Malware Analysis Report

2025-04-19 18:42

Sample ID 240527-cjhdcsce2y
Target 2024-05-27_dbdb46463a64e885d36daf22f44f3e93_cobalt-strike_cobaltstrike
SHA256 6ab2aaad508b8ccf96101fdbcee0f6fb02b6d33b292a2da73c5834b943bcd690
Tags
upx 0 miner cobaltstrike xmrig backdoor trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

6ab2aaad508b8ccf96101fdbcee0f6fb02b6d33b292a2da73c5834b943bcd690

Threat Level: Known bad

The file 2024-05-27_dbdb46463a64e885d36daf22f44f3e93_cobalt-strike_cobaltstrike was found to be: Known bad.

Malicious Activity Summary

upx 0 miner cobaltstrike xmrig backdoor trojan

UPX dump on OEP (original entry point)

Cobaltstrike

Xmrig family

XMRig Miner payload

Cobalt Strike reflective loader

Cobaltstrike family

Detects Reflective DLL injection artifacts

xmrig

UPX packed file

Loads dropped DLL

Executes dropped EXE

Drops file in Windows directory

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-05-27 02:06

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike family

cobaltstrike

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Xmrig family

xmrig

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-27 02:06

Reported

2024-05-27 02:08

Platform

win7-20231129-en

Max time kernel

140s

Max time network

145s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-05-27_dbdb46463a64e885d36daf22f44f3e93_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_dbdb46463a64e885d36daf22f44f3e93_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_dbdb46463a64e885d36daf22f44f3e93_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_dbdb46463a64e885d36daf22f44f3e93_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_dbdb46463a64e885d36daf22f44f3e93_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_dbdb46463a64e885d36daf22f44f3e93_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_dbdb46463a64e885d36daf22f44f3e93_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_dbdb46463a64e885d36daf22f44f3e93_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_dbdb46463a64e885d36daf22f44f3e93_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_dbdb46463a64e885d36daf22f44f3e93_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_dbdb46463a64e885d36daf22f44f3e93_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_dbdb46463a64e885d36daf22f44f3e93_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_dbdb46463a64e885d36daf22f44f3e93_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_dbdb46463a64e885d36daf22f44f3e93_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_dbdb46463a64e885d36daf22f44f3e93_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_dbdb46463a64e885d36daf22f44f3e93_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_dbdb46463a64e885d36daf22f44f3e93_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_dbdb46463a64e885d36daf22f44f3e93_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_dbdb46463a64e885d36daf22f44f3e93_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_dbdb46463a64e885d36daf22f44f3e93_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_dbdb46463a64e885d36daf22f44f3e93_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_dbdb46463a64e885d36daf22f44f3e93_cobalt-strike_cobaltstrike.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\RbFxRxX.exe C:\Users\Admin\AppData\Local\Temp\2024-05-27_dbdb46463a64e885d36daf22f44f3e93_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\QYfXUJe.exe C:\Users\Admin\AppData\Local\Temp\2024-05-27_dbdb46463a64e885d36daf22f44f3e93_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\xzmHyov.exe C:\Users\Admin\AppData\Local\Temp\2024-05-27_dbdb46463a64e885d36daf22f44f3e93_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\dTYspjL.exe C:\Users\Admin\AppData\Local\Temp\2024-05-27_dbdb46463a64e885d36daf22f44f3e93_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\cWtLIrt.exe C:\Users\Admin\AppData\Local\Temp\2024-05-27_dbdb46463a64e885d36daf22f44f3e93_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\CHaaJef.exe C:\Users\Admin\AppData\Local\Temp\2024-05-27_dbdb46463a64e885d36daf22f44f3e93_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\DTZtXZn.exe C:\Users\Admin\AppData\Local\Temp\2024-05-27_dbdb46463a64e885d36daf22f44f3e93_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\oXNCMAE.exe C:\Users\Admin\AppData\Local\Temp\2024-05-27_dbdb46463a64e885d36daf22f44f3e93_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\kXLUDPP.exe C:\Users\Admin\AppData\Local\Temp\2024-05-27_dbdb46463a64e885d36daf22f44f3e93_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\snynvDT.exe C:\Users\Admin\AppData\Local\Temp\2024-05-27_dbdb46463a64e885d36daf22f44f3e93_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\YhOmhLZ.exe C:\Users\Admin\AppData\Local\Temp\2024-05-27_dbdb46463a64e885d36daf22f44f3e93_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\EBHVfpl.exe C:\Users\Admin\AppData\Local\Temp\2024-05-27_dbdb46463a64e885d36daf22f44f3e93_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\hLnkUPV.exe C:\Users\Admin\AppData\Local\Temp\2024-05-27_dbdb46463a64e885d36daf22f44f3e93_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ZhUjAPC.exe C:\Users\Admin\AppData\Local\Temp\2024-05-27_dbdb46463a64e885d36daf22f44f3e93_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ITHhkAa.exe C:\Users\Admin\AppData\Local\Temp\2024-05-27_dbdb46463a64e885d36daf22f44f3e93_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\snyDlGe.exe C:\Users\Admin\AppData\Local\Temp\2024-05-27_dbdb46463a64e885d36daf22f44f3e93_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\uAodUGY.exe C:\Users\Admin\AppData\Local\Temp\2024-05-27_dbdb46463a64e885d36daf22f44f3e93_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\kyKjHpl.exe C:\Users\Admin\AppData\Local\Temp\2024-05-27_dbdb46463a64e885d36daf22f44f3e93_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\oCRuHgg.exe C:\Users\Admin\AppData\Local\Temp\2024-05-27_dbdb46463a64e885d36daf22f44f3e93_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\LbVGGFk.exe C:\Users\Admin\AppData\Local\Temp\2024-05-27_dbdb46463a64e885d36daf22f44f3e93_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\CwNwtFB.exe C:\Users\Admin\AppData\Local\Temp\2024-05-27_dbdb46463a64e885d36daf22f44f3e93_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_dbdb46463a64e885d36daf22f44f3e93_cobalt-strike_cobaltstrike.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_dbdb46463a64e885d36daf22f44f3e93_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2392 wrote to memory of 2984 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_dbdb46463a64e885d36daf22f44f3e93_cobalt-strike_cobaltstrike.exe C:\Windows\System\LbVGGFk.exe
PID 2392 wrote to memory of 2984 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_dbdb46463a64e885d36daf22f44f3e93_cobalt-strike_cobaltstrike.exe C:\Windows\System\LbVGGFk.exe
PID 2392 wrote to memory of 2984 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_dbdb46463a64e885d36daf22f44f3e93_cobalt-strike_cobaltstrike.exe C:\Windows\System\LbVGGFk.exe
PID 2392 wrote to memory of 3012 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_dbdb46463a64e885d36daf22f44f3e93_cobalt-strike_cobaltstrike.exe C:\Windows\System\EBHVfpl.exe
PID 2392 wrote to memory of 3012 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_dbdb46463a64e885d36daf22f44f3e93_cobalt-strike_cobaltstrike.exe C:\Windows\System\EBHVfpl.exe
PID 2392 wrote to memory of 3012 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_dbdb46463a64e885d36daf22f44f3e93_cobalt-strike_cobaltstrike.exe C:\Windows\System\EBHVfpl.exe
PID 2392 wrote to memory of 772 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_dbdb46463a64e885d36daf22f44f3e93_cobalt-strike_cobaltstrike.exe C:\Windows\System\DTZtXZn.exe
PID 2392 wrote to memory of 772 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_dbdb46463a64e885d36daf22f44f3e93_cobalt-strike_cobaltstrike.exe C:\Windows\System\DTZtXZn.exe
PID 2392 wrote to memory of 772 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_dbdb46463a64e885d36daf22f44f3e93_cobalt-strike_cobaltstrike.exe C:\Windows\System\DTZtXZn.exe
PID 2392 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_dbdb46463a64e885d36daf22f44f3e93_cobalt-strike_cobaltstrike.exe C:\Windows\System\CwNwtFB.exe
PID 2392 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_dbdb46463a64e885d36daf22f44f3e93_cobalt-strike_cobaltstrike.exe C:\Windows\System\CwNwtFB.exe
PID 2392 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_dbdb46463a64e885d36daf22f44f3e93_cobalt-strike_cobaltstrike.exe C:\Windows\System\CwNwtFB.exe
PID 2392 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_dbdb46463a64e885d36daf22f44f3e93_cobalt-strike_cobaltstrike.exe C:\Windows\System\QYfXUJe.exe
PID 2392 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_dbdb46463a64e885d36daf22f44f3e93_cobalt-strike_cobaltstrike.exe C:\Windows\System\QYfXUJe.exe
PID 2392 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_dbdb46463a64e885d36daf22f44f3e93_cobalt-strike_cobaltstrike.exe C:\Windows\System\QYfXUJe.exe
PID 2392 wrote to memory of 2956 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_dbdb46463a64e885d36daf22f44f3e93_cobalt-strike_cobaltstrike.exe C:\Windows\System\hLnkUPV.exe
PID 2392 wrote to memory of 2956 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_dbdb46463a64e885d36daf22f44f3e93_cobalt-strike_cobaltstrike.exe C:\Windows\System\hLnkUPV.exe
PID 2392 wrote to memory of 2956 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_dbdb46463a64e885d36daf22f44f3e93_cobalt-strike_cobaltstrike.exe C:\Windows\System\hLnkUPV.exe
PID 2392 wrote to memory of 2952 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_dbdb46463a64e885d36daf22f44f3e93_cobalt-strike_cobaltstrike.exe C:\Windows\System\xzmHyov.exe
PID 2392 wrote to memory of 2952 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_dbdb46463a64e885d36daf22f44f3e93_cobalt-strike_cobaltstrike.exe C:\Windows\System\xzmHyov.exe
PID 2392 wrote to memory of 2952 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_dbdb46463a64e885d36daf22f44f3e93_cobalt-strike_cobaltstrike.exe C:\Windows\System\xzmHyov.exe
PID 2392 wrote to memory of 2732 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_dbdb46463a64e885d36daf22f44f3e93_cobalt-strike_cobaltstrike.exe C:\Windows\System\ZhUjAPC.exe
PID 2392 wrote to memory of 2732 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_dbdb46463a64e885d36daf22f44f3e93_cobalt-strike_cobaltstrike.exe C:\Windows\System\ZhUjAPC.exe
PID 2392 wrote to memory of 2732 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_dbdb46463a64e885d36daf22f44f3e93_cobalt-strike_cobaltstrike.exe C:\Windows\System\ZhUjAPC.exe
PID 2392 wrote to memory of 2912 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_dbdb46463a64e885d36daf22f44f3e93_cobalt-strike_cobaltstrike.exe C:\Windows\System\RbFxRxX.exe
PID 2392 wrote to memory of 2912 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_dbdb46463a64e885d36daf22f44f3e93_cobalt-strike_cobaltstrike.exe C:\Windows\System\RbFxRxX.exe
PID 2392 wrote to memory of 2912 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_dbdb46463a64e885d36daf22f44f3e93_cobalt-strike_cobaltstrike.exe C:\Windows\System\RbFxRxX.exe
PID 2392 wrote to memory of 2512 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_dbdb46463a64e885d36daf22f44f3e93_cobalt-strike_cobaltstrike.exe C:\Windows\System\ITHhkAa.exe
PID 2392 wrote to memory of 2512 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_dbdb46463a64e885d36daf22f44f3e93_cobalt-strike_cobaltstrike.exe C:\Windows\System\ITHhkAa.exe
PID 2392 wrote to memory of 2512 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_dbdb46463a64e885d36daf22f44f3e93_cobalt-strike_cobaltstrike.exe C:\Windows\System\ITHhkAa.exe
PID 2392 wrote to memory of 3020 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_dbdb46463a64e885d36daf22f44f3e93_cobalt-strike_cobaltstrike.exe C:\Windows\System\snyDlGe.exe
PID 2392 wrote to memory of 3020 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_dbdb46463a64e885d36daf22f44f3e93_cobalt-strike_cobaltstrike.exe C:\Windows\System\snyDlGe.exe
PID 2392 wrote to memory of 3020 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_dbdb46463a64e885d36daf22f44f3e93_cobalt-strike_cobaltstrike.exe C:\Windows\System\snyDlGe.exe
PID 2392 wrote to memory of 1980 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_dbdb46463a64e885d36daf22f44f3e93_cobalt-strike_cobaltstrike.exe C:\Windows\System\kXLUDPP.exe
PID 2392 wrote to memory of 1980 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_dbdb46463a64e885d36daf22f44f3e93_cobalt-strike_cobaltstrike.exe C:\Windows\System\kXLUDPP.exe
PID 2392 wrote to memory of 1980 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_dbdb46463a64e885d36daf22f44f3e93_cobalt-strike_cobaltstrike.exe C:\Windows\System\kXLUDPP.exe
PID 2392 wrote to memory of 2632 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_dbdb46463a64e885d36daf22f44f3e93_cobalt-strike_cobaltstrike.exe C:\Windows\System\oXNCMAE.exe
PID 2392 wrote to memory of 2632 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_dbdb46463a64e885d36daf22f44f3e93_cobalt-strike_cobaltstrike.exe C:\Windows\System\oXNCMAE.exe
PID 2392 wrote to memory of 2632 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_dbdb46463a64e885d36daf22f44f3e93_cobalt-strike_cobaltstrike.exe C:\Windows\System\oXNCMAE.exe
PID 2392 wrote to memory of 2884 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_dbdb46463a64e885d36daf22f44f3e93_cobalt-strike_cobaltstrike.exe C:\Windows\System\dTYspjL.exe
PID 2392 wrote to memory of 2884 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_dbdb46463a64e885d36daf22f44f3e93_cobalt-strike_cobaltstrike.exe C:\Windows\System\dTYspjL.exe
PID 2392 wrote to memory of 2884 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_dbdb46463a64e885d36daf22f44f3e93_cobalt-strike_cobaltstrike.exe C:\Windows\System\dTYspjL.exe
PID 2392 wrote to memory of 2524 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_dbdb46463a64e885d36daf22f44f3e93_cobalt-strike_cobaltstrike.exe C:\Windows\System\uAodUGY.exe
PID 2392 wrote to memory of 2524 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_dbdb46463a64e885d36daf22f44f3e93_cobalt-strike_cobaltstrike.exe C:\Windows\System\uAodUGY.exe
PID 2392 wrote to memory of 2524 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_dbdb46463a64e885d36daf22f44f3e93_cobalt-strike_cobaltstrike.exe C:\Windows\System\uAodUGY.exe
PID 2392 wrote to memory of 2856 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_dbdb46463a64e885d36daf22f44f3e93_cobalt-strike_cobaltstrike.exe C:\Windows\System\kyKjHpl.exe
PID 2392 wrote to memory of 2856 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_dbdb46463a64e885d36daf22f44f3e93_cobalt-strike_cobaltstrike.exe C:\Windows\System\kyKjHpl.exe
PID 2392 wrote to memory of 2856 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_dbdb46463a64e885d36daf22f44f3e93_cobalt-strike_cobaltstrike.exe C:\Windows\System\kyKjHpl.exe
PID 2392 wrote to memory of 1456 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_dbdb46463a64e885d36daf22f44f3e93_cobalt-strike_cobaltstrike.exe C:\Windows\System\cWtLIrt.exe
PID 2392 wrote to memory of 1456 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_dbdb46463a64e885d36daf22f44f3e93_cobalt-strike_cobaltstrike.exe C:\Windows\System\cWtLIrt.exe
PID 2392 wrote to memory of 1456 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_dbdb46463a64e885d36daf22f44f3e93_cobalt-strike_cobaltstrike.exe C:\Windows\System\cWtLIrt.exe
PID 2392 wrote to memory of 2760 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_dbdb46463a64e885d36daf22f44f3e93_cobalt-strike_cobaltstrike.exe C:\Windows\System\CHaaJef.exe
PID 2392 wrote to memory of 2760 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_dbdb46463a64e885d36daf22f44f3e93_cobalt-strike_cobaltstrike.exe C:\Windows\System\CHaaJef.exe
PID 2392 wrote to memory of 2760 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_dbdb46463a64e885d36daf22f44f3e93_cobalt-strike_cobaltstrike.exe C:\Windows\System\CHaaJef.exe
PID 2392 wrote to memory of 2864 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_dbdb46463a64e885d36daf22f44f3e93_cobalt-strike_cobaltstrike.exe C:\Windows\System\oCRuHgg.exe
PID 2392 wrote to memory of 2864 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_dbdb46463a64e885d36daf22f44f3e93_cobalt-strike_cobaltstrike.exe C:\Windows\System\oCRuHgg.exe
PID 2392 wrote to memory of 2864 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_dbdb46463a64e885d36daf22f44f3e93_cobalt-strike_cobaltstrike.exe C:\Windows\System\oCRuHgg.exe
PID 2392 wrote to memory of 2888 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_dbdb46463a64e885d36daf22f44f3e93_cobalt-strike_cobaltstrike.exe C:\Windows\System\snynvDT.exe
PID 2392 wrote to memory of 2888 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_dbdb46463a64e885d36daf22f44f3e93_cobalt-strike_cobaltstrike.exe C:\Windows\System\snynvDT.exe
PID 2392 wrote to memory of 2888 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_dbdb46463a64e885d36daf22f44f3e93_cobalt-strike_cobaltstrike.exe C:\Windows\System\snynvDT.exe
PID 2392 wrote to memory of 1996 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_dbdb46463a64e885d36daf22f44f3e93_cobalt-strike_cobaltstrike.exe C:\Windows\System\YhOmhLZ.exe
PID 2392 wrote to memory of 1996 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_dbdb46463a64e885d36daf22f44f3e93_cobalt-strike_cobaltstrike.exe C:\Windows\System\YhOmhLZ.exe
PID 2392 wrote to memory of 1996 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_dbdb46463a64e885d36daf22f44f3e93_cobalt-strike_cobaltstrike.exe C:\Windows\System\YhOmhLZ.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-05-27_dbdb46463a64e885d36daf22f44f3e93_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-05-27_dbdb46463a64e885d36daf22f44f3e93_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\LbVGGFk.exe

C:\Windows\System\LbVGGFk.exe

C:\Windows\System\EBHVfpl.exe

C:\Windows\System\EBHVfpl.exe

C:\Windows\System\DTZtXZn.exe

C:\Windows\System\DTZtXZn.exe

C:\Windows\System\CwNwtFB.exe

C:\Windows\System\CwNwtFB.exe

C:\Windows\System\QYfXUJe.exe

C:\Windows\System\QYfXUJe.exe

C:\Windows\System\hLnkUPV.exe

C:\Windows\System\hLnkUPV.exe

C:\Windows\System\xzmHyov.exe

C:\Windows\System\xzmHyov.exe

C:\Windows\System\ZhUjAPC.exe

C:\Windows\System\ZhUjAPC.exe

C:\Windows\System\RbFxRxX.exe

C:\Windows\System\RbFxRxX.exe

C:\Windows\System\ITHhkAa.exe

C:\Windows\System\ITHhkAa.exe

C:\Windows\System\snyDlGe.exe

C:\Windows\System\snyDlGe.exe

C:\Windows\System\kXLUDPP.exe

C:\Windows\System\kXLUDPP.exe

C:\Windows\System\oXNCMAE.exe

C:\Windows\System\oXNCMAE.exe

C:\Windows\System\dTYspjL.exe

C:\Windows\System\dTYspjL.exe

C:\Windows\System\uAodUGY.exe

C:\Windows\System\uAodUGY.exe

C:\Windows\System\kyKjHpl.exe

C:\Windows\System\kyKjHpl.exe

C:\Windows\System\cWtLIrt.exe

C:\Windows\System\cWtLIrt.exe

C:\Windows\System\CHaaJef.exe

C:\Windows\System\CHaaJef.exe

C:\Windows\System\oCRuHgg.exe

C:\Windows\System\oCRuHgg.exe

C:\Windows\System\snynvDT.exe

C:\Windows\System\snynvDT.exe

C:\Windows\System\YhOmhLZ.exe

C:\Windows\System\YhOmhLZ.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 N/A tcp
DE 3.120.209.58:8080 N/A tcp
DE 3.120.209.58:8080 N/A tcp
DE 3.120.209.58:8080 N/A tcp
DE 3.120.209.58:8080 N/A tcp
DE 3.120.209.58:8080 N/A tcp

Files

memory/2392-0-0x000000013F040000-0x000000013F391000-memory.dmp

memory/2392-1-0x0000000000080000-0x0000000000090000-memory.dmp

\Windows\system\LbVGGFk.exe

MD5 4b54f1c3569226bcd770f0116cc0f976
SHA1 7017ae777e6c03c4ead7e6535796e7ad43291172
SHA256 4ac3c27f4fe163608c9c5848c84449fb77339298c29d77955b644f4713ba452d
SHA512 d30cf44664e8b76bcbe214543867103b7cf26e68bd79d394f91b6c37fb87eeb2dc72cd1cc41f71f7af985d9ed8681eceb8e21da3e9c55bae5dac8e95c129257d

C:\Windows\system\EBHVfpl.exe

MD5 b101e13a203992549325581276760b9b
SHA1 e3dfef74cb716d2db5c328dbd455a84671f18c4f
SHA256 29dc2b515ed499aa97ac51591718b9b9703db6402fbd9c1f13fc7ed98ac2995e
SHA512 9c85d933563f0c433123035b8408d2392f023713f845d223e9cb447b589a617fc709a8b8a6836d2ed487d91d43ec87b3478c2effa6320cef04c4e19b9299a8de

memory/772-30-0x000000013F120000-0x000000013F471000-memory.dmp

memory/2392-29-0x0000000002290000-0x00000000025E1000-memory.dmp

memory/2392-28-0x0000000002290000-0x00000000025E1000-memory.dmp

memory/2668-26-0x000000013F400000-0x000000013F751000-memory.dmp

C:\Windows\system\DTZtXZn.exe

MD5 27d0e844ea4fc4c438f0ec11498e8d01
SHA1 c57ecdef5f03be9ff679a59a32dc44e14540c116
SHA256 14550ff4fd9f859dee1a3c21902ea9c6e3434e2c6b955285aef0f83fee784b48
SHA512 fcfd596837a0196edf151644d82324599d11788de0496287b58fa64c30c38940930bfdd811d1a5558c83ce315555b126a3392981ae2ac5da942cf48c18c189c5

memory/2392-24-0x000000013F400000-0x000000013F751000-memory.dmp

memory/3012-23-0x000000013F0B0000-0x000000013F401000-memory.dmp

memory/2984-21-0x000000013FDE0000-0x0000000140131000-memory.dmp

C:\Windows\system\CwNwtFB.exe

MD5 6f8c7358ab04436594e0d25210cdfda2
SHA1 d14e4cc887df69ac61d760fa8394e48a1ddae2b2
SHA256 b8508110cb455e9f52468794d3d2aac7389a3aa2d4a5a790b5afddef0d883e01
SHA512 e7ae8dad2466166b04eb6f3bd2f474afc3d6c4862cfbe6cecfc09c04fc6b5adfbabe9bc41bb3b7144ae861d9c5eb645ed1f4822ba4955ca8241dd6be3848b928

memory/2392-9-0x000000013FDE0000-0x0000000140131000-memory.dmp

C:\Windows\system\QYfXUJe.exe

MD5 22f23cd727f7964ec48d19706c5bc7e9
SHA1 409e1a330ecd0343a24c9fb4bc1b197f665fb0b4
SHA256 4ccd285f19feac4a73b1667d8928735af950f4880ac0e530618c2b57565e3230
SHA512 a603da3dba8d3044170702a03ac4cd9d307ef0d554c6fef73809762d47cebb7e5ebbca308a2e9ea916fb8f076a1947eb9e88505941b7ffa742b961b9eb77e559

memory/2652-36-0x000000013F950000-0x000000013FCA1000-memory.dmp

C:\Windows\system\hLnkUPV.exe

MD5 a390c7c64cf7faf11e56f3fd63b56f87
SHA1 48a5fbd52a6a80e59fdd3c487fb7e1f79be7ee01
SHA256 c4cb3a475ec05647a8fce6498907fe780589257ccc8f2e17f6e8de0d58fe7b53
SHA512 5eec7cd1547b5c0659485a6f8dca8ba9fcbbd727075bf3227904074c712054c20d3eb1d170c846eb248eba8928aef1ac0cf0bc6ba9ec564b11b6a6709fd4d347

C:\Windows\system\xzmHyov.exe

MD5 13b8306fc4089fbdcbe2441a735dc58f
SHA1 fffb5b6ce1512ef12f7767bfc93593d7830ac602
SHA256 14a1647740268c6359585d66efed1fa9f925aaa7b509c2117dd4b9b8c1d36786
SHA512 6c62d71c607e3c2aa8eb462d083f04fd9e8bc0af9ddcc774cef8749023c3655b055883776f95fb547881a21f2256c9bbe08d3107d463ea4584d6a1f212f2e320

memory/2952-49-0x000000013F720000-0x000000013FA71000-memory.dmp

memory/2956-48-0x000000013F4A0000-0x000000013F7F1000-memory.dmp

memory/2392-50-0x000000013F720000-0x000000013FA71000-memory.dmp

memory/2392-46-0x000000013F4A0000-0x000000013F7F1000-memory.dmp

C:\Windows\system\ZhUjAPC.exe

MD5 06c141744b9e885c26dea4e282205066
SHA1 0cd939628421223c14011420ee7ff4056dbe8300
SHA256 87739b7634adf3d3085d371031ddcb0f3e43415f2ccca985c8a0c805ceacf9c1
SHA512 49cb4c6db2e2f8cd278957cef5359b1b5aab364b84a1fdc862c4d67ac863fe7176d0bb2eb2206d23ccc9f8eed75c2cc2bb1f13bfc931bb4ceb2cc03fbe731c87

memory/2912-62-0x000000013FF40000-0x0000000140291000-memory.dmp

memory/2732-61-0x000000013F300000-0x000000013F651000-memory.dmp

C:\Windows\system\ITHhkAa.exe

MD5 5845b8f27bed273d7cb7d148c59fdca1
SHA1 b868cdaf57a0b0a45762a397948b4d7064fc82da
SHA256 09051e4cf9b2bdce819bb3bcd61e502bd42d923c9cc9dc3fe41113588d78690c
SHA512 e3587d42a059028032aa7318aaf5064fd42a991f9d30c0309daa53046e4d2bb884fa55f807de35be4fe77baa14b5189cc367e539eb9fd7fbdfbd94cfc571dbec

memory/2512-69-0x000000013F120000-0x000000013F471000-memory.dmp

memory/2392-67-0x000000013FF40000-0x0000000140291000-memory.dmp

memory/3020-76-0x000000013F8E0000-0x000000013FC31000-memory.dmp

memory/2392-77-0x000000013F8E0000-0x000000013FC31000-memory.dmp

memory/2392-75-0x0000000002290000-0x00000000025E1000-memory.dmp

C:\Windows\system\snyDlGe.exe

MD5 28d39d354e880e1b19c01f83027e4bdf
SHA1 10c9181ad7a61b0600f81d93ab2f1f12c325a4e5
SHA256 5dd3b328f7d02fa93e120426e35582f1494c1af444da315a0ded7e406dc8d22f
SHA512 17e1f591e29ef9a3fad17f7673dbeaa3c64956f3b381d8fd9b7207dab01f264828c418118c3c02b3bc3f37c9f62e427ea9935eff85412933d798933c92d0e42b

C:\Windows\system\kXLUDPP.exe

MD5 ddfc23fec82f7fb931ea38ae7216ce9a
SHA1 26e6448eb766c23c0edca4363644a25ff76dea2d
SHA256 522798b0beab6e70233c96b7bf155ed5d3605b3d7a88b68c94b50c0a62696d0d
SHA512 455272d6b5bb26651d0ab88da9b6bfc87707910916b82737ebba4064459b6aa55d89344d6353cf9cd0f4859bdc9068aef7e581c60b5bc91e38894f15fe1111fb

memory/1980-85-0x000000013F7D0000-0x000000013FB21000-memory.dmp

memory/2984-84-0x000000013FDE0000-0x0000000140131000-memory.dmp

memory/2392-83-0x000000013F040000-0x000000013F391000-memory.dmp

\Windows\system\dTYspjL.exe

MD5 838ef49541ec334b2dcf68cef24f1789
SHA1 99c806081437106469ef82ec243864f6183fd4b1
SHA256 c4b954cb3f1b21ece70c17ff7bf12d3ec4dd629e01abee3c328eec90fe0fd7f8
SHA512 b8efdcb28f8ce03516185707c3c929a0d5fd8518423e30d054eabd4af817f9f1d9436f42421d98ccac16a90f39e42c394fdc9e6fe05a6dc9b5bb30b85ca19e7f

memory/2392-105-0x000000013FCD0000-0x0000000140021000-memory.dmp

memory/2884-104-0x000000013F560000-0x000000013F8B1000-memory.dmp

memory/2392-102-0x000000013F560000-0x000000013F8B1000-memory.dmp

C:\Windows\system\uAodUGY.exe

MD5 6be67e97bb360f3fa4128eadd56f6ed9
SHA1 8a5d01f51cb59eae4ec90fa7ecc326305d6853ce
SHA256 d4657c2fefa0e5ba1fecbe459382531cce404844491a55d02b0f0cfbb297a826
SHA512 1716cb4374e4a2f57be2f41b8eec47cd69ab3171cda38741455341f016444986b16732520124c1fdfdf89b6cc2a2c82b618cb9d226d91264140663b3c23943b6

memory/2632-100-0x000000013F6A0000-0x000000013F9F1000-memory.dmp

memory/2392-99-0x000000013F6A0000-0x000000013F9F1000-memory.dmp

C:\Windows\system\oXNCMAE.exe

MD5 ddf05584ef2a6f17e305374d92ec0ba0
SHA1 111852f5f931af70912dc6c48886aaa59f3ffc09
SHA256 9268411dca91110a970c13dbf519fba2eab46705fb9e15fd89586d165d9860d4
SHA512 e91b669fab303c3baeb35e06713713fe4ce53f3f37fd24bf9576a919fe26a522b9347a43819c96afa21da4d6dbf06e3f9ce52a6a0101c67fbce8f93c881346fd

C:\Windows\system\kyKjHpl.exe

MD5 72d4242b6e3878a4e8c1b24f1db886cf
SHA1 28a7f698a9f4d910fbb4e24b28a8c69d8ae43205
SHA256 66c5cd2e8852e4b06e26491b247b46a4507ad823b037315bc7ad6b74b47172ca
SHA512 a41f7a4d72a2cd1bc809d5022fd6d42c39b959f63f6fb8c44137b7c44b1713cf03029732d4a6ca6af6b341474bac13c57251c901e8ce778ea2627bb7f47db675

\Windows\system\oCRuHgg.exe

MD5 3c07efbb0b2aa0edce37e64def73bdff
SHA1 6611373c75d4799fb93e17d444b9b463f1cc6dfc
SHA256 e5dd50098e1280c9ca91b5d07d749c3934a5964c0abb41ec17c454cee3bac2c3
SHA512 2caeee9392b97ce346a1dde36f73d32b4faf40fca7d4b4eb496a08caeac1820398452622833a7e5737c701016a1d9d0cea4cfd91cefc6bfeb8ed9e5910e9f258

C:\Windows\system\snynvDT.exe

MD5 31751baa28ab2c49ece063d88475e947
SHA1 3320a70d2de8eeedb6335bd8218032c3a923d4d2
SHA256 8f96a6ab0d2dedfab882d25bea6b894b016c7104322f06d191aea4bcdb1035d6
SHA512 d15c89691413620ff06f4cc19a90a4b2d194887a04ea77b5b08e2f8340aa12fa4c0b69358de9b0303f9e9b9ec4f8dd87bee822c46868cc0c8c1b71d6f5464766

C:\Windows\system\YhOmhLZ.exe

MD5 fd70da0ee175680e51e8283a0f63bbf3
SHA1 63eb7b2c5b898adaef5926ddbba63b027beb1612
SHA256 0cc2af575a7acbe69e3f4bac483bf45286c42073597ba9af00f8501a6f2c56cb
SHA512 fd177626b617052e7619fc9a4b3da7c42ec7c0588c3afbf6bd749d685600a02a49bba80e68a6707c359cee26d2d6389fc5dcd1c07330597f7bd5700cc4c27541

C:\Windows\system\CHaaJef.exe

MD5 2fb6780d5df59335a502e6c91bc5fe56
SHA1 18fa6e3a43800ea1c5281c1f072f7c87b8050a8e
SHA256 03eb0caa9bb63df716f9729cd1a5ecc125639b2cb9d4569af16b80d0375179a9
SHA512 4fedc2759e4af483ce7ab5163b37d15d67c98e9d295b5e13e9e92df016389a34af1ce58d845c7849a001b52d96d74a51548460110885163f79182b1d048a00dd

C:\Windows\system\cWtLIrt.exe

MD5 fa748ddc715e4be8c2ca5efe24f9b1f5
SHA1 d5247839e7bebfcb10e1788a749dcadddd2c286d
SHA256 2187fbcf06d50c88afcb69f4ddf02e6bd5ef11ab94909f6866f95489a22708b1
SHA512 f75244c334b0eb1e7ebbeb71635c01a5f671e058cab0d18f3dad9041f80e6ca0057f5f33661cd6d5a15a85af7cd36999f288aae6210c1ba2caa826c38b2c1e69

C:\Windows\system\RbFxRxX.exe

MD5 6fda34475faf75aa96d964c6fc58a10f
SHA1 7ea4b53bbbd4725dfa443a54dea7ffab01f7d768
SHA256 ef82b514cfcd0849062828f3b4ee13327259885fbed898116175991cbd71a549
SHA512 40f44f47c0440f1f03a5ab1d9ed976a1b1ec7487f58004b56d432a56131eb3cff261d619c0eb24d13ccbe94fa877fd51163848d45194e6b53fbfae14cf2ab72e

memory/2392-135-0x000000013F4A0000-0x000000013F7F1000-memory.dmp

memory/2392-136-0x0000000002290000-0x00000000025E1000-memory.dmp

memory/2392-137-0x000000013F040000-0x000000013F391000-memory.dmp

memory/2512-147-0x000000013F120000-0x000000013F471000-memory.dmp

memory/2888-157-0x000000013FF10000-0x0000000140261000-memory.dmp

memory/1996-158-0x000000013FFC0000-0x0000000140311000-memory.dmp

memory/2864-156-0x000000013FF50000-0x00000001402A1000-memory.dmp

memory/1456-154-0x000000013F420000-0x000000013F771000-memory.dmp

memory/2524-152-0x000000013FCD0000-0x0000000140021000-memory.dmp

memory/2760-155-0x000000013FC10000-0x000000013FF61000-memory.dmp

memory/2856-153-0x000000013F9D0000-0x000000013FD21000-memory.dmp

memory/2392-159-0x000000013F040000-0x000000013F391000-memory.dmp

memory/2392-181-0x000000013F6A0000-0x000000013F9F1000-memory.dmp

memory/2392-182-0x000000013FCD0000-0x0000000140021000-memory.dmp

memory/2984-208-0x000000013FDE0000-0x0000000140131000-memory.dmp

memory/3012-207-0x000000013F0B0000-0x000000013F401000-memory.dmp

memory/2668-210-0x000000013F400000-0x000000013F751000-memory.dmp

memory/772-212-0x000000013F120000-0x000000013F471000-memory.dmp

memory/2652-214-0x000000013F950000-0x000000013FCA1000-memory.dmp

memory/2956-216-0x000000013F4A0000-0x000000013F7F1000-memory.dmp

memory/2952-218-0x000000013F720000-0x000000013FA71000-memory.dmp

memory/2732-220-0x000000013F300000-0x000000013F651000-memory.dmp

memory/2912-222-0x000000013FF40000-0x0000000140291000-memory.dmp

memory/2512-224-0x000000013F120000-0x000000013F471000-memory.dmp

memory/3020-232-0x000000013F8E0000-0x000000013FC31000-memory.dmp

memory/1980-234-0x000000013F7D0000-0x000000013FB21000-memory.dmp

memory/2884-236-0x000000013F560000-0x000000013F8B1000-memory.dmp

memory/2632-238-0x000000013F6A0000-0x000000013F9F1000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-27 02:06

Reported

2024-05-27 02:08

Platform

win10v2004-20240226-en

Max time kernel

148s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-05-27_dbdb46463a64e885d36daf22f44f3e93_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\fVKCyBj.exe C:\Users\Admin\AppData\Local\Temp\2024-05-27_dbdb46463a64e885d36daf22f44f3e93_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\jPNUhGR.exe C:\Users\Admin\AppData\Local\Temp\2024-05-27_dbdb46463a64e885d36daf22f44f3e93_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\YqsdzXh.exe C:\Users\Admin\AppData\Local\Temp\2024-05-27_dbdb46463a64e885d36daf22f44f3e93_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\TXKSSwv.exe C:\Users\Admin\AppData\Local\Temp\2024-05-27_dbdb46463a64e885d36daf22f44f3e93_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\SDsXGXi.exe C:\Users\Admin\AppData\Local\Temp\2024-05-27_dbdb46463a64e885d36daf22f44f3e93_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\EoNAvHi.exe C:\Users\Admin\AppData\Local\Temp\2024-05-27_dbdb46463a64e885d36daf22f44f3e93_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ppsbyIr.exe C:\Users\Admin\AppData\Local\Temp\2024-05-27_dbdb46463a64e885d36daf22f44f3e93_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\eXifUEA.exe C:\Users\Admin\AppData\Local\Temp\2024-05-27_dbdb46463a64e885d36daf22f44f3e93_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\TNVVsqo.exe C:\Users\Admin\AppData\Local\Temp\2024-05-27_dbdb46463a64e885d36daf22f44f3e93_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\fNtKSho.exe C:\Users\Admin\AppData\Local\Temp\2024-05-27_dbdb46463a64e885d36daf22f44f3e93_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\HLVcAcX.exe C:\Users\Admin\AppData\Local\Temp\2024-05-27_dbdb46463a64e885d36daf22f44f3e93_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\oOEXFsG.exe C:\Users\Admin\AppData\Local\Temp\2024-05-27_dbdb46463a64e885d36daf22f44f3e93_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\RuFlsmO.exe C:\Users\Admin\AppData\Local\Temp\2024-05-27_dbdb46463a64e885d36daf22f44f3e93_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\VVPALZb.exe C:\Users\Admin\AppData\Local\Temp\2024-05-27_dbdb46463a64e885d36daf22f44f3e93_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\znrweZs.exe C:\Users\Admin\AppData\Local\Temp\2024-05-27_dbdb46463a64e885d36daf22f44f3e93_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\gNlGPaH.exe C:\Users\Admin\AppData\Local\Temp\2024-05-27_dbdb46463a64e885d36daf22f44f3e93_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\uuupOPd.exe C:\Users\Admin\AppData\Local\Temp\2024-05-27_dbdb46463a64e885d36daf22f44f3e93_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\DnGPQBr.exe C:\Users\Admin\AppData\Local\Temp\2024-05-27_dbdb46463a64e885d36daf22f44f3e93_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\bPmyCxe.exe C:\Users\Admin\AppData\Local\Temp\2024-05-27_dbdb46463a64e885d36daf22f44f3e93_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\uIcQPdm.exe C:\Users\Admin\AppData\Local\Temp\2024-05-27_dbdb46463a64e885d36daf22f44f3e93_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\guBELRe.exe C:\Users\Admin\AppData\Local\Temp\2024-05-27_dbdb46463a64e885d36daf22f44f3e93_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_dbdb46463a64e885d36daf22f44f3e93_cobalt-strike_cobaltstrike.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_dbdb46463a64e885d36daf22f44f3e93_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 824 wrote to memory of 2128 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_dbdb46463a64e885d36daf22f44f3e93_cobalt-strike_cobaltstrike.exe C:\Windows\System\fVKCyBj.exe
PID 824 wrote to memory of 2128 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_dbdb46463a64e885d36daf22f44f3e93_cobalt-strike_cobaltstrike.exe C:\Windows\System\fVKCyBj.exe
PID 824 wrote to memory of 3264 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_dbdb46463a64e885d36daf22f44f3e93_cobalt-strike_cobaltstrike.exe C:\Windows\System\HLVcAcX.exe
PID 824 wrote to memory of 3264 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_dbdb46463a64e885d36daf22f44f3e93_cobalt-strike_cobaltstrike.exe C:\Windows\System\HLVcAcX.exe
PID 824 wrote to memory of 1920 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_dbdb46463a64e885d36daf22f44f3e93_cobalt-strike_cobaltstrike.exe C:\Windows\System\oOEXFsG.exe
PID 824 wrote to memory of 1920 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_dbdb46463a64e885d36daf22f44f3e93_cobalt-strike_cobaltstrike.exe C:\Windows\System\oOEXFsG.exe
PID 824 wrote to memory of 2612 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_dbdb46463a64e885d36daf22f44f3e93_cobalt-strike_cobaltstrike.exe C:\Windows\System\SDsXGXi.exe
PID 824 wrote to memory of 2612 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_dbdb46463a64e885d36daf22f44f3e93_cobalt-strike_cobaltstrike.exe C:\Windows\System\SDsXGXi.exe
PID 824 wrote to memory of 2352 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_dbdb46463a64e885d36daf22f44f3e93_cobalt-strike_cobaltstrike.exe C:\Windows\System\RuFlsmO.exe
PID 824 wrote to memory of 2352 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_dbdb46463a64e885d36daf22f44f3e93_cobalt-strike_cobaltstrike.exe C:\Windows\System\RuFlsmO.exe
PID 824 wrote to memory of 4668 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_dbdb46463a64e885d36daf22f44f3e93_cobalt-strike_cobaltstrike.exe C:\Windows\System\DnGPQBr.exe
PID 824 wrote to memory of 4668 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_dbdb46463a64e885d36daf22f44f3e93_cobalt-strike_cobaltstrike.exe C:\Windows\System\DnGPQBr.exe
PID 824 wrote to memory of 3084 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_dbdb46463a64e885d36daf22f44f3e93_cobalt-strike_cobaltstrike.exe C:\Windows\System\EoNAvHi.exe
PID 824 wrote to memory of 3084 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_dbdb46463a64e885d36daf22f44f3e93_cobalt-strike_cobaltstrike.exe C:\Windows\System\EoNAvHi.exe
PID 824 wrote to memory of 1636 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_dbdb46463a64e885d36daf22f44f3e93_cobalt-strike_cobaltstrike.exe C:\Windows\System\ppsbyIr.exe
PID 824 wrote to memory of 1636 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_dbdb46463a64e885d36daf22f44f3e93_cobalt-strike_cobaltstrike.exe C:\Windows\System\ppsbyIr.exe
PID 824 wrote to memory of 2112 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_dbdb46463a64e885d36daf22f44f3e93_cobalt-strike_cobaltstrike.exe C:\Windows\System\VVPALZb.exe
PID 824 wrote to memory of 2112 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_dbdb46463a64e885d36daf22f44f3e93_cobalt-strike_cobaltstrike.exe C:\Windows\System\VVPALZb.exe
PID 824 wrote to memory of 2928 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_dbdb46463a64e885d36daf22f44f3e93_cobalt-strike_cobaltstrike.exe C:\Windows\System\znrweZs.exe
PID 824 wrote to memory of 2928 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_dbdb46463a64e885d36daf22f44f3e93_cobalt-strike_cobaltstrike.exe C:\Windows\System\znrweZs.exe
PID 824 wrote to memory of 644 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_dbdb46463a64e885d36daf22f44f3e93_cobalt-strike_cobaltstrike.exe C:\Windows\System\eXifUEA.exe
PID 824 wrote to memory of 644 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_dbdb46463a64e885d36daf22f44f3e93_cobalt-strike_cobaltstrike.exe C:\Windows\System\eXifUEA.exe
PID 824 wrote to memory of 3652 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_dbdb46463a64e885d36daf22f44f3e93_cobalt-strike_cobaltstrike.exe C:\Windows\System\bPmyCxe.exe
PID 824 wrote to memory of 3652 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_dbdb46463a64e885d36daf22f44f3e93_cobalt-strike_cobaltstrike.exe C:\Windows\System\bPmyCxe.exe
PID 824 wrote to memory of 1136 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_dbdb46463a64e885d36daf22f44f3e93_cobalt-strike_cobaltstrike.exe C:\Windows\System\TNVVsqo.exe
PID 824 wrote to memory of 1136 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_dbdb46463a64e885d36daf22f44f3e93_cobalt-strike_cobaltstrike.exe C:\Windows\System\TNVVsqo.exe
PID 824 wrote to memory of 1292 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_dbdb46463a64e885d36daf22f44f3e93_cobalt-strike_cobaltstrike.exe C:\Windows\System\jPNUhGR.exe
PID 824 wrote to memory of 1292 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_dbdb46463a64e885d36daf22f44f3e93_cobalt-strike_cobaltstrike.exe C:\Windows\System\jPNUhGR.exe
PID 824 wrote to memory of 1336 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_dbdb46463a64e885d36daf22f44f3e93_cobalt-strike_cobaltstrike.exe C:\Windows\System\gNlGPaH.exe
PID 824 wrote to memory of 1336 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_dbdb46463a64e885d36daf22f44f3e93_cobalt-strike_cobaltstrike.exe C:\Windows\System\gNlGPaH.exe
PID 824 wrote to memory of 684 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_dbdb46463a64e885d36daf22f44f3e93_cobalt-strike_cobaltstrike.exe C:\Windows\System\uIcQPdm.exe
PID 824 wrote to memory of 684 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_dbdb46463a64e885d36daf22f44f3e93_cobalt-strike_cobaltstrike.exe C:\Windows\System\uIcQPdm.exe
PID 824 wrote to memory of 1988 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_dbdb46463a64e885d36daf22f44f3e93_cobalt-strike_cobaltstrike.exe C:\Windows\System\YqsdzXh.exe
PID 824 wrote to memory of 1988 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_dbdb46463a64e885d36daf22f44f3e93_cobalt-strike_cobaltstrike.exe C:\Windows\System\YqsdzXh.exe
PID 824 wrote to memory of 4500 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_dbdb46463a64e885d36daf22f44f3e93_cobalt-strike_cobaltstrike.exe C:\Windows\System\uuupOPd.exe
PID 824 wrote to memory of 4500 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_dbdb46463a64e885d36daf22f44f3e93_cobalt-strike_cobaltstrike.exe C:\Windows\System\uuupOPd.exe
PID 824 wrote to memory of 3544 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_dbdb46463a64e885d36daf22f44f3e93_cobalt-strike_cobaltstrike.exe C:\Windows\System\TXKSSwv.exe
PID 824 wrote to memory of 3544 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_dbdb46463a64e885d36daf22f44f3e93_cobalt-strike_cobaltstrike.exe C:\Windows\System\TXKSSwv.exe
PID 824 wrote to memory of 4636 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_dbdb46463a64e885d36daf22f44f3e93_cobalt-strike_cobaltstrike.exe C:\Windows\System\fNtKSho.exe
PID 824 wrote to memory of 4636 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_dbdb46463a64e885d36daf22f44f3e93_cobalt-strike_cobaltstrike.exe C:\Windows\System\fNtKSho.exe
PID 824 wrote to memory of 924 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_dbdb46463a64e885d36daf22f44f3e93_cobalt-strike_cobaltstrike.exe C:\Windows\System\guBELRe.exe
PID 824 wrote to memory of 924 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_dbdb46463a64e885d36daf22f44f3e93_cobalt-strike_cobaltstrike.exe C:\Windows\System\guBELRe.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-05-27_dbdb46463a64e885d36daf22f44f3e93_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-05-27_dbdb46463a64e885d36daf22f44f3e93_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\fVKCyBj.exe

C:\Windows\System\fVKCyBj.exe

C:\Windows\System\HLVcAcX.exe

C:\Windows\System\HLVcAcX.exe

C:\Windows\System\oOEXFsG.exe

C:\Windows\System\oOEXFsG.exe

C:\Windows\System\SDsXGXi.exe

C:\Windows\System\SDsXGXi.exe

C:\Windows\System\RuFlsmO.exe

C:\Windows\System\RuFlsmO.exe

C:\Windows\System\DnGPQBr.exe

C:\Windows\System\DnGPQBr.exe

C:\Windows\System\EoNAvHi.exe

C:\Windows\System\EoNAvHi.exe

C:\Windows\System\ppsbyIr.exe

C:\Windows\System\ppsbyIr.exe

C:\Windows\System\VVPALZb.exe

C:\Windows\System\VVPALZb.exe

C:\Windows\System\znrweZs.exe

C:\Windows\System\znrweZs.exe

C:\Windows\System\eXifUEA.exe

C:\Windows\System\eXifUEA.exe

C:\Windows\System\bPmyCxe.exe

C:\Windows\System\bPmyCxe.exe

C:\Windows\System\TNVVsqo.exe

C:\Windows\System\TNVVsqo.exe

C:\Windows\System\jPNUhGR.exe

C:\Windows\System\jPNUhGR.exe

C:\Windows\System\gNlGPaH.exe

C:\Windows\System\gNlGPaH.exe

C:\Windows\System\uIcQPdm.exe

C:\Windows\System\uIcQPdm.exe

C:\Windows\System\YqsdzXh.exe

C:\Windows\System\YqsdzXh.exe

C:\Windows\System\uuupOPd.exe

C:\Windows\System\uuupOPd.exe

C:\Windows\System\TXKSSwv.exe

C:\Windows\System\TXKSSwv.exe

C:\Windows\System\fNtKSho.exe

C:\Windows\System\fNtKSho.exe

C:\Windows\System\guBELRe.exe

C:\Windows\System\guBELRe.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4104 --field-trial-handle=2280,i,11703952675008463361,17436195144517971517,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 91.90.14.23.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
GB 23.44.234.16:80 tcp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 13.107.253.64:443 tcp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 164.189.21.2.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
NL 52.142.223.178:80 tcp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 89.65.42.20.in-addr.arpa udp
DE 3.120.209.58:8080 tcp

Files

memory/824-0-0x00007FF782E40000-0x00007FF783191000-memory.dmp

memory/824-1-0x000001C261410000-0x000001C261420000-memory.dmp

C:\Windows\System\fVKCyBj.exe

MD5 25056e6a76efa85c0c2536db2b9c80f5
SHA1 dd147adb522c2a2e92ed610bd1c38748f1e95c64
SHA256 e35f813728dc7b25a4388efeeedd4c7f20bd0f15ebafef808f0444043d9afd20
SHA512 fd040da931ae6a60565aab2b6d7bfdd4d2c7d42bd24f268eb9362081635bdded76c43e467d56826d6c6aaad345eceedbd3cb3415611573ecd7758bffb5a59abd

memory/2128-7-0x00007FF7FAC40000-0x00007FF7FAF91000-memory.dmp

C:\Windows\System\HLVcAcX.exe

MD5 a2946a0b0dbf7a4ac23ccc73530010c1
SHA1 fb367c40abb92d0f7f4db2704817673ba80bf8bf
SHA256 b5ebba03c718f9ef896919adc7311621fb5eeafe6284b4ac328ccd9cdd892905
SHA512 17d30431776d64a5f59e7307367e88f06dae4917d4c3b5c75cb1363e65d7a37d4b555a89edff20bf69a0d1b5154ef16b1672efe9c875dc83d78119a1622b017d

C:\Windows\System\oOEXFsG.exe

MD5 d1b121d24a06b7e82eba9f1312148b46
SHA1 2b6ae343c8aea47a3d8e97e2fdec4fa5edf436f1
SHA256 4d8549116da2f12bb6b8b85e964a6ade3cd397041a8fa22c826bf24bbe54213b
SHA512 61cd303f60c240406e0d7454e325a1032399a815a94b7e2e2155ebb0e5fe847c8a4113dde1dbbca37c659561f7af3acde6dc3cf34f8a579619c0bbf849d0fcfa

memory/3264-14-0x00007FF75FF20000-0x00007FF760271000-memory.dmp

memory/1920-18-0x00007FF705220000-0x00007FF705571000-memory.dmp

C:\Windows\System\SDsXGXi.exe

MD5 ac2490ec781ea6517cde0d6d048c3550
SHA1 44b0057183359ad21635007ce7f9c07b85537b90
SHA256 0d201671223be7a87b614f9658072332aa5cf15d6e764afe5f724e560652a355
SHA512 daf066f5a012dcb12dc9a3a991c0e38f04f0e1b8538e80611dccb13165e43cb4da807741e1953467d8be56ae2b30029824e145ba0d1a341a67da1a5205cd2868

memory/2612-26-0x00007FF681A90000-0x00007FF681DE1000-memory.dmp

C:\Windows\System\RuFlsmO.exe

MD5 628a9861b18c62c1c422b6e247a2a5a1
SHA1 05aad97322728fa68803244d18009b6192c212ad
SHA256 56ed32ef914146c1b33cf73857ff92525cf72c4dfff5afca7c3e06297920f5d8
SHA512 bd03bd17d68068e887e35917bf81fdf71986e850c90cb33cfc1f463744f09990844f9169b8a40af0c1e9d97a4abc9e04991bd917840a97684ded06668720107e

memory/2352-29-0x00007FF745450000-0x00007FF7457A1000-memory.dmp

C:\Windows\System\DnGPQBr.exe

MD5 f2ddce00f7834fa27ac1a18ab3a7e019
SHA1 c457c8a158567f377ce67271bcf8d4852fe32057
SHA256 0d72964f75adf4213ddfa5444e7f3122547fe9f61979d6b49b007855c2d81c90
SHA512 96a70fc7c5b48bacd4bda34cf0d927eca724ff46266f7c8a570023e8207bffc8b639a2d6180483c186cb3afd009fb0c163296920b531c1ee165311ee88d98f4c

memory/4668-38-0x00007FF7CE970000-0x00007FF7CECC1000-memory.dmp

C:\Windows\System\EoNAvHi.exe

MD5 1b69109c2451f6e745df1684ac62a247
SHA1 b7e36fc32384a2b5fd7d38d47a8fd8c4278c1f40
SHA256 43b4a0824da6e986a881e304d7e93124d76ef2d896dbc977054a62363484c046
SHA512 1f6cd83455b1973c69dba2a0a457bfed44ff94e4ef47d05b583d2addeef64626f15ef6a8d304799b209c96b2568857d5aa8efaa26e998e3078cc05df91a8cc15

C:\Windows\System\ppsbyIr.exe

MD5 5919b16777945a04dba6116958c191c7
SHA1 41c665ec2ec22b768f1ff760e221ebe6f8689f04
SHA256 3d10ed4387add5e59b654bc8b1b4b4493faeba79d193e9cdf3d87f2041dc0150
SHA512 4c1f5b104f0377691b90563f29cd3bfe753c43b6af51c627feaf83e72621d3446f4fb14e09950bd0b1cf7c4af8b4494dfcb33bf738b4a13fbae7481ed27cd295

C:\Windows\System\VVPALZb.exe

MD5 dc6301ea31196d4c900d6b941ff67e5c
SHA1 c444fb5213a9678e04a6a2a50c44fe1c3d0baf3c
SHA256 9099cd5f96e5734cc9f0dbf3782879a66f1416c98d33c9ef1949b5359ef2f950
SHA512 0930171c20d8e26657c584ebc68f53428f317a1d1c49f5eb81259fdbd3105ca6f14aff4d24c24d61827bab7787e8f82556fe955b1d6a86affa62092f12e2628a

C:\Windows\System\znrweZs.exe

MD5 ec4061d2696e4432e45ad27cac97636b
SHA1 c6ef53a09d46e7d8121c15bbc175652d883609f0
SHA256 8b83c870a3b1863c1e5eb8d511765536de82c9176fd4f57a35437e3ae00d0724
SHA512 ef94d8332bd5c6b069905316efb8b38f7e8b658df3bec8df780b50c62c80ab6ecab838d162a74ba92c523f05b4575a94290657aa76d2bed0789c551729f89af3

C:\Windows\System\eXifUEA.exe

MD5 16cc7967cfc41d77899b162d4ac7e3de
SHA1 8e2969c4738229d7e47df4e746d699d29c6f152e
SHA256 b950c3e96bcaa043f8f019b1691040487bc00f1d8bc5d80898db87e7cb241660
SHA512 e10ea04f5c047d61846465254a961976a4a3b1e51a6e782ad64251c8805fd19f08fb348e9d91fe51496eec216f0f2b6f5b3be3285ebabd370e7accec1f1fbeeb

C:\Windows\System\bPmyCxe.exe

MD5 7ca776c2cf8d69eff4c20e14275f6d74
SHA1 21e0f148c6ce29911e9e488fb9fb212b2dcfd5e5
SHA256 1f67c42fe31276ac0a5fcf8d8c1d8b3080018031332191f22120f888fb21cfd5
SHA512 9d1cd5321bae1c3e82bb61cbadd1e15e0d6f9c8053a5b556014f04bc77c227929aa1f7b61442f7c66f5b7fc8b29421866cc47ceb711f0e2ea4dab762164fabff

C:\Windows\System\TNVVsqo.exe

MD5 68cfd2ac81b259fff2c94a248c4cc2c9
SHA1 e3cb8e4d5acbb00df8450665414348825f0b3cc1
SHA256 f77b098b8028d2fc5e51c3da4ccc1bb5b8458430a57ae3512beda00d3802f150
SHA512 9115f62da00ac7259693d26402d1a35ba5aef75d8622afbb02970b7905cc7428edb64bffd853a2f2afacd18736c930337597ef6e39774ac36f93efb0117574de

C:\Windows\System\jPNUhGR.exe

MD5 272aa38d92be9467ea7e90dc4d4607c4
SHA1 0a7d2c28816efb6316e20d6eb5a3cfb80d194b87
SHA256 58a2c2db46e6552ca837a8e6485c91d34c6922cec38b24f5058a82a9f3bc8526
SHA512 ef185ad7a05a0f653e548d66bacba3752a8c9c0a69ec99eed03377ab6f6d3fedab18e12c3228f336f604c918254b3cd3ea99fa09b333641f8a010c8ee1f11c8f

C:\Windows\System\gNlGPaH.exe

MD5 32d0bb49be116c84fb63ddb9056b1ec4
SHA1 a22a7f748a63b1d15b48c9a0454752db7d2dc112
SHA256 5043bf5c71956d7b06b94493214b414bdc388db93258000398d7c7583e9db3ed
SHA512 be014c168eb4beca800c7480ae9f63eaf74ad79693908c85ad0ec20d9a985b28a4597c62fe1d18e3d45c6909329d640b1e0a1e716eaf9a784bd604e16930cb17

C:\Windows\System\uIcQPdm.exe

MD5 629222eaa80001c5c91c3c318ffa5926
SHA1 e5f6bc4f9d095a62bbdd3cb1c588445e341953a7
SHA256 f0e431ee9694ac9f9b086036d055959eb56734a510adbd1f200ef8c02128709f
SHA512 76fa22d5bae2e574c8e1b668c3e99e1efdef6f7dddfa9fd4669e4b81c1c381644589ea387befe29172f8bdd10a55b2712a31e1c7f3179ca9d919ababbd658507

C:\Windows\System\YqsdzXh.exe

MD5 5eb5a81f77cacc89b8dadfe5dbbce73d
SHA1 dc508167e0b7d4da0cc25c7dbc17df574ceeb6d1
SHA256 f208083d7f91eda74d05567873294fa6820f8a36fb582677a8ca0640df221d76
SHA512 47277da64fe35468badaa4bccfe8791d8651a0fb0c421b75f534ecd8078c982cdcc462c319ff9cf5dbb8128593de2a00ab0d99d323db3250806d5dc2b875bc9f

C:\Windows\System\uuupOPd.exe

MD5 916f79e1f2236b0097eef80f18283b16
SHA1 277516a8d07d09954f897239c076190ded07ae3d
SHA256 32d3c3d1d744012dd8eb9c5e1133b0aca9a63f5a2430ddc26870f4f837646887
SHA512 e5338d13dec101149f415b357ec788cedb87fbef7016375d9ec2e2e49ff098017a7f95d9a6e0e58d881daea7dadbc1ddeefe8f89bd725e5e654bd1f0c9d567fb

C:\Windows\System\TXKSSwv.exe

MD5 3baeb732b89165092c443ee8d061b145
SHA1 07bbd8861b2d56408c6f8319096c87ff6669c89d
SHA256 ff1c615e5fcbaafc29a5b0bbcae8003018437bdba788878c06a18634bfaeb49d
SHA512 feef8ca9a8964bb62717d3acd415e893c967e5dc872b857b41136ec34edc183263443049c4ea7b52988303ba8c927a9f1604865e38e50d67ead6b451d59ab408

memory/3084-104-0x00007FF645450000-0x00007FF6457A1000-memory.dmp

memory/2928-110-0x00007FF6606F0000-0x00007FF660A41000-memory.dmp

memory/3652-114-0x00007FF7EC910000-0x00007FF7ECC61000-memory.dmp

memory/684-118-0x00007FF708AA0000-0x00007FF708DF1000-memory.dmp

memory/3544-121-0x00007FF6553F0000-0x00007FF655741000-memory.dmp

memory/4636-122-0x00007FF6E8740000-0x00007FF6E8A91000-memory.dmp

memory/4500-120-0x00007FF7025D0000-0x00007FF702921000-memory.dmp

memory/1988-119-0x00007FF7108B0000-0x00007FF710C01000-memory.dmp

memory/1336-117-0x00007FF7E9B30000-0x00007FF7E9E81000-memory.dmp

memory/1292-116-0x00007FF796010000-0x00007FF796361000-memory.dmp

memory/1136-115-0x00007FF7B1290000-0x00007FF7B15E1000-memory.dmp

C:\Windows\System\fNtKSho.exe

MD5 1f2c7a8831cdc38d767c4039bc1748f0
SHA1 1e300f8516f2e4278206768be3fec96e7ced890e
SHA256 56663d3deebf1b747377c6cc0ebea44d5c22c08641c85da331f1a1fd1c43a96b
SHA512 ca565c4eca51c0083effa724c8ced7025f29727b8d47f70d4b61a4489fbc5bcdc28139bf3f9c0f3fe736419ebb0d1edc9f92a75e4dbea8d4b3fb39f6c08f228d

memory/644-111-0x00007FF76E1F0000-0x00007FF76E541000-memory.dmp

memory/2112-109-0x00007FF7D2F10000-0x00007FF7D3261000-memory.dmp

memory/1636-107-0x00007FF694690000-0x00007FF6949E1000-memory.dmp

C:\Windows\System\guBELRe.exe

MD5 957bd37f38190c2ee5336fb30a029508
SHA1 58281b39bafd7ba6876dec24705d52c2d812a192
SHA256 fc838349d91197fd9e7b10bb274cbe2e0b83e951c11c0a18f9cceacc6810ff43
SHA512 bfa74b3ae2c9532f03f72918a3e136965cf6edffdd2792c8f7ea5a7d7a8aeabb38d5476da69ca583a2cd403e4b39a1de02db8ba2aff1f4e88ad2b8efc10047a8

memory/1920-130-0x00007FF705220000-0x00007FF705571000-memory.dmp

memory/2128-126-0x00007FF7FAC40000-0x00007FF7FAF91000-memory.dmp

memory/824-125-0x00007FF782E40000-0x00007FF783191000-memory.dmp

memory/2352-132-0x00007FF745450000-0x00007FF7457A1000-memory.dmp

memory/924-143-0x00007FF7B7DB0000-0x00007FF7B8101000-memory.dmp

memory/824-150-0x00007FF782E40000-0x00007FF783191000-memory.dmp

memory/824-151-0x00007FF782E40000-0x00007FF783191000-memory.dmp

memory/2128-201-0x00007FF7FAC40000-0x00007FF7FAF91000-memory.dmp

memory/3264-203-0x00007FF75FF20000-0x00007FF760271000-memory.dmp

memory/1920-205-0x00007FF705220000-0x00007FF705571000-memory.dmp

memory/2612-207-0x00007FF681A90000-0x00007FF681DE1000-memory.dmp

memory/2352-209-0x00007FF745450000-0x00007FF7457A1000-memory.dmp

memory/4668-211-0x00007FF7CE970000-0x00007FF7CECC1000-memory.dmp

memory/3084-216-0x00007FF645450000-0x00007FF6457A1000-memory.dmp

memory/1636-218-0x00007FF694690000-0x00007FF6949E1000-memory.dmp

memory/2112-220-0x00007FF7D2F10000-0x00007FF7D3261000-memory.dmp

memory/2928-222-0x00007FF6606F0000-0x00007FF660A41000-memory.dmp

memory/644-224-0x00007FF76E1F0000-0x00007FF76E541000-memory.dmp

memory/3652-226-0x00007FF7EC910000-0x00007FF7ECC61000-memory.dmp

memory/1136-228-0x00007FF7B1290000-0x00007FF7B15E1000-memory.dmp

memory/1292-230-0x00007FF796010000-0x00007FF796361000-memory.dmp

memory/1336-232-0x00007FF7E9B30000-0x00007FF7E9E81000-memory.dmp

memory/684-234-0x00007FF708AA0000-0x00007FF708DF1000-memory.dmp

memory/1988-238-0x00007FF7108B0000-0x00007FF710C01000-memory.dmp

memory/4500-240-0x00007FF7025D0000-0x00007FF702921000-memory.dmp

memory/3544-242-0x00007FF6553F0000-0x00007FF655741000-memory.dmp

memory/4636-244-0x00007FF6E8740000-0x00007FF6E8A91000-memory.dmp

memory/924-248-0x00007FF7B7DB0000-0x00007FF7B8101000-memory.dmp