Malware Analysis Report

2025-03-15 08:11

Sample ID 240529-1q4f6sbb8t
Target 2024-05-29_3289db52e6c72741494fe0d15af301e4_cobalt-strike_cobaltstrike
SHA256 d1a7ac0157631e73b2916835d7ea7a6ef13bd8677ca695db237d2c73050a24a8
Tags
upx 0 miner cobaltstrike xmrig backdoor trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

d1a7ac0157631e73b2916835d7ea7a6ef13bd8677ca695db237d2c73050a24a8

Threat Level: Known bad

The file 2024-05-29_3289db52e6c72741494fe0d15af301e4_cobalt-strike_cobaltstrike was found to be: Known bad.

Malicious Activity Summary

UPX dump on OEP (original entry point)

Cobalt Strike reflective loader

Cobaltstrike family

Detects Reflective DLL injection artifacts

XMRig Miner payload

Xmrig family

xmrig

Cobaltstrike

Loads dropped DLL

Executes dropped EXE

UPX packed file

Drops file in Windows directory

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-05-29 21:52

Signatures

Cobalt Strike reflective loader

Cobaltstrike family

cobaltstrike

Detects Reflective DLL injection artifacts

UPX dump on OEP (original entry point)

XMRig Miner payload

miner
Xmrig family

xmrig

UPX packed file

upx
Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-29 21:52

Reported

2024-05-29 21:54

Platform

win7-20231129-en

Max time kernel

141s

Max time network

145s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-05-29_3289db52e6c72741494fe0d15af301e4_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

UPX dump on OEP (original entry point)

XMRig Miner payload

miner
Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_3289db52e6c72741494fe0d15af301e4_cobalt-strike_cobaltstrike.exe N/A

UPX packed file

upx
Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\lPQndmR.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_3289db52e6c72741494fe0d15af301e4_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\qZyfyKW.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_3289db52e6c72741494fe0d15af301e4_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\gGekhkx.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_3289db52e6c72741494fe0d15af301e4_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\CCFqXTq.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_3289db52e6c72741494fe0d15af301e4_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\bALRoPx.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_3289db52e6c72741494fe0d15af301e4_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\jgmtlJe.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_3289db52e6c72741494fe0d15af301e4_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\UvEtTcG.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_3289db52e6c72741494fe0d15af301e4_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\zvtySQl.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_3289db52e6c72741494fe0d15af301e4_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\GVKwqLl.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_3289db52e6c72741494fe0d15af301e4_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ddjafmx.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_3289db52e6c72741494fe0d15af301e4_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\KElVvUJ.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_3289db52e6c72741494fe0d15af301e4_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\qUXALsq.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_3289db52e6c72741494fe0d15af301e4_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\DxKfJZg.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_3289db52e6c72741494fe0d15af301e4_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\JKQrqiB.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_3289db52e6c72741494fe0d15af301e4_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\jzCOtmv.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_3289db52e6c72741494fe0d15af301e4_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\qbodWhw.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_3289db52e6c72741494fe0d15af301e4_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\tyXUpon.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_3289db52e6c72741494fe0d15af301e4_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\eUoTROe.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_3289db52e6c72741494fe0d15af301e4_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\tfaYHmy.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_3289db52e6c72741494fe0d15af301e4_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ZwQZDZc.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_3289db52e6c72741494fe0d15af301e4_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\vwvWwIh.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_3289db52e6c72741494fe0d15af301e4_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_3289db52e6c72741494fe0d15af301e4_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2220 wrote to memory of 1844 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_3289db52e6c72741494fe0d15af301e4_cobalt-strike_cobaltstrike.exe C:\Windows\System\tfaYHmy.exe
PID 2220 wrote to memory of 2564 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_3289db52e6c72741494fe0d15af301e4_cobalt-strike_cobaltstrike.exe C:\Windows\System\DxKfJZg.exe
PID 2220 wrote to memory of 2612 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_3289db52e6c72741494fe0d15af301e4_cobalt-strike_cobaltstrike.exe C:\Windows\System\JKQrqiB.exe
PID 2220 wrote to memory of 2688 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_3289db52e6c72741494fe0d15af301e4_cobalt-strike_cobaltstrike.exe C:\Windows\System\lPQndmR.exe
PID 2220 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_3289db52e6c72741494fe0d15af301e4_cobalt-strike_cobaltstrike.exe C:\Windows\System\jzCOtmv.exe
PID 2220 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_3289db52e6c72741494fe0d15af301e4_cobalt-strike_cobaltstrike.exe C:\Windows\System\UvEtTcG.exe
PID 2220 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_3289db52e6c72741494fe0d15af301e4_cobalt-strike_cobaltstrike.exe C:\Windows\System\qZyfyKW.exe
PID 2220 wrote to memory of 2608 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_3289db52e6c72741494fe0d15af301e4_cobalt-strike_cobaltstrike.exe C:\Windows\System\ZwQZDZc.exe
PID 2220 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_3289db52e6c72741494fe0d15af301e4_cobalt-strike_cobaltstrike.exe C:\Windows\System\vwvWwIh.exe
PID 2220 wrote to memory of 1236 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_3289db52e6c72741494fe0d15af301e4_cobalt-strike_cobaltstrike.exe C:\Windows\System\zvtySQl.exe
PID 2220 wrote to memory of 1924 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_3289db52e6c72741494fe0d15af301e4_cobalt-strike_cobaltstrike.exe C:\Windows\System\gGekhkx.exe
PID 2220 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_3289db52e6c72741494fe0d15af301e4_cobalt-strike_cobaltstrike.exe C:\Windows\System\GVKwqLl.exe
PID 2220 wrote to memory of 1768 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_3289db52e6c72741494fe0d15af301e4_cobalt-strike_cobaltstrike.exe C:\Windows\System\CCFqXTq.exe
PID 2220 wrote to memory of 956 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_3289db52e6c72741494fe0d15af301e4_cobalt-strike_cobaltstrike.exe C:\Windows\System\ddjafmx.exe
PID 2220 wrote to memory of 1928 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_3289db52e6c72741494fe0d15af301e4_cobalt-strike_cobaltstrike.exe C:\Windows\System\qbodWhw.exe
PID 2220 wrote to memory of 1692 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_3289db52e6c72741494fe0d15af301e4_cobalt-strike_cobaltstrike.exe C:\Windows\System\tyXUpon.exe
PID 2220 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_3289db52e6c72741494fe0d15af301e4_cobalt-strike_cobaltstrike.exe C:\Windows\System\KElVvUJ.exe
PID 2220 wrote to memory of 1636 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_3289db52e6c72741494fe0d15af301e4_cobalt-strike_cobaltstrike.exe C:\Windows\System\bALRoPx.exe
PID 2220 wrote to memory of 2784 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_3289db52e6c72741494fe0d15af301e4_cobalt-strike_cobaltstrike.exe C:\Windows\System\eUoTROe.exe
PID 2220 wrote to memory of 2716 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_3289db52e6c72741494fe0d15af301e4_cobalt-strike_cobaltstrike.exe C:\Windows\System\jgmtlJe.exe
PID 2220 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_3289db52e6c72741494fe0d15af301e4_cobalt-strike_cobaltstrike.exe C:\Windows\System\qUXALsq.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-05-29_3289db52e6c72741494fe0d15af301e4_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-05-29_3289db52e6c72741494fe0d15af301e4_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\tfaYHmy.exe

C:\Windows\System\tfaYHmy.exe

C:\Windows\System\DxKfJZg.exe

C:\Windows\System\DxKfJZg.exe

C:\Windows\System\JKQrqiB.exe

C:\Windows\System\JKQrqiB.exe

C:\Windows\System\lPQndmR.exe

C:\Windows\System\lPQndmR.exe

C:\Windows\System\jzCOtmv.exe

C:\Windows\System\jzCOtmv.exe

C:\Windows\System\UvEtTcG.exe

C:\Windows\System\UvEtTcG.exe

C:\Windows\System\qZyfyKW.exe

C:\Windows\System\qZyfyKW.exe

C:\Windows\System\ZwQZDZc.exe

C:\Windows\System\ZwQZDZc.exe

C:\Windows\System\vwvWwIh.exe

C:\Windows\System\vwvWwIh.exe

C:\Windows\System\zvtySQl.exe

C:\Windows\System\zvtySQl.exe

C:\Windows\System\gGekhkx.exe

C:\Windows\System\gGekhkx.exe

C:\Windows\System\GVKwqLl.exe

C:\Windows\System\GVKwqLl.exe

C:\Windows\System\CCFqXTq.exe

C:\Windows\System\CCFqXTq.exe

C:\Windows\System\ddjafmx.exe

C:\Windows\System\ddjafmx.exe

C:\Windows\System\qbodWhw.exe

C:\Windows\System\qbodWhw.exe

C:\Windows\System\tyXUpon.exe

C:\Windows\System\tyXUpon.exe

C:\Windows\System\KElVvUJ.exe

C:\Windows\System\KElVvUJ.exe

C:\Windows\System\bALRoPx.exe

C:\Windows\System\bALRoPx.exe

C:\Windows\System\eUoTROe.exe

C:\Windows\System\eUoTROe.exe

C:\Windows\System\jgmtlJe.exe

C:\Windows\System\jgmtlJe.exe

C:\Windows\System\qUXALsq.exe

C:\Windows\System\qUXALsq.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 tcp

Files

memory/2220-0-0x000000013F050000-0x000000013F3A1000-memory.dmp

memory/2220-1-0x00000000000F0000-0x0000000000100000-memory.dmp

C:\Windows\system\tfaYHmy.exe

MD5 f7a5a083dc9dfabdd08dfe0f0c05f178
SHA1 56f6400079608a6f7097f8b655d71579b88b9029
SHA256 74346a56177ff1d7b2d4e66cb59d85b8648d8e5888b8580fad54cdf682a044a4
SHA512 d73fadc07032ad14094c988c9cef024d416085a45e9b91778d5720b5ab4f8b502183dab0a561f80cc7d95b9e13c25cf46f15a2fc70bfcad8fdc9ab70bbf6d637

memory/1844-9-0x000000013F3B0000-0x000000013F701000-memory.dmp

memory/2220-7-0x000000013F3B0000-0x000000013F701000-memory.dmp

\Windows\system\DxKfJZg.exe

MD5 847c7ed3e5bcd1a8cd5f0964e5641c3c
SHA1 edf6d8b8b049188c14759f8c5f8829bf1cca20e6
SHA256 9ea3749033afc3751af0a552a4224954f36b81d2018dcb555f284b53bd47fee8
SHA512 0fa84911b10ef8ce1de7899206efcdc856aae918f4def88dc91f509eb898ee30227b5a5006950de324076fc6a75c8d90583783594f2b103d06bd0dd57633615f

memory/2220-14-0x000000013FA50000-0x000000013FDA1000-memory.dmp

C:\Windows\system\JKQrqiB.exe

MD5 7291e28569917f270ebb5d3a989d2b85
SHA1 314281b7ae65bd0fbb448a573adbc81bf3f2f40c
SHA256 5e4fe2a8f86ea8dd6e18dfb4451450c0958055a710703274998ba7bfe0e8a775
SHA512 9c27d7575e5d35c6d9fb72e79d023ae1c34270bc3fb8efc2b1bbc2743296296ede35e547cb2c56ab91165c6e8a713e7063e065aee224d65a0e795d513d26e889

memory/2220-24-0x000000013F5C0000-0x000000013F911000-memory.dmp

C:\Windows\system\lPQndmR.exe

MD5 c5b712572dc2142eaa2c54853d9f5acb
SHA1 dde2267559724e8417aa373aac7f7c9f970a01c3
SHA256 01af6ce8b9a7b5e8593e3b09f860564ced6d1bb9a59579a9afaa77054428fd3e
SHA512 7aa8d60a0b468e42cde997bcb33c899d2ceaf8547ee392a79aa386b76caf0daffb1c2c7ed6530820d0318f8a13266160ac46e4617ca6757b1eef89f5f60e7fae

C:\Windows\system\jzCOtmv.exe

MD5 b18217c515313160d79494a3f9f81403
SHA1 d5bf94d9f468ea7afc0d6a0ec131b4d6d906d2e2
SHA256 ce41b45bac6d7d368b69fe3c2b71c7f16ae5212c8ddff576f8aff0c60ccdbeb7
SHA512 acbd71c6db62f84a0f79a010a1ae5734d4643c392982060ed68e8e7c5b23ee711e22a54694a3e6ef7030959b76a91088f5638ca276f9704b1226262fb9a125c7

memory/2676-36-0x000000013F450000-0x000000013F7A1000-memory.dmp

C:\Windows\system\UvEtTcG.exe

MD5 cb732310ffdcc1dda30ed46900de8793
SHA1 ef9fbeb4910d007c6dd53aa9ef3b28f3f634d95a
SHA256 76e95b5fb4041e4b4d028b526ef2720482baf8c7ebfc7fb1f515db7438bc8929
SHA512 2a2d9cbeb0ff29eb211ff2cc360263d7e2d44f5e4e6bbae3d348a503ab0af0122ffa01b58207e11630ccabc50a7d41772da0fc4f1c27edb6fc5ee98f8f570132

memory/2772-42-0x000000013FCA0000-0x000000013FFF1000-memory.dmp

memory/2220-41-0x000000013FCA0000-0x000000013FFF1000-memory.dmp

\Windows\system\qZyfyKW.exe

MD5 1b9db92e29696007d89dc1f5ad5c4191
SHA1 b307e9659853c0e911a71bbbfad571077814003c
SHA256 28b2e1d42c3a1f64f222119651bc910f149e94c95bbb545095a6dd16c643e0a2
SHA512 b4f217b9d1a7902e83ad8a9c69e1192a1160de28523bac1c223d13f5a45a6c491b0f71b99d573ae87ca85d5027b580605aff88455549f57ee4e762b285f4ed56

memory/2220-34-0x000000013F450000-0x000000013F7A1000-memory.dmp

memory/2220-33-0x00000000023D0000-0x0000000002721000-memory.dmp

memory/2688-32-0x000000013F1B0000-0x000000013F501000-memory.dmp

memory/2612-31-0x000000013F5C0000-0x000000013F911000-memory.dmp

memory/2564-18-0x000000013FA50000-0x000000013FDA1000-memory.dmp

\Windows\system\ZwQZDZc.exe

MD5 163cd014f9b5c492b7785879e2d7f161
SHA1 c7a3a90b1bfb05206b5ac5d92c5224bac2269007
SHA256 2de5a6fd9c1ff288f125da1a6eb754df839cfea8bbf4aeca4d41f01c8576aa01
SHA512 fd7ad25f9fc07b877be4377f1d81abef52eb6ab098db9c4b7ac69d7090845721721f5339913369bb9d8e9b0cf6b4e8ec379bfdd7651b27ac98e7d8d095611b12

memory/2220-55-0x000000013F580000-0x000000013F8D1000-memory.dmp

memory/2220-57-0x000000013F050000-0x000000013F3A1000-memory.dmp

memory/2608-59-0x000000013F580000-0x000000013F8D1000-memory.dmp

memory/2564-58-0x000000013FA50000-0x000000013FDA1000-memory.dmp

memory/2812-53-0x000000013F8A0000-0x000000013FBF1000-memory.dmp

memory/1844-65-0x000000013F3B0000-0x000000013F701000-memory.dmp

C:\Windows\system\vwvWwIh.exe

MD5 2a0d17124a6524e6bb0ff503fb32c686
SHA1 0d557d9bf6a3e2594ac4440d7007af1303baa31c
SHA256 6af5b57465b971576d14b7f4f8ba1379069cc1bf8a55f53eec66c96ece4af64a
SHA512 a0aa6f0e15791f997c23ef64fd4140766cdb27c9174ae5f412976897d8111616ec73c04edc1a3ea1afbd881981addd051bee86c9496dc6be4335ecf3ee92212d

memory/2520-66-0x000000013FE40000-0x0000000140191000-memory.dmp

\Windows\system\zvtySQl.exe

MD5 efe8be7e006b534f172f863749fadf57
SHA1 b04bef57cc9a06fda5e0fdb5f57c448a7030b2d1
SHA256 073198f3240186f884cc9ab68d4c98cae101d429c647369ffc49a5861d30c6b5
SHA512 aec8c53afe0dee66494d65ae4b75c32f9d61d45ca9a28aab726662d6f045ae8a130adb40bc864ef5962dd57ef57223c720e4def61cc8276e4074011dc0a3f24f


Analysis: behavioral2

Detonation Overview

Submitted

2024-05-29 21:52

Reported

2024-05-29 21:54

Platform

win10v2004-20240426-en

Max time kernel

140s

Max time network

144s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-05-29_3289db52e6c72741494fe0d15af301e4_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\UvEtTcG.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_3289db52e6c72741494fe0d15af301e4_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\qZyfyKW.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_3289db52e6c72741494fe0d15af301e4_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\gGekhkx.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_3289db52e6c72741494fe0d15af301e4_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ddjafmx.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_3289db52e6c72741494fe0d15af301e4_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\KElVvUJ.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_3289db52e6c72741494fe0d15af301e4_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\bALRoPx.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_3289db52e6c72741494fe0d15af301e4_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\jgmtlJe.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_3289db52e6c72741494fe0d15af301e4_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\tfaYHmy.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_3289db52e6c72741494fe0d15af301e4_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\DxKfJZg.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_3289db52e6c72741494fe0d15af301e4_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\JKQrqiB.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_3289db52e6c72741494fe0d15af301e4_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\lPQndmR.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_3289db52e6c72741494fe0d15af301e4_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\jzCOtmv.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_3289db52e6c72741494fe0d15af301e4_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\qbodWhw.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_3289db52e6c72741494fe0d15af301e4_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ZwQZDZc.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_3289db52e6c72741494fe0d15af301e4_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\vwvWwIh.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_3289db52e6c72741494fe0d15af301e4_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\GVKwqLl.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_3289db52e6c72741494fe0d15af301e4_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\tyXUpon.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_3289db52e6c72741494fe0d15af301e4_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\eUoTROe.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_3289db52e6c72741494fe0d15af301e4_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\zvtySQl.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_3289db52e6c72741494fe0d15af301e4_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\CCFqXTq.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_3289db52e6c72741494fe0d15af301e4_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\qUXALsq.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_3289db52e6c72741494fe0d15af301e4_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_3289db52e6c72741494fe0d15af301e4_cobalt-strike_cobaltstrike.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_3289db52e6c72741494fe0d15af301e4_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1740 wrote to memory of 3772 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_3289db52e6c72741494fe0d15af301e4_cobalt-strike_cobaltstrike.exe C:\Windows\System\tfaYHmy.exe
PID 1740 wrote to memory of 3772 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_3289db52e6c72741494fe0d15af301e4_cobalt-strike_cobaltstrike.exe C:\Windows\System\tfaYHmy.exe
PID 1740 wrote to memory of 1956 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_3289db52e6c72741494fe0d15af301e4_cobalt-strike_cobaltstrike.exe C:\Windows\System\DxKfJZg.exe
PID 1740 wrote to memory of 1956 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_3289db52e6c72741494fe0d15af301e4_cobalt-strike_cobaltstrike.exe C:\Windows\System\DxKfJZg.exe
PID 1740 wrote to memory of 392 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_3289db52e6c72741494fe0d15af301e4_cobalt-strike_cobaltstrike.exe C:\Windows\System\JKQrqiB.exe
PID 1740 wrote to memory of 392 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_3289db52e6c72741494fe0d15af301e4_cobalt-strike_cobaltstrike.exe C:\Windows\System\JKQrqiB.exe
PID 1740 wrote to memory of 5104 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_3289db52e6c72741494fe0d15af301e4_cobalt-strike_cobaltstrike.exe C:\Windows\System\lPQndmR.exe
PID 1740 wrote to memory of 5104 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_3289db52e6c72741494fe0d15af301e4_cobalt-strike_cobaltstrike.exe C:\Windows\System\lPQndmR.exe
PID 1740 wrote to memory of 4360 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_3289db52e6c72741494fe0d15af301e4_cobalt-strike_cobaltstrike.exe C:\Windows\System\jzCOtmv.exe
PID 1740 wrote to memory of 4360 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_3289db52e6c72741494fe0d15af301e4_cobalt-strike_cobaltstrike.exe C:\Windows\System\jzCOtmv.exe
PID 1740 wrote to memory of 536 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_3289db52e6c72741494fe0d15af301e4_cobalt-strike_cobaltstrike.exe C:\Windows\System\UvEtTcG.exe
PID 1740 wrote to memory of 536 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_3289db52e6c72741494fe0d15af301e4_cobalt-strike_cobaltstrike.exe C:\Windows\System\UvEtTcG.exe
PID 1740 wrote to memory of 3788 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_3289db52e6c72741494fe0d15af301e4_cobalt-strike_cobaltstrike.exe C:\Windows\System\qZyfyKW.exe
PID 1740 wrote to memory of 3788 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_3289db52e6c72741494fe0d15af301e4_cobalt-strike_cobaltstrike.exe C:\Windows\System\qZyfyKW.exe
PID 1740 wrote to memory of 852 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_3289db52e6c72741494fe0d15af301e4_cobalt-strike_cobaltstrike.exe C:\Windows\System\ZwQZDZc.exe
PID 1740 wrote to memory of 852 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_3289db52e6c72741494fe0d15af301e4_cobalt-strike_cobaltstrike.exe C:\Windows\System\ZwQZDZc.exe
PID 1740 wrote to memory of 1236 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_3289db52e6c72741494fe0d15af301e4_cobalt-strike_cobaltstrike.exe C:\Windows\System\vwvWwIh.exe
PID 1740 wrote to memory of 1236 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_3289db52e6c72741494fe0d15af301e4_cobalt-strike_cobaltstrike.exe C:\Windows\System\vwvWwIh.exe
PID 1740 wrote to memory of 1580 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_3289db52e6c72741494fe0d15af301e4_cobalt-strike_cobaltstrike.exe C:\Windows\System\zvtySQl.exe
PID 1740 wrote to memory of 1580 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_3289db52e6c72741494fe0d15af301e4_cobalt-strike_cobaltstrike.exe C:\Windows\System\zvtySQl.exe
PID 1740 wrote to memory of 1396 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_3289db52e6c72741494fe0d15af301e4_cobalt-strike_cobaltstrike.exe C:\Windows\System\gGekhkx.exe
PID 1740 wrote to memory of 1396 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_3289db52e6c72741494fe0d15af301e4_cobalt-strike_cobaltstrike.exe C:\Windows\System\gGekhkx.exe
PID 1740 wrote to memory of 3892 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_3289db52e6c72741494fe0d15af301e4_cobalt-strike_cobaltstrike.exe C:\Windows\System\GVKwqLl.exe
PID 1740 wrote to memory of 3892 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_3289db52e6c72741494fe0d15af301e4_cobalt-strike_cobaltstrike.exe C:\Windows\System\GVKwqLl.exe
PID 1740 wrote to memory of 4908 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_3289db52e6c72741494fe0d15af301e4_cobalt-strike_cobaltstrike.exe C:\Windows\System\CCFqXTq.exe
PID 1740 wrote to memory of 4908 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_3289db52e6c72741494fe0d15af301e4_cobalt-strike_cobaltstrike.exe C:\Windows\System\CCFqXTq.exe
PID 1740 wrote to memory of 4640 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_3289db52e6c72741494fe0d15af301e4_cobalt-strike_cobaltstrike.exe C:\Windows\System\ddjafmx.exe
PID 1740 wrote to memory of 4640 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_3289db52e6c72741494fe0d15af301e4_cobalt-strike_cobaltstrike.exe C:\Windows\System\ddjafmx.exe
PID 1740 wrote to memory of 1960 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_3289db52e6c72741494fe0d15af301e4_cobalt-strike_cobaltstrike.exe C:\Windows\System\qbodWhw.exe
PID 1740 wrote to memory of 1960 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_3289db52e6c72741494fe0d15af301e4_cobalt-strike_cobaltstrike.exe C:\Windows\System\qbodWhw.exe
PID 1740 wrote to memory of 3136 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_3289db52e6c72741494fe0d15af301e4_cobalt-strike_cobaltstrike.exe C:\Windows\System\tyXUpon.exe
PID 1740 wrote to memory of 3136 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_3289db52e6c72741494fe0d15af301e4_cobalt-strike_cobaltstrike.exe C:\Windows\System\tyXUpon.exe
PID 1740 wrote to memory of 1892 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_3289db52e6c72741494fe0d15af301e4_cobalt-strike_cobaltstrike.exe C:\Windows\System\KElVvUJ.exe
PID 1740 wrote to memory of 1892 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_3289db52e6c72741494fe0d15af301e4_cobalt-strike_cobaltstrike.exe C:\Windows\System\KElVvUJ.exe
PID 1740 wrote to memory of 1468 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_3289db52e6c72741494fe0d15af301e4_cobalt-strike_cobaltstrike.exe C:\Windows\System\bALRoPx.exe
PID 1740 wrote to memory of 1468 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_3289db52e6c72741494fe0d15af301e4_cobalt-strike_cobaltstrike.exe C:\Windows\System\bALRoPx.exe
PID 1740 wrote to memory of 1980 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_3289db52e6c72741494fe0d15af301e4_cobalt-strike_cobaltstrike.exe C:\Windows\System\eUoTROe.exe
PID 1740 wrote to memory of 1980 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_3289db52e6c72741494fe0d15af301e4_cobalt-strike_cobaltstrike.exe C:\Windows\System\eUoTROe.exe
PID 1740 wrote to memory of 760 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_3289db52e6c72741494fe0d15af301e4_cobalt-strike_cobaltstrike.exe C:\Windows\System\jgmtlJe.exe
PID 1740 wrote to memory of 760 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_3289db52e6c72741494fe0d15af301e4_cobalt-strike_cobaltstrike.exe C:\Windows\System\jgmtlJe.exe
PID 1740 wrote to memory of 4376 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_3289db52e6c72741494fe0d15af301e4_cobalt-strike_cobaltstrike.exe C:\Windows\System\qUXALsq.exe
PID 1740 wrote to memory of 4376 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_3289db52e6c72741494fe0d15af301e4_cobalt-strike_cobaltstrike.exe C:\Windows\System\qUXALsq.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-05-29_3289db52e6c72741494fe0d15af301e4_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-05-29_3289db52e6c72741494fe0d15af301e4_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\tfaYHmy.exe

C:\Windows\System\tfaYHmy.exe

C:\Windows\System\DxKfJZg.exe

C:\Windows\System\DxKfJZg.exe

C:\Windows\System\JKQrqiB.exe

C:\Windows\System\JKQrqiB.exe

C:\Windows\System\lPQndmR.exe

C:\Windows\System\lPQndmR.exe

C:\Windows\System\jzCOtmv.exe

C:\Windows\System\jzCOtmv.exe

C:\Windows\System\UvEtTcG.exe

C:\Windows\System\UvEtTcG.exe

C:\Windows\System\qZyfyKW.exe

C:\Windows\System\qZyfyKW.exe

C:\Windows\System\ZwQZDZc.exe

C:\Windows\System\ZwQZDZc.exe

C:\Windows\System\vwvWwIh.exe

C:\Windows\System\vwvWwIh.exe

C:\Windows\System\zvtySQl.exe

C:\Windows\System\zvtySQl.exe

C:\Windows\System\gGekhkx.exe

C:\Windows\System\gGekhkx.exe

C:\Windows\System\GVKwqLl.exe

C:\Windows\System\GVKwqLl.exe

C:\Windows\System\CCFqXTq.exe

C:\Windows\System\CCFqXTq.exe

C:\Windows\System\ddjafmx.exe

C:\Windows\System\ddjafmx.exe

C:\Windows\System\qbodWhw.exe

C:\Windows\System\qbodWhw.exe

C:\Windows\System\tyXUpon.exe

C:\Windows\System\tyXUpon.exe

C:\Windows\System\KElVvUJ.exe

C:\Windows\System\KElVvUJ.exe

C:\Windows\System\bALRoPx.exe

C:\Windows\System\bALRoPx.exe

C:\Windows\System\eUoTROe.exe

C:\Windows\System\eUoTROe.exe

C:\Windows\System\jgmtlJe.exe

C:\Windows\System\jgmtlJe.exe

C:\Windows\System\qUXALsq.exe

C:\Windows\System\qUXALsq.exe

Network

Files
