Malware Analysis Report

2025-03-15 08:10

Sample ID 240529-ys4tlsgb5t
Target 2024-05-29_95e21600abfc2540ddcab08ce009e36e_cobalt-strike_cobaltstrike
SHA256 a2ec239fca9800c766df2f42903f4511bc495df019b3bf0bbc3a2d708275a1d8
Tags
upx 0 miner cobaltstrike xmrig backdoor trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

a2ec239fca9800c766df2f42903f4511bc495df019b3bf0bbc3a2d708275a1d8

Threat Level: Known bad

The file 2024-05-29_95e21600abfc2540ddcab08ce009e36e_cobalt-strike_cobaltstrike was found to be: Known bad.

Malicious Activity Summary

upx 0 miner cobaltstrike xmrig backdoor trojan

Cobalt Strike reflective loader

UPX dump on OEP (original entry point)

xmrig

Xmrig family

Detects Reflective DLL injection artifacts

Cobaltstrike family

XMRig Miner payload

Cobaltstrike

UPX packed file

Executes dropped EXE

Loads dropped DLL

Drops file in Windows directory

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-05-29 20:03

Signatures

Cobalt Strike reflective loader

Cobaltstrike family

cobaltstrike

Detects Reflective DLL injection artifacts

UPX dump on OEP (original entry point)

XMRig Miner payload

miner

Xmrig family

xmrig

UPX packed file

upx

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-29 20:03

Reported

2024-05-29 20:06

Platform

win7-20240508-en

Max time kernel

142s

Max time network

146s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-05-29_95e21600abfc2540ddcab08ce009e36e_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

UPX dump on OEP (original entry point)

XMRig Miner payload

miner

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_95e21600abfc2540ddcab08ce009e36e_cobalt-strike_cobaltstrike.exe N/A

UPX packed file

upx

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\FINKrVS.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_95e21600abfc2540ddcab08ce009e36e_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\MfHLxkn.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_95e21600abfc2540ddcab08ce009e36e_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\MMikwcx.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_95e21600abfc2540ddcab08ce009e36e_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\mAGebnH.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_95e21600abfc2540ddcab08ce009e36e_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\BomeBqD.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_95e21600abfc2540ddcab08ce009e36e_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\GmOUSEm.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_95e21600abfc2540ddcab08ce009e36e_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\fOnxuri.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_95e21600abfc2540ddcab08ce009e36e_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\LtKYhlb.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_95e21600abfc2540ddcab08ce009e36e_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ojEzgJO.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_95e21600abfc2540ddcab08ce009e36e_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\eGIcIGS.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_95e21600abfc2540ddcab08ce009e36e_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\NtOlwmb.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_95e21600abfc2540ddcab08ce009e36e_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\CLQZGTa.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_95e21600abfc2540ddcab08ce009e36e_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\GuIbCia.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_95e21600abfc2540ddcab08ce009e36e_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\inAkJoE.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_95e21600abfc2540ddcab08ce009e36e_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\hkmtpFz.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_95e21600abfc2540ddcab08ce009e36e_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\jyVEmqb.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_95e21600abfc2540ddcab08ce009e36e_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\SLgqoSK.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_95e21600abfc2540ddcab08ce009e36e_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\GvEvrLx.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_95e21600abfc2540ddcab08ce009e36e_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\PHwughQ.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_95e21600abfc2540ddcab08ce009e36e_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\uqEyYKA.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_95e21600abfc2540ddcab08ce009e36e_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\wurkJxN.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_95e21600abfc2540ddcab08ce009e36e_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_95e21600abfc2540ddcab08ce009e36e_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2136 wrote to memory of 2872 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_95e21600abfc2540ddcab08ce009e36e_cobalt-strike_cobaltstrike.exe C:\Windows\System\fOnxuri.exe
PID 2136 wrote to memory of 2936 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_95e21600abfc2540ddcab08ce009e36e_cobalt-strike_cobaltstrike.exe C:\Windows\System\LtKYhlb.exe
PID 2136 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_95e21600abfc2540ddcab08ce009e36e_cobalt-strike_cobaltstrike.exe C:\Windows\System\SLgqoSK.exe
PID 2136 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_95e21600abfc2540ddcab08ce009e36e_cobalt-strike_cobaltstrike.exe C:\Windows\System\ojEzgJO.exe
PID 2136 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_95e21600abfc2540ddcab08ce009e36e_cobalt-strike_cobaltstrike.exe C:\Windows\System\GvEvrLx.exe
PID 2136 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_95e21600abfc2540ddcab08ce009e36e_cobalt-strike_cobaltstrike.exe C:\Windows\System\MMikwcx.exe
PID 2136 wrote to memory of 2824 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_95e21600abfc2540ddcab08ce009e36e_cobalt-strike_cobaltstrike.exe C:\Windows\System\eGIcIGS.exe
PID 2136 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_95e21600abfc2540ddcab08ce009e36e_cobalt-strike_cobaltstrike.exe C:\Windows\System\PHwughQ.exe
PID 2136 wrote to memory of 2780 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_95e21600abfc2540ddcab08ce009e36e_cobalt-strike_cobaltstrike.exe C:\Windows\System\mAGebnH.exe
PID 2136 wrote to memory of 2980 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_95e21600abfc2540ddcab08ce009e36e_cobalt-strike_cobaltstrike.exe C:\Windows\System\uqEyYKA.exe
PID 2136 wrote to memory of 2500 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_95e21600abfc2540ddcab08ce009e36e_cobalt-strike_cobaltstrike.exe C:\Windows\System\NtOlwmb.exe
PID 2136 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_95e21600abfc2540ddcab08ce009e36e_cobalt-strike_cobaltstrike.exe C:\Windows\System\CLQZGTa.exe
PID 2136 wrote to memory of 496 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_95e21600abfc2540ddcab08ce009e36e_cobalt-strike_cobaltstrike.exe C:\Windows\System\FINKrVS.exe
PID 2136 wrote to memory of 2124 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_95e21600abfc2540ddcab08ce009e36e_cobalt-strike_cobaltstrike.exe C:\Windows\System\GuIbCia.exe
PID 2136 wrote to memory of 2444 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_95e21600abfc2540ddcab08ce009e36e_cobalt-strike_cobaltstrike.exe C:\Windows\System\GmOUSEm.exe
PID 2136 wrote to memory of 2764 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_95e21600abfc2540ddcab08ce009e36e_cobalt-strike_cobaltstrike.exe C:\Windows\System\MfHLxkn.exe
PID 2136 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_95e21600abfc2540ddcab08ce009e36e_cobalt-strike_cobaltstrike.exe C:\Windows\System\inAkJoE.exe
PID 2136 wrote to memory of 2568 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_95e21600abfc2540ddcab08ce009e36e_cobalt-strike_cobaltstrike.exe C:\Windows\System\wurkJxN.exe
PID 2136 wrote to memory of 1976 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_95e21600abfc2540ddcab08ce009e36e_cobalt-strike_cobaltstrike.exe C:\Windows\System\hkmtpFz.exe
PID 2136 wrote to memory of 1928 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_95e21600abfc2540ddcab08ce009e36e_cobalt-strike_cobaltstrike.exe C:\Windows\System\BomeBqD.exe
PID 2136 wrote to memory of 280 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_95e21600abfc2540ddcab08ce009e36e_cobalt-strike_cobaltstrike.exe C:\Windows\System\jyVEmqb.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-05-29_95e21600abfc2540ddcab08ce009e36e_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-05-29_95e21600abfc2540ddcab08ce009e36e_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\fOnxuri.exe

C:\Windows\System\LtKYhlb.exe

C:\Windows\System\SLgqoSK.exe

C:\Windows\System\ojEzgJO.exe

C:\Windows\System\GvEvrLx.exe

C:\Windows\System\MMikwcx.exe

C:\Windows\System\eGIcIGS.exe

C:\Windows\System\PHwughQ.exe

C:\Windows\System\mAGebnH.exe

C:\Windows\System\uqEyYKA.exe

C:\Windows\System\NtOlwmb.exe

C:\Windows\System\CLQZGTa.exe

C:\Windows\System\FINKrVS.exe

C:\Windows\System\GuIbCia.exe

C:\Windows\System\GmOUSEm.exe

C:\Windows\System\MfHLxkn.exe

C:\Windows\System\inAkJoE.exe

C:\Windows\System\wurkJxN.exe

C:\Windows\System\hkmtpFz.exe

C:\Windows\System\BomeBqD.exe

C:\Windows\System\jyVEmqb.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 tcp

Files

memory/2136-137-0x000000013FF10000-0x0000000140261000-memory.dmp

memory/2780-146-0x000000013FB20000-0x000000013FE71000-memory.dmp

memory/2444-152-0x000000013F2D0000-0x000000013F621000-memory.dmp

memory/280-158-0x000000013F630000-0x000000013F981000-memory.dmp

memory/1928-157-0x000000013FE10000-0x0000000140161000-memory.dmp

memory/1976-156-0x000000013FB80000-0x000000013FED1000-memory.dmp

memory/2652-154-0x000000013FCB0000-0x0000000140001000-memory.dmp

memory/2764-153-0x000000013FE10000-0x0000000140161000-memory.dmp

memory/2124-151-0x000000013F710000-0x000000013FA61000-memory.dmp

memory/2520-149-0x000000013FC30000-0x000000013FF81000-memory.dmp

memory/2568-155-0x000000013F060000-0x000000013F3B1000-memory.dmp

memory/2136-159-0x0000000002260000-0x00000000025B1000-memory.dmp

memory/2136-160-0x000000013FF10000-0x0000000140261000-memory.dmp

memory/2136-182-0x000000013F2D0000-0x000000013F621000-memory.dmp

memory/2872-207-0x000000013F760000-0x000000013FAB1000-memory.dmp

memory/2656-209-0x000000013F2A0000-0x000000013F5F1000-memory.dmp

memory/2936-211-0x000000013F0E0000-0x000000013F431000-memory.dmp

memory/2692-213-0x000000013FDE0000-0x0000000140131000-memory.dmp

memory/2824-215-0x000000013FB70000-0x000000013FEC1000-memory.dmp

memory/2596-217-0x000000013F1A0000-0x000000013F4F1000-memory.dmp

memory/2708-219-0x000000013FF10000-0x0000000140261000-memory.dmp

memory/2780-221-0x000000013FB20000-0x000000013FE71000-memory.dmp

memory/2980-225-0x000000013FCA0000-0x000000013FFF1000-memory.dmp

memory/2500-227-0x000000013F490000-0x000000013F7E1000-memory.dmp

memory/2748-223-0x000000013FA60000-0x000000013FDB1000-memory.dmp

memory/496-229-0x000000013FFA0000-0x00000001402F1000-memory.dmp

memory/2520-233-0x000000013FC30000-0x000000013FF81000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-29 20:03

Reported

2024-05-29 20:06

Platform

win10v2004-20240426-en

Max time kernel

140s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-05-29_95e21600abfc2540ddcab08ce009e36e_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A (21 identical rows)

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A (21 identical rows)

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A (64 identical rows)

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A (45 identical rows)

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A (64 identical rows)

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\WWNYKKJ.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_95e21600abfc2540ddcab08ce009e36e_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ClLPmBJ.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_95e21600abfc2540ddcab08ce009e36e_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\iAOGINo.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_95e21600abfc2540ddcab08ce009e36e_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\VCvPETq.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_95e21600abfc2540ddcab08ce009e36e_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\jqQcFRa.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_95e21600abfc2540ddcab08ce009e36e_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\OriKtlA.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_95e21600abfc2540ddcab08ce009e36e_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ynOTnJk.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_95e21600abfc2540ddcab08ce009e36e_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\QYTHxmI.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_95e21600abfc2540ddcab08ce009e36e_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\FYVHhWd.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_95e21600abfc2540ddcab08ce009e36e_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\jFuKjhW.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_95e21600abfc2540ddcab08ce009e36e_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\FTzSNSW.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_95e21600abfc2540ddcab08ce009e36e_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\BzVkZVS.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_95e21600abfc2540ddcab08ce009e36e_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\fcDgjMQ.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_95e21600abfc2540ddcab08ce009e36e_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\tDHVxdV.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_95e21600abfc2540ddcab08ce009e36e_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\iOhqdrt.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_95e21600abfc2540ddcab08ce009e36e_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ocytHNB.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_95e21600abfc2540ddcab08ce009e36e_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\vrUTuBs.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_95e21600abfc2540ddcab08ce009e36e_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\WetiNls.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_95e21600abfc2540ddcab08ce009e36e_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ojFEAwb.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_95e21600abfc2540ddcab08ce009e36e_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\LRdVLbM.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_95e21600abfc2540ddcab08ce009e36e_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\SKnFgYQ.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_95e21600abfc2540ddcab08ce009e36e_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_95e21600abfc2540ddcab08ce009e36e_cobalt-strike_cobaltstrike.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_95e21600abfc2540ddcab08ce009e36e_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3624 wrote to memory of 464 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_95e21600abfc2540ddcab08ce009e36e_cobalt-strike_cobaltstrike.exe C:\Windows\System\jqQcFRa.exe
PID 3624 wrote to memory of 464 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_95e21600abfc2540ddcab08ce009e36e_cobalt-strike_cobaltstrike.exe C:\Windows\System\jqQcFRa.exe
PID 3624 wrote to memory of 4868 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_95e21600abfc2540ddcab08ce009e36e_cobalt-strike_cobaltstrike.exe C:\Windows\System\fcDgjMQ.exe
PID 3624 wrote to memory of 4868 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_95e21600abfc2540ddcab08ce009e36e_cobalt-strike_cobaltstrike.exe C:\Windows\System\fcDgjMQ.exe
PID 3624 wrote to memory of 2532 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_95e21600abfc2540ddcab08ce009e36e_cobalt-strike_cobaltstrike.exe C:\Windows\System\tDHVxdV.exe
PID 3624 wrote to memory of 2532 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_95e21600abfc2540ddcab08ce009e36e_cobalt-strike_cobaltstrike.exe C:\Windows\System\tDHVxdV.exe
PID 3624 wrote to memory of 2932 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_95e21600abfc2540ddcab08ce009e36e_cobalt-strike_cobaltstrike.exe C:\Windows\System\OriKtlA.exe
PID 3624 wrote to memory of 2932 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_95e21600abfc2540ddcab08ce009e36e_cobalt-strike_cobaltstrike.exe C:\Windows\System\OriKtlA.exe
PID 3624 wrote to memory of 916 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_95e21600abfc2540ddcab08ce009e36e_cobalt-strike_cobaltstrike.exe C:\Windows\System\WetiNls.exe
PID 3624 wrote to memory of 916 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_95e21600abfc2540ddcab08ce009e36e_cobalt-strike_cobaltstrike.exe C:\Windows\System\WetiNls.exe
PID 3624 wrote to memory of 3768 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_95e21600abfc2540ddcab08ce009e36e_cobalt-strike_cobaltstrike.exe C:\Windows\System\WWNYKKJ.exe
PID 3624 wrote to memory of 3768 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_95e21600abfc2540ddcab08ce009e36e_cobalt-strike_cobaltstrike.exe C:\Windows\System\WWNYKKJ.exe
PID 3624 wrote to memory of 5104 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_95e21600abfc2540ddcab08ce009e36e_cobalt-strike_cobaltstrike.exe C:\Windows\System\ojFEAwb.exe
PID 3624 wrote to memory of 5104 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_95e21600abfc2540ddcab08ce009e36e_cobalt-strike_cobaltstrike.exe C:\Windows\System\ojFEAwb.exe
PID 3624 wrote to memory of 4512 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_95e21600abfc2540ddcab08ce009e36e_cobalt-strike_cobaltstrike.exe C:\Windows\System\iOhqdrt.exe
PID 3624 wrote to memory of 4512 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_95e21600abfc2540ddcab08ce009e36e_cobalt-strike_cobaltstrike.exe C:\Windows\System\iOhqdrt.exe
PID 3624 wrote to memory of 2224 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_95e21600abfc2540ddcab08ce009e36e_cobalt-strike_cobaltstrike.exe C:\Windows\System\ocytHNB.exe
PID 3624 wrote to memory of 2224 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_95e21600abfc2540ddcab08ce009e36e_cobalt-strike_cobaltstrike.exe C:\Windows\System\ocytHNB.exe
PID 3624 wrote to memory of 1900 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_95e21600abfc2540ddcab08ce009e36e_cobalt-strike_cobaltstrike.exe C:\Windows\System\FYVHhWd.exe
PID 3624 wrote to memory of 1900 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_95e21600abfc2540ddcab08ce009e36e_cobalt-strike_cobaltstrike.exe C:\Windows\System\FYVHhWd.exe
PID 3624 wrote to memory of 3228 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_95e21600abfc2540ddcab08ce009e36e_cobalt-strike_cobaltstrike.exe C:\Windows\System\jFuKjhW.exe
PID 3624 wrote to memory of 3228 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_95e21600abfc2540ddcab08ce009e36e_cobalt-strike_cobaltstrike.exe C:\Windows\System\jFuKjhW.exe
PID 3624 wrote to memory of 3176 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_95e21600abfc2540ddcab08ce009e36e_cobalt-strike_cobaltstrike.exe C:\Windows\System\ClLPmBJ.exe
PID 3624 wrote to memory of 3176 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_95e21600abfc2540ddcab08ce009e36e_cobalt-strike_cobaltstrike.exe C:\Windows\System\ClLPmBJ.exe
PID 3624 wrote to memory of 2280 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_95e21600abfc2540ddcab08ce009e36e_cobalt-strike_cobaltstrike.exe C:\Windows\System\LRdVLbM.exe
PID 3624 wrote to memory of 2280 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_95e21600abfc2540ddcab08ce009e36e_cobalt-strike_cobaltstrike.exe C:\Windows\System\LRdVLbM.exe
PID 3624 wrote to memory of 4316 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_95e21600abfc2540ddcab08ce009e36e_cobalt-strike_cobaltstrike.exe C:\Windows\System\iAOGINo.exe
PID 3624 wrote to memory of 4316 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_95e21600abfc2540ddcab08ce009e36e_cobalt-strike_cobaltstrike.exe C:\Windows\System\iAOGINo.exe
PID 3624 wrote to memory of 4340 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_95e21600abfc2540ddcab08ce009e36e_cobalt-strike_cobaltstrike.exe C:\Windows\System\FTzSNSW.exe
PID 3624 wrote to memory of 4340 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_95e21600abfc2540ddcab08ce009e36e_cobalt-strike_cobaltstrike.exe C:\Windows\System\FTzSNSW.exe
PID 3624 wrote to memory of 2216 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_95e21600abfc2540ddcab08ce009e36e_cobalt-strike_cobaltstrike.exe C:\Windows\System\VCvPETq.exe
PID 3624 wrote to memory of 2216 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_95e21600abfc2540ddcab08ce009e36e_cobalt-strike_cobaltstrike.exe C:\Windows\System\VCvPETq.exe
PID 3624 wrote to memory of 3756 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_95e21600abfc2540ddcab08ce009e36e_cobalt-strike_cobaltstrike.exe C:\Windows\System\ynOTnJk.exe
PID 3624 wrote to memory of 3756 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_95e21600abfc2540ddcab08ce009e36e_cobalt-strike_cobaltstrike.exe C:\Windows\System\ynOTnJk.exe
PID 3624 wrote to memory of 2304 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_95e21600abfc2540ddcab08ce009e36e_cobalt-strike_cobaltstrike.exe C:\Windows\System\BzVkZVS.exe
PID 3624 wrote to memory of 2304 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_95e21600abfc2540ddcab08ce009e36e_cobalt-strike_cobaltstrike.exe C:\Windows\System\BzVkZVS.exe
PID 3624 wrote to memory of 4652 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_95e21600abfc2540ddcab08ce009e36e_cobalt-strike_cobaltstrike.exe C:\Windows\System\SKnFgYQ.exe
PID 3624 wrote to memory of 4652 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_95e21600abfc2540ddcab08ce009e36e_cobalt-strike_cobaltstrike.exe C:\Windows\System\SKnFgYQ.exe
PID 3624 wrote to memory of 3232 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_95e21600abfc2540ddcab08ce009e36e_cobalt-strike_cobaltstrike.exe C:\Windows\System\QYTHxmI.exe
PID 3624 wrote to memory of 3232 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_95e21600abfc2540ddcab08ce009e36e_cobalt-strike_cobaltstrike.exe C:\Windows\System\QYTHxmI.exe
PID 3624 wrote to memory of 904 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_95e21600abfc2540ddcab08ce009e36e_cobalt-strike_cobaltstrike.exe C:\Windows\System\vrUTuBs.exe
PID 3624 wrote to memory of 904 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_95e21600abfc2540ddcab08ce009e36e_cobalt-strike_cobaltstrike.exe C:\Windows\System\vrUTuBs.exe
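
A parent writing into a child it has just created is routine on its own; the sandbox flags the API call, not the intent. What makes this table worth acting on is the shape of it: one process (PID 3624) writes into 21 freshly spawned children, and every child image is a 7-letter random name dropped into C:\Windows\System. The script below is an added example, not tooling from the report or the sandbox vendor: it parses a subset of the rows above, de-duplicates the doubled entries, builds the parent-to-child map and flags the fan-out. The naming pattern and the threshold of five children are assumptions chosen for this sample.

```python
import re
from collections import defaultdict

# Rows copied from the "Suspicious use of WriteProcessMemory" table above
# (a subset: six of the 21 child PIDs, with the doubled rows kept as they
# appear in the report so the de-duplication is exercised).
WPM_ROWS = r"""
PID 3624 wrote to memory of 464 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_95e21600abfc2540ddcab08ce009e36e_cobalt-strike_cobaltstrike.exe C:\Windows\System\jqQcFRa.exe
PID 3624 wrote to memory of 464 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_95e21600abfc2540ddcab08ce009e36e_cobalt-strike_cobaltstrike.exe C:\Windows\System\jqQcFRa.exe
PID 3624 wrote to memory of 4868 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_95e21600abfc2540ddcab08ce009e36e_cobalt-strike_cobaltstrike.exe C:\Windows\System\fcDgjMQ.exe
PID 3624 wrote to memory of 4868 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_95e21600abfc2540ddcab08ce009e36e_cobalt-strike_cobaltstrike.exe C:\Windows\System\fcDgjMQ.exe
PID 3624 wrote to memory of 2532 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_95e21600abfc2540ddcab08ce009e36e_cobalt-strike_cobaltstrike.exe C:\Windows\System\tDHVxdV.exe
PID 3624 wrote to memory of 2932 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_95e21600abfc2540ddcab08ce009e36e_cobalt-strike_cobaltstrike.exe C:\Windows\System\OriKtlA.exe
PID 3624 wrote to memory of 916 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_95e21600abfc2540ddcab08ce009e36e_cobalt-strike_cobaltstrike.exe C:\Windows\System\WetiNls.exe
PID 3624 wrote to memory of 3768 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_95e21600abfc2540ddcab08ce009e36e_cobalt-strike_cobaltstrike.exe C:\Windows\System\WWNYKKJ.exe
"""

ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)$")

# Assumed naming pattern for the dropped images in this report:
# C:\Windows\System\<7 letters>.exe (the behavioral1 run spells the
# directory "system", so the match is case-insensitive).
RANDOM_DROP_RE = re.compile(r"^C:\\Windows\\System\\[A-Za-z]{7}\.exe$", re.IGNORECASE)


def parse_wpm(text):
    """Return unique (parent_pid, child_pid, parent_image, child_image) tuples."""
    seen, records = set(), []
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        rec = (int(m.group(1)), int(m.group(2)), m.group(3), m.group(4))
        if rec not in seen:          # the sandbox logs two writes per child
            seen.add(rec)
            records.append(rec)
    return records


def fan_out(records):
    """Map each writing parent PID to {child_pid: child_image}."""
    tree = defaultdict(dict)
    for ppid, cpid, _parent, child in records:
        tree[ppid][cpid] = child
    return dict(tree)


def assess(text, min_children=5):
    """Flag a parent that writes into at least min_children children whose
    images are all random-named executables under the Windows directory."""
    findings = []
    for ppid, kids in fan_out(parse_wpm(text)).items():
        random_named = sum(1 for img in kids.values() if RANDOM_DROP_RE.match(img))
        if len(kids) >= min_children and random_named == len(kids):
            findings.append({"parent_pid": ppid,
                             "children": len(kids),
                             "verdict": "dropper fan-out into random-named system executables"})
    return findings


if __name__ == "__main__":
    for finding in assess(WPM_ROWS):
        print(finding)
```

Run against the full table the same code reports 21 children for PID 3624. The two SeLockMemoryPrivilege adjustments listed above fit the miner tag: XMRig asks for that privilege so it can back its scratchpad with large pages, and a non-database, non-hypervisor process enabling it is worth a look on its own.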

Processes

C:\Users\Admin\AppData\Local\Temp\2024-05-29_95e21600abfc2540ddcab08ce009e36e_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-05-29_95e21600abfc2540ddcab08ce009e36e_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\jqQcFRa.exe

C:\Windows\System\jqQcFRa.exe

C:\Windows\System\fcDgjMQ.exe

C:\Windows\System\fcDgjMQ.exe

C:\Windows\System\tDHVxdV.exe

C:\Windows\System\tDHVxdV.exe

C:\Windows\System\OriKtlA.exe

C:\Windows\System\OriKtlA.exe

C:\Windows\System\WetiNls.exe

C:\Windows\System\WetiNls.exe

C:\Windows\System\WWNYKKJ.exe

C:\Windows\System\WWNYKKJ.exe

C:\Windows\System\ojFEAwb.exe

C:\Windows\System\ojFEAwb.exe

C:\Windows\System\iOhqdrt.exe

C:\Windows\System\iOhqdrt.exe

C:\Windows\System\ocytHNB.exe

C:\Windows\System\ocytHNB.exe

C:\Windows\System\FYVHhWd.exe

C:\Windows\System\FYVHhWd.exe

C:\Windows\System\jFuKjhW.exe

C:\Windows\System\jFuKjhW.exe

C:\Windows\System\ClLPmBJ.exe

C:\Windows\System\ClLPmBJ.exe

C:\Windows\System\LRdVLbM.exe

C:\Windows\System\LRdVLbM.exe

C:\Windows\System\iAOGINo.exe

C:\Windows\System\iAOGINo.exe

C:\Windows\System\FTzSNSW.exe

C:\Windows\System\FTzSNSW.exe

C:\Windows\System\VCvPETq.exe

C:\Windows\System\VCvPETq.exe

C:\Windows\System\ynOTnJk.exe

C:\Windows\System\ynOTnJk.exe

C:\Windows\System\BzVkZVS.exe

C:\Windows\System\BzVkZVS.exe

C:\Windows\System\SKnFgYQ.exe

C:\Windows\System\SKnFgYQ.exe

C:\Windows\System\QYTHxmI.exe

C:\Windows\System\QYTHxmI.exe

C:\Windows\System\vrUTuBs.exe

C:\Windows\System\vrUTuBs.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 43.43.201.23.in-addr.arpa udp
DE 3.120.209.58:8080 - tcp
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
DE 3.120.209.58:8080 - tcp
DE 3.120.209.58:8080 - tcp
DE 3.120.209.58:8080 - tcp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
DE 3.120.209.58:8080 - tcp
DE 3.120.209.58:8080 - tcp
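
Two things are mixed together in the table above: PTR queries sent to 8.8.8.8 for a set of third-party IPs, and six TCP connections to a single endpoint, 3.120.209.58:8080, which is the only non-DNS traffic in the run. Reverse lookups like these are commonly background noise from the guest OS rather than the sample's own resolution, so they should not go on an indicator list without corroboration; the repeated 8080 endpoint is the one to check first. The script below is an added example, not output from the report: it parses the rows, turns each in-addr.arpa name back into the forward IP and separates the flows into endpoints with hit counts versus reverse-lookup targets. The column handling (a missing or "-" Domain field on tcp rows) is an assumption about this export format.

```python
import re
from collections import Counter

# The Network table above, copied row for row (tcp rows carry no Domain
# column in the report; some exports fill it with "-").
NETWORK_ROWS = """\
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 43.43.201.23.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
"""

PTR_RE = re.compile(
    r"^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.in-addr\.arpa\.?$", re.IGNORECASE
)


def parse_network(text):
    """Parse 'Country Destination [Domain] Proto' rows into dicts."""
    rows = []
    for line in text.strip().splitlines():
        fields = line.split()
        if len(fields) == 4:
            country, dest, domain, proto = fields
        elif len(fields) == 3:          # tcp rows have no Domain column
            country, dest, proto = fields
            domain = ""
        else:
            continue
        if domain == "-":
            domain = ""
        host, _, port = dest.rpartition(":")
        rows.append({"country": country, "host": host, "port": int(port),
                     "domain": domain, "proto": proto})
    return rows


def ptr_to_ip(name):
    """'232.168.11.51.in-addr.arpa' -> '51.11.168.232'; None if not a PTR name."""
    m = PTR_RE.match(name)
    return ".".join(reversed(m.groups())) if m else None


def summarize(text):
    """Split the table into non-DNS endpoints (with hit counts) and the
    forward IPs that were reverse-looked-up through the resolver."""
    rows = parse_network(text)
    endpoints = Counter(
        (r["host"], r["port"], r["proto"])
        for r in rows
        if not (r["port"] == 53 and r["proto"] == "udp")
    )
    ptr_targets = []
    for r in rows:
        ip = ptr_to_ip(r["domain"])
        if ip and ip not in ptr_targets:
            ptr_targets.append(ip)
    return {"endpoints": dict(endpoints), "ptr_targets": ptr_targets}


if __name__ == "__main__":
    summary = summarize(NETWORK_ROWS)
    for (host, port, proto), hits in summary["endpoints"].items():
        print(f"{host}:{port}/{proto}  {hits} connection(s)")
    print("reverse-lookup targets:", ", ".join(summary["ptr_targets"]))
```

The endpoint list is what goes to network blocking and retro-hunting; the PTR targets are kept separately so an analyst can recognise them as resolver noise or tie them to the sample if a second run shows the same set.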

Files

memory/3624-0-0x00007FF6E8970000-0x00007FF6E8CC1000-memory.dmp

memory/3624-1-0x00000197B00B0000-0x00000197B00C0000-memory.dmp

C:\Windows\System\jqQcFRa.exe

MD5 6138ecdcf63004344e647701b5c57108
SHA1 851a384076b14be937a3fd9ac3975dd1b3aba894
SHA256 7c18c3ff0189ea504a76c9b6b69f7f1e198b1f1d5031391ce07ae54d5ba47c17
SHA512 dbcd9f0797b5145c2dd99747849ded702857b005c07c93f341672a3eb1e78d4281f1295bf3708d07d92562c83cace2d80990c8a78db0d0a1f2249877f16b7d6b

memory/464-6-0x00007FF667C80000-0x00007FF667FD1000-memory.dmp

C:\Windows\System\fcDgjMQ.exe

MD5 a79e0ed8a0d4a0c56c0ed364a58c845f
SHA1 5417a9f65964d909c04d76b5515aa9ea70d0e8e2
SHA256 edf2b09d8268c40795f3963d4497c4e427571017958149a88106ac2bab9d3419
SHA512 abd2a654b47262f3e1a31ec1ae14a78bfc910e9b0209107b118a6e7cc85c8c283f3a7d7bea35694d285ed2bad26c785ca9787ac80af9a3f0834ebc18d655cc85

C:\Windows\System\tDHVxdV.exe

MD5 fba2a00362a8f6a802f56bbe710c07d6
SHA1 0cb82569a42a49277f38c57cc5d387879d018a17
SHA256 2850c303bf154750658f389efa27b4d2264ddcdf619f7504b93f98e1dadc20a7
SHA512 3176f1a45c88c10c48debd559c00231dad5005c6fe5c985837f90509f15d9f8850a494e681aea799939293580f608378f689b0c5d5f344f91c166b998a19bb15

C:\Windows\System\OriKtlA.exe

MD5 8af30f277b431cd125301b271d6284f4
SHA1 9fa103c19703789e5fe5e13c319f215585a06ff4
SHA256 6a4f54deecc06b987f7b16e27108f8c0e983293837aa57503a1f119427bcd946
SHA512 b7d3ee0e2b7ce738ab9d54b6fb8427b02656a57dfdd2e0090c5ef957072a4c32607f750a0d49ac033b4c6c71d2dd75d26e6f567d0ee5248eb190967dccc3a8b2

C:\Windows\System\WetiNls.exe

MD5 d1156f2cbe611e2ce7fc593c75f20ac6
SHA1 a25fddea16b5e4b0bf3288aa2448af41988afc1e
SHA256 36cd486643c8e824af1d3e695802aa0ce5723fda69af08329d45c34e5a16fa5a
SHA512 91c8bcc7958f9a8e7afb3c9226cbdbbb1f1cf7f3de18a44c06ed0011741eabb886403c76c1923bb03656cd965f2bc9aaef9769c8b36dc053b419f2de8df6097a

C:\Windows\System\WWNYKKJ.exe

MD5 4996c2c329d7233d39a5118f9067bebd
SHA1 a3307fe8cd56cb01b5559f3467a5485fa8f8a498
SHA256 4a9f63c0db5a5429a4ce563d269e7635aa10ffcca58b14706cea5b607e42536f
SHA512 cf5828e19bccc09bd3b683d54e99c53333f8e5abe959e47f592c80fa9fd374144053ca4cc8fd9c11857189ffc70ffdb1182972f46f837ed4f30bc42c9d08996c

memory/916-30-0x00007FF79BCA0000-0x00007FF79BFF1000-memory.dmp

C:\Windows\System\ojFEAwb.exe

MD5 56feadd66a65c5187af5baa087806957
SHA1 36137a80285fc12b9999fb79bcba7ef7d1a63784
SHA256 3a7cf798ff4b4b7ad6857146a77cb9ba756ee52b9b49e6981c12e5df04364bae
SHA512 6d6958e63c5dbc4197416e5e932363177a76d68590755c662c809955c18b07799477e338bc6ac4c585f54a5c30b0ca06f00f527c519c913de2953f3cb6947dff

C:\Windows\System\iOhqdrt.exe

MD5 4831ab69082defda0e61a0f549657d36
SHA1 3caed877f0c71ff1ea43c3a3e7c8ba1bef672a4a
SHA256 1489b93c8ab552e0632235a759672828c41f2826a18a72a84cd009cb9496c8e1
SHA512 1c56e4d1acc3964bfb6de642ab160e02584afcd1cc136e08a06c6dd70fb100b54d42a1c8de8957c394c4450e1f34af4592160179b6c3707d3f14dea6a9a4055b

memory/2932-22-0x00007FF6B2F20000-0x00007FF6B3271000-memory.dmp

memory/4868-17-0x00007FF6A6950000-0x00007FF6A6CA1000-memory.dmp

memory/2532-21-0x00007FF7F2B80000-0x00007FF7F2ED1000-memory.dmp

memory/3768-48-0x00007FF765E50000-0x00007FF7661A1000-memory.dmp

memory/5104-51-0x00007FF6D1660000-0x00007FF6D19B1000-memory.dmp

C:\Windows\System\ocytHNB.exe

MD5 58aff8185df5efee3cff2cd3a98631d0
SHA1 e6badc82d29a06d167ca50e67963031a7819def0
SHA256 8aebf82191e29c38ff0e88935761d90a272c493f22312acf914937144e565c10
SHA512 dda1d9a94efb5058ba9bc44e02d61d62093eef6d45a2c6dbbd372b1e54e85e76b0197a84862ef45d4d04fa3aeac09a2c63087ae510aefa9aa8c59aaa4fccc553

C:\Windows\System\FYVHhWd.exe

MD5 ea339ca63922fe7ad2906adabc3d43d2
SHA1 5732269de6a7b38218617871d626a51dc6877138
SHA256 e09fbf0c87abb8b445301659df2d125ef2ed7de4645608d171baa79d392028d4
SHA512 ba02ffd35799d3b4dceebd6277a52eeb5e5b6a5b9b4a9e91516f49e85915dc7df3549c4ab44cbbbd8c171479b66b002debab9654ff09c3429906f5a71f5fe119

C:\Windows\System\jFuKjhW.exe

MD5 a6ee03f4521f83825754ba8cd72598a9
SHA1 c5830df868618dc897797801eb4127c0ca84c2ca
SHA256 cb40991401546085bd46561009eee68592c760f3ce30d9c7cc81aa97c4e4fc41
SHA512 dc85d63df44e6c46e34e7408abb7e749f497785186d6fa10b3741b312a57363ee24e856ef9f1be4432a35d8bfe1d12472106f50cbe2aa9ab0ead53dcf2bdbcb8

memory/2224-63-0x00007FF7364A0000-0x00007FF7367F1000-memory.dmp

memory/1900-66-0x00007FF63B480000-0x00007FF63B7D1000-memory.dmp

memory/3228-70-0x00007FF7527E0000-0x00007FF752B31000-memory.dmp

memory/3624-72-0x00007FF6E8970000-0x00007FF6E8CC1000-memory.dmp

C:\Windows\System\ClLPmBJ.exe

MD5 f44f6e89115098495f02134c791b1ed9
SHA1 d278b9ddd48d6253d9635001b960d5395cff2ea8
SHA256 14afbf4ff42b21a2248da26b9e26fc4f844425146e2d4e3026ca3fd606d18f73
SHA512 2dbc61e1624a70e038afabc9ac92d0fa54867da2d03fe1cce2f4fef09c1cdaef15bd75f0ff506669ac0f0d0884d2d09ecdc7871d2a60ec8d3814e94baa7d58d3

memory/3176-73-0x00007FF795170000-0x00007FF7954C1000-memory.dmp

C:\Windows\System\iAOGINo.exe

MD5 47be084254ae532b7993dbba7cd1a72e
SHA1 a5fe701936a8068a1927ab053fb467f058228b99
SHA256 5793c8d7ffd2731b4989b496effd560c770884513a31fe02d176580b8a62ed66
SHA512 8c922907e62ae03cb0d2895b2794dd88f336a8bf22282081dcccaac3a35a6d9d2432e78856fb8974cba45df96f122fb1c0dfff349a2fc83a28fcea89beab463c

memory/4868-88-0x00007FF6A6950000-0x00007FF6A6CA1000-memory.dmp

C:\Windows\System\VCvPETq.exe

MD5 f864675dd7f00857aed671ecee46fa81
SHA1 fa18ab5375e94523f9242414b9cd6b48179b0986
SHA256 b25b03ab4c28be7720ece51acb7028931cfd420f7c59fde0062289134d6edb7b
SHA512 ce531b8b71f259ea43e92c5f942445baaa193b3d72c59750fd64826fda8b7b28c2a5bb6290d520807772296d225c507e990a2ffb84057a79137bb98009881de4

C:\Windows\System\ynOTnJk.exe

MD5 31ede688966bcee0c2c8caae231b7a8d
SHA1 00048c2ce00c9ff2fcc35825fb82e36e198f6bc9
SHA256 45a13f224353686ea3dad3c34be4e773157488dd47beb0550897d3f1bf5591fc
SHA512 b0a5f0cd96147a9c9206b56c6029ce659c2ae6648049608791593d8c02ac43b8f4fa26a43435b55e9a02f2363c2a030db18ee323d2e525d4b03780ae905e8c75

memory/3756-108-0x00007FF7F8B60000-0x00007FF7F8EB1000-memory.dmp

memory/4340-112-0x00007FF704A50000-0x00007FF704DA1000-memory.dmp

memory/2304-114-0x00007FF78A5A0000-0x00007FF78A8F1000-memory.dmp

memory/2216-113-0x00007FF633DC0000-0x00007FF634111000-memory.dmp

C:\Windows\System\BzVkZVS.exe

MD5 f62f1f0a5c491c45866d86a8e69716c2
SHA1 7c3c9d95b789f9b0e432a73c804c8c36ce89fb1c
SHA256 c871b3f9998385ffcaafb644bc28d6661e20fc7ec9457d828ecd292daa6c311f
SHA512 b77484c7435e205833b48fbf4fd8d883c0afc4905c45fda6254a1e4a4faac2cccfd4fd1c5f61d5ba0f15f5fb4b67e6372972efd16962c03a0860693a02d0ad0a

memory/2532-109-0x00007FF7F2B80000-0x00007FF7F2ED1000-memory.dmp

memory/4316-96-0x00007FF69B900000-0x00007FF69BC51000-memory.dmp

memory/2280-95-0x00007FF7AEAE0000-0x00007FF7AEE31000-memory.dmp

C:\Windows\System\FTzSNSW.exe

MD5 fd0dd119c3cb3acc18e2093713437f59
SHA1 778581f641eeb9cfa8eb6bb8fd8c4eb6eeaa46a5
SHA256 73d4dbac20d2a4719ed1e832f0ba257728ea79e7cf65787ee08bcdee8f1252e1
SHA512 8a26ac74eb1524cc1616f5cafba8dfbf553482e901094518869ca2505e531e62c0423dde3095fad054e20673fb5bcd2f0ae1487ebfceb331ed17902be8fd4b04

memory/464-86-0x00007FF667C80000-0x00007FF667FD1000-memory.dmp

C:\Windows\System\LRdVLbM.exe

MD5 a5ed552d92e24470882a9b7bead66945
SHA1 4595b8c728cec35f1bf492b49ac481c01b60d8db
SHA256 2db1e831507b674ee0f6b4b39118ce93ca22550e0bfe5de22e40f1ede827e9d1
SHA512 5e1f547507934a1e85ffc59bfd5e6a9b87873933870c589f7ba6c0f3e3f0a3e3b6d561bdcc95ec3e04a50947128c388f20607f6af78d97451f86c42dd8b1b770

memory/4512-49-0x00007FF795EA0000-0x00007FF7961F1000-memory.dmp

C:\Windows\System\SKnFgYQ.exe

MD5 9d9bf4d301c91cd74ad3635bbedab058
SHA1 5d30d95d260dc50d3186e6a0e66f5b7e0b7c5cff
SHA256 4325433e0f0fb167a538a5628c1e665e9d672289fd16ebf4714c28a01cb19844
SHA512 87a77225737bded5ecf0b00fe15ad3822144446c04b96169a1cfabf07166ad9e89100347cafdccee862131c30e495dc2bcc78b45a8d6caaefa050ee2e01a29a0

memory/4652-118-0x00007FF6856A0000-0x00007FF6859F1000-memory.dmp

C:\Windows\System\vrUTuBs.exe

MD5 21dba0eb96c9b3161c5412450c83377d
SHA1 438f9350cb28dc385e7737c1eaea6ff9e696d269
SHA256 4a59f6718ab0063b152d3a35025e340a4c7ac81bb54ef607f60abb83289378a2
SHA512 7dfeb1f82a609d329e70f72e1b0321985244a6f8ac03151c35ea9c9ad7d3602d054b416f546beb7e090a0028f49e23715ba720740e2d90c5c090c0d015a94428

memory/3232-131-0x00007FF74ACF0000-0x00007FF74B041000-memory.dmp

memory/904-132-0x00007FF624020000-0x00007FF624371000-memory.dmp

memory/916-133-0x00007FF79BCA0000-0x00007FF79BFF1000-memory.dmp

memory/2932-130-0x00007FF6B2F20000-0x00007FF6B3271000-memory.dmp

C:\Windows\System\QYTHxmI.exe

MD5 8fc8eb18a1ed695f5a947582cd8832a8
SHA1 43c47a7709b09402887859677f3484c7b181a3ad
SHA256 f25a4b34bca43fc234fc570b9e7959dd822ea8afb6f68975a6fe1a6f98bebab9
SHA512 1c208874dbe0aee127c02d897d3a22ea063732e9d5469d0bee1d5c6beb6db023174302b2530b459dd62a25d43144bc4a4a642f1cac8373851a11b1ceda9dfecd

memory/3624-134-0x00007FF6E8970000-0x00007FF6E8CC1000-memory.dmp

memory/3176-146-0x00007FF795170000-0x00007FF7954C1000-memory.dmp

memory/3228-145-0x00007FF7527E0000-0x00007FF752B31000-memory.dmp

memory/4652-153-0x00007FF6856A0000-0x00007FF6859F1000-memory.dmp

memory/3624-156-0x00007FF6E8970000-0x00007FF6E8CC1000-memory.dmp

memory/464-201-0x00007FF667C80000-0x00007FF667FD1000-memory.dmp

memory/4868-213-0x00007FF6A6950000-0x00007FF6A6CA1000-memory.dmp

memory/2532-215-0x00007FF7F2B80000-0x00007FF7F2ED1000-memory.dmp

memory/2932-217-0x00007FF6B2F20000-0x00007FF6B3271000-memory.dmp

memory/916-219-0x00007FF79BCA0000-0x00007FF79BFF1000-memory.dmp

memory/3768-221-0x00007FF765E50000-0x00007FF7661A1000-memory.dmp

memory/5104-223-0x00007FF6D1660000-0x00007FF6D19B1000-memory.dmp

memory/4512-225-0x00007FF795EA0000-0x00007FF7961F1000-memory.dmp

memory/2224-227-0x00007FF7364A0000-0x00007FF7367F1000-memory.dmp

memory/1900-229-0x00007FF63B480000-0x00007FF63B7D1000-memory.dmp

memory/3228-231-0x00007FF7527E0000-0x00007FF752B31000-memory.dmp

memory/3176-233-0x00007FF795170000-0x00007FF7954C1000-memory.dmp

memory/2280-235-0x00007FF7AEAE0000-0x00007FF7AEE31000-memory.dmp

memory/4316-237-0x00007FF69B900000-0x00007FF69BC51000-memory.dmp

memory/4340-239-0x00007FF704A50000-0x00007FF704DA1000-memory.dmp

memory/2216-241-0x00007FF633DC0000-0x00007FF634111000-memory.dmp

memory/3756-243-0x00007FF7F8B60000-0x00007FF7F8EB1000-memory.dmp

memory/2304-245-0x00007FF78A5A0000-0x00007FF78A8F1000-memory.dmp

memory/4652-248-0x00007FF6856A0000-0x00007FF6859F1000-memory.dmp

memory/3232-250-0x00007FF74ACF0000-0x00007FF74B041000-memory.dmp

memory/904-252-0x00007FF624020000-0x00007FF624371000-memory.dmp
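
Two facts in the Files sections of both runs deserve to be pulled out explicitly. First, every dumped image region, whether at a 0x7FF6... base on Windows 10 or a 0x13F... base on the behavioral1 platform, is exactly 0x351000 bytes; the only exception is memory/3624-1, a 0x10000-byte heap region. Second, the dropped executables all hash differently even though they map to identically sized images, which is consistent with one payload being re-packed per drop (confirm by unpacking rather than assuming). The behavioral1 parent, PID 2136, additionally holds several 0x351000-byte regions at different bases, including one at 0x2260000 well below any image base. The script below is an added example, not part of the report: it parses a sample of the memory-dump and hash entries above, profiles region sizes, counts same-sized regions per PID and checks SHA256 uniqueness. The line formats it expects are taken from this page and are an assumption about the export.

```python
import re
from collections import Counter, defaultdict

# Lines copied from the "Files" sections of both runs above: a sample of the
# memory-dump entries plus three of the dropped-file hash blocks.
FILES_TEXT = r"""
memory/3624-0-0x00007FF6E8970000-0x00007FF6E8CC1000-memory.dmp
memory/3624-1-0x00000197B00B0000-0x00000197B00C0000-memory.dmp
memory/464-6-0x00007FF667C80000-0x00007FF667FD1000-memory.dmp
memory/2136-19-0x000000013F2A0000-0x000000013F5F1000-memory.dmp
memory/2136-36-0x0000000002260000-0x00000000025B1000-memory.dmp
memory/2136-53-0x000000013FB70000-0x000000013FEC1000-memory.dmp
memory/2824-57-0x000000013FB70000-0x000000013FEC1000-memory.dmp
memory/2136-137-0x000000013FF10000-0x0000000140261000-memory.dmp
memory/2708-51-0x000000013FF10000-0x0000000140261000-memory.dmp

C:\Windows\System\jqQcFRa.exe

MD5 6138ecdcf63004344e647701b5c57108
SHA1 851a384076b14be937a3fd9ac3975dd1b3aba894
SHA256 7c18c3ff0189ea504a76c9b6b69f7f1e198b1f1d5031391ce07ae54d5ba47c17
SHA512 dbcd9f0797b5145c2dd99747849ded702857b005c07c93f341672a3eb1e78d4281f1295bf3708d07d92562c83cace2d80990c8a78db0d0a1f2249877f16b7d6b

C:\Windows\System\fcDgjMQ.exe

MD5 a79e0ed8a0d4a0c56c0ed364a58c845f
SHA1 5417a9f65964d909c04d76b5515aa9ea70d0e8e2
SHA256 edf2b09d8268c40795f3963d4497c4e427571017958149a88106ac2bab9d3419
SHA512 abd2a654b47262f3e1a31ec1ae14a78bfc910e9b0209107b118a6e7cc85c8c283f3a7d7bea35694d285ed2bad26c785ca9787ac80af9a3f0834ebc18d655cc85

C:\Windows\system\GmOUSEm.exe

MD5 eb4178ee2dd934eb09af232f5954cd4f
SHA1 f8ab71bbf8178815f18492c5dc39311a5a837942
SHA256 39776347e0d81eee2f00117e9128690261cd1bf257309d9e28f97a8c20e53a1e
SHA512 9056f40d60d597c79ad087bddb18006064f4c05c688cf731037ee2793dc008f2d37ea75b64c625895480a99ebfc7fcd5d424c80e729250b7be11dfd070eed021
"""

MEM_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
PATH_RE = re.compile(r"^[A-Za-z]:\\.+\.exe$", re.IGNORECASE)
HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512) ([0-9a-f]+)$")


def parse_files(text):
    """Return (list of dump regions, {dropped path: {algo: digest}})."""
    dumps, files, current = [], {}, None
    for raw in text.strip().splitlines():
        line = raw.strip()
        m = MEM_RE.match(line)
        if m:
            pid, seq, start, end = m.groups()
            dumps.append({"pid": int(pid), "seq": int(seq),
                          "start": int(start, 16), "end": int(end, 16)})
            current = None
        elif PATH_RE.match(line):
            current = line
            files[current] = {}
        else:
            h = HASH_RE.match(line)
            if h and current:
                files[current][h.group(1)] = h.group(2)
    return dumps, files


def region_size_profile(dumps):
    """How many dumped regions there are of each size."""
    return Counter(d["end"] - d["start"] for d in dumps)


def bases_per_pid(dumps, size):
    """Distinct base addresses per PID for regions of exactly this size."""
    bases = defaultdict(set)
    for d in dumps:
        if d["end"] - d["start"] == size:
            bases[d["pid"]].add(d["start"])
    return dict(bases)


def hashes_unique(files, algo="SHA256"):
    digests = [h[algo] for h in files.values() if algo in h]
    return len(digests) == len(set(digests))


def assess(text):
    dumps, files = parse_files(text)
    dominant, count = region_size_profile(dumps).most_common(1)[0]
    multi = {pid: len(b) for pid, b in bases_per_pid(dumps, dominant).items() if len(b) > 1}
    return {
        "dominant_size": dominant,            # bytes; 0x351000 in this report
        "dominant_count": count,
        "pids_with_multiple_copies": multi,   # same-sized region at several bases
        "dropped_count": len(files),
        "dropped_hashes_unique": hashes_unique(files),
    }


if __name__ == "__main__":
    print(assess(FILES_TEXT))
```

A uniform in-memory size across differently hashed drops is the kind of fact that lets a single unpacked dump stand in for the whole family when writing a YARA rule against the unpacked payload, instead of chasing each on-disk hash.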