Malware Analysis Report

2025-03-15 08:10

Sample ID 240529-yrsd7aga8s
Target 2024-05-29_6bf99aa5b69915ee7614baab51b8409d_cobalt-strike_cobaltstrike
SHA256 8eb295fa5533ba5f03e0053c166f7c1e4296cdef80d8d307a209736e541e5ed7
Tags
upx 0 miner cobaltstrike xmrig backdoor trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

8eb295fa5533ba5f03e0053c166f7c1e4296cdef80d8d307a209736e541e5ed7

Threat Level: Known bad

The file 2024-05-29_6bf99aa5b69915ee7614baab51b8409d_cobalt-strike_cobaltstrike was found to be: Known bad.

Malicious Activity Summary

xmrig

XMRig Miner payload

Detects Reflective DLL injection artifacts

Cobalt Strike reflective loader

Cobaltstrike family

UPX dump on OEP (original entry point)

Xmrig family

Cobaltstrike

Detects Reflective DLL injection artifacts

XMRig Miner payload

UPX dump on OEP (original entry point)

Loads dropped DLL

UPX packed file

Executes dropped EXE

Drops file in Windows directory

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-05-29 20:01

Signatures

Cobalt Strike reflective loader

Cobaltstrike family

cobaltstrike

Detects Reflective DLL injection artifacts

UPX dump on OEP (original entry point)

XMRig Miner payload

miner

Xmrig family

xmrig

UPX packed file

upx

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-29 20:01

Reported

2024-05-29 20:04

Platform

win7-20240221-en

Max time kernel

142s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-05-29_6bf99aa5b69915ee7614baab51b8409d_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

UPX dump on OEP (original entry point)

XMRig Miner payload

miner

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_6bf99aa5b69915ee7614baab51b8409d_cobalt-strike_cobaltstrike.exe N/A

UPX packed file

upx

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\xdkILSj.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_6bf99aa5b69915ee7614baab51b8409d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\LNIrDgN.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_6bf99aa5b69915ee7614baab51b8409d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\SVVGZyJ.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_6bf99aa5b69915ee7614baab51b8409d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\tIkSZdj.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_6bf99aa5b69915ee7614baab51b8409d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\sXZGJnJ.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_6bf99aa5b69915ee7614baab51b8409d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\fGkEWEJ.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_6bf99aa5b69915ee7614baab51b8409d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\JkMWpDV.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_6bf99aa5b69915ee7614baab51b8409d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\zAdetgs.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_6bf99aa5b69915ee7614baab51b8409d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\DosVLMA.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_6bf99aa5b69915ee7614baab51b8409d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\KHCSfcP.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_6bf99aa5b69915ee7614baab51b8409d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\yZBExeV.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_6bf99aa5b69915ee7614baab51b8409d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\IcPxMbg.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_6bf99aa5b69915ee7614baab51b8409d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\kVnlEOz.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_6bf99aa5b69915ee7614baab51b8409d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\oZtMOWs.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_6bf99aa5b69915ee7614baab51b8409d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\EoJedcU.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_6bf99aa5b69915ee7614baab51b8409d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\FPStyNU.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_6bf99aa5b69915ee7614baab51b8409d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\oRWdcrz.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_6bf99aa5b69915ee7614baab51b8409d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\JJEzLYV.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_6bf99aa5b69915ee7614baab51b8409d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\uIPpedE.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_6bf99aa5b69915ee7614baab51b8409d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\HvZIqwx.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_6bf99aa5b69915ee7614baab51b8409d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\TyFFMAL.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_6bf99aa5b69915ee7614baab51b8409d_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_6bf99aa5b69915ee7614baab51b8409d_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1756 wrote to memory of 1744 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_6bf99aa5b69915ee7614baab51b8409d_cobalt-strike_cobaltstrike.exe C:\Windows\System\xdkILSj.exe
PID 1756 wrote to memory of 2944 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_6bf99aa5b69915ee7614baab51b8409d_cobalt-strike_cobaltstrike.exe C:\Windows\System\IcPxMbg.exe
PID 1756 wrote to memory of 3000 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_6bf99aa5b69915ee7614baab51b8409d_cobalt-strike_cobaltstrike.exe C:\Windows\System\fGkEWEJ.exe
PID 1756 wrote to memory of 2664 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_6bf99aa5b69915ee7614baab51b8409d_cobalt-strike_cobaltstrike.exe C:\Windows\System\JkMWpDV.exe
PID 1756 wrote to memory of 2792 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_6bf99aa5b69915ee7614baab51b8409d_cobalt-strike_cobaltstrike.exe C:\Windows\System\zAdetgs.exe
PID 1756 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_6bf99aa5b69915ee7614baab51b8409d_cobalt-strike_cobaltstrike.exe C:\Windows\System\DosVLMA.exe
PID 1756 wrote to memory of 2644 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_6bf99aa5b69915ee7614baab51b8409d_cobalt-strike_cobaltstrike.exe C:\Windows\System\JJEzLYV.exe
PID 1756 wrote to memory of 2484 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_6bf99aa5b69915ee7614baab51b8409d_cobalt-strike_cobaltstrike.exe C:\Windows\System\kVnlEOz.exe
PID 1756 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_6bf99aa5b69915ee7614baab51b8409d_cobalt-strike_cobaltstrike.exe C:\Windows\System\oZtMOWs.exe
PID 1756 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_6bf99aa5b69915ee7614baab51b8409d_cobalt-strike_cobaltstrike.exe C:\Windows\System\LNIrDgN.exe
PID 1756 wrote to memory of 2524 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_6bf99aa5b69915ee7614baab51b8409d_cobalt-strike_cobaltstrike.exe C:\Windows\System\EoJedcU.exe
PID 1756 wrote to memory of 2868 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_6bf99aa5b69915ee7614baab51b8409d_cobalt-strike_cobaltstrike.exe C:\Windows\System\uIPpedE.exe
PID 1756 wrote to memory of 2200 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_6bf99aa5b69915ee7614baab51b8409d_cobalt-strike_cobaltstrike.exe C:\Windows\System\SVVGZyJ.exe
PID 1756 wrote to memory of 2240 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_6bf99aa5b69915ee7614baab51b8409d_cobalt-strike_cobaltstrike.exe C:\Windows\System\KHCSfcP.exe
PID 1756 wrote to memory of 2360 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_6bf99aa5b69915ee7614baab51b8409d_cobalt-strike_cobaltstrike.exe C:\Windows\System\FPStyNU.exe
PID 1756 wrote to memory of 2024 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_6bf99aa5b69915ee7614baab51b8409d_cobalt-strike_cobaltstrike.exe C:\Windows\System\oRWdcrz.exe
PID 1756 wrote to memory of 868 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_6bf99aa5b69915ee7614baab51b8409d_cobalt-strike_cobaltstrike.exe C:\Windows\System\yZBExeV.exe
PID 1756 wrote to memory of 1236 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_6bf99aa5b69915ee7614baab51b8409d_cobalt-strike_cobaltstrike.exe C:\Windows\System\tIkSZdj.exe
PID 1756 wrote to memory of 1336 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_6bf99aa5b69915ee7614baab51b8409d_cobalt-strike_cobaltstrike.exe C:\Windows\System\sXZGJnJ.exe
PID 1756 wrote to memory of 2244 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_6bf99aa5b69915ee7614baab51b8409d_cobalt-strike_cobaltstrike.exe C:\Windows\System\HvZIqwx.exe
PID 1756 wrote to memory of 1728 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_6bf99aa5b69915ee7614baab51b8409d_cobalt-strike_cobaltstrike.exe C:\Windows\System\TyFFMAL.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-05-29_6bf99aa5b69915ee7614baab51b8409d_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-05-29_6bf99aa5b69915ee7614baab51b8409d_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\xdkILSj.exe

C:\Windows\System\xdkILSj.exe

C:\Windows\System\IcPxMbg.exe

C:\Windows\System\IcPxMbg.exe

C:\Windows\System\fGkEWEJ.exe

C:\Windows\System\fGkEWEJ.exe

C:\Windows\System\JkMWpDV.exe

C:\Windows\System\JkMWpDV.exe

C:\Windows\System\zAdetgs.exe

C:\Windows\System\zAdetgs.exe

C:\Windows\System\DosVLMA.exe

C:\Windows\System\DosVLMA.exe

C:\Windows\System\JJEzLYV.exe

C:\Windows\System\JJEzLYV.exe

C:\Windows\System\kVnlEOz.exe

C:\Windows\System\kVnlEOz.exe

C:\Windows\System\oZtMOWs.exe

C:\Windows\System\oZtMOWs.exe

C:\Windows\System\LNIrDgN.exe

C:\Windows\System\LNIrDgN.exe

C:\Windows\System\EoJedcU.exe

C:\Windows\System\EoJedcU.exe

C:\Windows\System\uIPpedE.exe

C:\Windows\System\uIPpedE.exe

C:\Windows\System\SVVGZyJ.exe

C:\Windows\System\SVVGZyJ.exe

C:\Windows\System\KHCSfcP.exe

C:\Windows\System\KHCSfcP.exe

C:\Windows\System\FPStyNU.exe

C:\Windows\System\FPStyNU.exe

C:\Windows\System\oRWdcrz.exe

C:\Windows\System\oRWdcrz.exe

C:\Windows\System\yZBExeV.exe

C:\Windows\System\yZBExeV.exe

C:\Windows\System\tIkSZdj.exe

C:\Windows\System\tIkSZdj.exe

C:\Windows\System\sXZGJnJ.exe

C:\Windows\System\sXZGJnJ.exe

C:\Windows\System\HvZIqwx.exe

C:\Windows\System\HvZIqwx.exe

C:\Windows\System\TyFFMAL.exe

C:\Windows\System\TyFFMAL.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 tcp

Files

SHA512 2d18e238f6d1b9b109c9b176971c2818e5093943dced791c7f58cb1d3f601a7d50162b645c24048fbeb1ae36d1b803531dc7db15d864448dcbf847ab678491e0

memory/1756-139-0x000000013FF50000-0x00000001402A1000-memory.dmp

memory/2644-146-0x000000013F690000-0x000000013F9E1000-memory.dmp

memory/2868-152-0x000000013FEB0000-0x0000000140201000-memory.dmp

memory/1756-151-0x0000000002200000-0x0000000002551000-memory.dmp

memory/2200-154-0x000000013FA80000-0x000000013FDD1000-memory.dmp

memory/1728-162-0x000000013F8E0000-0x000000013FC31000-memory.dmp

memory/2244-161-0x000000013F570000-0x000000013F8C1000-memory.dmp

memory/1336-160-0x000000013FBD0000-0x000000013FF21000-memory.dmp

memory/1236-159-0x000000013F730000-0x000000013FA81000-memory.dmp

memory/868-158-0x000000013FDF0000-0x0000000140141000-memory.dmp

memory/2360-156-0x000000013FA60000-0x000000013FDB1000-memory.dmp

memory/2024-157-0x000000013FA40000-0x000000013FD91000-memory.dmp

memory/1756-163-0x000000013FF50000-0x00000001402A1000-memory.dmp

memory/1756-185-0x000000013F790000-0x000000013FAE1000-memory.dmp

memory/1756-186-0x000000013FA60000-0x000000013FDB1000-memory.dmp

memory/2944-210-0x000000013F300000-0x000000013F651000-memory.dmp

memory/3000-212-0x000000013F440000-0x000000013F791000-memory.dmp

memory/2664-228-0x000000013F410000-0x000000013F761000-memory.dmp

memory/2572-230-0x000000013F160000-0x000000013F4B1000-memory.dmp

memory/2616-232-0x000000013F980000-0x000000013FCD1000-memory.dmp

memory/2792-236-0x000000013F3B0000-0x000000013F701000-memory.dmp

memory/2484-235-0x000000013F1A0000-0x000000013F4F1000-memory.dmp

memory/1744-227-0x000000013FA10000-0x000000013FD61000-memory.dmp

memory/2868-238-0x000000013FEB0000-0x0000000140201000-memory.dmp

memory/2692-240-0x000000013F500000-0x000000013F851000-memory.dmp

memory/2644-242-0x000000013F690000-0x000000013F9E1000-memory.dmp

memory/2524-244-0x000000013F910000-0x000000013FC61000-memory.dmp

memory/2200-246-0x000000013FA80000-0x000000013FDD1000-memory.dmp

memory/2240-252-0x000000013F790000-0x000000013FAE1000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-29 20:01

Reported

2024-05-29 20:04

Platform

win10v2004-20240508-en

Max time kernel

141s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-05-29_6bf99aa5b69915ee7614baab51b8409d_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\DGbQtVQ.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_6bf99aa5b69915ee7614baab51b8409d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\gEWImYr.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_6bf99aa5b69915ee7614baab51b8409d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\KAHfFff.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_6bf99aa5b69915ee7614baab51b8409d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\JkBXECu.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_6bf99aa5b69915ee7614baab51b8409d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\IHclOAT.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_6bf99aa5b69915ee7614baab51b8409d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\mxXxsLc.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_6bf99aa5b69915ee7614baab51b8409d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\rQtJIIu.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_6bf99aa5b69915ee7614baab51b8409d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\CJsgZSN.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_6bf99aa5b69915ee7614baab51b8409d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\PkiQOEK.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_6bf99aa5b69915ee7614baab51b8409d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ZCyeWhA.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_6bf99aa5b69915ee7614baab51b8409d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\XiRJnQh.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_6bf99aa5b69915ee7614baab51b8409d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\aVpCyrL.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_6bf99aa5b69915ee7614baab51b8409d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\wPudVqc.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_6bf99aa5b69915ee7614baab51b8409d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\NPlNoDb.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_6bf99aa5b69915ee7614baab51b8409d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\eTcjlBT.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_6bf99aa5b69915ee7614baab51b8409d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\svhoKVz.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_6bf99aa5b69915ee7614baab51b8409d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\kkdoCUH.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_6bf99aa5b69915ee7614baab51b8409d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\MnJVoQl.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_6bf99aa5b69915ee7614baab51b8409d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\wcIiqoV.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_6bf99aa5b69915ee7614baab51b8409d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\miLIzHg.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_6bf99aa5b69915ee7614baab51b8409d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\gBHYxvO.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_6bf99aa5b69915ee7614baab51b8409d_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_6bf99aa5b69915ee7614baab51b8409d_cobalt-strike_cobaltstrike.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_6bf99aa5b69915ee7614baab51b8409d_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3560 wrote to memory of 3552 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_6bf99aa5b69915ee7614baab51b8409d_cobalt-strike_cobaltstrike.exe C:\Windows\System\aVpCyrL.exe
PID 3560 wrote to memory of 3552 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_6bf99aa5b69915ee7614baab51b8409d_cobalt-strike_cobaltstrike.exe C:\Windows\System\aVpCyrL.exe
PID 3560 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_6bf99aa5b69915ee7614baab51b8409d_cobalt-strike_cobaltstrike.exe C:\Windows\System\MnJVoQl.exe
PID 3560 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_6bf99aa5b69915ee7614baab51b8409d_cobalt-strike_cobaltstrike.exe C:\Windows\System\MnJVoQl.exe
PID 3560 wrote to memory of 3324 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_6bf99aa5b69915ee7614baab51b8409d_cobalt-strike_cobaltstrike.exe C:\Windows\System\JkBXECu.exe
PID 3560 wrote to memory of 3324 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_6bf99aa5b69915ee7614baab51b8409d_cobalt-strike_cobaltstrike.exe C:\Windows\System\JkBXECu.exe
PID 3560 wrote to memory of 380 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_6bf99aa5b69915ee7614baab51b8409d_cobalt-strike_cobaltstrike.exe C:\Windows\System\IHclOAT.exe
PID 3560 wrote to memory of 380 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_6bf99aa5b69915ee7614baab51b8409d_cobalt-strike_cobaltstrike.exe C:\Windows\System\IHclOAT.exe
PID 3560 wrote to memory of 4688 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_6bf99aa5b69915ee7614baab51b8409d_cobalt-strike_cobaltstrike.exe C:\Windows\System\wPudVqc.exe
PID 3560 wrote to memory of 4688 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_6bf99aa5b69915ee7614baab51b8409d_cobalt-strike_cobaltstrike.exe C:\Windows\System\wPudVqc.exe
PID 3560 wrote to memory of 1948 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_6bf99aa5b69915ee7614baab51b8409d_cobalt-strike_cobaltstrike.exe C:\Windows\System\gBHYxvO.exe
PID 3560 wrote to memory of 1948 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_6bf99aa5b69915ee7614baab51b8409d_cobalt-strike_cobaltstrike.exe C:\Windows\System\gBHYxvO.exe
PID 3560 wrote to memory of 3328 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_6bf99aa5b69915ee7614baab51b8409d_cobalt-strike_cobaltstrike.exe C:\Windows\System\mxXxsLc.exe
PID 3560 wrote to memory of 3328 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_6bf99aa5b69915ee7614baab51b8409d_cobalt-strike_cobaltstrike.exe C:\Windows\System\mxXxsLc.exe
PID 3560 wrote to memory of 5116 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_6bf99aa5b69915ee7614baab51b8409d_cobalt-strike_cobaltstrike.exe C:\Windows\System\DGbQtVQ.exe
PID 3560 wrote to memory of 5116 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_6bf99aa5b69915ee7614baab51b8409d_cobalt-strike_cobaltstrike.exe C:\Windows\System\DGbQtVQ.exe
PID 3560 wrote to memory of 3280 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_6bf99aa5b69915ee7614baab51b8409d_cobalt-strike_cobaltstrike.exe C:\Windows\System\rQtJIIu.exe
PID 3560 wrote to memory of 3280 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_6bf99aa5b69915ee7614baab51b8409d_cobalt-strike_cobaltstrike.exe C:\Windows\System\rQtJIIu.exe
PID 3560 wrote to memory of 4628 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_6bf99aa5b69915ee7614baab51b8409d_cobalt-strike_cobaltstrike.exe C:\Windows\System\CJsgZSN.exe
PID 3560 wrote to memory of 4628 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_6bf99aa5b69915ee7614baab51b8409d_cobalt-strike_cobaltstrike.exe C:\Windows\System\CJsgZSN.exe
PID 3560 wrote to memory of 1860 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_6bf99aa5b69915ee7614baab51b8409d_cobalt-strike_cobaltstrike.exe C:\Windows\System\NPlNoDb.exe
PID 3560 wrote to memory of 1860 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_6bf99aa5b69915ee7614baab51b8409d_cobalt-strike_cobaltstrike.exe C:\Windows\System\NPlNoDb.exe
PID 3560 wrote to memory of 2104 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_6bf99aa5b69915ee7614baab51b8409d_cobalt-strike_cobaltstrike.exe C:\Windows\System\eTcjlBT.exe
PID 3560 wrote to memory of 2104 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_6bf99aa5b69915ee7614baab51b8409d_cobalt-strike_cobaltstrike.exe C:\Windows\System\eTcjlBT.exe
PID 3560 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_6bf99aa5b69915ee7614baab51b8409d_cobalt-strike_cobaltstrike.exe C:\Windows\System\PkiQOEK.exe
PID 3560 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_6bf99aa5b69915ee7614baab51b8409d_cobalt-strike_cobaltstrike.exe C:\Windows\System\PkiQOEK.exe
PID 3560 wrote to memory of 2376 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_6bf99aa5b69915ee7614baab51b8409d_cobalt-strike_cobaltstrike.exe C:\Windows\System\wcIiqoV.exe
PID 3560 wrote to memory of 2376 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_6bf99aa5b69915ee7614baab51b8409d_cobalt-strike_cobaltstrike.exe C:\Windows\System\wcIiqoV.exe
PID 3560 wrote to memory of 1068 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_6bf99aa5b69915ee7614baab51b8409d_cobalt-strike_cobaltstrike.exe C:\Windows\System\gEWImYr.exe
PID 3560 wrote to memory of 1068 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_6bf99aa5b69915ee7614baab51b8409d_cobalt-strike_cobaltstrike.exe C:\Windows\System\gEWImYr.exe
PID 3560 wrote to memory of 3320 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_6bf99aa5b69915ee7614baab51b8409d_cobalt-strike_cobaltstrike.exe C:\Windows\System\ZCyeWhA.exe
PID 3560 wrote to memory of 3320 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_6bf99aa5b69915ee7614baab51b8409d_cobalt-strike_cobaltstrike.exe C:\Windows\System\ZCyeWhA.exe
PID 3560 wrote to memory of 5024 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_6bf99aa5b69915ee7614baab51b8409d_cobalt-strike_cobaltstrike.exe C:\Windows\System\svhoKVz.exe
PID 3560 wrote to memory of 5024 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_6bf99aa5b69915ee7614baab51b8409d_cobalt-strike_cobaltstrike.exe C:\Windows\System\svhoKVz.exe
PID 3560 wrote to memory of 4472 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_6bf99aa5b69915ee7614baab51b8409d_cobalt-strike_cobaltstrike.exe C:\Windows\System\kkdoCUH.exe
PID 3560 wrote to memory of 4472 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_6bf99aa5b69915ee7614baab51b8409d_cobalt-strike_cobaltstrike.exe C:\Windows\System\kkdoCUH.exe
PID 3560 wrote to memory of 592 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_6bf99aa5b69915ee7614baab51b8409d_cobalt-strike_cobaltstrike.exe C:\Windows\System\miLIzHg.exe
PID 3560 wrote to memory of 592 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_6bf99aa5b69915ee7614baab51b8409d_cobalt-strike_cobaltstrike.exe C:\Windows\System\miLIzHg.exe
PID 3560 wrote to memory of 4296 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_6bf99aa5b69915ee7614baab51b8409d_cobalt-strike_cobaltstrike.exe C:\Windows\System\XiRJnQh.exe
PID 3560 wrote to memory of 4296 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_6bf99aa5b69915ee7614baab51b8409d_cobalt-strike_cobaltstrike.exe C:\Windows\System\XiRJnQh.exe
PID 3560 wrote to memory of 3036 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_6bf99aa5b69915ee7614baab51b8409d_cobalt-strike_cobaltstrike.exe C:\Windows\System\KAHfFff.exe
PID 3560 wrote to memory of 3036 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_6bf99aa5b69915ee7614baab51b8409d_cobalt-strike_cobaltstrike.exe C:\Windows\System\KAHfFff.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-05-29_6bf99aa5b69915ee7614baab51b8409d_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-05-29_6bf99aa5b69915ee7614baab51b8409d_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\aVpCyrL.exe

C:\Windows\System\aVpCyrL.exe

C:\Windows\System\MnJVoQl.exe

C:\Windows\System\MnJVoQl.exe

C:\Windows\System\JkBXECu.exe

C:\Windows\System\JkBXECu.exe

C:\Windows\System\IHclOAT.exe

C:\Windows\System\IHclOAT.exe

C:\Windows\System\wPudVqc.exe

C:\Windows\System\wPudVqc.exe

C:\Windows\System\gBHYxvO.exe

C:\Windows\System\gBHYxvO.exe

C:\Windows\System\mxXxsLc.exe

C:\Windows\System\mxXxsLc.exe

C:\Windows\System\DGbQtVQ.exe

C:\Windows\System\DGbQtVQ.exe

C:\Windows\System\rQtJIIu.exe

C:\Windows\System\rQtJIIu.exe

C:\Windows\System\CJsgZSN.exe

C:\Windows\System\CJsgZSN.exe

C:\Windows\System\NPlNoDb.exe

C:\Windows\System\NPlNoDb.exe

C:\Windows\System\eTcjlBT.exe

C:\Windows\System\eTcjlBT.exe

C:\Windows\System\PkiQOEK.exe

C:\Windows\System\PkiQOEK.exe

C:\Windows\System\wcIiqoV.exe

C:\Windows\System\wcIiqoV.exe

C:\Windows\System\gEWImYr.exe

C:\Windows\System\gEWImYr.exe

C:\Windows\System\ZCyeWhA.exe

C:\Windows\System\ZCyeWhA.exe

C:\Windows\System\svhoKVz.exe

C:\Windows\System\svhoKVz.exe

C:\Windows\System\kkdoCUH.exe

C:\Windows\System\kkdoCUH.exe

C:\Windows\System\miLIzHg.exe

C:\Windows\System\miLIzHg.exe

C:\Windows\System\XiRJnQh.exe

C:\Windows\System\XiRJnQh.exe

C:\Windows\System\KAHfFff.exe

C:\Windows\System\KAHfFff.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 89.43.201.23.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 43.43.201.23.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp

Files

memory/3560-0-0x00007FF675F00000-0x00007FF676251000-memory.dmp

memory/3560-1-0x000001C2D4960000-0x000001C2D4970000-memory.dmp

C:\Windows\System\aVpCyrL.exe

MD5 faf6b29c4f34fa309b044448258c72a0
SHA1 7653d5127dcc64cd78fbc921fd1748780aa1eecc
SHA256 cf6c307b8ae30ffd66ae12d0304329e7e6a47c38620b29ad8b7e714e862a82f5
SHA512 6e1ab44d251239540496f3325fba4bc189da0104e919965ec951dcad9c023620d1269fddc64af52c8385d49b66377df9cba31ac865024b786c02def459c0514b

memory/3552-8-0x00007FF69D560000-0x00007FF69D8B1000-memory.dmp

C:\Windows\System\MnJVoQl.exe

MD5 fc6ee45252a0f516de5067a2ae53033e
SHA1 ba65253849bda21e64ccc0aa829273cfe9dcc2b0
SHA256 e00756fd446296b19658c9a95412d89e43c7f9dfe138dba324fb5012fb6965ce
SHA512 6304dce45ae1235551abeab521c66e3f70d157af87a365a12f273cc4f4e4c411aa96bb4268af34116836eb666631b2e5deb5c0e4e01e5d7ed31bbe9549fc337e

C:\Windows\System\JkBXECu.exe

MD5 36421678a85001913b01e0b80f7a82e5
SHA1 bb3127783b4066ab1dc21cfb01b004e40ec37261
SHA256 cce31fc2e26fdee14800fa761ff13bb2dabde4adbf0e9263ea43d03f2af7941a
SHA512 242435f2fc787051d6d8be2444e28fc43736fc1a9afd3ec0ed53f01246929ef518aa56550c7c59636fa34baaec928036d96658bbabbfb756aa0d26b4579d7235

memory/380-24-0x00007FF746870000-0x00007FF746BC1000-memory.dmp

C:\Windows\System\IHclOAT.exe

MD5 11f493eb7e41f463ccc0c2e12adb5bd1
SHA1 b88ed2afb3182c2dffb5002b0b87583777332912
SHA256 e30aa91b3e2cdb67062f40b495ecacd64ff3e66689e3d2142a82f9663e34cd8f
SHA512 8e21ab5d3e359d6885a41d9ab57fd3a087da6eee27a03b925e7939cf2b8b0ecefacae16815ee5c365ad84d246422e7475f083eebac2f78cae840161041586554

memory/3324-20-0x00007FF7610E0000-0x00007FF761431000-memory.dmp

memory/2572-14-0x00007FF696E50000-0x00007FF6971A1000-memory.dmp

C:\Windows\System\wPudVqc.exe

MD5 0f867467e8bfeb9602f77f5f97b28d7c
SHA1 ef2297f8b4cf13ff887121e3e86ca2a352a9524c
SHA256 81d0043efba07099a20faaa75cae19df70d2eef9be6e4aa294ec829e6d424d4c
SHA512 a09eab20b4b2931af42ba6bd77c29817f2268dc876646e635971d4164129efa9e5a728798c690167d6f71ff39cf5d37c4a376b058f034561581eef882933a60b

C:\Windows\System\gBHYxvO.exe

MD5 b8f318949bc09b06162327801cd8a74a
SHA1 cb4c407a9cccb4376f978396a98e77a9b021a7c7
SHA256 ee2a24c8b46ca08e8cbf1997934816e208e096f379bd7d92d9193549b22dd0a9
SHA512 8ff1291a6c2e5e9af1ad4fa2fa7a52bcdee8e6f89bbacab854e742d8c6b8a74b2cfdf2d88f3e410a76ecc2e4d86f156d06de945971a9ed81fa82e7c318cf72df

memory/1948-38-0x00007FF785B60000-0x00007FF785EB1000-memory.dmp

C:\Windows\System\mxXxsLc.exe

MD5 964aecd2ef553d271d92865ca63b1833
SHA1 e0602424ff15602cb8caccb9400f99066225eb68
SHA256 0a3e9e5d3ccbdbbc013092173c3a018dd12363a0e267a583446fb3e87135d38e
SHA512 4c85cf59cebbbc5b108a380c6bd53bc16cbf6babd2df2cffe746c0a6da53f96979c6ec31b45ab1aec6a183c6da17f1d266970585a323174ae307bbb1a6f7900c

C:\Windows\System\DGbQtVQ.exe

MD5 8487720a616b7ae4647cd5d9f73e793c
SHA1 0e1eb2d56d90a1469c2a3b0c1cd2f2e3ae1e2176
SHA256 526f7625b97692f7a1b0780352c369ced5ae03c5dfcfc7b64c82c7235f21dd6d
SHA512 21220ec6dc00767ec3a727d4761c41994275d64381161fa402235adc7c0acbbf647e68957528eef846d274ea57c61bcb025bce4c608ed7f7e86e72980a3f7de8

memory/4688-30-0x00007FF6A2B50000-0x00007FF6A2EA1000-memory.dmp

C:\Windows\System\CJsgZSN.exe

MD5 b55b2e2fa2afd93dbd2644f29713aaba
SHA1 c742925c35780af99f475b7aec5941ae451e4786
SHA256 0f7f3f5d5571b66435072831e103721d676b4f7fee94d94d758199d47a5ece0e
SHA512 38d9b4ff4a4fc77729164bffcab2861084675c92c7c3d52e5706aedb7343d62d62cbd0f48749904967c381ea2fc9a567ae38252366eb377d38790bb486ad9c2c

C:\Windows\System\rQtJIIu.exe

MD5 f053e1f82d77c56c1d559738b453ca06
SHA1 781542b1bd22ec061999ddd20b92e5c6e5cf6443
SHA256 c95b9faac029e9cc5feb58859e91844f262be0386e200ca9c8c32e8d2b6de124
SHA512 6f5863f4b7a358c793e40dd23077d3a29adb24ec77fc7aa38afe281dc09c5f743af2a88402b51f637cb6bbe5867a72210c5b3e4a5f0637f5216efb1f818aaac4

C:\Windows\System\gEWImYr.exe

MD5 cb53b51e069a941c947eed01bf937018
SHA1 c75f6c0c65ad35750878e5715b9dceb11799ccad
SHA256 d5cb9694a65333fe9c342992bbb7cc7014f78148072d14a15d01f1aa9a5edab9
SHA512 d8b060bc3caac8366436277ca8637843396e566c78b8fecd879d137cd7f7d990b2c6616beffa0909081d6d2c0d8fa84fe98777cf82e96fa2d19b83e34d4b3ee4

C:\Windows\System\ZCyeWhA.exe

MD5 e2bb22990a6d56492ba8a2611cca307e
SHA1 ddf5f62d0f869a32c8fe62a6fc2eecd4e5d5b721
SHA256 8780e02e957b867b0e86762ca150000dc3744c76dbf016c9036e2695f8b13ae9
SHA512 46e29f94ff62c5fd05682b2188c4ab835752dba966969189f214e1f4c56c4272e77bed9ab4d29c57329215faabec0a34d58542c41450a061e657802dc1cbd792

C:\Windows\System\miLIzHg.exe

MD5 5a89f304524c7e49004d421445980f61
SHA1 7dec6965391f519b854df72cc3382e0780999bb1
SHA256 88f453b8e677498d5b3c9cee506b3b86989b76fea2d1897f1b8b1bce00b8a3c4
SHA512 53556aefd7fcece9177ae2e20ec163a83d80880c81623d91ab314e42ca0bf64d16b250eadababc5608ace44ab38e050311bdc5152d3ca90fcff5467ad9bffaf6

C:\Windows\System\XiRJnQh.exe

MD5 ef3c5d717a3f3335182d8f2793544d1b
SHA1 121627cfc39c8737a66426d5cf27a31872557727
SHA256 269977bebc6263ba795f10d38e9c4bfd159b1e832885c3ae0d8748b71926fbbe
SHA512 e8da2c49283974f838d4df457d0893cff22fee00d4bc33c9c03b1f8781d70b48b0ed9cf5804c047d26dcf3a22428aa65c2e2b302f4e02acb1e7aa251018a2d08

C:\Windows\System\KAHfFff.exe

MD5 807989f32a6c983e09c766c78b0cb8a1
SHA1 b1fea8a0532bb5fbedc5b129c8e05eb8c5ac3036
SHA256 47d610019308af3e642b398c482d02a60ccc23831694b86f2956961f5da9f5a7
SHA512 858eeb5330117a506a3feafb10e94fe09cddbd500bc46e8a5ce8275203763d4fe8e7e4839527acd1fb81355d2493913706ac729b67707057abc2b3702c51bfee

C:\Windows\System\kkdoCUH.exe

MD5 2161ee46c954372ef0c71b5f1225abf3
SHA1 5128ad42c1ade9b8191d212834f2d324789443a6
SHA256 fae4d26ba8b6e4c0baac99c4cc93beb42abffb58610e0125b47534a01c287b2c
SHA512 1f999d425b72f16826cdb449304c5114a8c5f92a72b6dc4113982d8f68a191facea3a9a94d15fa19ea82853d3a96018cc25605962ec9699d48f5346af9d22336

C:\Windows\System\svhoKVz.exe

MD5 823ec2c63181ed5feaa6aaca04e30dd2
SHA1 3d1c6e790cc6f13b597b849e9cf0f4a3813a6add
SHA256 758119086b3db881aea1f7be4ff3ce16b96abc6f4efb10d6582224f870e97241
SHA512 71820a14d1809318a700030a6eb85f1d421e54912c249e40195be16a1f8fcea096f80aa9fa2f20ee72ee8bd6a61de5a88eacd55a40fabc2ed3e71589b60dc4a1

C:\Windows\System\wcIiqoV.exe

MD5 7d7ecb83128ac67aade7b57981d20403
SHA1 5723850c55349cad056810f5ce02a8ff626cfb4e
SHA256 a1cc10b400447ddf36b282934db2f909e87daf119f82e9e4e9d893a4dca4c187
SHA512 5ccc43674485b2822731c915271477a61ed225f199e01ecb4ae472ba8a1dc0429e65942b3418ec4dfa0f909814d54d9df52793ec2ef94130248f70efe6e6bf5b

C:\Windows\System\PkiQOEK.exe

MD5 7555fb472e6eff1974c29796f538c753
SHA1 d37ea11ca5dc96ecf6bff420bbdfe16a5a140859
SHA256 8f2bcf8a76e561417bb2fb8776cf3f64d5dab4227f7df3b80474e800fcc5ec08
SHA512 abd43d8d7b85ec5721e1ef13b38e7a8ad3ddf575ce7172ecbca6f095cda9fbd8f7a240b8426ded30b7982214a2ae39bdca38dcbb9f88d78b9be8fc65bab38291

C:\Windows\System\eTcjlBT.exe

MD5 6f301cbef8af48635d78ac1da028588e
SHA1 62abffe5f9634bf0b76399b0a49db5100ac792f7
SHA256 3086c379566fa7a7599beda88c512f8b0ca26f9fffd1a47dab80d8fd95144e04
SHA512 14c1c179725f0d7a295324ad5b227dee6712ce0bcb69a4fa10df904388ee57fb2405d1940c0d15b171c3adae54db7ab8f116fbae124660fd3d17be1b694edea0

C:\Windows\System\NPlNoDb.exe

MD5 db2f63679fc5d0ec4fbcc983ce9f1241
SHA1 54021d26c73f89281db783f3e720c8311fa135a5
SHA256 afe4ed2b106159e9780b12802433e1e30d9bf967720bdc36e5a6e2d7dcc470cb
SHA512 0063b4f9c0b2c380dee04082af0ab2494935a166f6d3ebe39eb227d26e3474cc9019848ae77c77ddae7b6ed5c7f9bfe9539bc5fa662b1f3cb1a9c3a33d1b50da

memory/3280-57-0x00007FF7CAA30000-0x00007FF7CAD81000-memory.dmp

memory/5116-56-0x00007FF73D8B0000-0x00007FF73DC01000-memory.dmp

memory/3328-52-0x00007FF658A20000-0x00007FF658D71000-memory.dmp

memory/4628-116-0x00007FF7C8AA0000-0x00007FF7C8DF1000-memory.dmp

memory/3560-117-0x00007FF675F00000-0x00007FF676251000-memory.dmp

memory/3552-118-0x00007FF69D560000-0x00007FF69D8B1000-memory.dmp

memory/380-121-0x00007FF746870000-0x00007FF746BC1000-memory.dmp

memory/3328-124-0x00007FF658A20000-0x00007FF658D71000-memory.dmp

memory/3280-126-0x00007FF7CAA30000-0x00007FF7CAD81000-memory.dmp

memory/1948-123-0x00007FF785B60000-0x00007FF785EB1000-memory.dmp

memory/2104-129-0x00007FF716570000-0x00007FF7168C1000-memory.dmp

memory/1860-128-0x00007FF716150000-0x00007FF7164A1000-memory.dmp

memory/4688-122-0x00007FF6A2B50000-0x00007FF6A2EA1000-memory.dmp

memory/2808-130-0x00007FF785C00000-0x00007FF785F51000-memory.dmp

memory/4472-135-0x00007FF6C3960000-0x00007FF6C3CB1000-memory.dmp

memory/5024-134-0x00007FF7BC370000-0x00007FF7BC6C1000-memory.dmp

memory/3320-133-0x00007FF66F040000-0x00007FF66F391000-memory.dmp

memory/1068-132-0x00007FF7C0D40000-0x00007FF7C1091000-memory.dmp

memory/2376-131-0x00007FF6DF150000-0x00007FF6DF4A1000-memory.dmp

memory/4296-137-0x00007FF7DAED0000-0x00007FF7DB221000-memory.dmp

memory/3036-138-0x00007FF79D370000-0x00007FF79D6C1000-memory.dmp

memory/592-136-0x00007FF67A1F0000-0x00007FF67A541000-memory.dmp

memory/3560-139-0x00007FF675F00000-0x00007FF676251000-memory.dmp

memory/3552-185-0x00007FF69D560000-0x00007FF69D8B1000-memory.dmp

memory/2572-187-0x00007FF696E50000-0x00007FF6971A1000-memory.dmp

memory/3324-189-0x00007FF7610E0000-0x00007FF761431000-memory.dmp

memory/380-191-0x00007FF746870000-0x00007FF746BC1000-memory.dmp

memory/4688-199-0x00007FF6A2B50000-0x00007FF6A2EA1000-memory.dmp

memory/1948-201-0x00007FF785B60000-0x00007FF785EB1000-memory.dmp

memory/5116-204-0x00007FF73D8B0000-0x00007FF73DC01000-memory.dmp

memory/3328-205-0x00007FF658A20000-0x00007FF658D71000-memory.dmp

memory/3280-207-0x00007FF7CAA30000-0x00007FF7CAD81000-memory.dmp

memory/4628-209-0x00007FF7C8AA0000-0x00007FF7C8DF1000-memory.dmp

memory/2808-212-0x00007FF785C00000-0x00007FF785F51000-memory.dmp

memory/1860-215-0x00007FF716150000-0x00007FF7164A1000-memory.dmp

memory/2104-214-0x00007FF716570000-0x00007FF7168C1000-memory.dmp

memory/2376-217-0x00007FF6DF150000-0x00007FF6DF4A1000-memory.dmp

memory/1068-229-0x00007FF7C0D40000-0x00007FF7C1091000-memory.dmp

memory/4296-231-0x00007FF7DAED0000-0x00007FF7DB221000-memory.dmp

memory/592-228-0x00007FF67A1F0000-0x00007FF67A541000-memory.dmp

memory/3320-225-0x00007FF66F040000-0x00007FF66F391000-memory.dmp

memory/5024-224-0x00007FF7BC370000-0x00007FF7BC6C1000-memory.dmp

memory/4472-222-0x00007FF6C3960000-0x00007FF6C3CB1000-memory.dmp

memory/3036-220-0x00007FF79D370000-0x00007FF79D6C1000-memory.dmp