Malware Analysis Report

2025-03-15 08:11

Sample ID 240530-a5gylshb55
Target 2024-05-30_2e6b7cc770979aafd121ae9579933f00_cobalt-strike_cobaltstrike
SHA256 777086a86d24fe9e3719915d1b2cc3aa3bc53389d0907d07da451cf8eef51700
Tags
upx 0 miner cobaltstrike xmrig backdoor trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

777086a86d24fe9e3719915d1b2cc3aa3bc53389d0907d07da451cf8eef51700

Threat Level: Known bad

The file 2024-05-30_2e6b7cc770979aafd121ae9579933f00_cobalt-strike_cobaltstrike was found to be: Known bad.

Malicious Activity Summary

Xmrig family

Cobaltstrike

xmrig

XMRig Miner payload

Cobalt Strike reflective loader

Cobaltstrike family

UPX dump on OEP (original entry point)

Detects Reflective DLL injection artifacts

XMRig Miner payload

Loads dropped DLL

UPX packed file

Executes dropped EXE

Drops file in Windows directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-05-30 00:47

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike family

cobaltstrike

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Xmrig family

xmrig

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-30 00:47

Reported

2024-05-30 00:50

Platform

win7-20240419-en

Max time kernel

143s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-05-30_2e6b7cc770979aafd121ae9579933f00_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_2e6b7cc770979aafd121ae9579933f00_cobalt-strike_cobaltstrike.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\rcodMRJ.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_2e6b7cc770979aafd121ae9579933f00_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\JRHsrqn.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_2e6b7cc770979aafd121ae9579933f00_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ExNRKTo.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_2e6b7cc770979aafd121ae9579933f00_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\JjKKPFb.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_2e6b7cc770979aafd121ae9579933f00_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\LpRXKtr.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_2e6b7cc770979aafd121ae9579933f00_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\qkiVbmP.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_2e6b7cc770979aafd121ae9579933f00_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\GYBCYxz.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_2e6b7cc770979aafd121ae9579933f00_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\YgSCoXQ.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_2e6b7cc770979aafd121ae9579933f00_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\wszFfcO.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_2e6b7cc770979aafd121ae9579933f00_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\VqnuzWr.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_2e6b7cc770979aafd121ae9579933f00_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\hfueTXi.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_2e6b7cc770979aafd121ae9579933f00_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\stJFrfg.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_2e6b7cc770979aafd121ae9579933f00_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\TkrvOto.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_2e6b7cc770979aafd121ae9579933f00_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ihwQUdO.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_2e6b7cc770979aafd121ae9579933f00_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\PdiUZHn.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_2e6b7cc770979aafd121ae9579933f00_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\yQiDCJe.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_2e6b7cc770979aafd121ae9579933f00_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\TbBBJEf.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_2e6b7cc770979aafd121ae9579933f00_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\OMzcoCJ.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_2e6b7cc770979aafd121ae9579933f00_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\idrgFrx.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_2e6b7cc770979aafd121ae9579933f00_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\stlfYOm.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_2e6b7cc770979aafd121ae9579933f00_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\doVPBtt.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_2e6b7cc770979aafd121ae9579933f00_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_2e6b7cc770979aafd121ae9579933f00_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2948 wrote to memory of 3028 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_2e6b7cc770979aafd121ae9579933f00_cobalt-strike_cobaltstrike.exe C:\Windows\System\YgSCoXQ.exe
PID 2948 wrote to memory of 3008 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_2e6b7cc770979aafd121ae9579933f00_cobalt-strike_cobaltstrike.exe C:\Windows\System\idrgFrx.exe
PID 2948 wrote to memory of 3056 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_2e6b7cc770979aafd121ae9579933f00_cobalt-strike_cobaltstrike.exe C:\Windows\System\wszFfcO.exe
PID 2948 wrote to memory of 2700 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_2e6b7cc770979aafd121ae9579933f00_cobalt-strike_cobaltstrike.exe C:\Windows\System\stlfYOm.exe
PID 2948 wrote to memory of 2660 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_2e6b7cc770979aafd121ae9579933f00_cobalt-strike_cobaltstrike.exe C:\Windows\System\doVPBtt.exe
PID 2948 wrote to memory of 2304 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_2e6b7cc770979aafd121ae9579933f00_cobalt-strike_cobaltstrike.exe C:\Windows\System\rcodMRJ.exe
PID 2948 wrote to memory of 2840 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_2e6b7cc770979aafd121ae9579933f00_cobalt-strike_cobaltstrike.exe C:\Windows\System\JRHsrqn.exe
PID 2948 wrote to memory of 2428 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_2e6b7cc770979aafd121ae9579933f00_cobalt-strike_cobaltstrike.exe C:\Windows\System\yQiDCJe.exe
PID 2948 wrote to memory of 2788 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_2e6b7cc770979aafd121ae9579933f00_cobalt-strike_cobaltstrike.exe C:\Windows\System\ExNRKTo.exe
PID 2948 wrote to memory of 2536 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_2e6b7cc770979aafd121ae9579933f00_cobalt-strike_cobaltstrike.exe C:\Windows\System\JjKKPFb.exe
PID 2948 wrote to memory of 2436 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_2e6b7cc770979aafd121ae9579933f00_cobalt-strike_cobaltstrike.exe C:\Windows\System\LpRXKtr.exe
PID 2948 wrote to memory of 2836 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_2e6b7cc770979aafd121ae9579933f00_cobalt-strike_cobaltstrike.exe C:\Windows\System\VqnuzWr.exe
PID 2948 wrote to memory of 2976 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_2e6b7cc770979aafd121ae9579933f00_cobalt-strike_cobaltstrike.exe C:\Windows\System\qkiVbmP.exe
PID 2948 wrote to memory of 2448 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_2e6b7cc770979aafd121ae9579933f00_cobalt-strike_cobaltstrike.exe C:\Windows\System\hfueTXi.exe
PID 2948 wrote to memory of 316 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_2e6b7cc770979aafd121ae9579933f00_cobalt-strike_cobaltstrike.exe C:\Windows\System\TbBBJEf.exe
PID 2948 wrote to memory of 300 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_2e6b7cc770979aafd121ae9579933f00_cobalt-strike_cobaltstrike.exe C:\Windows\System\stJFrfg.exe
PID 2948 wrote to memory of 2480 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_2e6b7cc770979aafd121ae9579933f00_cobalt-strike_cobaltstrike.exe C:\Windows\System\TkrvOto.exe
PID 2948 wrote to memory of 2188 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_2e6b7cc770979aafd121ae9579933f00_cobalt-strike_cobaltstrike.exe C:\Windows\System\ihwQUdO.exe
PID 2948 wrote to memory of 2768 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_2e6b7cc770979aafd121ae9579933f00_cobalt-strike_cobaltstrike.exe C:\Windows\System\PdiUZHn.exe
PID 2948 wrote to memory of 2740 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_2e6b7cc770979aafd121ae9579933f00_cobalt-strike_cobaltstrike.exe C:\Windows\System\GYBCYxz.exe
PID 2948 wrote to memory of 1516 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_2e6b7cc770979aafd121ae9579933f00_cobalt-strike_cobaltstrike.exe C:\Windows\System\OMzcoCJ.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-05-30_2e6b7cc770979aafd121ae9579933f00_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-05-30_2e6b7cc770979aafd121ae9579933f00_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\YgSCoXQ.exe

C:\Windows\System\YgSCoXQ.exe

C:\Windows\System\idrgFrx.exe

C:\Windows\System\idrgFrx.exe

C:\Windows\System\wszFfcO.exe

C:\Windows\System\wszFfcO.exe

C:\Windows\System\stlfYOm.exe

C:\Windows\System\stlfYOm.exe

C:\Windows\System\doVPBtt.exe

C:\Windows\System\doVPBtt.exe

C:\Windows\System\rcodMRJ.exe

C:\Windows\System\rcodMRJ.exe

C:\Windows\System\JRHsrqn.exe

C:\Windows\System\JRHsrqn.exe

C:\Windows\System\yQiDCJe.exe

C:\Windows\System\yQiDCJe.exe

C:\Windows\System\ExNRKTo.exe

C:\Windows\System\ExNRKTo.exe

C:\Windows\System\JjKKPFb.exe

C:\Windows\System\JjKKPFb.exe

C:\Windows\System\LpRXKtr.exe

C:\Windows\System\LpRXKtr.exe

C:\Windows\System\VqnuzWr.exe

C:\Windows\System\VqnuzWr.exe

C:\Windows\System\qkiVbmP.exe

C:\Windows\System\qkiVbmP.exe

C:\Windows\System\hfueTXi.exe

C:\Windows\System\hfueTXi.exe

C:\Windows\System\TbBBJEf.exe

C:\Windows\System\TbBBJEf.exe

C:\Windows\System\stJFrfg.exe

C:\Windows\System\stJFrfg.exe

C:\Windows\System\TkrvOto.exe

C:\Windows\System\TkrvOto.exe

C:\Windows\System\ihwQUdO.exe

C:\Windows\System\ihwQUdO.exe

C:\Windows\System\PdiUZHn.exe

C:\Windows\System\PdiUZHn.exe

C:\Windows\System\GYBCYxz.exe

C:\Windows\System\GYBCYxz.exe

C:\Windows\System\OMzcoCJ.exe

C:\Windows\System\OMzcoCJ.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp

Files

memory/2948-0-0x000000013FF30000-0x0000000140281000-memory.dmp

memory/2948-1-0x00000000001F0000-0x0000000000200000-memory.dmp

\Windows\system\YgSCoXQ.exe

MD5 dcba41a721f6d1d4c7618c79215c3fab
SHA1 abf7a6469aaf7ee55160f82789ff43196749c800
SHA256 44d4894a58d6505cd5a413bd28786d1d5d78f9996a60e5de2c8ff2bb14d60122
SHA512 6e287b2746c8fd7afdda21979b1e06c8901712f6d0b7abd3bc8220d0956448767ad99a372100381384456301b4b77139cb4bc7c7a2335be9e25c3cc73fe5f953

memory/3028-7-0x000000013F610000-0x000000013F961000-memory.dmp

\Windows\system\idrgFrx.exe

MD5 6b16ee9e0859122b188005178accdc09
SHA1 17229497ea7b3a7aea688f0787b518fb8134f077
SHA256 a9fa60b0d2fcc77bf643c867066cd114d6f1c0b5b78df3547a2c2d2ddfcfedf8
SHA512 4ab95c27244f383df2a8a78872b2d6c16d3274753ef3e92338738be962d745abb69da89cb5ad1f3e5b63de5b5757d36703ebbc786e50ea3ba965f2ae5d6e363b

memory/3008-13-0x000000013F0C0000-0x000000013F411000-memory.dmp

\Windows\system\wszFfcO.exe

MD5 e4b905407f7191e249d847081a59201e
SHA1 fdd72017ddd9c22bf61ffbe0276b75ef1f744f1a
SHA256 48a8d45ea70d9468b011193ef61b88f2306d92a5f59b91eb4e08697f62ababd5
SHA512 796aced9aae880be614d0c116ff2c7c61ac03169ab375979fcdf704853dfa96cdb81395af29ef69c5be2df220cb7406c181ceeee0c3df82bbe644ccf07eb20eb

memory/2948-27-0x000000013F2C0000-0x000000013F611000-memory.dmp

memory/2700-25-0x000000013F2C0000-0x000000013F611000-memory.dmp

C:\Windows\system\stlfYOm.exe

MD5 bf5b2ae13f08fe945ce5922f965c5a9a
SHA1 60d958529da5dc761b0511ceace68048c9651d4d
SHA256 9acf476b549232188e67334a8aff3b50a0b3b1f99a7922f439aa2fd5b7a16b78
SHA512 11d6e591de6414be3ad19f7da4cbd6df4d8611541a75f1af2d477ed15d27b74776082ae85ab43c561dec4c788bc61606dc9d1c044a331767e48122ce3fc3c938

memory/2948-19-0x00000000023F0000-0x0000000002741000-memory.dmp

memory/2660-33-0x000000013FB70000-0x000000013FEC1000-memory.dmp

C:\Windows\system\rcodMRJ.exe

MD5 f7fe8b6cac1b3c8d252a20eb2c3c589f
SHA1 6a31f2f112eccf1645a4811c53c90203def0a4bf
SHA256 011e2dbaccb872a5d2cc9bc118b706b3c7ed89af5d1dd8d53272bf051d4ce283
SHA512 5cf3ee9e0f12e78613b0e6f79593dae0731b4e28704085d1d167330a85ca72b0f74acdd3b39eb2967eb0a81a659b76a5bf1b62058827d542fa4323714072f8cf

memory/2304-40-0x000000013FBD0000-0x000000013FF21000-memory.dmp

memory/2948-54-0x000000013FF30000-0x0000000140281000-memory.dmp

C:\Windows\system\yQiDCJe.exe

MD5 ee49a0f3f1348d68fba9616fd03b5f1f
SHA1 2329f1ab70bf47c9cfa9eb6595fb9fc21afdaa27
SHA256 a384649daadd49ce5b279a63b810eeff2045c34de7ba3dce28a24e9a22cdd63b
SHA512 992d359e8ba2d670f5677f8a20ae0c4c958b7623d5f5a13dfc893fd41addcff6424eee1a13f5079dc3724a4d3bfa2e4d2b72b37c9e299edd079d57fa2c9340ff

memory/2536-67-0x000000013F2F0000-0x000000013F641000-memory.dmp

memory/2840-48-0x000000013FD50000-0x00000001400A1000-memory.dmp

memory/2948-83-0x00000000023F0000-0x0000000002741000-memory.dmp

memory/2436-78-0x000000013F290000-0x000000013F5E1000-memory.dmp

C:\Windows\system\hfueTXi.exe

MD5 dfd3bf156d31f0d56c8e4340bc1b80d9
SHA1 54354ea84e2edc380da9b338f1380d430014ef56
SHA256 c2bc402ae6caecdf1af01c0010628ca53e16a35088bfa823fbb9e6766778dc2c
SHA512 9a2acc178b34411eed8b293fd30287daefaf66dadbc7c3c76ffdfdf0e4dbb5f997cbc26c0f1f25715a0f283b39033a047758ecab4f7053300b95e0a099fb7490

C:\Windows\system\stJFrfg.exe

MD5 87bb2b6775d1328ece4b10ff755f9777
SHA1 fe32b6cc3935f811b19dcec4f5d448185fdb7663
SHA256 ec06facf3322fc02d44e24590d862b0b3040b4d2eb3891196811aa580b7842b1
SHA512 e50699302755631aec2db3ef1acf4febe959220fdd7581a011ebf816074b1a4e94aa5df856e4c8ea29d4a1c24df8911ba6a4c1d095bcda1dae96b8da20fbf853

C:\Windows\system\PdiUZHn.exe

MD5 796be207f15bcf0acc846dfcaa4250da
SHA1 be8792ab95ab4fbed02753ffdfb6c019f50834e3
SHA256 26012c567eda85ad89c96801af611c985ecfd46ed3851ce6e08c61e94e559bd2
SHA512 481431cb051e79eff31b9656e8c368bde695af3a10de6b79d7481346976aacd1c231102ed08d1056a613a92a7829c0ce3bb230ec40b54ddd7ded8f0a499a73a8

C:\Windows\system\GYBCYxz.exe

MD5 372ffe298985e9d00ba92c626a37590f
SHA1 c2a640e93098ebc4c362d1f3542c8de6a1ebaa7f
SHA256 b61ae677b4c4a29aac16ae86572c6ef19fa3f7c5ebedddd1975777d4d8b27382
SHA512 44a7d47c04f039fb0cd50be58491bb1789a7d4d7ac8e382a20c0118128c1349fa456267e148443ba6a13b5853476deaee5278643dd314b36b32738eedf789881

\Windows\system\OMzcoCJ.exe

MD5 9dd2daff20aeed3fb067a69566ac6997
SHA1 8fadeec8cc6562a463593f2ce581cdb6d2aa3e48
SHA256 a9bbbd04ab6e498f4d2e4edf2589d10875489b71406265ffce983ebeaa7bed4a
SHA512 60ba3e83f3d878b48c06682fffc771d7fabca8bc8c0215b299c98776682b6aeeb2ec36989023cfca2f0e8ca753039fbeaf023887d8a2e632688ae22db8808e2b

C:\Windows\system\ihwQUdO.exe

MD5 6511aefc5fc06574c0fe22a643563f83
SHA1 ec81c93051194bba28e65f0841689ca5dd77b407
SHA256 9b1c522f127eaeae17164384a1013d81f6beb75ba1a0913749da3f8e54f03b98
SHA512 abc25d56db060b375d455b928f23f4b419b92a0e5bf1969d263ad451f0cb3f7670907b8c5a386bca0aba3110a8f60d4cf060e570a788d08e2728598036942c47

C:\Windows\system\TkrvOto.exe

MD5 d5a82993ca49c849ab0ac0ffc0aec7b7
SHA1 60f6865e129b287e240682c4a31ef072e8f7ce14
SHA256 2cb3d3ab8b78f7e2ea04cfd7eac1ddb0f29d310ba352c0ab1b47db9adff4c7c9
SHA512 c1bcad676aeea635abbce87908bd0947d52f2423a3558ebf69071d74db74826bd7c92dee021fcfa6a3eb09c39f1cb251f6922bcdc9ea417082a0743a1b772f51

memory/2428-139-0x000000013F0C0000-0x000000013F411000-memory.dmp

memory/2948-108-0x00000000023F0000-0x0000000002741000-memory.dmp

memory/2840-107-0x000000013FD50000-0x00000001400A1000-memory.dmp

C:\Windows\system\TbBBJEf.exe

MD5 69575c054922e30a286dada63085681b
SHA1 239a24fb80c0e434ca49c6b6591ad0813d4540f7
SHA256 fdbe05a198ebab4cbbef5216b4e0c5c25056aaa94c432eb42082b3e3f85891fc
SHA512 c7c39d16cf69c56be0e7afd703c358a9b9bfb60847533454387a1493cf7a069e68b77f4c2c07a9b84c262a5993479c609ba93e02b86201289c48ac2a3ae982d2

memory/2448-101-0x000000013FCD0000-0x0000000140021000-memory.dmp

memory/2948-100-0x00000000023F0000-0x0000000002741000-memory.dmp

memory/2304-99-0x000000013FBD0000-0x000000013FF21000-memory.dmp

memory/2976-92-0x000000013F2D0000-0x000000013F621000-memory.dmp

memory/2948-91-0x000000013F2D0000-0x000000013F621000-memory.dmp

memory/2660-90-0x000000013FB70000-0x000000013FEC1000-memory.dmp

C:\Windows\system\qkiVbmP.exe

MD5 0b454c656537c0ea338571535f48dff7
SHA1 5a5c095bd200890235f0eb1ded520d012f91ffb3
SHA256 b2b6f1c1e841f3cb348c87ab828e7337008731b9ad0866692f94e473aee5e068
SHA512 2f7ef8d51fcc64f8c86c328fbb3178579d7b00ef095767f51915879c39b4950b0ea334c9f7262bcb0216beba0030fff3fd9e7a35838cbf476fcc60f33535fe39

memory/2700-77-0x000000013F2C0000-0x000000013F611000-memory.dmp

C:\Windows\system\LpRXKtr.exe

MD5 ae802754c53e89f910e0a19c5f98adca
SHA1 c3c536e7ca0eb45b58a68194c08eb9bdd79a3d1d
SHA256 4a41754891bffd6d238bcfb08a0f40560e68dab880ba37360312cb5b72ea2111
SHA512 19a57a5db96c2740e3a6d6e1273360eb935b246f3cd96577f4bb65292d77057ed8ff64a6dc89a9fc56d075693600fb1ee5627efdd8cb575f2cb8e905b03964c1

memory/2948-75-0x000000013F290000-0x000000013F5E1000-memory.dmp

memory/3056-74-0x000000013FF60000-0x00000001402B1000-memory.dmp

memory/3008-73-0x000000013F0C0000-0x000000013F411000-memory.dmp

memory/2836-84-0x000000013FC50000-0x000000013FFA1000-memory.dmp

memory/2788-63-0x000000013FCD0000-0x0000000140021000-memory.dmp

memory/3028-62-0x000000013F610000-0x000000013F961000-memory.dmp

C:\Windows\system\ExNRKTo.exe

MD5 60df4760e619d2c55ec5193aca74b3ca
SHA1 2f3b7cda0983c2d770a114c19689f8b822ce1290
SHA256 ca9e972692c95740a22c2658cde5e43f299f7066c6ffdea0579e8e2098e3f5c3
SHA512 32d325dd02d9d0096835dc62b89fbcd3e03656c1bdc042247aa942b40ee5e1031f8ce0f428457a313637d44fb509f50ae58480fe584c7f6f1f1fbff05df4713c

memory/2948-59-0x000000013F610000-0x000000013F961000-memory.dmp

C:\Windows\system\VqnuzWr.exe

MD5 a422acf0cdb4844a4193ad8d56957f12
SHA1 23199314aee8a9940f76f080319aba94a4aedfd4
SHA256 cfc5d7609d307aa09cdc57584322432b4f9d04b7a69960ee2700f016aaedbd93
SHA512 81d9f7f43c25c6a0e6bf84e2e199409bbb227b0a9bd4385190a027d886e94adab579af5d65ba335b5fdffdbe2619a61584beb89f29abe069db4591ba5706d17c

memory/2948-47-0x00000000023F0000-0x0000000002741000-memory.dmp

C:\Windows\system\JRHsrqn.exe

MD5 903f2b1e7617a2027738dd5a211fcb57
SHA1 1f03f6733aad4d5e41eec3fadaabcf3f0680fbe1
SHA256 8a37cfbe8ccbbcd2c790f67f037bb927d09b621261121bf1a656a0ee885ad7e5
SHA512 c3928d3a47bdaef29554b9b1ba33978985ebc192bb5a83f0d9853f7f95e107a92b206d7c13a16aaa44b33c54d25939c1a74ccde177ae6991e067f0459db5f1f5

C:\Windows\system\JjKKPFb.exe

MD5 a5bb4415b170727de148f4efc8112a82
SHA1 561d01e99ed72808db6716b7802c494551b3d03f
SHA256 be9cd002e9c8e91806b183732083a4c0c74c7f095b8b5c0789e0915192fea102
SHA512 aed88f11a43e599e90a98ee4e48b2f0d4c629ddc05dd96f7a105d76d595bc69d4a46d851f29b699a61a6eb556308a52efedf7b8070c3144523645f5814656440

memory/2948-39-0x000000013FBD0000-0x000000013FF21000-memory.dmp

memory/2948-32-0x000000013FB70000-0x000000013FEC1000-memory.dmp

C:\Windows\system\doVPBtt.exe

MD5 4dfc1b1b55580ec1fac1cf806217a11b
SHA1 c208655efccb3027f241364d5ead509c2a763c5f
SHA256 a3cf55beadd86c3e7916b5f656043c1b2d2dce88b4c13a5696ad834df333db57
SHA512 bef97cf5ec11f81e549cf749d26b9136873b760822a52231db6997ccdee5c40e5cb83b0c579163cf7fb3c644b99ae788248b6da52c6a077fe65605892f4553d4

memory/3056-23-0x000000013FF60000-0x00000001402B1000-memory.dmp

memory/2948-140-0x000000013FF30000-0x0000000140281000-memory.dmp

memory/2436-151-0x000000013F290000-0x000000013F5E1000-memory.dmp

memory/2836-152-0x000000013FC50000-0x000000013FFA1000-memory.dmp

memory/2536-150-0x000000013F2F0000-0x000000013F641000-memory.dmp

memory/2188-158-0x000000013F140000-0x000000013F491000-memory.dmp

memory/2480-157-0x000000013F7F0000-0x000000013FB41000-memory.dmp

memory/2948-162-0x000000013F290000-0x000000013F5E1000-memory.dmp

memory/1516-161-0x000000013F8E0000-0x000000013FC31000-memory.dmp

memory/2740-160-0x000000013F3E0000-0x000000013F731000-memory.dmp

memory/2768-159-0x000000013F630000-0x000000013F981000-memory.dmp

memory/300-156-0x000000013FE10000-0x0000000140161000-memory.dmp

memory/316-155-0x000000013FBF0000-0x000000013FF41000-memory.dmp

memory/2448-154-0x000000013FCD0000-0x0000000140021000-memory.dmp

memory/2976-153-0x000000013F2D0000-0x000000013F621000-memory.dmp

memory/2948-163-0x00000000023F0000-0x0000000002741000-memory.dmp

memory/2948-164-0x000000013FF30000-0x0000000140281000-memory.dmp

memory/2948-171-0x000000013F2D0000-0x000000013F621000-memory.dmp

memory/3028-210-0x000000013F610000-0x000000013F961000-memory.dmp

memory/3008-212-0x000000013F0C0000-0x000000013F411000-memory.dmp

memory/3056-214-0x000000013FF60000-0x00000001402B1000-memory.dmp

memory/2700-216-0x000000013F2C0000-0x000000013F611000-memory.dmp

memory/2304-219-0x000000013FBD0000-0x000000013FF21000-memory.dmp

memory/2660-220-0x000000013FB70000-0x000000013FEC1000-memory.dmp

memory/2840-222-0x000000013FD50000-0x00000001400A1000-memory.dmp

memory/2428-224-0x000000013F0C0000-0x000000013F411000-memory.dmp

memory/2788-226-0x000000013FCD0000-0x0000000140021000-memory.dmp

memory/2536-228-0x000000013F2F0000-0x000000013F641000-memory.dmp

memory/2436-236-0x000000013F290000-0x000000013F5E1000-memory.dmp

memory/2836-242-0x000000013FC50000-0x000000013FFA1000-memory.dmp

memory/2976-244-0x000000013F2D0000-0x000000013F621000-memory.dmp

memory/2448-246-0x000000013FCD0000-0x0000000140021000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-30 00:47

Reported

2024-05-30 00:50

Platform

win10v2004-20240508-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-05-30_2e6b7cc770979aafd121ae9579933f00_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A (21 identical rows)

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A (21 identical rows)

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A (64 identical rows)

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A (46 identical rows)

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A (64 identical rows)

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\flbYdCb.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_2e6b7cc770979aafd121ae9579933f00_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\fkikomS.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_2e6b7cc770979aafd121ae9579933f00_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\tXSKXao.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_2e6b7cc770979aafd121ae9579933f00_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\GhFgqtq.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_2e6b7cc770979aafd121ae9579933f00_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\VQjdfEZ.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_2e6b7cc770979aafd121ae9579933f00_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\BRxJGPi.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_2e6b7cc770979aafd121ae9579933f00_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\SBOxtqX.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_2e6b7cc770979aafd121ae9579933f00_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\wsygvsI.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_2e6b7cc770979aafd121ae9579933f00_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ADihPZM.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_2e6b7cc770979aafd121ae9579933f00_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\JkAJZCE.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_2e6b7cc770979aafd121ae9579933f00_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\SHerMTH.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_2e6b7cc770979aafd121ae9579933f00_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\kkEmkXU.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_2e6b7cc770979aafd121ae9579933f00_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\bRnhyyI.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_2e6b7cc770979aafd121ae9579933f00_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\DMkgHam.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_2e6b7cc770979aafd121ae9579933f00_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ttSRizW.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_2e6b7cc770979aafd121ae9579933f00_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\VKbbQJE.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_2e6b7cc770979aafd121ae9579933f00_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\hIxwxom.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_2e6b7cc770979aafd121ae9579933f00_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\VJigUtE.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_2e6b7cc770979aafd121ae9579933f00_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\TCEcjgw.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_2e6b7cc770979aafd121ae9579933f00_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\RfbzzLA.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_2e6b7cc770979aafd121ae9579933f00_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ZGHroNa.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_2e6b7cc770979aafd121ae9579933f00_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_2e6b7cc770979aafd121ae9579933f00_cobalt-strike_cobaltstrike.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_2e6b7cc770979aafd121ae9579933f00_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3548 wrote to memory of 3892 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_2e6b7cc770979aafd121ae9579933f00_cobalt-strike_cobaltstrike.exe C:\Windows\System\bRnhyyI.exe
PID 3548 wrote to memory of 3892 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_2e6b7cc770979aafd121ae9579933f00_cobalt-strike_cobaltstrike.exe C:\Windows\System\bRnhyyI.exe
PID 3548 wrote to memory of 4676 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_2e6b7cc770979aafd121ae9579933f00_cobalt-strike_cobaltstrike.exe C:\Windows\System\DMkgHam.exe
PID 3548 wrote to memory of 4676 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_2e6b7cc770979aafd121ae9579933f00_cobalt-strike_cobaltstrike.exe C:\Windows\System\DMkgHam.exe
PID 3548 wrote to memory of 4332 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_2e6b7cc770979aafd121ae9579933f00_cobalt-strike_cobaltstrike.exe C:\Windows\System\fkikomS.exe
PID 3548 wrote to memory of 4332 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_2e6b7cc770979aafd121ae9579933f00_cobalt-strike_cobaltstrike.exe C:\Windows\System\fkikomS.exe
PID 3548 wrote to memory of 1396 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_2e6b7cc770979aafd121ae9579933f00_cobalt-strike_cobaltstrike.exe C:\Windows\System\SBOxtqX.exe
PID 3548 wrote to memory of 1396 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_2e6b7cc770979aafd121ae9579933f00_cobalt-strike_cobaltstrike.exe C:\Windows\System\SBOxtqX.exe
PID 3548 wrote to memory of 4312 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_2e6b7cc770979aafd121ae9579933f00_cobalt-strike_cobaltstrike.exe C:\Windows\System\tXSKXao.exe
PID 3548 wrote to memory of 4312 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_2e6b7cc770979aafd121ae9579933f00_cobalt-strike_cobaltstrike.exe C:\Windows\System\tXSKXao.exe
PID 3548 wrote to memory of 4260 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_2e6b7cc770979aafd121ae9579933f00_cobalt-strike_cobaltstrike.exe C:\Windows\System\ttSRizW.exe
PID 3548 wrote to memory of 4260 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_2e6b7cc770979aafd121ae9579933f00_cobalt-strike_cobaltstrike.exe C:\Windows\System\ttSRizW.exe
PID 3548 wrote to memory of 1312 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_2e6b7cc770979aafd121ae9579933f00_cobalt-strike_cobaltstrike.exe C:\Windows\System\TCEcjgw.exe
PID 3548 wrote to memory of 1312 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_2e6b7cc770979aafd121ae9579933f00_cobalt-strike_cobaltstrike.exe C:\Windows\System\TCEcjgw.exe
PID 3548 wrote to memory of 4492 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_2e6b7cc770979aafd121ae9579933f00_cobalt-strike_cobaltstrike.exe C:\Windows\System\RfbzzLA.exe
PID 3548 wrote to memory of 4492 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_2e6b7cc770979aafd121ae9579933f00_cobalt-strike_cobaltstrike.exe C:\Windows\System\RfbzzLA.exe
PID 3548 wrote to memory of 3992 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_2e6b7cc770979aafd121ae9579933f00_cobalt-strike_cobaltstrike.exe C:\Windows\System\GhFgqtq.exe
PID 3548 wrote to memory of 3992 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_2e6b7cc770979aafd121ae9579933f00_cobalt-strike_cobaltstrike.exe C:\Windows\System\GhFgqtq.exe
PID 3548 wrote to memory of 2792 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_2e6b7cc770979aafd121ae9579933f00_cobalt-strike_cobaltstrike.exe C:\Windows\System\VKbbQJE.exe
PID 3548 wrote to memory of 2792 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_2e6b7cc770979aafd121ae9579933f00_cobalt-strike_cobaltstrike.exe C:\Windows\System\VKbbQJE.exe
PID 3548 wrote to memory of 3052 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_2e6b7cc770979aafd121ae9579933f00_cobalt-strike_cobaltstrike.exe C:\Windows\System\hIxwxom.exe
PID 3548 wrote to memory of 3052 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_2e6b7cc770979aafd121ae9579933f00_cobalt-strike_cobaltstrike.exe C:\Windows\System\hIxwxom.exe
PID 3548 wrote to memory of 3896 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_2e6b7cc770979aafd121ae9579933f00_cobalt-strike_cobaltstrike.exe C:\Windows\System\VQjdfEZ.exe
PID 3548 wrote to memory of 3896 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_2e6b7cc770979aafd121ae9579933f00_cobalt-strike_cobaltstrike.exe C:\Windows\System\VQjdfEZ.exe
PID 3548 wrote to memory of 4908 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_2e6b7cc770979aafd121ae9579933f00_cobalt-strike_cobaltstrike.exe C:\Windows\System\wsygvsI.exe
PID 3548 wrote to memory of 4908 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_2e6b7cc770979aafd121ae9579933f00_cobalt-strike_cobaltstrike.exe C:\Windows\System\wsygvsI.exe
PID 3548 wrote to memory of 2944 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_2e6b7cc770979aafd121ae9579933f00_cobalt-strike_cobaltstrike.exe C:\Windows\System\JkAJZCE.exe
PID 3548 wrote to memory of 2944 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_2e6b7cc770979aafd121ae9579933f00_cobalt-strike_cobaltstrike.exe C:\Windows\System\JkAJZCE.exe
PID 3548 wrote to memory of 1720 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_2e6b7cc770979aafd121ae9579933f00_cobalt-strike_cobaltstrike.exe C:\Windows\System\SHerMTH.exe
PID 3548 wrote to memory of 1720 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_2e6b7cc770979aafd121ae9579933f00_cobalt-strike_cobaltstrike.exe C:\Windows\System\SHerMTH.exe
PID 3548 wrote to memory of 4980 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_2e6b7cc770979aafd121ae9579933f00_cobalt-strike_cobaltstrike.exe C:\Windows\System\BRxJGPi.exe
PID 3548 wrote to memory of 4980 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_2e6b7cc770979aafd121ae9579933f00_cobalt-strike_cobaltstrike.exe C:\Windows\System\BRxJGPi.exe
PID 3548 wrote to memory of 4048 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_2e6b7cc770979aafd121ae9579933f00_cobalt-strike_cobaltstrike.exe C:\Windows\System\kkEmkXU.exe
PID 3548 wrote to memory of 4048 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_2e6b7cc770979aafd121ae9579933f00_cobalt-strike_cobaltstrike.exe C:\Windows\System\kkEmkXU.exe
PID 3548 wrote to memory of 4352 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_2e6b7cc770979aafd121ae9579933f00_cobalt-strike_cobaltstrike.exe C:\Windows\System\flbYdCb.exe
PID 3548 wrote to memory of 4352 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_2e6b7cc770979aafd121ae9579933f00_cobalt-strike_cobaltstrike.exe C:\Windows\System\flbYdCb.exe
PID 3548 wrote to memory of 4000 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_2e6b7cc770979aafd121ae9579933f00_cobalt-strike_cobaltstrike.exe C:\Windows\System\ADihPZM.exe
PID 3548 wrote to memory of 4000 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_2e6b7cc770979aafd121ae9579933f00_cobalt-strike_cobaltstrike.exe C:\Windows\System\ADihPZM.exe
PID 3548 wrote to memory of 3160 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_2e6b7cc770979aafd121ae9579933f00_cobalt-strike_cobaltstrike.exe C:\Windows\System\VJigUtE.exe
PID 3548 wrote to memory of 3160 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_2e6b7cc770979aafd121ae9579933f00_cobalt-strike_cobaltstrike.exe C:\Windows\System\VJigUtE.exe
PID 3548 wrote to memory of 2000 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_2e6b7cc770979aafd121ae9579933f00_cobalt-strike_cobaltstrike.exe C:\Windows\System\ZGHroNa.exe
PID 3548 wrote to memory of 2000 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_2e6b7cc770979aafd121ae9579933f00_cobalt-strike_cobaltstrike.exe C:\Windows\System\ZGHroNa.exe
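
The two tables above carry the most useful behavioural evidence in this run: the dropper (PID 3548) enables SeLockMemoryPrivilege, and it writes into every one of the 21 processes it launched from C:\Windows\System\ (each target appears twice in the page). SeLockMemoryPrivilege on its own is weak evidence, because XMRig requests it to use large pages but so does legitimate software that locks pages in memory, database engines for instance. The combination with a one-to-many WriteProcessMemory fan-out into freshly dropped executables is what justifies a rule. The script below is an added example, not part of the report or of any vendor tooling: it rebuilds these rows from the page's own values (plus one constructed benign row for PID 1000 that must not fire), parses them and flags the pattern. The threshold of five children and the regex shapes are assumptions about this report format.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed input: the two signature tables from this report, rebuilt from
# the page's own values, plus one benign row (PID 1000) that must not fire.
DROPPER = (r"C:\Users\Admin\AppData\Local\Temp"
           r"\2024-05-30_2e6b7cc770979aafd121ae9579933f00_cobalt-strike_cobaltstrike.exe")
CHILDREN = [  # (pid, dropped image name) from the WriteProcessMemory table
    (3892, "bRnhyyI"), (4676, "DMkgHam"), (4332, "fkikomS"), (1396, "SBOxtqX"),
    (4312, "tXSKXao"), (4260, "ttSRizW"), (1312, "TCEcjgw"), (4492, "RfbzzLA"),
    (3992, "GhFgqtq"), (2792, "VKbbQJE"), (3052, "hIxwxom"), (3896, "VQjdfEZ"),
    (4908, "wsygvsI"), (2944, "JkAJZCE"), (1720, "SHerMTH"), (4980, "BRxJGPi"),
    (4048, "kkEmkXU"), (4352, "flbYdCb"), (4000, "ADihPZM"), (3160, "VJigUtE"),
    (2000, "ZGHroNa"),
]
SAMPLE_ROWS = [f"Token: SeLockMemoryPrivilege N/A {DROPPER} N/A"] * 2
for pid, name in CHILDREN:  # the page lists every target twice
    target = "C:\\Windows\\System\\" + name + ".exe"
    SAMPLE_ROWS += [f"PID 3548 wrote to memory of {pid} N/A {DROPPER} {target}"] * 2
SAMPLE_ROWS.append(r"PID 1000 wrote to memory of 1001 N/A C:\Tools\svc.exe C:\Tools\svc.exe")

# Row shapes as printed in this report; paths are assumed to contain no spaces.
TOKEN_RE = re.compile(r"^Token: (\S+) N/A (\S+) N/A$")
WPM_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)$")


@dataclass
class Finding:
    pid: int
    image: str
    children: int          # distinct target PIDs written to
    in_windows_dir: int    # of those, targets whose image lives under C:\Windows\
    lock_memory: bool      # the same image enabled SeLockMemoryPrivilege


def triage(rows, min_children=5):
    """Flag a process that writes into at least min_children distinct
    processes, and record whether it also enabled SeLockMemoryPrivilege."""
    privs = defaultdict(set)      # image path -> privileges enabled
    writes = defaultdict(dict)    # (src pid, src image) -> {dst pid: dst image}
    for line in rows:
        line = line.strip()
        if m := TOKEN_RE.match(line):
            privs[m.group(2)].add(m.group(1))
        elif m := WPM_RE.match(line):
            src, dst, src_img, dst_img = m.groups()
            writes[(int(src), src_img)][int(dst)] = dst_img
    findings = []
    for (pid, image), targets in writes.items():
        if len(targets) < min_children:
            continue
        in_win = sum(t.lower().startswith("c:\\windows\\") for t in targets.values())
        findings.append(Finding(pid, image, len(targets), in_win,
                                "SeLockMemoryPrivilege" in privs[image]))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_ROWS):
        print(finding)
```

Run against this report the single finding is PID 3548 with 21 children, all under C:\Windows\, with SeLockMemoryPrivilege set; the constructed PID 1000 row produces nothing because it has one target. The same parse works on the behavioral1 tables earlier on the page, which use identical row shapes.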

Processes

C:\Users\Admin\AppData\Local\Temp\2024-05-30_2e6b7cc770979aafd121ae9579933f00_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-05-30_2e6b7cc770979aafd121ae9579933f00_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\bRnhyyI.exe

C:\Windows\System\bRnhyyI.exe

C:\Windows\System\DMkgHam.exe

C:\Windows\System\DMkgHam.exe

C:\Windows\System\fkikomS.exe

C:\Windows\System\fkikomS.exe

C:\Windows\System\SBOxtqX.exe

C:\Windows\System\SBOxtqX.exe

C:\Windows\System\tXSKXao.exe

C:\Windows\System\tXSKXao.exe

C:\Windows\System\ttSRizW.exe

C:\Windows\System\ttSRizW.exe

C:\Windows\System\TCEcjgw.exe

C:\Windows\System\TCEcjgw.exe

C:\Windows\System\RfbzzLA.exe

C:\Windows\System\RfbzzLA.exe

C:\Windows\System\GhFgqtq.exe

C:\Windows\System\GhFgqtq.exe

C:\Windows\System\VKbbQJE.exe

C:\Windows\System\VKbbQJE.exe

C:\Windows\System\hIxwxom.exe

C:\Windows\System\hIxwxom.exe

C:\Windows\System\VQjdfEZ.exe

C:\Windows\System\VQjdfEZ.exe

C:\Windows\System\wsygvsI.exe

C:\Windows\System\wsygvsI.exe

C:\Windows\System\JkAJZCE.exe

C:\Windows\System\JkAJZCE.exe

C:\Windows\System\SHerMTH.exe

C:\Windows\System\SHerMTH.exe

C:\Windows\System\BRxJGPi.exe

C:\Windows\System\BRxJGPi.exe

C:\Windows\System\kkEmkXU.exe

C:\Windows\System\kkEmkXU.exe

C:\Windows\System\flbYdCb.exe

C:\Windows\System\flbYdCb.exe

C:\Windows\System\ADihPZM.exe

C:\Windows\System\ADihPZM.exe

C:\Windows\System\VJigUtE.exe

C:\Windows\System\VJigUtE.exe

C:\Windows\System\ZGHroNa.exe

C:\Windows\System\ZGHroNa.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 144.107.17.2.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 92.16.208.104.in-addr.arpa udp
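
Most of the Network table is background: PTR lookups sent to 8.8.8.8 for in-addr.arpa names, and the tse1.mm.bing.net traffic a Windows 10 image generates on its own. Filtering those leaves one endpoint, 3.120.209.58:8080 over TCP (DE), contacted six times. The report does not show what was exchanged on it, so it is an indicator to review, not a confirmed C2 or mining-pool address. The script below is an added example, not part of the report: it parses the table exactly as printed (rows with an empty Domain column have only three fields), decodes the PTR names back to the IPs that were looked up, and separates endpoints worth reviewing from noise. The background-domain allowlist is an assumption for this run, not a general list.

```python
from collections import Counter

# Constructed input: the Network table of this report, copied from the page.
NETWORK_ROWS = """\
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 144.107.17.2.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 92.16.208.104.in-addr.arpa udp
"""

PTR_SUFFIX = ".in-addr.arpa"
# Assumption for this run: domains previously established as guest background.
BACKGROUND_SUFFIXES = ("bing.net",)


def ptr_to_ip(name):
    """Decode a reverse-DNS name: '104.219.191.52.in-addr.arpa' -> '52.191.219.104'."""
    octets = name[:-len(PTR_SUFFIX)].split(".")
    return ".".join(reversed(octets))


def parse_rows(text):
    """Parse 'Country Destination [Domain] Proto' rows; Domain may be absent."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) == 4:
            country, dest, domain, proto = fields
        elif len(fields) == 3:              # the report prints no Domain here
            country, dest, proto = fields
            domain = ""
        else:
            continue
        if ":" not in dest:                 # skips a header line if present
            continue
        ip, port = dest.rsplit(":", 1)
        rows.append({"country": country, "ip": ip, "port": int(port),
                     "domain": domain, "proto": proto})
    return rows


def reverse_lookups(text):
    """IPs the guest asked the resolver about via PTR queries, decoded."""
    return sorted({ptr_to_ip(r["domain"]) for r in parse_rows(text)
                   if r["domain"].endswith(PTR_SUFFIX)})


def triage_network(text, background=BACKGROUND_SUFFIXES):
    """Split rows into endpoints to review and two classes of noise."""
    review, noise = Counter(), Counter()
    for r in parse_rows(text):
        dom = r["domain"]
        if r["proto"] == "udp" and r["port"] == 53 and dom.endswith(PTR_SUFFIX):
            noise["reverse-dns"] += 1
        elif dom and any(dom == s or dom.endswith("." + s) for s in background):
            noise["background-domain"] += 1
        else:
            review[f'{r["ip"]}:{r["port"]}/{r["proto"]} ({r["country"]})'] += 1
    return review, noise


if __name__ == "__main__":
    to_review, dropped = triage_network(NETWORK_ROWS)
    print("review:", dict(to_review))
    print("noise:", dict(dropped))
    print("PTR targets:", reverse_lookups(NETWORK_ROWS))
```

The eleven decoded PTR targets are addresses the guest tried to name, not addresses it necessarily connected to; the sandbox records the DNS query, not the reason for it. If the same 3.120.209.58:8080 endpoint shows up in other detonations of this family, that recurrence is what turns it into a blockable indicator.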

Files

memory/3548-0-0x00007FF7F09B0000-0x00007FF7F0D01000-memory.dmp

memory/3548-1-0x0000024D3B6B0000-0x0000024D3B6C0000-memory.dmp

C:\Windows\System\bRnhyyI.exe

MD5 5f43da69cb9f518f2b228a4d9fea558b
SHA1 ecc2aac38395ffac0c35e01e0b069d9177583fbf
SHA256 58547383167fd1838ca0f73c2dd1894e34c8a53956f187a60fb962484c1dd581
SHA512 43ec4ed28bbc6471944bc570b37998d3151a5497a5ec74801753fd6466f2dd9d7f015a33665d539e67e23d255d82807e78a9685b61470bbe83ee10490a5b4aad

memory/3892-8-0x00007FF79E720000-0x00007FF79EA71000-memory.dmp

C:\Windows\System\DMkgHam.exe

MD5 a933392bf662631b4f0423d836e9d774
SHA1 ac92cd00a38e3b5f2357127c6a87069ae402b743
SHA256 1ab69767ab3a160624d8f6afbedebd3ca4a17a7c20f02043beb7dda0cb6757ae
SHA512 47d9d26b0b7614f07086725c55c6eefa08e390a9b34e1f58552365cedc465e15d761b67ebeedf9d4e9ea184cb25e6ecd69ddece84c8d5374065350eddede2d89

C:\Windows\System\fkikomS.exe

MD5 59c905e31124faf7314a5bb2425afea5
SHA1 f53409bcdfe595a8a17db878c49326eb58e57ede
SHA256 d4791e15cc3f0688f866b0f8e018a5d0e0f1e453ee1c5c4e26fe0dc4d98ab5e3
SHA512 299426b3f6cab2221e89a4a8505e0835c403c9f0fce2f219fc94a7f07337789fca6eb03b2ffee31eb54cb917ff0ad037a97b4f9b069c1356077006b3267c8ff9

memory/4332-18-0x00007FF79C880000-0x00007FF79CBD1000-memory.dmp

C:\Windows\System\SBOxtqX.exe

MD5 51305c59ff7182d4056383a9e304d0ea
SHA1 8f7e9c1d9ed402e80b19e6b8f24fc1022e1a4690
SHA256 f7e549e555af5bfb9dbbb7861e3f7fd212b1f39fdf830080dd7917482d7dd65b
SHA512 a411ff4d0f9a96f336affc0bbbbb339545563794f49d55b03ef09d99ae0018c13773fc7c1b1002d2cf508d333c570d049612d1467f9e8ed376c277cbb1ad679d

memory/1396-26-0x00007FF7FCBB0000-0x00007FF7FCF01000-memory.dmp

memory/4676-17-0x00007FF7BD390000-0x00007FF7BD6E1000-memory.dmp

C:\Windows\System\tXSKXao.exe

MD5 36537cc1fb1bc4cafbc0ca86688c9a93
SHA1 a906f39d411d4a342fe8dc88d8edf0eb419888b2
SHA256 5d440a37fdd25874a95e5fa2d00531b31541d201201491e87e03b23cecfb5709
SHA512 e2ea07300aae80002ff3ebd1b46bbc742c5591568e9e9857c8b47f075ee7d8b502212466e2d3130f4e6c7cfae7d621233307cf374c24d5cc593603bf2c1c78bf

memory/4312-32-0x00007FF789210000-0x00007FF789561000-memory.dmp

C:\Windows\System\ttSRizW.exe

MD5 18886959b5ba7d7cf0751b4b823c5c99
SHA1 9e69699797e9ab0751aa0077e5f30d94e69f9372
SHA256 f5bac6d26c6ad3f7f102ca957f5dc82faa5d8799269771bfa86bac69c4e635ea
SHA512 fe6c1c523aba1cec45efe7ac71d3b098c150bf410f4e2e4e2ac9eddcd825a24ec0bc291e33147c254d674b877c8cb6852d9e01741bfe5897e339b46171f13615

memory/4260-38-0x00007FF602410000-0x00007FF602761000-memory.dmp

C:\Windows\System\TCEcjgw.exe

MD5 1022fc24f4504b84103414d2e1e4aea8
SHA1 32041f64d5bd705f8f44a0a8b3bd8fe8641b0c7b
SHA256 e20dee7bd0404bd90914bcdd2ab3931698990db90a863f64a1f3a5e54d8dc866
SHA512 7f121486aad4b8a0b60d2c0718d62568a54cddb770c2b97b1b0c8d3733bd2f83e1c5f18c0bcf1a37430bd103803e2c13529bb3183dc1abd0559ef3e0cbbe7be0

memory/1312-44-0x00007FF657550000-0x00007FF6578A1000-memory.dmp

C:\Windows\System\RfbzzLA.exe

MD5 aa66647bc9e82d948bcd9ff7c5e1e684
SHA1 49ea99f0322513218e781525f68254dca34ddf53
SHA256 0aad216e3cf7aa5d3465e6133f19a76c91fa6f270b1e579a87f05345829edd36
SHA512 a31f965388df57ce926ac6e69909e78e48db868d0a8cd7f4ae261c4305df6b16d5594a54703bc5c9f96f8bc8928b668788ffc7ae8b2b223b3adcf57894a3aa95

memory/4492-50-0x00007FF7895A0000-0x00007FF7898F1000-memory.dmp

C:\Windows\System\GhFgqtq.exe

MD5 f812247357bab1c379b2f5cad2ebd2b5
SHA1 75e3b3a803fdb89e66ae7b2c413c6972be2f7648
SHA256 bac2c93421803ec810ec97240e48cc5bb16e6e58a0818bfd654d263925a9c965
SHA512 430d404ee495fd9cf7515cb311d51ec60b1e453ca7192ea1aaef49f102e7df067a0c679c317a5ba74abd3556118d41b3c34ac3b9f63345cc6c4792d5bfe0aaac

C:\Windows\System\VQjdfEZ.exe

MD5 d1f6873e9466d528f5243537bb0060b6
SHA1 8deb7be74e1e0e0717e9f7164fd2a0ff97624bde
SHA256 9f04f0c71571c0464ba2b6f0e79a8b86971fa44c3ceeb4fcd23684409e29468a
SHA512 b7cf2b64794611d76e2ee00561fa54cfa3298cabae495bf603bd4f543a3685e397e1b91f77225d2b607aab3894ce618a1d8e9f3d81296905c2fd421fb839e44f

memory/3052-75-0x00007FF737680000-0x00007FF7379D1000-memory.dmp

memory/4908-73-0x00007FF722540000-0x00007FF722891000-memory.dmp

memory/2792-72-0x00007FF602290000-0x00007FF6025E1000-memory.dmp

C:\Windows\System\hIxwxom.exe

MD5 7b72fea3767a6fd99f1bf988874ae4dd
SHA1 838f7b6c17980293617c64b317abfd3eb4984e60
SHA256 44c82a3bae298aa075505ccddcfb353cc3766f16ec951f9d81956bfcfa1b13cb
SHA512 a4f604619b8afa8f3da692718a8aa12d14b7d620d8dcd3743f6e61fb96ba2a995b71d51f0fdd629818e7b4cb1515474ef02c46b4ce6e30190371a312b546342f

C:\Windows\System\wsygvsI.exe

MD5 4846119f71f3ba73234f45ca0a1fad44
SHA1 1d10ed27a740fd31b60ec748d026aaa80d835dcf
SHA256 66c1c2f40bb085cf728449e9240d0d78191837aaf15a9ce2f556e008b794d55f
SHA512 4f01c044cd237bf0a2327d92b4509fadefe2fa7405ea5cee29dc76ae44b1e404617993c84691f354ce709de8be1a9cd43f909ee9f7239760ae245920dd34cfa9

C:\Windows\System\JkAJZCE.exe

MD5 852006e834adb6c1ae81a07f77d6e194
SHA1 4a183b9a5f37d83e1441d09c7cdf6da283da7559
SHA256 607efe11eb8eda2138c528bcd8237f08b3a1875b99c7072aa059fba804c6dabc
SHA512 ef384414fbc3895062056ba3df6bdb336d38ca7eb1990b30ee25b182ccf627df2b555b598b07716dec4f500ce7ffe831d6d5f745d29229421a4406c966ade00e

memory/3896-85-0x00007FF7E87B0000-0x00007FF7E8B01000-memory.dmp

C:\Windows\System\SHerMTH.exe

MD5 f46dbd0a11984190da9aa06e1af6862e
SHA1 9eb753fc565df526ff64299170711ed36c837d7f
SHA256 aba7f0b8eff6a8d8b606ef72cfa69ddac690439e21f6953ef7f1ba22ff92c676
SHA512 9a41b5874f9f38de8262aa807269a945b9e28133ad96a1ecb9b6b1f4fda95b46837d03265c8ebc75cb8f923cb0e1f3ba49210952e4ef4751118261d36f379550

memory/4332-99-0x00007FF79C880000-0x00007FF79CBD1000-memory.dmp

memory/4980-100-0x00007FF7CE120000-0x00007FF7CE471000-memory.dmp

C:\Windows\System\BRxJGPi.exe

MD5 f64808c5182b593196004723c1e95d93
SHA1 ce263b63f87c9337e24dfc2af65d05ac7921ce40
SHA256 23dc0e5dfe21fde0859969dd943a8721f2327d26fffba26e19450ea29283b2b2
SHA512 8e07530e70ed40769d4b15591dc8e2595d6aa5dc06feae0b596f80194b6a0148f6a178d1abf55fae33224f94b121e5bec07b0d8a3aca7672f54f6a6ad4d29c11

memory/1720-92-0x00007FF7350D0000-0x00007FF735421000-memory.dmp

memory/2944-86-0x00007FF681060000-0x00007FF6813B1000-memory.dmp

C:\Windows\System\VKbbQJE.exe

MD5 3660d68fdc68051b66c55af50253772d
SHA1 28592cb60fb742353761bd4dadda3d02bc209d1f
SHA256 cd6f48db3e1c6c55a50399a51d46afce49cb6bfa3b1a8521d7b1a52655920cf8
SHA512 08b705ac62690c9a486f5005b7eb0d915b81d1d32afd741f49780f01e61d583b4754927c7e8b279fca5267dcd6839555a3bdbb358d9cd85a38b592dd0fd2af4f

memory/3548-64-0x00007FF7F09B0000-0x00007FF7F0D01000-memory.dmp

memory/3992-61-0x00007FF610E70000-0x00007FF6111C1000-memory.dmp

C:\Windows\System\kkEmkXU.exe

MD5 ee57bb919aa1e1ccaf9c744314cd7433
SHA1 ee5883d8b942712878425990189eb657b9a62af3
SHA256 64cb72a3862d3745a1697ce34ea73b00c61a28137920db01200c3096ea96e108
SHA512 059c89e5c8baabe4822903b40a3e2d81254e9df936fd86b02ef12625cb4b994acd2e6dab4311d0846ad4d9eb822072011b7e8659ac1cb370eedcdea230e5404d

C:\Windows\System\flbYdCb.exe

MD5 e37fe4fd149315f5ce1fb036fe60da29
SHA1 f5bd8e71fc3c42b8b79e0f64b97203d7d93979aa
SHA256 642c3c8e3a47990e385e0f2ea26945c63df07d7a8ad67d0c0adfa3cbf92f8a14
SHA512 c20581db877d9e4c26aedaa65625d6b9eb0f3b8d29d6a60ca01a51c0fb2ec918cb234d3dea3a13383df80689883d6a1fe60e1bf6158638a993383820b9027433

C:\Windows\System\VJigUtE.exe

MD5 fe4eae12fd1f07a23eeb946ae431126b
SHA1 50706ad69994e02f3abe270a920d1171992e8014
SHA256 6a0d6f60dd7e6d987b846125d177f92b7883c835555aec5846e801b4dee8a681
SHA512 9a37de1f77083e69835c426a9fbab8f6f222198d59f877cfc60a01d17dcaf7603d3ce35d4176acfb9a588d7f0045a764eafceb45359843941dc143d93fdf43de

C:\Windows\System\ADihPZM.exe

MD5 0d1b268e4b7ce7f0901d9ca151269ecb
SHA1 5ed537bb2b4e603cb3a32d8c144fde1d9f8b77a4
SHA256 03177a38443ceaa5696d22ea0c41acbc08c393c13924d856e27e4632c0b20311
SHA512 6b210167bcea0eb540bd638214614fdf3e888a8f857bdde3b1ebb2a9ecad9c68fa88a8a157804abed92a27ab97c07716405a16571ee424f56b61120551f9fcd5

memory/3160-133-0x00007FF6F2680000-0x00007FF6F29D1000-memory.dmp

memory/2000-134-0x00007FF657AC0000-0x00007FF657E11000-memory.dmp

C:\Windows\System\ZGHroNa.exe

MD5 fccdc0b7921c555af03288641ea9caf1
SHA1 33abc2019761b7d8c1c54df63b99669f92721f4d
SHA256 9ebb7c6a3206a6034a1e8e909bb9c503678b11601b18cdbc636b992f41a0a956
SHA512 93f33724e0fdce5bb92ca79d33f1f44099567bede73ededc19c29a7d6178d450b0afe5990c82e88e91cae1be23b041aa06aa0c62cc47175d7745f20c8ad7be4f

memory/4260-127-0x00007FF602410000-0x00007FF602761000-memory.dmp

memory/4000-125-0x00007FF654020000-0x00007FF654371000-memory.dmp

memory/4352-124-0x00007FF6D1090000-0x00007FF6D13E1000-memory.dmp

memory/4048-114-0x00007FF6E8F80000-0x00007FF6E92D1000-memory.dmp

memory/2792-141-0x00007FF602290000-0x00007FF6025E1000-memory.dmp

memory/1720-146-0x00007FF7350D0000-0x00007FF735421000-memory.dmp

memory/4908-144-0x00007FF722540000-0x00007FF722891000-memory.dmp

memory/4048-148-0x00007FF6E8F80000-0x00007FF6E92D1000-memory.dmp

memory/3896-143-0x00007FF7E87B0000-0x00007FF7E8B01000-memory.dmp

memory/3052-142-0x00007FF737680000-0x00007FF7379D1000-memory.dmp

memory/3548-149-0x00007FF7F09B0000-0x00007FF7F0D01000-memory.dmp

memory/4000-157-0x00007FF654020000-0x00007FF654371000-memory.dmp

memory/2000-159-0x00007FF657AC0000-0x00007FF657E11000-memory.dmp

memory/3548-171-0x00007FF7F09B0000-0x00007FF7F0D01000-memory.dmp

memory/3892-194-0x00007FF79E720000-0x00007FF79EA71000-memory.dmp

memory/4676-201-0x00007FF7BD390000-0x00007FF7BD6E1000-memory.dmp

memory/4332-203-0x00007FF79C880000-0x00007FF79CBD1000-memory.dmp

memory/1396-205-0x00007FF7FCBB0000-0x00007FF7FCF01000-memory.dmp

memory/4312-212-0x00007FF789210000-0x00007FF789561000-memory.dmp

memory/4260-214-0x00007FF602410000-0x00007FF602761000-memory.dmp

memory/1312-216-0x00007FF657550000-0x00007FF6578A1000-memory.dmp

memory/4492-218-0x00007FF7895A0000-0x00007FF7898F1000-memory.dmp

memory/3992-229-0x00007FF610E70000-0x00007FF6111C1000-memory.dmp

memory/2792-231-0x00007FF602290000-0x00007FF6025E1000-memory.dmp

memory/3896-234-0x00007FF7E87B0000-0x00007FF7E8B01000-memory.dmp

memory/2944-235-0x00007FF681060000-0x00007FF6813B1000-memory.dmp

memory/4908-239-0x00007FF722540000-0x00007FF722891000-memory.dmp

memory/3052-238-0x00007FF737680000-0x00007FF7379D1000-memory.dmp

memory/1720-241-0x00007FF7350D0000-0x00007FF735421000-memory.dmp

memory/4980-243-0x00007FF7CE120000-0x00007FF7CE471000-memory.dmp

memory/4048-247-0x00007FF6E8F80000-0x00007FF6E92D1000-memory.dmp

memory/4352-248-0x00007FF6D1090000-0x00007FF6D13E1000-memory.dmp

memory/4000-252-0x00007FF654020000-0x00007FF654371000-memory.dmp

memory/3160-251-0x00007FF6F2680000-0x00007FF6F29D1000-memory.dmp

memory/2000-254-0x00007FF657AC0000-0x00007FF657E11000-memory.dmp
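
The Files section is worth reading for two numbers rather than for the individual hashes: 21 dropped executables with 21 distinct SHA256 values, while every image mapping dumped from the child processes is exactly 0x351000 bytes, the same size as the dropper's own image at 0x00007FF7F09B0000 (the only other region, 3548-1, is a 0x10000-byte allocation). Identical mapped size with unique hashes is consistent with one payload being re-emitted with per-copy changes, but the report gives no on-disk sizes, so treat that as a hypothesis to test on the samples themselves. The script below is an added example, not part of the report: it parses a subset of this section copied from the page (three of the dropped files, SHA512 lines omitted, six dump entries) and reports the distinct-hash count and the region-size distribution. The regexes and the 1 MiB cut-off for "image-sized" regions are assumptions about this report format.

```python
import re
from collections import Counter

# Constructed input: a subset of this report's Files section, copied from the
# page (three dropped files, SHA512 lines omitted, six memory dump entries).
FILES_SAMPLE = r"""
memory/3548-0-0x00007FF7F09B0000-0x00007FF7F0D01000-memory.dmp
memory/3548-1-0x0000024D3B6B0000-0x0000024D3B6C0000-memory.dmp

C:\Windows\System\bRnhyyI.exe

MD5 5f43da69cb9f518f2b228a4d9fea558b
SHA1 ecc2aac38395ffac0c35e01e0b069d9177583fbf
SHA256 58547383167fd1838ca0f73c2dd1894e34c8a53956f187a60fb962484c1dd581

memory/3892-8-0x00007FF79E720000-0x00007FF79EA71000-memory.dmp

C:\Windows\System\DMkgHam.exe

MD5 a933392bf662631b4f0423d836e9d774
SHA1 ac92cd00a38e3b5f2357127c6a87069ae402b743
SHA256 1ab69767ab3a160624d8f6afbedebd3ca4a17a7c20f02043beb7dda0cb6757ae

C:\Windows\System\fkikomS.exe

MD5 59c905e31124faf7314a5bb2425afea5
SHA1 f53409bcdfe595a8a17db878c49326eb58e57ede
SHA256 d4791e15cc3f0688f866b0f8e018a5d0e0f1e453ee1c5c4e26fe0dc4d98ab5e3

memory/4332-18-0x00007FF79C880000-0x00007FF79CBD1000-memory.dmp
memory/4676-17-0x00007FF7BD390000-0x00007FF7BD6E1000-memory.dmp
memory/3548-64-0x00007FF7F09B0000-0x00007FF7F0D01000-memory.dmp
"""

# Line shapes as printed in this report (assumed, not a documented format).
MEM_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512) ([0-9a-f]+)$")
PATH_RE = re.compile(r"^[A-Za-z]:\\\S+\.exe$")
IMAGE_MIN = 0x100000   # assumption: regions at least 1 MiB are mapped images


def parse_files(text):
    """Return ({path: {algo: digest}}, [(pid, index, start, end)])."""
    dropped, regions, current = {}, [], None
    for line in text.splitlines():
        line = line.strip()
        if m := MEM_RE.match(line):
            pid, idx, start, end = m.groups()
            regions.append((int(pid), int(idx), int(start, 16), int(end, 16)))
            current = None                 # hash lines belong to the last path line
        elif m := HASH_RE.match(line):
            if current is not None:
                dropped[current][m.group(1)] = m.group(2)
        elif PATH_RE.match(line):
            current = line
            dropped.setdefault(current, {})
    return dropped, regions


def summarize(text):
    """Counts a practitioner wants before opening any single sample."""
    dropped, regions = parse_files(text)
    sha256s = {h["SHA256"] for h in dropped.values() if "SHA256" in h}
    sizes = Counter(end - start for _, _, start, end in regions)
    image_sizes = {s for s in sizes if s >= IMAGE_MIN}
    return {
        "dropped": len(dropped),
        "distinct_sha256": len(sha256s),
        "region_sizes": dict(sizes),                  # bytes -> number of dumps
        "pids_with_dumps": len({pid for pid, *_ in regions}),
        "uniform_image_size": len(image_sizes) == 1,  # one size for all images
    }


if __name__ == "__main__":
    for key, value in summarize(FILES_SAMPLE).items():
        print(f"{key}: {value}")
```

On the subset this reports three dropped files with three distinct SHA256 values, five dumps of 0x351000 bytes plus the one 0x10000-byte region, and a single image size. Feeding it the whole section gives the 21/21 figures quoted above; if distinct_sha256 were lower than dropped, the same file was written under several names and one hash would cover them all.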