Malware Analysis Report

2025-03-15 08:10

Sample ID 240529-1xmf8scc64
Target 2024-05-29_c5df1ecbb3db5173724dd9be7a082f2c_cobalt-strike_cobaltstrike
SHA256 399a0ec2fcb54cb0c481c572ba4d321c04e455fc5103b2fba1adf0525e0981b4
Tags upx 0 miner cobaltstrike xmrig backdoor trojan
Score 10/10


Analysis Overview

Score 10/10
SHA256 399a0ec2fcb54cb0c481c572ba4d321c04e455fc5103b2fba1adf0525e0981b4
Threat Level: Known bad

The file 2024-05-29_c5df1ecbb3db5173724dd9be7a082f2c_cobalt-strike_cobaltstrike was found to be: Known bad.

Malicious Activity Summary

Xmrig family
UPX dump on OEP (original entry point)
Cobalt Strike reflective loader
Cobaltstrike
xmrig
Cobaltstrike family
XMRig Miner payload
Detects Reflective DLL injection artifacts
Loads dropped DLL
UPX packed file
Executes dropped EXE
Drops file in Windows directory
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported 2024-05-29 22:01

Signatures

Cobalt Strike reflective loader

Cobaltstrike family

cobaltstrike

Detects Reflective DLL injection artifacts

UPX dump on OEP (original entry point)

XMRig Miner payload

miner

Xmrig family

xmrig

UPX packed file

upx

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted 2024-05-29 22:01
Reported 2024-05-29 22:04
Platform win7-20240508-en
Max time kernel 140s
Max time network 143s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-05-29_c5df1ecbb3db5173724dd9be7a082f2c_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader


Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts


UPX dump on OEP (original entry point)


XMRig Miner payload

miner

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_c5df1ecbb3db5173724dd9be7a082f2c_cobalt-strike_cobaltstrike.exe N/A

UPX packed file

upx

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\HXFWQFH.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_c5df1ecbb3db5173724dd9be7a082f2c_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\BLPYaDF.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_c5df1ecbb3db5173724dd9be7a082f2c_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\fXPOCVQ.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_c5df1ecbb3db5173724dd9be7a082f2c_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\rBiMpby.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_c5df1ecbb3db5173724dd9be7a082f2c_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\iNGKnCQ.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_c5df1ecbb3db5173724dd9be7a082f2c_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\fBUrzhg.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_c5df1ecbb3db5173724dd9be7a082f2c_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\OTRMlfE.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_c5df1ecbb3db5173724dd9be7a082f2c_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\BfONQiY.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_c5df1ecbb3db5173724dd9be7a082f2c_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\TXHcwIU.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_c5df1ecbb3db5173724dd9be7a082f2c_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\AQFrzNQ.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_c5df1ecbb3db5173724dd9be7a082f2c_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\igMzXsO.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_c5df1ecbb3db5173724dd9be7a082f2c_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\SqLLhpR.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_c5df1ecbb3db5173724dd9be7a082f2c_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\eIvSFIP.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_c5df1ecbb3db5173724dd9be7a082f2c_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\eFUJANf.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_c5df1ecbb3db5173724dd9be7a082f2c_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\LOyllnq.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_c5df1ecbb3db5173724dd9be7a082f2c_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\liMwqKS.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_c5df1ecbb3db5173724dd9be7a082f2c_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\LrZGdcE.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_c5df1ecbb3db5173724dd9be7a082f2c_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\mIMleEv.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_c5df1ecbb3db5173724dd9be7a082f2c_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\DDVQRxJ.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_c5df1ecbb3db5173724dd9be7a082f2c_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\JTICjnl.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_c5df1ecbb3db5173724dd9be7a082f2c_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\bHxyyNZ.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_c5df1ecbb3db5173724dd9be7a082f2c_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_c5df1ecbb3db5173724dd9be7a082f2c_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2992 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_c5df1ecbb3db5173724dd9be7a082f2c_cobalt-strike_cobaltstrike.exe C:\Windows\System\HXFWQFH.exe
PID 2992 wrote to memory of 804 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_c5df1ecbb3db5173724dd9be7a082f2c_cobalt-strike_cobaltstrike.exe C:\Windows\System\rBiMpby.exe
PID 2992 wrote to memory of 2156 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_c5df1ecbb3db5173724dd9be7a082f2c_cobalt-strike_cobaltstrike.exe C:\Windows\System\JTICjnl.exe
PID 2992 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_c5df1ecbb3db5173724dd9be7a082f2c_cobalt-strike_cobaltstrike.exe C:\Windows\System\BLPYaDF.exe
PID 2992 wrote to memory of 2776 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_c5df1ecbb3db5173724dd9be7a082f2c_cobalt-strike_cobaltstrike.exe C:\Windows\System\iNGKnCQ.exe
PID 2992 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_c5df1ecbb3db5173724dd9be7a082f2c_cobalt-strike_cobaltstrike.exe C:\Windows\System\bHxyyNZ.exe
PID 2992 wrote to memory of 2620 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_c5df1ecbb3db5173724dd9be7a082f2c_cobalt-strike_cobaltstrike.exe C:\Windows\System\fBUrzhg.exe
PID 2992 wrote to memory of 1928 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_c5df1ecbb3db5173724dd9be7a082f2c_cobalt-strike_cobaltstrike.exe C:\Windows\System\OTRMlfE.exe
PID 2992 wrote to memory of 2100 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_c5df1ecbb3db5173724dd9be7a082f2c_cobalt-strike_cobaltstrike.exe C:\Windows\System\SqLLhpR.exe
PID 2992 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_c5df1ecbb3db5173724dd9be7a082f2c_cobalt-strike_cobaltstrike.exe C:\Windows\System\eIvSFIP.exe
PID 2992 wrote to memory of 2800 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_c5df1ecbb3db5173724dd9be7a082f2c_cobalt-strike_cobaltstrike.exe C:\Windows\System\eFUJANf.exe
PID 2992 wrote to memory of 1048 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_c5df1ecbb3db5173724dd9be7a082f2c_cobalt-strike_cobaltstrike.exe C:\Windows\System\BfONQiY.exe
PID 2992 wrote to memory of 2588 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_c5df1ecbb3db5173724dd9be7a082f2c_cobalt-strike_cobaltstrike.exe C:\Windows\System\LOyllnq.exe
PID 2992 wrote to memory of 1820 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_c5df1ecbb3db5173724dd9be7a082f2c_cobalt-strike_cobaltstrike.exe C:\Windows\System\liMwqKS.exe
PID 2992 wrote to memory of 1436 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_c5df1ecbb3db5173724dd9be7a082f2c_cobalt-strike_cobaltstrike.exe C:\Windows\System\LrZGdcE.exe
PID 2992 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_c5df1ecbb3db5173724dd9be7a082f2c_cobalt-strike_cobaltstrike.exe C:\Windows\System\TXHcwIU.exe
PID 2992 wrote to memory of 1684 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_c5df1ecbb3db5173724dd9be7a082f2c_cobalt-strike_cobaltstrike.exe C:\Windows\System\fXPOCVQ.exe
PID 2992 wrote to memory of 2892 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_c5df1ecbb3db5173724dd9be7a082f2c_cobalt-strike_cobaltstrike.exe C:\Windows\System\AQFrzNQ.exe
PID 2992 wrote to memory of 2912 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_c5df1ecbb3db5173724dd9be7a082f2c_cobalt-strike_cobaltstrike.exe C:\Windows\System\igMzXsO.exe
PID 2992 wrote to memory of 3028 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_c5df1ecbb3db5173724dd9be7a082f2c_cobalt-strike_cobaltstrike.exe C:\Windows\System\mIMleEv.exe
PID 2992 wrote to memory of 3032 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_c5df1ecbb3db5173724dd9be7a082f2c_cobalt-strike_cobaltstrike.exe C:\Windows\System\DDVQRxJ.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-05-29_c5df1ecbb3db5173724dd9be7a082f2c_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-29_c5df1ecbb3db5173724dd9be7a082f2c_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\HXFWQFH.exe
C:\Windows\System\rBiMpby.exe
C:\Windows\System\JTICjnl.exe
C:\Windows\System\BLPYaDF.exe
C:\Windows\System\iNGKnCQ.exe
C:\Windows\System\bHxyyNZ.exe
C:\Windows\System\fBUrzhg.exe
C:\Windows\System\OTRMlfE.exe
C:\Windows\System\SqLLhpR.exe
C:\Windows\System\eIvSFIP.exe
C:\Windows\System\eFUJANf.exe
C:\Windows\System\BfONQiY.exe
C:\Windows\System\LOyllnq.exe
C:\Windows\System\liMwqKS.exe
C:\Windows\System\LrZGdcE.exe
C:\Windows\System\TXHcwIU.exe
C:\Windows\System\fXPOCVQ.exe
C:\Windows\System\AQFrzNQ.exe
C:\Windows\System\igMzXsO.exe
C:\Windows\System\mIMleEv.exe
C:\Windows\System\DDVQRxJ.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 tcp

Files


memory/2892-151-0x000000013FB10000-0x000000013FE61000-memory.dmp

memory/1684-150-0x000000013FEF0000-0x0000000140241000-memory.dmp

memory/2556-149-0x000000013FB10000-0x000000013FE61000-memory.dmp

memory/1436-148-0x000000013F300000-0x000000013F651000-memory.dmp

memory/1820-147-0x000000013FC60000-0x000000013FFB1000-memory.dmp

memory/2588-146-0x000000013FCB0000-0x0000000140001000-memory.dmp

memory/1048-145-0x000000013F780000-0x000000013FAD1000-memory.dmp

memory/2992-155-0x000000013F820000-0x000000013FB71000-memory.dmp

memory/2992-156-0x000000013F820000-0x000000013FB71000-memory.dmp

memory/2600-201-0x000000013F0F0000-0x000000013F441000-memory.dmp

memory/2156-205-0x000000013FD50000-0x00000001400A1000-memory.dmp

memory/804-204-0x000000013F130000-0x000000013F481000-memory.dmp

memory/2776-207-0x000000013FA10000-0x000000013FD61000-memory.dmp

memory/2620-209-0x000000013F2F0000-0x000000013F641000-memory.dmp

memory/2800-212-0x000000013FB90000-0x000000013FEE1000-memory.dmp

memory/2656-213-0x000000013F670000-0x000000013F9C1000-memory.dmp

memory/2100-215-0x000000013FFF0000-0x0000000140341000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-29 22:01

Reported

2024-05-29 22:04

Platform

win10v2004-20240426-en

Max time kernel

141s

Max time network

145s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-05-29_c5df1ecbb3db5173724dd9be7a082f2c_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\fdgzivV.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_c5df1ecbb3db5173724dd9be7a082f2c_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\CRPzXLc.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_c5df1ecbb3db5173724dd9be7a082f2c_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\FnNZMew.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_c5df1ecbb3db5173724dd9be7a082f2c_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ZydCZLz.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_c5df1ecbb3db5173724dd9be7a082f2c_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\NkCgtGs.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_c5df1ecbb3db5173724dd9be7a082f2c_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\TCTMJQs.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_c5df1ecbb3db5173724dd9be7a082f2c_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\giGiaUy.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_c5df1ecbb3db5173724dd9be7a082f2c_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\zXHLjEq.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_c5df1ecbb3db5173724dd9be7a082f2c_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\zqoDnrC.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_c5df1ecbb3db5173724dd9be7a082f2c_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\QfeJhGW.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_c5df1ecbb3db5173724dd9be7a082f2c_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\YTVUtlc.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_c5df1ecbb3db5173724dd9be7a082f2c_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\JSfBQPc.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_c5df1ecbb3db5173724dd9be7a082f2c_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\WDuqChN.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_c5df1ecbb3db5173724dd9be7a082f2c_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\BXFmkyx.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_c5df1ecbb3db5173724dd9be7a082f2c_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\isXFKMv.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_c5df1ecbb3db5173724dd9be7a082f2c_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\MZjoCLb.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_c5df1ecbb3db5173724dd9be7a082f2c_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\OXAAeJO.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_c5df1ecbb3db5173724dd9be7a082f2c_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\JJerXRV.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_c5df1ecbb3db5173724dd9be7a082f2c_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\BvnBbFQ.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_c5df1ecbb3db5173724dd9be7a082f2c_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\lbckSTS.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_c5df1ecbb3db5173724dd9be7a082f2c_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\RlbtPwF.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_c5df1ecbb3db5173724dd9be7a082f2c_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_c5df1ecbb3db5173724dd9be7a082f2c_cobalt-strike_cobaltstrike.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_c5df1ecbb3db5173724dd9be7a082f2c_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1320 wrote to memory of 64 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_c5df1ecbb3db5173724dd9be7a082f2c_cobalt-strike_cobaltstrike.exe C:\Windows\System\NkCgtGs.exe
PID 1320 wrote to memory of 64 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_c5df1ecbb3db5173724dd9be7a082f2c_cobalt-strike_cobaltstrike.exe C:\Windows\System\NkCgtGs.exe
PID 1320 wrote to memory of 4600 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_c5df1ecbb3db5173724dd9be7a082f2c_cobalt-strike_cobaltstrike.exe C:\Windows\System\YTVUtlc.exe
PID 1320 wrote to memory of 4600 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_c5df1ecbb3db5173724dd9be7a082f2c_cobalt-strike_cobaltstrike.exe C:\Windows\System\YTVUtlc.exe
PID 1320 wrote to memory of 1544 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_c5df1ecbb3db5173724dd9be7a082f2c_cobalt-strike_cobaltstrike.exe C:\Windows\System\TCTMJQs.exe
PID 1320 wrote to memory of 1544 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_c5df1ecbb3db5173724dd9be7a082f2c_cobalt-strike_cobaltstrike.exe C:\Windows\System\TCTMJQs.exe
PID 1320 wrote to memory of 4916 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_c5df1ecbb3db5173724dd9be7a082f2c_cobalt-strike_cobaltstrike.exe C:\Windows\System\JSfBQPc.exe
PID 1320 wrote to memory of 4916 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_c5df1ecbb3db5173724dd9be7a082f2c_cobalt-strike_cobaltstrike.exe C:\Windows\System\JSfBQPc.exe
PID 1320 wrote to memory of 4324 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_c5df1ecbb3db5173724dd9be7a082f2c_cobalt-strike_cobaltstrike.exe C:\Windows\System\OXAAeJO.exe
PID 1320 wrote to memory of 4324 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_c5df1ecbb3db5173724dd9be7a082f2c_cobalt-strike_cobaltstrike.exe C:\Windows\System\OXAAeJO.exe
PID 1320 wrote to memory of 2592 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_c5df1ecbb3db5173724dd9be7a082f2c_cobalt-strike_cobaltstrike.exe C:\Windows\System\giGiaUy.exe
PID 1320 wrote to memory of 2592 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_c5df1ecbb3db5173724dd9be7a082f2c_cobalt-strike_cobaltstrike.exe C:\Windows\System\giGiaUy.exe
PID 1320 wrote to memory of 1020 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_c5df1ecbb3db5173724dd9be7a082f2c_cobalt-strike_cobaltstrike.exe C:\Windows\System\zXHLjEq.exe
PID 1320 wrote to memory of 1020 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_c5df1ecbb3db5173724dd9be7a082f2c_cobalt-strike_cobaltstrike.exe C:\Windows\System\zXHLjEq.exe
PID 1320 wrote to memory of 4092 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_c5df1ecbb3db5173724dd9be7a082f2c_cobalt-strike_cobaltstrike.exe C:\Windows\System\zqoDnrC.exe
PID 1320 wrote to memory of 4092 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_c5df1ecbb3db5173724dd9be7a082f2c_cobalt-strike_cobaltstrike.exe C:\Windows\System\zqoDnrC.exe
PID 1320 wrote to memory of 732 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_c5df1ecbb3db5173724dd9be7a082f2c_cobalt-strike_cobaltstrike.exe C:\Windows\System\WDuqChN.exe
PID 1320 wrote to memory of 732 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_c5df1ecbb3db5173724dd9be7a082f2c_cobalt-strike_cobaltstrike.exe C:\Windows\System\WDuqChN.exe
PID 1320 wrote to memory of 4060 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_c5df1ecbb3db5173724dd9be7a082f2c_cobalt-strike_cobaltstrike.exe C:\Windows\System\JJerXRV.exe
PID 1320 wrote to memory of 4060 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_c5df1ecbb3db5173724dd9be7a082f2c_cobalt-strike_cobaltstrike.exe C:\Windows\System\JJerXRV.exe
PID 1320 wrote to memory of 992 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_c5df1ecbb3db5173724dd9be7a082f2c_cobalt-strike_cobaltstrike.exe C:\Windows\System\fdgzivV.exe
PID 1320 wrote to memory of 992 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_c5df1ecbb3db5173724dd9be7a082f2c_cobalt-strike_cobaltstrike.exe C:\Windows\System\fdgzivV.exe
PID 1320 wrote to memory of 3032 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_c5df1ecbb3db5173724dd9be7a082f2c_cobalt-strike_cobaltstrike.exe C:\Windows\System\BXFmkyx.exe
PID 1320 wrote to memory of 3032 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_c5df1ecbb3db5173724dd9be7a082f2c_cobalt-strike_cobaltstrike.exe C:\Windows\System\BXFmkyx.exe
PID 1320 wrote to memory of 4036 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_c5df1ecbb3db5173724dd9be7a082f2c_cobalt-strike_cobaltstrike.exe C:\Windows\System\QfeJhGW.exe
PID 1320 wrote to memory of 4036 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_c5df1ecbb3db5173724dd9be7a082f2c_cobalt-strike_cobaltstrike.exe C:\Windows\System\QfeJhGW.exe
PID 1320 wrote to memory of 1712 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_c5df1ecbb3db5173724dd9be7a082f2c_cobalt-strike_cobaltstrike.exe C:\Windows\System\isXFKMv.exe
PID 1320 wrote to memory of 1712 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_c5df1ecbb3db5173724dd9be7a082f2c_cobalt-strike_cobaltstrike.exe C:\Windows\System\isXFKMv.exe
PID 1320 wrote to memory of 2360 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_c5df1ecbb3db5173724dd9be7a082f2c_cobalt-strike_cobaltstrike.exe C:\Windows\System\BvnBbFQ.exe
PID 1320 wrote to memory of 2360 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_c5df1ecbb3db5173724dd9be7a082f2c_cobalt-strike_cobaltstrike.exe C:\Windows\System\BvnBbFQ.exe
PID 1320 wrote to memory of 2032 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_c5df1ecbb3db5173724dd9be7a082f2c_cobalt-strike_cobaltstrike.exe C:\Windows\System\lbckSTS.exe
PID 1320 wrote to memory of 2032 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_c5df1ecbb3db5173724dd9be7a082f2c_cobalt-strike_cobaltstrike.exe C:\Windows\System\lbckSTS.exe
PID 1320 wrote to memory of 2932 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_c5df1ecbb3db5173724dd9be7a082f2c_cobalt-strike_cobaltstrike.exe C:\Windows\System\MZjoCLb.exe
PID 1320 wrote to memory of 2932 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_c5df1ecbb3db5173724dd9be7a082f2c_cobalt-strike_cobaltstrike.exe C:\Windows\System\MZjoCLb.exe
PID 1320 wrote to memory of 3772 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_c5df1ecbb3db5173724dd9be7a082f2c_cobalt-strike_cobaltstrike.exe C:\Windows\System\CRPzXLc.exe
PID 1320 wrote to memory of 3772 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_c5df1ecbb3db5173724dd9be7a082f2c_cobalt-strike_cobaltstrike.exe C:\Windows\System\CRPzXLc.exe
PID 1320 wrote to memory of 3324 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_c5df1ecbb3db5173724dd9be7a082f2c_cobalt-strike_cobaltstrike.exe C:\Windows\System\FnNZMew.exe
PID 1320 wrote to memory of 3324 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_c5df1ecbb3db5173724dd9be7a082f2c_cobalt-strike_cobaltstrike.exe C:\Windows\System\FnNZMew.exe
PID 1320 wrote to memory of 4840 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_c5df1ecbb3db5173724dd9be7a082f2c_cobalt-strike_cobaltstrike.exe C:\Windows\System\RlbtPwF.exe
PID 1320 wrote to memory of 4840 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_c5df1ecbb3db5173724dd9be7a082f2c_cobalt-strike_cobaltstrike.exe C:\Windows\System\RlbtPwF.exe
PID 1320 wrote to memory of 4788 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_c5df1ecbb3db5173724dd9be7a082f2c_cobalt-strike_cobaltstrike.exe C:\Windows\System\ZydCZLz.exe
PID 1320 wrote to memory of 4788 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_c5df1ecbb3db5173724dd9be7a082f2c_cobalt-strike_cobaltstrike.exe C:\Windows\System\ZydCZLz.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-05-29_c5df1ecbb3db5173724dd9be7a082f2c_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-05-29_c5df1ecbb3db5173724dd9be7a082f2c_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\NkCgtGs.exe

C:\Windows\System\NkCgtGs.exe

C:\Windows\System\YTVUtlc.exe

C:\Windows\System\YTVUtlc.exe

C:\Windows\System\TCTMJQs.exe

C:\Windows\System\TCTMJQs.exe

C:\Windows\System\JSfBQPc.exe

C:\Windows\System\JSfBQPc.exe

C:\Windows\System\OXAAeJO.exe

C:\Windows\System\OXAAeJO.exe

C:\Windows\System\giGiaUy.exe

C:\Windows\System\giGiaUy.exe

C:\Windows\System\zXHLjEq.exe

C:\Windows\System\zXHLjEq.exe

C:\Windows\System\zqoDnrC.exe

C:\Windows\System\zqoDnrC.exe

C:\Windows\System\WDuqChN.exe

C:\Windows\System\WDuqChN.exe

C:\Windows\System\JJerXRV.exe

C:\Windows\System\JJerXRV.exe

C:\Windows\System\fdgzivV.exe

C:\Windows\System\fdgzivV.exe

C:\Windows\System\BXFmkyx.exe

C:\Windows\System\BXFmkyx.exe

C:\Windows\System\QfeJhGW.exe

C:\Windows\System\QfeJhGW.exe

C:\Windows\System\isXFKMv.exe

C:\Windows\System\isXFKMv.exe

C:\Windows\System\BvnBbFQ.exe

C:\Windows\System\BvnBbFQ.exe

C:\Windows\System\lbckSTS.exe

C:\Windows\System\lbckSTS.exe

C:\Windows\System\MZjoCLb.exe

C:\Windows\System\MZjoCLb.exe

C:\Windows\System\CRPzXLc.exe

C:\Windows\System\CRPzXLc.exe

C:\Windows\System\FnNZMew.exe

C:\Windows\System\FnNZMew.exe

C:\Windows\System\RlbtPwF.exe

C:\Windows\System\RlbtPwF.exe

C:\Windows\System\ZydCZLz.exe

C:\Windows\System\ZydCZLz.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 144.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp

Files

memory/1320-0-0x00007FF6BB7C0000-0x00007FF6BBB11000-memory.dmp

memory/1320-1-0x0000025489A30000-0x0000025489A40000-memory.dmp

C:\Windows\System\NkCgtGs.exe

MD5 834afd1150f6f5583fc9eb45217b6ac5
SHA1 470e15e27969675e6b5e9d2eef56dd6f1ce47cbb
SHA256 fd395abaf6ef142d40802b05e56593905aeb5705d0245a87c018a90a6daa37e7
SHA512 54cfcc04d084516c2e9add81a1adf0c89cf80322b317c5a7752cf21ae875bfa88520c4ed8cf868c86525b84533327566f1fcb053f7f78a9e832e960e55f1cb90

C:\Windows\System\YTVUtlc.exe

MD5 0ebe35220881669986b3c7b932010b2d
SHA1 7d9c717b18dd47a8583808010682980f298b5419
SHA256 839f23845ff5649b7c833d0381f9cc881d4cc43ceab9aab6f1854640444ad48e
SHA512 751f96100d0f54f7325dbc3b2b361bafd4b49a4e4a4a5dab9fe7b6ed956e6d0f5a13754dc65793e2678ca3f3bc9ef4eeaa7ffaf96c8ea98e5262990e1850a1eb

memory/1544-23-0x00007FF6FF7E0000-0x00007FF6FFB31000-memory.dmp

C:\Windows\System\OXAAeJO.exe

MD5 d5c476113d41c256ebc21297344af4bb
SHA1 2406941bff47a6fae37ab9e34aed0254fd87b98f
SHA256 9400a71c7e11a253c9360a6bc3a3273b6ed0c1c5e4774e32dd4b64ce456a4e33
SHA512 20ef62a57060384613ce7458b8cfa3da487cb7622db132a14125a490b2e9ef3f36d2c322e4325f7ca4a112e8c335f9d750f2431c1528cfe1e43866de3f29b5ef

C:\Windows\System\giGiaUy.exe

MD5 493b922c6681f141b7f8b638c8caba2b
SHA1 2aabf57925d08d4e0e0827448e156c04400f458a
SHA256 20b7321e969f9f2b1e9ac68ba68ea78ef32370022f1d0e7e9e9958cc19796264
SHA512 de022f04cd1f0e62b2fd2a8161882a82c487d7bde5aecdbc0abfe83b79184f8c8dd947d5a20b311a8b570f48d1aa5c16e4c44365e4192a9a1bf7b8d99b857871

C:\Windows\System\JSfBQPc.exe

MD5 91df922314a4caab432bba0c590ca3c0
SHA1 b91e20ca4d9be7c8e6fd75ac2830eb878c22eb76
SHA256 0cf813b51717aab8d4bf85c804cd17451a9e8a3cc11f9cb8db55a7f62fc7b809
SHA512 41834d81c15003ab88fdc17f65dd4d58bf778aa7f748c1778b8b4cf1f00ba4e25cbf41434779e3783c6b2862972c82761d5a6dbf80e22770db840e6a09a40184

memory/4324-30-0x00007FF60BB00000-0x00007FF60BE51000-memory.dmp

memory/4916-27-0x00007FF67EE50000-0x00007FF67F1A1000-memory.dmp

C:\Windows\System\JSfBQPc.exe

MD5 81e2929b75563211c1a50459e3381f8e
SHA1 c0e3cc0d53ababb6a6b1c52c81e23009e016c583
SHA256 744562ffe4d78d45cb867d8b360243ef34dcefec52f11260a82ec358c7e80bde
SHA512 faa26b00f78064536f7adc5c712d743738d6dc78d184255142e9aee23689c53d1a716acf7c532cfcb920be03769551ecf8f83772029e77074b5d6874dd30f9df

C:\Windows\System\TCTMJQs.exe

MD5 019ddcf396cd93c990aa49d4c0033455
SHA1 d3e7a5d035f42ec9689294f0dc7bdb3c289f050f
SHA256 aec148d5630b74d8211a1561f3d66744328305fa12d51536534705e629d3df98
SHA512 8079e3acfc8ddb061e05d81a3ec5e2a36105812bc55a12faa5961a91cdcdecf7ed8facac7dd2fe610a91a9c673efd64bd3710908bf1cd394ac6a27688ba86101

memory/4600-19-0x00007FF7DE820000-0x00007FF7DEB71000-memory.dmp

memory/64-8-0x00007FF718410000-0x00007FF718761000-memory.dmp

C:\Windows\System\zXHLjEq.exe

MD5 a088c8c47bb5a2d948c6bc7ebe271edb
SHA1 d7a031eb65e9ea603ae4af06ea3e9e1c384d589b
SHA256 b48b028981f773182978cc3aa230f3fc61f75f8abb154846cd38efbb113def3d
SHA512 a0c54f85249a34d233c6680edaab330849ec71bc1a4715307f465a30e92e8311022de103391097cd3d19092305607edd35678473bfc252c2fb2e818bbc98f36c

memory/2592-39-0x00007FF70BDE0000-0x00007FF70C131000-memory.dmp

memory/1020-42-0x00007FF67F0E0000-0x00007FF67F431000-memory.dmp

C:\Windows\System\zqoDnrC.exe

MD5 5964b58059889dd9859491f96bd10d8d
SHA1 69197c11984b535cd20c8bcc09ea32dab72123cd
SHA256 0eb24c85af0ced3d774af6420787f28be7fd78dfae18310c977a948a3104b6bf
SHA512 715abd74760a8056af3e38e64d77dc59bbe887a35340efe1ad3cfc3f801a5e8afd453a39bace57b12f44e7d1d33399aabf7cb283534ece4c7f5c9dc46c225bbb

C:\Windows\System\WDuqChN.exe

MD5 945ff60fda5ba3daa8cfea70f362b9d4
SHA1 02579ddefa461d950cf1422a6d546a34bf5f0850
SHA256 0130cddde078ae99d5e6f091fb7ee9103610608e24a3c6245902ae275fb4692a
SHA512 66123bb61af2e4c8246580bc441a6185aec2e33d03aa20c4375ab9410e17855d93b871ed318bd2ff3d3647e20923a9ad850f4d764972d97c52e916cfbbd74851

memory/4092-49-0x00007FF779160000-0x00007FF7794B1000-memory.dmp

C:\Windows\System\JJerXRV.exe

MD5 1ef535470e3191b18c1c97f3a131c30e
SHA1 e43a11aa0c49faaec307a08d00501194aa58ab99
SHA256 89343e0dbba48ecbb84302ff95ba984551b5864f3e3987bbeeb8253002df28d2
SHA512 5d5b6149bf4f717f8b2f9c12f95246bde709349c8124c328bd730458106e329857fb1511f4876e8ec9eb55153f574e703613635b6cf8c1a76a52b401438256a6

C:\Windows\System\fdgzivV.exe

MD5 19706a86f897175c5888bbf351da42a0
SHA1 c3ffaebd6c326825a4d46cff1ced9c0954477879
SHA256 a3bd6aa4a4ec199fbbb0d4967ffc15fb569125bea2500600e90f6227d9ba03fd
SHA512 d4e562641f026203f74ff649853eb1d6b927d7c79c50f1dd53778ae10841985af0edd6aed0daf787eece7e319601f82f0321e778f6a5147c981ad4e29c81585f

memory/4060-68-0x00007FF7D2CB0000-0x00007FF7D3001000-memory.dmp

C:\Windows\System\isXFKMv.exe

MD5 feb045a32085a1f34e58f30fda1695e7
SHA1 4bf7c50178395779b614a17bf10cff5239514c8e
SHA256 c78a5fd68f9713c32af40a1a511f2f69402367c42702e9f85c0bacb262f874bb
SHA512 55818cec08b455c43d1cddb282f26a2f7816dc53579143072dd50e09f7c545088a1f7a7409683f89f7d55be6fe0606552a127c9d514c431f42ce08e5f1bb13c3

memory/1712-89-0x00007FF6C4E30000-0x00007FF6C5181000-memory.dmp

C:\Windows\System\lbckSTS.exe

MD5 5ebfc77ec0168868b1e4c96e57a61dd7
SHA1 599584eaa4d7f84e0b5b578326b805d407e28d77
SHA256 edd4576ae412d8d7f883d66db9a4eabc3be3fb5329312f33c06091d613ca2b92
SHA512 2ece8589a57b80df7efa8e9b170d27f179b761e688768e225b167aa3c31c69cb5c8a2e978cabfe0b44d9e47f57f97aca6ed9456f9e3cad588ff08a4e38acaf39

C:\Windows\System\CRPzXLc.exe

MD5 0a451739471457a3e89581f9fef700b5
SHA1 1cebf4fabbd3fdc015ebecbb45ed4bc520de4ccb
SHA256 251b668626baa383fbd3025d79dbfb55be2eec37270a7a6f0cf5a5216c39e72f
SHA512 69e002a0a718d2f5475aff0f873e674999bdaeaa7f54f57404e0e481eba0261c6ec2da08bafab1c0bc8a654389148539be1ad1e623927b7b7d11a874299d84d9

memory/4324-114-0x00007FF60BB00000-0x00007FF60BE51000-memory.dmp

memory/3324-119-0x00007FF629850000-0x00007FF629BA1000-memory.dmp

C:\Windows\System\FnNZMew.exe

MD5 91792ea02e2b32834667fc566277504d
SHA1 230a5510c05ab95ad906e538cb8f9c247a431a61
SHA256 175ef208ab40b998dd17ff6b0d032e78b6d37b9725ef1c38612edee2063687cd
SHA512 4adfcc7e7dd908a940607dc313aa508ae5fb7158e9631a6826d5cfb8a36b129a0347116d5f2ec39e2a8a5ad2fb363da22f7c200ba80be813c2b47b27a3fe9a11

memory/3772-115-0x00007FF6DFC70000-0x00007FF6DFFC1000-memory.dmp

C:\Windows\System\MZjoCLb.exe

MD5 e4a475a2956bf1ccf47323230587339e
SHA1 37f9143dab12940d1746a09f383190caa85cd43f
SHA256 3de9afca2561c1ad7e35de39651552502096010d7775545f69deb7e9fe6306d7
SHA512 a13803183fa08942f08dc22f8c079a233e6be92927235ab7aca3ff17f1a9ce5ef418239007ad65711cfbf94ddda837ade7f257d2a01372069fbee98b2f0d97dd

memory/2932-108-0x00007FF718CA0000-0x00007FF718FF1000-memory.dmp

memory/2360-105-0x00007FF7615D0000-0x00007FF761921000-memory.dmp

memory/2032-107-0x00007FF7C2F60000-0x00007FF7C32B1000-memory.dmp

C:\Windows\System\BvnBbFQ.exe

MD5 f6e3f820152dabcdb658d2cbe2a9563f
SHA1 0b312f14cacd2e449029fb695c3dfd6c4508875e
SHA256 bdf637d46dca2a14edef29619de08575f8d77e3c254a9d8c0ccdd9607b7dfb31
SHA512 09c51315e4bf1df921cf450325e9d91d0d68cbb3898c28b129e28a210358e7b6d771e63cb72631770f694412d56fd4444d56dc1b1cc45050364533dcf5b8d630

memory/4916-88-0x00007FF67EE50000-0x00007FF67F1A1000-memory.dmp

C:\Windows\System\QfeJhGW.exe

MD5 b6921bdf45c9be045a1a4aca3b2fab2d
SHA1 17f7068a0c52eda278b79c762710cd0bdd351661
SHA256 bb4591c1f99b62f6d3e12432e95255f5fc9d8a112f5e284d7f845a45833e1707
SHA512 15a78d97e4531d19065a6fbf79855e8cd7da68ff5b93f62eb91f979c299ed5e57f2d9cdc9c123ad87eb9e8dbe814e5fe736b0c8df10ef97d131d43334ae1c774

C:\Windows\System\BXFmkyx.exe

MD5 70a2433a1e0593ef15674f16598a6417
SHA1 978e38c5d74f66d7abf6c80f5a239400a7cef7ad
SHA256 988b9d7231749fb22e0fe3e3ed540df0bd424a0f828b59ab0b4cf10fbbe02d6a
SHA512 cddcbbe62215750089638abc32fdfaf48e2f46c10a73805cdbf5624fec77b7c9e35279bd2428d9a4dda4fc71b8b28a065ad5eea1f7af3798368d6a268b19f26c

memory/4036-82-0x00007FF66ABD0000-0x00007FF66AF21000-memory.dmp

memory/1544-79-0x00007FF6FF7E0000-0x00007FF6FFB31000-memory.dmp

memory/3032-77-0x00007FF7C5B00000-0x00007FF7C5E51000-memory.dmp

memory/992-75-0x00007FF7F8770000-0x00007FF7F8AC1000-memory.dmp

memory/64-74-0x00007FF718410000-0x00007FF718761000-memory.dmp

memory/1320-62-0x00007FF6BB7C0000-0x00007FF6BBB11000-memory.dmp

memory/732-61-0x00007FF6C8F10000-0x00007FF6C9261000-memory.dmp

C:\Windows\System\RlbtPwF.exe

MD5 7e05c8b2fb0feeab1efbec8d54fd2034
SHA1 19532590ef80ddbf974ba79ad0bf53f1157628ec
SHA256 5d7e3ddf154b0a8167d6fe031d71a5b1a8ef81c747bbc85438a938053e266833
SHA512 9e0c1cc1ee88c4fdb3e561d4f6be0ae3a8fccd045401c5107168976d099d4a150d31a525d960b549294a4429f8fe476dfaa269efde80b444f14718a911e47c7e

C:\Windows\System\ZydCZLz.exe

MD5 8f40f22096882c05916004a5ecefed03
SHA1 0047794ccad9fbcd12d8ce6ba66aaf7f814e4baf
SHA256 bad785dbf83d980d59f896a2d2d7baf1881d561e1465504ff36a70b0f43d70f6
SHA512 2e0d5fdea93f304515b05f6696a1e21a49bf450311b9ff59d750d6d4fc3aa55788c825108b8e0975ba0190c0a883ceb8d71e0460a649a670056c5c001638f333

memory/732-133-0x00007FF6C8F10000-0x00007FF6C9261000-memory.dmp

memory/4788-135-0x00007FF75F710000-0x00007FF75FA61000-memory.dmp

memory/4092-131-0x00007FF779160000-0x00007FF7794B1000-memory.dmp

memory/1020-125-0x00007FF67F0E0000-0x00007FF67F431000-memory.dmp

memory/4840-127-0x00007FF772690000-0x00007FF7729E1000-memory.dmp

memory/1320-136-0x00007FF6BB7C0000-0x00007FF6BBB11000-memory.dmp

memory/3032-148-0x00007FF7C5B00000-0x00007FF7C5E51000-memory.dmp

memory/4840-156-0x00007FF772690000-0x00007FF7729E1000-memory.dmp

memory/3772-154-0x00007FF6DFC70000-0x00007FF6DFFC1000-memory.dmp

memory/4036-149-0x00007FF66ABD0000-0x00007FF66AF21000-memory.dmp

memory/3324-155-0x00007FF629850000-0x00007FF629BA1000-memory.dmp

memory/2932-153-0x00007FF718CA0000-0x00007FF718FF1000-memory.dmp

memory/1320-158-0x00007FF6BB7C0000-0x00007FF6BBB11000-memory.dmp

memory/64-203-0x00007FF718410000-0x00007FF718761000-memory.dmp

memory/4600-205-0x00007FF7DE820000-0x00007FF7DEB71000-memory.dmp

memory/1544-207-0x00007FF6FF7E0000-0x00007FF6FFB31000-memory.dmp

memory/4916-209-0x00007FF67EE50000-0x00007FF67F1A1000-memory.dmp

memory/4324-212-0x00007FF60BB00000-0x00007FF60BE51000-memory.dmp

memory/2592-213-0x00007FF70BDE0000-0x00007FF70C131000-memory.dmp

memory/1020-230-0x00007FF67F0E0000-0x00007FF67F431000-memory.dmp

memory/4092-232-0x00007FF779160000-0x00007FF7794B1000-memory.dmp

memory/732-234-0x00007FF6C8F10000-0x00007FF6C9261000-memory.dmp

memory/4060-236-0x00007FF7D2CB0000-0x00007FF7D3001000-memory.dmp

memory/992-238-0x00007FF7F8770000-0x00007FF7F8AC1000-memory.dmp

memory/4036-240-0x00007FF66ABD0000-0x00007FF66AF21000-memory.dmp

memory/1712-242-0x00007FF6C4E30000-0x00007FF6C5181000-memory.dmp

memory/3032-244-0x00007FF7C5B00000-0x00007FF7C5E51000-memory.dmp

memory/2360-246-0x00007FF7615D0000-0x00007FF761921000-memory.dmp

memory/2032-248-0x00007FF7C2F60000-0x00007FF7C32B1000-memory.dmp

memory/2932-250-0x00007FF718CA0000-0x00007FF718FF1000-memory.dmp

memory/3772-252-0x00007FF6DFC70000-0x00007FF6DFFC1000-memory.dmp

memory/3324-254-0x00007FF629850000-0x00007FF629BA1000-memory.dmp

memory/4840-257-0x00007FF772690000-0x00007FF7729E1000-memory.dmp

memory/4788-258-0x00007FF75F710000-0x00007FF75FA61000-memory.dmp