Malware Analysis Report

2025-03-15 08:10

Sample ID 240529-2vf24sdh36
Target 2024-05-29_cb1fd333ccc99c539478bffb7fe1b480_cobalt-strike_cobaltstrike
SHA256 5845551224007c22914672f9a41dbca30e82d88a1cc64b3fcf76ce629830e7a4
Tags
miner upx 0 xmrig cobaltstrike backdoor trojan
score
10/10

Analysis Overview

Threat Level: Known bad

The file 2024-05-29_cb1fd333ccc99c539478bffb7fe1b480_cobalt-strike_cobaltstrike was found to be: Known bad.

Malicious Activity Summary

UPX dump on OEP (original entry point)
XMRig Miner payload (family: xmrig)
Detects Reflective DLL injection artifacts
Cobalt Strike reflective loader (family: cobaltstrike)
Loads dropped DLL
UPX packed file
Executes dropped EXE
Drops file in Windows directory
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-05-29 22:53

Signatures (static; no indicator, process or target is recorded for any hit, all table cells are N/A)

Cobalt Strike reflective loader
Cobaltstrike family (tag: cobaltstrike)
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload (tag: miner)
Xmrig family (tag: xmrig)
UPX packed file (tag: upx)
Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-29 22:53

Reported

2024-05-29 22:56

Platform

win7-20240221-en

Max time kernel

137s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-05-29_cb1fd333ccc99c539478bffb7fe1b480_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader: 21 rows, all fields N/A (no indicator, process or target recorded)

Cobaltstrike family (tags: trojan backdoor cobaltstrike)

Xmrig family (tags: miner xmrig)

Detects Reflective DLL injection artifacts: 21 rows, all fields N/A

UPX dump on OEP (original entry point): 54 rows, all fields N/A

XMRig Miner payload (tag: miner): 56 rows, all fields N/A
Loads dropped DLL

21 rows; the process in every row is C:\Users\Admin\AppData\Local\Temp\2024-05-29_cb1fd333ccc99c539478bffb7fe1b480_cobalt-strike_cobaltstrike.exe, with no indicator or target recorded.

UPX packed file (tag: upx)

55 rows, all fields N/A.

Drops file in Windows directory

Process C:\Users\Admin\AppData\Local\Temp\2024-05-29_cb1fd333ccc99c539478bffb7fe1b480_cobalt-strike_cobaltstrike.exe created the following 21 files (no target recorded):

C:\Windows\System\GcEgKcJ.exe
C:\Windows\System\WnqUqry.exe
C:\Windows\System\MhAycUo.exe
C:\Windows\System\tXZwquF.exe
C:\Windows\System\BqKGLyy.exe
C:\Windows\System\YhgKXqs.exe
C:\Windows\System\XbjYyFq.exe
C:\Windows\System\etCdboC.exe
C:\Windows\System\BOwKsWC.exe
C:\Windows\System\dvktIcv.exe
C:\Windows\System\bhFDRQz.exe
C:\Windows\System\VaEtSTq.exe
C:\Windows\System\yPlXNSa.exe
C:\Windows\System\PZAkaCh.exe
C:\Windows\System\isVNqop.exe
C:\Windows\System\TypySei.exe
C:\Windows\System\DOVLnsU.exe
C:\Windows\System\BgJAAiP.exe
C:\Windows\System\eeWvFQS.exe
C:\Windows\System\chWvwtP.exe
C:\Windows\System\lfpnYst.exe

Suspicious use of AdjustPrivilegeToken

Token: SeLockMemoryPrivilege (2 events), process C:\Users\Admin\AppData\Local\Temp\2024-05-29_cb1fd333ccc99c539478bffb7fe1b480_cobalt-strike_cobaltstrike.exe, no indicator or target recorded.

Suspicious use of WriteProcessMemory

Source in every row: PID 2740, C:\Users\Admin\AppData\Local\Temp\2024-05-29_cb1fd333ccc99c539478bffb7fe1b480_cobalt-strike_cobaltstrike.exe. Each target below received three writes (no indicator recorded):

Target PID  Target
2196        C:\Windows\System\eeWvFQS.exe
2112        C:\Windows\System\XbjYyFq.exe
2160        C:\Windows\System\chWvwtP.exe
2580        C:\Windows\System\isVNqop.exe
2644        C:\Windows\System\etCdboC.exe
2636        C:\Windows\System\TypySei.exe
2476        C:\Windows\System\BOwKsWC.exe
2552        C:\Windows\System\GcEgKcJ.exe
2504        C:\Windows\System\dvktIcv.exe
2956        C:\Windows\System\MhAycUo.exe
2968        C:\Windows\System\tXZwquF.exe
2704        C:\Windows\System\BqKGLyy.exe
2764        C:\Windows\System\YhgKXqs.exe
2812        C:\Windows\System\DOVLnsU.exe
2836        C:\Windows\System\BgJAAiP.exe
832         C:\Windows\System\lfpnYst.exe
1944        C:\Windows\System\WnqUqry.exe
1708        C:\Windows\System\yPlXNSa.exe
2184        C:\Windows\System\bhFDRQz.exe
2948        C:\Windows\System\PZAkaCh.exe
2500        C:\Windows\System\VaEtSTq.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-05-29_cb1fd333ccc99c539478bffb7fe1b480_cobalt-strike_cobaltstrike.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\2024-05-29_cb1fd333ccc99c539478bffb7fe1b480_cobalt-strike_cobaltstrike.exe"

Child processes, each launched with its own path as the command line:

C:\Windows\System\eeWvFQS.exe
C:\Windows\System\XbjYyFq.exe
C:\Windows\System\chWvwtP.exe
C:\Windows\System\isVNqop.exe
C:\Windows\System\etCdboC.exe
C:\Windows\System\TypySei.exe
C:\Windows\System\BOwKsWC.exe
C:\Windows\System\GcEgKcJ.exe
C:\Windows\System\dvktIcv.exe
C:\Windows\System\MhAycUo.exe
C:\Windows\System\tXZwquF.exe
C:\Windows\System\BqKGLyy.exe
C:\Windows\System\YhgKXqs.exe
C:\Windows\System\DOVLnsU.exe
C:\Windows\System\BgJAAiP.exe
C:\Windows\System\lfpnYst.exe
C:\Windows\System\WnqUqry.exe
C:\Windows\System\yPlXNSa.exe
C:\Windows\System\bhFDRQz.exe
C:\Windows\System\PZAkaCh.exe
C:\Windows\System\VaEtSTq.exe

Network

Country  Destination        Domain  Proto  Connections
DE       3.120.209.58:8080  N/A     tcp    6

Files

memory/2740-0-0x000000013FE30000-0x0000000140184000-memory.dmp

memory/2740-1-0x0000000000080000-0x0000000000090000-memory.dmp

\Windows\system\eeWvFQS.exe

MD5 3fb3053495fdff2872578292412ffd6a
SHA1 e55297d2803a821080b75b983e393438c2ab7295
SHA256 c28f22edc13c216d8947d975bcddc135ad8586b3ed35202fb02c3d567d152b29
SHA512 d232baccaa4ce418f8e24807aac63fef65792f13b03e13bf2797a580f9d59a7e98477c083bb2185bdcee17d2fa5880132f8e6f67149991cc41b318b42ecb7772

memory/2740-6-0x000000013F050000-0x000000013F3A4000-memory.dmp

C:\Windows\system\XbjYyFq.exe

MD5 141f20cbdd48deb52beb176e72c08b4f
SHA1 fb01ca9a06f782331dad2dd2a922d675a65b218f
SHA256 f6c59ed3507ede456c94412561d92929abf9e040ef2f1b705051abf47e2d279b
SHA512 cf8accb1c7937dacb6b220f138f54dad8430110ded1e39a0770a4fb6c4ed60905ec6b20f3eeb7378162a4609e84eb31c6a1437c5dce357261cbfa7c1b731d732

memory/2196-14-0x000000013F050000-0x000000013F3A4000-memory.dmp

memory/2740-12-0x0000000002370000-0x00000000026C4000-memory.dmp

memory/2112-16-0x000000013FF30000-0x0000000140284000-memory.dmp

C:\Windows\system\chWvwtP.exe

MD5 da429fcfbe8187f84833680805884ab1
SHA1 f12505f61ea244f824e3a5ecd2edce4808cb71fb
SHA256 eabd79705a492657731a6a57b11f9f9c34d33d5bee02a478c25fa85743127ac6
SHA512 b761df70ef3dbd61f5b6468213542c48f302ce713a2f6a6529e4b1f46958ac4429862137459bdeb160087edc95112a8c814a7329a117e8e0ba93c3c42ab9620d

C:\Windows\system\isVNqop.exe

MD5 daed953314233b872f9ff6a3057e3b64
SHA1 2b57d29c95309f31b0efc52032acb859d039f165
SHA256 3724a2a5a7def7b448d741c3cbeef495f1bb2e29fb8cb6e65e8b7bff2e367b38
SHA512 a6cc215776e5d8c227ca0948526e6adb1d8c68097cfa02ef06bba80889b420738e9b5976b8e8d76520790193ea39af061abca449972a6c8d060afdf147051703

C:\Windows\system\TypySei.exe

MD5 4a7577e2f323f252eaecf44217912db8
SHA1 76526bf63d399f1e2487476ee2d7c9d1209b9c52
SHA256 33c44c359cdcc6f79b7b5bf7fcec22485b5f0dce4c6e26ee1d80d2d500641ccc
SHA512 395bd1a5d6d443344bfbde59ec3385acbe914a719a7257d7221188194e63b5a2061dd5550a5fca831fa14444fcdc330c4f7f72868233bf9857e525a1bd889d0f

memory/2740-40-0x000000013F4E0000-0x000000013F834000-memory.dmp

memory/2160-29-0x000000013FFC0000-0x0000000140314000-memory.dmp

memory/2644-42-0x000000013F390000-0x000000013F6E4000-memory.dmp

memory/2636-41-0x000000013F4E0000-0x000000013F834000-memory.dmp

memory/2740-37-0x000000013F390000-0x000000013F6E4000-memory.dmp

C:\Windows\system\etCdboC.exe

MD5 c27072dc7c4f575d83d2597b689337d9
SHA1 c8d19db4806e973b5811d87fc431febf2c312f7b
SHA256 96e61368f2d8e8468727da1b2754b176f3ba9fa79fc40cb953f4e6e9125c6360
SHA512 51689eb498946efb6b80fa1f9f9da203cabc3f117bdc3abb87624e345559aca9aafdf95abbaf18177d0d440d3146b6097d2b9a861710a8320e18eadf8ed25c5b

memory/2580-33-0x000000013FD80000-0x00000001400D4000-memory.dmp

C:\Windows\system\BOwKsWC.exe

MD5 bd24fc52679fbc91c78e9390408a6769
SHA1 97af6e774630dd07766351e2ce1ed6354b048eb2
SHA256 cf0b8d1603e5e703971ffaef036fe07157a980603bd22441bcb35cd4cdae8340
SHA512 4bc9457f5ff2783bf7f121eea237d3f2b8b90db9072c62b1c26ccf5ca05c52951ffe327b709f91f3a2c97775eeeb35405febca3f1d17baebf0c036a01e110159

memory/2740-48-0x0000000002370000-0x00000000026C4000-memory.dmp

\Windows\system\GcEgKcJ.exe

MD5 1dabf39dd8bc322208f22dc103747ef9
SHA1 c804737f2bdc254f1f434b6391cd8ea06d782b21
SHA256 ca3999dd6e45206f8cba8658f72eb26d8c2a19bbbd6413f6922ff58a6e3a2da9
SHA512 131ea41b3e009c1f9bffd1659fc6ab66958c9cfaf8b22af3ac6d0da279ed8fdb2097c18f4411665e9c2e7f2fa3f0da4a06bf6b5b7169146bc90e4f342fcb0a1d

memory/2740-55-0x000000013F550000-0x000000013F8A4000-memory.dmp

memory/2552-56-0x000000013F550000-0x000000013F8A4000-memory.dmp

memory/2476-49-0x000000013FEE0000-0x0000000140234000-memory.dmp

memory/2740-62-0x000000013FE30000-0x0000000140184000-memory.dmp

memory/2504-63-0x000000013FAF0000-0x000000013FE44000-memory.dmp

C:\Windows\system\dvktIcv.exe

MD5 40fe0046010825c090becf3ac257e742
SHA1 1b26f219f9f20f028aa5236ccb4f268091f73154
SHA256 45851780344c485f9cc913564f7b2ea33febbf705d65c3bebf7af5920162d5d8
SHA512 d6479c8d9df9685bad18ade17d501486483db0f201fa865680b93dca6b70488f2c5e406591cbae9438790222b07598b619cb622af121cd56ab49c0a9d55e844a

C:\Windows\system\tXZwquF.exe

MD5 f756387f9cc4381abdc05674655e4a6a
SHA1 095f5ec3db913b33c4eeca624910796ff59e19e6
SHA256 2612f046d90a199853fa7235fc4a695d7841b3e5beee249ca8adcdcb124393c0
SHA512 bd0a6be0b9c211ee95c8a1117f46da32f177c98a05503f5108036ae60c8b9679ac393f06504ddaeb1fb918e1f65dd788cb73ddd935ba846d1d945e2f5c8ee5bb

memory/2956-78-0x000000013F970000-0x000000013FCC4000-memory.dmp

memory/2704-85-0x000000013F530000-0x000000013F884000-memory.dmp

memory/2740-82-0x000000013F530000-0x000000013F884000-memory.dmp

\Windows\system\BgJAAiP.exe

MD5 e192019364cf0e49d117704eafdaac94
SHA1 514a8770e135f592170f9f76c970da42e2106438
SHA256 c31950acfc7d6df51184bee47b8e17001adce5a7154599aa229e633c1b0835e8
SHA512 ff18e741981cf2e48eaf8998c476e80826fb0fb5f63d512ccbeccc54605c4f67f6409afe44b73ed077a40c2be228ba0b77bd41a8e7a5dab948465fadf31416df

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-29 22:53

Reported

2024-05-29 22:56

Platform

win10v2004-20240426-en

Max time kernel

139s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-05-29_cb1fd333ccc99c539478bffb7fe1b480_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\mRhFWOV.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_cb1fd333ccc99c539478bffb7fe1b480_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ZITXdUr.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_cb1fd333ccc99c539478bffb7fe1b480_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\zkevyLa.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_cb1fd333ccc99c539478bffb7fe1b480_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\EiKvvCy.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_cb1fd333ccc99c539478bffb7fe1b480_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\tuPsLvq.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_cb1fd333ccc99c539478bffb7fe1b480_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\KDoTSvr.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_cb1fd333ccc99c539478bffb7fe1b480_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\lDlmYcv.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_cb1fd333ccc99c539478bffb7fe1b480_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\BiBeXGX.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_cb1fd333ccc99c539478bffb7fe1b480_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\VcrWdCU.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_cb1fd333ccc99c539478bffb7fe1b480_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ryaYEpI.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_cb1fd333ccc99c539478bffb7fe1b480_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\riaPudu.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_cb1fd333ccc99c539478bffb7fe1b480_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\dyMiTBY.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_cb1fd333ccc99c539478bffb7fe1b480_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\DwCuqhJ.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_cb1fd333ccc99c539478bffb7fe1b480_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\krSGiRD.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_cb1fd333ccc99c539478bffb7fe1b480_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\EtXgCXU.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_cb1fd333ccc99c539478bffb7fe1b480_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\rslqYsU.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_cb1fd333ccc99c539478bffb7fe1b480_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\sNUfZpf.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_cb1fd333ccc99c539478bffb7fe1b480_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\yxxcGBp.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_cb1fd333ccc99c539478bffb7fe1b480_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\gZyZulG.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_cb1fd333ccc99c539478bffb7fe1b480_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\HggUHDx.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_cb1fd333ccc99c539478bffb7fe1b480_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\sIvedIt.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_cb1fd333ccc99c539478bffb7fe1b480_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_cb1fd333ccc99c539478bffb7fe1b480_cobalt-strike_cobaltstrike.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_cb1fd333ccc99c539478bffb7fe1b480_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 800 wrote to memory of 1440 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_cb1fd333ccc99c539478bffb7fe1b480_cobalt-strike_cobaltstrike.exe C:\Windows\System\krSGiRD.exe
PID 800 wrote to memory of 1440 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_cb1fd333ccc99c539478bffb7fe1b480_cobalt-strike_cobaltstrike.exe C:\Windows\System\krSGiRD.exe
PID 800 wrote to memory of 2324 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_cb1fd333ccc99c539478bffb7fe1b480_cobalt-strike_cobaltstrike.exe C:\Windows\System\EtXgCXU.exe
PID 800 wrote to memory of 2324 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_cb1fd333ccc99c539478bffb7fe1b480_cobalt-strike_cobaltstrike.exe C:\Windows\System\EtXgCXU.exe
PID 800 wrote to memory of 4716 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_cb1fd333ccc99c539478bffb7fe1b480_cobalt-strike_cobaltstrike.exe C:\Windows\System\mRhFWOV.exe
PID 800 wrote to memory of 4716 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_cb1fd333ccc99c539478bffb7fe1b480_cobalt-strike_cobaltstrike.exe C:\Windows\System\mRhFWOV.exe
PID 800 wrote to memory of 1056 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_cb1fd333ccc99c539478bffb7fe1b480_cobalt-strike_cobaltstrike.exe C:\Windows\System\rslqYsU.exe
PID 800 wrote to memory of 1056 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_cb1fd333ccc99c539478bffb7fe1b480_cobalt-strike_cobaltstrike.exe C:\Windows\System\rslqYsU.exe
PID 800 wrote to memory of 3000 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_cb1fd333ccc99c539478bffb7fe1b480_cobalt-strike_cobaltstrike.exe C:\Windows\System\KDoTSvr.exe
PID 800 wrote to memory of 3000 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_cb1fd333ccc99c539478bffb7fe1b480_cobalt-strike_cobaltstrike.exe C:\Windows\System\KDoTSvr.exe
PID 800 wrote to memory of 1980 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_cb1fd333ccc99c539478bffb7fe1b480_cobalt-strike_cobaltstrike.exe C:\Windows\System\gZyZulG.exe
PID 800 wrote to memory of 1980 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_cb1fd333ccc99c539478bffb7fe1b480_cobalt-strike_cobaltstrike.exe C:\Windows\System\gZyZulG.exe
PID 800 wrote to memory of 1284 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_cb1fd333ccc99c539478bffb7fe1b480_cobalt-strike_cobaltstrike.exe C:\Windows\System\VcrWdCU.exe
PID 800 wrote to memory of 1284 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_cb1fd333ccc99c539478bffb7fe1b480_cobalt-strike_cobaltstrike.exe C:\Windows\System\VcrWdCU.exe
PID 800 wrote to memory of 4972 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_cb1fd333ccc99c539478bffb7fe1b480_cobalt-strike_cobaltstrike.exe C:\Windows\System\ryaYEpI.exe
PID 800 wrote to memory of 4972 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_cb1fd333ccc99c539478bffb7fe1b480_cobalt-strike_cobaltstrike.exe C:\Windows\System\ryaYEpI.exe
PID 800 wrote to memory of 4560 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_cb1fd333ccc99c539478bffb7fe1b480_cobalt-strike_cobaltstrike.exe C:\Windows\System\ZITXdUr.exe
PID 800 wrote to memory of 4560 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_cb1fd333ccc99c539478bffb7fe1b480_cobalt-strike_cobaltstrike.exe C:\Windows\System\ZITXdUr.exe
PID 800 wrote to memory of 3932 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_cb1fd333ccc99c539478bffb7fe1b480_cobalt-strike_cobaltstrike.exe C:\Windows\System\riaPudu.exe
PID 800 wrote to memory of 3932 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_cb1fd333ccc99c539478bffb7fe1b480_cobalt-strike_cobaltstrike.exe C:\Windows\System\riaPudu.exe
PID 800 wrote to memory of 4820 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_cb1fd333ccc99c539478bffb7fe1b480_cobalt-strike_cobaltstrike.exe C:\Windows\System\lDlmYcv.exe
PID 800 wrote to memory of 4820 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_cb1fd333ccc99c539478bffb7fe1b480_cobalt-strike_cobaltstrike.exe C:\Windows\System\lDlmYcv.exe
PID 800 wrote to memory of 2564 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_cb1fd333ccc99c539478bffb7fe1b480_cobalt-strike_cobaltstrike.exe C:\Windows\System\BiBeXGX.exe
PID 800 wrote to memory of 2564 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_cb1fd333ccc99c539478bffb7fe1b480_cobalt-strike_cobaltstrike.exe C:\Windows\System\BiBeXGX.exe
PID 800 wrote to memory of 1160 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_cb1fd333ccc99c539478bffb7fe1b480_cobalt-strike_cobaltstrike.exe C:\Windows\System\dyMiTBY.exe
PID 800 wrote to memory of 1160 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_cb1fd333ccc99c539478bffb7fe1b480_cobalt-strike_cobaltstrike.exe C:\Windows\System\dyMiTBY.exe
PID 800 wrote to memory of 1492 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_cb1fd333ccc99c539478bffb7fe1b480_cobalt-strike_cobaltstrike.exe C:\Windows\System\HggUHDx.exe
PID 800 wrote to memory of 1492 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_cb1fd333ccc99c539478bffb7fe1b480_cobalt-strike_cobaltstrike.exe C:\Windows\System\HggUHDx.exe
PID 800 wrote to memory of 4188 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_cb1fd333ccc99c539478bffb7fe1b480_cobalt-strike_cobaltstrike.exe C:\Windows\System\zkevyLa.exe
PID 800 wrote to memory of 4188 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_cb1fd333ccc99c539478bffb7fe1b480_cobalt-strike_cobaltstrike.exe C:\Windows\System\zkevyLa.exe
PID 800 wrote to memory of 5076 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_cb1fd333ccc99c539478bffb7fe1b480_cobalt-strike_cobaltstrike.exe C:\Windows\System\EiKvvCy.exe
PID 800 wrote to memory of 5076 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_cb1fd333ccc99c539478bffb7fe1b480_cobalt-strike_cobaltstrike.exe C:\Windows\System\EiKvvCy.exe
PID 800 wrote to memory of 4932 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_cb1fd333ccc99c539478bffb7fe1b480_cobalt-strike_cobaltstrike.exe C:\Windows\System\DwCuqhJ.exe
PID 800 wrote to memory of 4932 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_cb1fd333ccc99c539478bffb7fe1b480_cobalt-strike_cobaltstrike.exe C:\Windows\System\DwCuqhJ.exe
PID 800 wrote to memory of 5084 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_cb1fd333ccc99c539478bffb7fe1b480_cobalt-strike_cobaltstrike.exe C:\Windows\System\sIvedIt.exe
PID 800 wrote to memory of 5084 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_cb1fd333ccc99c539478bffb7fe1b480_cobalt-strike_cobaltstrike.exe C:\Windows\System\sIvedIt.exe
PID 800 wrote to memory of 1704 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_cb1fd333ccc99c539478bffb7fe1b480_cobalt-strike_cobaltstrike.exe C:\Windows\System\yxxcGBp.exe
PID 800 wrote to memory of 1704 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_cb1fd333ccc99c539478bffb7fe1b480_cobalt-strike_cobaltstrike.exe C:\Windows\System\yxxcGBp.exe
PID 800 wrote to memory of 4316 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_cb1fd333ccc99c539478bffb7fe1b480_cobalt-strike_cobaltstrike.exe C:\Windows\System\tuPsLvq.exe
PID 800 wrote to memory of 4316 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_cb1fd333ccc99c539478bffb7fe1b480_cobalt-strike_cobaltstrike.exe C:\Windows\System\tuPsLvq.exe
PID 800 wrote to memory of 2284 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_cb1fd333ccc99c539478bffb7fe1b480_cobalt-strike_cobaltstrike.exe C:\Windows\System\sNUfZpf.exe
PID 800 wrote to memory of 2284 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_cb1fd333ccc99c539478bffb7fe1b480_cobalt-strike_cobaltstrike.exe C:\Windows\System\sNUfZpf.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-05-29_cb1fd333ccc99c539478bffb7fe1b480_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-05-29_cb1fd333ccc99c539478bffb7fe1b480_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\krSGiRD.exe

C:\Windows\System\krSGiRD.exe

C:\Windows\System\EtXgCXU.exe

C:\Windows\System\EtXgCXU.exe

C:\Windows\System\mRhFWOV.exe

C:\Windows\System\mRhFWOV.exe

C:\Windows\System\rslqYsU.exe

C:\Windows\System\rslqYsU.exe

C:\Windows\System\KDoTSvr.exe

C:\Windows\System\KDoTSvr.exe

C:\Windows\System\gZyZulG.exe

C:\Windows\System\gZyZulG.exe

C:\Windows\System\VcrWdCU.exe

C:\Windows\System\VcrWdCU.exe

C:\Windows\System\ryaYEpI.exe

C:\Windows\System\ryaYEpI.exe

C:\Windows\System\ZITXdUr.exe

C:\Windows\System\ZITXdUr.exe

C:\Windows\System\riaPudu.exe

C:\Windows\System\riaPudu.exe

C:\Windows\System\lDlmYcv.exe

C:\Windows\System\lDlmYcv.exe

C:\Windows\System\BiBeXGX.exe

C:\Windows\System\BiBeXGX.exe

C:\Windows\System\dyMiTBY.exe

C:\Windows\System\dyMiTBY.exe

C:\Windows\System\HggUHDx.exe

C:\Windows\System\HggUHDx.exe

C:\Windows\System\zkevyLa.exe

C:\Windows\System\zkevyLa.exe

C:\Windows\System\EiKvvCy.exe

C:\Windows\System\EiKvvCy.exe

C:\Windows\System\DwCuqhJ.exe

C:\Windows\System\DwCuqhJ.exe

C:\Windows\System\sIvedIt.exe

C:\Windows\System\sIvedIt.exe

C:\Windows\System\yxxcGBp.exe

C:\Windows\System\yxxcGBp.exe

C:\Windows\System\tuPsLvq.exe

C:\Windows\System\tuPsLvq.exe

C:\Windows\System\sNUfZpf.exe

C:\Windows\System\sNUfZpf.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 73.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp

Files
