Malware Analysis Report

2025-01-06 16:08

Sample ID 240525-staz2ahd59
Target 2024-05-25_84d2357a214a103f01e61d50a7fe8df2_cobalt-strike_cobaltstrike
SHA256 3e9c816833879bb1fc7c1c3aeb66b87d9d613c80768ce8a10a4c78e6fc571751
Tags
miner upx 0 xmrig cobaltstrike backdoor trojan
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

score
10/10

SHA256

3e9c816833879bb1fc7c1c3aeb66b87d9d613c80768ce8a10a4c78e6fc571751

Threat Level: Known bad

The file 2024-05-25_84d2357a214a103f01e61d50a7fe8df2_cobalt-strike_cobaltstrike was found to be: Known bad.

Malicious Activity Summary

miner upx 0 xmrig cobaltstrike backdoor trojan

Cobalt Strike reflective loader

UPX dump on OEP (original entry point)

xmrig

Detects Reflective DLL injection artifacts

Cobaltstrike

Cobaltstrike family

Xmrig family

XMRig Miner payload

UPX packed file

Loads dropped DLL

Executes dropped EXE

Drops file in Windows directory

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-05-25 15:24

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike family

cobaltstrike

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Xmrig family

xmrig

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-25 15:24

Reported

2024-05-25 15:27

Platform

win7-20240508-en

Max time kernel

145s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-05-25_84d2357a214a103f01e61d50a7fe8df2_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A
(21 identical rows; no description, indicator, process or target recorded for these hits)

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A
(21 identical rows; no description, indicator, process or target recorded for these hits)

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A
(61 identical rows; no description, indicator, process or target recorded for these hits)

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
(64 identical rows; no description, indicator, process or target recorded for these hits)

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-25_84d2357a214a103f01e61d50a7fe8df2_cobalt-strike_cobaltstrike.exe N/A
(21 identical rows; only the loading process is recorded, the loaded DLL is not named)

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
(61 identical rows; no description, indicator, process or target recorded for these hits)

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\SzmouWp.exe C:\Users\Admin\AppData\Local\Temp\2024-05-25_84d2357a214a103f01e61d50a7fe8df2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\knPBEaK.exe C:\Users\Admin\AppData\Local\Temp\2024-05-25_84d2357a214a103f01e61d50a7fe8df2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\IjICirB.exe C:\Users\Admin\AppData\Local\Temp\2024-05-25_84d2357a214a103f01e61d50a7fe8df2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\snTBEyo.exe C:\Users\Admin\AppData\Local\Temp\2024-05-25_84d2357a214a103f01e61d50a7fe8df2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\XJrPdqZ.exe C:\Users\Admin\AppData\Local\Temp\2024-05-25_84d2357a214a103f01e61d50a7fe8df2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\zDLXPXR.exe C:\Users\Admin\AppData\Local\Temp\2024-05-25_84d2357a214a103f01e61d50a7fe8df2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\nSMMBrF.exe C:\Users\Admin\AppData\Local\Temp\2024-05-25_84d2357a214a103f01e61d50a7fe8df2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\UFVYNfu.exe C:\Users\Admin\AppData\Local\Temp\2024-05-25_84d2357a214a103f01e61d50a7fe8df2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ITdtBIL.exe C:\Users\Admin\AppData\Local\Temp\2024-05-25_84d2357a214a103f01e61d50a7fe8df2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\PgKYNEa.exe C:\Users\Admin\AppData\Local\Temp\2024-05-25_84d2357a214a103f01e61d50a7fe8df2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\xLYTlex.exe C:\Users\Admin\AppData\Local\Temp\2024-05-25_84d2357a214a103f01e61d50a7fe8df2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\gBMCSnM.exe C:\Users\Admin\AppData\Local\Temp\2024-05-25_84d2357a214a103f01e61d50a7fe8df2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\YdbtKnh.exe C:\Users\Admin\AppData\Local\Temp\2024-05-25_84d2357a214a103f01e61d50a7fe8df2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\asRlCwC.exe C:\Users\Admin\AppData\Local\Temp\2024-05-25_84d2357a214a103f01e61d50a7fe8df2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\dryzaVp.exe C:\Users\Admin\AppData\Local\Temp\2024-05-25_84d2357a214a103f01e61d50a7fe8df2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ATNeSvg.exe C:\Users\Admin\AppData\Local\Temp\2024-05-25_84d2357a214a103f01e61d50a7fe8df2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\iBKVGWJ.exe C:\Users\Admin\AppData\Local\Temp\2024-05-25_84d2357a214a103f01e61d50a7fe8df2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\GlaqWjO.exe C:\Users\Admin\AppData\Local\Temp\2024-05-25_84d2357a214a103f01e61d50a7fe8df2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\KehCghC.exe C:\Users\Admin\AppData\Local\Temp\2024-05-25_84d2357a214a103f01e61d50a7fe8df2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\jRJZJoe.exe C:\Users\Admin\AppData\Local\Temp\2024-05-25_84d2357a214a103f01e61d50a7fe8df2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\jYxAXsN.exe C:\Users\Admin\AppData\Local\Temp\2024-05-25_84d2357a214a103f01e61d50a7fe8df2_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-05-25_84d2357a214a103f01e61d50a7fe8df2_cobalt-strike_cobaltstrike.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-05-25_84d2357a214a103f01e61d50a7fe8df2_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2416 wrote to memory of 2060 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-25_84d2357a214a103f01e61d50a7fe8df2_cobalt-strike_cobaltstrike.exe C:\Windows\System\UFVYNfu.exe
PID 2416 wrote to memory of 2060 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-25_84d2357a214a103f01e61d50a7fe8df2_cobalt-strike_cobaltstrike.exe C:\Windows\System\UFVYNfu.exe
PID 2416 wrote to memory of 2060 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-25_84d2357a214a103f01e61d50a7fe8df2_cobalt-strike_cobaltstrike.exe C:\Windows\System\UFVYNfu.exe
PID 2416 wrote to memory of 3004 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-25_84d2357a214a103f01e61d50a7fe8df2_cobalt-strike_cobaltstrike.exe C:\Windows\System\ITdtBIL.exe
PID 2416 wrote to memory of 3004 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-25_84d2357a214a103f01e61d50a7fe8df2_cobalt-strike_cobaltstrike.exe C:\Windows\System\ITdtBIL.exe
PID 2416 wrote to memory of 3004 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-25_84d2357a214a103f01e61d50a7fe8df2_cobalt-strike_cobaltstrike.exe C:\Windows\System\ITdtBIL.exe
PID 2416 wrote to memory of 3052 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-25_84d2357a214a103f01e61d50a7fe8df2_cobalt-strike_cobaltstrike.exe C:\Windows\System\asRlCwC.exe
PID 2416 wrote to memory of 3052 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-25_84d2357a214a103f01e61d50a7fe8df2_cobalt-strike_cobaltstrike.exe C:\Windows\System\asRlCwC.exe
PID 2416 wrote to memory of 3052 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-25_84d2357a214a103f01e61d50a7fe8df2_cobalt-strike_cobaltstrike.exe C:\Windows\System\asRlCwC.exe
PID 2416 wrote to memory of 2736 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-25_84d2357a214a103f01e61d50a7fe8df2_cobalt-strike_cobaltstrike.exe C:\Windows\System\SzmouWp.exe
PID 2416 wrote to memory of 2736 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-25_84d2357a214a103f01e61d50a7fe8df2_cobalt-strike_cobaltstrike.exe C:\Windows\System\SzmouWp.exe
PID 2416 wrote to memory of 2736 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-25_84d2357a214a103f01e61d50a7fe8df2_cobalt-strike_cobaltstrike.exe C:\Windows\System\SzmouWp.exe
PID 2416 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-25_84d2357a214a103f01e61d50a7fe8df2_cobalt-strike_cobaltstrike.exe C:\Windows\System\knPBEaK.exe
PID 2416 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-25_84d2357a214a103f01e61d50a7fe8df2_cobalt-strike_cobaltstrike.exe C:\Windows\System\knPBEaK.exe
PID 2416 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-25_84d2357a214a103f01e61d50a7fe8df2_cobalt-strike_cobaltstrike.exe C:\Windows\System\knPBEaK.exe
PID 2416 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-25_84d2357a214a103f01e61d50a7fe8df2_cobalt-strike_cobaltstrike.exe C:\Windows\System\PgKYNEa.exe
PID 2416 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-25_84d2357a214a103f01e61d50a7fe8df2_cobalt-strike_cobaltstrike.exe C:\Windows\System\PgKYNEa.exe
PID 2416 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-25_84d2357a214a103f01e61d50a7fe8df2_cobalt-strike_cobaltstrike.exe C:\Windows\System\PgKYNEa.exe
PID 2416 wrote to memory of 3008 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-25_84d2357a214a103f01e61d50a7fe8df2_cobalt-strike_cobaltstrike.exe C:\Windows\System\IjICirB.exe
PID 2416 wrote to memory of 3008 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-25_84d2357a214a103f01e61d50a7fe8df2_cobalt-strike_cobaltstrike.exe C:\Windows\System\IjICirB.exe
PID 2416 wrote to memory of 3008 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-25_84d2357a214a103f01e61d50a7fe8df2_cobalt-strike_cobaltstrike.exe C:\Windows\System\IjICirB.exe
PID 2416 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-25_84d2357a214a103f01e61d50a7fe8df2_cobalt-strike_cobaltstrike.exe C:\Windows\System\GlaqWjO.exe
PID 2416 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-25_84d2357a214a103f01e61d50a7fe8df2_cobalt-strike_cobaltstrike.exe C:\Windows\System\GlaqWjO.exe
PID 2416 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-25_84d2357a214a103f01e61d50a7fe8df2_cobalt-strike_cobaltstrike.exe C:\Windows\System\GlaqWjO.exe
PID 2416 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-25_84d2357a214a103f01e61d50a7fe8df2_cobalt-strike_cobaltstrike.exe C:\Windows\System\xLYTlex.exe
PID 2416 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-25_84d2357a214a103f01e61d50a7fe8df2_cobalt-strike_cobaltstrike.exe C:\Windows\System\xLYTlex.exe
PID 2416 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-25_84d2357a214a103f01e61d50a7fe8df2_cobalt-strike_cobaltstrike.exe C:\Windows\System\xLYTlex.exe
PID 2416 wrote to memory of 2592 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-25_84d2357a214a103f01e61d50a7fe8df2_cobalt-strike_cobaltstrike.exe C:\Windows\System\gBMCSnM.exe
PID 2416 wrote to memory of 2592 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-25_84d2357a214a103f01e61d50a7fe8df2_cobalt-strike_cobaltstrike.exe C:\Windows\System\gBMCSnM.exe
PID 2416 wrote to memory of 2592 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-25_84d2357a214a103f01e61d50a7fe8df2_cobalt-strike_cobaltstrike.exe C:\Windows\System\gBMCSnM.exe
PID 2416 wrote to memory of 2988 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-25_84d2357a214a103f01e61d50a7fe8df2_cobalt-strike_cobaltstrike.exe C:\Windows\System\snTBEyo.exe
PID 2416 wrote to memory of 2988 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-25_84d2357a214a103f01e61d50a7fe8df2_cobalt-strike_cobaltstrike.exe C:\Windows\System\snTBEyo.exe
PID 2416 wrote to memory of 2988 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-25_84d2357a214a103f01e61d50a7fe8df2_cobalt-strike_cobaltstrike.exe C:\Windows\System\snTBEyo.exe
PID 2416 wrote to memory of 1776 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-25_84d2357a214a103f01e61d50a7fe8df2_cobalt-strike_cobaltstrike.exe C:\Windows\System\KehCghC.exe
PID 2416 wrote to memory of 1776 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-25_84d2357a214a103f01e61d50a7fe8df2_cobalt-strike_cobaltstrike.exe C:\Windows\System\KehCghC.exe
PID 2416 wrote to memory of 1776 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-25_84d2357a214a103f01e61d50a7fe8df2_cobalt-strike_cobaltstrike.exe C:\Windows\System\KehCghC.exe
PID 2416 wrote to memory of 2868 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-25_84d2357a214a103f01e61d50a7fe8df2_cobalt-strike_cobaltstrike.exe C:\Windows\System\dryzaVp.exe
PID 2416 wrote to memory of 2868 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-25_84d2357a214a103f01e61d50a7fe8df2_cobalt-strike_cobaltstrike.exe C:\Windows\System\dryzaVp.exe
PID 2416 wrote to memory of 2868 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-25_84d2357a214a103f01e61d50a7fe8df2_cobalt-strike_cobaltstrike.exe C:\Windows\System\dryzaVp.exe
PID 2416 wrote to memory of 1728 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-25_84d2357a214a103f01e61d50a7fe8df2_cobalt-strike_cobaltstrike.exe C:\Windows\System\ATNeSvg.exe
PID 2416 wrote to memory of 1728 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-25_84d2357a214a103f01e61d50a7fe8df2_cobalt-strike_cobaltstrike.exe C:\Windows\System\ATNeSvg.exe
PID 2416 wrote to memory of 1728 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-25_84d2357a214a103f01e61d50a7fe8df2_cobalt-strike_cobaltstrike.exe C:\Windows\System\ATNeSvg.exe
PID 2416 wrote to memory of 2016 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-25_84d2357a214a103f01e61d50a7fe8df2_cobalt-strike_cobaltstrike.exe C:\Windows\System\jRJZJoe.exe
PID 2416 wrote to memory of 2016 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-25_84d2357a214a103f01e61d50a7fe8df2_cobalt-strike_cobaltstrike.exe C:\Windows\System\jRJZJoe.exe
PID 2416 wrote to memory of 2016 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-25_84d2357a214a103f01e61d50a7fe8df2_cobalt-strike_cobaltstrike.exe C:\Windows\System\jRJZJoe.exe
PID 2416 wrote to memory of 296 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-25_84d2357a214a103f01e61d50a7fe8df2_cobalt-strike_cobaltstrike.exe C:\Windows\System\XJrPdqZ.exe
PID 2416 wrote to memory of 296 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-25_84d2357a214a103f01e61d50a7fe8df2_cobalt-strike_cobaltstrike.exe C:\Windows\System\XJrPdqZ.exe
PID 2416 wrote to memory of 296 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-25_84d2357a214a103f01e61d50a7fe8df2_cobalt-strike_cobaltstrike.exe C:\Windows\System\XJrPdqZ.exe
PID 2416 wrote to memory of 1412 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-25_84d2357a214a103f01e61d50a7fe8df2_cobalt-strike_cobaltstrike.exe C:\Windows\System\jYxAXsN.exe
PID 2416 wrote to memory of 1412 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-25_84d2357a214a103f01e61d50a7fe8df2_cobalt-strike_cobaltstrike.exe C:\Windows\System\jYxAXsN.exe
PID 2416 wrote to memory of 1412 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-25_84d2357a214a103f01e61d50a7fe8df2_cobalt-strike_cobaltstrike.exe C:\Windows\System\jYxAXsN.exe
PID 2416 wrote to memory of 304 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-25_84d2357a214a103f01e61d50a7fe8df2_cobalt-strike_cobaltstrike.exe C:\Windows\System\zDLXPXR.exe
PID 2416 wrote to memory of 304 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-25_84d2357a214a103f01e61d50a7fe8df2_cobalt-strike_cobaltstrike.exe C:\Windows\System\zDLXPXR.exe
PID 2416 wrote to memory of 304 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-25_84d2357a214a103f01e61d50a7fe8df2_cobalt-strike_cobaltstrike.exe C:\Windows\System\zDLXPXR.exe
PID 2416 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-25_84d2357a214a103f01e61d50a7fe8df2_cobalt-strike_cobaltstrike.exe C:\Windows\System\YdbtKnh.exe
PID 2416 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-25_84d2357a214a103f01e61d50a7fe8df2_cobalt-strike_cobaltstrike.exe C:\Windows\System\YdbtKnh.exe
PID 2416 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-25_84d2357a214a103f01e61d50a7fe8df2_cobalt-strike_cobaltstrike.exe C:\Windows\System\YdbtKnh.exe
PID 2416 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-25_84d2357a214a103f01e61d50a7fe8df2_cobalt-strike_cobaltstrike.exe C:\Windows\System\iBKVGWJ.exe
PID 2416 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-25_84d2357a214a103f01e61d50a7fe8df2_cobalt-strike_cobaltstrike.exe C:\Windows\System\iBKVGWJ.exe
PID 2416 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-25_84d2357a214a103f01e61d50a7fe8df2_cobalt-strike_cobaltstrike.exe C:\Windows\System\iBKVGWJ.exe
PID 2416 wrote to memory of 2104 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-25_84d2357a214a103f01e61d50a7fe8df2_cobalt-strike_cobaltstrike.exe C:\Windows\System\nSMMBrF.exe
PID 2416 wrote to memory of 2104 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-25_84d2357a214a103f01e61d50a7fe8df2_cobalt-strike_cobaltstrike.exe C:\Windows\System\nSMMBrF.exe
PID 2416 wrote to memory of 2104 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-25_84d2357a214a103f01e61d50a7fe8df2_cobalt-strike_cobaltstrike.exe C:\Windows\System\nSMMBrF.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-05-25_84d2357a214a103f01e61d50a7fe8df2_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-05-25_84d2357a214a103f01e61d50a7fe8df2_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\UFVYNfu.exe

C:\Windows\System\UFVYNfu.exe

C:\Windows\System\ITdtBIL.exe

C:\Windows\System\ITdtBIL.exe

C:\Windows\System\asRlCwC.exe

C:\Windows\System\asRlCwC.exe

C:\Windows\System\SzmouWp.exe

C:\Windows\System\SzmouWp.exe

C:\Windows\System\knPBEaK.exe

C:\Windows\System\knPBEaK.exe

C:\Windows\System\PgKYNEa.exe

C:\Windows\System\PgKYNEa.exe

C:\Windows\System\IjICirB.exe

C:\Windows\System\IjICirB.exe

C:\Windows\System\GlaqWjO.exe

C:\Windows\System\GlaqWjO.exe

C:\Windows\System\xLYTlex.exe

C:\Windows\System\xLYTlex.exe

C:\Windows\System\gBMCSnM.exe

C:\Windows\System\gBMCSnM.exe

C:\Windows\System\snTBEyo.exe

C:\Windows\System\snTBEyo.exe

C:\Windows\System\KehCghC.exe

C:\Windows\System\KehCghC.exe

C:\Windows\System\dryzaVp.exe

C:\Windows\System\dryzaVp.exe

C:\Windows\System\ATNeSvg.exe

C:\Windows\System\ATNeSvg.exe

C:\Windows\System\jRJZJoe.exe

C:\Windows\System\jRJZJoe.exe

C:\Windows\System\XJrPdqZ.exe

C:\Windows\System\XJrPdqZ.exe

C:\Windows\System\jYxAXsN.exe

C:\Windows\System\jYxAXsN.exe

C:\Windows\System\zDLXPXR.exe

C:\Windows\System\zDLXPXR.exe

C:\Windows\System\YdbtKnh.exe

C:\Windows\System\YdbtKnh.exe

C:\Windows\System\iBKVGWJ.exe

C:\Windows\System\iBKVGWJ.exe

C:\Windows\System\nSMMBrF.exe

C:\Windows\System\nSMMBrF.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp

Files

memory/2416-0-0x000000013F790000-0x000000013FAE4000-memory.dmp

memory/2416-1-0x00000000000F0000-0x0000000000100000-memory.dmp

\Windows\system\UFVYNfu.exe

MD5 37d570a77f9b64340cbd013d334569f0
SHA1 09910a6b1122499c1d4676ab924fad3bac1213d7
SHA256 6880e1fb72448a939b74e882ab865e47d50e65d9f8918fcef831f691f9d1bc8a
SHA512 88ef41730b382731aae182671d8084f36cda9d4dd8cb8e1d298dc6ce0bb59c18ace657c821baafe374b4b736acf2690c2def20fa0811f9b33e64d6002af80deb

memory/2060-8-0x000000013F0F0000-0x000000013F444000-memory.dmp

C:\Windows\system\ITdtBIL.exe

MD5 2c4640c6e6d896d502c3e4156d85386e
SHA1 23b4ae915e010a71b3d07f56f6056a1ae5fff88f
SHA256 ba13e509d182cdb27158e6c5e2d5711c5e750c73c72174b8f097fd42b875a2c4
SHA512 6714bd5cfb4b64006e1348491a31403d7c7645987d59c360fe07ddd2329195b037f5f34ef841cad2c0f564dab80ed40920afbd309e070c2e61b150828c18b090

\Windows\system\asRlCwC.exe

MD5 3a90a6e8dd0105bb473a06896b2ee883
SHA1 631fa73d8c6cdf1496fe4d5d01a5de48f35fe475
SHA256 bd61bce683d8b1bf465f008c507bf27eff0ca1a92756486b81c37bef4f3683dd
SHA512 defc297125fc76be7afda5d0f9f852feb8f4954652081dd4f79cd530c974ff8d2c6613bc6e353b2f77abb8b374763c85636fc797ed4258f112e4d35a720e62c7

memory/2416-18-0x0000000002400000-0x0000000002754000-memory.dmp

memory/2416-22-0x000000013FCD0000-0x0000000140024000-memory.dmp

memory/3052-21-0x000000013FCD0000-0x0000000140024000-memory.dmp

memory/3004-20-0x000000013F480000-0x000000013F7D4000-memory.dmp

C:\Windows\system\SzmouWp.exe

MD5 44eb89081527513f930f7c6ee60bceed
SHA1 55dd84ed28343baea56e7775cd49396533d96425
SHA256 4b23d1f9e7e6140236fec8e7a5533fec2e5a31741f23f0273caee9602cf12ef7
SHA512 3046f60cfb2f8312e7171ec122b92c06f969f319a630bb321be272bce65148d0f620fed0bc7a2e6a94d7584e227ec9051b5df06c51d3e76d428d8e6ddf26550f

memory/2736-29-0x000000013FDB0000-0x0000000140104000-memory.dmp

memory/2416-28-0x000000013FDB0000-0x0000000140104000-memory.dmp

C:\Windows\system\knPBEaK.exe

MD5 af66fcf550ee2da7bfe45aa6b5d3df88
SHA1 3665f89375b2fa38f63c5090173918cad29f496e
SHA256 2133466fd66cc50a6c5518e88782afd147744315790bb8e762a60adf0522e8a0
SHA512 b2a86d5609820a5483d384b72b0c962ae2b889aaf3ebfcb30d6f1ed06d89f4bc433f2514cd206e7480756c553f3587765300ac26161766b0bfd4d9d46947dcc3

C:\Windows\system\PgKYNEa.exe

MD5 71d6fed7ab332ff5fb8c81db57957167
SHA1 a6cfbfc75254343ec4db6521626471ce94c15b15
SHA256 32eccdb83aeda256d91cf3814734c1e6a3923d332d469af955c7cd16edbc5331
SHA512 9d29bdb8e3b85584341ea4ef2707e134a2def687d0e7799fb8e1289f28e5ad839d83ba5139d55a8e51c349c6e9b1df2fd556be7d6a15509292f0bd47d4743d0f

memory/2808-41-0x000000013F120000-0x000000013F474000-memory.dmp

memory/2416-40-0x000000013F120000-0x000000013F474000-memory.dmp

memory/2812-36-0x000000013F6B0000-0x000000013FA04000-memory.dmp

memory/2416-32-0x0000000002400000-0x0000000002754000-memory.dmp

\Windows\system\IjICirB.exe

MD5 ab73b33336ef96a59d254f02acc4493e
SHA1 1419557337c2ad84de35c02e72a0b1767a72a95c
SHA256 6b07c7b6d057d60307c3933ac08b6c30fae7aa530b362e0d70036f6c7690681f
SHA512 6a255346baa9fd85cb8036cea507d1a1c2ff21c887fddebbaa11e98d98a153f00e090c5ae3d481b44f39b3fa196359dc92983b1fdf88ff114fbe5e3119b20e00

memory/2416-51-0x000000013F150000-0x000000013F4A4000-memory.dmp

memory/2416-62-0x000000013FB00000-0x000000013FE54000-memory.dmp

memory/2592-68-0x000000013FC40000-0x000000013FF94000-memory.dmp

\Windows\system\KehCghC.exe

MD5 e94547090ab2157896cdee39046bb2da
SHA1 fc4b5b45c951024e0e3e2d22e03e7ccd642da22b
SHA256 5417f5da48d0e8b0e63aff77f36cbd0aea7cd1b2a89c7d8a988de8b95b01e639
SHA512 fe42306c2922485d9bd6124c7961231d0b1cb1d5e31f02c7d2fd5055267c7c259c5de6dd3ef675ff31fb06f92aecc8195b9b6ccdfb41d75cf32b48fdc2d5024c

memory/2416-79-0x000000013F340000-0x000000013F694000-memory.dmp

memory/1776-81-0x000000013F340000-0x000000013F694000-memory.dmp

memory/2520-83-0x000000013F300000-0x000000013F654000-memory.dmp

C:\Windows\system\xLYTlex.exe

MD5 f0773ea96c9a3348623176e536e93660
SHA1 d5a383043441bd6f15106a84862defc6b4a70220
SHA256 71f3931f61d18d27b12c458e2b6ce8230eaaec330785416f47b88484d0d8cadd
SHA512 6c61c35c8b9191b501476a43967d610acedbe09668f8bc088e1396a3783c7f288dbf805c5c6ca99ac85b1e6bc0b9d770100ab047d5c3cb44da89320d7963b07b

memory/2416-80-0x000000013FCD0000-0x0000000140024000-memory.dmp

memory/3008-100-0x000000013F150000-0x000000013F4A4000-memory.dmp

memory/1728-105-0x000000013FFE0000-0x0000000140334000-memory.dmp

C:\Windows\system\jRJZJoe.exe


Analysis: behavioral2

Detonation Overview

Submitted

2024-05-25 15:24

Reported

2024-05-25 15:27

Platform

win10v2004-20240426-en

Max time kernel

149s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-05-25_84d2357a214a103f01e61d50a7fe8df2_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\eClWJIX.exe C:\Users\Admin\AppData\Local\Temp\2024-05-25_84d2357a214a103f01e61d50a7fe8df2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\JUKAQBe.exe C:\Users\Admin\AppData\Local\Temp\2024-05-25_84d2357a214a103f01e61d50a7fe8df2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\OeTPRTZ.exe C:\Users\Admin\AppData\Local\Temp\2024-05-25_84d2357a214a103f01e61d50a7fe8df2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ZrdSskn.exe C:\Users\Admin\AppData\Local\Temp\2024-05-25_84d2357a214a103f01e61d50a7fe8df2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\YuIKCYS.exe C:\Users\Admin\AppData\Local\Temp\2024-05-25_84d2357a214a103f01e61d50a7fe8df2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\GsBjHkZ.exe C:\Users\Admin\AppData\Local\Temp\2024-05-25_84d2357a214a103f01e61d50a7fe8df2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\WQynLBT.exe C:\Users\Admin\AppData\Local\Temp\2024-05-25_84d2357a214a103f01e61d50a7fe8df2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\misGKEV.exe C:\Users\Admin\AppData\Local\Temp\2024-05-25_84d2357a214a103f01e61d50a7fe8df2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\SXqmVGj.exe C:\Users\Admin\AppData\Local\Temp\2024-05-25_84d2357a214a103f01e61d50a7fe8df2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\EIGVeoD.exe C:\Users\Admin\AppData\Local\Temp\2024-05-25_84d2357a214a103f01e61d50a7fe8df2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\oSTfqro.exe C:\Users\Admin\AppData\Local\Temp\2024-05-25_84d2357a214a103f01e61d50a7fe8df2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\UOIHnLY.exe C:\Users\Admin\AppData\Local\Temp\2024-05-25_84d2357a214a103f01e61d50a7fe8df2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\TTDaukT.exe C:\Users\Admin\AppData\Local\Temp\2024-05-25_84d2357a214a103f01e61d50a7fe8df2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\BHYcFKF.exe C:\Users\Admin\AppData\Local\Temp\2024-05-25_84d2357a214a103f01e61d50a7fe8df2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\oYGlQGC.exe C:\Users\Admin\AppData\Local\Temp\2024-05-25_84d2357a214a103f01e61d50a7fe8df2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\YlLcmzm.exe C:\Users\Admin\AppData\Local\Temp\2024-05-25_84d2357a214a103f01e61d50a7fe8df2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\KwNRgYK.exe C:\Users\Admin\AppData\Local\Temp\2024-05-25_84d2357a214a103f01e61d50a7fe8df2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\hiWJkML.exe C:\Users\Admin\AppData\Local\Temp\2024-05-25_84d2357a214a103f01e61d50a7fe8df2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\pQvqqlH.exe C:\Users\Admin\AppData\Local\Temp\2024-05-25_84d2357a214a103f01e61d50a7fe8df2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\yszfomq.exe C:\Users\Admin\AppData\Local\Temp\2024-05-25_84d2357a214a103f01e61d50a7fe8df2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\VHjVQYM.exe C:\Users\Admin\AppData\Local\Temp\2024-05-25_84d2357a214a103f01e61d50a7fe8df2_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-05-25_84d2357a214a103f01e61d50a7fe8df2_cobalt-strike_cobaltstrike.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-05-25_84d2357a214a103f01e61d50a7fe8df2_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1472 wrote to memory of 2868 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-25_84d2357a214a103f01e61d50a7fe8df2_cobalt-strike_cobaltstrike.exe C:\Windows\System\eClWJIX.exe
PID 1472 wrote to memory of 2868 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-25_84d2357a214a103f01e61d50a7fe8df2_cobalt-strike_cobaltstrike.exe C:\Windows\System\eClWJIX.exe
PID 1472 wrote to memory of 2516 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-25_84d2357a214a103f01e61d50a7fe8df2_cobalt-strike_cobaltstrike.exe C:\Windows\System\JUKAQBe.exe
PID 1472 wrote to memory of 2516 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-25_84d2357a214a103f01e61d50a7fe8df2_cobalt-strike_cobaltstrike.exe C:\Windows\System\JUKAQBe.exe
PID 1472 wrote to memory of 1128 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-25_84d2357a214a103f01e61d50a7fe8df2_cobalt-strike_cobaltstrike.exe C:\Windows\System\TTDaukT.exe
PID 1472 wrote to memory of 1128 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-25_84d2357a214a103f01e61d50a7fe8df2_cobalt-strike_cobaltstrike.exe C:\Windows\System\TTDaukT.exe
PID 1472 wrote to memory of 972 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-25_84d2357a214a103f01e61d50a7fe8df2_cobalt-strike_cobaltstrike.exe C:\Windows\System\BHYcFKF.exe
PID 1472 wrote to memory of 972 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-25_84d2357a214a103f01e61d50a7fe8df2_cobalt-strike_cobaltstrike.exe C:\Windows\System\BHYcFKF.exe
PID 1472 wrote to memory of 2184 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-25_84d2357a214a103f01e61d50a7fe8df2_cobalt-strike_cobaltstrike.exe C:\Windows\System\oYGlQGC.exe
PID 1472 wrote to memory of 2184 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-25_84d2357a214a103f01e61d50a7fe8df2_cobalt-strike_cobaltstrike.exe C:\Windows\System\oYGlQGC.exe
PID 1472 wrote to memory of 2608 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-25_84d2357a214a103f01e61d50a7fe8df2_cobalt-strike_cobaltstrike.exe C:\Windows\System\WQynLBT.exe
PID 1472 wrote to memory of 2608 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-25_84d2357a214a103f01e61d50a7fe8df2_cobalt-strike_cobaltstrike.exe C:\Windows\System\WQynLBT.exe
PID 1472 wrote to memory of 464 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-25_84d2357a214a103f01e61d50a7fe8df2_cobalt-strike_cobaltstrike.exe C:\Windows\System\misGKEV.exe
PID 1472 wrote to memory of 464 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-25_84d2357a214a103f01e61d50a7fe8df2_cobalt-strike_cobaltstrike.exe C:\Windows\System\misGKEV.exe
PID 1472 wrote to memory of 3260 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-25_84d2357a214a103f01e61d50a7fe8df2_cobalt-strike_cobaltstrike.exe C:\Windows\System\SXqmVGj.exe
PID 1472 wrote to memory of 3260 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-25_84d2357a214a103f01e61d50a7fe8df2_cobalt-strike_cobaltstrike.exe C:\Windows\System\SXqmVGj.exe
PID 1472 wrote to memory of 1344 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-25_84d2357a214a103f01e61d50a7fe8df2_cobalt-strike_cobaltstrike.exe C:\Windows\System\EIGVeoD.exe
PID 1472 wrote to memory of 1344 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-25_84d2357a214a103f01e61d50a7fe8df2_cobalt-strike_cobaltstrike.exe C:\Windows\System\EIGVeoD.exe
PID 1472 wrote to memory of 4228 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-25_84d2357a214a103f01e61d50a7fe8df2_cobalt-strike_cobaltstrike.exe C:\Windows\System\YlLcmzm.exe
PID 1472 wrote to memory of 4228 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-25_84d2357a214a103f01e61d50a7fe8df2_cobalt-strike_cobaltstrike.exe C:\Windows\System\YlLcmzm.exe
PID 1472 wrote to memory of 3204 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-25_84d2357a214a103f01e61d50a7fe8df2_cobalt-strike_cobaltstrike.exe C:\Windows\System\OeTPRTZ.exe
PID 1472 wrote to memory of 3204 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-25_84d2357a214a103f01e61d50a7fe8df2_cobalt-strike_cobaltstrike.exe C:\Windows\System\OeTPRTZ.exe
PID 1472 wrote to memory of 1100 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-25_84d2357a214a103f01e61d50a7fe8df2_cobalt-strike_cobaltstrike.exe C:\Windows\System\KwNRgYK.exe
PID 1472 wrote to memory of 1100 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-25_84d2357a214a103f01e61d50a7fe8df2_cobalt-strike_cobaltstrike.exe C:\Windows\System\KwNRgYK.exe
PID 1472 wrote to memory of 2020 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-25_84d2357a214a103f01e61d50a7fe8df2_cobalt-strike_cobaltstrike.exe C:\Windows\System\pQvqqlH.exe
PID 1472 wrote to memory of 2020 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-25_84d2357a214a103f01e61d50a7fe8df2_cobalt-strike_cobaltstrike.exe C:\Windows\System\pQvqqlH.exe
PID 1472 wrote to memory of 4052 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-25_84d2357a214a103f01e61d50a7fe8df2_cobalt-strike_cobaltstrike.exe C:\Windows\System\ZrdSskn.exe
PID 1472 wrote to memory of 4052 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-25_84d2357a214a103f01e61d50a7fe8df2_cobalt-strike_cobaltstrike.exe C:\Windows\System\ZrdSskn.exe
PID 1472 wrote to memory of 4488 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-25_84d2357a214a103f01e61d50a7fe8df2_cobalt-strike_cobaltstrike.exe C:\Windows\System\YuIKCYS.exe
PID 1472 wrote to memory of 4488 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-25_84d2357a214a103f01e61d50a7fe8df2_cobalt-strike_cobaltstrike.exe C:\Windows\System\YuIKCYS.exe
PID 1472 wrote to memory of 1896 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-25_84d2357a214a103f01e61d50a7fe8df2_cobalt-strike_cobaltstrike.exe C:\Windows\System\GsBjHkZ.exe
PID 1472 wrote to memory of 1896 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-25_84d2357a214a103f01e61d50a7fe8df2_cobalt-strike_cobaltstrike.exe C:\Windows\System\GsBjHkZ.exe
PID 1472 wrote to memory of 1004 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-25_84d2357a214a103f01e61d50a7fe8df2_cobalt-strike_cobaltstrike.exe C:\Windows\System\hiWJkML.exe
PID 1472 wrote to memory of 1004 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-25_84d2357a214a103f01e61d50a7fe8df2_cobalt-strike_cobaltstrike.exe C:\Windows\System\hiWJkML.exe
PID 1472 wrote to memory of 1356 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-25_84d2357a214a103f01e61d50a7fe8df2_cobalt-strike_cobaltstrike.exe C:\Windows\System\yszfomq.exe
PID 1472 wrote to memory of 1356 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-25_84d2357a214a103f01e61d50a7fe8df2_cobalt-strike_cobaltstrike.exe C:\Windows\System\yszfomq.exe
PID 1472 wrote to memory of 2144 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-25_84d2357a214a103f01e61d50a7fe8df2_cobalt-strike_cobaltstrike.exe C:\Windows\System\oSTfqro.exe
PID 1472 wrote to memory of 2144 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-25_84d2357a214a103f01e61d50a7fe8df2_cobalt-strike_cobaltstrike.exe C:\Windows\System\oSTfqro.exe
PID 1472 wrote to memory of 748 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-25_84d2357a214a103f01e61d50a7fe8df2_cobalt-strike_cobaltstrike.exe C:\Windows\System\UOIHnLY.exe
PID 1472 wrote to memory of 748 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-25_84d2357a214a103f01e61d50a7fe8df2_cobalt-strike_cobaltstrike.exe C:\Windows\System\UOIHnLY.exe
PID 1472 wrote to memory of 4512 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-25_84d2357a214a103f01e61d50a7fe8df2_cobalt-strike_cobaltstrike.exe C:\Windows\System\VHjVQYM.exe
PID 1472 wrote to memory of 4512 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-25_84d2357a214a103f01e61d50a7fe8df2_cobalt-strike_cobaltstrike.exe C:\Windows\System\VHjVQYM.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-05-25_84d2357a214a103f01e61d50a7fe8df2_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-05-25_84d2357a214a103f01e61d50a7fe8df2_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\eClWJIX.exe

C:\Windows\System\eClWJIX.exe

C:\Windows\System\JUKAQBe.exe

C:\Windows\System\JUKAQBe.exe

C:\Windows\System\TTDaukT.exe

C:\Windows\System\TTDaukT.exe

C:\Windows\System\BHYcFKF.exe

C:\Windows\System\BHYcFKF.exe

C:\Windows\System\oYGlQGC.exe

C:\Windows\System\oYGlQGC.exe

C:\Windows\System\WQynLBT.exe

C:\Windows\System\WQynLBT.exe

C:\Windows\System\misGKEV.exe

C:\Windows\System\misGKEV.exe

C:\Windows\System\SXqmVGj.exe

C:\Windows\System\SXqmVGj.exe

C:\Windows\System\EIGVeoD.exe

C:\Windows\System\EIGVeoD.exe

C:\Windows\System\YlLcmzm.exe

C:\Windows\System\YlLcmzm.exe

C:\Windows\System\OeTPRTZ.exe

C:\Windows\System\OeTPRTZ.exe

C:\Windows\System\KwNRgYK.exe

C:\Windows\System\KwNRgYK.exe

C:\Windows\System\pQvqqlH.exe

C:\Windows\System\pQvqqlH.exe

C:\Windows\System\ZrdSskn.exe

C:\Windows\System\ZrdSskn.exe

C:\Windows\System\YuIKCYS.exe

C:\Windows\System\YuIKCYS.exe

C:\Windows\System\GsBjHkZ.exe

C:\Windows\System\GsBjHkZ.exe

C:\Windows\System\hiWJkML.exe

C:\Windows\System\hiWJkML.exe

C:\Windows\System\yszfomq.exe

C:\Windows\System\yszfomq.exe

C:\Windows\System\oSTfqro.exe

C:\Windows\System\oSTfqro.exe

C:\Windows\System\UOIHnLY.exe

C:\Windows\System\UOIHnLY.exe

C:\Windows\System\VHjVQYM.exe

C:\Windows\System\VHjVQYM.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 73.239.69.13.in-addr.arpa udp

Files
