Malware Analysis Report

2025-03-15 08:11

Sample ID 240530-a7ew2agc4z
Target 2024-05-30_4783f04d19b4ee0556d36574e4c0f8fb_cobalt-strike_cobaltstrike
SHA256 64e444e4fc45a6b5c7ca256d89cd9cab814b1a53117449cdcc03e58305e68444
Tags
upx 0 miner cobaltstrike xmrig backdoor trojan
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

score
10/10

SHA256

64e444e4fc45a6b5c7ca256d89cd9cab814b1a53117449cdcc03e58305e68444

Threat Level: Known bad

The file 2024-05-30_4783f04d19b4ee0556d36574e4c0f8fb_cobalt-strike_cobaltstrike was found to be: Known bad.

Malicious Activity Summary

upx 0 miner cobaltstrike xmrig backdoor trojan

Cobalt Strike reflective loader

Cobaltstrike

Xmrig family

XMRig Miner payload

UPX dump on OEP (original entry point)

Cobaltstrike family

Detects Reflective DLL injection artifacts

xmrig

UPX packed file

Executes dropped EXE

Loads dropped DLL

Drops file in Windows directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-05-30 00:50

Signatures

Cobalt Strike reflective loader

Cobaltstrike family

cobaltstrike

Detects Reflective DLL injection artifacts

UPX dump on OEP (original entry point)

XMRig Miner payload

miner
Xmrig family

xmrig

UPX packed file

upx
Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-30 00:50

Reported

2024-05-30 00:53

Platform

win7-20231129-en

Max time kernel

140s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-05-30_4783f04d19b4ee0556d36574e4c0f8fb_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

UPX dump on OEP (original entry point)

XMRig Miner payload

miner
Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_4783f04d19b4ee0556d36574e4c0f8fb_cobalt-strike_cobaltstrike.exe N/A

UPX packed file

upx
Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\IQUjlDE.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_4783f04d19b4ee0556d36574e4c0f8fb_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\JrQxnRd.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_4783f04d19b4ee0556d36574e4c0f8fb_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\TxwKpbt.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_4783f04d19b4ee0556d36574e4c0f8fb_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ycTtMSh.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_4783f04d19b4ee0556d36574e4c0f8fb_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\DspnMWB.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_4783f04d19b4ee0556d36574e4c0f8fb_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\eZzFXID.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_4783f04d19b4ee0556d36574e4c0f8fb_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\olVUuIM.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_4783f04d19b4ee0556d36574e4c0f8fb_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\lGhEZSQ.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_4783f04d19b4ee0556d36574e4c0f8fb_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\sDagGRW.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_4783f04d19b4ee0556d36574e4c0f8fb_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\qiNbWUD.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_4783f04d19b4ee0556d36574e4c0f8fb_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\LfNWWxw.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_4783f04d19b4ee0556d36574e4c0f8fb_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\xkMZaik.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_4783f04d19b4ee0556d36574e4c0f8fb_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\TtSinwb.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_4783f04d19b4ee0556d36574e4c0f8fb_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\Jlfvvvj.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_4783f04d19b4ee0556d36574e4c0f8fb_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\wOxcwbS.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_4783f04d19b4ee0556d36574e4c0f8fb_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\aVzzSpY.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_4783f04d19b4ee0556d36574e4c0f8fb_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\GQkRqcM.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_4783f04d19b4ee0556d36574e4c0f8fb_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\rPrRTzm.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_4783f04d19b4ee0556d36574e4c0f8fb_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\EgfNaVn.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_4783f04d19b4ee0556d36574e4c0f8fb_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\bIsekyS.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_4783f04d19b4ee0556d36574e4c0f8fb_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\EqAVjWg.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_4783f04d19b4ee0556d36574e4c0f8fb_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_4783f04d19b4ee0556d36574e4c0f8fb_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1936 wrote to memory of 2284 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_4783f04d19b4ee0556d36574e4c0f8fb_cobalt-strike_cobaltstrike.exe C:\Windows\System\LfNWWxw.exe
PID 1936 wrote to memory of 2552 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_4783f04d19b4ee0556d36574e4c0f8fb_cobalt-strike_cobaltstrike.exe C:\Windows\System\rPrRTzm.exe
PID 1936 wrote to memory of 1608 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_4783f04d19b4ee0556d36574e4c0f8fb_cobalt-strike_cobaltstrike.exe C:\Windows\System\ycTtMSh.exe
PID 1936 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_4783f04d19b4ee0556d36574e4c0f8fb_cobalt-strike_cobaltstrike.exe C:\Windows\System\EgfNaVn.exe
PID 1936 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_4783f04d19b4ee0556d36574e4c0f8fb_cobalt-strike_cobaltstrike.exe C:\Windows\System\TtSinwb.exe
PID 1936 wrote to memory of 2836 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_4783f04d19b4ee0556d36574e4c0f8fb_cobalt-strike_cobaltstrike.exe C:\Windows\System\DspnMWB.exe
PID 1936 wrote to memory of 2768 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_4783f04d19b4ee0556d36574e4c0f8fb_cobalt-strike_cobaltstrike.exe C:\Windows\System\Jlfvvvj.exe
PID 1936 wrote to memory of 2524 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_4783f04d19b4ee0556d36574e4c0f8fb_cobalt-strike_cobaltstrike.exe C:\Windows\System\xkMZaik.exe
PID 1936 wrote to memory of 2484 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_4783f04d19b4ee0556d36574e4c0f8fb_cobalt-strike_cobaltstrike.exe C:\Windows\System\eZzFXID.exe
PID 1936 wrote to memory of 2540 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_4783f04d19b4ee0556d36574e4c0f8fb_cobalt-strike_cobaltstrike.exe C:\Windows\System\IQUjlDE.exe
PID 1936 wrote to memory of 2940 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_4783f04d19b4ee0556d36574e4c0f8fb_cobalt-strike_cobaltstrike.exe C:\Windows\System\wOxcwbS.exe
PID 1936 wrote to memory of 2792 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_4783f04d19b4ee0556d36574e4c0f8fb_cobalt-strike_cobaltstrike.exe C:\Windows\System\olVUuIM.exe
PID 1936 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_4783f04d19b4ee0556d36574e4c0f8fb_cobalt-strike_cobaltstrike.exe C:\Windows\System\JrQxnRd.exe
PID 1936 wrote to memory of 2784 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_4783f04d19b4ee0556d36574e4c0f8fb_cobalt-strike_cobaltstrike.exe C:\Windows\System\aVzzSpY.exe
PID 1936 wrote to memory of 2788 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_4783f04d19b4ee0556d36574e4c0f8fb_cobalt-strike_cobaltstrike.exe C:\Windows\System\lGhEZSQ.exe
PID 1936 wrote to memory of 2728 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_4783f04d19b4ee0556d36574e4c0f8fb_cobalt-strike_cobaltstrike.exe C:\Windows\System\sDagGRW.exe
PID 1936 wrote to memory of 2876 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_4783f04d19b4ee0556d36574e4c0f8fb_cobalt-strike_cobaltstrike.exe C:\Windows\System\GQkRqcM.exe
PID 1936 wrote to memory of 3048 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_4783f04d19b4ee0556d36574e4c0f8fb_cobalt-strike_cobaltstrike.exe C:\Windows\System\TxwKpbt.exe
PID 1936 wrote to memory of 2904 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_4783f04d19b4ee0556d36574e4c0f8fb_cobalt-strike_cobaltstrike.exe C:\Windows\System\qiNbWUD.exe
PID 1936 wrote to memory of 2352 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_4783f04d19b4ee0556d36574e4c0f8fb_cobalt-strike_cobaltstrike.exe C:\Windows\System\bIsekyS.exe
PID 1936 wrote to memory of 3068 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_4783f04d19b4ee0556d36574e4c0f8fb_cobalt-strike_cobaltstrike.exe C:\Windows\System\EqAVjWg.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-05-30_4783f04d19b4ee0556d36574e4c0f8fb_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-30_4783f04d19b4ee0556d36574e4c0f8fb_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\LfNWWxw.exe
C:\Windows\System\rPrRTzm.exe
C:\Windows\System\ycTtMSh.exe
C:\Windows\System\EgfNaVn.exe
C:\Windows\System\TtSinwb.exe
C:\Windows\System\DspnMWB.exe
C:\Windows\System\Jlfvvvj.exe
C:\Windows\System\xkMZaik.exe
C:\Windows\System\eZzFXID.exe
C:\Windows\System\IQUjlDE.exe
C:\Windows\System\wOxcwbS.exe
C:\Windows\System\olVUuIM.exe
C:\Windows\System\JrQxnRd.exe
C:\Windows\System\aVzzSpY.exe
C:\Windows\System\lGhEZSQ.exe
C:\Windows\System\sDagGRW.exe
C:\Windows\System\GQkRqcM.exe
C:\Windows\System\TxwKpbt.exe
C:\Windows\System\qiNbWUD.exe
C:\Windows\System\bIsekyS.exe
C:\Windows\System\EqAVjWg.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 tcp

Files


memory/1936-137-0x000000013F190000-0x000000013F4E1000-memory.dmp

memory/1936-144-0x0000000002320000-0x0000000002671000-memory.dmp

memory/3048-156-0x000000013FE80000-0x00000001401D1000-memory.dmp

memory/2352-158-0x000000013F7C0000-0x000000013FB11000-memory.dmp

memory/2904-157-0x000000013F670000-0x000000013F9C1000-memory.dmp

memory/2876-155-0x000000013FD00000-0x0000000140051000-memory.dmp

memory/3068-159-0x000000013F470000-0x000000013F7C1000-memory.dmp

memory/2728-154-0x000000013FF30000-0x0000000140281000-memory.dmp

memory/2788-153-0x000000013FEE0000-0x0000000140231000-memory.dmp

memory/1936-160-0x000000013F190000-0x000000013F4E1000-memory.dmp

memory/1936-172-0x000000013F850000-0x000000013FBA1000-memory.dmp

memory/1936-183-0x000000013FEE0000-0x0000000140231000-memory.dmp

memory/2284-207-0x000000013FC50000-0x000000013FFA1000-memory.dmp

memory/2552-209-0x000000013FDC0000-0x0000000140111000-memory.dmp

memory/1608-211-0x000000013F370000-0x000000013F6C1000-memory.dmp

memory/2596-213-0x000000013F0E0000-0x000000013F431000-memory.dmp

memory/2744-215-0x000000013FCE0000-0x0000000140031000-memory.dmp

memory/2836-220-0x000000013F400000-0x000000013F751000-memory.dmp

memory/2768-222-0x000000013F260000-0x000000013F5B1000-memory.dmp

memory/2524-224-0x000000013F370000-0x000000013F6C1000-memory.dmp

memory/2540-226-0x000000013F0D0000-0x000000013F421000-memory.dmp

memory/2484-228-0x000000013F030000-0x000000013F381000-memory.dmp

memory/2940-230-0x000000013F400000-0x000000013F751000-memory.dmp

memory/2792-232-0x000000013F2B0000-0x000000013F601000-memory.dmp

memory/2804-237-0x000000013F130000-0x000000013F481000-memory.dmp

memory/2784-239-0x000000013F850000-0x000000013FBA1000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-30 00:50

Reported

2024-05-30 00:53

Platform

win10v2004-20240426-en

Max time kernel

141s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-05-30_4783f04d19b4ee0556d36574e4c0f8fb_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\cmStUgs.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_4783f04d19b4ee0556d36574e4c0f8fb_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\BiHkVAZ.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_4783f04d19b4ee0556d36574e4c0f8fb_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\YUCYdck.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_4783f04d19b4ee0556d36574e4c0f8fb_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\enJfvxZ.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_4783f04d19b4ee0556d36574e4c0f8fb_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\rUPdJVW.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_4783f04d19b4ee0556d36574e4c0f8fb_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\TWdgodt.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_4783f04d19b4ee0556d36574e4c0f8fb_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\oLRCaqv.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_4783f04d19b4ee0556d36574e4c0f8fb_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ubEeYUv.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_4783f04d19b4ee0556d36574e4c0f8fb_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\QjIkrhw.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_4783f04d19b4ee0556d36574e4c0f8fb_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\OHpKhYo.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_4783f04d19b4ee0556d36574e4c0f8fb_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\MylRVab.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_4783f04d19b4ee0556d36574e4c0f8fb_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\gJrVDix.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_4783f04d19b4ee0556d36574e4c0f8fb_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\SadBjWN.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_4783f04d19b4ee0556d36574e4c0f8fb_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\qAaIguX.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_4783f04d19b4ee0556d36574e4c0f8fb_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\jINoMnU.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_4783f04d19b4ee0556d36574e4c0f8fb_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\FCTbawN.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_4783f04d19b4ee0556d36574e4c0f8fb_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\QrFdXtF.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_4783f04d19b4ee0556d36574e4c0f8fb_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\bzmzuHh.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_4783f04d19b4ee0556d36574e4c0f8fb_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\QAoIQXX.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_4783f04d19b4ee0556d36574e4c0f8fb_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\XQqAUxr.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_4783f04d19b4ee0556d36574e4c0f8fb_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\QtbSGAG.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_4783f04d19b4ee0556d36574e4c0f8fb_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_4783f04d19b4ee0556d36574e4c0f8fb_cobalt-strike_cobaltstrike.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_4783f04d19b4ee0556d36574e4c0f8fb_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2104 wrote to memory of 2172 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_4783f04d19b4ee0556d36574e4c0f8fb_cobalt-strike_cobaltstrike.exe C:\Windows\System\OHpKhYo.exe
PID 2104 wrote to memory of 2172 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_4783f04d19b4ee0556d36574e4c0f8fb_cobalt-strike_cobaltstrike.exe C:\Windows\System\OHpKhYo.exe
PID 2104 wrote to memory of 4164 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_4783f04d19b4ee0556d36574e4c0f8fb_cobalt-strike_cobaltstrike.exe C:\Windows\System\MylRVab.exe
PID 2104 wrote to memory of 4164 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_4783f04d19b4ee0556d36574e4c0f8fb_cobalt-strike_cobaltstrike.exe C:\Windows\System\MylRVab.exe
PID 2104 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_4783f04d19b4ee0556d36574e4c0f8fb_cobalt-strike_cobaltstrike.exe C:\Windows\System\YUCYdck.exe
PID 2104 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_4783f04d19b4ee0556d36574e4c0f8fb_cobalt-strike_cobaltstrike.exe C:\Windows\System\YUCYdck.exe
PID 2104 wrote to memory of 4600 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_4783f04d19b4ee0556d36574e4c0f8fb_cobalt-strike_cobaltstrike.exe C:\Windows\System\enJfvxZ.exe
PID 2104 wrote to memory of 4600 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_4783f04d19b4ee0556d36574e4c0f8fb_cobalt-strike_cobaltstrike.exe C:\Windows\System\enJfvxZ.exe
PID 2104 wrote to memory of 4664 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_4783f04d19b4ee0556d36574e4c0f8fb_cobalt-strike_cobaltstrike.exe C:\Windows\System\rUPdJVW.exe
PID 2104 wrote to memory of 4664 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_4783f04d19b4ee0556d36574e4c0f8fb_cobalt-strike_cobaltstrike.exe C:\Windows\System\rUPdJVW.exe
PID 2104 wrote to memory of 2420 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_4783f04d19b4ee0556d36574e4c0f8fb_cobalt-strike_cobaltstrike.exe C:\Windows\System\FCTbawN.exe
PID 2104 wrote to memory of 2420 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_4783f04d19b4ee0556d36574e4c0f8fb_cobalt-strike_cobaltstrike.exe C:\Windows\System\FCTbawN.exe
PID 2104 wrote to memory of 5044 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_4783f04d19b4ee0556d36574e4c0f8fb_cobalt-strike_cobaltstrike.exe C:\Windows\System\TWdgodt.exe
PID 2104 wrote to memory of 5044 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_4783f04d19b4ee0556d36574e4c0f8fb_cobalt-strike_cobaltstrike.exe C:\Windows\System\TWdgodt.exe
PID 2104 wrote to memory of 2496 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_4783f04d19b4ee0556d36574e4c0f8fb_cobalt-strike_cobaltstrike.exe C:\Windows\System\QrFdXtF.exe
PID 2104 wrote to memory of 2496 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_4783f04d19b4ee0556d36574e4c0f8fb_cobalt-strike_cobaltstrike.exe C:\Windows\System\QrFdXtF.exe
PID 2104 wrote to memory of 3300 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_4783f04d19b4ee0556d36574e4c0f8fb_cobalt-strike_cobaltstrike.exe C:\Windows\System\gJrVDix.exe
PID 2104 wrote to memory of 3300 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_4783f04d19b4ee0556d36574e4c0f8fb_cobalt-strike_cobaltstrike.exe C:\Windows\System\gJrVDix.exe
PID 2104 wrote to memory of 3936 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_4783f04d19b4ee0556d36574e4c0f8fb_cobalt-strike_cobaltstrike.exe C:\Windows\System\bzmzuHh.exe
PID 2104 wrote to memory of 3936 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_4783f04d19b4ee0556d36574e4c0f8fb_cobalt-strike_cobaltstrike.exe C:\Windows\System\bzmzuHh.exe
PID 2104 wrote to memory of 4304 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_4783f04d19b4ee0556d36574e4c0f8fb_cobalt-strike_cobaltstrike.exe C:\Windows\System\SadBjWN.exe
PID 2104 wrote to memory of 4304 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_4783f04d19b4ee0556d36574e4c0f8fb_cobalt-strike_cobaltstrike.exe C:\Windows\System\SadBjWN.exe
PID 2104 wrote to memory of 1992 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_4783f04d19b4ee0556d36574e4c0f8fb_cobalt-strike_cobaltstrike.exe C:\Windows\System\oLRCaqv.exe
PID 2104 wrote to memory of 1992 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_4783f04d19b4ee0556d36574e4c0f8fb_cobalt-strike_cobaltstrike.exe C:\Windows\System\oLRCaqv.exe
PID 2104 wrote to memory of 2816 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_4783f04d19b4ee0556d36574e4c0f8fb_cobalt-strike_cobaltstrike.exe C:\Windows\System\QAoIQXX.exe
PID 2104 wrote to memory of 2816 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_4783f04d19b4ee0556d36574e4c0f8fb_cobalt-strike_cobaltstrike.exe C:\Windows\System\QAoIQXX.exe
PID 2104 wrote to memory of 208 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_4783f04d19b4ee0556d36574e4c0f8fb_cobalt-strike_cobaltstrike.exe C:\Windows\System\ubEeYUv.exe
PID 2104 wrote to memory of 208 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_4783f04d19b4ee0556d36574e4c0f8fb_cobalt-strike_cobaltstrike.exe C:\Windows\System\ubEeYUv.exe
PID 2104 wrote to memory of 2036 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_4783f04d19b4ee0556d36574e4c0f8fb_cobalt-strike_cobaltstrike.exe C:\Windows\System\cmStUgs.exe
PID 2104 wrote to memory of 2036 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_4783f04d19b4ee0556d36574e4c0f8fb_cobalt-strike_cobaltstrike.exe C:\Windows\System\cmStUgs.exe
PID 2104 wrote to memory of 3248 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_4783f04d19b4ee0556d36574e4c0f8fb_cobalt-strike_cobaltstrike.exe C:\Windows\System\BiHkVAZ.exe
PID 2104 wrote to memory of 3248 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_4783f04d19b4ee0556d36574e4c0f8fb_cobalt-strike_cobaltstrike.exe C:\Windows\System\BiHkVAZ.exe
PID 2104 wrote to memory of 4572 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_4783f04d19b4ee0556d36574e4c0f8fb_cobalt-strike_cobaltstrike.exe C:\Windows\System\XQqAUxr.exe
PID 2104 wrote to memory of 4572 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_4783f04d19b4ee0556d36574e4c0f8fb_cobalt-strike_cobaltstrike.exe C:\Windows\System\XQqAUxr.exe
PID 2104 wrote to memory of 3704 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_4783f04d19b4ee0556d36574e4c0f8fb_cobalt-strike_cobaltstrike.exe C:\Windows\System\QtbSGAG.exe
PID 2104 wrote to memory of 3704 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_4783f04d19b4ee0556d36574e4c0f8fb_cobalt-strike_cobaltstrike.exe C:\Windows\System\QtbSGAG.exe
PID 2104 wrote to memory of 3336 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_4783f04d19b4ee0556d36574e4c0f8fb_cobalt-strike_cobaltstrike.exe C:\Windows\System\jINoMnU.exe
PID 2104 wrote to memory of 3336 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_4783f04d19b4ee0556d36574e4c0f8fb_cobalt-strike_cobaltstrike.exe C:\Windows\System\jINoMnU.exe
PID 2104 wrote to memory of 3244 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_4783f04d19b4ee0556d36574e4c0f8fb_cobalt-strike_cobaltstrike.exe C:\Windows\System\qAaIguX.exe
PID 2104 wrote to memory of 3244 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_4783f04d19b4ee0556d36574e4c0f8fb_cobalt-strike_cobaltstrike.exe C:\Windows\System\qAaIguX.exe
PID 2104 wrote to memory of 4728 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_4783f04d19b4ee0556d36574e4c0f8fb_cobalt-strike_cobaltstrike.exe C:\Windows\System\QjIkrhw.exe
PID 2104 wrote to memory of 4728 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_4783f04d19b4ee0556d36574e4c0f8fb_cobalt-strike_cobaltstrike.exe C:\Windows\System\QjIkrhw.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-05-30_4783f04d19b4ee0556d36574e4c0f8fb_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-05-30_4783f04d19b4ee0556d36574e4c0f8fb_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\OHpKhYo.exe

C:\Windows\System\OHpKhYo.exe

C:\Windows\System\MylRVab.exe

C:\Windows\System\MylRVab.exe

C:\Windows\System\YUCYdck.exe

C:\Windows\System\YUCYdck.exe

C:\Windows\System\enJfvxZ.exe

C:\Windows\System\enJfvxZ.exe

C:\Windows\System\rUPdJVW.exe

C:\Windows\System\rUPdJVW.exe

C:\Windows\System\FCTbawN.exe

C:\Windows\System\FCTbawN.exe

C:\Windows\System\TWdgodt.exe

C:\Windows\System\TWdgodt.exe

C:\Windows\System\QrFdXtF.exe

C:\Windows\System\QrFdXtF.exe

C:\Windows\System\gJrVDix.exe

C:\Windows\System\gJrVDix.exe

C:\Windows\System\bzmzuHh.exe

C:\Windows\System\bzmzuHh.exe

C:\Windows\System\SadBjWN.exe

C:\Windows\System\SadBjWN.exe

C:\Windows\System\oLRCaqv.exe

C:\Windows\System\oLRCaqv.exe

C:\Windows\System\QAoIQXX.exe

C:\Windows\System\QAoIQXX.exe

C:\Windows\System\ubEeYUv.exe

C:\Windows\System\ubEeYUv.exe

C:\Windows\System\cmStUgs.exe

C:\Windows\System\cmStUgs.exe

C:\Windows\System\BiHkVAZ.exe

C:\Windows\System\BiHkVAZ.exe

C:\Windows\System\XQqAUxr.exe

C:\Windows\System\XQqAUxr.exe

C:\Windows\System\QtbSGAG.exe

C:\Windows\System\QtbSGAG.exe

C:\Windows\System\jINoMnU.exe

C:\Windows\System\jINoMnU.exe

C:\Windows\System\qAaIguX.exe

C:\Windows\System\qAaIguX.exe

C:\Windows\System\QjIkrhw.exe

C:\Windows\System\QjIkrhw.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp

Files
