Malware Analysis Report

2025-03-15 08:12

Sample ID 240529-xrnkkafb83
Target 2024-05-29_a8084bae6970d84ba910a2e6a06f83d9_cobalt-strike_cobaltstrike
SHA256 fe97a61e987af51c87a6457d9a95f39a1293bcc5fd040531e48dc04f7b474a79
Tags: miner upx 0 xmrig cobaltstrike backdoor trojan
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
Analysis: static1 (Detonation Overview, Signatures)
Analysis: behavioral1 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral2 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)

Analysis Overview

Score: 10/10

SHA256: fe97a61e987af51c87a6457d9a95f39a1293bcc5fd040531e48dc04f7b474a79

Threat Level: Known bad

The file 2024-05-29_a8084bae6970d84ba910a2e6a06f83d9_cobalt-strike_cobaltstrike was found to be: Known bad.

Summary of the evidence recorded below: static rules flag a UPX-packed, unsigned PE with Cobalt Strike reflective-loader and XMRig miner signatures. In the behavioral1 run (Windows 7) the sample, executing from the user's Temp directory, created 21 seven-letter executables in C:\Windows\System, started each of them, wrote into each new process at start-up, adjusted its token to hold SeLockMemoryPrivilege, and made six TCP connections to 3.120.209.58:8080 (DE) with no domain resolved. No MITRE ATT&CK mapping was provided.

Malicious Activity Summary

Tags: miner upx 0 xmrig cobaltstrike backdoor trojan

Families: Cobaltstrike, Xmrig

Signatures:

Cobalt Strike reflective loader
Detects Reflective DLL injection artifacts
XMRig Miner payload
UPX packed file
UPX dump on OEP (original entry point)
Executes dropped EXE
Loads dropped DLL
Drops file in Windows directory
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported: 2024-05-29 19:05

Signatures

Each static signature below recorded one hit with no description, indicator, process or target.

Cobalt Strike reflective loader
Cobaltstrike family (tag: cobaltstrike)
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload (tag: miner)
Xmrig family (tag: xmrig)
UPX packed file (tag: upx)
Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted: 2024-05-29 19:05
Reported: 2024-05-29 19:08
Platform: win7-20240220-en
Max time kernel: 138s
Max time network: 150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-05-29_a8084bae6970d84ba910a2e6a06f83d9_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader
21 hits; no description, indicator, process or target recorded for any of them.

Cobaltstrike
trojan backdoor cobaltstrike

xmrig
miner xmrig

Detects Reflective DLL injection artifacts
21 hits; no description, indicator, process or target recorded.

UPX dump on OEP (original entry point)
55 hits; no description, indicator, process or target recorded.

XMRig Miner payload
miner
55 hits; no description, indicator, process or target recorded.

Loads dropped DLL
21 hits, all attributed to process C:\Users\Admin\AppData\Local\Temp\2024-05-29_a8084bae6970d84ba910a2e6a06f83d9_cobalt-strike_cobaltstrike.exe; no description, indicator or target recorded.

UPX packed file
upx
55 hits; no description, indicator, process or target recorded.

Drops file in Windows directory

Process for all 21 rows: C:\Users\Admin\AppData\Local\Temp\2024-05-29_a8084bae6970d84ba910a2e6a06f83d9_cobalt-strike_cobaltstrike.exe (no indicator or target recorded).

File created:
C:\Windows\System\EBKxzgp.exe
C:\Windows\System\EtBUdkE.exe
C:\Windows\System\xWxtNuh.exe
C:\Windows\System\lAPJrxd.exe
C:\Windows\System\oNnTBiC.exe
C:\Windows\System\zbhnkYv.exe
C:\Windows\System\RtkdXqQ.exe
C:\Windows\System\mGYqyRP.exe
C:\Windows\System\HsnfVRU.exe
C:\Windows\System\yOgSimH.exe
C:\Windows\System\UsXRIoD.exe
C:\Windows\System\cOXlLZk.exe
C:\Windows\System\aTmfVIR.exe
C:\Windows\System\IxXMLEp.exe
C:\Windows\System\lfvPjCc.exe
C:\Windows\System\ZkDrUMS.exe
C:\Windows\System\cQVNgQa.exe
C:\Windows\System\apqmRmT.exe
C:\Windows\System\AKPNuOK.exe
C:\Windows\System\lqXiyNd.exe
C:\Windows\System\SjVWKFZ.exe

Every name is seven mixed-case letters directly under C:\Windows\System (the legacy directory, not System32). Writing there requires administrative rights, which the sandbox user (Admin) has.

Suspicious use of AdjustPrivilegeToken

Token: SeLockMemoryPrivilege (2 hits); Process: C:\Users\Admin\AppData\Local\Temp\2024-05-29_a8084bae6970d84ba910a2e6a06f83d9_cobalt-strike_cobaltstrike.exe; no indicator or target recorded.

SeLockMemoryPrivilege is the "Lock pages in memory" right needed for large-page allocations (VirtualAlloc with MEM_LARGE_PAGES). XMRig enables it on Windows so that its RandomX memory can be backed by large pages, which fits the xmrig signatures on this sample; database engines such as SQL Server enable the same right legitimately, so an allowlist is needed before alerting on it alone.

Suspicious use of WriteProcessMemory

Source process for every row: C:\Users\Admin\AppData\Local\Temp\2024-05-29_a8084bae6970d84ba910a2e6a06f83d9_cobalt-strike_cobaltstrike.exe (PID 1856); no indicator recorded. Each target below received three writes:

PID 2252 C:\Windows\System\lqXiyNd.exe
PID 2216 C:\Windows\System\UsXRIoD.exe
PID 2220 C:\Windows\System\cQVNgQa.exe
PID 2604 C:\Windows\System\lAPJrxd.exe
PID 2544 C:\Windows\System\apqmRmT.exe
PID 2776 C:\Windows\System\SjVWKFZ.exe
PID 2692 C:\Windows\System\cOXlLZk.exe
PID 2644 C:\Windows\System\AKPNuOK.exe
PID 2556 C:\Windows\System\oNnTBiC.exe
PID 2388 C:\Windows\System\zbhnkYv.exe
PID 2420 C:\Windows\System\IxXMLEp.exe
PID 2856 C:\Windows\System\aTmfVIR.exe
PID 2564 C:\Windows\System\RtkdXqQ.exe
PID 1060 C:\Windows\System\mGYqyRP.exe
PID 1596 C:\Windows\System\EBKxzgp.exe
PID 1472 C:\Windows\System\lfvPjCc.exe
PID 996 C:\Windows\System\ZkDrUMS.exe
PID 112 C:\Windows\System\HsnfVRU.exe
PID 1360 C:\Windows\System\EtBUdkE.exe
PID 2032 C:\Windows\System\xWxtNuh.exe
PID 2680 C:\Windows\System\yOgSimH.exe

All 63 writes go into processes the sample itself started from its dropped files (see Processes); none targets a pre-existing process. Three writes into each freshly created child is the pattern the sandbox records for ordinary process creation on this Windows 7 image, so this signature on its own does not establish injection into a foreign process.

Processes

C:\Users\Admin\AppData\Local\Temp\2024-05-29_a8084bae6970d84ba910a2e6a06f83d9_cobalt-strike_cobaltstrike.exe (PID 1856)
Command line: "C:\Users\Admin\AppData\Local\Temp\2024-05-29_a8084bae6970d84ba910a2e6a06f83d9_cobalt-strike_cobaltstrike.exe"

Processes started from the dropped files, in the order recorded; the command line of each is its bare path, and the PIDs are taken from the WriteProcessMemory section above:

C:\Windows\System\lqXiyNd.exe (PID 2252)
C:\Windows\System\UsXRIoD.exe (PID 2216)
C:\Windows\System\cQVNgQa.exe (PID 2220)
C:\Windows\System\lAPJrxd.exe (PID 2604)
C:\Windows\System\apqmRmT.exe (PID 2544)
C:\Windows\System\SjVWKFZ.exe (PID 2776)
C:\Windows\System\cOXlLZk.exe (PID 2692)
C:\Windows\System\AKPNuOK.exe (PID 2644)
C:\Windows\System\oNnTBiC.exe (PID 2556)
C:\Windows\System\zbhnkYv.exe (PID 2388)
C:\Windows\System\IxXMLEp.exe (PID 2420)
C:\Windows\System\aTmfVIR.exe (PID 2856)
C:\Windows\System\RtkdXqQ.exe (PID 2564)
C:\Windows\System\mGYqyRP.exe (PID 1060)
C:\Windows\System\EBKxzgp.exe (PID 1596)
C:\Windows\System\lfvPjCc.exe (PID 1472)
C:\Windows\System\ZkDrUMS.exe (PID 996)
C:\Windows\System\HsnfVRU.exe (PID 112)
C:\Windows\System\EtBUdkE.exe (PID 1360)
C:\Windows\System\xWxtNuh.exe (PID 2032)
C:\Windows\System\yOgSimH.exe (PID 2680)

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 (none) tcp

Six connections to the same endpoint were recorded; no domain was resolved for it.
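The Drops file, Processes, AdjustPrivilegeToken and Network sections together describe a chain that is easy to express as host-log rules: a process running from the user's Temp directory writes seven-letter executables into C:\Windows\System, those executables are started with the Temp process as parent, SeLockMemoryPrivilege is enabled, and a connection goes to 3.120.209.58:8080. The following is an added example, not part of the sandbox report or of any product, that runs such rules over constructed Sysmon (event IDs 11, 1, 3) and Security (event ID 4703, "a user right was adjusted") records. The field names are the real ones those events carry; the event records themselves, the seven-letter naming regex (derived from this run only) and the SeLockMemoryPrivilege allowlist are constructed assumptions for the example.

```python
import re
from collections import Counter

# Endpoint from the Network section of this report.
C2_ENDPOINTS = {("3.120.209.58", 8080)}
# Path shapes taken from the report: the sample runs from the user's Temp
# directory and drops seven-letter .exe names into C:\Windows\System (the
# legacy directory, not System32).
TEMP_IMAGE = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\local\\temp\\", re.I)
SYSTEM_DROP = re.compile(r"^[a-z]:\\windows\\system\\[a-z]{7}\.exe$", re.I)
# Assumption: a site-specific allowlist of programs that legitimately enable
# SeLockMemoryPrivilege (large pages); SQL Server is the common case.
LOCKMEM_ALLOWLIST = {"sqlservr.exe"}


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def check_event(ev):
    """Return the names of the rules a single event matches.

    Sysmon events carry Image/ParentImage/TargetFilename/DestinationIp fields;
    Security event 4703 carries ProcessName and EnabledPrivilegeList.
    """
    hits = []
    eid = ev.get("EventID")
    image = ev.get("Image", "")
    if eid == 11 and TEMP_IMAGE.match(image) and SYSTEM_DROP.match(ev.get("TargetFilename", "")):
        hits.append("temp_process_drops_exe_into_windows_system")
    if eid == 1 and SYSTEM_DROP.match(image) and TEMP_IMAGE.match(ev.get("ParentImage", "")):
        hits.append("windows_system_exe_started_by_temp_process")
    if eid == 3:
        port = int(ev.get("DestinationPort") or 0)
        if (ev.get("DestinationIp"), port) in C2_ENDPOINTS:
            hits.append("connection_to_reported_c2")
    if (eid == 4703 and "SeLockMemoryPrivilege" in ev.get("EnabledPrivilegeList", "")
            and basename(ev.get("ProcessName", "")) not in LOCKMEM_ALLOWLIST):
        hits.append("selockmemoryprivilege_enabled_by_unlisted_process")
    return hits


def triage(events):
    """Count rule hits over a batch and flag the full drop/execute/connect chain."""
    counts = Counter(rule for ev in events for rule in check_event(ev))
    chain = {
        "temp_process_drops_exe_into_windows_system",
        "windows_system_exe_started_by_temp_process",
        "connection_to_reported_c2",
    }
    return {"hits": dict(counts), "full_chain": chain <= set(counts)}


# Constructed events mirroring the report's behavioral1 run; not sandbox output.
SAMPLE = ("C:\\Users\\Admin\\AppData\\Local\\Temp\\"
          "2024-05-29_a8084bae6970d84ba910a2e6a06f83d9_cobalt-strike_cobaltstrike.exe")
DROPPED = "C:\\Windows\\System\\lqXiyNd.exe"
SAMPLE_EVENTS = [
    {"EventID": 11, "Image": SAMPLE, "TargetFilename": DROPPED},
    {"EventID": 1, "Image": DROPPED, "ParentImage": SAMPLE},
    {"EventID": 3, "Image": SAMPLE, "DestinationIp": "3.120.209.58", "DestinationPort": "8080"},
    {"EventID": 4703, "ProcessName": SAMPLE, "EnabledPrivilegeList": "SeLockMemoryPrivilege"},
    # Benign noise that must stay quiet:
    {"EventID": 4703, "ProcessName": "C:\\Program Files\\Microsoft SQL Server\\MSSQL\\Binn\\sqlservr.exe",
     "EnabledPrivilegeList": "SeLockMemoryPrivilege"},
    {"EventID": 11, "Image": "C:\\Windows\\System32\\msiexec.exe",
     "TargetFilename": "C:\\Windows\\System32\\abcdefg.exe"},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev["EventID"], check_event(ev))
    print(triage(SAMPLE_EVENTS))
```

The privilege rule is deliberately kept out of the `full_chain` condition: on its own it is noisy, and the report shows it only as supporting evidence next to the file drops and the outbound connection. The hard-coded IP matches this build only; the two path rules survive a rebuild as long as the drop location and naming scheme are kept.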

Files

Dropped executables (21 files, each with a distinct hash; paths as recorded by the sandbox):

\Windows\system\lqXiyNd.exe
MD5 197e5d2b32846fcfaf0064e744c257f0
SHA1 2d7f52beb507a1651df012a41c91be3a28ca7870
SHA256 54501932cc2c20d9ffba1e38c379d3490ae619a5cdbee5bec2d8596d68c3a0b9
SHA512 7361150f95f5114767cfe718575a6072162d511b87b01b2d366de5f2964860b2f58a64c5b5202600b62d2a5b5e37319ac60736bd5ddbc7cf58834b1dba369cb0

\Windows\system\cQVNgQa.exe
MD5 d769ef11758ab5bb49c28e9ce5c533ea
SHA1 cc39aa928faba7f636a1c259bf470a7ea464b164
SHA256 b88d12b4b707357e7f682c5665f99cb0dbf840471626f3e4620b88afacbd31d7
SHA512 e8fcbecd7bf591472277343bf9e8cc9d7eaca82b7629cd5f6aec7d9961c1391e5c9fe08efac7f57f94125ca6e38b9c6365a1e7d0ef75b2ee5e28fe64a1182714

C:\Windows\system\UsXRIoD.exe
MD5 0a21fbff72396cab789dfc8e2f820ddc
SHA1 4dfec5da260f6f88f34333842868476661c55cbc
SHA256 96769250a52af645477a91dd5e0de48b7f3dcd5749e7262f7ceb083ef1c0e1ec
SHA512 c44f826d6ba0e1664bee5bf8e6a69b3a78833a3f918e986d19a61c83d4d614f45db364aa3b4b9a337a5e332d6a1d5b7911160b8b8d346e77a58c818aa996f363

C:\Windows\system\lAPJrxd.exe
MD5 24f5b4075d9e04be378311cba719be1f
SHA1 a4b66d524d8fc0723f98cae7e35fa11782c6fc1b
SHA256 78ce2952c8cfbce8587c35c67a298c6537fb4787c5bad1ee7b2002384762cea9
SHA512 cbe3a9f312b394ca9c10ed7bc3784de1ee064205d923b54ee6a1a721be367e8939b90cd755f36afc469bd2ccfb4f37ab5fceb0bc3f6c09645c18ca86f3d32825

\Windows\system\apqmRmT.exe
MD5 628b45324e6288d4a06cb9427e44676f
SHA1 d3b4fadc0918bb32ee468dc0b6a118a6c08021ed
SHA256 315c9c552f24448a9d1d3640dc144c66503b25b4bd29396e5c8efd295210799f
SHA512 0bb0e877804b968c62d6fb8b7ea2e3e11d690e500de797a2fefdce668f64880f34384bddeee5cd62aef62f056a545325dbd599912e6c925cfee813f342b8dbdd

C:\Windows\system\mGYqyRP.exe
MD5 b97ddf9ae388645514f85a8787085d2c
SHA1 97b7782f249d9efa2aca1cb4b3593b7afc36d318
SHA256 5d4fc89bcd919979673d452ab03b4b3ea40c91baca511a9cd97afd6ea9f34ea8
SHA512 365e7ac63527fd9b563fc1f445359c3d7ba9d2fb273abe52a51c0cca45639f783f9eaaf26397a8907df8a935868a703a092c738a454f14598428e11eb333652f

\Windows\system\cOXlLZk.exe
MD5 51898746ab6d16a9dcfe8063871d7e65
SHA1 93a9d75ae49e10c74d9e3a34b7176c3822db84a3
SHA256 6e9c13e4321539bc70980c1708f2f7f7c4464b4fefbed05c18586acbae80c50d
SHA512 e1d9f2b65b36f31964a58ad4771c11daa1b0ec54df09685a5eec91eeb2306b8df986b7f1e7dc5e9e423821f9a18b3e4013e2cff364d967e09fad5730ee48a311

C:\Windows\system\IxXMLEp.exe
MD5 6daa6988bcc1d415072c921f0866d0f4
SHA1 c5c041e1db173d7e4e6ade5905df995a3ac9873d
SHA256 67a3f6299f7cf2b68112918e3d84a1ce7d3ff4387d5e980d34859e44e5e8574c
SHA512 e21f34b35e53c289863cb562e2a9efd6e217868c64f25fac3d30a0f05e7a74f33f71d23484841a745847e8a96a57af011693e958bc21fd68cad3962c8640821e

C:\Windows\system\lfvPjCc.exe
MD5 05a041ef731b32217459b3fb8f1a808d
SHA1 3c097967f4efb8d558e829e5ae7451aed43213c0
SHA256 b9c7fd61827fba7dcc26eda881b94777d8a6e78acce7ecd1fda731ee30e915b4
SHA512 93d8ad4176133ea5900f17225ba669d5eec56f5b101df0b4468d66abd7d4fa80b03297b77dfa8e11c2ae4a435ec28be7cbdd4d8f160119069eec66094dd63c5b

C:\Windows\system\HsnfVRU.exe
MD5 405f76b87df8fce1e20a48677e1255f0
SHA1 76a9dadc8bd85e977a401d95aebdc559617747c5
SHA256 4d77c5113098d6aed6ccb69846829f5e587c1adc19b0c780de64632d056e8817
SHA512 ee8b134a6ad66e6568a5ecb1fcad756c5f855682dc6f262b540d65d7c5135acfa5e3983af88d00bacc247203fa08d7e15696b79cb93ba64be06dea4d80b2a965

C:\Windows\system\ZkDrUMS.exe
MD5 c096fa6c5b754e68c968060d84ab9d8c
SHA1 de258a32f0b882305c840f17b96a2c0c6450e27b
SHA256 c8c3a2dbb82e0c86d05c733781b1109e5005e369747c7755122553d5d1fc90ff
SHA512 2679fa11bdc9442e3f17393169a012d34de7fa0a52bb339c1bd8b138dc4255b6fe84a5940a32e79854d793a457ce8b4f963937923451b99a0125e4a472bdc651

C:\Windows\system\yOgSimH.exe
MD5 26e3e18a6cf378f429157bd66410c7e5
SHA1 aee71dbd5100d9c1118d9bbd81fbabcc34dfb80c
SHA256 689f1c119b72cae099ff3aed285ce13e4017cd33c3e2c1c24764a395286af2a2
SHA512 f3d2b84c9321ece1ac798af004744aab5838caa5bd02046370bc33ac62374f67aafcea372487bf654552febd11a870478f3b0beddc9d1ec93365f08c6c46f92a

C:\Windows\system\EtBUdkE.exe
MD5 c10beefb156f569bb36c91ffb955c059
SHA1 05e4ab691f63e79dfe76a7874537850ccba0d2b0
SHA256 d15858412f6b6c56781d357066e568a0d2efbf28187642f0fe870584fe873cb0
SHA512 25370fd0781388079a1fee452a7b3d161d56b78d89b0f79855603a1fb2e4cc5ea84dc149872cfb5ed788dd88e902e77dea5cdc64b88d38ecc77a6d2962d60d32

C:\Windows\system\xWxtNuh.exe
MD5 3236a8708c26ba6048cffb16af31ce2f
SHA1 000db81ddff865959780d1c497e4eaec82fd6e99
SHA256 bf893dd17e95e1c1bafbcb0ef1840c305252a736fd6d1557ba44a88658a4f1d2
SHA512 9a2d77e7b680d7e24355cede89def60e88d3f4b53dbf6d980feb44b10475b6c0877a718161977e2eb423a2be122f4d9f827d6c544f17acc302dafa663e7dfa04

C:\Windows\system\EBKxzgp.exe
MD5 0840d46ab644def5fb23d35e8d2a3d70
SHA1 87c663094448431b52e379b85e82d997ab9d5767
SHA256 6b571e997f8a674792b7450ad6c37d1d7cba02c91c9c9637559b26599a406f12
SHA512 63eca6887e1d72cfbd04e31dc171e518263cea3978f2a0120287760b8ddf58332ef5b568bcec194c6cdf70661255a3cb3f222b381d123e183fd8c4d7b5b22ca1

C:\Windows\system\aTmfVIR.exe
MD5 f7683e4af1d2208e829d9fb0cc1c2e9c
SHA1 71c09f02c0cdcdb975064596bad93e7b4b57cf7b
SHA256 a608237dc53f3962cc668c7f453c5182c16a2fa9b6b1f5cce6e54a9ac45dae2a
SHA512 80045c86dc9fbbbb11936454c567605bb120d09811cb8fd860f71901e5325969edbaef3ebabd8fa5e9e3fd6b9ee79d995c1c0036e1038a95ccbb54a1a4edfe78

\Windows\system\RtkdXqQ.exe
MD5 d5dcf85edc56bb03cbe490078032fe7a
SHA1 d2dc5f71a6ed2267b56f6098e63d9d0279058333
SHA256 f9f0aab77f4cebd6f3f952bcd3897de087152ae8d95d3d2bb6213e588ce13dad
SHA512 da306a4dd2595b67e6d361919a353d09bd9f1862732776c014d85997fe553c75b6c46b96145b18dc069d9c25eb17a764a199ae959db8b28f1d6d687f6f18a4de

C:\Windows\system\zbhnkYv.exe
MD5 5aa1f69e14d7b7f500328326eb2b8406
SHA1 b7031dbd60eb7c8a195e67b4e763adf49019c62e
SHA256 9da3ec45f0fd2f8d56c07522b6ceff341acd9a722259476350204ec109c51e76
SHA512 1544aacffa86cb95222e329245b5f0adaf1f0ba89648e6ba1eebe55bae4f8aa3ba151228f86caf44bf2c0e4426706a79d3642eccf08bad84b22b8a346c9a336b

C:\Windows\system\AKPNuOK.exe
MD5 8e7a75854a310fe790ad812771711cd9
SHA1 bc29f5faafca64a5518ca11d853c5c77506b768b
SHA256 fb6040cb797832131072ae97b20e8c4558797444ab4e0c85cd3a6167694a2428
SHA512 497dc40827871c661fc5d29eb99802eec2460d1f9ab083282591b1ff4dcfec3f0e523370a14dfd05b0cc30532511f03eb4793fae778fa5b64a811a760deec192

\Windows\system\oNnTBiC.exe
MD5 f09dc623acf9561bdf8dddfae27a019d
SHA1 ce38993345f60a80a0493a93b2711292653ce78e
SHA256 6babbe5ac49c64849e6f12157daaf015442f6646bcf89b17c732a91cc5d89719
SHA512 5b9cd15056a86e67031b5d0594f7ad1d8f9d18cdfc16901e6dfec09fb934ecd389cca1282d24ab1023127738de1ef2b2028d1249799d7888c6617febaaf50dd7

C:\Windows\system\SjVWKFZ.exe
MD5 edb32c94caecb35b9a1765c381fdf565
SHA1 1e3d7c7beb5d655998bb695f0ba65133327a35fc
SHA256 a8c098e0bf40412d1a95943170726bd524f117aa9303fe443d7f5761de4071fd
SHA512 af4bb22b3a4f1300ea9764eb749006e53f8c1e6db550d9a882adde8bef7bded89b5d1a877c745e7ad04f72374f72555a9eba8b8f6341c907d5e6b3b681e684a3

Memory dumps (31 in total). Every dump except 1856-1 (0x10000 bytes) spans exactly 0x354000 bytes; the 0x2340000 region in PID 1856 is a non-image allocation of that same size, dumped six times over the run.

PID 1856 (the sample):
memory/1856-0-0x000000013FB30000-0x000000013FE84000-memory.dmp
memory/1856-1-0x00000000001F0000-0x0000000000200000-memory.dmp
memory/1856-13-0x000000013F310000-0x000000013F664000-memory.dmp
memory/1856-31-0x0000000002340000-0x0000000002694000-memory.dmp
memory/1856-56-0x0000000002340000-0x0000000002694000-memory.dmp
memory/1856-72-0x0000000002340000-0x0000000002694000-memory.dmp
memory/1856-75-0x000000013F180000-0x000000013F4D4000-memory.dmp
memory/1856-79-0x000000013FFE0000-0x0000000140334000-memory.dmp
memory/1856-80-0x0000000002340000-0x0000000002694000-memory.dmp
memory/1856-81-0x000000013F540000-0x000000013F894000-memory.dmp
memory/1856-82-0x000000013F3F0000-0x000000013F744000-memory.dmp
memory/1856-84-0x0000000002340000-0x0000000002694000-memory.dmp
memory/1856-89-0x000000013FB30000-0x000000013FE84000-memory.dmp
memory/1856-102-0x0000000002340000-0x0000000002694000-memory.dmp

Processes started from the dropped files:
memory/2252-8-0x000000013F470000-0x000000013F7C4000-memory.dmp
memory/2252-93-0x000000013F470000-0x000000013F7C4000-memory.dmp
memory/2216-19-0x000000013F310000-0x000000013F664000-memory.dmp
memory/2216-134-0x000000013F310000-0x000000013F664000-memory.dmp
memory/2220-20-0x000000013F870000-0x000000013FBC4000-memory.dmp
memory/2604-36-0x000000013FDC0000-0x0000000140114000-memory.dmp
memory/2544-41-0x000000013F180000-0x000000013F4D4000-memory.dmp
memory/2776-48-0x000000013FFE0000-0x0000000140334000-memory.dmp
memory/2776-136-0x000000013FFE0000-0x0000000140334000-memory.dmp
memory/2644-63-0x000000013F540000-0x000000013F894000-memory.dmp
memory/2388-83-0x000000013F3F0000-0x000000013F744000-memory.dmp
memory/2856-85-0x000000013FE40000-0x0000000140194000-memory.dmp
memory/1060-86-0x000000013FF50000-0x00000001402A4000-memory.dmp
memory/2692-87-0x000000013F870000-0x000000013FBC4000-memory.dmp
memory/2556-90-0x000000013FBC0000-0x000000013FF14000-memory.dmp
memory/2420-94-0x000000013FFB0000-0x0000000140304000-memory.dmp
memory/2564-98-0x000000013FB40000-0x000000013FE94000-memory.dmp

memory/1856-135-0x0000000002340000-0x0000000002694000-memory.dmp

memory/2556-137-0x000000013FBC0000-0x000000013FF14000-memory.dmp

memory/2252-138-0x000000013F470000-0x000000013F7C4000-memory.dmp

memory/2220-139-0x000000013F870000-0x000000013FBC4000-memory.dmp

memory/2216-140-0x000000013F310000-0x000000013F664000-memory.dmp

memory/2604-141-0x000000013FDC0000-0x0000000140114000-memory.dmp

memory/2544-142-0x000000013F180000-0x000000013F4D4000-memory.dmp

memory/2776-143-0x000000013FFE0000-0x0000000140334000-memory.dmp

memory/2644-144-0x000000013F540000-0x000000013F894000-memory.dmp

memory/2388-145-0x000000013F3F0000-0x000000013F744000-memory.dmp

memory/2856-146-0x000000013FE40000-0x0000000140194000-memory.dmp

memory/1060-147-0x000000013FF50000-0x00000001402A4000-memory.dmp

memory/2692-148-0x000000013F870000-0x000000013FBC4000-memory.dmp

memory/2420-149-0x000000013FFB0000-0x0000000140304000-memory.dmp

memory/2564-150-0x000000013FB40000-0x000000013FE94000-memory.dmp

memory/2556-151-0x000000013FBC0000-0x000000013FF14000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-29 19:05

Reported

2024-05-29 19:08

Platform

win10v2004-20240508-en

Max time kernel

148s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-05-29_a8084bae6970d84ba910a2e6a06f83d9_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A (21 identical rows; the sandbox recorded no description, indicator, process or target for these hits)

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A (21 identical rows; the sandbox recorded no description, indicator, process or target for these hits)

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A (64 identical rows; the sandbox recorded no description, indicator, process or target for these hits)

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A (64 identical rows; the sandbox recorded no description, indicator, process or target for these hits)

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A (64 identical rows; the sandbox recorded no description, indicator, process or target for these hits)

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\KIopqxY.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_a8084bae6970d84ba910a2e6a06f83d9_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\LIwsxae.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_a8084bae6970d84ba910a2e6a06f83d9_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\TRIJrQo.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_a8084bae6970d84ba910a2e6a06f83d9_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\eRDcyrk.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_a8084bae6970d84ba910a2e6a06f83d9_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\qlIaqix.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_a8084bae6970d84ba910a2e6a06f83d9_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\uLjTzde.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_a8084bae6970d84ba910a2e6a06f83d9_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\FoRfdia.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_a8084bae6970d84ba910a2e6a06f83d9_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\MPfWJrm.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_a8084bae6970d84ba910a2e6a06f83d9_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\obQZKXs.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_a8084bae6970d84ba910a2e6a06f83d9_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\qQnhmTO.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_a8084bae6970d84ba910a2e6a06f83d9_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\qpmihIE.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_a8084bae6970d84ba910a2e6a06f83d9_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\YBAprwC.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_a8084bae6970d84ba910a2e6a06f83d9_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\oarNIoW.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_a8084bae6970d84ba910a2e6a06f83d9_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\VAzKYnl.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_a8084bae6970d84ba910a2e6a06f83d9_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\mzUVDPt.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_a8084bae6970d84ba910a2e6a06f83d9_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\DZvvuuR.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_a8084bae6970d84ba910a2e6a06f83d9_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\xaBhTDV.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_a8084bae6970d84ba910a2e6a06f83d9_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\LAscMZP.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_a8084bae6970d84ba910a2e6a06f83d9_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\LBqvtcY.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_a8084bae6970d84ba910a2e6a06f83d9_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\auiVBiA.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_a8084bae6970d84ba910a2e6a06f83d9_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\OTdVEwe.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_a8084bae6970d84ba910a2e6a06f83d9_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

SeLockMemoryPrivilege is the right to lock pages in physical memory. XMRig enables it to back RandomX with large pages, so this signature is consistent with the miner verdict, and the Process column places the call in the submitted sample itself rather than in one of the dropped children.

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_a8084bae6970d84ba910a2e6a06f83d9_cobalt-strike_cobaltstrike.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_a8084bae6970d84ba910a2e6a06f83d9_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3004 wrote to memory of 4940 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_a8084bae6970d84ba910a2e6a06f83d9_cobalt-strike_cobaltstrike.exe C:\Windows\System\oarNIoW.exe
PID 3004 wrote to memory of 4940 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_a8084bae6970d84ba910a2e6a06f83d9_cobalt-strike_cobaltstrike.exe C:\Windows\System\oarNIoW.exe
PID 3004 wrote to memory of 4500 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_a8084bae6970d84ba910a2e6a06f83d9_cobalt-strike_cobaltstrike.exe C:\Windows\System\obQZKXs.exe
PID 3004 wrote to memory of 4500 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_a8084bae6970d84ba910a2e6a06f83d9_cobalt-strike_cobaltstrike.exe C:\Windows\System\obQZKXs.exe
PID 3004 wrote to memory of 3480 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_a8084bae6970d84ba910a2e6a06f83d9_cobalt-strike_cobaltstrike.exe C:\Windows\System\LIwsxae.exe
PID 3004 wrote to memory of 3480 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_a8084bae6970d84ba910a2e6a06f83d9_cobalt-strike_cobaltstrike.exe C:\Windows\System\LIwsxae.exe
PID 3004 wrote to memory of 2240 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_a8084bae6970d84ba910a2e6a06f83d9_cobalt-strike_cobaltstrike.exe C:\Windows\System\LAscMZP.exe
PID 3004 wrote to memory of 2240 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_a8084bae6970d84ba910a2e6a06f83d9_cobalt-strike_cobaltstrike.exe C:\Windows\System\LAscMZP.exe
PID 3004 wrote to memory of 4740 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_a8084bae6970d84ba910a2e6a06f83d9_cobalt-strike_cobaltstrike.exe C:\Windows\System\qQnhmTO.exe
PID 3004 wrote to memory of 4740 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_a8084bae6970d84ba910a2e6a06f83d9_cobalt-strike_cobaltstrike.exe C:\Windows\System\qQnhmTO.exe
PID 3004 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_a8084bae6970d84ba910a2e6a06f83d9_cobalt-strike_cobaltstrike.exe C:\Windows\System\VAzKYnl.exe
PID 3004 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_a8084bae6970d84ba910a2e6a06f83d9_cobalt-strike_cobaltstrike.exe C:\Windows\System\VAzKYnl.exe
PID 3004 wrote to memory of 4232 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_a8084bae6970d84ba910a2e6a06f83d9_cobalt-strike_cobaltstrike.exe C:\Windows\System\mzUVDPt.exe
PID 3004 wrote to memory of 4232 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_a8084bae6970d84ba910a2e6a06f83d9_cobalt-strike_cobaltstrike.exe C:\Windows\System\mzUVDPt.exe
PID 3004 wrote to memory of 3900 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_a8084bae6970d84ba910a2e6a06f83d9_cobalt-strike_cobaltstrike.exe C:\Windows\System\TRIJrQo.exe
PID 3004 wrote to memory of 3900 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_a8084bae6970d84ba910a2e6a06f83d9_cobalt-strike_cobaltstrike.exe C:\Windows\System\TRIJrQo.exe
PID 3004 wrote to memory of 4808 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_a8084bae6970d84ba910a2e6a06f83d9_cobalt-strike_cobaltstrike.exe C:\Windows\System\qpmihIE.exe
PID 3004 wrote to memory of 4808 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_a8084bae6970d84ba910a2e6a06f83d9_cobalt-strike_cobaltstrike.exe C:\Windows\System\qpmihIE.exe
PID 3004 wrote to memory of 4764 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_a8084bae6970d84ba910a2e6a06f83d9_cobalt-strike_cobaltstrike.exe C:\Windows\System\LBqvtcY.exe
PID 3004 wrote to memory of 4764 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_a8084bae6970d84ba910a2e6a06f83d9_cobalt-strike_cobaltstrike.exe C:\Windows\System\LBqvtcY.exe
PID 3004 wrote to memory of 4532 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_a8084bae6970d84ba910a2e6a06f83d9_cobalt-strike_cobaltstrike.exe C:\Windows\System\eRDcyrk.exe
PID 3004 wrote to memory of 4532 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_a8084bae6970d84ba910a2e6a06f83d9_cobalt-strike_cobaltstrike.exe C:\Windows\System\eRDcyrk.exe
PID 3004 wrote to memory of 940 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_a8084bae6970d84ba910a2e6a06f83d9_cobalt-strike_cobaltstrike.exe C:\Windows\System\auiVBiA.exe
PID 3004 wrote to memory of 940 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_a8084bae6970d84ba910a2e6a06f83d9_cobalt-strike_cobaltstrike.exe C:\Windows\System\auiVBiA.exe
PID 3004 wrote to memory of 1240 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_a8084bae6970d84ba910a2e6a06f83d9_cobalt-strike_cobaltstrike.exe C:\Windows\System\YBAprwC.exe
PID 3004 wrote to memory of 1240 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_a8084bae6970d84ba910a2e6a06f83d9_cobalt-strike_cobaltstrike.exe C:\Windows\System\YBAprwC.exe
PID 3004 wrote to memory of 2168 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_a8084bae6970d84ba910a2e6a06f83d9_cobalt-strike_cobaltstrike.exe C:\Windows\System\OTdVEwe.exe
PID 3004 wrote to memory of 2168 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_a8084bae6970d84ba910a2e6a06f83d9_cobalt-strike_cobaltstrike.exe C:\Windows\System\OTdVEwe.exe
PID 3004 wrote to memory of 3248 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_a8084bae6970d84ba910a2e6a06f83d9_cobalt-strike_cobaltstrike.exe C:\Windows\System\DZvvuuR.exe
PID 3004 wrote to memory of 3248 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_a8084bae6970d84ba910a2e6a06f83d9_cobalt-strike_cobaltstrike.exe C:\Windows\System\DZvvuuR.exe
PID 3004 wrote to memory of 1948 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_a8084bae6970d84ba910a2e6a06f83d9_cobalt-strike_cobaltstrike.exe C:\Windows\System\uLjTzde.exe
PID 3004 wrote to memory of 1948 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_a8084bae6970d84ba910a2e6a06f83d9_cobalt-strike_cobaltstrike.exe C:\Windows\System\uLjTzde.exe
PID 3004 wrote to memory of 4328 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_a8084bae6970d84ba910a2e6a06f83d9_cobalt-strike_cobaltstrike.exe C:\Windows\System\qlIaqix.exe
PID 3004 wrote to memory of 4328 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_a8084bae6970d84ba910a2e6a06f83d9_cobalt-strike_cobaltstrike.exe C:\Windows\System\qlIaqix.exe
PID 3004 wrote to memory of 1644 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_a8084bae6970d84ba910a2e6a06f83d9_cobalt-strike_cobaltstrike.exe C:\Windows\System\FoRfdia.exe
PID 3004 wrote to memory of 1644 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_a8084bae6970d84ba910a2e6a06f83d9_cobalt-strike_cobaltstrike.exe C:\Windows\System\FoRfdia.exe
PID 3004 wrote to memory of 1804 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_a8084bae6970d84ba910a2e6a06f83d9_cobalt-strike_cobaltstrike.exe C:\Windows\System\xaBhTDV.exe
PID 3004 wrote to memory of 1804 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_a8084bae6970d84ba910a2e6a06f83d9_cobalt-strike_cobaltstrike.exe C:\Windows\System\xaBhTDV.exe
PID 3004 wrote to memory of 4536 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_a8084bae6970d84ba910a2e6a06f83d9_cobalt-strike_cobaltstrike.exe C:\Windows\System\MPfWJrm.exe
PID 3004 wrote to memory of 4536 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_a8084bae6970d84ba910a2e6a06f83d9_cobalt-strike_cobaltstrike.exe C:\Windows\System\MPfWJrm.exe
PID 3004 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_a8084bae6970d84ba910a2e6a06f83d9_cobalt-strike_cobaltstrike.exe C:\Windows\System\KIopqxY.exe
PID 3004 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_a8084bae6970d84ba910a2e6a06f83d9_cobalt-strike_cobaltstrike.exe C:\Windows\System\KIopqxY.exe
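Read together, the "Drops file in Windows directory" and "Suspicious use of WriteProcessMemory" tables describe one execution chain: the submitted sample (PID 3004) writes 21 executables with seven-letter mixed-case names into C:\Windows\System\ and then writes into the memory of each child it starts from them, two rows per child. The script below is an added example, not sandbox code: it correlates the two row types on a constructed subset of the rows above (the long submission file name is shortened to sample.exe) and flags the drop-and-execute pattern. The seven-letter naming regex and the threshold of three children are assumptions chosen for this report.

```python
import re
from collections import defaultdict

# Constructed subset of the two signature tables above; "sample.exe" stands
# in for the long submission file name. Note the duplicate write rows per child.
SIGNATURE_ROWS = r"""
File created C:\Windows\System\KIopqxY.exe C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
File created C:\Windows\System\oarNIoW.exe C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
File created C:\Windows\System\obQZKXs.exe C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
File created C:\Windows\System\LIwsxae.exe C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
PID 3004 wrote to memory of 4940 N/A C:\Users\Admin\AppData\Local\Temp\sample.exe C:\Windows\System\oarNIoW.exe
PID 3004 wrote to memory of 4940 N/A C:\Users\Admin\AppData\Local\Temp\sample.exe C:\Windows\System\oarNIoW.exe
PID 3004 wrote to memory of 4500 N/A C:\Users\Admin\AppData\Local\Temp\sample.exe C:\Windows\System\obQZKXs.exe
PID 3004 wrote to memory of 4500 N/A C:\Users\Admin\AppData\Local\Temp\sample.exe C:\Windows\System\obQZKXs.exe
PID 3004 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\sample.exe C:\Windows\System\KIopqxY.exe
PID 3004 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\sample.exe C:\Windows\System\KIopqxY.exe
"""

# Row shapes exactly as the report prints them (paths contain no spaces).
FILE_CREATED = re.compile(r"^File created (?P<path>\S+) (?P<creator>\S+) N/A$")
WROTE_MEMORY = re.compile(
    r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) N/A (?P<src_image>\S+) (?P<dst_image>\S+)$"
)
# Assumed naming pattern for this sample: seven ASCII letters under C:\Windows\System.
RANDOM_DROP = re.compile(r"^C:\\Windows\\System\\[A-Za-z]{7}\.exe$", re.IGNORECASE)


def parse_rows(text):
    """Return (dropped path -> creating image, (src pid, src image) -> {(dst pid, dst image)})."""
    created = {}
    writes = defaultdict(set)          # a set collapses the duplicate rows per child
    for line in text.splitlines():
        if m := FILE_CREATED.match(line):
            created[m["path"]] = m["creator"]
        elif m := WROTE_MEMORY.match(line):
            writes[(int(m["src"]), m["src_image"])].add((int(m["dst"]), m["dst_image"]))
    return created, writes


def correlate(text, min_children=3):
    """One finding per writing process: how many of its write targets it also dropped."""
    created, writes = parse_rows(text)
    findings = []
    for (src_pid, src_image), targets in writes.items():
        executed = {img for _, img in targets if created.get(img) == src_image}
        random_named = {p for p in executed if RANDOM_DROP.match(p)}
        findings.append({
            "parent_pid": src_pid,
            "dropped": sum(1 for c in created.values() if c == src_image),
            "children_written": len(targets),
            "dropped_and_executed": len(executed),
            "random_named": len(random_named),
            "verdict": "drop-and-execute" if len(random_named) >= min_children else "inconclusive",
        })
    return findings


if __name__ == "__main__":
    for f in correlate(SIGNATURE_ROWS):
        print(f)
```

Two "wrote to memory of" rows per child is consistent with the writes a parent makes to set up a newly created child's process parameters, so on its own this signature fires for ordinary process creation too. What makes it meaningful here is the join: every write target is a file the same parent created moments earlier under a random name, which is the "Executes dropped EXE" behaviour in the summary.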

Processes

C:\Users\Admin\AppData\Local\Temp\2024-05-29_a8084bae6970d84ba910a2e6a06f83d9_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-05-29_a8084bae6970d84ba910a2e6a06f83d9_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\oarNIoW.exe

C:\Windows\System\oarNIoW.exe

C:\Windows\System\obQZKXs.exe

C:\Windows\System\obQZKXs.exe

C:\Windows\System\LIwsxae.exe

C:\Windows\System\LIwsxae.exe

C:\Windows\System\LAscMZP.exe

C:\Windows\System\LAscMZP.exe

C:\Windows\System\qQnhmTO.exe

C:\Windows\System\qQnhmTO.exe

C:\Windows\System\VAzKYnl.exe

C:\Windows\System\VAzKYnl.exe

C:\Windows\System\mzUVDPt.exe

C:\Windows\System\mzUVDPt.exe

C:\Windows\System\TRIJrQo.exe

C:\Windows\System\TRIJrQo.exe

C:\Windows\System\qpmihIE.exe

C:\Windows\System\qpmihIE.exe

C:\Windows\System\LBqvtcY.exe

C:\Windows\System\LBqvtcY.exe

C:\Windows\System\eRDcyrk.exe

C:\Windows\System\eRDcyrk.exe

C:\Windows\System\auiVBiA.exe

C:\Windows\System\auiVBiA.exe

C:\Windows\System\YBAprwC.exe

C:\Windows\System\YBAprwC.exe

C:\Windows\System\OTdVEwe.exe

C:\Windows\System\OTdVEwe.exe

C:\Windows\System\DZvvuuR.exe

C:\Windows\System\DZvvuuR.exe

C:\Windows\System\uLjTzde.exe

C:\Windows\System\uLjTzde.exe

C:\Windows\System\qlIaqix.exe

C:\Windows\System\qlIaqix.exe

C:\Windows\System\FoRfdia.exe

C:\Windows\System\FoRfdia.exe

C:\Windows\System\xaBhTDV.exe

C:\Windows\System\xaBhTDV.exe

C:\Windows\System\MPfWJrm.exe

C:\Windows\System\MPfWJrm.exe

C:\Windows\System\KIopqxY.exe

C:\Windows\System\KIopqxY.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 249.197.17.2.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 240.197.17.2.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 4.173.189.20.in-addr.arpa udp
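Most rows in the network table are reverse (PTR) lookups sent to 8.8.8.8; the only direct connection is TCP to 3.120.209.58:8080 (DE), repeated six times. The script below is an added example and not part of the report: it decodes the in-addr.arpa names back to the addresses being looked up and separates DNS rows from direct connections, on a constructed subset of the rows above. The table records no payload, so whether the 8080 connection is a mining-pool or beacon channel cannot be decided from it, and the PTR targets are candidates to check against the sandbox's own background traffic, not indicators in themselves.

```python
import ipaddress
import re
from collections import Counter

# Constructed subset of the network rows above: country, destination, optional domain, protocol.
NETWORK_ROWS = """\
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 249.197.17.2.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
"""

ROW = re.compile(r"^(?P<cc>[A-Z]{2}) (?P<dest>\S+)(?: (?P<domain>\S+))? (?P<proto>tcp|udp)$")
PTR_NAME = re.compile(r"^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.in-addr\.arpa$")


def ptr_to_ip(name):
    """'58.55.71.13.in-addr.arpa' -> '13.71.55.58'; None if not a valid IPv4 PTR name."""
    m = PTR_NAME.match(name)
    if not m:
        return None
    try:
        return str(ipaddress.IPv4Address(".".join(reversed(m.groups()))))
    except ValueError:          # an octet above 255
        return None


def triage(text):
    """Split rows into reverse-lookup targets, other DNS names, and direct connections."""
    ptr_targets, other_dns, direct = set(), [], Counter()
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        is_dns = m["dest"].endswith(":53") and m["proto"] == "udp"
        if is_dns:
            if m["domain"]:
                ip = ptr_to_ip(m["domain"])
                if ip:
                    ptr_targets.add(ip)
                else:
                    other_dns.append(m["domain"])
            continue
        # Anything that is not a DNS query is a direct connection worth listing.
        direct[(m["cc"], m["dest"], m["proto"])] += 1
    return {
        "ptr_targets": sorted(ptr_targets, key=ipaddress.IPv4Address),
        "other_dns": other_dns,
        "direct": dict(direct),
    }


if __name__ == "__main__":
    print(triage(NETWORK_ROWS))
```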

Files

memory/3004-0-0x00007FF76C5E0000-0x00007FF76C934000-memory.dmp

memory/3004-1-0x0000016522DC0000-0x0000016522DD0000-memory.dmp

C:\Windows\System\oarNIoW.exe

MD5 9db95aa340c427cae86e72e7a70200d6
SHA1 e323a06b08a3e2943fc792c07cb0379c351b2fb3
SHA256 9bd8375c08bcf5eef0a15297331a0e991ae772f0d793f9456d10a594147eb0b6
SHA512 417dd31217c1f992224741aa0af7ab482870bd673ed68c50ed41e79b87efdf627b3c213f6538197dd5e9a647bbd9119e9e5d9b4ee89ab9b15a4ef28379b8cd02

memory/4940-9-0x00007FF626870000-0x00007FF626BC4000-memory.dmp

C:\Windows\System\obQZKXs.exe

MD5 be43e4cfb003446dfcbf27255c9078d3
SHA1 d520003d3de10a726b0418b36def2630893aa04f
SHA256 3795342b8bf68dd3e718acb33314715e90052e796e8f331244e3cbd01ee6e95a
SHA512 2df7c76d766a7335c9da5027ed5e3f01a0fd164902c816fc2e76d93fc035038dd0f39636c712e8fc1e12893c289f32d0b726f03f88367214757bb47eac5e37c5

memory/4500-14-0x00007FF726410000-0x00007FF726764000-memory.dmp

C:\Windows\System\LIwsxae.exe

MD5 b0eefe2f90f587f06a65d71193ee976d
SHA1 09e49703797bdc9be68f3407bed3cee55b415007
SHA256 45485556f5cce516d08d28e02155177199dbba0c62ad72fa01a7a08817449db5
SHA512 2df395ff12c88f43b5e6a03af938c19ad10d3d55177796142d1c0144cd4623238740956f3511a186bf01fbd72ceeeb5a9cea4b4f73c8630c4213f492b85f24d6

memory/3480-29-0x00007FF69B970000-0x00007FF69BCC4000-memory.dmp

C:\Windows\System\qQnhmTO.exe

MD5 7a8290a8a8531c8ada0d28d20e15c398
SHA1 654653a901b0f943004da66cd295ec92d4181f35
SHA256 0792d33ee42d43ae67774c9c22da8dac50e391952bace22d064325ccf092add1
SHA512 107117cd11f79998acbacaf70077a06f6aa3738c52b9d801621af73e5d1210e08b4b53ebff1cb27a00768998b44dc69773a7139497514aa1d1081da25c97283d

C:\Windows\System\mzUVDPt.exe

MD5 e54348ca3ba39e897a2114bb74eb2d05
SHA1 4492b468f55c18e44e54e9acf05f1763cc8c1174
SHA256 9913f76a8a5740babb343c0b72e7d643d2fb62744fdf0ab504363264a472c3cc
SHA512 81f09daaa88e50dfe198996e89496cc3fdabc2cbfaf0bdc28c1bc9a50b0bf29ea09c17247b8ae0189c60c7879869cc51fff7dd4c4955e921dffc0364f9e3a279

C:\Windows\System\VAzKYnl.exe

MD5 d385119242e219ad1804ebdc99cd78d5
SHA1 9b315c432de15acb55cbb8a0a04c5407c834b968
SHA256 fa0b957d2c9e8a6fcc56b8cc75cb68806fefc60d7383f740104c6e5600243942
SHA512 2ba04771ce59cd07ecfb8ca8cd0d617c6d0a9036c5dd89d61d19486b0fbaaafa9c2e53c5e95bfe354c6ff7c59aee730704c697c9ea7429a2982f06d5a9b030b2

C:\Windows\System\qpmihIE.exe

MD5 78930d4fb61c47a9abe5b27a0a093aef
SHA1 67333c0262c2801d5b0d02d7548b7a4fd2bda0e3
SHA256 63dfe603de531d6f6d6c80f585cb587d9cbe81e3abf8cc1be9fd0904e3bfc37b
SHA512 3811675f4442fa6608818533162f32c1c3311c172ea7b314ab0d3401819a3a7f566d34c05af109a7af43edd850c206ab51937da30f9b90a7039c9149d778d5fc

memory/3900-52-0x00007FF65B5F0000-0x00007FF65B944000-memory.dmp

memory/4808-56-0x00007FF727030000-0x00007FF727384000-memory.dmp

memory/4232-53-0x00007FF6750B0000-0x00007FF675404000-memory.dmp

memory/2492-51-0x00007FF7ABC10000-0x00007FF7ABF64000-memory.dmp

C:\Windows\System\TRIJrQo.exe

MD5 a1c7764d31884faf31a83833f78dc900
SHA1 985dddab57a7b5cc81d5e27ec0c45e37e5c3a32d
SHA256 e975372220b9ead8019a66a241bed093ab4ff3ea2bc98e7270948a6abcca18ad
SHA512 7476a6237addfd99aa2905829749074ec547bfc5d58360a987ea59f8a124879b38a1fc4b43ec24b6b283042ff6c0d650e0874e7ac3fdf6c6a974f75410531864

memory/4740-35-0x00007FF73FAE0000-0x00007FF73FE34000-memory.dmp

memory/2240-21-0x00007FF77A320000-0x00007FF77A674000-memory.dmp

C:\Windows\System\LAscMZP.exe

MD5 24e166f62ca43938265529f1a1a29921
SHA1 0888ca1348e2e1c0643d16525670d92c5f5d015a
SHA256 eb521d6e8d2501e6079aa28b1a1baf2fd7859219c7628f7131e911ea9b861716
SHA512 28e9f8dc0fb911f511acc2a8cbacfcc537c04d547093584aff9386edf0d9054e5a38518ffd2edaeb4e71a2055676f515832b40d1a9aa6b8ac1a20389561466cc

C:\Windows\System\LBqvtcY.exe

MD5 d3b934c2eab2b7ce64126aca94dcff29
SHA1 18ded9ed1551baf8188c31494416fa5081ce791f
SHA256 3b00ef9c57bd1a8c39c59e1d9c7010d710ec068609ffb340c9f7aea4dcccc62e
SHA512 10a6f0ee94a7b05f0e9373a80cfe2e8926b20664b4baad1a6cd6aa3bdcd2c46f71869a8b0840dddf461b95b6f7bf3efd57f03cfac948416b393fdbc2c869761f

memory/4764-62-0x00007FF71C8C0000-0x00007FF71CC14000-memory.dmp

C:\Windows\System\eRDcyrk.exe

MD5 48f531b5c1dd0602fb5697d825cf0e19
SHA1 1873725522b49999237f70a6d055f5ac9117635a
SHA256 bfe822ccf4da284b90a83c826d53b2d7c145877ff7f740459aa97f72e44c80b2
SHA512 1cb301c409397aee6f08f69d551778ddad16e93e66c5a7a30c538d9593103caf535b1172042b90412de8524f991555545cba49143a167ef52ca1c21026e14a08

memory/4532-68-0x00007FF766550000-0x00007FF7668A4000-memory.dmp

C:\Windows\System\auiVBiA.exe

MD5 3e5a65ee3d94b2237bd8c34d8f575bfe
SHA1 14a2b7a5a50943643dccdee8aca05e6ca9dacf24
SHA256 3598485654f417f394ef2f47daf14d73f2e8e27d3335a9db511c2712e88c7423
SHA512 c61b8bcbabf06d890cd3356210b8b276487561d32b13d1b41e211b6d0825f15b499de181763436a5afc878b0e6bf2cd14d03b3864105b54d52c13efb17cab3e9

memory/4940-72-0x00007FF626870000-0x00007FF626BC4000-memory.dmp

memory/940-73-0x00007FF77C990000-0x00007FF77CCE4000-memory.dmp

C:\Windows\System\YBAprwC.exe

MD5 6a51e5795eead7ffd18a65b83904e505
SHA1 dbecc5c1ae71886f380356345b5dfd0e97bb2fab
SHA256 da1b6efd0e09694106ddeb945ecacb936c02e7e90eced7fc7ebff97cfa5a3836
SHA512 be01fae8be70061110c7fa587dbaf536abc7212bc4d2223e7e950b48a03cd21d3742a5afb06ad91865bde25225e86b314950dc0acfe17c1a270403dc63f7d72f

C:\Windows\System\OTdVEwe.exe

MD5 0ef487bc7e5ef1228f6036d4bba321d7
SHA1 a247e7a8fa6f25e13b45c693192aa250a2ae80f2
SHA256 aabc57c0b15357b137fde4db3e372629bad08502d131b50665597fdab5c718ca
SHA512 441309053a71c02ae3d97f870f9897792463b059a4910ab6fab25c32cc66bb39cc22dcf22151a2b9a555351c03cabb4daff7b9d42da01b6f8b77fd0f0c53c8ff

C:\Windows\System\DZvvuuR.exe

MD5 0b71b67d5bd02f0917d2bd8fedc88932
SHA1 d536fbc8a1ad1d1ba2a5f28e6477fe85ecbe4c22
SHA256 6ff2185c8e4229b067ce4c9c6e18b76b00b14b7ba15dcefdd4344891231a382f
SHA512 23760f4247ed24167d71ca99825b9ac2e099e06eaf600736b0536ccef074c2bb0184035311917ff1e89f1959cf30eb003903fde478b9212147955c1afec94a10

memory/4500-92-0x00007FF726410000-0x00007FF726764000-memory.dmp

C:\Windows\System\uLjTzde.exe

MD5 a186f846094cf46d8ec111e95dba4351
SHA1 fa5bf78ff766728bb5dbbecbe9756cc9e2b36f19
SHA256 2325c80867351feea2d59ed98ba81966ee5a263cc2a19363bf7680a2bc4c5993
SHA512 3dd71e69e412b03ffb12238aa9f7baa5499917e17ab5912d20a7012b3d9b448ae8d89f157abf96a4ee0d96f031e04dc23738f775d217242bb0f347c6bbe5b85b

C:\Windows\System\FoRfdia.exe

MD5 a4f063f3bfb44c90a458cc6e3fcb7f97
SHA1 7ebbafd8ea326d122db12ee034fd2beefc75300b
SHA256 aa676182cee5f6986ef92865355a10e6a040906a42fd9a30e84fc57ea655d7d2
SHA512 bb69727304a1b6c30a360ab79336b3c92c93dbca941801de88402c3618bcc22b27190f394bf44cb5d549c8467055ef5c5ec3fe3fa01769d1f5679e2d9b4ad428

memory/4740-107-0x00007FF73FAE0000-0x00007FF73FE34000-memory.dmp

C:\Windows\System\MPfWJrm.exe

MD5 b66e872ffb52a8443541ef00ef782a39
SHA1 a33565e095108d37fd5d18b6ec13d5e26870fe3f
SHA256 aa449f2b7d5d78d27496222e0ec8d6074ddc110e29ce3d216b7dd3c2071ea63d
SHA512 917602176e2b2ab800c168729fcaf8d4101dc0076df66757d10e68c36416522264a5dd4f7ebbe084a251484562bd40678ae1cb57da6973cae115816c73f4cefe

memory/4536-125-0x00007FF7CF890000-0x00007FF7CFBE4000-memory.dmp

memory/1804-130-0x00007FF77B340000-0x00007FF77B694000-memory.dmp

memory/2676-132-0x00007FF6393A0000-0x00007FF6396F4000-memory.dmp

C:\Windows\System\KIopqxY.exe

MD5 7c4bf6ef85d03010670c7406e4fe1693
SHA1 9cacbdeb11a53f45d30a8c14f86ae548a0d62ebf
SHA256 223d0b9943b7f0463ef80fdc1285cbed1da6906777b289f98aadbf81c06bd44f
SHA512 fdce6330830625c5226714c49297b6c1d63159f79d008aae5157b5bf4781f1a5f0b642c768e7e511f4c7aa6f37ec4fbca6f0ceea0cdb7a9ac05dbea94303964c

C:\Windows\System\xaBhTDV.exe

MD5 700a48b5e32769adf416d474ce29d201
SHA1 1081765613e3c59e8a0e8ad2ef00e4a2165a3a08
SHA256 d86ffe8c9601760073fb09c06b2977e0c5164f2fd4c126baf7d53dcebc36a209
SHA512 042c00d7e4785654269584b60a4b7ce9fb999130295189254a21afcb831d3e7067fb84b89c867016fac51d1dc5e81cb8f3bb963e0cd9136cabf6f4e2d9975617

memory/1644-121-0x00007FF7EE9C0000-0x00007FF7EED14000-memory.dmp

memory/4328-116-0x00007FF7A6730000-0x00007FF7A6A84000-memory.dmp

C:\Windows\System\qlIaqix.exe

MD5 e6e61354b39490a1202edace0a0fc583
SHA1 3bf7a44e520e69331e6d93336c9e8645de8d641c
SHA256 8e23690a02074364f0f9fbff876e1cac93436c42983fe6eaa24b4678e359a612
SHA512 19b31a0c20c802399d1dfc611652f0b9aadfe992a4a3001aeb3ef39fbbe0279bacb88db8116f4a3992a094e0d2d475b9740e55903aad507642cee55448a6d835

memory/1948-106-0x00007FF625480000-0x00007FF6257D4000-memory.dmp

memory/3480-101-0x00007FF69B970000-0x00007FF69BCC4000-memory.dmp

memory/2240-100-0x00007FF77A320000-0x00007FF77A674000-memory.dmp

memory/3248-93-0x00007FF69BF50000-0x00007FF69C2A4000-memory.dmp

memory/2168-85-0x00007FF6C7B10000-0x00007FF6C7E64000-memory.dmp

memory/1240-82-0x00007FF686E30000-0x00007FF687184000-memory.dmp

memory/3004-80-0x00007FF76C5E0000-0x00007FF76C934000-memory.dmp

memory/940-134-0x00007FF77C990000-0x00007FF77CCE4000-memory.dmp

memory/1240-135-0x00007FF686E30000-0x00007FF687184000-memory.dmp

memory/2168-136-0x00007FF6C7B10000-0x00007FF6C7E64000-memory.dmp

memory/3248-137-0x00007FF69BF50000-0x00007FF69C2A4000-memory.dmp

memory/1948-138-0x00007FF625480000-0x00007FF6257D4000-memory.dmp

memory/4328-139-0x00007FF7A6730000-0x00007FF7A6A84000-memory.dmp

memory/4536-140-0x00007FF7CF890000-0x00007FF7CFBE4000-memory.dmp

memory/1644-141-0x00007FF7EE9C0000-0x00007FF7EED14000-memory.dmp

memory/2676-142-0x00007FF6393A0000-0x00007FF6396F4000-memory.dmp

memory/4940-143-0x00007FF626870000-0x00007FF626BC4000-memory.dmp

memory/4500-144-0x00007FF726410000-0x00007FF726764000-memory.dmp

memory/2240-145-0x00007FF77A320000-0x00007FF77A674000-memory.dmp

memory/4740-147-0x00007FF73FAE0000-0x00007FF73FE34000-memory.dmp

memory/3480-146-0x00007FF69B970000-0x00007FF69BCC4000-memory.dmp

memory/3900-148-0x00007FF65B5F0000-0x00007FF65B944000-memory.dmp

memory/4232-150-0x00007FF6750B0000-0x00007FF675404000-memory.dmp

memory/2492-149-0x00007FF7ABC10000-0x00007FF7ABF64000-memory.dmp

memory/4808-151-0x00007FF727030000-0x00007FF727384000-memory.dmp

memory/4764-152-0x00007FF71C8C0000-0x00007FF71CC14000-memory.dmp

memory/4532-153-0x00007FF766550000-0x00007FF7668A4000-memory.dmp

memory/940-154-0x00007FF77C990000-0x00007FF77CCE4000-memory.dmp

memory/2168-155-0x00007FF6C7B10000-0x00007FF6C7E64000-memory.dmp

memory/1240-156-0x00007FF686E30000-0x00007FF687184000-memory.dmp

memory/3248-157-0x00007FF69BF50000-0x00007FF69C2A4000-memory.dmp

memory/1948-158-0x00007FF625480000-0x00007FF6257D4000-memory.dmp

memory/4328-159-0x00007FF7A6730000-0x00007FF7A6A84000-memory.dmp

memory/4536-160-0x00007FF7CF890000-0x00007FF7CFBE4000-memory.dmp

memory/1644-161-0x00007FF7EE9C0000-0x00007FF7EED14000-memory.dmp

memory/1804-162-0x00007FF77B340000-0x00007FF77B694000-memory.dmp

memory/2676-163-0x00007FF6393A0000-0x00007FF6396F4000-memory.dmp
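The Files sections of both behavioral runs list each dropped executable with four digests and a set of memory dumps named memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp. The script below is an added example and not the sandbox's export format or code: it parses both record types from a constructed excerpt of the lines above, checks that each digest has the hex length its algorithm requires, collapses repeat dumps of the same region, and sizes the dumped regions. In this section every dump except the 64 KB region of PID 3004 spans exactly 0x354000 bytes, while the on-disk hashes differ per file, so the drops share one image layout without being byte-identical copies; the size grouping that shows this is the editor's addition.

```python
import re
from collections import Counter, defaultdict

# Constructed excerpt of the Files listings above: two dropped files, six memory
# dumps (one copied from the behavioral1 listing, one a repeat dump of PID 4940).
FILES_SECTION = r"""
memory/3004-0-0x00007FF76C5E0000-0x00007FF76C934000-memory.dmp

memory/3004-1-0x0000016522DC0000-0x0000016522DD0000-memory.dmp

C:\Windows\System\oarNIoW.exe

MD5 9db95aa340c427cae86e72e7a70200d6
SHA1 e323a06b08a3e2943fc792c07cb0379c351b2fb3
SHA256 9bd8375c08bcf5eef0a15297331a0e991ae772f0d793f9456d10a594147eb0b6
SHA512 417dd31217c1f992224741aa0af7ab482870bd673ed68c50ed41e79b87efdf627b3c213f6538197dd5e9a647bbd9119e9e5d9b4ee89ab9b15a4ef28379b8cd02

memory/4940-9-0x00007FF626870000-0x00007FF626BC4000-memory.dmp

C:\Windows\System\obQZKXs.exe

MD5 be43e4cfb003446dfcbf27255c9078d3
SHA1 d520003d3de10a726b0418b36def2630893aa04f
SHA256 3795342b8bf68dd3e718acb33314715e90052e796e8f331244e3cbd01ee6e95a
SHA512 2df7c76d766a7335c9da5027ed5e3f01a0fd164902c816fc2e76d93fc035038dd0f39636c712e8fc1e12893c289f32d0b726f03f88367214757bb47eac5e37c5

memory/4500-14-0x00007FF726410000-0x00007FF726764000-memory.dmp

memory/4940-72-0x00007FF626870000-0x00007FF626BC4000-memory.dmp

memory/1856-102-0x0000000002340000-0x0000000002694000-memory.dmp
"""

MEM_DUMP = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)
HASH_LINE = re.compile(r"^(?P<algo>MD5|SHA1|SHA256|SHA512) (?P<hex>[0-9a-f]+)$")
DIGEST_HEX_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
FILE_PATH = re.compile(r"^(?:[A-Za-z]:)?\\")     # C:\... or the drive-less \Windows\... form


def parse_files(text):
    """Return ({path: {algo: hex}}, [region dicts]) from a Files listing."""
    files, regions, current = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := MEM_DUMP.match(line):
            start, end = int(m["start"], 16), int(m["end"], 16)
            if end <= start:
                raise ValueError(f"bad range in {line}")
            regions.append({"pid": int(m["pid"]), "seq": int(m["seq"]), "start": start, "size": end - start})
            current = None
        elif m := HASH_LINE.match(line):
            if current is None:
                raise ValueError(f"digest without a preceding path: {line}")
            if len(m["hex"]) != DIGEST_HEX_LEN[m["algo"]]:
                raise ValueError(f"{m['algo']} for {current} is not {DIGEST_HEX_LEN[m['algo']]} hex chars")
            files[current][m["algo"]] = m["hex"]
        elif FILE_PATH.match(line):
            current = line
            files.setdefault(current, {})
    return files, regions


def region_sizes(regions):
    """Histogram of dumped-region sizes; one dominant size means one shared image layout."""
    return dict(Counter(r["size"] for r in regions))


def image_regions(regions, size=0x354000):
    """PID -> distinct start addresses of regions of the given size (repeat dumps collapse)."""
    by_pid = defaultdict(set)
    for r in regions:
        if r["size"] == size:
            by_pid[r["pid"]].add(r["start"])
    return dict(by_pid)


def sha256_iocs(files):
    """Sorted, de-duplicated SHA-256 list suitable for a blocklist or hunt query."""
    return sorted({h["SHA256"] for h in files.values() if "SHA256" in h})


if __name__ == "__main__":
    files, regions = parse_files(FILES_SECTION)
    print(region_sizes(regions))
    print(image_regions(regions))
    print("\n".join(sha256_iocs(files)))
```

The length check matters when a report like this is copied into a blocklist by hand: a digest that lost or gained a character silently matches nothing. The per-PID start addresses also show the 64-bit image base changing between processes (ASLR), which is why the dumps are keyed by PID and sequence rather than by address.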