Malware Analysis Report

2025-03-15 08:10

Sample ID 240529-2srqtsch3s
Target 2024-05-29_af079aa3400563833efc3c4835e57a45_cobalt-strike_cobaltstrike
SHA256 ea08bb104b32bb812df7622bf24f990860b5ca7dab866d88eb9b7f69e13a0b63
Tags
upx 0 miner cobaltstrike xmrig backdoor trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

ea08bb104b32bb812df7622bf24f990860b5ca7dab866d88eb9b7f69e13a0b63

Threat Level: Known bad

The file 2024-05-29_af079aa3400563833efc3c4835e57a45_cobalt-strike_cobaltstrike was found to be: Known bad.

Malicious Activity Summary

upx 0 miner cobaltstrike xmrig backdoor trojan

Cobalt Strike reflective loader

xmrig

Cobaltstrike family

Cobaltstrike

XMRig Miner payload

Xmrig family

Detects Reflective DLL injection artifacts

UPX dump on OEP (original entry point)

XMRig Miner payload

UPX dump on OEP (original entry point)

Detects Reflective DLL injection artifacts

UPX packed file

Loads dropped DLL

Executes dropped EXE

Drops file in Windows directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-05-29 22:51

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike family

cobaltstrike

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

XMRig Miner payload

miner

Description Indicator Process Target
N/A N/A N/A N/A

Xmrig family

xmrig

UPX packed file

upx

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-29 22:50

Reported

2024-05-29 22:53

Platform

win7-20240215-en

Max time kernel

142s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-05-29_af079aa3400563833efc3c4835e57a45_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

XMRig Miner payload

miner

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_af079aa3400563833efc3c4835e57a45_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_af079aa3400563833efc3c4835e57a45_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_af079aa3400563833efc3c4835e57a45_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_af079aa3400563833efc3c4835e57a45_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_af079aa3400563833efc3c4835e57a45_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_af079aa3400563833efc3c4835e57a45_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_af079aa3400563833efc3c4835e57a45_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_af079aa3400563833efc3c4835e57a45_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_af079aa3400563833efc3c4835e57a45_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_af079aa3400563833efc3c4835e57a45_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_af079aa3400563833efc3c4835e57a45_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_af079aa3400563833efc3c4835e57a45_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_af079aa3400563833efc3c4835e57a45_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_af079aa3400563833efc3c4835e57a45_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_af079aa3400563833efc3c4835e57a45_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_af079aa3400563833efc3c4835e57a45_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_af079aa3400563833efc3c4835e57a45_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_af079aa3400563833efc3c4835e57a45_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_af079aa3400563833efc3c4835e57a45_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_af079aa3400563833efc3c4835e57a45_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_af079aa3400563833efc3c4835e57a45_cobalt-strike_cobaltstrike.exe N/A

UPX packed file

upx

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\nMmyuqu.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_af079aa3400563833efc3c4835e57a45_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\EiyCOev.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_af079aa3400563833efc3c4835e57a45_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\GXJQJwi.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_af079aa3400563833efc3c4835e57a45_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ZLXCvIA.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_af079aa3400563833efc3c4835e57a45_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\AlYpvZN.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_af079aa3400563833efc3c4835e57a45_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\TVFSCJJ.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_af079aa3400563833efc3c4835e57a45_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\yfuffHC.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_af079aa3400563833efc3c4835e57a45_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\dzJBVFv.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_af079aa3400563833efc3c4835e57a45_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\TarzKJG.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_af079aa3400563833efc3c4835e57a45_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\hJqtThQ.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_af079aa3400563833efc3c4835e57a45_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\JJgCJJs.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_af079aa3400563833efc3c4835e57a45_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\YqqYhII.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_af079aa3400563833efc3c4835e57a45_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\inJcDXF.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_af079aa3400563833efc3c4835e57a45_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\YVXVJtK.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_af079aa3400563833efc3c4835e57a45_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\kaeabXr.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_af079aa3400563833efc3c4835e57a45_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\oIbbvak.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_af079aa3400563833efc3c4835e57a45_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\UuvZGKq.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_af079aa3400563833efc3c4835e57a45_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\bGfvSWK.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_af079aa3400563833efc3c4835e57a45_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\cCigySK.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_af079aa3400563833efc3c4835e57a45_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\UZRuUQG.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_af079aa3400563833efc3c4835e57a45_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\jlfcLVt.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_af079aa3400563833efc3c4835e57a45_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_af079aa3400563833efc3c4835e57a45_cobalt-strike_cobaltstrike.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_af079aa3400563833efc3c4835e57a45_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1660 wrote to memory of 1980 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_af079aa3400563833efc3c4835e57a45_cobalt-strike_cobaltstrike.exe C:\Windows\System\UuvZGKq.exe
PID 1660 wrote to memory of 1980 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_af079aa3400563833efc3c4835e57a45_cobalt-strike_cobaltstrike.exe C:\Windows\System\UuvZGKq.exe
PID 1660 wrote to memory of 1980 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_af079aa3400563833efc3c4835e57a45_cobalt-strike_cobaltstrike.exe C:\Windows\System\UuvZGKq.exe
PID 1660 wrote to memory of 2192 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_af079aa3400563833efc3c4835e57a45_cobalt-strike_cobaltstrike.exe C:\Windows\System\nMmyuqu.exe
PID 1660 wrote to memory of 2192 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_af079aa3400563833efc3c4835e57a45_cobalt-strike_cobaltstrike.exe C:\Windows\System\nMmyuqu.exe
PID 1660 wrote to memory of 2192 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_af079aa3400563833efc3c4835e57a45_cobalt-strike_cobaltstrike.exe C:\Windows\System\nMmyuqu.exe
PID 1660 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_af079aa3400563833efc3c4835e57a45_cobalt-strike_cobaltstrike.exe C:\Windows\System\EiyCOev.exe
PID 1660 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_af079aa3400563833efc3c4835e57a45_cobalt-strike_cobaltstrike.exe C:\Windows\System\EiyCOev.exe
PID 1660 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_af079aa3400563833efc3c4835e57a45_cobalt-strike_cobaltstrike.exe C:\Windows\System\EiyCOev.exe
PID 1660 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_af079aa3400563833efc3c4835e57a45_cobalt-strike_cobaltstrike.exe C:\Windows\System\bGfvSWK.exe
PID 1660 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_af079aa3400563833efc3c4835e57a45_cobalt-strike_cobaltstrike.exe C:\Windows\System\bGfvSWK.exe
PID 1660 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_af079aa3400563833efc3c4835e57a45_cobalt-strike_cobaltstrike.exe C:\Windows\System\bGfvSWK.exe
PID 1660 wrote to memory of 1344 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_af079aa3400563833efc3c4835e57a45_cobalt-strike_cobaltstrike.exe C:\Windows\System\yfuffHC.exe
PID 1660 wrote to memory of 1344 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_af079aa3400563833efc3c4835e57a45_cobalt-strike_cobaltstrike.exe C:\Windows\System\yfuffHC.exe
PID 1660 wrote to memory of 1344 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_af079aa3400563833efc3c4835e57a45_cobalt-strike_cobaltstrike.exe C:\Windows\System\yfuffHC.exe
PID 1660 wrote to memory of 2564 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_af079aa3400563833efc3c4835e57a45_cobalt-strike_cobaltstrike.exe C:\Windows\System\JJgCJJs.exe
PID 1660 wrote to memory of 2564 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_af079aa3400563833efc3c4835e57a45_cobalt-strike_cobaltstrike.exe C:\Windows\System\JJgCJJs.exe
PID 1660 wrote to memory of 2564 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_af079aa3400563833efc3c4835e57a45_cobalt-strike_cobaltstrike.exe C:\Windows\System\JJgCJJs.exe
PID 1660 wrote to memory of 2740 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_af079aa3400563833efc3c4835e57a45_cobalt-strike_cobaltstrike.exe C:\Windows\System\YqqYhII.exe
PID 1660 wrote to memory of 2740 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_af079aa3400563833efc3c4835e57a45_cobalt-strike_cobaltstrike.exe C:\Windows\System\YqqYhII.exe
PID 1660 wrote to memory of 2740 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_af079aa3400563833efc3c4835e57a45_cobalt-strike_cobaltstrike.exe C:\Windows\System\YqqYhII.exe
PID 1660 wrote to memory of 2404 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_af079aa3400563833efc3c4835e57a45_cobalt-strike_cobaltstrike.exe C:\Windows\System\dzJBVFv.exe
PID 1660 wrote to memory of 2404 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_af079aa3400563833efc3c4835e57a45_cobalt-strike_cobaltstrike.exe C:\Windows\System\dzJBVFv.exe
PID 1660 wrote to memory of 2404 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_af079aa3400563833efc3c4835e57a45_cobalt-strike_cobaltstrike.exe C:\Windows\System\dzJBVFv.exe
PID 1660 wrote to memory of 2456 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_af079aa3400563833efc3c4835e57a45_cobalt-strike_cobaltstrike.exe C:\Windows\System\GXJQJwi.exe
PID 1660 wrote to memory of 2456 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_af079aa3400563833efc3c4835e57a45_cobalt-strike_cobaltstrike.exe C:\Windows\System\GXJQJwi.exe
PID 1660 wrote to memory of 2456 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_af079aa3400563833efc3c4835e57a45_cobalt-strike_cobaltstrike.exe C:\Windows\System\GXJQJwi.exe
PID 1660 wrote to memory of 2872 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_af079aa3400563833efc3c4835e57a45_cobalt-strike_cobaltstrike.exe C:\Windows\System\inJcDXF.exe
PID 1660 wrote to memory of 2872 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_af079aa3400563833efc3c4835e57a45_cobalt-strike_cobaltstrike.exe C:\Windows\System\inJcDXF.exe
PID 1660 wrote to memory of 2872 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_af079aa3400563833efc3c4835e57a45_cobalt-strike_cobaltstrike.exe C:\Windows\System\inJcDXF.exe
PID 1660 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_af079aa3400563833efc3c4835e57a45_cobalt-strike_cobaltstrike.exe C:\Windows\System\ZLXCvIA.exe
PID 1660 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_af079aa3400563833efc3c4835e57a45_cobalt-strike_cobaltstrike.exe C:\Windows\System\ZLXCvIA.exe
PID 1660 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_af079aa3400563833efc3c4835e57a45_cobalt-strike_cobaltstrike.exe C:\Windows\System\ZLXCvIA.exe
PID 1660 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_af079aa3400563833efc3c4835e57a45_cobalt-strike_cobaltstrike.exe C:\Windows\System\AlYpvZN.exe
PID 1660 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_af079aa3400563833efc3c4835e57a45_cobalt-strike_cobaltstrike.exe C:\Windows\System\AlYpvZN.exe
PID 1660 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_af079aa3400563833efc3c4835e57a45_cobalt-strike_cobaltstrike.exe C:\Windows\System\AlYpvZN.exe
PID 1660 wrote to memory of 1812 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_af079aa3400563833efc3c4835e57a45_cobalt-strike_cobaltstrike.exe C:\Windows\System\cCigySK.exe
PID 1660 wrote to memory of 1812 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_af079aa3400563833efc3c4835e57a45_cobalt-strike_cobaltstrike.exe C:\Windows\System\cCigySK.exe
PID 1660 wrote to memory of 1812 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_af079aa3400563833efc3c4835e57a45_cobalt-strike_cobaltstrike.exe C:\Windows\System\cCigySK.exe
PID 1660 wrote to memory of 2864 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_af079aa3400563833efc3c4835e57a45_cobalt-strike_cobaltstrike.exe C:\Windows\System\YVXVJtK.exe
PID 1660 wrote to memory of 2864 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_af079aa3400563833efc3c4835e57a45_cobalt-strike_cobaltstrike.exe C:\Windows\System\YVXVJtK.exe
PID 1660 wrote to memory of 2864 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_af079aa3400563833efc3c4835e57a45_cobalt-strike_cobaltstrike.exe C:\Windows\System\YVXVJtK.exe
PID 1660 wrote to memory of 1768 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_af079aa3400563833efc3c4835e57a45_cobalt-strike_cobaltstrike.exe C:\Windows\System\UZRuUQG.exe
PID 1660 wrote to memory of 1768 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_af079aa3400563833efc3c4835e57a45_cobalt-strike_cobaltstrike.exe C:\Windows\System\UZRuUQG.exe
PID 1660 wrote to memory of 1768 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_af079aa3400563833efc3c4835e57a45_cobalt-strike_cobaltstrike.exe C:\Windows\System\UZRuUQG.exe
PID 1660 wrote to memory of 2288 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_af079aa3400563833efc3c4835e57a45_cobalt-strike_cobaltstrike.exe C:\Windows\System\TarzKJG.exe
PID 1660 wrote to memory of 2288 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_af079aa3400563833efc3c4835e57a45_cobalt-strike_cobaltstrike.exe C:\Windows\System\TarzKJG.exe
PID 1660 wrote to memory of 2288 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_af079aa3400563833efc3c4835e57a45_cobalt-strike_cobaltstrike.exe C:\Windows\System\TarzKJG.exe
PID 1660 wrote to memory of 1624 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_af079aa3400563833efc3c4835e57a45_cobalt-strike_cobaltstrike.exe C:\Windows\System\TVFSCJJ.exe
PID 1660 wrote to memory of 1624 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_af079aa3400563833efc3c4835e57a45_cobalt-strike_cobaltstrike.exe C:\Windows\System\TVFSCJJ.exe
PID 1660 wrote to memory of 1624 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_af079aa3400563833efc3c4835e57a45_cobalt-strike_cobaltstrike.exe C:\Windows\System\TVFSCJJ.exe
PID 1660 wrote to memory of 1464 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_af079aa3400563833efc3c4835e57a45_cobalt-strike_cobaltstrike.exe C:\Windows\System\jlfcLVt.exe
PID 1660 wrote to memory of 1464 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_af079aa3400563833efc3c4835e57a45_cobalt-strike_cobaltstrike.exe C:\Windows\System\jlfcLVt.exe
PID 1660 wrote to memory of 1464 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_af079aa3400563833efc3c4835e57a45_cobalt-strike_cobaltstrike.exe C:\Windows\System\jlfcLVt.exe
PID 1660 wrote to memory of 2128 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_af079aa3400563833efc3c4835e57a45_cobalt-strike_cobaltstrike.exe C:\Windows\System\hJqtThQ.exe
PID 1660 wrote to memory of 2128 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_af079aa3400563833efc3c4835e57a45_cobalt-strike_cobaltstrike.exe C:\Windows\System\hJqtThQ.exe
PID 1660 wrote to memory of 2128 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_af079aa3400563833efc3c4835e57a45_cobalt-strike_cobaltstrike.exe C:\Windows\System\hJqtThQ.exe
PID 1660 wrote to memory of 1260 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_af079aa3400563833efc3c4835e57a45_cobalt-strike_cobaltstrike.exe C:\Windows\System\kaeabXr.exe
PID 1660 wrote to memory of 1260 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_af079aa3400563833efc3c4835e57a45_cobalt-strike_cobaltstrike.exe C:\Windows\System\kaeabXr.exe
PID 1660 wrote to memory of 1260 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_af079aa3400563833efc3c4835e57a45_cobalt-strike_cobaltstrike.exe C:\Windows\System\kaeabXr.exe
PID 1660 wrote to memory of 1380 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_af079aa3400563833efc3c4835e57a45_cobalt-strike_cobaltstrike.exe C:\Windows\System\oIbbvak.exe
PID 1660 wrote to memory of 1380 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_af079aa3400563833efc3c4835e57a45_cobalt-strike_cobaltstrike.exe C:\Windows\System\oIbbvak.exe
PID 1660 wrote to memory of 1380 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_af079aa3400563833efc3c4835e57a45_cobalt-strike_cobaltstrike.exe C:\Windows\System\oIbbvak.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-05-29_af079aa3400563833efc3c4835e57a45_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-05-29_af079aa3400563833efc3c4835e57a45_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\UuvZGKq.exe

C:\Windows\System\UuvZGKq.exe

C:\Windows\System\nMmyuqu.exe

C:\Windows\System\nMmyuqu.exe

C:\Windows\System\EiyCOev.exe

C:\Windows\System\EiyCOev.exe

C:\Windows\System\bGfvSWK.exe

C:\Windows\System\bGfvSWK.exe

C:\Windows\System\yfuffHC.exe

C:\Windows\System\yfuffHC.exe

C:\Windows\System\JJgCJJs.exe

C:\Windows\System\JJgCJJs.exe

C:\Windows\System\YqqYhII.exe

C:\Windows\System\YqqYhII.exe

C:\Windows\System\dzJBVFv.exe

C:\Windows\System\dzJBVFv.exe

C:\Windows\System\GXJQJwi.exe

C:\Windows\System\GXJQJwi.exe

C:\Windows\System\inJcDXF.exe

C:\Windows\System\inJcDXF.exe

C:\Windows\System\ZLXCvIA.exe

C:\Windows\System\ZLXCvIA.exe

C:\Windows\System\AlYpvZN.exe

C:\Windows\System\AlYpvZN.exe

C:\Windows\System\cCigySK.exe

C:\Windows\System\cCigySK.exe

C:\Windows\System\YVXVJtK.exe

C:\Windows\System\YVXVJtK.exe

C:\Windows\System\UZRuUQG.exe

C:\Windows\System\UZRuUQG.exe

C:\Windows\System\TarzKJG.exe

C:\Windows\System\TarzKJG.exe

C:\Windows\System\TVFSCJJ.exe

C:\Windows\System\TVFSCJJ.exe

C:\Windows\System\jlfcLVt.exe

C:\Windows\System\jlfcLVt.exe

C:\Windows\System\hJqtThQ.exe

C:\Windows\System\hJqtThQ.exe

C:\Windows\System\kaeabXr.exe

C:\Windows\System\kaeabXr.exe

C:\Windows\System\oIbbvak.exe

C:\Windows\System\oIbbvak.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 N/A tcp
DE 3.120.209.58:8080 N/A tcp
DE 3.120.209.58:8080 N/A tcp
DE 3.120.209.58:8080 N/A tcp
DE 3.120.209.58:8080 N/A tcp
DE 3.120.209.58:8080 N/A tcp

Files

memory/1660-0-0x000000013F4D0000-0x000000013F821000-memory.dmp

memory/1660-1-0x0000000000200000-0x0000000000210000-memory.dmp

\Windows\system\UuvZGKq.exe

MD5 137476a7edec52f60a47a9392e485944
SHA1 5f994d3c491f3dd056f9e591af2b36ea41d34eee
SHA256 fa8068e3b32a28c2fa4dd1ca597b347b65fa5278416023de2def1fdd2f86de09
SHA512 69333a01515992958f59d07f7107fdd8223347845186df5836b4b871ef4ab13baf4f8959ebde98ecb6fb124fce92a9819782547780053b9feb2c683077a90cbb

\Windows\system\nMmyuqu.exe

MD5 30cb41265a4975d5ed6c4a3249568c3f
SHA1 3396d48cf786a9e146f64c7e57111edb518ded0a
SHA256 69edd98ea57062862dc5c5c08f857e24d13d0077b954f092390cb2d8f0302fc1
SHA512 00b52ca4835862a854c348880011df77b0fb5b7389ccb1b0f87a4c09c92afdc4f5ceff3408dfb340538e0c60f3506684ef01a6737f2828c669281c1cf8491da4

memory/2192-14-0x000000013F780000-0x000000013FAD1000-memory.dmp

memory/1660-13-0x00000000022D0000-0x0000000002621000-memory.dmp

memory/1980-11-0x000000013F4F0000-0x000000013F841000-memory.dmp

C:\Windows\system\EiyCOev.exe

MD5 204a897f4f25be88a48a184cca569813
SHA1 266f532784f4b69fb42faf785ebda510e28ca8c9
SHA256 320e0eca289e85557571b89fc0138f475d67395e31c91017d290037e6e6874e5
SHA512 fd537893ee4219747e31ea8c84eb8d1759543a275a8222d24d4047edc1660453956d31eb2582016796a0f5cc686b8f44e2c2c27efa62941558e310708b541db4

memory/2604-22-0x000000013F840000-0x000000013FB91000-memory.dmp

memory/1660-20-0x000000013F840000-0x000000013FB91000-memory.dmp

\Windows\system\JJgCJJs.exe

MD5 9f2976ad0724a32e84eb119801fce850
SHA1 fcd4554c57a7fa8a5f8f61b38bcfce11bad65c94
SHA256 f236b65693293711260b96bc3ed0d86cf09d60cf6a64ea6a8c0ad6eec7edbf82
SHA512 bf2d298cace5a53c8ae8a42203ff0052ce8a3e831373b420d87c6c1f2a85bb3cc617245c3915e982b756cc87c2b87d18474676f6d2c7f234087a2a131e53cd79

memory/1660-48-0x00000000022D0000-0x0000000002621000-memory.dmp

memory/1660-47-0x00000000022D0000-0x0000000002621000-memory.dmp

memory/1344-45-0x000000013F6D0000-0x000000013FA21000-memory.dmp

C:\Windows\system\YqqYhII.exe

MD5 67291b3f5e85e79e0bcf1711fa976d67
SHA1 ac9ad4f13629100a4f2e0b98823f758376a25cc9
SHA256 e4884909a8310118f52d4f7c956cd29719fa5bb7704c65e5c0cf6fdf7392e3a7
SHA512 9be7c4c01f9f035f4f46388ba65158fc2082dc1235cc011b7cbf0778d87503cf9411cd4b06fded267780e91c4619a076de9e1595da69eef9a48cee585d4dae2f

memory/2740-50-0x000000013F450000-0x000000013F7A1000-memory.dmp

memory/2564-49-0x000000013FFF0000-0x0000000140341000-memory.dmp

memory/1660-41-0x000000013FFF0000-0x0000000140341000-memory.dmp

memory/2556-36-0x000000013F7F0000-0x000000013FB41000-memory.dmp

memory/1660-34-0x00000000022D0000-0x0000000002621000-memory.dmp

C:\Windows\system\yfuffHC.exe

MD5 7dbbd1f93db6270ac490019a7992c1bb
SHA1 d20bccddf392bc3d0a2eb4280866562d4de1c688
SHA256 aeea98626e453aa21b3610e7c410ab9d06669804cc5eaedd89a4ad11b577d986
SHA512 145074c04effe458a807dc7a60c8ff5043e23475b49a5de23ee364e3c02e60a91a464c4e8cd50870ad5b60d114d4df991880879e8fd18764d30cdc1926da7a42

C:\Windows\system\bGfvSWK.exe

MD5 e590f816213f4cb4b7bcae197988140f
SHA1 d4d7a044aec08c2f79502648decb9a1f38d37961
SHA256 f0093f406f2e464bb2e8e17c19d02b91f5f03c2afca8326abe1a65caf0556364
SHA512 4824b0bfcfce809398393e313dfd55962bb237a0aac17a07784ab580a710e3d1fbe6f7c9006fd958048d140ef1dd0d4a0944502f165e2d2fc1e056b15bc71137

C:\Windows\system\dzJBVFv.exe

MD5 be34652434e6d15fecd680db20d6e760
SHA1 979e08402a786bfdf0539ea8c4c7a5bc1af92648
SHA256 0ad13e55ba564531affafb1e56b7b3ca15002f33c2dd956bd5c82eb3febe506a
SHA512 037af29ea135a8de1a4227c8f75c81fd90a320cbc790c256f1ee9d3c1fdc654d84eb9c2d88f846aaa1559c34569a67eded1cd180fc758d5a83a35ae38c08b8b6

memory/1660-55-0x00000000022D0000-0x0000000002621000-memory.dmp

\Windows\system\GXJQJwi.exe

MD5 7ce660f919d7ca1fca12e0896a2c0e1a
SHA1 2150d758f729e8768b2758e02c6b9647fd79a2a2
SHA256 34cc844f6091e494a98e96eb946c0ec44ce3cc8d29bb4ac34687afa9df7a6148
SHA512 6547d30e6892c71628608259ce35575869a480bb1b85b2baef5bb9e23e0621f44ebdb9e749d57be31ddcb136e9827909a8706c808e6e1372bd58007bf368ddae

memory/2456-62-0x000000013F480000-0x000000013F7D1000-memory.dmp

memory/2404-61-0x000000013F470000-0x000000013F7C1000-memory.dmp

C:\Windows\system\inJcDXF.exe

MD5 4e4010fa9fbd18cd2c08887e12b5a278
SHA1 8d149de33b90fb61ca9b7885befca8876b886c6e
SHA256 0900535ae3af05a537ddcb96879a9b7791f306a607d785db0e8c6a6eb06d8c21
SHA512 22054aacdf06d02e234b7978584a5d7b119119fed9136d441de9ef4b6a97ae7dcee2131207964f6d405f803fb12949ccb8a9db92f936b8e656ef2a5abc4be9ea

memory/2872-70-0x000000013FBA0000-0x000000013FEF1000-memory.dmp

memory/1660-69-0x000000013FBA0000-0x000000013FEF1000-memory.dmp

memory/1660-74-0x00000000022D0000-0x0000000002621000-memory.dmp

memory/2692-77-0x000000013F7F0000-0x000000013FB41000-memory.dmp


Analysis: behavioral2

Detonation Overview

Submitted

2024-05-29 22:50

Reported

2024-05-29 22:53

Platform

win10v2004-20240508-en

Max time kernel

147s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-05-29_af079aa3400563833efc3c4835e57a45_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\bGfvSWK.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_af079aa3400563833efc3c4835e57a45_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\JJgCJJs.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_af079aa3400563833efc3c4835e57a45_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\TarzKJG.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_af079aa3400563833efc3c4835e57a45_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\jlfcLVt.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_af079aa3400563833efc3c4835e57a45_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\UuvZGKq.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_af079aa3400563833efc3c4835e57a45_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\cCigySK.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_af079aa3400563833efc3c4835e57a45_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\UZRuUQG.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_af079aa3400563833efc3c4835e57a45_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\hJqtThQ.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_af079aa3400563833efc3c4835e57a45_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\kaeabXr.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_af079aa3400563833efc3c4835e57a45_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\oIbbvak.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_af079aa3400563833efc3c4835e57a45_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\yfuffHC.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_af079aa3400563833efc3c4835e57a45_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\dzJBVFv.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_af079aa3400563833efc3c4835e57a45_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\GXJQJwi.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_af079aa3400563833efc3c4835e57a45_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\inJcDXF.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_af079aa3400563833efc3c4835e57a45_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\AlYpvZN.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_af079aa3400563833efc3c4835e57a45_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\YVXVJtK.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_af079aa3400563833efc3c4835e57a45_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\YqqYhII.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_af079aa3400563833efc3c4835e57a45_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\EiyCOev.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_af079aa3400563833efc3c4835e57a45_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ZLXCvIA.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_af079aa3400563833efc3c4835e57a45_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\TVFSCJJ.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_af079aa3400563833efc3c4835e57a45_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\nMmyuqu.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_af079aa3400563833efc3c4835e57a45_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_af079aa3400563833efc3c4835e57a45_cobalt-strike_cobaltstrike.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_af079aa3400563833efc3c4835e57a45_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1480 wrote to memory of 3368 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_af079aa3400563833efc3c4835e57a45_cobalt-strike_cobaltstrike.exe C:\Windows\System\UuvZGKq.exe
PID 1480 wrote to memory of 3368 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_af079aa3400563833efc3c4835e57a45_cobalt-strike_cobaltstrike.exe C:\Windows\System\UuvZGKq.exe
PID 1480 wrote to memory of 1552 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_af079aa3400563833efc3c4835e57a45_cobalt-strike_cobaltstrike.exe C:\Windows\System\nMmyuqu.exe
PID 1480 wrote to memory of 1552 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_af079aa3400563833efc3c4835e57a45_cobalt-strike_cobaltstrike.exe C:\Windows\System\nMmyuqu.exe
PID 1480 wrote to memory of 3044 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_af079aa3400563833efc3c4835e57a45_cobalt-strike_cobaltstrike.exe C:\Windows\System\EiyCOev.exe
PID 1480 wrote to memory of 3044 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_af079aa3400563833efc3c4835e57a45_cobalt-strike_cobaltstrike.exe C:\Windows\System\EiyCOev.exe
PID 1480 wrote to memory of 4396 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_af079aa3400563833efc3c4835e57a45_cobalt-strike_cobaltstrike.exe C:\Windows\System\bGfvSWK.exe
PID 1480 wrote to memory of 4396 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_af079aa3400563833efc3c4835e57a45_cobalt-strike_cobaltstrike.exe C:\Windows\System\bGfvSWK.exe
PID 1480 wrote to memory of 2440 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_af079aa3400563833efc3c4835e57a45_cobalt-strike_cobaltstrike.exe C:\Windows\System\yfuffHC.exe
PID 1480 wrote to memory of 2440 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_af079aa3400563833efc3c4835e57a45_cobalt-strike_cobaltstrike.exe C:\Windows\System\yfuffHC.exe
PID 1480 wrote to memory of 4224 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_af079aa3400563833efc3c4835e57a45_cobalt-strike_cobaltstrike.exe C:\Windows\System\JJgCJJs.exe
PID 1480 wrote to memory of 4224 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_af079aa3400563833efc3c4835e57a45_cobalt-strike_cobaltstrike.exe C:\Windows\System\JJgCJJs.exe
PID 1480 wrote to memory of 3944 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_af079aa3400563833efc3c4835e57a45_cobalt-strike_cobaltstrike.exe C:\Windows\System\YqqYhII.exe
PID 1480 wrote to memory of 3944 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_af079aa3400563833efc3c4835e57a45_cobalt-strike_cobaltstrike.exe C:\Windows\System\YqqYhII.exe
PID 1480 wrote to memory of 4220 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_af079aa3400563833efc3c4835e57a45_cobalt-strike_cobaltstrike.exe C:\Windows\System\dzJBVFv.exe
PID 1480 wrote to memory of 4220 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_af079aa3400563833efc3c4835e57a45_cobalt-strike_cobaltstrike.exe C:\Windows\System\dzJBVFv.exe
PID 1480 wrote to memory of 1156 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_af079aa3400563833efc3c4835e57a45_cobalt-strike_cobaltstrike.exe C:\Windows\System\GXJQJwi.exe
PID 1480 wrote to memory of 1156 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_af079aa3400563833efc3c4835e57a45_cobalt-strike_cobaltstrike.exe C:\Windows\System\GXJQJwi.exe
PID 1480 wrote to memory of 4732 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_af079aa3400563833efc3c4835e57a45_cobalt-strike_cobaltstrike.exe C:\Windows\System\inJcDXF.exe
PID 1480 wrote to memory of 4732 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_af079aa3400563833efc3c4835e57a45_cobalt-strike_cobaltstrike.exe C:\Windows\System\inJcDXF.exe
PID 1480 wrote to memory of 4872 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_af079aa3400563833efc3c4835e57a45_cobalt-strike_cobaltstrike.exe C:\Windows\System\ZLXCvIA.exe
PID 1480 wrote to memory of 4872 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_af079aa3400563833efc3c4835e57a45_cobalt-strike_cobaltstrike.exe C:\Windows\System\ZLXCvIA.exe
PID 1480 wrote to memory of 3708 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_af079aa3400563833efc3c4835e57a45_cobalt-strike_cobaltstrike.exe C:\Windows\System\AlYpvZN.exe
PID 1480 wrote to memory of 3708 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_af079aa3400563833efc3c4835e57a45_cobalt-strike_cobaltstrike.exe C:\Windows\System\AlYpvZN.exe
PID 1480 wrote to memory of 4504 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_af079aa3400563833efc3c4835e57a45_cobalt-strike_cobaltstrike.exe C:\Windows\System\cCigySK.exe
PID 1480 wrote to memory of 4504 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_af079aa3400563833efc3c4835e57a45_cobalt-strike_cobaltstrike.exe C:\Windows\System\cCigySK.exe
PID 1480 wrote to memory of 892 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_af079aa3400563833efc3c4835e57a45_cobalt-strike_cobaltstrike.exe C:\Windows\System\YVXVJtK.exe
PID 1480 wrote to memory of 892 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_af079aa3400563833efc3c4835e57a45_cobalt-strike_cobaltstrike.exe C:\Windows\System\YVXVJtK.exe
PID 1480 wrote to memory of 4488 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_af079aa3400563833efc3c4835e57a45_cobalt-strike_cobaltstrike.exe C:\Windows\System\UZRuUQG.exe
PID 1480 wrote to memory of 4488 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_af079aa3400563833efc3c4835e57a45_cobalt-strike_cobaltstrike.exe C:\Windows\System\UZRuUQG.exe
PID 1480 wrote to memory of 3996 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_af079aa3400563833efc3c4835e57a45_cobalt-strike_cobaltstrike.exe C:\Windows\System\TarzKJG.exe
PID 1480 wrote to memory of 3996 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_af079aa3400563833efc3c4835e57a45_cobalt-strike_cobaltstrike.exe C:\Windows\System\TarzKJG.exe
PID 1480 wrote to memory of 64 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_af079aa3400563833efc3c4835e57a45_cobalt-strike_cobaltstrike.exe C:\Windows\System\TVFSCJJ.exe
PID 1480 wrote to memory of 64 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_af079aa3400563833efc3c4835e57a45_cobalt-strike_cobaltstrike.exe C:\Windows\System\TVFSCJJ.exe
PID 1480 wrote to memory of 4048 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_af079aa3400563833efc3c4835e57a45_cobalt-strike_cobaltstrike.exe C:\Windows\System\jlfcLVt.exe
PID 1480 wrote to memory of 4048 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_af079aa3400563833efc3c4835e57a45_cobalt-strike_cobaltstrike.exe C:\Windows\System\jlfcLVt.exe
PID 1480 wrote to memory of 4128 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_af079aa3400563833efc3c4835e57a45_cobalt-strike_cobaltstrike.exe C:\Windows\System\hJqtThQ.exe
PID 1480 wrote to memory of 4128 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_af079aa3400563833efc3c4835e57a45_cobalt-strike_cobaltstrike.exe C:\Windows\System\hJqtThQ.exe
PID 1480 wrote to memory of 5060 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_af079aa3400563833efc3c4835e57a45_cobalt-strike_cobaltstrike.exe C:\Windows\System\kaeabXr.exe
PID 1480 wrote to memory of 5060 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_af079aa3400563833efc3c4835e57a45_cobalt-strike_cobaltstrike.exe C:\Windows\System\kaeabXr.exe
PID 1480 wrote to memory of 2044 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_af079aa3400563833efc3c4835e57a45_cobalt-strike_cobaltstrike.exe C:\Windows\System\oIbbvak.exe
PID 1480 wrote to memory of 2044 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_af079aa3400563833efc3c4835e57a45_cobalt-strike_cobaltstrike.exe C:\Windows\System\oIbbvak.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-05-29_af079aa3400563833efc3c4835e57a45_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-05-29_af079aa3400563833efc3c4835e57a45_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\UuvZGKq.exe

C:\Windows\System\UuvZGKq.exe

C:\Windows\System\nMmyuqu.exe

C:\Windows\System\nMmyuqu.exe

C:\Windows\System\EiyCOev.exe

C:\Windows\System\EiyCOev.exe

C:\Windows\System\bGfvSWK.exe

C:\Windows\System\bGfvSWK.exe

C:\Windows\System\yfuffHC.exe

C:\Windows\System\yfuffHC.exe

C:\Windows\System\JJgCJJs.exe

C:\Windows\System\JJgCJJs.exe

C:\Windows\System\YqqYhII.exe

C:\Windows\System\YqqYhII.exe

C:\Windows\System\dzJBVFv.exe

C:\Windows\System\dzJBVFv.exe

C:\Windows\System\GXJQJwi.exe

C:\Windows\System\GXJQJwi.exe

C:\Windows\System\inJcDXF.exe

C:\Windows\System\inJcDXF.exe

C:\Windows\System\ZLXCvIA.exe

C:\Windows\System\ZLXCvIA.exe

C:\Windows\System\AlYpvZN.exe

C:\Windows\System\AlYpvZN.exe

C:\Windows\System\cCigySK.exe

C:\Windows\System\cCigySK.exe

C:\Windows\System\YVXVJtK.exe

C:\Windows\System\YVXVJtK.exe

C:\Windows\System\UZRuUQG.exe

C:\Windows\System\UZRuUQG.exe

C:\Windows\System\TarzKJG.exe

C:\Windows\System\TarzKJG.exe

C:\Windows\System\TVFSCJJ.exe

C:\Windows\System\TVFSCJJ.exe

C:\Windows\System\jlfcLVt.exe

C:\Windows\System\jlfcLVt.exe

C:\Windows\System\hJqtThQ.exe

C:\Windows\System\hJqtThQ.exe

C:\Windows\System\kaeabXr.exe

C:\Windows\System\kaeabXr.exe

C:\Windows\System\oIbbvak.exe

C:\Windows\System\oIbbvak.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
BE 88.221.83.210:443 www.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 210.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
BE 88.221.83.209:443 www.bing.com tcp
US 8.8.8.8:53 209.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp

Files
