000000013F0E0000-0x000000013F434000-memory.dmp

memory/1616-141-0x000000013F280000-0x000000013F5D4000-memory.dmp

memory/1636-142-0x000000013FFA0000-0x00000001402F4000-memory.dmp

memory/2968-143-0x000000013FC80000-0x000000013FFD4000-memory.dmp

memory/2572-144-0x000000013F540000-0x000000013F894000-memory.dmp

memory/2036-145-0x000000013FAA0000-0x000000013FDF4000-memory.dmp

memory/2820-146-0x000000013F590000-0x000000013F8E4000-memory.dmp

memory/2380-147-0x000000013F360000-0x000000013F6B4000-memory.dmp

memory/892-148-0x000000013F480000-0x000000013F7D4000-memory.dmp

memory/2732-149-0x000000013FFB0000-0x0000000140304000-memory.dmp

memory/2672-150-0x000000013F100000-0x000000013F454000-memory.dmp

memory/2668-151-0x000000013F930000-0x000000013FC84000-memory.dmp

memory/1876-152-0x000000013F490000-0x000000013F7E4000-memory.dmp

memory/2596-153-0x000000013F0E0000-0x000000013F434000-memory.dmp

memory/2756-154-0x000000013FFA0000-0x00000001402F4000-memory.dmp

memory/1616-155-0x000000013F280000-0x000000013F5D4000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-25 15:23

Reported

2024-05-25 15:26

Platform

win10v2004-20240508-en

Max time kernel

147s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-05-25_77b0eeffdcde9e87823dfdde0e436d7b_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\kugObyK.exe C:\Users\Admin\AppData\Local\Temp\2024-05-25_77b0eeffdcde9e87823dfdde0e436d7b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\xSiEPXl.exe C:\Users\Admin\AppData\Local\Temp\2024-05-25_77b0eeffdcde9e87823dfdde0e436d7b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\hUYOJqt.exe C:\Users\Admin\AppData\Local\Temp\2024-05-25_77b0eeffdcde9e87823dfdde0e436d7b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\sHrCOTL.exe C:\Users\Admin\AppData\Local\Temp\2024-05-25_77b0eeffdcde9e87823dfdde0e436d7b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\htzPFrg.exe C:\Users\Admin\AppData\Local\Temp\2024-05-25_77b0eeffdcde9e87823dfdde0e436d7b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\xpaPJRI.exe C:\Users\Admin\AppData\Local\Temp\2024-05-25_77b0eeffdcde9e87823dfdde0e436d7b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\wEUCMeH.exe C:\Users\Admin\AppData\Local\Temp\2024-05-25_77b0eeffdcde9e87823dfdde0e436d7b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\YMRBiuh.exe C:\Users\Admin\AppData\Local\Temp\2024-05-25_77b0eeffdcde9e87823dfdde0e436d7b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\RgWfLoC.exe C:\Users\Admin\AppData\Local\Temp\2024-05-25_77b0eeffdcde9e87823dfdde0e436d7b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\jKRYFqn.exe C:\Users\Admin\AppData\Local\Temp\2024-05-25_77b0eeffdcde9e87823dfdde0e436d7b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\NfjKOhf.exe C:\Users\Admin\AppData\Local\Temp\2024-05-25_77b0eeffdcde9e87823dfdde0e436d7b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ixufXpA.exe C:\Users\Admin\AppData\Local\Temp\2024-05-25_77b0eeffdcde9e87823dfdde0e436d7b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\EyZarqw.exe C:\Users\Admin\AppData\Local\Temp\2024-05-25_77b0eeffdcde9e87823dfdde0e436d7b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\uGqrscQ.exe C:\Users\Admin\AppData\Local\Temp\2024-05-25_77b0eeffdcde9e87823dfdde0e436d7b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\CpSOrkW.exe C:\Users\Admin\AppData\Local\Temp\2024-05-25_77b0eeffdcde9e87823dfdde0e436d7b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\QhQRwGu.exe C:\Users\Admin\AppData\Local\Temp\2024-05-25_77b0eeffdcde9e87823dfdde0e436d7b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\LtudMsO.exe C:\Users\Admin\AppData\Local\Temp\2024-05-25_77b0eeffdcde9e87823dfdde0e436d7b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\CjBvHRl.exe C:\Users\Admin\AppData\Local\Temp\2024-05-25_77b0eeffdcde9e87823dfdde0e436d7b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\RCtDZhW.exe C:\Users\Admin\AppData\Local\Temp\2024-05-25_77b0eeffdcde9e87823dfdde0e436d7b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\kRJkmZK.exe C:\Users\Admin\AppData\Local\Temp\2024-05-25_77b0eeffdcde9e87823dfdde0e436d7b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\eKRcJgC.exe C:\Users\Admin\AppData\Local\Temp\2024-05-25_77b0eeffdcde9e87823dfdde0e436d7b_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-05-25_77b0eeffdcde9e87823dfdde0e436d7b_cobalt-strike_cobaltstrike.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-05-25_77b0eeffdcde9e87823dfdde0e436d7b_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2124 wrote to memory of 3400 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-25_77b0eeffdcde9e87823dfdde0e436d7b_cobalt-strike_cobaltstrike.exe C:\Windows\System\xpaPJRI.exe
PID 2124 wrote to memory of 3400 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-25_77b0eeffdcde9e87823dfdde0e436d7b_cobalt-strike_cobaltstrike.exe C:\Windows\System\xpaPJRI.exe
PID 2124 wrote to memory of 3340 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-25_77b0eeffdcde9e87823dfdde0e436d7b_cobalt-strike_cobaltstrike.exe C:\Windows\System\wEUCMeH.exe
PID 2124 wrote to memory of 3340 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-25_77b0eeffdcde9e87823dfdde0e436d7b_cobalt-strike_cobaltstrike.exe C:\Windows\System\wEUCMeH.exe
PID 2124 wrote to memory of 904 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-25_77b0eeffdcde9e87823dfdde0e436d7b_cobalt-strike_cobaltstrike.exe C:\Windows\System\QhQRwGu.exe
PID 2124 wrote to memory of 904 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-25_77b0eeffdcde9e87823dfdde0e436d7b_cobalt-strike_cobaltstrike.exe C:\Windows\System\QhQRwGu.exe
PID 2124 wrote to memory of 4348 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-25_77b0eeffdcde9e87823dfdde0e436d7b_cobalt-strike_cobaltstrike.exe C:\Windows\System\YMRBiuh.exe
PID 2124 wrote to memory of 4348 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-25_77b0eeffdcde9e87823dfdde0e436d7b_cobalt-strike_cobaltstrike.exe C:\Windows\System\YMRBiuh.exe
PID 2124 wrote to memory of 436 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-25_77b0eeffdcde9e87823dfdde0e436d7b_cobalt-strike_cobaltstrike.exe C:\Windows\System\kugObyK.exe
PID 2124 wrote to memory of 436 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-25_77b0eeffdcde9e87823dfdde0e436d7b_cobalt-strike_cobaltstrike.exe C:\Windows\System\kugObyK.exe
PID 2124 wrote to memory of 2732 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-25_77b0eeffdcde9e87823dfdde0e436d7b_cobalt-strike_cobaltstrike.exe C:\Windows\System\RgWfLoC.exe
PID 2124 wrote to memory of 2732 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-25_77b0eeffdcde9e87823dfdde0e436d7b_cobalt-strike_cobaltstrike.exe C:\Windows\System\RgWfLoC.exe
PID 2124 wrote to memory of 3240 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-25_77b0eeffdcde9e87823dfdde0e436d7b_cobalt-strike_cobaltstrike.exe C:\Windows\System\LtudMsO.exe
PID 2124 wrote to memory of 3240 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-25_77b0eeffdcde9e87823dfdde0e436d7b_cobalt-strike_cobaltstrike.exe C:\Windows\System\LtudMsO.exe
PID 2124 wrote to memory of 4140 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-25_77b0eeffdcde9e87823dfdde0e436d7b_cobalt-strike_cobaltstrike.exe C:\Windows\System\jKRYFqn.exe
PID 2124 wrote to memory of 4140 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-25_77b0eeffdcde9e87823dfdde0e436d7b_cobalt-strike_cobaltstrike.exe C:\Windows\System\jKRYFqn.exe
PID 2124 wrote to memory of 1140 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-25_77b0eeffdcde9e87823dfdde0e436d7b_cobalt-strike_cobaltstrike.exe C:\Windows\System\ixufXpA.exe
PID 2124 wrote to memory of 1140 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-25_77b0eeffdcde9e87823dfdde0e436d7b_cobalt-strike_cobaltstrike.exe C:\Windows\System\ixufXpA.exe
PID 2124 wrote to memory of 4540 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-25_77b0eeffdcde9e87823dfdde0e436d7b_cobalt-strike_cobaltstrike.exe C:\Windows\System\xSiEPXl.exe
PID 2124 wrote to memory of 4540 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-25_77b0eeffdcde9e87823dfdde0e436d7b_cobalt-strike_cobaltstrike.exe C:\Windows\System\xSiEPXl.exe
PID 2124 wrote to memory of 4628 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-25_77b0eeffdcde9e87823dfdde0e436d7b_cobalt-strike_cobaltstrike.exe C:\Windows\System\CjBvHRl.exe
PID 2124 wrote to memory of 4628 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-25_77b0eeffdcde9e87823dfdde0e436d7b_cobalt-strike_cobaltstrike.exe C:\Windows\System\CjBvHRl.exe
PID 2124 wrote to memory of 1860 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-25_77b0eeffdcde9e87823dfdde0e436d7b_cobalt-strike_cobaltstrike.exe C:\Windows\System\RCtDZhW.exe
PID 2124 wrote to memory of 1860 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-25_77b0eeffdcde9e87823dfdde0e436d7b_cobalt-strike_cobaltstrike.exe C:\Windows\System\RCtDZhW.exe
PID 2124 wrote to memory of 2864 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-25_77b0eeffdcde9e87823dfdde0e436d7b_cobalt-strike_cobaltstrike.exe C:\Windows\System\kRJkmZK.exe
PID 2124 wrote to memory of 2864 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-25_77b0eeffdcde9e87823dfdde0e436d7b_cobalt-strike_cobaltstrike.exe C:\Windows\System\kRJkmZK.exe
PID 2124 wrote to memory of 4796 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-25_77b0eeffdcde9e87823dfdde0e436d7b_cobalt-strike_cobaltstrike.exe C:\Windows\System\eKRcJgC.exe
PID 2124 wrote to memory of 4796 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-25_77b0eeffdcde9e87823dfdde0e436d7b_cobalt-strike_cobaltstrike.exe C:\Windows\System\eKRcJgC.exe
PID 2124 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-25_77b0eeffdcde9e87823dfdde0e436d7b_cobalt-strike_cobaltstrike.exe C:\Windows\System\uGqrscQ.exe
PID 2124 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-25_77b0eeffdcde9e87823dfdde0e436d7b_cobalt-strike_cobaltstrike.exe C:\Windows\System\uGqrscQ.exe
PID 2124 wrote to memory of 4612 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-25_77b0eeffdcde9e87823dfdde0e436d7b_cobalt-strike_cobaltstrike.exe C:\Windows\System\CpSOrkW.exe
PID 2124 wrote to memory of 4612 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-25_77b0eeffdcde9e87823dfdde0e436d7b_cobalt-strike_cobaltstrike.exe C:\Windows\System\CpSOrkW.exe
PID 2124 wrote to memory of 1096 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-25_77b0eeffdcde9e87823dfdde0e436d7b_cobalt-strike_cobaltstrike.exe C:\Windows\System\hUYOJqt.exe
PID 2124 wrote to memory of 1096 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-25_77b0eeffdcde9e87823dfdde0e436d7b_cobalt-strike_cobaltstrike.exe C:\Windows\System\hUYOJqt.exe
PID 2124 wrote to memory of 1384 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-25_77b0eeffdcde9e87823dfdde0e436d7b_cobalt-strike_cobaltstrike.exe C:\Windows\System\sHrCOTL.exe
PID 2124 wrote to memory of 1384 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-25_77b0eeffdcde9e87823dfdde0e436d7b_cobalt-strike_cobaltstrike.exe C:\Windows\System\sHrCOTL.exe
PID 2124 wrote to memory of 4968 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-25_77b0eeffdcde9e87823dfdde0e436d7b_cobalt-strike_cobaltstrike.exe C:\Windows\System\EyZarqw.exe
PID 2124 wrote to memory of 4968 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-25_77b0eeffdcde9e87823dfdde0e436d7b_cobalt-strike_cobaltstrike.exe C:\Windows\System\EyZarqw.exe
PID 2124 wrote to memory of 4960 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-25_77b0eeffdcde9e87823dfdde0e436d7b_cobalt-strike_cobaltstrike.exe C:\Windows\System\NfjKOhf.exe
PID 2124 wrote to memory of 4960 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-25_77b0eeffdcde9e87823dfdde0e436d7b_cobalt-strike_cobaltstrike.exe C:\Windows\System\NfjKOhf.exe
PID 2124 wrote to memory of 4424 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-25_77b0eeffdcde9e87823dfdde0e436d7b_cobalt-strike_cobaltstrike.exe C:\Windows\System\htzPFrg.exe
PID 2124 wrote to memory of 4424 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-25_77b0eeffdcde9e87823dfdde0e436d7b_cobalt-strike_cobaltstrike.exe C:\Windows\System\htzPFrg.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-05-25_77b0eeffdcde9e87823dfdde0e436d7b_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-05-25_77b0eeffdcde9e87823dfdde0e436d7b_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\xpaPJRI.exe

C:\Windows\System\xpaPJRI.exe

C:\Windows\System\wEUCMeH.exe

C:\Windows\System\wEUCMeH.exe

C:\Windows\System\QhQRwGu.exe

C:\Windows\System\QhQRwGu.exe

C:\Windows\System\YMRBiuh.exe

C:\Windows\System\YMRBiuh.exe

C:\Windows\System\kugObyK.exe

C:\Windows\System\kugObyK.exe

C:\Windows\System\RgWfLoC.exe

C:\Windows\System\RgWfLoC.exe

C:\Windows\System\LtudMsO.exe

C:\Windows\System\LtudMsO.exe

C:\Windows\System\jKRYFqn.exe

C:\Windows\System\jKRYFqn.exe

C:\Windows\System\ixufXpA.exe

C:\Windows\System\ixufXpA.exe

C:\Windows\System\xSiEPXl.exe

C:\Windows\System\xSiEPXl.exe

C:\Windows\System\CjBvHRl.exe

C:\Windows\System\CjBvHRl.exe

C:\Windows\System\RCtDZhW.exe

C:\Windows\System\RCtDZhW.exe

C:\Windows\System\kRJkmZK.exe

C:\Windows\System\kRJkmZK.exe

C:\Windows\System\eKRcJgC.exe

C:\Windows\System\eKRcJgC.exe

C:\Windows\System\uGqrscQ.exe

C:\Windows\System\uGqrscQ.exe

C:\Windows\System\CpSOrkW.exe

C:\Windows\System\CpSOrkW.exe

C:\Windows\System\hUYOJqt.exe

C:\Windows\System\hUYOJqt.exe

C:\Windows\System\sHrCOTL.exe

C:\Windows\System\sHrCOTL.exe

C:\Windows\System\EyZarqw.exe

C:\Windows\System\EyZarqw.exe

C:\Windows\System\NfjKOhf.exe

C:\Windows\System\NfjKOhf.exe

C:\Windows\System\htzPFrg.exe

C:\Windows\System\htzPFrg.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 32.251.17.2.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 99.58.20.217.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp

Files
