Malware Analysis Report

2025-03-15 08:11

Sample ID 240530-a6whdshc25
Target 2024-05-30_45f292c80923c0f784b4b82361246b04_cobalt-strike_cobaltstrike
SHA256 cc10ed67eb1633f366be0a3d378a005e8f6fd5a0a97a0425fc0aff4159fb2970
Tags
upx 0 miner cobaltstrike xmrig backdoor trojan
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

score
10/10

SHA256

cc10ed67eb1633f366be0a3d378a005e8f6fd5a0a97a0425fc0aff4159fb2970

Threat Level: Known bad

The file 2024-05-30_45f292c80923c0f784b4b82361246b04_cobalt-strike_cobaltstrike was found to be: Known bad.

Malicious Activity Summary

upx 0 miner cobaltstrike xmrig backdoor trojan

Xmrig family

Cobaltstrike family

XMRig Miner payload

UPX dump on OEP (original entry point)

Cobalt Strike reflective loader

Detects Reflective DLL injection artifacts

Cobaltstrike

xmrig

UPX packed file

Executes dropped EXE

Loads dropped DLL

Drops file in Windows directory

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-05-30 00:50

Signatures

Cobalt Strike reflective loader
1 hit (Description/Indicator/Process/Target not recorded)

Cobaltstrike family
cobaltstrike

Detects Reflective DLL injection artifacts
1 hit (Description/Indicator/Process/Target not recorded)

UPX dump on OEP (original entry point)
1 hit (Description/Indicator/Process/Target not recorded)

XMRig Miner payload
miner
1 hit (Description/Indicator/Process/Target not recorded)

Xmrig family
xmrig

UPX packed file
upx
1 hit (Description/Indicator/Process/Target not recorded)

Unsigned PE
2 hits (Description/Indicator/Process/Target not recorded)

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-30 00:49

Reported

2024-05-30 00:52

Platform

win7-20240221-en

Max time kernel

142s

Max time network

144s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-05-30_45f292c80923c0f784b4b82361246b04_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader
21 hits (Description/Indicator/Process/Target not recorded)

Cobaltstrike
trojan backdoor cobaltstrike

xmrig
miner xmrig

Detects Reflective DLL injection artifacts
21 hits (Description/Indicator/Process/Target not recorded)

UPX dump on OEP (original entry point)
64 hits (Description/Indicator/Process/Target not recorded)

XMRig Miner payload
miner
40 hits (Description/Indicator/Process/Target not recorded)

Loads dropped DLL

21 hits, every one by process C:\Users\Admin\AppData\Local\Temp\2024-05-30_45f292c80923c0f784b4b82361246b04_cobalt-strike_cobaltstrike.exe (loaded module not recorded; the count matches the 21 executables dropped under C:\Windows\System\)

UPX packed file

upx
64 hits (Description/Indicator/Process/Target not recorded)

Drops file in Windows directory

Process (all 21 rows): C:\Users\Admin\AppData\Local\Temp\2024-05-30_45f292c80923c0f784b4b82361246b04_cobalt-strike_cobaltstrike.exe

Description Indicator Target
File created N/A C:\Windows\System\hYIpsly.exe
File created N/A C:\Windows\System\FaobcWq.exe
File created N/A C:\Windows\System\nYsZnKk.exe
File created N/A C:\Windows\System\wPOFSyj.exe
File created N/A C:\Windows\System\RWIjGBX.exe
File created N/A C:\Windows\System\xITwksC.exe
File created N/A C:\Windows\System\cmQOOKv.exe
File created N/A C:\Windows\System\wYPlXrA.exe
File created N/A C:\Windows\System\RVSXIMU.exe
File created N/A C:\Windows\System\YLITSiV.exe
File created N/A C:\Windows\System\JMgKqWc.exe
File created N/A C:\Windows\System\fbcmGXF.exe
File created N/A C:\Windows\System\qLWqdiA.exe
File created N/A C:\Windows\System\ffkwXZj.exe
File created N/A C:\Windows\System\KecQdwv.exe
File created N/A C:\Windows\System\HpYGpQl.exe
File created N/A C:\Windows\System\sMpcxfa.exe
File created N/A C:\Windows\System\WWufrzQ.exe
File created N/A C:\Windows\System\UnNhnKu.exe
File created N/A C:\Windows\System\eyaFhfA.exe
File created N/A C:\Windows\System\xbowGji.exe

Note: C:\Windows\System (not System32) is a legacy directory that is nearly empty on a clean installation, so every file-create there is a strong indicator on its own. All 21 names are seven mixed-case letters followed by .exe.

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_45f292c80923c0f784b4b82361246b04_cobalt-strike_cobaltstrike.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_45f292c80923c0f784b4b82361246b04_cobalt-strike_cobaltstrike.exe N/A
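SeLockMemoryPrivilege is the "Lock pages in memory" right; XMRig requests it so it can back its RandomX dataset with large pages, which is why the sandbox flags the parent enabling it twice. On a Windows host the same action surfaces as Security event 4703 ("A user right was adjusted") once the Audit Token Right Adjusted subcategory is on. The following is an added example, not part of the sandbox report or the sample: it parses constructed 4703 message bodies (field layout as Windows emits it, tabs replaced by spaces, values taken from the table above) and flags any process enabling SeLockMemoryPrivilege that is not on an allow-list. The allow-list entry sqlservr.exe is an assumption: SQL Server legitimately holds this right when "lock pages in memory" is configured, and your estate will have its own list.

```python
r"""Flag processes that enable SeLockMemoryPrivilege (Security event 4703).
Added example; event bodies are constructed, not taken from a real log."""
import re

# Constructed 4703 bodies. Process ID is hex in the real event (0xa18 == 2584,
# the parent PID from the report); the two benign records are invented noise.
EVENTS = [
    r"""A user right was adjusted.
Subject:
    Account Name:    Admin
Process Information:
    Process ID:      0xa18
    Process Name:    C:\Users\Admin\AppData\Local\Temp\2024-05-30_45f292c80923c0f784b4b82361246b04_cobalt-strike_cobaltstrike.exe
Enabled Privileges:
    SeLockMemoryPrivilege
Disabled Privileges:
    -""",
    r"""A user right was adjusted.
Subject:
    Account Name:    MSSQLSERVER
Process Information:
    Process ID:      0x6f4
    Process Name:    C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe
Enabled Privileges:
    SeLockMemoryPrivilege
Disabled Privileges:
    -""",
    r"""A user right was adjusted.
Subject:
    Account Name:    SYSTEM
Process Information:
    Process ID:      0x2c0
    Process Name:    C:\Windows\System32\svchost.exe
Enabled Privileges:
    SeDebugPrivilege
    SeBackupPrivilege
Disabled Privileges:
    -""",
]

# "Process ID:" / "Process Name:" lines, whitespace-tolerant, one per line.
FIELD = re.compile(r"^\s*(Process ID|Process Name):\s*(.+?)\s*$", re.M)
# Everything between the Enabled and Disabled headers; "-" means none.
ENABLED = re.compile(r"Enabled Privileges:\s*(.*?)\s*Disabled Privileges:", re.S)

# Assumption: processes allowed to hold "Lock pages in memory" in this estate.
ALLOWED_LARGE_PAGE_USERS = {"sqlservr.exe"}


def parse_4703(body):
    """Return {'pid': int, 'image': str, 'enabled': [privilege, ...]}."""
    fields = dict(FIELD.findall(body))
    m = ENABLED.search(body)
    enabled = [p for p in m.group(1).split() if p != "-"] if m else []
    return {
        "pid": int(fields["Process ID"], 16),
        "image": fields["Process Name"],
        "enabled": enabled,
    }


def flag_lock_memory(bodies, allowed=ALLOWED_LARGE_PAGE_USERS):
    """Return (pid, image) for every event that enables SeLockMemoryPrivilege
    from an executable outside the allow-list (compared by file name only)."""
    allowed_lc = {a.lower() for a in allowed}
    hits = []
    for body in bodies:
        ev = parse_4703(body)
        if "SeLockMemoryPrivilege" not in ev["enabled"]:
            continue
        exe = ev["image"].rsplit("\\", 1)[-1].lower()
        if exe not in allowed_lc:
            hits.append((ev["pid"], ev["image"]))
    return hits


if __name__ == "__main__":
    for pid, image in flag_lock_memory(EVENTS):
        print(f"SeLockMemoryPrivilege enabled by PID {pid}: {image}")
```

4703 is one of the noisiest events on a Windows host (svchost adjusts rights constantly), so narrowing to the single privilege is what makes this usable; matching the allow-list by file name only is a deliberate simplification, and a production rule should also check the image path or signer.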

Suspicious use of WriteProcessMemory

Source process (all rows): C:\Users\Admin\AppData\Local\Temp\2024-05-30_45f292c80923c0f784b4b82361246b04_cobalt-strike_cobaltstrike.exe, PID 2584. The sandbox logged three writes per target; each target is shown once.

Description Indicator Target
PID 2584 wrote to memory of 3060 (3 writes) N/A C:\Windows\System\hYIpsly.exe
PID 2584 wrote to memory of 2600 (3 writes) N/A C:\Windows\System\WWufrzQ.exe
PID 2584 wrote to memory of 2536 (3 writes) N/A C:\Windows\System\fbcmGXF.exe
PID 2584 wrote to memory of 2628 (3 writes) N/A C:\Windows\System\wPOFSyj.exe
PID 2584 wrote to memory of 2840 (3 writes) N/A C:\Windows\System\RWIjGBX.exe
PID 2584 wrote to memory of 2764 (3 writes) N/A C:\Windows\System\qLWqdiA.exe
PID 2584 wrote to memory of 2556 (3 writes) N/A C:\Windows\System\FaobcWq.exe
PID 2584 wrote to memory of 304 (3 writes) N/A C:\Windows\System\ffkwXZj.exe
PID 2584 wrote to memory of 2412 (3 writes) N/A C:\Windows\System\KecQdwv.exe
PID 2584 wrote to memory of 1632 (3 writes) N/A C:\Windows\System\HpYGpQl.exe
PID 2584 wrote to memory of 2820 (3 writes) N/A C:\Windows\System\xITwksC.exe
PID 2584 wrote to memory of 2952 (3 writes) N/A C:\Windows\System\UnNhnKu.exe
PID 2584 wrote to memory of 1444 (3 writes) N/A C:\Windows\System\cmQOOKv.exe
PID 2584 wrote to memory of 1456 (3 writes) N/A C:\Windows\System\nYsZnKk.exe
PID 2584 wrote to memory of 1560 (3 writes) N/A C:\Windows\System\wYPlXrA.exe
PID 2584 wrote to memory of 1452 (3 writes) N/A C:\Windows\System\sMpcxfa.exe
PID 2584 wrote to memory of 816 (3 writes) N/A C:\Windows\System\YLITSiV.exe
PID 2584 wrote to memory of 2460 (3 writes) N/A C:\Windows\System\eyaFhfA.exe
PID 2584 wrote to memory of 2728 (3 writes) N/A C:\Windows\System\xbowGji.exe
PID 2584 wrote to memory of 2668 (3 writes) N/A C:\Windows\System\JMgKqWc.exe
PID 2584 wrote to memory of 692 (3 writes) N/A C:\Windows\System\RVSXIMU.exe
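The two tables above (21 executables dropped under C:\Windows\System\ and the parent writing into each of them as a new process) are the behaviour a detection should key on. The three writes per child are, on their own, consistent with ordinary process creation, where the parent writes the new process's start-up parameters into it, so the write count is weak evidence; the drop-then-execute pattern into a legacy system directory is not. The following is an added example, not from the sandbox or the sample's author: Python that replays constructed Sysmon-style FileCreate (Event ID 11) and ProcessCreate (Event ID 1) records built from the report's paths and PIDs, plus two invented benign records, and flags a parent that drops at least five randomly named executables into C:\Windows\System\ and then launches them. The seven-letter name pattern, the five-drop threshold and the record shape are assumptions tuned to this sample.

```python
r"""Detect a dropper that writes randomly named EXEs into C:\Windows\System\
and executes each one. Added example; the event records are constructed."""
import re
from collections import defaultdict

# Parent image from the report and the 21 dropped names with the child PIDs
# recorded in the WriteProcessMemory table.
PARENT = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\2024-05-30_45f292c80923c0f784b4b82361246b04_cobalt-strike_cobaltstrike.exe")
DROPPED = {
    "hYIpsly.exe": 3060, "WWufrzQ.exe": 2600, "fbcmGXF.exe": 2536, "wPOFSyj.exe": 2628,
    "RWIjGBX.exe": 2840, "qLWqdiA.exe": 2764, "FaobcWq.exe": 2556, "ffkwXZj.exe": 304,
    "KecQdwv.exe": 2412, "HpYGpQl.exe": 1632, "xITwksC.exe": 2820, "UnNhnKu.exe": 2952,
    "cmQOOKv.exe": 1444, "nYsZnKk.exe": 1456, "wYPlXrA.exe": 1560, "sMpcxfa.exe": 1452,
    "YLITSiV.exe": 816, "eyaFhfA.exe": 2460, "xbowGji.exe": 2728, "JMgKqWc.exe": 2668,
    "RVSXIMU.exe": 692,
}

# Matches this sample's naming: exactly seven letters, mixed case, then .exe.
RANDOM_NAME = re.compile(r"^[A-Za-z]{7}\.exe$")
SYSTEM_DIR = re.compile(r"^C:\\Windows\\System\\", re.IGNORECASE)
USER_TEMP = re.compile(r"^C:\\Users\\[^\\]+\\AppData\\Local\\Temp\\", re.IGNORECASE)


def build_events():
    """Constructed Sysmon-like records: id 11 = FileCreate, id 1 = ProcessCreate."""
    events = []
    for name, pid in DROPPED.items():
        target = r"C:\Windows\System" + "\\" + name
        events.append({"id": 11, "pid": 2584, "image": PARENT, "target": target})
        events.append({"id": 1, "pid": pid, "image": target,
                       "ppid": 2584, "parent_image": PARENT})
    # Invented benign noise: an installer writing under Program Files, and the
    # parent spawning notepad, which it did not drop.
    events.append({"id": 11, "pid": 4000, "image": r"C:\setup.exe",
                   "target": r"C:\Program Files\App\app.exe"})
    events.append({"id": 1, "pid": 4001, "image": r"C:\Windows\System32\notepad.exe",
                   "ppid": 2584, "parent_image": PARENT})
    return events


def detect_dropper(events, min_drops=5):
    """Return {parent_pid: sorted names} for parents that created >= min_drops
    randomly named EXEs directly under C:\Windows\System\ and then executed
    at least that many of them."""
    drops = defaultdict(set)
    for ev in events:
        if ev["id"] == 11 and SYSTEM_DIR.match(ev["target"]):
            name = ev["target"].rsplit("\\", 1)[-1]
            if RANDOM_NAME.match(name):
                drops[ev["pid"]].add(name)
    executed = defaultdict(set)
    for ev in events:
        if ev["id"] == 1 and ev.get("ppid") in drops:
            name = ev["image"].rsplit("\\", 1)[-1]
            if name in drops[ev["ppid"]]:
                executed[ev["ppid"]].add(name)
    return {pid: sorted(names) for pid, names in executed.items()
            if len(names) >= min_drops}


def is_temp_origin(image):
    """True when the image lives in a user's local Temp directory, as this
    sample's parent does; useful as an extra scoring signal."""
    return bool(USER_TEMP.match(image))


if __name__ == "__main__":
    for pid, names in detect_dropper(build_events()).items():
        print(f"PID {pid} dropped and executed {len(names)} files: {', '.join(names)}")
```

The two passes are separated on purpose: a process that only creates files in that directory (an installer with a bad habit) does not fire, and neither does one that merely spawns children; it takes both, tied by the file name. Lowering min_drops to 1 turns the rule into a plain "anything new executed from C:\Windows\System\" alert, which is defensible on most fleets given how empty that directory normally is.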

Processes

C:\Users\Admin\AppData\Local\Temp\2024-05-30_45f292c80923c0f784b4b82361246b04_cobalt-strike_cobaltstrike.exe (PID 2584)
    "C:\Users\Admin\AppData\Local\Temp\2024-05-30_45f292c80923c0f784b4b82361246b04_cobalt-strike_cobaltstrike.exe"

    Children, each started with its own path as the command line (PIDs from the WriteProcessMemory table above):
        C:\Windows\System\hYIpsly.exe (PID 3060)
        C:\Windows\System\WWufrzQ.exe (PID 2600)
        C:\Windows\System\fbcmGXF.exe (PID 2536)
        C:\Windows\System\wPOFSyj.exe (PID 2628)
        C:\Windows\System\RWIjGBX.exe (PID 2840)
        C:\Windows\System\qLWqdiA.exe (PID 2764)
        C:\Windows\System\FaobcWq.exe (PID 2556)
        C:\Windows\System\ffkwXZj.exe (PID 304)
        C:\Windows\System\KecQdwv.exe (PID 2412)
        C:\Windows\System\HpYGpQl.exe (PID 1632)
        C:\Windows\System\xITwksC.exe (PID 2820)
        C:\Windows\System\UnNhnKu.exe (PID 2952)
        C:\Windows\System\cmQOOKv.exe (PID 1444)
        C:\Windows\System\nYsZnKk.exe (PID 1456)
        C:\Windows\System\wYPlXrA.exe (PID 1560)
        C:\Windows\System\sMpcxfa.exe (PID 1452)
        C:\Windows\System\YLITSiV.exe (PID 816)
        C:\Windows\System\eyaFhfA.exe (PID 2460)
        C:\Windows\System\xbowGji.exe (PID 2728)
        C:\Windows\System\JMgKqWc.exe (PID 2668)
        C:\Windows\System\RVSXIMU.exe (PID 692)

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 N/A tcp (6 connections; no domain resolved, so the IP:port pair is the usable indicator)

Files

memory/2584-0-0x000000013FD70000-0x00000001400C1000-memory.dmp

memory/2584-1-0x00000000000F0000-0x0000000000100000-memory.dmp

\Windows\system\hYIpsly.exe

MD5 977e7f95f2e76830ab9078a7cdb2f989
SHA1 a9a3335893865ac6fd1c0a384977debb30c7dcbf
SHA256 6d01ba72856b09ad04348bde44d4a52d54f6e0dcc73d171dc96e3a8182152aed
SHA512 9b34a32bf5868fb89c266deca96ce858fd70b1b9117db1549447842eda8b8cc11f8db3c227400c58c4c868b94b03512e68567f8a3efa9d51f51b06928bb3dab0

\Windows\system\WWufrzQ.exe

MD5 ebecd4505a06b3b452ee66d9d30fccf0
SHA1 f9cdf0a1d47c973f99f474c1322c6fb35a8600e5
SHA256 d718920f85d76aa093b95e166cb5d88a5805b9206586882e41474d1114cfc04e
SHA512 8171e14397c3d07afff29edf7ce984e1f2e92eaf36eb837bc1c6aa944b3c745bba90fdb53aa5aad5b7d3435c04d3e15986464547a50e2d9a43558a783c06f272

memory/2600-16-0x000000013FE60000-0x00000001401B1000-memory.dmp

memory/2584-15-0x00000000023A0000-0x00000000026F1000-memory.dmp

memory/3060-13-0x000000013F6A0000-0x000000013F9F1000-memory.dmp

memory/2584-12-0x000000013F6A0000-0x000000013F9F1000-memory.dmp

C:\Windows\system\fbcmGXF.exe

MD5 57ff7b7d024d0a188916d5d0695849ea
SHA1 7e6fab8e5f921ba36f88c7bd0be87670aa4d2f48
SHA256 7510be67900d0b90385d527a888ba5613b46540ab08027d591a43a6bb1925bd1
SHA512 23c9a1d31f297ce06729cb5ee3795854ef557a6ec618c32fb65f4543e302942bb5b185327f058429d2d785210f501f25e4542b75436a55e0a41cd84de543ecc3

memory/2536-23-0x000000013F260000-0x000000013F5B1000-memory.dmp

memory/2584-21-0x000000013F260000-0x000000013F5B1000-memory.dmp

\Windows\system\RWIjGBX.exe

MD5 ad092524b9917bca848149312e37b76f
SHA1 c57fd8e0b1f8b81dcb6fe79958fca9464bf0233d
SHA256 53074a51492943134d02098baa3a1a3f43f67f3da457983a4602b90fbad390d8
SHA512 b20fe487ef457e7abc26415c5bd68060ea2ea089d98cf18cd21ca030c207334d67794ed97691a3de390d71e1199963590b3d37c1ace53350e73843c7bc9c46ad

C:\Windows\system\wPOFSyj.exe

MD5 e91b23a43b2cf46ceb2fc28f2e608127
SHA1 c513e12bc0313cd515733cd4efa8f25bf14c539f
SHA256 9ff5151294f23af6d5165f46e34df359300620c111a5a2e148f16e8b36c4b954
SHA512 cd5a89388fbc4dbf1299c5e82359614b2fb32dec9ad008f5b6df2f99fe607289685e9dc91046bba20cb5560768db59213a8391907e0a336266db8bb1d941d6e1

memory/2628-29-0x000000013F1B0000-0x000000013F501000-memory.dmp

memory/2584-47-0x00000000023A0000-0x00000000026F1000-memory.dmp

memory/2556-64-0x000000013FF60000-0x00000001402B1000-memory.dmp

C:\Windows\system\nYsZnKk.exe

MD5 d8c830d7a4207f4593acd81216921771
SHA1 85ada7ebc7f710fd6c0e1a7ea736bcda618f059e
SHA256 a8cb43f11b4eecffbe5a85a2a9504ade357ffe63bfc5fb1586ae51831a627c1c
SHA512 8c36969043a18a5183325713db07183704850fea5964d910080e486ece36f4c2ef94f584d6413a7440180cd6212d366471aeed7cbef72ad5f3bf6b4e996bcf65

\Windows\system\JMgKqWc.exe

MD5 5f3887ae6f6b80fe5c7a5c423354813a
SHA1 c88ae80a27ab9eb65da3607c3c458945b3f04981
SHA256 062b2be383d255487a5bbfca3d6e7cdf1ffe1fffe10a39297d443aed8845bade
SHA512 6396d0b141edd6ce6348ee34fe7ab994639928d35561c50d6a64d39463ee839ffd48549ae3defb0ec79e5da0457f0a8ed1e575986bbb6def689894765d4b0d72

C:\Windows\system\sMpcxfa.exe

MD5 bcb96ce57d392ccbc9db3258df959540
SHA1 f41b969f56731fd2cfe042397fcb9a77a082b0da
SHA256 47c074fb6b9a4e3fd70f1744b7f09d43603e322862c17ebfa5ff3b0596cdadaa
SHA512 5aefe43e895fcf902f00a009eb603bf5219255fde882e9d9c8029c3ba552173e42ad6096a1d4367a8506b6326d97f127a0089b11ab0c72109680e783fa5e4df8

C:\Windows\system\YLITSiV.exe

MD5 6f9040e91744a2b08ab133cc6047234d
SHA1 84b546788a8c857ab5ee6a123a8c2ad2e2273848
SHA256 03ba2c510780fad5a1072ea7feeb1839d7524b36adbaa31f6b188e35b5dd6b7b
SHA512 9a655ad77b109a11dfead680d5bda88321275202b8c710bbd85fc15767c41fc0441d14de1eda83d6d5661363e7fd0fd6e0aefd11255f777b9607c1589cd2576c

\Windows\system\eyaFhfA.exe

MD5 09094a48c5f112f19c329090329db65b
SHA1 b4f59ae7a2fe247008d932c5e9dc5044581179fd
SHA256 db1a4658b60feaed1d252dff1db98d6d1d5c32f1e123751002bb849f080ca6d0
SHA512 e85d8350cf6b37c86f40a41acf7209d7eed1ed16e9a6f4944bb37b5ae11b61256c7d5000ba13eaf742ecf2c2e0f7856a78c5cb98f5c09a1af8c02b1afdbbceeb

C:\Windows\system\RVSXIMU.exe

MD5 1dbf77bbfe159b2322251f3f8cafd76e
SHA1 bb49e89d03b41d9bb0f3db6bb40eec883d91a479
SHA256 506cb02b0349f3e66379387517319d024739228892afe3dbcd4b46a9fe5fbd25
SHA512 c275453ab47a908b461150019365088b6f7a8ec2f4ae3f1d4085a6cd077391a79251e9ea88080865c5f4bf261e2a5e53c3b2cf47366250ae51cdf880b0f168ef

C:\Windows\system\xbowGji.exe

MD5 835dbcd305f8a66dd2581bf10d7908d8
SHA1 a0caca6ddce31004715a55db513cbb50cf582c72
SHA256 630a8f851a2da23080ac8f9a14779b889a93138c8c5e6c4ba50c7f96db7479da
SHA512 3a1b67a7e2e502c217e3e2d129f8e347a68db6bc67986333b3048467de0be323fcca682c3bdd19916f93db218ab8982e5e81e64d0aec603c4a74552f725b032b

C:\Windows\system\wYPlXrA.exe

MD5 facfd57c3f3f070b8f374f281fb8ee44
SHA1 11d42333a56ba8fd8ee39131170e7c1f06e271e2
SHA256 244d4d8be52f9efc2f505e4fad4c3db4f71efd6261c9fc709ba2f734db78180f
SHA512 76affcac84c7e6ee491371d9f25b46e63cf2fd9c6e7569c0de205b830b35fab9b9b9b84ab87c3f8c5f388d409dd4904d63cc41536f25feab8ccc31e55b390bcb

C:\Windows\system\cmQOOKv.exe

MD5 2129b47422629d076a419f6d10db7404
SHA1 26860b75b0f98f68838e09ddebb1575487114a60
SHA256 dc78e3850be38cebc416fafeda0d5de0897a85ae5a30df66f2bbdee8c0e44eb7
SHA512 29596aa9600e59ff9c13cbf815811479fa743daee6a43cbf0495310522aeddec61cc2920235ce808b917185f902cfec7b90d84e3ea2d61095fae52a8c7d0d0a5

C:\Windows\system\UnNhnKu.exe

MD5 0537651513953f0470b2387df61a22ad
SHA1 4fa9b133db44877e1cece39e2ed29397f60f1f42
SHA256 addca3646a308a6ff105d2b09407d340ab142dad24338794cfba838d3cbc411e
SHA512 4dd92463196cdbe3a0393aced2afec02e6d31594ea343319bf64572c39d44107e84ab493629b687dfaf16db3293f11ecbc4219a7b00b20cd0f2b7e9a36d28f86

C:\Windows\system\xITwksC.exe

MD5 1a0ccedf1e7412c0a646f9f12a549861
SHA1 88da5e072fee670d8b8446e42c86e08e11229f9b
SHA256 f9cac9bd6290a806b59d23d3547610f154198c8dd0f09b883b0999fdc1ce4797
SHA512 6adda985f1c7fc6353e53ae9775a39ba281ad2f0414cbdb7a9df1563aca6a5a18aa4259a3105a2c36be0072911a4f4fb5a6366e06f8967b9fa9ed705de04e4c7

memory/1632-71-0x000000013FBA0000-0x000000013FEF1000-memory.dmp

memory/304-69-0x000000013F040000-0x000000013F391000-memory.dmp

memory/2764-68-0x000000013F750000-0x000000013FAA1000-memory.dmp

memory/2412-65-0x000000013F350000-0x000000013F6A1000-memory.dmp

C:\Windows\system\HpYGpQl.exe

MD5 7c07f44b399719d614ad20940348c033
SHA1 f2c31d7679e4282bc8ce626e7ca5dc914ea93558
SHA256 cadfce18bbc522fc20baba37d92773f1c2c16783af4e8cadb77eb12b75d85fa1
SHA512 995155bd4418f62791385b8809a0ca900ca48aba2fad99c97e42f26ba00c78fb757e238c7bc071b0c236def6777cd803001b0f552da7db608bec5014598b6d5b

C:\Windows\system\ffkwXZj.exe

MD5 31882fa2bee3f5ab45597944c65660ea
SHA1 7139d1f58fe951ad4ee8a394178076c78d0db8ce
SHA256 fcd3e5b5282eee5f13d729928dcb766b62ea675f516ba8c07c4dec038f4943a5
SHA512 d69d62d51c00e0f5985c19f953dcd58d7c23ca88f9ff29624045bd4a9ce30b3afa5699a68ceba3ea5d90dc8590c779588f20f9a45c3157df87d2b089a2a41254

C:\Windows\system\qLWqdiA.exe

MD5 4b93fe639ef7cf364f1fff8e1a51d241
SHA1 ad181915b0c9dad08227b0497d0ad0bb1d1540a1
SHA256 d642a344c4fbe025d786eeb522eae3d7d5beba0648309179d390c30bf8390d3a
SHA512 81f14943d2e8080611dffb34a3fef515fa2f0e044821c3502cf0cafc8501753c06c7239a8deb4fee4be95496fabe1505507cbb4e4dad9e60bec3611a0b38b53c

C:\Windows\system\KecQdwv.exe

MD5 7282e9979f52cc103e3b57e745ee4bfe
SHA1 d3620002e47a686ab30c9a347aa197f4cc1f7fa9
SHA256 6fb79f0b4120adca56467d5bd76b869b755359fcb46048d6d366898e3893f385
SHA512 7da75ca9337ff98d521fde41fd0567e2afd0dfde6efde7638c170b2b4561792e7d81806d46312d811e45d231244d33f51f8b9da6259da38d6523db4701665f85

C:\Windows\system\FaobcWq.exe

MD5 7f53acca0c5b0f9015439585f61feeb8
SHA1 033822353099840fddc8643b9f27898cb344a82c
SHA256 33e45304d7bd26a9e2d85ed8c6fdbc0e7052ccf065d6aa004ff1dec46d06f8d9
SHA512 c0a4d99d16420f15b62d6539850897717b0441b581b60253415b29dd2101122c6599abe035c2c1aedf1604abf69f19cc9026af61aeb5ae4256a0f0e24e17032d

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-30 00:49

Reported

2024-05-30 00:52

Platform

win10v2004-20240426-en

Max time kernel

141s

Max time network

156s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-05-30_45f292c80923c0f784b4b82361246b04_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\wVUbugW.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_45f292c80923c0f784b4b82361246b04_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\HntwMjh.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_45f292c80923c0f784b4b82361246b04_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\YeJpIUn.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_45f292c80923c0f784b4b82361246b04_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\gImfPfW.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_45f292c80923c0f784b4b82361246b04_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\cPPOJgN.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_45f292c80923c0f784b4b82361246b04_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\SPrgytH.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_45f292c80923c0f784b4b82361246b04_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\QdwTCGS.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_45f292c80923c0f784b4b82361246b04_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\WKqnCyI.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_45f292c80923c0f784b4b82361246b04_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\DgftHAj.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_45f292c80923c0f784b4b82361246b04_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\MtFMrKL.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_45f292c80923c0f784b4b82361246b04_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ValRblY.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_45f292c80923c0f784b4b82361246b04_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\BhaMBEc.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_45f292c80923c0f784b4b82361246b04_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\aFSaOTm.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_45f292c80923c0f784b4b82361246b04_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\RPzEBjC.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_45f292c80923c0f784b4b82361246b04_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\XhiCRov.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_45f292c80923c0f784b4b82361246b04_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\yDauOkf.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_45f292c80923c0f784b4b82361246b04_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\GGvvIwg.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_45f292c80923c0f784b4b82361246b04_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\VeJBVUo.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_45f292c80923c0f784b4b82361246b04_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\GCcvNlE.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_45f292c80923c0f784b4b82361246b04_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\SkdyjHv.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_45f292c80923c0f784b4b82361246b04_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\xnsLsjT.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_45f292c80923c0f784b4b82361246b04_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_45f292c80923c0f784b4b82361246b04_cobalt-strike_cobaltstrike.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_45f292c80923c0f784b4b82361246b04_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2028 wrote to memory of 2488 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_45f292c80923c0f784b4b82361246b04_cobalt-strike_cobaltstrike.exe C:\Windows\System\HntwMjh.exe
PID 2028 wrote to memory of 2488 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_45f292c80923c0f784b4b82361246b04_cobalt-strike_cobaltstrike.exe C:\Windows\System\HntwMjh.exe
PID 2028 wrote to memory of 3476 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_45f292c80923c0f784b4b82361246b04_cobalt-strike_cobaltstrike.exe C:\Windows\System\GGvvIwg.exe
PID 2028 wrote to memory of 3476 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_45f292c80923c0f784b4b82361246b04_cobalt-strike_cobaltstrike.exe C:\Windows\System\GGvvIwg.exe
PID 2028 wrote to memory of 3552 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_45f292c80923c0f784b4b82361246b04_cobalt-strike_cobaltstrike.exe C:\Windows\System\aFSaOTm.exe
PID 2028 wrote to memory of 3552 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_45f292c80923c0f784b4b82361246b04_cobalt-strike_cobaltstrike.exe C:\Windows\System\aFSaOTm.exe
PID 2028 wrote to memory of 3840 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_45f292c80923c0f784b4b82361246b04_cobalt-strike_cobaltstrike.exe C:\Windows\System\VeJBVUo.exe
PID 2028 wrote to memory of 3840 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_45f292c80923c0f784b4b82361246b04_cobalt-strike_cobaltstrike.exe C:\Windows\System\VeJBVUo.exe
PID 2028 wrote to memory of 3564 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_45f292c80923c0f784b4b82361246b04_cobalt-strike_cobaltstrike.exe C:\Windows\System\GCcvNlE.exe
PID 2028 wrote to memory of 3564 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_45f292c80923c0f784b4b82361246b04_cobalt-strike_cobaltstrike.exe C:\Windows\System\GCcvNlE.exe
PID 2028 wrote to memory of 4420 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_45f292c80923c0f784b4b82361246b04_cobalt-strike_cobaltstrike.exe C:\Windows\System\RPzEBjC.exe
PID 2028 wrote to memory of 4420 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_45f292c80923c0f784b4b82361246b04_cobalt-strike_cobaltstrike.exe C:\Windows\System\RPzEBjC.exe
PID 2028 wrote to memory of 5036 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_45f292c80923c0f784b4b82361246b04_cobalt-strike_cobaltstrike.exe C:\Windows\System\YeJpIUn.exe
PID 2028 wrote to memory of 5036 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_45f292c80923c0f784b4b82361246b04_cobalt-strike_cobaltstrike.exe C:\Windows\System\YeJpIUn.exe
PID 2028 wrote to memory of 4276 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_45f292c80923c0f784b4b82361246b04_cobalt-strike_cobaltstrike.exe C:\Windows\System\gImfPfW.exe
PID 2028 wrote to memory of 4276 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_45f292c80923c0f784b4b82361246b04_cobalt-strike_cobaltstrike.exe C:\Windows\System\gImfPfW.exe
PID 2028 wrote to memory of 3160 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_45f292c80923c0f784b4b82361246b04_cobalt-strike_cobaltstrike.exe C:\Windows\System\SkdyjHv.exe
PID 2028 wrote to memory of 3160 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_45f292c80923c0f784b4b82361246b04_cobalt-strike_cobaltstrike.exe C:\Windows\System\SkdyjHv.exe
PID 2028 wrote to memory of 2080 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_45f292c80923c0f784b4b82361246b04_cobalt-strike_cobaltstrike.exe C:\Windows\System\WKqnCyI.exe
PID 2028 wrote to memory of 2080 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_45f292c80923c0f784b4b82361246b04_cobalt-strike_cobaltstrike.exe C:\Windows\System\WKqnCyI.exe
PID 2028 wrote to memory of 2292 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_45f292c80923c0f784b4b82361246b04_cobalt-strike_cobaltstrike.exe C:\Windows\System\cPPOJgN.exe
PID 2028 wrote to memory of 2292 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_45f292c80923c0f784b4b82361246b04_cobalt-strike_cobaltstrike.exe C:\Windows\System\cPPOJgN.exe
PID 2028 wrote to memory of 2176 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_45f292c80923c0f784b4b82361246b04_cobalt-strike_cobaltstrike.exe C:\Windows\System\DgftHAj.exe
PID 2028 wrote to memory of 2176 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_45f292c80923c0f784b4b82361246b04_cobalt-strike_cobaltstrike.exe C:\Windows\System\DgftHAj.exe
PID 2028 wrote to memory of 4168 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_45f292c80923c0f784b4b82361246b04_cobalt-strike_cobaltstrike.exe C:\Windows\System\MtFMrKL.exe
PID 2028 wrote to memory of 4168 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_45f292c80923c0f784b4b82361246b04_cobalt-strike_cobaltstrike.exe C:\Windows\System\MtFMrKL.exe
PID 2028 wrote to memory of 4888 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_45f292c80923c0f784b4b82361246b04_cobalt-strike_cobaltstrike.exe C:\Windows\System\xnsLsjT.exe
PID 2028 wrote to memory of 4888 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_45f292c80923c0f784b4b82361246b04_cobalt-strike_cobaltstrike.exe C:\Windows\System\xnsLsjT.exe
PID 2028 wrote to memory of 2156 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_45f292c80923c0f784b4b82361246b04_cobalt-strike_cobaltstrike.exe C:\Windows\System\XhiCRov.exe
PID 2028 wrote to memory of 2156 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_45f292c80923c0f784b4b82361246b04_cobalt-strike_cobaltstrike.exe C:\Windows\System\XhiCRov.exe
PID 2028 wrote to memory of 5108 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_45f292c80923c0f784b4b82361246b04_cobalt-strike_cobaltstrike.exe C:\Windows\System\ValRblY.exe
PID 2028 wrote to memory of 5108 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_45f292c80923c0f784b4b82361246b04_cobalt-strike_cobaltstrike.exe C:\Windows\System\ValRblY.exe
PID 2028 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_45f292c80923c0f784b4b82361246b04_cobalt-strike_cobaltstrike.exe C:\Windows\System\BhaMBEc.exe
PID 2028 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_45f292c80923c0f784b4b82361246b04_cobalt-strike_cobaltstrike.exe C:\Windows\System\BhaMBEc.exe
PID 2028 wrote to memory of 2632 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_45f292c80923c0f784b4b82361246b04_cobalt-strike_cobaltstrike.exe C:\Windows\System\QdwTCGS.exe
PID 2028 wrote to memory of 2632 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_45f292c80923c0f784b4b82361246b04_cobalt-strike_cobaltstrike.exe C:\Windows\System\QdwTCGS.exe
PID 2028 wrote to memory of 624 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_45f292c80923c0f784b4b82361246b04_cobalt-strike_cobaltstrike.exe C:\Windows\System\yDauOkf.exe
PID 2028 wrote to memory of 624 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_45f292c80923c0f784b4b82361246b04_cobalt-strike_cobaltstrike.exe C:\Windows\System\yDauOkf.exe
PID 2028 wrote to memory of 1132 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_45f292c80923c0f784b4b82361246b04_cobalt-strike_cobaltstrike.exe C:\Windows\System\SPrgytH.exe
PID 2028 wrote to memory of 1132 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_45f292c80923c0f784b4b82361246b04_cobalt-strike_cobaltstrike.exe C:\Windows\System\SPrgytH.exe
PID 2028 wrote to memory of 1484 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_45f292c80923c0f784b4b82361246b04_cobalt-strike_cobaltstrike.exe C:\Windows\System\wVUbugW.exe
PID 2028 wrote to memory of 1484 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_45f292c80923c0f784b4b82361246b04_cobalt-strike_cobaltstrike.exe C:\Windows\System\wVUbugW.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-05-30_45f292c80923c0f784b4b82361246b04_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-05-30_45f292c80923c0f784b4b82361246b04_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\HntwMjh.exe

C:\Windows\System\HntwMjh.exe

C:\Windows\System\GGvvIwg.exe

C:\Windows\System\GGvvIwg.exe

C:\Windows\System\aFSaOTm.exe

C:\Windows\System\aFSaOTm.exe

C:\Windows\System\VeJBVUo.exe

C:\Windows\System\VeJBVUo.exe

C:\Windows\System\GCcvNlE.exe

C:\Windows\System\GCcvNlE.exe

C:\Windows\System\RPzEBjC.exe

C:\Windows\System\RPzEBjC.exe

C:\Windows\System\YeJpIUn.exe

C:\Windows\System\YeJpIUn.exe

C:\Windows\System\gImfPfW.exe

C:\Windows\System\gImfPfW.exe

C:\Windows\System\SkdyjHv.exe

C:\Windows\System\SkdyjHv.exe

C:\Windows\System\WKqnCyI.exe

C:\Windows\System\WKqnCyI.exe

C:\Windows\System\cPPOJgN.exe

C:\Windows\System\cPPOJgN.exe

C:\Windows\System\DgftHAj.exe

C:\Windows\System\DgftHAj.exe

C:\Windows\System\MtFMrKL.exe

C:\Windows\System\MtFMrKL.exe

C:\Windows\System\xnsLsjT.exe

C:\Windows\System\xnsLsjT.exe

C:\Windows\System\XhiCRov.exe

C:\Windows\System\XhiCRov.exe

C:\Windows\System\ValRblY.exe

C:\Windows\System\ValRblY.exe

C:\Windows\System\BhaMBEc.exe

C:\Windows\System\BhaMBEc.exe

C:\Windows\System\QdwTCGS.exe

C:\Windows\System\QdwTCGS.exe

C:\Windows\System\yDauOkf.exe

C:\Windows\System\yDauOkf.exe

C:\Windows\System\SPrgytH.exe

C:\Windows\System\SPrgytH.exe

C:\Windows\System\wVUbugW.exe

C:\Windows\System\wVUbugW.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 99.58.20.217.in-addr.arpa udp
DE 3.120.209.58:8080 N/A tcp
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
DE 3.120.209.58:8080 N/A tcp
DE 3.120.209.58:8080 N/A tcp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
DE 3.120.209.58:8080 N/A tcp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
DE 3.120.209.58:8080 N/A tcp
DE 3.120.209.58:8080 N/A tcp

Files

memory/2028-0-0x00007FF6CB9B0000-0x00007FF6CBD01000-memory.dmp

memory/2028-1-0x000001F519680000-0x000001F519690000-memory.dmp

C:\Windows\System\HntwMjh.exe

MD5 3d9538448f0e981f0033981ae3cdfa1d
SHA1 03a35cc5234891f19dcdd330fdb72a7b483bc92e
SHA256 4915059586ff362ca5362cbe89f70dc990a4c213b242824f18b1b014a52f9c7d
SHA512 67e6c5d6441d17b12ae96fec63730c7396ed3f4e4acac451f51cb304026d1fa6ba5815fd0c983460172ef1aef478c300b616c576cbf53555e84b5e6ed73840a4

memory/2488-7-0x00007FF791D40000-0x00007FF792091000-memory.dmp

C:\Windows\System\aFSaOTm.exe

MD5 29a1233155c4fd6e46b98bcbaac893d6
SHA1 9ec0de247ee4f46f2334282028dc19bffebc7953
SHA256 ec451842bc68279f8a15b502ea45dece55c1df913d1fc4d382b0dc955e19e688
SHA512 1ea1fc135a92476ceeb0be3fee36fdcea2c1debad41be6b2d83eec50831f1d4aedae711d0d06c149fba62dd53234a3803f4f2616d79b64c25cea497627e4991b

C:\Windows\System\GGvvIwg.exe

MD5 93e9e1ab273058fa393564363d05a3cf
SHA1 2ebbdcc764337c53e42a63812be3371de8d6f89a
SHA256 429fb77da1726394237634c4f61b0d238a7c80086b3c42e8cba1c898cca066fd
SHA512 d0ca6665a78901bbd4afd652b3cb632238e1a99600414fcb604f00613c13684304152c09be52ee1565952b8d5cb69fa740c6a08f7e22a63c6d12945feab64d13

memory/3476-16-0x00007FF77C450000-0x00007FF77C7A1000-memory.dmp

memory/3552-19-0x00007FF6ACBE0000-0x00007FF6ACF31000-memory.dmp

C:\Windows\System\VeJBVUo.exe

MD5 0e38d8894b4939575a29510f7c052efb
SHA1 1e22de88d123ca6457e2ae02cfecd7d2a2f33921
SHA256 7516f107da7122421f1020360430f2148849bab272d13672d7c503078052472a
SHA512 91684c408515284c367afe3e1f0ef4d50c7c625329d787f5087d3d8faa67496d76d1fd589a25fdf26f1dc1a38d7f518e0c325c3c8ee15dde13f8597c846c7161

C:\Windows\System\GCcvNlE.exe

MD5 62b3c54f4f77a15d7f3d6f6f6ed2a7a6
SHA1 6dda66d51777b3bb87f37ed71268def41a8ae203
SHA256 64b766f34bb81d8be05a2a803349f3dba233a54c623740dd35c8b08146951291
SHA512 c370bc94026e38e66a82e5a747ac64c6d85c77c0e82f490f714c15da14e8f442076ffa4249fa2f69968980094e2fd0400ef24bfc9242a91247f58bb81d0f3a1e

memory/3840-28-0x00007FF6131C0000-0x00007FF613511000-memory.dmp

memory/3564-36-0x00007FF68A9E0000-0x00007FF68AD31000-memory.dmp

C:\Windows\System\RPzEBjC.exe

MD5 33dc830ad5d2ee3f2c9c1d64f08b79a1
SHA1 dad192a9c7e6c7fb03d50969eacdaf241f342b03
SHA256 fbad5a9ee31229025c83317fcdc897c23cf9b14b1fe9c85a1c807766d4271022
SHA512 66da996a6fe856c8db16628b5a1fc3de88555958536492bc1b5ad9ae978eb26ca2cd1e99c3a4e6917cb57ca68bb0b8245a9ca21f134566c188c384985355d913

C:\Windows\System\gImfPfW.exe

MD5 335c811fe400c217936472e9bd35476c
SHA1 765fb4ebbeb72b575e20622faa1053c60f300c21
SHA256 158d1db73f511af43694e9903f8bfd8bf9a6582b52b6c7096d7e4a892090db09
SHA512 929da10bf8b8d225f2d68b9702c4fbdf24d8b56eee6a81ccf403363f2d8dd78ecaec4cd8f65d5b040beee68f4c3a25a7ab6169dc557fbf28550e14acf2600907

C:\Windows\System\SkdyjHv.exe

MD5 4152c7793cfe81fd5731f2a9c7392ee5
SHA1 6c09902c396a6e6e955a40fd606ee9b9bd43de97
SHA256 caf57ea6354542f2be30cc3015fcdf64373d75f5f8602200bd064b64c02a9a38
SHA512 2a2a15c717392bf0e4a70084285360b05886119cd9f1d64e9410d4aee3aea0c694d61de6980d923c7274f8250249a5a3a9a4859808238ed1af9bbe0925f69809

C:\Windows\System\WKqnCyI.exe

MD5 a02761da74008819f74e088b74ff6947
SHA1 ffc98399ae3d69f38cdfda3b32161914061dc3de
SHA256 e8bcfb5f07a37e864d118b4f1fa80e349e855497590d503ab1e97c6a984d6412
SHA512 9fd640a89056f306c81ba173ad4d35af3ee56f917513d05ca80cbd95b11dd5f9285348b3151950525bbe70c67b38452bbf5b25e892e3bc045677591c628f4b8c

memory/4276-68-0x00007FF753F40000-0x00007FF754291000-memory.dmp

memory/3160-80-0x00007FF714880000-0x00007FF714BD1000-memory.dmp

C:\Windows\System\XhiCRov.exe

MD5 65e6baed943aad99a0f7fa5503c27c3a
SHA1 79881d366a9c02d62c3a4d997e9e8e6774953c70
SHA256 7a715ac824461398879850262d2ec1677277bed53b4174139919a6d604a59612
SHA512 88142e38abe5731ce0a5989c88fdea0c01dbacdf31ab556fc0b8f1b6df289cea9d270cb9869fbf21a78186efbeb214d8650cdfc96d96f7dd333fcf44415530d9

memory/4888-96-0x00007FF7A6790000-0x00007FF7A6AE1000-memory.dmp

C:\Windows\System\BhaMBEc.exe

MD5 23179f24da1b2404cc52ac4c4f2ae175
SHA1 8f898d6bcad4a48a8968c3386f4a5ade2551e49a
SHA256 388ff1a9d0f2f720b14b68483f82081065568edf14500b093ee3390ba1a28de6
SHA512 c8be716adb1819b66f71550e8bc7c17aa3dd7b6f83e401a37320fb6c3becfda84866c09b72bfb82ba3389558368ebe83ff71ad0b743d9f5733c6c7c3c9027e48

C:\Windows\System\yDauOkf.exe

MD5 273b7497a256f1ae146db5bd68e2488b
SHA1 db2ef44c134e0b1a938c00692e34c354d1386c9f
SHA256 5ed9d58dd187ab7bd66ead97eb9eabede8fed1575f5770d63fc480d9e51d904b
SHA512 b148de424c0bdb98d265cb3eb8fcfb77dc1792b8ac0df1996cdec81f2e40b7c9b413712c5e7d5e54fd45d012568a44c10369d065d3726f785c9c73708b49b4ab

C:\Windows\System\wVUbugW.exe

MD5 9aacea93b5f8551ab442e22751c0d13f
SHA1 ca6603fc1a22b3ce612c92278a885d65c2625105
SHA256 7156e992f6c5ceead0c7adeb2e0ddbf8fcc52bfc0919caaf93f7beae63e72e62
SHA512 14d7bbf05779ee8e356673f8115d4f5a9dd1d8eb1b338b3441b0543243e01952e7cf273c7148472363af1b8185564087f1166764980d9657666d3245c07910af

C:\Windows\System\SPrgytH.exe

MD5 2016623a0789566f8ccaa8a51b8a419e
SHA1 75294f50f40a246c7a3e28cb38b36318739fe441
SHA256 7bbdbf71ce1099d83fdd5ab144bc593da90329ee5461fd0440091ed80ed7d95f
SHA512 c7a721decea8a282e2261688ecc7e1e6b00d8295a4a0d64873fd285dbf28a8a9b1ec883e8c75ff7b07146048ad7bc68919e47b390af9e6ccd3af9ddb41097b57

C:\Windows\System\QdwTCGS.exe

MD5 28b38fc2f637cc05fe119bc6675af7c3
SHA1 ee3b10b4f206eed7286803e7b8100b9028440fe8
SHA256 21cb94ce9034c4a44839edeac74a5b29acc22062159a8b49d5194d83a706b6e4
SHA512 7f327e5dd86a3dfed3cc291877e3eb582e4798753a95b66e8c3014a6d00e0b5c97ad1dc6d049591e9201854d57787825faa44713b862fc44fd6fbe0fdc51a8ae

C:\Windows\System\ValRblY.exe

MD5 1feed15509c27b05cd4ee829e9c26e52
SHA1 e368ff5628f66545880bae42342541ea9f984186
SHA256 98d86f38afa5b8ee5411feb471d75b8d8b401fc07ecaed9aee4418c69e3ae8a4
SHA512 5e7f5ab69aad99e929231813cc15e70e7d2ef35a0566190cee0bb67fb0436ec2fc6df7585c1f16d2cf1135608fb474e775b3d5c8bae385c93da93273e836fff0

memory/2292-91-0x00007FF735090000-0x00007FF7353E1000-memory.dmp

C:\Windows\System\xnsLsjT.exe

MD5 cacdf18aa6375790c36483b79394d7f5
SHA1 8d458bd09b901a9202cfa253be283e089a50da4e
SHA256 beae46eda015f21846384e6c04c07b439d7308130b37b4d6cf42b95aeaf5eba8
SHA512 fe7c93cb4888ee2885908ed495f6eb703ab6c48b675fae38a28e01e31d6dc1deebb2ef6cecae8178c692e76f4567644ca37ad450f6b5441d952e314c85ac33cc

memory/2080-86-0x00007FF7CBC80000-0x00007FF7CBFD1000-memory.dmp

C:\Windows\System\DgftHAj.exe

MD5 211cb521d668836cab55b78d4dee406b
SHA1 dbac04f7f6478c426120f66fcadc7ec858eba92d
SHA256 350bcac784243f53245e93ed53f4de4d877b6340c076c9f0f5e7fb805a6af40e
SHA512 1a7671831f77ee19890b5c38742ff246aa8995258a339daba00f57e30d34e53364a6cfd8fd3250eecb4c697e8b189c223c0a9291bf3c1bed33e5a44784d5f487

C:\Windows\System\MtFMrKL.exe

MD5 4f80ca701ad75d5687e04b6f10e50467
SHA1 d3d2a92354d7e22235b523fc1d7d3ae2a2432d68
SHA256 a06c0ac405cab9928682b7ca6ccb5b9a1b8ea719fe84078fd566830319e8f810
SHA512 8fe6bdac9ae1a563970d7603209c64bc2f06e62a52f12ff9def20439060513eae8214094d1ef16f307aa35ffc2ff7b381502f35a811d1045db5a0743699c1bdf

C:\Windows\System\cPPOJgN.exe

MD5 11f39fe87d591a6a837ea577f8b5c7f4
SHA1 d0b5715a0bab455495b108785669bd62748fa4df
SHA256 fb22c987a4990e7416f3e8d0e873a5c20bc47315fc0ae04e30bd247ff9756fe5
SHA512 1fefa885e88d4b4ff515a676653a2b53ab86dd8866ed987269cf569bd13e5bb85d89be1fe3daa5ebe632706de0b1058649dad1842d0cb04c542362450f29f5e8

memory/2176-72-0x00007FF659E10000-0x00007FF65A161000-memory.dmp

memory/5036-62-0x00007FF7CEEC0000-0x00007FF7CF211000-memory.dmp

memory/4420-43-0x00007FF7A5760000-0x00007FF7A5AB1000-memory.dmp

C:\Windows\System\YeJpIUn.exe

MD5 8ff6c4a859f7cd7995866183de755016
SHA1 05224f111366493ef06abbf354d606fae5ef3fd4
SHA256 086041384de7525b5c193c90bb565f22f5f34f17c0bc92a02ec4ad0e3943b1ce
SHA512 19fa7c348c8c79b31e2e80dd584209852841464895ca9ade0ae52579a18a62ea5833cfb39c4fc0ccefd32ae3c420f518f560a58c903de6e017f5af5e11c5ff57
