Malware Analysis Report

2025-03-15 08:12

Sample ID 240529-xq8jcafb68
Target 2024-05-29_a57aa1d47623736a56fe43aa50a9ac67_cobalt-strike_cobaltstrike
SHA256 fb053700c8e22da1f55e71ee2c0037319850e7396b579c795ab4c74525268737
Tags
miner upx 0 xmrig cobaltstrike backdoor trojan
score
10/10

Analysis Overview

score
10/10

SHA256

fb053700c8e22da1f55e71ee2c0037319850e7396b579c795ab4c74525268737

Threat Level: Known bad

The file 2024-05-29_a57aa1d47623736a56fe43aa50a9ac67_cobalt-strike_cobaltstrike was found to be: Known bad.

Malicious Activity Summary

XMRig Miner payload

Cobaltstrike

xmrig

Cobalt Strike reflective loader

UPX dump on OEP (original entry point)

Detects Reflective DLL injection artifacts

Xmrig family

Cobaltstrike family

Loads dropped DLL

UPX packed file

Executes dropped EXE

Drops file in Windows directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-05-29 19:04

Signatures

Cobalt Strike reflective loader

Cobaltstrike family

cobaltstrike

Detects Reflective DLL injection artifacts

UPX dump on OEP (original entry point)

XMRig Miner payload

miner

Xmrig family

xmrig

UPX packed file

upx

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-29 19:04

Reported

2024-05-29 19:07

Platform

win7-20240221-en

Max time kernel

135s

Max time network

145s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-05-29_a57aa1d47623736a56fe43aa50a9ac67_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

UPX dump on OEP (original entry point)

XMRig Miner payload

miner

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_a57aa1d47623736a56fe43aa50a9ac67_cobalt-strike_cobaltstrike.exe N/A

UPX packed file

upx

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\nkvRATi.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_a57aa1d47623736a56fe43aa50a9ac67_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\kyWQHYX.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_a57aa1d47623736a56fe43aa50a9ac67_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\VhxtMAr.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_a57aa1d47623736a56fe43aa50a9ac67_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\CqbHoMa.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_a57aa1d47623736a56fe43aa50a9ac67_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\fauNMFf.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_a57aa1d47623736a56fe43aa50a9ac67_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\lKyVBSN.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_a57aa1d47623736a56fe43aa50a9ac67_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\kiWnGSI.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_a57aa1d47623736a56fe43aa50a9ac67_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\DSUDzUm.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_a57aa1d47623736a56fe43aa50a9ac67_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\pAvtuID.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_a57aa1d47623736a56fe43aa50a9ac67_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\rPRbOHn.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_a57aa1d47623736a56fe43aa50a9ac67_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\WAQbBHw.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_a57aa1d47623736a56fe43aa50a9ac67_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ldfgeyY.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_a57aa1d47623736a56fe43aa50a9ac67_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\KadOLwo.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_a57aa1d47623736a56fe43aa50a9ac67_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ppAuObW.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_a57aa1d47623736a56fe43aa50a9ac67_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\avpFmpk.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_a57aa1d47623736a56fe43aa50a9ac67_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\JVRgqNz.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_a57aa1d47623736a56fe43aa50a9ac67_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\FEOzMbF.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_a57aa1d47623736a56fe43aa50a9ac67_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\DVdZYma.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_a57aa1d47623736a56fe43aa50a9ac67_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\CjqOQnp.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_a57aa1d47623736a56fe43aa50a9ac67_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ZwUzSPc.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_a57aa1d47623736a56fe43aa50a9ac67_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\KnQvsHO.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_a57aa1d47623736a56fe43aa50a9ac67_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_a57aa1d47623736a56fe43aa50a9ac67_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1948 wrote to memory of 2228 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_a57aa1d47623736a56fe43aa50a9ac67_cobalt-strike_cobaltstrike.exe C:\Windows\System\kiWnGSI.exe
PID 1948 wrote to memory of 2480 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_a57aa1d47623736a56fe43aa50a9ac67_cobalt-strike_cobaltstrike.exe C:\Windows\System\DSUDzUm.exe
PID 1948 wrote to memory of 2532 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_a57aa1d47623736a56fe43aa50a9ac67_cobalt-strike_cobaltstrike.exe C:\Windows\System\nkvRATi.exe
PID 1948 wrote to memory of 2612 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_a57aa1d47623736a56fe43aa50a9ac67_cobalt-strike_cobaltstrike.exe C:\Windows\System\kyWQHYX.exe
PID 1948 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_a57aa1d47623736a56fe43aa50a9ac67_cobalt-strike_cobaltstrike.exe C:\Windows\System\VhxtMAr.exe
PID 1948 wrote to memory of 1208 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_a57aa1d47623736a56fe43aa50a9ac67_cobalt-strike_cobaltstrike.exe C:\Windows\System\rPRbOHn.exe
PID 1948 wrote to memory of 2660 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_a57aa1d47623736a56fe43aa50a9ac67_cobalt-strike_cobaltstrike.exe C:\Windows\System\CjqOQnp.exe
PID 1948 wrote to memory of 2412 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_a57aa1d47623736a56fe43aa50a9ac67_cobalt-strike_cobaltstrike.exe C:\Windows\System\CqbHoMa.exe
PID 1948 wrote to memory of 2496 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_a57aa1d47623736a56fe43aa50a9ac67_cobalt-strike_cobaltstrike.exe C:\Windows\System\WAQbBHw.exe
PID 1948 wrote to memory of 2388 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_a57aa1d47623736a56fe43aa50a9ac67_cobalt-strike_cobaltstrike.exe C:\Windows\System\ZwUzSPc.exe
PID 1948 wrote to memory of 2440 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_a57aa1d47623736a56fe43aa50a9ac67_cobalt-strike_cobaltstrike.exe C:\Windows\System\KadOLwo.exe
PID 1948 wrote to memory of 2852 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_a57aa1d47623736a56fe43aa50a9ac67_cobalt-strike_cobaltstrike.exe C:\Windows\System\ppAuObW.exe
PID 1948 wrote to memory of 3048 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_a57aa1d47623736a56fe43aa50a9ac67_cobalt-strike_cobaltstrike.exe C:\Windows\System\avpFmpk.exe
PID 1948 wrote to memory of 1436 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_a57aa1d47623736a56fe43aa50a9ac67_cobalt-strike_cobaltstrike.exe C:\Windows\System\ldfgeyY.exe
PID 1948 wrote to memory of 1256 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_a57aa1d47623736a56fe43aa50a9ac67_cobalt-strike_cobaltstrike.exe C:\Windows\System\pAvtuID.exe
PID 1948 wrote to memory of 1360 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_a57aa1d47623736a56fe43aa50a9ac67_cobalt-strike_cobaltstrike.exe C:\Windows\System\fauNMFf.exe
PID 1948 wrote to memory of 1264 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_a57aa1d47623736a56fe43aa50a9ac67_cobalt-strike_cobaltstrike.exe C:\Windows\System\lKyVBSN.exe
PID 1948 wrote to memory of 1568 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_a57aa1d47623736a56fe43aa50a9ac67_cobalt-strike_cobaltstrike.exe C:\Windows\System\JVRgqNz.exe
PID 1948 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_a57aa1d47623736a56fe43aa50a9ac67_cobalt-strike_cobaltstrike.exe C:\Windows\System\FEOzMbF.exe
PID 1948 wrote to memory of 1548 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_a57aa1d47623736a56fe43aa50a9ac67_cobalt-strike_cobaltstrike.exe C:\Windows\System\DVdZYma.exe
PID 1948 wrote to memory of 1588 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_a57aa1d47623736a56fe43aa50a9ac67_cobalt-strike_cobaltstrike.exe C:\Windows\System\KnQvsHO.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-05-29_a57aa1d47623736a56fe43aa50a9ac67_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-05-29_a57aa1d47623736a56fe43aa50a9ac67_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\kiWnGSI.exe

C:\Windows\System\DSUDzUm.exe

C:\Windows\System\nkvRATi.exe

C:\Windows\System\kyWQHYX.exe

C:\Windows\System\VhxtMAr.exe

C:\Windows\System\rPRbOHn.exe

C:\Windows\System\CjqOQnp.exe

C:\Windows\System\CqbHoMa.exe

C:\Windows\System\WAQbBHw.exe

C:\Windows\System\ZwUzSPc.exe

C:\Windows\System\KadOLwo.exe

C:\Windows\System\ppAuObW.exe

C:\Windows\System\avpFmpk.exe

C:\Windows\System\ldfgeyY.exe

C:\Windows\System\pAvtuID.exe

C:\Windows\System\fauNMFf.exe

C:\Windows\System\lKyVBSN.exe

C:\Windows\System\JVRgqNz.exe

C:\Windows\System\FEOzMbF.exe

C:\Windows\System\DVdZYma.exe

C:\Windows\System\KnQvsHO.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 tcp

Files


memory/2612-135-0x000000013F6E0000-0x000000013FA34000-memory.dmp

memory/2228-136-0x000000013F090000-0x000000013F3E4000-memory.dmp

memory/2480-137-0x000000013F5B0000-0x000000013F904000-memory.dmp

memory/2532-138-0x000000013F900000-0x000000013FC54000-memory.dmp

memory/2612-139-0x000000013F6E0000-0x000000013FA34000-memory.dmp

memory/2492-141-0x000000013F930000-0x000000013FC84000-memory.dmp

memory/1208-140-0x000000013FC80000-0x000000013FFD4000-memory.dmp

memory/2660-142-0x000000013FA90000-0x000000013FDE4000-memory.dmp

memory/2412-143-0x000000013FE30000-0x0000000140184000-memory.dmp

memory/2496-144-0x000000013F1A0000-0x000000013F4F4000-memory.dmp

memory/2440-146-0x000000013FF70000-0x00000001402C4000-memory.dmp

memory/2388-145-0x000000013F860000-0x000000013FBB4000-memory.dmp

memory/2852-147-0x000000013FDC0000-0x0000000140114000-memory.dmp

memory/3048-148-0x000000013F050000-0x000000013F3A4000-memory.dmp

memory/1436-149-0x000000013F720000-0x000000013FA74000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-29 19:04

Reported

2024-05-29 19:07

Platform

win10v2004-20240508-en

Max time kernel

149s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-05-29_a57aa1d47623736a56fe43aa50a9ac67_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\kjHLEnQ.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_a57aa1d47623736a56fe43aa50a9ac67_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\xMFbawp.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_a57aa1d47623736a56fe43aa50a9ac67_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\syllxbu.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_a57aa1d47623736a56fe43aa50a9ac67_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\nMyHiZY.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_a57aa1d47623736a56fe43aa50a9ac67_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\SVzFOzA.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_a57aa1d47623736a56fe43aa50a9ac67_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\FxuQdXi.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_a57aa1d47623736a56fe43aa50a9ac67_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\nFRosmP.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_a57aa1d47623736a56fe43aa50a9ac67_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\rvTFjUt.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_a57aa1d47623736a56fe43aa50a9ac67_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ZagpIdE.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_a57aa1d47623736a56fe43aa50a9ac67_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\hqtgJfc.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_a57aa1d47623736a56fe43aa50a9ac67_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\xdPViQd.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_a57aa1d47623736a56fe43aa50a9ac67_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\TTSvtJX.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_a57aa1d47623736a56fe43aa50a9ac67_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\CypEleV.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_a57aa1d47623736a56fe43aa50a9ac67_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\cLOZBMn.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_a57aa1d47623736a56fe43aa50a9ac67_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\phrTarn.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_a57aa1d47623736a56fe43aa50a9ac67_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\wpbCyWL.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_a57aa1d47623736a56fe43aa50a9ac67_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\VxkbsTz.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_a57aa1d47623736a56fe43aa50a9ac67_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\nMVciAI.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_a57aa1d47623736a56fe43aa50a9ac67_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\qwqqrAJ.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_a57aa1d47623736a56fe43aa50a9ac67_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\EOToHCK.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_a57aa1d47623736a56fe43aa50a9ac67_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\BrjjDPg.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_a57aa1d47623736a56fe43aa50a9ac67_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_a57aa1d47623736a56fe43aa50a9ac67_cobalt-strike_cobaltstrike.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_a57aa1d47623736a56fe43aa50a9ac67_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5088 wrote to memory of 3040 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_a57aa1d47623736a56fe43aa50a9ac67_cobalt-strike_cobaltstrike.exe C:\Windows\System\rvTFjUt.exe
PID 5088 wrote to memory of 3040 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_a57aa1d47623736a56fe43aa50a9ac67_cobalt-strike_cobaltstrike.exe C:\Windows\System\rvTFjUt.exe
PID 5088 wrote to memory of 3880 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_a57aa1d47623736a56fe43aa50a9ac67_cobalt-strike_cobaltstrike.exe C:\Windows\System\kjHLEnQ.exe
PID 5088 wrote to memory of 3880 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_a57aa1d47623736a56fe43aa50a9ac67_cobalt-strike_cobaltstrike.exe C:\Windows\System\kjHLEnQ.exe
PID 5088 wrote to memory of 1172 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_a57aa1d47623736a56fe43aa50a9ac67_cobalt-strike_cobaltstrike.exe C:\Windows\System\xMFbawp.exe
PID 5088 wrote to memory of 1172 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_a57aa1d47623736a56fe43aa50a9ac67_cobalt-strike_cobaltstrike.exe C:\Windows\System\xMFbawp.exe
PID 5088 wrote to memory of 3736 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_a57aa1d47623736a56fe43aa50a9ac67_cobalt-strike_cobaltstrike.exe C:\Windows\System\syllxbu.exe
PID 5088 wrote to memory of 3736 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_a57aa1d47623736a56fe43aa50a9ac67_cobalt-strike_cobaltstrike.exe C:\Windows\System\syllxbu.exe
PID 5088 wrote to memory of 1424 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_a57aa1d47623736a56fe43aa50a9ac67_cobalt-strike_cobaltstrike.exe C:\Windows\System\BrjjDPg.exe
PID 5088 wrote to memory of 1424 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_a57aa1d47623736a56fe43aa50a9ac67_cobalt-strike_cobaltstrike.exe C:\Windows\System\BrjjDPg.exe
PID 5088 wrote to memory of 2868 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_a57aa1d47623736a56fe43aa50a9ac67_cobalt-strike_cobaltstrike.exe C:\Windows\System\wpbCyWL.exe
PID 5088 wrote to memory of 2868 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_a57aa1d47623736a56fe43aa50a9ac67_cobalt-strike_cobaltstrike.exe C:\Windows\System\wpbCyWL.exe
PID 5088 wrote to memory of 1816 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_a57aa1d47623736a56fe43aa50a9ac67_cobalt-strike_cobaltstrike.exe C:\Windows\System\VxkbsTz.exe
PID 5088 wrote to memory of 1816 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_a57aa1d47623736a56fe43aa50a9ac67_cobalt-strike_cobaltstrike.exe C:\Windows\System\VxkbsTz.exe
PID 5088 wrote to memory of 4124 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_a57aa1d47623736a56fe43aa50a9ac67_cobalt-strike_cobaltstrike.exe C:\Windows\System\nMyHiZY.exe
PID 5088 wrote to memory of 4124 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_a57aa1d47623736a56fe43aa50a9ac67_cobalt-strike_cobaltstrike.exe C:\Windows\System\nMyHiZY.exe
PID 5088 wrote to memory of 1720 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_a57aa1d47623736a56fe43aa50a9ac67_cobalt-strike_cobaltstrike.exe C:\Windows\System\SVzFOzA.exe
PID 5088 wrote to memory of 1720 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_a57aa1d47623736a56fe43aa50a9ac67_cobalt-strike_cobaltstrike.exe C:\Windows\System\SVzFOzA.exe
PID 5088 wrote to memory of 4568 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_a57aa1d47623736a56fe43aa50a9ac67_cobalt-strike_cobaltstrike.exe C:\Windows\System\FxuQdXi.exe
PID 5088 wrote to memory of 4568 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_a57aa1d47623736a56fe43aa50a9ac67_cobalt-strike_cobaltstrike.exe C:\Windows\System\FxuQdXi.exe
PID 5088 wrote to memory of 4228 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_a57aa1d47623736a56fe43aa50a9ac67_cobalt-strike_cobaltstrike.exe C:\Windows\System\CypEleV.exe
PID 5088 wrote to memory of 4228 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_a57aa1d47623736a56fe43aa50a9ac67_cobalt-strike_cobaltstrike.exe C:\Windows\System\CypEleV.exe
PID 5088 wrote to memory of 2068 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_a57aa1d47623736a56fe43aa50a9ac67_cobalt-strike_cobaltstrike.exe C:\Windows\System\phrTarn.exe
PID 5088 wrote to memory of 2068 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_a57aa1d47623736a56fe43aa50a9ac67_cobalt-strike_cobaltstrike.exe C:\Windows\System\phrTarn.exe
PID 5088 wrote to memory of 2736 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_a57aa1d47623736a56fe43aa50a9ac67_cobalt-strike_cobaltstrike.exe C:\Windows\System\nMVciAI.exe
PID 5088 wrote to memory of 2736 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_a57aa1d47623736a56fe43aa50a9ac67_cobalt-strike_cobaltstrike.exe C:\Windows\System\nMVciAI.exe
PID 5088 wrote to memory of 4672 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_a57aa1d47623736a56fe43aa50a9ac67_cobalt-strike_cobaltstrike.exe C:\Windows\System\qwqqrAJ.exe
PID 5088 wrote to memory of 4672 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_a57aa1d47623736a56fe43aa50a9ac67_cobalt-strike_cobaltstrike.exe C:\Windows\System\qwqqrAJ.exe
PID 5088 wrote to memory of 3712 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_a57aa1d47623736a56fe43aa50a9ac67_cobalt-strike_cobaltstrike.exe C:\Windows\System\nFRosmP.exe
PID 5088 wrote to memory of 3712 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_a57aa1d47623736a56fe43aa50a9ac67_cobalt-strike_cobaltstrike.exe C:\Windows\System\nFRosmP.exe
PID 5088 wrote to memory of 1964 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_a57aa1d47623736a56fe43aa50a9ac67_cobalt-strike_cobaltstrike.exe C:\Windows\System\xdPViQd.exe
PID 5088 wrote to memory of 1964 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_a57aa1d47623736a56fe43aa50a9ac67_cobalt-strike_cobaltstrike.exe C:\Windows\System\xdPViQd.exe
PID 5088 wrote to memory of 4468 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_a57aa1d47623736a56fe43aa50a9ac67_cobalt-strike_cobaltstrike.exe C:\Windows\System\TTSvtJX.exe
PID 5088 wrote to memory of 4468 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_a57aa1d47623736a56fe43aa50a9ac67_cobalt-strike_cobaltstrike.exe C:\Windows\System\TTSvtJX.exe
PID 5088 wrote to memory of 4752 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_a57aa1d47623736a56fe43aa50a9ac67_cobalt-strike_cobaltstrike.exe C:\Windows\System\EOToHCK.exe
PID 5088 wrote to memory of 4752 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_a57aa1d47623736a56fe43aa50a9ac67_cobalt-strike_cobaltstrike.exe C:\Windows\System\EOToHCK.exe
PID 5088 wrote to memory of 3372 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_a57aa1d47623736a56fe43aa50a9ac67_cobalt-strike_cobaltstrike.exe C:\Windows\System\cLOZBMn.exe
PID 5088 wrote to memory of 3372 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_a57aa1d47623736a56fe43aa50a9ac67_cobalt-strike_cobaltstrike.exe C:\Windows\System\cLOZBMn.exe
PID 5088 wrote to memory of 4560 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_a57aa1d47623736a56fe43aa50a9ac67_cobalt-strike_cobaltstrike.exe C:\Windows\System\hqtgJfc.exe
PID 5088 wrote to memory of 4560 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_a57aa1d47623736a56fe43aa50a9ac67_cobalt-strike_cobaltstrike.exe C:\Windows\System\hqtgJfc.exe
PID 5088 wrote to memory of 1528 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_a57aa1d47623736a56fe43aa50a9ac67_cobalt-strike_cobaltstrike.exe C:\Windows\System\ZagpIdE.exe
PID 5088 wrote to memory of 1528 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_a57aa1d47623736a56fe43aa50a9ac67_cobalt-strike_cobaltstrike.exe C:\Windows\System\ZagpIdE.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-05-29_a57aa1d47623736a56fe43aa50a9ac67_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-05-29_a57aa1d47623736a56fe43aa50a9ac67_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\rvTFjUt.exe

C:\Windows\System\rvTFjUt.exe

C:\Windows\System\kjHLEnQ.exe

C:\Windows\System\kjHLEnQ.exe

C:\Windows\System\xMFbawp.exe

C:\Windows\System\xMFbawp.exe

C:\Windows\System\syllxbu.exe

C:\Windows\System\syllxbu.exe

C:\Windows\System\BrjjDPg.exe

C:\Windows\System\BrjjDPg.exe

C:\Windows\System\wpbCyWL.exe

C:\Windows\System\wpbCyWL.exe

C:\Windows\System\VxkbsTz.exe

C:\Windows\System\VxkbsTz.exe

C:\Windows\System\nMyHiZY.exe

C:\Windows\System\nMyHiZY.exe

C:\Windows\System\SVzFOzA.exe

C:\Windows\System\SVzFOzA.exe

C:\Windows\System\FxuQdXi.exe

C:\Windows\System\FxuQdXi.exe

C:\Windows\System\CypEleV.exe

C:\Windows\System\CypEleV.exe

C:\Windows\System\phrTarn.exe

C:\Windows\System\phrTarn.exe

C:\Windows\System\nMVciAI.exe

C:\Windows\System\nMVciAI.exe

C:\Windows\System\qwqqrAJ.exe

C:\Windows\System\qwqqrAJ.exe

C:\Windows\System\nFRosmP.exe

C:\Windows\System\nFRosmP.exe

C:\Windows\System\xdPViQd.exe

C:\Windows\System\xdPViQd.exe

C:\Windows\System\TTSvtJX.exe

C:\Windows\System\TTSvtJX.exe

C:\Windows\System\EOToHCK.exe

C:\Windows\System\EOToHCK.exe

C:\Windows\System\cLOZBMn.exe

C:\Windows\System\cLOZBMn.exe

C:\Windows\System\hqtgJfc.exe

C:\Windows\System\hqtgJfc.exe

C:\Windows\System\ZagpIdE.exe

C:\Windows\System\ZagpIdE.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 249.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 17.53.126.40.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 240.197.17.2.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 45.19.74.20.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 27.178.89.13.in-addr.arpa udp

Files
