Malware Analysis Report

2025-03-15 08:10

Sample ID 240529-x1nlxsff72
Target 2024-05-29_b0ff157d4ac98b4807810ab74e4a28f3_cobalt-strike_cobaltstrike
SHA256 f39875c1523d321881abaa9c06e6e0294292cc998115f18203a093df12b15eb9
Tags
miner upx 0 xmrig cobaltstrike backdoor trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

f39875c1523d321881abaa9c06e6e0294292cc998115f18203a093df12b15eb9

Threat Level: Known bad

The file 2024-05-29_b0ff157d4ac98b4807810ab74e4a28f3_cobalt-strike_cobaltstrike was found to be: Known bad.

Malicious Activity Summary

miner upx 0 xmrig cobaltstrike backdoor trojan

Detects Reflective DLL injection artifacts

Cobaltstrike

Xmrig family

UPX dump on OEP (original entry point)

xmrig

Cobalt Strike reflective loader

Cobaltstrike family

XMRig Miner payload

UPX packed file

Loads dropped DLL

Executes dropped EXE

Drops file in Windows directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-05-29 19:19

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike family

cobaltstrike

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Xmrig family

xmrig

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-29 19:19

Reported

2024-05-29 19:21

Platform

win7-20240215-en

Max time kernel

137s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-05-29_b0ff157d4ac98b4807810ab74e4a28f3_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_b0ff157d4ac98b4807810ab74e4a28f3_cobalt-strike_cobaltstrike.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\BtywuiJ.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_b0ff157d4ac98b4807810ab74e4a28f3_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\edTFSYc.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_b0ff157d4ac98b4807810ab74e4a28f3_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\JVQCiAK.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_b0ff157d4ac98b4807810ab74e4a28f3_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\JkAykVh.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_b0ff157d4ac98b4807810ab74e4a28f3_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\YjRNVNX.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_b0ff157d4ac98b4807810ab74e4a28f3_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\TAwILIm.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_b0ff157d4ac98b4807810ab74e4a28f3_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\xEcMMep.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_b0ff157d4ac98b4807810ab74e4a28f3_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ithSLkS.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_b0ff157d4ac98b4807810ab74e4a28f3_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\xAuvTlN.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_b0ff157d4ac98b4807810ab74e4a28f3_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\iAdnYXX.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_b0ff157d4ac98b4807810ab74e4a28f3_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\EXzjbiq.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_b0ff157d4ac98b4807810ab74e4a28f3_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\kCkoRis.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_b0ff157d4ac98b4807810ab74e4a28f3_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\bFbdeIt.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_b0ff157d4ac98b4807810ab74e4a28f3_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\JWxuRpu.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_b0ff157d4ac98b4807810ab74e4a28f3_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\RNixXau.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_b0ff157d4ac98b4807810ab74e4a28f3_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\WhwKooo.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_b0ff157d4ac98b4807810ab74e4a28f3_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\vOZBwtd.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_b0ff157d4ac98b4807810ab74e4a28f3_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\DxKMyfu.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_b0ff157d4ac98b4807810ab74e4a28f3_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\hqOYwxm.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_b0ff157d4ac98b4807810ab74e4a28f3_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\UFdOzeD.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_b0ff157d4ac98b4807810ab74e4a28f3_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\NxlNMhB.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_b0ff157d4ac98b4807810ab74e4a28f3_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_b0ff157d4ac98b4807810ab74e4a28f3_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2208 wrote to memory of 2280 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_b0ff157d4ac98b4807810ab74e4a28f3_cobalt-strike_cobaltstrike.exe C:\Windows\System\DxKMyfu.exe
PID 2208 wrote to memory of 1828 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_b0ff157d4ac98b4807810ab74e4a28f3_cobalt-strike_cobaltstrike.exe C:\Windows\System\YjRNVNX.exe
PID 2208 wrote to memory of 3056 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_b0ff157d4ac98b4807810ab74e4a28f3_cobalt-strike_cobaltstrike.exe C:\Windows\System\TAwILIm.exe
PID 2208 wrote to memory of 1992 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_b0ff157d4ac98b4807810ab74e4a28f3_cobalt-strike_cobaltstrike.exe C:\Windows\System\xAuvTlN.exe
PID 2208 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_b0ff157d4ac98b4807810ab74e4a28f3_cobalt-strike_cobaltstrike.exe C:\Windows\System\xEcMMep.exe
PID 2208 wrote to memory of 2868 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_b0ff157d4ac98b4807810ab74e4a28f3_cobalt-strike_cobaltstrike.exe C:\Windows\System\hqOYwxm.exe
PID 2208 wrote to memory of 2592 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_b0ff157d4ac98b4807810ab74e4a28f3_cobalt-strike_cobaltstrike.exe C:\Windows\System\iAdnYXX.exe
PID 2208 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_b0ff157d4ac98b4807810ab74e4a28f3_cobalt-strike_cobaltstrike.exe C:\Windows\System\UFdOzeD.exe
PID 2208 wrote to memory of 2524 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_b0ff157d4ac98b4807810ab74e4a28f3_cobalt-strike_cobaltstrike.exe C:\Windows\System\NxlNMhB.exe
PID 2208 wrote to memory of 2488 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_b0ff157d4ac98b4807810ab74e4a28f3_cobalt-strike_cobaltstrike.exe C:\Windows\System\ithSLkS.exe
PID 2208 wrote to memory of 1816 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_b0ff157d4ac98b4807810ab74e4a28f3_cobalt-strike_cobaltstrike.exe C:\Windows\System\EXzjbiq.exe
PID 2208 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_b0ff157d4ac98b4807810ab74e4a28f3_cobalt-strike_cobaltstrike.exe C:\Windows\System\JWxuRpu.exe
PID 2208 wrote to memory of 2960 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_b0ff157d4ac98b4807810ab74e4a28f3_cobalt-strike_cobaltstrike.exe C:\Windows\System\BtywuiJ.exe
PID 2208 wrote to memory of 2644 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_b0ff157d4ac98b4807810ab74e4a28f3_cobalt-strike_cobaltstrike.exe C:\Windows\System\RNixXau.exe
PID 2208 wrote to memory of 380 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_b0ff157d4ac98b4807810ab74e4a28f3_cobalt-strike_cobaltstrike.exe C:\Windows\System\edTFSYc.exe
PID 2208 wrote to memory of 1436 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_b0ff157d4ac98b4807810ab74e4a28f3_cobalt-strike_cobaltstrike.exe C:\Windows\System\bFbdeIt.exe
PID 2208 wrote to memory of 768 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_b0ff157d4ac98b4807810ab74e4a28f3_cobalt-strike_cobaltstrike.exe C:\Windows\System\JVQCiAK.exe
PID 2208 wrote to memory of 1792 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_b0ff157d4ac98b4807810ab74e4a28f3_cobalt-strike_cobaltstrike.exe C:\Windows\System\JkAykVh.exe
PID 2208 wrote to memory of 556 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_b0ff157d4ac98b4807810ab74e4a28f3_cobalt-strike_cobaltstrike.exe C:\Windows\System\kCkoRis.exe
PID 2208 wrote to memory of 2780 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_b0ff157d4ac98b4807810ab74e4a28f3_cobalt-strike_cobaltstrike.exe C:\Windows\System\WhwKooo.exe
PID 2208 wrote to memory of 1844 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_b0ff157d4ac98b4807810ab74e4a28f3_cobalt-strike_cobaltstrike.exe C:\Windows\System\vOZBwtd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-05-29_b0ff157d4ac98b4807810ab74e4a28f3_cobalt-strike_cobaltstrike.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\2024-05-29_b0ff157d4ac98b4807810ab74e4a28f3_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\DxKMyfu.exe
Command line: C:\Windows\System\DxKMyfu.exe

C:\Windows\System\YjRNVNX.exe
Command line: C:\Windows\System\YjRNVNX.exe

C:\Windows\System\TAwILIm.exe
Command line: C:\Windows\System\TAwILIm.exe

C:\Windows\System\xAuvTlN.exe
Command line: C:\Windows\System\xAuvTlN.exe

C:\Windows\System\xEcMMep.exe
Command line: C:\Windows\System\xEcMMep.exe

C:\Windows\System\hqOYwxm.exe
Command line: C:\Windows\System\hqOYwxm.exe

C:\Windows\System\iAdnYXX.exe
Command line: C:\Windows\System\iAdnYXX.exe

C:\Windows\System\UFdOzeD.exe
Command line: C:\Windows\System\UFdOzeD.exe

C:\Windows\System\NxlNMhB.exe
Command line: C:\Windows\System\NxlNMhB.exe

C:\Windows\System\ithSLkS.exe
Command line: C:\Windows\System\ithSLkS.exe

C:\Windows\System\EXzjbiq.exe
Command line: C:\Windows\System\EXzjbiq.exe

C:\Windows\System\JWxuRpu.exe
Command line: C:\Windows\System\JWxuRpu.exe

C:\Windows\System\BtywuiJ.exe
Command line: C:\Windows\System\BtywuiJ.exe

C:\Windows\System\RNixXau.exe
Command line: C:\Windows\System\RNixXau.exe

C:\Windows\System\edTFSYc.exe
Command line: C:\Windows\System\edTFSYc.exe

C:\Windows\System\bFbdeIt.exe
Command line: C:\Windows\System\bFbdeIt.exe

C:\Windows\System\JVQCiAK.exe
Command line: C:\Windows\System\JVQCiAK.exe

C:\Windows\System\JkAykVh.exe
Command line: C:\Windows\System\JkAykVh.exe

C:\Windows\System\kCkoRis.exe
Command line: C:\Windows\System\kCkoRis.exe

C:\Windows\System\WhwKooo.exe
Command line: C:\Windows\System\WhwKooo.exe

C:\Windows\System\vOZBwtd.exe
Command line: C:\Windows\System\vOZBwtd.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 tcp

Files


memory/2208-37-0x000000013F230000-0x000000013F584000-memory.dmp

memory/1992-33-0x000000013FB90000-0x000000013FEE4000-memory.dmp

memory/2208-31-0x0000000002300000-0x0000000002654000-memory.dmp

memory/2208-30-0x000000013FB90000-0x000000013FEE4000-memory.dmp

memory/1828-29-0x000000013F050000-0x000000013F3A4000-memory.dmp

memory/3056-27-0x000000013F3C0000-0x000000013F714000-memory.dmp

memory/2208-18-0x000000013F050000-0x000000013F3A4000-memory.dmp

memory/2492-138-0x000000013F2D0000-0x000000013F624000-memory.dmp

memory/2524-139-0x000000013F1D0000-0x000000013F524000-memory.dmp

memory/2208-140-0x0000000002300000-0x0000000002654000-memory.dmp

memory/1816-141-0x000000013F7F0000-0x000000013FB44000-memory.dmp

memory/2652-142-0x000000013FA60000-0x000000013FDB4000-memory.dmp

memory/2208-143-0x000000013FC40000-0x000000013FF94000-memory.dmp

memory/2960-144-0x000000013FC40000-0x000000013FF94000-memory.dmp

memory/2208-145-0x000000013F3C0000-0x000000013F714000-memory.dmp

memory/2644-146-0x000000013F3C0000-0x000000013F714000-memory.dmp

memory/2280-147-0x000000013FEA0000-0x00000001401F4000-memory.dmp

memory/1828-148-0x000000013F050000-0x000000013F3A4000-memory.dmp

memory/3056-149-0x000000013F3C0000-0x000000013F714000-memory.dmp

memory/1992-150-0x000000013FB90000-0x000000013FEE4000-memory.dmp

memory/2668-151-0x000000013F8A0000-0x000000013FBF4000-memory.dmp

memory/2868-152-0x000000013F230000-0x000000013F584000-memory.dmp

memory/2592-153-0x000000013F180000-0x000000013F4D4000-memory.dmp

memory/2492-154-0x000000013F2D0000-0x000000013F624000-memory.dmp

memory/2524-155-0x000000013F1D0000-0x000000013F524000-memory.dmp

memory/2488-156-0x000000013F600000-0x000000013F954000-memory.dmp

memory/1816-157-0x000000013F7F0000-0x000000013FB44000-memory.dmp

memory/2652-158-0x000000013FA60000-0x000000013FDB4000-memory.dmp

memory/2960-159-0x000000013FC40000-0x000000013FF94000-memory.dmp

memory/2644-160-0x000000013F3C0000-0x000000013F714000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-29 19:19

Reported

2024-05-29 19:21

Platform

win10v2004-20240426-en

Max time kernel

138s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-05-29_b0ff157d4ac98b4807810ab74e4a28f3_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

UPX dump on OEP (original entry point)

XMRig Miner payload

miner

UPX packed file

upx

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\FvLhBQg.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_b0ff157d4ac98b4807810ab74e4a28f3_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\bhgARBn.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_b0ff157d4ac98b4807810ab74e4a28f3_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\qXjciqU.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_b0ff157d4ac98b4807810ab74e4a28f3_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\SJpnMHT.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_b0ff157d4ac98b4807810ab74e4a28f3_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\JKGfjZf.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_b0ff157d4ac98b4807810ab74e4a28f3_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\dkHStls.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_b0ff157d4ac98b4807810ab74e4a28f3_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\FAKYIps.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_b0ff157d4ac98b4807810ab74e4a28f3_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\JKUrgZx.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_b0ff157d4ac98b4807810ab74e4a28f3_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\NCHresP.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_b0ff157d4ac98b4807810ab74e4a28f3_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\lOOCDlm.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_b0ff157d4ac98b4807810ab74e4a28f3_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\lRYzgML.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_b0ff157d4ac98b4807810ab74e4a28f3_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\COPzAvi.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_b0ff157d4ac98b4807810ab74e4a28f3_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\FcIGBqC.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_b0ff157d4ac98b4807810ab74e4a28f3_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\JWobdFL.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_b0ff157d4ac98b4807810ab74e4a28f3_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\OKnTitp.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_b0ff157d4ac98b4807810ab74e4a28f3_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\AKMSZhy.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_b0ff157d4ac98b4807810ab74e4a28f3_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\GKlNGTa.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_b0ff157d4ac98b4807810ab74e4a28f3_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\NBEVZXB.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_b0ff157d4ac98b4807810ab74e4a28f3_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\OfBHjkf.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_b0ff157d4ac98b4807810ab74e4a28f3_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\tJwlAar.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_b0ff157d4ac98b4807810ab74e4a28f3_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\McBFBTA.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_b0ff157d4ac98b4807810ab74e4a28f3_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_b0ff157d4ac98b4807810ab74e4a28f3_cobalt-strike_cobaltstrike.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_b0ff157d4ac98b4807810ab74e4a28f3_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4276 wrote to memory of 2776 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_b0ff157d4ac98b4807810ab74e4a28f3_cobalt-strike_cobaltstrike.exe C:\Windows\System\JKGfjZf.exe
PID 4276 wrote to memory of 2776 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_b0ff157d4ac98b4807810ab74e4a28f3_cobalt-strike_cobaltstrike.exe C:\Windows\System\JKGfjZf.exe
PID 4276 wrote to memory of 1676 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_b0ff157d4ac98b4807810ab74e4a28f3_cobalt-strike_cobaltstrike.exe C:\Windows\System\NBEVZXB.exe
PID 4276 wrote to memory of 1676 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_b0ff157d4ac98b4807810ab74e4a28f3_cobalt-strike_cobaltstrike.exe C:\Windows\System\NBEVZXB.exe
PID 4276 wrote to memory of 2036 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_b0ff157d4ac98b4807810ab74e4a28f3_cobalt-strike_cobaltstrike.exe C:\Windows\System\dkHStls.exe
PID 4276 wrote to memory of 2036 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_b0ff157d4ac98b4807810ab74e4a28f3_cobalt-strike_cobaltstrike.exe C:\Windows\System\dkHStls.exe
PID 4276 wrote to memory of 4792 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_b0ff157d4ac98b4807810ab74e4a28f3_cobalt-strike_cobaltstrike.exe C:\Windows\System\FAKYIps.exe
PID 4276 wrote to memory of 4792 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_b0ff157d4ac98b4807810ab74e4a28f3_cobalt-strike_cobaltstrike.exe C:\Windows\System\FAKYIps.exe
PID 4276 wrote to memory of 5004 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_b0ff157d4ac98b4807810ab74e4a28f3_cobalt-strike_cobaltstrike.exe C:\Windows\System\lOOCDlm.exe
PID 4276 wrote to memory of 5004 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_b0ff157d4ac98b4807810ab74e4a28f3_cobalt-strike_cobaltstrike.exe C:\Windows\System\lOOCDlm.exe
PID 4276 wrote to memory of 1792 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_b0ff157d4ac98b4807810ab74e4a28f3_cobalt-strike_cobaltstrike.exe C:\Windows\System\lRYzgML.exe
PID 4276 wrote to memory of 1792 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_b0ff157d4ac98b4807810ab74e4a28f3_cobalt-strike_cobaltstrike.exe C:\Windows\System\lRYzgML.exe
PID 4276 wrote to memory of 888 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_b0ff157d4ac98b4807810ab74e4a28f3_cobalt-strike_cobaltstrike.exe C:\Windows\System\COPzAvi.exe
PID 4276 wrote to memory of 888 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_b0ff157d4ac98b4807810ab74e4a28f3_cobalt-strike_cobaltstrike.exe C:\Windows\System\COPzAvi.exe
PID 4276 wrote to memory of 4640 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_b0ff157d4ac98b4807810ab74e4a28f3_cobalt-strike_cobaltstrike.exe C:\Windows\System\FcIGBqC.exe
PID 4276 wrote to memory of 4640 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_b0ff157d4ac98b4807810ab74e4a28f3_cobalt-strike_cobaltstrike.exe C:\Windows\System\FcIGBqC.exe
PID 4276 wrote to memory of 4016 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_b0ff157d4ac98b4807810ab74e4a28f3_cobalt-strike_cobaltstrike.exe C:\Windows\System\JKUrgZx.exe
PID 4276 wrote to memory of 4016 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_b0ff157d4ac98b4807810ab74e4a28f3_cobalt-strike_cobaltstrike.exe C:\Windows\System\JKUrgZx.exe
PID 4276 wrote to memory of 2212 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_b0ff157d4ac98b4807810ab74e4a28f3_cobalt-strike_cobaltstrike.exe C:\Windows\System\NCHresP.exe
PID 4276 wrote to memory of 2212 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_b0ff157d4ac98b4807810ab74e4a28f3_cobalt-strike_cobaltstrike.exe C:\Windows\System\NCHresP.exe
PID 4276 wrote to memory of 4068 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_b0ff157d4ac98b4807810ab74e4a28f3_cobalt-strike_cobaltstrike.exe C:\Windows\System\FvLhBQg.exe
PID 4276 wrote to memory of 4068 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_b0ff157d4ac98b4807810ab74e4a28f3_cobalt-strike_cobaltstrike.exe C:\Windows\System\FvLhBQg.exe
PID 4276 wrote to memory of 4536 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_b0ff157d4ac98b4807810ab74e4a28f3_cobalt-strike_cobaltstrike.exe C:\Windows\System\JWobdFL.exe
PID 4276 wrote to memory of 4536 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_b0ff157d4ac98b4807810ab74e4a28f3_cobalt-strike_cobaltstrike.exe C:\Windows\System\JWobdFL.exe
PID 4276 wrote to memory of 5028 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_b0ff157d4ac98b4807810ab74e4a28f3_cobalt-strike_cobaltstrike.exe C:\Windows\System\OKnTitp.exe
PID 4276 wrote to memory of 5028 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_b0ff157d4ac98b4807810ab74e4a28f3_cobalt-strike_cobaltstrike.exe C:\Windows\System\OKnTitp.exe
PID 4276 wrote to memory of 3324 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_b0ff157d4ac98b4807810ab74e4a28f3_cobalt-strike_cobaltstrike.exe C:\Windows\System\OfBHjkf.exe
PID 4276 wrote to memory of 3324 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_b0ff157d4ac98b4807810ab74e4a28f3_cobalt-strike_cobaltstrike.exe C:\Windows\System\OfBHjkf.exe
PID 4276 wrote to memory of 4564 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_b0ff157d4ac98b4807810ab74e4a28f3_cobalt-strike_cobaltstrike.exe C:\Windows\System\bhgARBn.exe
PID 4276 wrote to memory of 4564 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_b0ff157d4ac98b4807810ab74e4a28f3_cobalt-strike_cobaltstrike.exe C:\Windows\System\bhgARBn.exe
PID 4276 wrote to memory of 2524 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_b0ff157d4ac98b4807810ab74e4a28f3_cobalt-strike_cobaltstrike.exe C:\Windows\System\tJwlAar.exe
PID 4276 wrote to memory of 2524 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_b0ff157d4ac98b4807810ab74e4a28f3_cobalt-strike_cobaltstrike.exe C:\Windows\System\tJwlAar.exe
PID 4276 wrote to memory of 1556 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_b0ff157d4ac98b4807810ab74e4a28f3_cobalt-strike_cobaltstrike.exe C:\Windows\System\qXjciqU.exe
PID 4276 wrote to memory of 1556 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_b0ff157d4ac98b4807810ab74e4a28f3_cobalt-strike_cobaltstrike.exe C:\Windows\System\qXjciqU.exe
PID 4276 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_b0ff157d4ac98b4807810ab74e4a28f3_cobalt-strike_cobaltstrike.exe C:\Windows\System\McBFBTA.exe
PID 4276 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_b0ff157d4ac98b4807810ab74e4a28f3_cobalt-strike_cobaltstrike.exe C:\Windows\System\McBFBTA.exe
PID 4276 wrote to memory of 1620 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_b0ff157d4ac98b4807810ab74e4a28f3_cobalt-strike_cobaltstrike.exe C:\Windows\System\GKlNGTa.exe
PID 4276 wrote to memory of 1620 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_b0ff157d4ac98b4807810ab74e4a28f3_cobalt-strike_cobaltstrike.exe C:\Windows\System\GKlNGTa.exe
PID 4276 wrote to memory of 3860 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_b0ff157d4ac98b4807810ab74e4a28f3_cobalt-strike_cobaltstrike.exe C:\Windows\System\AKMSZhy.exe
PID 4276 wrote to memory of 3860 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_b0ff157d4ac98b4807810ab74e4a28f3_cobalt-strike_cobaltstrike.exe C:\Windows\System\AKMSZhy.exe
PID 4276 wrote to memory of 3340 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_b0ff157d4ac98b4807810ab74e4a28f3_cobalt-strike_cobaltstrike.exe C:\Windows\System\SJpnMHT.exe
PID 4276 wrote to memory of 3340 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_b0ff157d4ac98b4807810ab74e4a28f3_cobalt-strike_cobaltstrike.exe C:\Windows\System\SJpnMHT.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-05-29_b0ff157d4ac98b4807810ab74e4a28f3_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-05-29_b0ff157d4ac98b4807810ab74e4a28f3_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\JKGfjZf.exe

C:\Windows\System\JKGfjZf.exe

C:\Windows\System\NBEVZXB.exe

C:\Windows\System\NBEVZXB.exe

C:\Windows\System\dkHStls.exe

C:\Windows\System\dkHStls.exe

C:\Windows\System\FAKYIps.exe

C:\Windows\System\FAKYIps.exe

C:\Windows\System\lOOCDlm.exe

C:\Windows\System\lOOCDlm.exe

C:\Windows\System\lRYzgML.exe

C:\Windows\System\lRYzgML.exe

C:\Windows\System\COPzAvi.exe

C:\Windows\System\COPzAvi.exe

C:\Windows\System\FcIGBqC.exe

C:\Windows\System\FcIGBqC.exe

C:\Windows\System\JKUrgZx.exe

C:\Windows\System\JKUrgZx.exe

C:\Windows\System\NCHresP.exe

C:\Windows\System\NCHresP.exe

C:\Windows\System\FvLhBQg.exe

C:\Windows\System\FvLhBQg.exe

C:\Windows\System\JWobdFL.exe

C:\Windows\System\JWobdFL.exe

C:\Windows\System\OKnTitp.exe

C:\Windows\System\OKnTitp.exe

C:\Windows\System\OfBHjkf.exe

C:\Windows\System\OfBHjkf.exe

C:\Windows\System\bhgARBn.exe

C:\Windows\System\bhgARBn.exe

C:\Windows\System\tJwlAar.exe

C:\Windows\System\tJwlAar.exe

C:\Windows\System\qXjciqU.exe

C:\Windows\System\qXjciqU.exe

C:\Windows\System\McBFBTA.exe

C:\Windows\System\McBFBTA.exe

C:\Windows\System\GKlNGTa.exe

C:\Windows\System\GKlNGTa.exe

C:\Windows\System\AKMSZhy.exe

C:\Windows\System\AKMSZhy.exe

C:\Windows\System\SJpnMHT.exe

C:\Windows\System\SJpnMHT.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 163.126.19.2.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 99.58.20.217.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp

Files
