Malware Analysis Report

2025-04-19 18:42

Sample ID: 240527-chlz6acd7x
Target: 2024-05-27_778418f0e5bedc2f927370e2938780bc_cobalt-strike_cobaltstrike
SHA256: 99f7856d5e1c4ec54f6db1ca97b18f6ed1e6145d8ac5c277631b9e8a4e75fe49
Tags: upx 0 miner cobaltstrike xmrig backdoor trojan
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10
SHA256: 99f7856d5e1c4ec54f6db1ca97b18f6ed1e6145d8ac5c277631b9e8a4e75fe49
Threat Level: Known bad

The file 2024-05-27_778418f0e5bedc2f927370e2938780bc_cobalt-strike_cobaltstrike was found to be: Known bad.

Malicious Activity Summary

Tags: upx 0 miner cobaltstrike xmrig backdoor trojan

Signatures triggered across the static and behavioral runs (each listed once):

Cobaltstrike family
xmrig
Cobaltstrike
XMRig Miner payload
UPX dump on OEP (original entry point)
Detects Reflective DLL injection artifacts
Cobalt Strike reflective loader
Xmrig family
UPX packed file
Loads dropped DLL
Executes dropped EXE
Drops file in Windows directory
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported: 2024-05-27 02:04

Signatures

(Each signature table has the columns Description, Indicator, Process, Target; for the static run every cell is N/A, so only the row counts are kept.)

Cobalt Strike reflective loader: 1 row, all columns N/A
Cobaltstrike family: cobaltstrike
Detects Reflective DLL injection artifacts: 1 row, all columns N/A
UPX dump on OEP (original entry point): 1 row, all columns N/A
XMRig Miner payload (miner): 1 row, all columns N/A
Xmrig family: xmrig
UPX packed file (upx): 1 row, all columns N/A
Unsigned PE: 2 rows, all columns N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-05-27 02:04
Reported: 2024-05-27 02:07
Platform: win7-20240419-en
Max time kernel: 140s
Max time network: 144s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-05-27_778418f0e5bedc2f927370e2938780bc_cobalt-strike_cobaltstrike.exe"

Signatures

(Columns are Description, Indicator, Process, Target. Where the sandbox recorded no cell values, only the number of rows is kept.)

Cobalt Strike reflective loader: 21 rows, all columns N/A
Cobaltstrike: trojan backdoor cobaltstrike
xmrig: miner xmrig
Detects Reflective DLL injection artifacts: 21 rows, all columns N/A
UPX dump on OEP (original entry point): 64 rows, all columns N/A
XMRig Miner payload (miner): 41 rows, all columns N/A
Loads dropped DLL: 21 rows; Process = C:\Users\Admin\AppData\Local\Temp\2024-05-27_778418f0e5bedc2f927370e2938780bc_cobalt-strike_cobaltstrike.exe on every row, Description, Indicator and Target N/A
UPX packed file (upx): 64 rows, all columns N/A
Drops file in Windows directory

Description Indicator Process Target
21 rows, Description = "File created", Indicator and Target N/A, Process = C:\Users\Admin\AppData\Local\Temp\2024-05-27_778418f0e5bedc2f927370e2938780bc_cobalt-strike_cobaltstrike.exe on every row. Files created, in the order reported:
C:\Windows\System\ZAToOOB.exe
C:\Windows\System\HiItscM.exe
C:\Windows\System\NTyJYav.exe
C:\Windows\System\TbSGCbN.exe
C:\Windows\System\hsVojtx.exe
C:\Windows\System\TWufyTw.exe
C:\Windows\System\HlZfMDX.exe
C:\Windows\System\rPJrhzl.exe
C:\Windows\System\yDQsgsG.exe
C:\Windows\System\UBtOTzX.exe
C:\Windows\System\lOMJiAi.exe
C:\Windows\System\fQnWLGR.exe
C:\Windows\System\ZhQLdeZ.exe
C:\Windows\System\ofAcnjB.exe
C:\Windows\System\MkBVDDo.exe
C:\Windows\System\JlDETXk.exe
C:\Windows\System\qgRksHa.exe
C:\Windows\System\qxrqEKh.exe
C:\Windows\System\QCasUEf.exe
C:\Windows\System\StVXWiR.exe
C:\Windows\System\NXKGpHg.exe

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_778418f0e5bedc2f927370e2938780bc_cobalt-strike_cobaltstrike.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_778418f0e5bedc2f927370e2938780bc_cobalt-strike_cobaltstrike.exe N/A

SeLockMemoryPrivilege is the privilege required to allocate large pages. XMRig enables it to back its RandomX dataset with huge pages, so these two rows are consistent with the XMRig Miner payload signature rather than with the Cobalt Strike component.

Suspicious use of WriteProcessMemory

Description Indicator Process Target
63 rows. On every row Process = PID 2248, C:\Users\Admin\AppData\Local\Temp\2024-05-27_778418f0e5bedc2f927370e2938780bc_cobalt-strike_cobaltstrike.exe, Indicator = N/A, and the description reads "PID 2248 wrote to memory of <target PID>". Each target PID below occurs exactly three times, with Target = the image shown:
2028 C:\Windows\System\UBtOTzX.exe
3048 C:\Windows\System\QCasUEf.exe
2196 C:\Windows\System\TbSGCbN.exe
2756 C:\Windows\System\hsVojtx.exe
2612 C:\Windows\System\StVXWiR.exe
2692 C:\Windows\System\lOMJiAi.exe
2764 C:\Windows\System\ZhQLdeZ.exe
2856 C:\Windows\System\ofAcnjB.exe
2604 C:\Windows\System\fQnWLGR.exe
2752 C:\Windows\System\HlZfMDX.exe
2532 C:\Windows\System\TWufyTw.exe
2800 C:\Windows\System\NXKGpHg.exe
2812 C:\Windows\System\ZAToOOB.exe
1504 C:\Windows\System\JlDETXk.exe
1772 C:\Windows\System\MkBVDDo.exe
2284 C:\Windows\System\rPJrhzl.exe
108 C:\Windows\System\qgRksHa.exe
1760 C:\Windows\System\yDQsgsG.exe
1348 C:\Windows\System\qxrqEKh.exe
1248 C:\Windows\System\HiItscM.exe
2836 C:\Windows\System\NTyJYav.exe

The 21 targets are exactly the executables the sample dropped and ran (see Processes). The same three-write pattern into a freshly created child is what ordinary process creation produces, so on their own these rows document the sample launching its drops; they are not evidence of injection into a process the sample did not start.

Processes

PID 2248 C:\Users\Admin\AppData\Local\Temp\2024-05-27_778418f0e5bedc2f927370e2938780bc_cobalt-strike_cobaltstrike.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\2024-05-27_778418f0e5bedc2f927370e2938780bc_cobalt-strike_cobaltstrike.exe"

The 21 dropped executables, each run with its own image path as the command line. PIDs are the targets of PID 2248's WriteProcessMemory rows above and match the memory dump names under Files:
2028 C:\Windows\System\UBtOTzX.exe
3048 C:\Windows\System\QCasUEf.exe
2196 C:\Windows\System\TbSGCbN.exe
2756 C:\Windows\System\hsVojtx.exe
2612 C:\Windows\System\StVXWiR.exe
2692 C:\Windows\System\lOMJiAi.exe
2764 C:\Windows\System\ZhQLdeZ.exe
2856 C:\Windows\System\ofAcnjB.exe
2604 C:\Windows\System\fQnWLGR.exe
2752 C:\Windows\System\HlZfMDX.exe
2532 C:\Windows\System\TWufyTw.exe
2800 C:\Windows\System\NXKGpHg.exe
2812 C:\Windows\System\ZAToOOB.exe
1504 C:\Windows\System\JlDETXk.exe
1772 C:\Windows\System\MkBVDDo.exe
2284 C:\Windows\System\rPJrhzl.exe
108 C:\Windows\System\qgRksHa.exe
1760 C:\Windows\System\yDQsgsG.exe
1348 C:\Windows\System\qxrqEKh.exe
1248 C:\Windows\System\HiItscM.exe
2836 C:\Windows\System\NTyJYav.exe
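As an added example (not part of the sandbox report), the Python below reduces rows of the WriteProcessMemory table to a parent/child summary and separates the creation-like triplets from anything that deserves a closer look, which is the question an analyst asks of both the WriteProcessMemory and the Processes sections. The input is a constructed subset of the table: nine rows copied verbatim plus one made-up row (PID 9999 writing into explorer.exe, marked in the code) so the review branch is exercised. The three-write baseline is read off this run, not a universal constant, and the dropped-file set is a subset of the 21 paths listed above.

```python
import re
from collections import Counter, defaultdict
from dataclasses import dataclass

# One row of the sandbox's "Suspicious use of WriteProcessMemory" table, as rendered:
# "PID <src> wrote to memory of <dst> N/A <src image> <dst image>"
EVENT_RE = re.compile(
    r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) N/A (?P<src_img>\S+) (?P<dst_img>\S+)$"
)

SAMPLE_IMG = (r"C:\Users\Admin\AppData\Local\Temp"
              r"\2024-05-27_778418f0e5bedc2f927370e2938780bc_cobalt-strike_cobaltstrike.exe")

# Dropped-file paths from the "Drops file in Windows directory" table (subset of the 21).
DROPPED = {
    r"C:\Windows\System\UBtOTzX.exe",
    r"C:\Windows\System\QCasUEf.exe",
    r"C:\Windows\System\TbSGCbN.exe",
}

# Constructed input: the first nine rows of the report's table verbatim, plus one
# row that is NOT in the report (PID 9999 and explorer.exe are made up) so the
# non-creation branch is exercised.
SAMPLE_EVENTS = "\n".join(
    [rf"PID 2248 wrote to memory of 2028 N/A {SAMPLE_IMG} C:\Windows\System\UBtOTzX.exe"] * 3
    + [rf"PID 2248 wrote to memory of 3048 N/A {SAMPLE_IMG} C:\Windows\System\QCasUEf.exe"] * 3
    + [rf"PID 2248 wrote to memory of 2196 N/A {SAMPLE_IMG} C:\Windows\System\TbSGCbN.exe"] * 3
    + [r"PID 2028 wrote to memory of 9999 N/A C:\Windows\System\UBtOTzX.exe C:\Windows\explorer.exe"]
)


@dataclass(frozen=True)
class Write:
    src_pid: int
    dst_pid: int
    src_img: str
    dst_img: str


def parse_events(text: str) -> list[Write]:
    """Parse rendered table rows; lines that do not match the row shape are skipped."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if m:
            events.append(Write(int(m["src"]), int(m["dst"]), m["src_img"], m["dst_img"]))
    return events


def triage(events, dropped, baseline_writes=3):
    """Split (src, dst, dst image, count) tuples into creation-like and review lists.

    In this run every child the sample launched received exactly three writes from
    its parent, which is what ordinary process creation looks like in the sandbox
    (baseline_writes=3 is taken from the table, not a universal constant). A write
    whose destination is not one of the dropped files, or whose count deviates from
    the baseline, is what an analyst should look at first.
    """
    dropped_lc = {p.lower() for p in dropped}
    counts = Counter((e.src_pid, e.dst_pid, e.dst_img) for e in events)
    creation, review = [], []
    for (src, dst, img), n in sorted(counts.items()):
        row = (src, dst, img, n)
        if img.lower() in dropped_lc and n == baseline_writes:
            creation.append(row)
        else:
            review.append(row)
    return creation, review


def process_tree(creation):
    """parent PID -> [(child PID, child image)], built from the creation-like writes."""
    tree = defaultdict(list)
    for src, dst, img, _ in creation:
        tree[src].append((dst, img))
    return dict(tree)


if __name__ == "__main__":
    ev = parse_events(SAMPLE_EVENTS)
    created, review = triage(ev, DROPPED)
    for parent, kids in process_tree(created).items():
        print(f"PID {parent} launched {len(kids)} dropped executables")
    for row in review:
        print("review:", row)
```

Run against the full 63-row table the script yields one parent with 21 children and an empty review list; the made-up tenth row shows what a write into a process the sample did not drop looks like in the output.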

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 (no domain) tcp, 6 connections

Files

Memory dumps are named memory/<PID>-<sequence>-<start>-<end>-memory.dmp; the main sample (PID 2248) and every child process map an image region of 0x351000 bytes. Each of the 21 dropped executables carries a different hash set, so the hashes below identify this run only; the drop location C:\Windows\System\, the seven-letter file names and the 3.120.209.58:8080 endpoint are the more durable indicators.

memory/2248-0-0x000000013F9D0000-0x000000013FD21000-memory.dmp

memory/2248-1-0x0000000000080000-0x0000000000090000-memory.dmp

\Windows\system\UBtOTzX.exe

MD5 86506870a8977f37ed2cf5d6a911f010
SHA1 47d6aabcb3e6f1641e6cd68935a80f6cb8d86db4
SHA256 44043f8d9ecd075eb85e4dc095a885010522ad6564352f673e7ab95cf55d363c
SHA512 6c739a23e6917763196a8d798544ba9eca95cce6b890efbb6f416c366f8c352321d431ba92724d7484d9f07a32d8c61421eea89e0195f95083146660bf2321d6

memory/2028-10-0x000000013F560000-0x000000013F8B1000-memory.dmp

\Windows\system\QCasUEf.exe

MD5 1322b26d90eceb13bbd98b9fb1e88710
SHA1 c0252d0faebdb50115ddd14da2740e08dbea1264
SHA256 832fc954f419d7a28224a588229b78fe80e19957d65b661c9f7f774b63863a60
SHA512 da1b4607247f1f16cca4139804cc24cb433cb916d4b0451f1fe10045641e0f5de1cb49267cd05febf8eb36e9887eb3ef6626b90a280fc2016222e7bba3b1b4d8

memory/3048-19-0x000000013F150000-0x000000013F4A1000-memory.dmp

C:\Windows\system\TbSGCbN.exe

MD5 bc85c63a59294f12715edcce97330c5b
SHA1 8366b4dd2ac7b4957aae6740297909bd887f09f7
SHA256 2cb933fef40998acf33cbe170783c9aed13c85c39677ea6b8f456b54c5f810f0
SHA512 394569870a79bd55d2a091069f15a5f2fa7a392c7158a79ffddb0f8099c4b5b929dc0797fca655aed0d80bbbc328dc3327fd6eed838d033bbfaaad4d6ca92308

memory/2248-18-0x000000013F150000-0x000000013F4A1000-memory.dmp

memory/2248-16-0x0000000002430000-0x0000000002781000-memory.dmp

memory/2196-21-0x000000013F7E0000-0x000000013FB31000-memory.dmp

\Windows\system\hsVojtx.exe

MD5 9830f50ae1892cc920563dd96b56a483
SHA1 169a12dde45422a4164c42abeb388992def55211
SHA256 1e80fe19d243c5597abe16d0ed51e5f9f75cdcbb2625921b9dbc7269c1421053
SHA512 35241b9bf2aaaf27e3e0f0c6d03453dfc4356cf36beebfcd3cea8ecb78486a96daa227f5fb8a2e04ecaf035f2e98e3a462d9d8bb9d83c6d464b5001a127e8170

C:\Windows\system\lOMJiAi.exe

MD5 00556f0b4a814fab62e1d1c77b5c96c0
SHA1 cea21cd51189bd78670036a4f90261c2c7ef0182
SHA256 4dab1e7aae3329f10b3bbd207c982340c5fa2746bbae0d74f6cc66111a091ffc
SHA512 988ed162d0ad19430d427e204889390508fe0e207e53e0e12a1eba112a11822c553134b3795f63a49c0b7644aad5c7810a619ac4ce70beb181ac58111bac3c9a

C:\Windows\system\StVXWiR.exe

MD5 d1f27b3bcd6251c710dc03762f862411
SHA1 bbe8162348d24605327e655b459c44766e621b46
SHA256 3eda8fd26972e07b85bbbf431302f761bbe85900cbc82af8de68e420aaa195c8
SHA512 a3684e9cf08dd4e8952b46a01517e095e304ca342241558a32d178a292985da3a47e5d1e727ec27bb1f6d2b032e107d93cc645bc4b7909e8e2285856e3767cf3

C:\Windows\system\ofAcnjB.exe

MD5 dc4e3a5891c22102e77e34a6634bbbdf
SHA1 1b23e7562afa8a9df5d7cd66e35eeb8958a57ab6
SHA256 2df69c677094b337e20f8f139fe8cc0278c8c8a44e73b9717415d7a36c07bca9
SHA512 31602e6d47bc09f18cdb7d47520e0846ac3b62292005bac1779cc3dc362a1109bc6671548729aa38e1fca4f35a64fbfb08a3b8ef8c3bb80c62bd381011711299

C:\Windows\system\HlZfMDX.exe

MD5 0ca683652a03c58de413989b35d3d0f6
SHA1 0f26871079d1456933e232cab1f9eed253df5bcd
SHA256 5daf33677997ddf86e03b36c8c94db24900eb290e4c620f5c2a83f207b9ae27c
SHA512 35b7b49587d693ec7eb638802ad8722a8a480712affa812d67810cbbbdb362832afac7290bfcd49a9410d5279dfef6aae298359841ff7a5431bec39a6dbcb614

C:\Windows\system\fQnWLGR.exe

MD5 c94a8c20889d418f4a771513fafb5003
SHA1 779cebe7579c1d9f865b87c6c15101a64f315ff4
SHA256 c59f1926f7c76178b0070ec2c231cebc1680bb8fae46bfb68981ec9137d4ca7c
SHA512 e4daaeca699218d60a9ab85ab03ac213ccd69b1b2511994acded070ac175eb133192961dfcdcd1902a5e581d809305890d82bbbe5951e3d9ce3620d49f9b1f72

memory/2756-58-0x000000013F400000-0x000000013F751000-memory.dmp

memory/2692-61-0x000000013F120000-0x000000013F471000-memory.dmp

memory/2248-64-0x0000000002430000-0x0000000002781000-memory.dmp

memory/2248-68-0x000000013FE40000-0x0000000140191000-memory.dmp

memory/2248-70-0x000000013F030000-0x000000013F381000-memory.dmp

memory/2752-69-0x000000013FE40000-0x0000000140191000-memory.dmp

memory/2532-76-0x000000013F8D0000-0x000000013FC21000-memory.dmp

memory/2800-82-0x000000013FAE0000-0x000000013FE31000-memory.dmp

memory/2812-90-0x000000013FFA0000-0x00000001402F1000-memory.dmp

memory/1504-97-0x000000013FA60000-0x000000013FDB1000-memory.dmp

C:\Windows\system\NTyJYav.exe

MD5 08590ec876dfac6ecbbcff517f922945
SHA1 81d483cb2b07208dc9d35ce69ab9adf6d2749b8d
SHA256 9e97511f704c1b5ae4c73775d9bb466535eb21aa6a51c1c140422c8740a8fdf9
SHA512 b46c875049493f112571352d58b07c5047ca31f446e93b673e55701a4cc2db2bb7ba4177c9b4bf463afa23630f969951a2b48ed62ecc73e6ff4d0f3b2765de56

C:\Windows\system\qxrqEKh.exe

MD5 1f899e27faa8239d048f7f4e20794793
SHA1 3eb7f5922fb194afdc59a0d421c840e413b219e7
SHA256 618e5a24b80be2b9a6cc5a27f3ed89220ac141337a6aef9731bca3d749fd74f4
SHA512 ae5eccf8f9646698f75bbd94e5471e9e131e71eb1c31108e2147bc67d22d8c9ad1c7f64fb59cf24d9703c675ffd1c26a363053f6d2427620ca1e696fbb893498

C:\Windows\system\HiItscM.exe

MD5 ffe3bbba6db3b924956b00e8141a3b4f
SHA1 4987c68dbe016d989603885f957b68c3245af107
SHA256 be6886bba4bba6a6dc17be56bcb69878a06699cdd38c0497b27fd3283413ab89
SHA512 337e983e9d0b16f450a3f425b4fa5441deac32f4e2340f5d3d6e7fd16abdc820151758c441190b2cb039d4e99277769e3f9a87b3f0f9bb3fd77e83fa64d4e7c2

C:\Windows\system\qgRksHa.exe

MD5 f44c8af3ea82c0739d682446145bfd66
SHA1 3d6dfe40891e28de9785d70bfd22f7a97eab1f44
SHA256 a0e3b86d1196633c87950460b78922bfc761f6e6f08a34aa5d3dc721668edd98
SHA512 9abf088695f6986cc749fd337c9295f6d9d3c733bd68cdbb600b1aefc6720e28b8974265d14049d430fe154282ee404fdbe48426bb7640822aa1416a77e949c8

C:\Windows\system\yDQsgsG.exe

MD5 11260c2c93bea6b7a263a507a30024c4
SHA1 5dfc5db3eb090969da774e8cc53813035cc7884b
SHA256 b63392a202db2a80591892b843248427beae257b6a59807d659dc88db82e653e
SHA512 f9efb2cc6e87a50a5ca98e84ea145df061dd25a985d5006ce8639f8c5e45005f9e61cc7554c7d0d6b2388321a31f16d8da46bb95af9cd7c5e42d161abb40f0ae

memory/2248-102-0x000000013F530000-0x000000013F881000-memory.dmp

C:\Windows\system\rPJrhzl.exe

MD5 d5fb97234af10797b011ae514f6912e2
SHA1 df47ef95262792b92144b5cec2e9abb7e9f3c7e3
SHA256 998f1a99f48d5ea6d47dfcfa3ab5e360b160c4fe90bcb847a9b23cfb4c27a5cd
SHA512 d3ca191f3000bdd1f2372474627f0dd9121382ed32d31f780e6648dc4904e91827a314fc50e225c01caab3f4c3bfb0d9c7ddf1382ae6b674e9e90ca71f342ec3

C:\Windows\system\MkBVDDo.exe

MD5 51192d328bc0af800b9fc93bdd1d2002
SHA1 afacfcbff9778c3dc65406310c65b587ae8a79c9
SHA256 176132a4fec136ec3fa5f37567380f1e843268fa77759af73047590a3ebf8eed
SHA512 da7096b3ee354d08dec5b4eb777b3b8c09d3c38e635f5edfa96a5896f4a31f9113cfbb7f0f5f552f773b394f0be0f11e6a96330519d71eb40b76fd2353375001

memory/2028-89-0x000000013F560000-0x000000013F8B1000-memory.dmp

memory/2248-88-0x000000013F9D0000-0x000000013FD21000-memory.dmp

C:\Windows\system\ZAToOOB.exe

MD5 046a45ce5da95ac7ca7d06a2d3e2e948
SHA1 ddc8bf2f9dc82d1c7304fe759f53fb550fad5942
SHA256 32cd3c092583b25b76acf63cc28c3e8fd026c7aeec7d99375e94e8b0cf5c6f98
SHA512 78ab81cc03743f540ee88d8540a2c64074d2ad7c1cbc78d0c01cbc8d3997f80c1d427aaae75451432118065bc126a33d26fec7cdacfc92e641f4a223427746ff

C:\Windows\system\JlDETXk.exe

MD5 d1c85805b83d96223e1875518e15ff31
SHA1 11eebd73971b222d3b2027ea8a059239cd7d7630
SHA256 c39f404d28b33bd19750ba0b485c629c0bc2547c9a3df200c6b043c951fec8f6
SHA512 57574772316659ff41855d75f5fa013b0e39bbdb69ac565b43a62a3b1c19d5e1aa63de6d34b2e74110595d3f2dc65b70ec23d72aca65265fc0500e433d41a88a

C:\Windows\system\TWufyTw.exe

MD5 7b1ddc88ff5af845aefa16f552e67105
SHA1 af0627398fefadf13c6a78d75994e63458e1bb99
SHA256 28aab2e3d1fedbc153bd1c97ec5c806456af14d3cb95e060627c7a80406af37a
SHA512 6f8fc938ae1ae4d71cf4ab2f587888c60cb4f426f086125313580921e0d64d6133c51495f6f9ac1e7c3d1cbee1cdb1de15b084d87a68a68b3ba7c09769bf65bc

C:\Windows\system\NXKGpHg.exe

MD5 373453e966ac0f86bce1ac3f4df0f228
SHA1 30bdb698d210c03b935677a14bac855d8536d384
SHA256 0440f96974205c58b22e780c34c027175f056037c86b452877ae78ddcc339a26
SHA512 6d93ef0bd7255aa267fb0b52b04a89040ad23f2936b1c5e03829c2ccf68d2549e7202cda6fc3fc34ee8353ad96bcfb0db126f3ab6cb9a20327b50b9753c35a97

C:\Windows\system\ZhQLdeZ.exe

MD5 b9b8bcaf29d2432f2988817048f707a9
SHA1 a71c499b6186d44c9ae2416737bd22695450966e
SHA256 ebbc9c6c59c1734e049bd21da227d2476ea49a350131ccfe610d37833016f04f
SHA512 3b88a1f7d1c5d13c77647826836af1dfecd38a5945457e4006403c6de023cfc91770d5bac5a1e76f62b81e5242e875adda8c914af0665ea9caf0f46dc77b42ee

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-27 02:04

Reported

2024-05-27 02:07

Platform

win10v2004-20240426-en

Max time kernel

140s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-05-27_778418f0e5bedc2f927370e2938780bc_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\yAwzEHf.exe C:\Users\Admin\AppData\Local\Temp\2024-05-27_778418f0e5bedc2f927370e2938780bc_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\wAWSnHB.exe C:\Users\Admin\AppData\Local\Temp\2024-05-27_778418f0e5bedc2f927370e2938780bc_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\dyJMObA.exe C:\Users\Admin\AppData\Local\Temp\2024-05-27_778418f0e5bedc2f927370e2938780bc_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\OeMziPJ.exe C:\Users\Admin\AppData\Local\Temp\2024-05-27_778418f0e5bedc2f927370e2938780bc_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\AHAYYxS.exe C:\Users\Admin\AppData\Local\Temp\2024-05-27_778418f0e5bedc2f927370e2938780bc_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\iNmtTwh.exe C:\Users\Admin\AppData\Local\Temp\2024-05-27_778418f0e5bedc2f927370e2938780bc_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\hJTtmEr.exe C:\Users\Admin\AppData\Local\Temp\2024-05-27_778418f0e5bedc2f927370e2938780bc_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\RCHAbyy.exe C:\Users\Admin\AppData\Local\Temp\2024-05-27_778418f0e5bedc2f927370e2938780bc_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\HVRNoPG.exe C:\Users\Admin\AppData\Local\Temp\2024-05-27_778418f0e5bedc2f927370e2938780bc_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\aqaDLtm.exe C:\Users\Admin\AppData\Local\Temp\2024-05-27_778418f0e5bedc2f927370e2938780bc_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\QzOcmYO.exe C:\Users\Admin\AppData\Local\Temp\2024-05-27_778418f0e5bedc2f927370e2938780bc_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\eNWXLQO.exe C:\Users\Admin\AppData\Local\Temp\2024-05-27_778418f0e5bedc2f927370e2938780bc_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\JUHGFnk.exe C:\Users\Admin\AppData\Local\Temp\2024-05-27_778418f0e5bedc2f927370e2938780bc_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\oiytObP.exe C:\Users\Admin\AppData\Local\Temp\2024-05-27_778418f0e5bedc2f927370e2938780bc_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\GmrckWp.exe C:\Users\Admin\AppData\Local\Temp\2024-05-27_778418f0e5bedc2f927370e2938780bc_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\svFehRb.exe C:\Users\Admin\AppData\Local\Temp\2024-05-27_778418f0e5bedc2f927370e2938780bc_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\MCDvtHW.exe C:\Users\Admin\AppData\Local\Temp\2024-05-27_778418f0e5bedc2f927370e2938780bc_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\DgHIFrs.exe C:\Users\Admin\AppData\Local\Temp\2024-05-27_778418f0e5bedc2f927370e2938780bc_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\sIIYexW.exe C:\Users\Admin\AppData\Local\Temp\2024-05-27_778418f0e5bedc2f927370e2938780bc_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\NqxVpyn.exe C:\Users\Admin\AppData\Local\Temp\2024-05-27_778418f0e5bedc2f927370e2938780bc_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\kZXYffT.exe C:\Users\Admin\AppData\Local\Temp\2024-05-27_778418f0e5bedc2f927370e2938780bc_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_778418f0e5bedc2f927370e2938780bc_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2956 wrote to memory of 1320 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_778418f0e5bedc2f927370e2938780bc_cobalt-strike_cobaltstrike.exe C:\Windows\System\dyJMObA.exe
PID 2956 wrote to memory of 3828 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_778418f0e5bedc2f927370e2938780bc_cobalt-strike_cobaltstrike.exe C:\Windows\System\RCHAbyy.exe
PID 2956 wrote to memory of 4552 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_778418f0e5bedc2f927370e2938780bc_cobalt-strike_cobaltstrike.exe C:\Windows\System\MCDvtHW.exe
PID 2956 wrote to memory of 332 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_778418f0e5bedc2f927370e2938780bc_cobalt-strike_cobaltstrike.exe C:\Windows\System\QzOcmYO.exe
PID 2956 wrote to memory of 4132 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_778418f0e5bedc2f927370e2938780bc_cobalt-strike_cobaltstrike.exe C:\Windows\System\OeMziPJ.exe
PID 2956 wrote to memory of 828 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_778418f0e5bedc2f927370e2938780bc_cobalt-strike_cobaltstrike.exe C:\Windows\System\AHAYYxS.exe
PID 2956 wrote to memory of 4548 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_778418f0e5bedc2f927370e2938780bc_cobalt-strike_cobaltstrike.exe C:\Windows\System\DgHIFrs.exe
PID 2956 wrote to memory of 2372 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_778418f0e5bedc2f927370e2938780bc_cobalt-strike_cobaltstrike.exe C:\Windows\System\sIIYexW.exe
PID 2956 wrote to memory of 3648 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_778418f0e5bedc2f927370e2938780bc_cobalt-strike_cobaltstrike.exe C:\Windows\System\eNWXLQO.exe
PID 2956 wrote to memory of 1488 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_778418f0e5bedc2f927370e2938780bc_cobalt-strike_cobaltstrike.exe C:\Windows\System\HVRNoPG.exe
PID 2956 wrote to memory of 512 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_778418f0e5bedc2f927370e2938780bc_cobalt-strike_cobaltstrike.exe C:\Windows\System\iNmtTwh.exe
PID 2956 wrote to memory of 4544 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_778418f0e5bedc2f927370e2938780bc_cobalt-strike_cobaltstrike.exe C:\Windows\System\NqxVpyn.exe
PID 2956 wrote to memory of 1304 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_778418f0e5bedc2f927370e2938780bc_cobalt-strike_cobaltstrike.exe C:\Windows\System\kZXYffT.exe
PID 2956 wrote to memory of 5624 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_778418f0e5bedc2f927370e2938780bc_cobalt-strike_cobaltstrike.exe C:\Windows\System\hJTtmEr.exe
PID 2956 wrote to memory of 5376 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_778418f0e5bedc2f927370e2938780bc_cobalt-strike_cobaltstrike.exe C:\Windows\System\JUHGFnk.exe
PID 2956 wrote to memory of 4536 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_778418f0e5bedc2f927370e2938780bc_cobalt-strike_cobaltstrike.exe C:\Windows\System\aqaDLtm.exe
PID 2956 wrote to memory of 2644 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_778418f0e5bedc2f927370e2938780bc_cobalt-strike_cobaltstrike.exe C:\Windows\System\oiytObP.exe
PID 2956 wrote to memory of 2440 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_778418f0e5bedc2f927370e2938780bc_cobalt-strike_cobaltstrike.exe C:\Windows\System\yAwzEHf.exe
PID 2956 wrote to memory of 3392 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_778418f0e5bedc2f927370e2938780bc_cobalt-strike_cobaltstrike.exe C:\Windows\System\GmrckWp.exe
PID 2956 wrote to memory of 5532 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_778418f0e5bedc2f927370e2938780bc_cobalt-strike_cobaltstrike.exe C:\Windows\System\svFehRb.exe
PID 2956 wrote to memory of 1852 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_778418f0e5bedc2f927370e2938780bc_cobalt-strike_cobaltstrike.exe C:\Windows\System\wAWSnHB.exe

Processes

Process Command line
C:\Users\Admin\AppData\Local\Temp\2024-05-27_778418f0e5bedc2f927370e2938780bc_cobalt-strike_cobaltstrike.exe "C:\Users\Admin\AppData\Local\Temp\2024-05-27_778418f0e5bedc2f927370e2938780bc_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\dyJMObA.exe C:\Windows\System\dyJMObA.exe
C:\Windows\System\RCHAbyy.exe C:\Windows\System\RCHAbyy.exe
C:\Windows\System\MCDvtHW.exe C:\Windows\System\MCDvtHW.exe
C:\Windows\System\QzOcmYO.exe C:\Windows\System\QzOcmYO.exe
C:\Windows\System\OeMziPJ.exe C:\Windows\System\OeMziPJ.exe
C:\Windows\System\AHAYYxS.exe C:\Windows\System\AHAYYxS.exe
C:\Windows\System\DgHIFrs.exe C:\Windows\System\DgHIFrs.exe
C:\Windows\System\sIIYexW.exe C:\Windows\System\sIIYexW.exe
C:\Windows\System\eNWXLQO.exe C:\Windows\System\eNWXLQO.exe
C:\Windows\System\HVRNoPG.exe C:\Windows\System\HVRNoPG.exe
C:\Windows\System\iNmtTwh.exe C:\Windows\System\iNmtTwh.exe
C:\Windows\System\NqxVpyn.exe C:\Windows\System\NqxVpyn.exe
C:\Windows\System\kZXYffT.exe C:\Windows\System\kZXYffT.exe
C:\Windows\System\hJTtmEr.exe C:\Windows\System\hJTtmEr.exe
C:\Windows\System\JUHGFnk.exe C:\Windows\System\JUHGFnk.exe
C:\Windows\System\aqaDLtm.exe C:\Windows\System\aqaDLtm.exe
C:\Windows\System\oiytObP.exe C:\Windows\System\oiytObP.exe
C:\Windows\System\yAwzEHf.exe C:\Windows\System\yAwzEHf.exe
C:\Windows\System\GmrckWp.exe C:\Windows\System\GmrckWp.exe
C:\Windows\System\svFehRb.exe C:\Windows\System\svFehRb.exe
C:\Windows\System\wAWSnHB.exe C:\Windows\System\wAWSnHB.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 91.90.14.23.in-addr.arpa udp
DE 3.120.209.58:8080 N/A tcp
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
DE 3.120.209.58:8080 N/A tcp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
DE 3.120.209.58:8080 N/A tcp
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp
DE 3.120.209.58:8080 N/A tcp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
DE 3.120.209.58:8080 N/A tcp
DE 3.120.209.58:8080 N/A tcp

Files

C:\Windows\System\dyJMObA.exe

MD5 e4a789661e4138f8e065ddc974131dfa
SHA1 ad7b86c58f6a0dd06eecd3da137ca9a20a1c1d04
SHA256 5b182f0429fe717c7a8658477c20bdbaaec64bc01ed7875424ec81e6d15543ae
SHA512 fb2ccd56c059c811212b171991c00dfd73a463afd73e08a51cc5ffd69706aa824e0f890ca06d8ad0c35d8e0dbcb7b181f18a84b20f9f2e3be05deda46f44183e

C:\Windows\System\MCDvtHW.exe

MD5 d06205210451633e592ead9d8d821605
SHA1 af81e8171cd167caa54db484a2fd327d0eb23d15
SHA256 eafe0d0dbb947987e7d9754e7a9c1a2f4e9638655b447a3a098b5759ae761514
SHA512 5eb37f14fa46c1fe3d71ed12b5428e6c865c163cfe598bad5f3bfbeb17feb2934f013bb51278b7dfdc11d7cd47825ce573f62a501e568c8b989f6148d6cfa445

C:\Windows\System\QzOcmYO.exe

MD5 c9b03ad39356ec2e1e0067076aea901c
SHA1 90ef32dba862a8b861416c25918ba69c2aaaa9d8
SHA256 2d7be55828d6291f525470f6c5d6a97a67d47a7b3379432f94c95747b87441e8
SHA512 e060ada63829fd4fbd511fdc04816c8cb65e3304cd17a75218303ae86ccc25c59caea113d650a75645f9296dce7be5d640f967c12fd9875a426e94505a4914d2

C:\Windows\System\RCHAbyy.exe

MD5 9b7826ec6b3591b30c9afc1ebc3f380f
SHA1 66e594b81d8aa5511b91f850831b75da6219d985
SHA256 d1a57b00e7260797042bb9393fd019fa9e8993affd2becf975ea450e28c431ab
SHA512 67a1205e62a0d2f787c021d050856f3bb75e28ecd137dc0b179dfbc74c7d2a46a6a3853ac7c2aac74e21744096a2a993e81d723c80a622114890c2b556a7653f

C:\Windows\System\OeMziPJ.exe

MD5 f004959ab9373cf65ca84fa7e0813eb3
SHA1 823e65f9d5954158e56427cda03567efed581750
SHA256 3c39d6b5a957dfc9a379e71ba01f7e3e19b1a7fdb8628c248a1dd903a709d584
SHA512 ebfdd1c70e1310f132231536ba70bd2c1fa19fd6d0c2aace545eb945361bbe7390af96f0902519d5d0cc5294bc83e5ca3ab7c656e68551f50fb72c24e23ba366

C:\Windows\System\eNWXLQO.exe

MD5 d55722a0ca4e3dcdcf61a91cfdff9f71
SHA1 4ea9d569beb7ebcf174abde95dc420c5503ddb47
SHA256 e11dd423420ae5f6b3bb78fe7bcdec9f5fa1702b3aff252e51135e8dc2af2370
SHA512 d26fb8722801d4084bb837015f98f2a410674dbf30955e48b2f4e4a985662386fa6e92470188921221fb711801061379dc410cffbd37ffdc9b673cb2e71f824d

C:\Windows\System\DgHIFrs.exe

MD5 3d0cca9938bcdf7e813fa31901dec1d0
SHA1 f9cb5a48869fd7a60c9a14bd369e35282242d5de
SHA256 a03bc8d5fd29e8212483912648333c3c17adb8de705ddb295b7a611d4b93fb05
SHA512 88c182c593a1f0b9ee8088e23b130ea5f95dc056ff31aecec42fe6530407f5c6ce453d0f6a64ca406e146eed24d16e0d7569894a9df6248f874aadf73f6b7d06

C:\Windows\System\NqxVpyn.exe

MD5 2f3f032848f8d1be097551e17d5847d2
SHA1 a32b260d00f160f0c9c7a7ae85d2682ca9ac237b
SHA256 1d8de5a27773a718e8b7c1d6e031b067dbd8c3f929b24ebd07a7e280ce155f42
SHA512 9888c8d12317bac1197bbf7c839ea0aca55cd012c6d250f655d7f6dab4a470f8c715967c51d62f0e13793886eb7becc09ca9a1670adb822c9d7544333d187f0e

C:\Windows\System\iNmtTwh.exe

MD5 39eabb711fd383d89f0adc1e3146ab96
SHA1 14f2e78d711f0d3f5156ad39ebcf4fd75a1efd49
SHA256 23fc5e858c8e8e4f45eb896f14bd9568cc004b1e93608390d05e966b7054fe22
SHA512 3c8a27b3c9e2d0d26ef3a4e566aa02927b1c9005c83292745c4550ca9ce878867f76b6eae168ecda197118b37385a0ecdeb523b539c21460dc0b29775104a9c2

C:\Windows\System\kZXYffT.exe

MD5 2355db2e5a881eb745794d4312c4432d
SHA1 7c876ca4e85556c9e4d68348c62f0f454c496730
SHA256 3575341f26ef7a996dd47cac25bc3ff211da701c22f752954c342b4abdb9b029
SHA512 fe485d37592298a037a77c4bfb139369ad422d8b2d5df8ee15dbfc55bdce931965c92b266a0109b8c17a387a1fdd9597ae9ff57292100793af6dbe8550c4aa72

C:\Windows\System\aqaDLtm.exe

MD5 06c91056edf2be5c5cc59e03ec276632
SHA1 b9f142023fb4369f9c4f5b0664e80a7a729be96d
SHA256 351c64c6d9f7f95239fb17b91735109c5400f96c188e0583b3769a02a0e10da4
SHA512 5272e3bd7261f5a015aafb3427e47130ffc20a1e23d88eb9a2c40b5809cf7c121cae27e34befd5c4e9bf98bbbae5a585a2c38f61a5b4c714cff33465775c7c2b

C:\Windows\System\wAWSnHB.exe

MD5 7f952d444a487085c3bc6c14178a084c
SHA1 cf6991f9bb64566c3083c8ddd4e2911368c078e8
SHA256 0735a7b204a6eaac7ed78cc6d1388f4a89df61ffda2bf45e500ac3e0f0600e85
SHA512 277d0e30cdf7574c429bf3e239b51d711dfe8cbd475280b1634c3e4f64a2f7af64cb9deb4fc6cc20808a3906bb4b72e80ae47425c463d7ae612e600064d2887e

C:\Windows\System\yAwzEHf.exe

MD5 19a5d162929a691e2aab3a73e619e255
SHA1 71c7851a949341d6f95ff967bcd7929ccd3beabc
SHA256 835c305b5182fccc70d8cd57e151e52449738b7be5ad8b6d8e996f588fc5a548
SHA512 39553ef9cab35defda900a9ac283f68d6dfe5e296bc991e09395e4d623c8032a8ab92000fec9b44477921f2d20ea0c201c59a7a019d7799cff8309fca804aa44

C:\Windows\System\oiytObP.exe

MD5 822678c96b99c2187a8b4b5a3d99ea9e
SHA1 22fe5139da940042e97441cfa74ec69036374778
SHA256 e593fdb0c7072beead1d0d344eb22695d3d057e0d4eeb9d9c09ff0cc6d82bfa1
SHA512 60d31ae7049a97fefadf9a46f7d28179a18a713fbd1f0cdf88a4cbd56142e97f953d9e0143fb5d8338b0773ac8ed05ec3f949df53dbae6f1e0ebd98651460709

C:\Windows\System\GmrckWp.exe

MD5 2bb0256fc47cd8ec45b951c4b6ed0b13
SHA1 db34d289724914f353106c3f30058c66d0b3585f
SHA256 517b81248b6f38d479177343c73cd284d8e1d475a3b9399fff0302a341834bbc
SHA512 baed824f9e093375c3751b670e2e7ab728d7e898bd0fbd13342db6563e81f910494572216d2e29be9dc47a4b4a5494b468a4fb6f162724ae68f49bf7c9e8040b

C:\Windows\System\svFehRb.exe

MD5 8b055fb3624491d1a2976c5b7c85025f
SHA1 e06df9dd7feaa2c20e1d1390b5b609424e5e8c5d
SHA256 91c0114c9ed757a18cfbd28323ab79f260d96dbfeec5d17f9f941eb2f92b3dc4
SHA512 44b205d6d0a0ae458ab0518b02981e5f7d9f963dfa210d61796ffee89fdc71f897cfc8f8faadc088a76d936b7f7acec7b487e8c0ab4d2681fd62e879e7a60a70

C:\Windows\System\JUHGFnk.exe

MD5 0420ac024e496c1019f877a536c569d8
SHA1 ac733e4629db6adb4b25ed8ad37f95bcfd710e00
SHA256 5335a3b7f523641ad81564e2e236650830f07f48de776f19bba440014f546044
SHA512 6d9554271bbef73fb0169fb0984c322f9aac0794944f1bc7acd8fd5e7901741b2fd994b5297a2c232f2649d33321404728a11e11a1327843f8f2adf1020a4db0

C:\Windows\System\hJTtmEr.exe

MD5 bbf175f89483ded976b4f598627992bb
SHA1 90ef5523ed1f7e9854f0f361ac45dd0a17eca8d3
SHA256 cb6febe26443f2d6f57612f2ca7814f6effbe59a40ad23ca292ccfb851210b36
SHA512 84ebd90e32db38173618a5550877d26b2806a2ba0894de0b35f2dd7424f65df3b530c9fa99c67694f358efa19afc187ce0ea822c5e37d507ff629e7c6f711283

C:\Windows\System\HVRNoPG.exe

MD5 c8c6729cea9d8724e5d227b0342e959d
SHA1 65933bd5ff309963314a58162990dd47a6e4f30c
SHA256 2385a083f5ec301a93f195dfaa538c27837a0c5330d8c6d2539dad7f059819e2
SHA512 2c59420b16b5e86af90389f468a33ed0f40b1f66cb0d57182a39459e02ac518a06f4aed7da191d89cf11fc03f59f1ad5788d5a2e796164b2023e9aa09764155d

C:\Windows\System\AHAYYxS.exe

MD5 91b5ec652db17d1212dbf9a75fb166e0
SHA1 b6ac80b1b00f6ed45540b076b72122b9653dbc27
SHA256 427ed22bf282a077c77690961ed25f6ac1d9a74fbe85c18d6a45f2cd0f56aa3a
SHA512 7b27c1d0c01360551da79d0d9ca8b1e7e6b5b277a585a3fe8b35b74fad5e9f5c141567132f10fb3edd4d8161c78b48b4c3b874c954d9b18549206659c248098a

C:\Windows\System\sIIYexW.exe

MD5 5be8dcbbd84628ca74104970ec4640f1
SHA1 f2231773c1d3a978d1bec40b0687c6d6f49aa287
SHA256 6b97ebabfa2592d0822a9e295ef5524bbc35408ebc4c8296d4845301c7711da2
SHA512 31f5c147d257fc489398c19d90f036a3ce3ba96b91c67dafe75624451a1c0158ba80680a45375848737d9f1f9cec9e2fb5a45baf20df991e57823cee2196151b
