Malware Analysis Report

2025-01-06 18:18

Sample ID 240527-wkd7wadd95
Target 2024-05-27_46ec1227ad5ac0f2d4018bb56195e568_cobalt-strike_cobaltstrike
SHA256 924307950a648626434c9637d783ece958986b7c84ebafbd283b99bddbcfb36c
Tags cobaltstrike xmrig 0 backdoor miner trojan upx
Score 10/10

Analysis Overview

Threat Level: Known bad

The file 2024-05-27_46ec1227ad5ac0f2d4018bb56195e568_cobalt-strike_cobaltstrike was found to be: Known bad.

Malicious Activity Summary

Detects Reflective DLL injection artifacts

Cobaltstrike

UPX dump on OEP (original entry point)

XMRig Miner payload

Xmrig family

Cobalt Strike reflective loader

xmrig

Cobaltstrike family

Loads dropped DLL

UPX packed file

Executes dropped EXE

Drops file in Windows directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-05-27 17:58

Signatures

Cobalt Strike reflective loader

Cobaltstrike family

cobaltstrike

Detects Reflective DLL injection artifacts

UPX dump on OEP (original entry point)

XMRig Miner payload

miner

Xmrig family

xmrig

UPX packed file

upx

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-27 17:58

Reported

2024-05-27 18:01

Platform

win7-20240221-en

Max time kernel

126s

Max time network

141s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-05-27_46ec1227ad5ac0f2d4018bb56195e568_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

UPX dump on OEP (original entry point)

XMRig Miner payload

miner

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_46ec1227ad5ac0f2d4018bb56195e568_cobalt-strike_cobaltstrike.exe N/A
(the same entry is recorded 21 times)

UPX packed file

upx

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\sxSPMGA.exe C:\Users\Admin\AppData\Local\Temp\2024-05-27_46ec1227ad5ac0f2d4018bb56195e568_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\KdesDgQ.exe C:\Users\Admin\AppData\Local\Temp\2024-05-27_46ec1227ad5ac0f2d4018bb56195e568_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\PTheKvD.exe C:\Users\Admin\AppData\Local\Temp\2024-05-27_46ec1227ad5ac0f2d4018bb56195e568_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\qrICxvV.exe C:\Users\Admin\AppData\Local\Temp\2024-05-27_46ec1227ad5ac0f2d4018bb56195e568_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\qbgHMBC.exe C:\Users\Admin\AppData\Local\Temp\2024-05-27_46ec1227ad5ac0f2d4018bb56195e568_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ThcuCBV.exe C:\Users\Admin\AppData\Local\Temp\2024-05-27_46ec1227ad5ac0f2d4018bb56195e568_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\GeEYypr.exe C:\Users\Admin\AppData\Local\Temp\2024-05-27_46ec1227ad5ac0f2d4018bb56195e568_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\HBNcugZ.exe C:\Users\Admin\AppData\Local\Temp\2024-05-27_46ec1227ad5ac0f2d4018bb56195e568_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ctlaIAd.exe C:\Users\Admin\AppData\Local\Temp\2024-05-27_46ec1227ad5ac0f2d4018bb56195e568_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\SRACesY.exe C:\Users\Admin\AppData\Local\Temp\2024-05-27_46ec1227ad5ac0f2d4018bb56195e568_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\OCglYUj.exe C:\Users\Admin\AppData\Local\Temp\2024-05-27_46ec1227ad5ac0f2d4018bb56195e568_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\MxEFHKJ.exe C:\Users\Admin\AppData\Local\Temp\2024-05-27_46ec1227ad5ac0f2d4018bb56195e568_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\KNyleJf.exe C:\Users\Admin\AppData\Local\Temp\2024-05-27_46ec1227ad5ac0f2d4018bb56195e568_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ESbIZSe.exe C:\Users\Admin\AppData\Local\Temp\2024-05-27_46ec1227ad5ac0f2d4018bb56195e568_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\LoPJUgr.exe C:\Users\Admin\AppData\Local\Temp\2024-05-27_46ec1227ad5ac0f2d4018bb56195e568_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\Xhrysrg.exe C:\Users\Admin\AppData\Local\Temp\2024-05-27_46ec1227ad5ac0f2d4018bb56195e568_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\nwQsfea.exe C:\Users\Admin\AppData\Local\Temp\2024-05-27_46ec1227ad5ac0f2d4018bb56195e568_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\mJbKzqh.exe C:\Users\Admin\AppData\Local\Temp\2024-05-27_46ec1227ad5ac0f2d4018bb56195e568_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\YbOjAaD.exe C:\Users\Admin\AppData\Local\Temp\2024-05-27_46ec1227ad5ac0f2d4018bb56195e568_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\wLnqUNX.exe C:\Users\Admin\AppData\Local\Temp\2024-05-27_46ec1227ad5ac0f2d4018bb56195e568_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\yQaPSLH.exe C:\Users\Admin\AppData\Local\Temp\2024-05-27_46ec1227ad5ac0f2d4018bb56195e568_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_46ec1227ad5ac0f2d4018bb56195e568_cobalt-strike_cobaltstrike.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_46ec1227ad5ac0f2d4018bb56195e568_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2136 wrote to memory of 548 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_46ec1227ad5ac0f2d4018bb56195e568_cobalt-strike_cobaltstrike.exe C:\Windows\System\sxSPMGA.exe
PID 2136 wrote to memory of 2084 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_46ec1227ad5ac0f2d4018bb56195e568_cobalt-strike_cobaltstrike.exe C:\Windows\System\ThcuCBV.exe
PID 2136 wrote to memory of 2396 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_46ec1227ad5ac0f2d4018bb56195e568_cobalt-strike_cobaltstrike.exe C:\Windows\System\GeEYypr.exe
PID 2136 wrote to memory of 1332 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_46ec1227ad5ac0f2d4018bb56195e568_cobalt-strike_cobaltstrike.exe C:\Windows\System\Xhrysrg.exe
PID 2136 wrote to memory of 2272 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_46ec1227ad5ac0f2d4018bb56195e568_cobalt-strike_cobaltstrike.exe C:\Windows\System\nwQsfea.exe
PID 2136 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_46ec1227ad5ac0f2d4018bb56195e568_cobalt-strike_cobaltstrike.exe C:\Windows\System\KdesDgQ.exe
PID 2136 wrote to memory of 3012 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_46ec1227ad5ac0f2d4018bb56195e568_cobalt-strike_cobaltstrike.exe C:\Windows\System\PTheKvD.exe
PID 2136 wrote to memory of 1824 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_46ec1227ad5ac0f2d4018bb56195e568_cobalt-strike_cobaltstrike.exe C:\Windows\System\KNyleJf.exe
PID 2136 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_46ec1227ad5ac0f2d4018bb56195e568_cobalt-strike_cobaltstrike.exe C:\Windows\System\HBNcugZ.exe
PID 2136 wrote to memory of 2496 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_46ec1227ad5ac0f2d4018bb56195e568_cobalt-strike_cobaltstrike.exe C:\Windows\System\mJbKzqh.exe
PID 2136 wrote to memory of 2900 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_46ec1227ad5ac0f2d4018bb56195e568_cobalt-strike_cobaltstrike.exe C:\Windows\System\YbOjAaD.exe
PID 2136 wrote to memory of 2544 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_46ec1227ad5ac0f2d4018bb56195e568_cobalt-strike_cobaltstrike.exe C:\Windows\System\ESbIZSe.exe
PID 2136 wrote to memory of 2644 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_46ec1227ad5ac0f2d4018bb56195e568_cobalt-strike_cobaltstrike.exe C:\Windows\System\ctlaIAd.exe
PID 2136 wrote to memory of 2560 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_46ec1227ad5ac0f2d4018bb56195e568_cobalt-strike_cobaltstrike.exe C:\Windows\System\SRACesY.exe
PID 2136 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_46ec1227ad5ac0f2d4018bb56195e568_cobalt-strike_cobaltstrike.exe C:\Windows\System\OCglYUj.exe
PID 2136 wrote to memory of 2532 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_46ec1227ad5ac0f2d4018bb56195e568_cobalt-strike_cobaltstrike.exe C:\Windows\System\qrICxvV.exe
PID 2136 wrote to memory of 2688 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_46ec1227ad5ac0f2d4018bb56195e568_cobalt-strike_cobaltstrike.exe C:\Windows\System\wLnqUNX.exe
PID 2136 wrote to memory of 2608 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_46ec1227ad5ac0f2d4018bb56195e568_cobalt-strike_cobaltstrike.exe C:\Windows\System\yQaPSLH.exe
PID 2136 wrote to memory of 2120 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_46ec1227ad5ac0f2d4018bb56195e568_cobalt-strike_cobaltstrike.exe C:\Windows\System\qbgHMBC.exe
PID 2136 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_46ec1227ad5ac0f2d4018bb56195e568_cobalt-strike_cobaltstrike.exe C:\Windows\System\LoPJUgr.exe
PID 2136 wrote to memory of 2424 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_46ec1227ad5ac0f2d4018bb56195e568_cobalt-strike_cobaltstrike.exe C:\Windows\System\MxEFHKJ.exe
(each entry is recorded 3 times)

Processes

C:\Users\Admin\AppData\Local\Temp\2024-05-27_46ec1227ad5ac0f2d4018bb56195e568_cobalt-strike_cobaltstrike.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\2024-05-27_46ec1227ad5ac0f2d4018bb56195e568_cobalt-strike_cobaltstrike.exe"

Child processes (each launched with its own path as the command line):

C:\Windows\System\sxSPMGA.exe
C:\Windows\System\ThcuCBV.exe
C:\Windows\System\GeEYypr.exe
C:\Windows\System\Xhrysrg.exe
C:\Windows\System\nwQsfea.exe
C:\Windows\System\KdesDgQ.exe
C:\Windows\System\PTheKvD.exe
C:\Windows\System\KNyleJf.exe
C:\Windows\System\HBNcugZ.exe
C:\Windows\System\mJbKzqh.exe
C:\Windows\System\YbOjAaD.exe
C:\Windows\System\ESbIZSe.exe
C:\Windows\System\ctlaIAd.exe
C:\Windows\System\SRACesY.exe
C:\Windows\System\OCglYUj.exe
C:\Windows\System\qrICxvV.exe
C:\Windows\System\wLnqUNX.exe
C:\Windows\System\yQaPSLH.exe
C:\Windows\System\qbgHMBC.exe
C:\Windows\System\LoPJUgr.exe
C:\Windows\System\MxEFHKJ.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 N/A tcp
(the same connection is recorded 5 times)

Files


memory/548-138-0x000000013F090000-0x000000013F3E4000-memory.dmp

memory/2396-139-0x000000013FEA0000-0x00000001401F4000-memory.dmp

memory/2272-140-0x000000013F470000-0x000000013F7C4000-memory.dmp

memory/3012-141-0x000000013FD90000-0x00000001400E4000-memory.dmp

memory/2084-142-0x000000013FF90000-0x00000001402E4000-memory.dmp

memory/1332-143-0x000000013F1A0000-0x000000013F4F4000-memory.dmp

memory/2900-147-0x000000013F7B0000-0x000000013FB04000-memory.dmp

memory/2548-146-0x000000013F7B0000-0x000000013FB04000-memory.dmp

memory/2644-145-0x000000013FB70000-0x000000013FEC4000-memory.dmp

memory/2668-144-0x000000013F2F0000-0x000000013F644000-memory.dmp

memory/2688-148-0x000000013F9E0000-0x000000013FD34000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-27 17:58

Reported

2024-05-27 18:01

Platform

win10v2004-20240226-en

Max time kernel

146s

Max time network

158s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-05-27_46ec1227ad5ac0f2d4018bb56195e568_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\sSQamAX.exe C:\Users\Admin\AppData\Local\Temp\2024-05-27_46ec1227ad5ac0f2d4018bb56195e568_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\OqOhdfz.exe C:\Users\Admin\AppData\Local\Temp\2024-05-27_46ec1227ad5ac0f2d4018bb56195e568_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\vTGyVDo.exe C:\Users\Admin\AppData\Local\Temp\2024-05-27_46ec1227ad5ac0f2d4018bb56195e568_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\LmfWaEf.exe C:\Users\Admin\AppData\Local\Temp\2024-05-27_46ec1227ad5ac0f2d4018bb56195e568_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\nSpJYQv.exe C:\Users\Admin\AppData\Local\Temp\2024-05-27_46ec1227ad5ac0f2d4018bb56195e568_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\uVMzphV.exe C:\Users\Admin\AppData\Local\Temp\2024-05-27_46ec1227ad5ac0f2d4018bb56195e568_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\qFGWqig.exe C:\Users\Admin\AppData\Local\Temp\2024-05-27_46ec1227ad5ac0f2d4018bb56195e568_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\UiJBJuo.exe C:\Users\Admin\AppData\Local\Temp\2024-05-27_46ec1227ad5ac0f2d4018bb56195e568_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\FhcdCex.exe C:\Users\Admin\AppData\Local\Temp\2024-05-27_46ec1227ad5ac0f2d4018bb56195e568_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\rpHdrSS.exe C:\Users\Admin\AppData\Local\Temp\2024-05-27_46ec1227ad5ac0f2d4018bb56195e568_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\SSSXbpW.exe C:\Users\Admin\AppData\Local\Temp\2024-05-27_46ec1227ad5ac0f2d4018bb56195e568_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\FBMvBVG.exe C:\Users\Admin\AppData\Local\Temp\2024-05-27_46ec1227ad5ac0f2d4018bb56195e568_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\CurNQie.exe C:\Users\Admin\AppData\Local\Temp\2024-05-27_46ec1227ad5ac0f2d4018bb56195e568_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\zFqNpVA.exe C:\Users\Admin\AppData\Local\Temp\2024-05-27_46ec1227ad5ac0f2d4018bb56195e568_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ZWRIBdA.exe C:\Users\Admin\AppData\Local\Temp\2024-05-27_46ec1227ad5ac0f2d4018bb56195e568_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\Fywdvyf.exe C:\Users\Admin\AppData\Local\Temp\2024-05-27_46ec1227ad5ac0f2d4018bb56195e568_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\mtTsTLP.exe C:\Users\Admin\AppData\Local\Temp\2024-05-27_46ec1227ad5ac0f2d4018bb56195e568_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\vsOXZJm.exe C:\Users\Admin\AppData\Local\Temp\2024-05-27_46ec1227ad5ac0f2d4018bb56195e568_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\zpQqxhY.exe C:\Users\Admin\AppData\Local\Temp\2024-05-27_46ec1227ad5ac0f2d4018bb56195e568_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\FIZtsFJ.exe C:\Users\Admin\AppData\Local\Temp\2024-05-27_46ec1227ad5ac0f2d4018bb56195e568_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\veUGWrQ.exe C:\Users\Admin\AppData\Local\Temp\2024-05-27_46ec1227ad5ac0f2d4018bb56195e568_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_46ec1227ad5ac0f2d4018bb56195e568_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3100 wrote to memory of 2012 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_46ec1227ad5ac0f2d4018bb56195e568_cobalt-strike_cobaltstrike.exe C:\Windows\System\CurNQie.exe
PID 3100 wrote to memory of 4580 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_46ec1227ad5ac0f2d4018bb56195e568_cobalt-strike_cobaltstrike.exe C:\Windows\System\UiJBJuo.exe
PID 3100 wrote to memory of 4016 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_46ec1227ad5ac0f2d4018bb56195e568_cobalt-strike_cobaltstrike.exe C:\Windows\System\zFqNpVA.exe
PID 3100 wrote to memory of 4724 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_46ec1227ad5ac0f2d4018bb56195e568_cobalt-strike_cobaltstrike.exe C:\Windows\System\FhcdCex.exe
PID 3100 wrote to memory of 3660 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_46ec1227ad5ac0f2d4018bb56195e568_cobalt-strike_cobaltstrike.exe C:\Windows\System\rpHdrSS.exe
PID 3100 wrote to memory of 3608 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_46ec1227ad5ac0f2d4018bb56195e568_cobalt-strike_cobaltstrike.exe C:\Windows\System\ZWRIBdA.exe
PID 3100 wrote to memory of 2196 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_46ec1227ad5ac0f2d4018bb56195e568_cobalt-strike_cobaltstrike.exe C:\Windows\System\sSQamAX.exe
PID 3100 wrote to memory of 3300 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_46ec1227ad5ac0f2d4018bb56195e568_cobalt-strike_cobaltstrike.exe C:\Windows\System\OqOhdfz.exe
PID 3100 wrote to memory of 908 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_46ec1227ad5ac0f2d4018bb56195e568_cobalt-strike_cobaltstrike.exe C:\Windows\System\Fywdvyf.exe
PID 3100 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_46ec1227ad5ac0f2d4018bb56195e568_cobalt-strike_cobaltstrike.exe C:\Windows\System\mtTsTLP.exe
PID 3100 wrote to memory of 4044 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_46ec1227ad5ac0f2d4018bb56195e568_cobalt-strike_cobaltstrike.exe C:\Windows\System\vTGyVDo.exe
PID 3100 wrote to memory of 4844 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_46ec1227ad5ac0f2d4018bb56195e568_cobalt-strike_cobaltstrike.exe C:\Windows\System\vsOXZJm.exe
PID 3100 wrote to memory of 4592 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_46ec1227ad5ac0f2d4018bb56195e568_cobalt-strike_cobaltstrike.exe C:\Windows\System\nSpJYQv.exe
PID 3100 wrote to memory of 5012 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_46ec1227ad5ac0f2d4018bb56195e568_cobalt-strike_cobaltstrike.exe C:\Windows\System\zpQqxhY.exe
PID 3100 wrote to memory of 2008 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_46ec1227ad5ac0f2d4018bb56195e568_cobalt-strike_cobaltstrike.exe C:\Windows\System\LmfWaEf.exe
PID 3100 wrote to memory of 4612 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_46ec1227ad5ac0f2d4018bb56195e568_cobalt-strike_cobaltstrike.exe C:\Windows\System\SSSXbpW.exe
PID 3100 wrote to memory of 1572 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_46ec1227ad5ac0f2d4018bb56195e568_cobalt-strike_cobaltstrike.exe C:\Windows\System\uVMzphV.exe
PID 3100 wrote to memory of 3652 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_46ec1227ad5ac0f2d4018bb56195e568_cobalt-strike_cobaltstrike.exe C:\Windows\System\qFGWqig.exe
PID 3100 wrote to memory of 864 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_46ec1227ad5ac0f2d4018bb56195e568_cobalt-strike_cobaltstrike.exe C:\Windows\System\FIZtsFJ.exe
PID 3100 wrote to memory of 4012 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_46ec1227ad5ac0f2d4018bb56195e568_cobalt-strike_cobaltstrike.exe C:\Windows\System\FBMvBVG.exe
PID 3100 wrote to memory of 1624 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_46ec1227ad5ac0f2d4018bb56195e568_cobalt-strike_cobaltstrike.exe C:\Windows\System\veUGWrQ.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-05-27_46ec1227ad5ac0f2d4018bb56195e568_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-05-27_46ec1227ad5ac0f2d4018bb56195e568_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\CurNQie.exe

C:\Windows\System\CurNQie.exe

C:\Windows\System\UiJBJuo.exe

C:\Windows\System\UiJBJuo.exe

C:\Windows\System\zFqNpVA.exe

C:\Windows\System\zFqNpVA.exe

C:\Windows\System\FhcdCex.exe

C:\Windows\System\FhcdCex.exe

C:\Windows\System\rpHdrSS.exe

C:\Windows\System\rpHdrSS.exe

C:\Windows\System\ZWRIBdA.exe

C:\Windows\System\ZWRIBdA.exe

C:\Windows\System\sSQamAX.exe

C:\Windows\System\sSQamAX.exe

C:\Windows\System\OqOhdfz.exe

C:\Windows\System\OqOhdfz.exe

C:\Windows\System\Fywdvyf.exe

C:\Windows\System\Fywdvyf.exe

C:\Windows\System\mtTsTLP.exe

C:\Windows\System\mtTsTLP.exe

C:\Windows\System\vTGyVDo.exe

C:\Windows\System\vTGyVDo.exe

C:\Windows\System\vsOXZJm.exe

C:\Windows\System\vsOXZJm.exe

C:\Windows\System\nSpJYQv.exe

C:\Windows\System\nSpJYQv.exe

C:\Windows\System\zpQqxhY.exe

C:\Windows\System\zpQqxhY.exe

C:\Windows\System\LmfWaEf.exe

C:\Windows\System\LmfWaEf.exe

C:\Windows\System\SSSXbpW.exe

C:\Windows\System\SSSXbpW.exe

C:\Windows\System\uVMzphV.exe

C:\Windows\System\uVMzphV.exe

C:\Windows\System\qFGWqig.exe

C:\Windows\System\qFGWqig.exe

C:\Windows\System\FIZtsFJ.exe

C:\Windows\System\FIZtsFJ.exe

C:\Windows\System\FBMvBVG.exe

C:\Windows\System\FBMvBVG.exe

C:\Windows\System\veUGWrQ.exe

C:\Windows\System\veUGWrQ.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4456 --field-trial-handle=2744,i,16362475727591565961,3676688664819797550,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
GB 172.217.169.74:443 tcp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 13.107.253.64:443 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 144.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 24.73.42.20.in-addr.arpa udp
DE 3.120.209.58:8080 tcp

Files
