Malware Analysis Report

2025-03-15 08:11

Sample ID 240530-a7yn5sgc6x
Target 2024-05-30_62d082595e9683eaafbec296b3155001_cobalt-strike_cobaltstrike
SHA256 7934ef8b6b684dcfbd38a08284be4824a4639857ac931a2b049893ae920764e0
Tags
upx 0 miner cobaltstrike xmrig backdoor trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

7934ef8b6b684dcfbd38a08284be4824a4639857ac931a2b049893ae920764e0

Threat Level: Known bad

The file 2024-05-30_62d082595e9683eaafbec296b3155001_cobalt-strike_cobaltstrike was found to be: Known bad.

Malicious Activity Summary

upx 0 miner cobaltstrike xmrig backdoor trojan

Cobaltstrike

Xmrig family

UPX dump on OEP (original entry point)

Cobaltstrike family

Detects Reflective DLL injection artifacts

XMRig Miner payload

xmrig

Cobalt Strike reflective loader

UPX dump on OEP (original entry point)

XMRig Miner payload

Detects Reflective DLL injection artifacts

UPX packed file

Executes dropped EXE

Loads dropped DLL

Drops file in Windows directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-05-30 00:51

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike family

cobaltstrike

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

XMRig Miner payload

miner

Description Indicator Process Target
N/A N/A N/A N/A

Xmrig family

xmrig

UPX packed file

upx

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-30 00:51

Reported

2024-05-30 00:54

Platform

win7-20240508-en

Max time kernel

142s

Max time network

146s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-05-30_62d082595e9683eaafbec296b3155001_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target

UPX dump on OEP (original entry point)

Description Indicator Process Target

XMRig Miner payload

miner

Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_62d082595e9683eaafbec296b3155001_cobalt-strike_cobaltstrike.exe N/A

UPX packed file

upx

Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\guhuenW.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_62d082595e9683eaafbec296b3155001_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\qCnFABE.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_62d082595e9683eaafbec296b3155001_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\IGmQhIU.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_62d082595e9683eaafbec296b3155001_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\XLRTihA.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_62d082595e9683eaafbec296b3155001_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\AfntQLF.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_62d082595e9683eaafbec296b3155001_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ZXZmFlg.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_62d082595e9683eaafbec296b3155001_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\gcjCmhx.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_62d082595e9683eaafbec296b3155001_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\RJijBPP.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_62d082595e9683eaafbec296b3155001_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\fgUwFIB.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_62d082595e9683eaafbec296b3155001_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\eTBdZJl.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_62d082595e9683eaafbec296b3155001_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ISuPuBb.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_62d082595e9683eaafbec296b3155001_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\WxuqYNb.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_62d082595e9683eaafbec296b3155001_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ZfswQCo.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_62d082595e9683eaafbec296b3155001_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\zrHNvsu.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_62d082595e9683eaafbec296b3155001_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\DLfOXdJ.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_62d082595e9683eaafbec296b3155001_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\fhDNFoQ.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_62d082595e9683eaafbec296b3155001_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\jFnLvzS.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_62d082595e9683eaafbec296b3155001_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\UAtUytQ.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_62d082595e9683eaafbec296b3155001_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\JWCCDGl.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_62d082595e9683eaafbec296b3155001_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\TzHwpxp.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_62d082595e9683eaafbec296b3155001_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ApTNwGQ.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_62d082595e9683eaafbec296b3155001_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_62d082595e9683eaafbec296b3155001_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2964 wrote to memory of 896 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_62d082595e9683eaafbec296b3155001_cobalt-strike_cobaltstrike.exe C:\Windows\System\fhDNFoQ.exe
PID 2964 wrote to memory of 2432 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_62d082595e9683eaafbec296b3155001_cobalt-strike_cobaltstrike.exe C:\Windows\System\TzHwpxp.exe
PID 2964 wrote to memory of 1156 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_62d082595e9683eaafbec296b3155001_cobalt-strike_cobaltstrike.exe C:\Windows\System\XLRTihA.exe
PID 2964 wrote to memory of 1196 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_62d082595e9683eaafbec296b3155001_cobalt-strike_cobaltstrike.exe C:\Windows\System\WxuqYNb.exe
PID 2964 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_62d082595e9683eaafbec296b3155001_cobalt-strike_cobaltstrike.exe C:\Windows\System\ZfswQCo.exe
PID 2964 wrote to memory of 2796 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_62d082595e9683eaafbec296b3155001_cobalt-strike_cobaltstrike.exe C:\Windows\System\ApTNwGQ.exe
PID 2964 wrote to memory of 2688 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_62d082595e9683eaafbec296b3155001_cobalt-strike_cobaltstrike.exe C:\Windows\System\jFnLvzS.exe
PID 2964 wrote to memory of 2764 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_62d082595e9683eaafbec296b3155001_cobalt-strike_cobaltstrike.exe C:\Windows\System\DLfOXdJ.exe
PID 2964 wrote to memory of 2908 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_62d082595e9683eaafbec296b3155001_cobalt-strike_cobaltstrike.exe C:\Windows\System\AfntQLF.exe
PID 2964 wrote to memory of 2876 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_62d082595e9683eaafbec296b3155001_cobalt-strike_cobaltstrike.exe C:\Windows\System\ZXZmFlg.exe
PID 2964 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_62d082595e9683eaafbec296b3155001_cobalt-strike_cobaltstrike.exe C:\Windows\System\gcjCmhx.exe
PID 2964 wrote to memory of 2648 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_62d082595e9683eaafbec296b3155001_cobalt-strike_cobaltstrike.exe C:\Windows\System\RJijBPP.exe
PID 2964 wrote to memory of 1704 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_62d082595e9683eaafbec296b3155001_cobalt-strike_cobaltstrike.exe C:\Windows\System\fgUwFIB.exe
PID 2964 wrote to memory of 2776 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_62d082595e9683eaafbec296b3155001_cobalt-strike_cobaltstrike.exe C:\Windows\System\guhuenW.exe
PID 2964 wrote to memory of 2864 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_62d082595e9683eaafbec296b3155001_cobalt-strike_cobaltstrike.exe C:\Windows\System\eTBdZJl.exe
PID 2964 wrote to memory of 2992 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_62d082595e9683eaafbec296b3155001_cobalt-strike_cobaltstrike.exe C:\Windows\System\ISuPuBb.exe
PID 2964 wrote to memory of 1744 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_62d082595e9683eaafbec296b3155001_cobalt-strike_cobaltstrike.exe C:\Windows\System\qCnFABE.exe
PID 2964 wrote to memory of 1976 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_62d082595e9683eaafbec296b3155001_cobalt-strike_cobaltstrike.exe C:\Windows\System\IGmQhIU.exe
PID 2964 wrote to memory of 1720 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_62d082595e9683eaafbec296b3155001_cobalt-strike_cobaltstrike.exe C:\Windows\System\UAtUytQ.exe
PID 2964 wrote to memory of 1028 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_62d082595e9683eaafbec296b3155001_cobalt-strike_cobaltstrike.exe C:\Windows\System\zrHNvsu.exe
PID 2964 wrote to memory of 2024 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_62d082595e9683eaafbec296b3155001_cobalt-strike_cobaltstrike.exe C:\Windows\System\JWCCDGl.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-05-30_62d082595e9683eaafbec296b3155001_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-05-30_62d082595e9683eaafbec296b3155001_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\fhDNFoQ.exe

C:\Windows\System\fhDNFoQ.exe

C:\Windows\System\TzHwpxp.exe

C:\Windows\System\TzHwpxp.exe

C:\Windows\System\XLRTihA.exe

C:\Windows\System\XLRTihA.exe

C:\Windows\System\WxuqYNb.exe

C:\Windows\System\WxuqYNb.exe

C:\Windows\System\ZfswQCo.exe

C:\Windows\System\ZfswQCo.exe

C:\Windows\System\ApTNwGQ.exe

C:\Windows\System\ApTNwGQ.exe

C:\Windows\System\jFnLvzS.exe

C:\Windows\System\jFnLvzS.exe

C:\Windows\System\DLfOXdJ.exe

C:\Windows\System\DLfOXdJ.exe

C:\Windows\System\AfntQLF.exe

C:\Windows\System\AfntQLF.exe

C:\Windows\System\ZXZmFlg.exe

C:\Windows\System\ZXZmFlg.exe

C:\Windows\System\gcjCmhx.exe

C:\Windows\System\gcjCmhx.exe

C:\Windows\System\RJijBPP.exe

C:\Windows\System\RJijBPP.exe

C:\Windows\System\fgUwFIB.exe

C:\Windows\System\fgUwFIB.exe

C:\Windows\System\guhuenW.exe

C:\Windows\System\guhuenW.exe

C:\Windows\System\eTBdZJl.exe

C:\Windows\System\eTBdZJl.exe

C:\Windows\System\ISuPuBb.exe

C:\Windows\System\ISuPuBb.exe

C:\Windows\System\qCnFABE.exe

C:\Windows\System\qCnFABE.exe

C:\Windows\System\IGmQhIU.exe

C:\Windows\System\IGmQhIU.exe

C:\Windows\System\UAtUytQ.exe

C:\Windows\System\UAtUytQ.exe

C:\Windows\System\zrHNvsu.exe

C:\Windows\System\zrHNvsu.exe

C:\Windows\System\JWCCDGl.exe

C:\Windows\System\JWCCDGl.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 tcp

Files

memory/2964-0-0x000000013F650000-0x000000013F9A1000-memory.dmp

memory/2964-1-0x00000000000F0000-0x0000000000100000-memory.dmp

\Windows\system\fhDNFoQ.exe

MD5 2d7ba7d1b1b13c3c261d582fad429780
SHA1 800034c541db288dacfc3a2a58e7ae547df0d49e
SHA256 c101543546aa71c385e12224742952cb15aeafbf63237505ca779cfc5e0dc6c1
SHA512 21939778d1393877fbe25ac52a97ed5516dfe6197cefc1d3579aa180fe23a9a57ce5742ad5cb6c812819d4b827170e255b19a55f8333d83ecd8cfcc52f8a0510

memory/896-7-0x000000013F2B0000-0x000000013F601000-memory.dmp

C:\Windows\system\TzHwpxp.exe

MD5 862c0ba8a02d02a3c14785fbe599e27d
SHA1 7757d47f8d04659f8b640ed82ebfc417589addc9
SHA256 b8e3e0086099634f9ec9b03de394b8cb148eba51ce2e1a8c79e1b9a758e047b7
SHA512 587195a88134178ad6a6fec52f8185a0274a446c45c7d84cb4155e12414e8c485e1ad2e6904049f7ee9bdc8e2e0021bbb08e3d5f962b08d07d0f874bc6afdc0a

C:\Windows\system\WxuqYNb.exe

MD5 822e29a2d70ccf80c0c4f22c290d6bfa
SHA1 057cd7bc24ca599e89c18450077c002c4d4dc446
SHA256 2cf0547d6ba4ff45bf383d12b9b4d47cdd6c7d4ad3f958c15757470bab2cb5c8
SHA512 d951af0741761c747dd36549dc1989e077a0bcd5db19ebc62c67d06f9112c8a0e1e9bffe526f7fa9e438f83a29ddaf04185aae15c67bc3813c7cb7cd145ecd21

\Windows\system\DLfOXdJ.exe

MD5 09c59171a52bd80ae7e2cc17b186b03a
SHA1 b8782295d6a4195b183f2dd0428010f0c5da06fa
SHA256 cf014dc101ff044fe03f8f0f363b634d7edc98abccbef1a20c762f317808bb14
SHA512 20bc962380b133d539e494c55832993589a5a097baad6ec7f0e374bbfb28e47fdfcaf23e490bb60d36a699ddcbc1177ce6ac1bbabf74e7c325b48ccd73da5a89

C:\Windows\system\ZXZmFlg.exe

MD5 e47a4b93f77c4f430b3700f77fecb35b
SHA1 f58c746e820b30f4e8a154f8e8a520b64f4b08fb
SHA256 768c3671c13e90579be07aca58f6c81771826ab75b222e1927b75f13c252a2cd
SHA512 7179d1c87578d67c6217681857d2b90e3a2be58b4be31f880026c5a067528d1c18b347feaf50a3709deff97d14d657ed661d3213d4f3a5aa4001aed23f14314e

\Windows\system\XLRTihA.exe

MD5 33438da19e8927826fc525fa82c46318
SHA1 6dc38e62e8d06ffde2af762abb432cfad5e7c665
SHA256 294f049346b2a2e971804bc03273e944636fcd1088c59bdc5ae88d3a91bcefc9
SHA512 4d4f5aaff442cac5bda9f8f580bc88f4d805ec2cda9c7cf56bf781bfb6fd9b7641d3ffd2c969e1e59509a23d9c779857934659d0dc6414e40ba0e9fc2eccf7f4

memory/2964-65-0x000000013FF40000-0x0000000140291000-memory.dmp

memory/1156-67-0x000000013FFA0000-0x00000001402F1000-memory.dmp

C:\Windows\system\ZfswQCo.exe

MD5 de4600501f9dfaca8a576ccaf203b848
SHA1 d94d11b0e38c7727c63605e0ce6665745795394b
SHA256 2bf4014033ebb37899ec4f50328933a972b04019b652773da5f6e8b0f283d12e
SHA512 0db300f79264839e93f2539ff7a7662dca6a75f343ee99b9ad0ad1e063aff9cc16a0d57c9a4fa2b52c7fcc01fb2c23f15418eac7cc91029fab3b4f4de4560f69

C:\Windows\system\guhuenW.exe

MD5 ec1c68c6f2370b0971b1c5e6b5005cfc
SHA1 4859498f1b5f883a6c74ee99d6cddfc20fdf50d8
SHA256 548f5d1fc021bd671cdc405fa1b55d0d54f935dfd652b4a1d68eb5757b0b61e3
SHA512 43972fdeb12a45291083a8963cd0c9ad735603315ee1a2f4e2f8b23d31a39c9d5dfb96aad83e766ca5c966692ea58569eb18baacbe656d774278975f6e211c24

memory/2776-88-0x000000013FA70000-0x000000013FDC1000-memory.dmp

memory/2964-101-0x000000013FA70000-0x000000013FDC1000-memory.dmp

\Windows\system\qCnFABE.exe

MD5 336feda9bbaeb70aff853315380c5d34
SHA1 4c4167623b9f2e2e366291b67824ca0b0df18c30
SHA256 c8a575bc6221674cd4f536a196f0c11aa28e9941585d97e1b84beea477d655e1
SHA512 936c7327fc5ad3a46fb3e0e662376709a7fc52e08e177bc45989827207ef2f2af310c5a4ff1cf672588d2fb4aa9865e919939e2b29a06e40970dbfca5c215b9f

C:\Windows\system\JWCCDGl.exe

MD5 1fe0312307356f210d13f5b1ce3f860a
SHA1 8ecb892acd5ab43fbbd7468e8cf771e638e0992e
SHA256 c77bc551f5432442462d2e3c9294c8228a576777b3c2381b36804ef214d3f5f3
SHA512 183caf85146bc5d634ea13d3a0dae99489c9ed91311ef4d7f051ab35e30e0494c14d1063c0c35c5663a0ad0e26a8311e08404a9116a4f30d4e94e7d29ebd91c5

\Windows\system\UAtUytQ.exe

MD5 dd3aa8e19dd32e0c7dadfcba0211ee9b
SHA1 9a6da19ec8b8cd3bc6bb38096bda89695c4167bd
SHA256 afdbc6555451a979965088f7b790c61f33bf449e64fe960e306df566d638ad0c
SHA512 629c2135fb1b6d63f3f8e1a48832e8930f566bd8b4394dabe414adcce382eab0cd82f1dc3757d51515c31067dbc8b386081fe13d81190b174994a8fdd9a9b891

C:\Windows\system\fgUwFIB.exe

MD5 dd508e9ef169493f99e54f44c2facb03
SHA1 77503b3baf1232fb1e3212948fe8c6d1ebcaedaa
SHA256 6d365d210f79f03d47fac46443b35a6f6b9a2a38013ef19a6c262726e78eb75e
SHA512 fb5b99a10fac0c269e2ab5dcbf85a0d409b7300fc20c4b41b984d2950e63ec47a785c1eb663dbfcfaa3af366fd879b88b3a19d5dea784e58f0c12e03dbc8d8d8

C:\Windows\system\zrHNvsu.exe

MD5 71f9f3331e1a34200c43eca74499dbcb
SHA1 9177b2264987b90eb03731d7a90ca09be2945c3c
SHA256 3afed406d22cba22d2ec8607f3ef761739b9a4d6f7204da4142420679680354e
SHA512 618b6da99352a2e4e1125cf2b1307ec64eb2d6d500a4a14cac4417fcb390a1e0ee83976a9d70580a4b4047e2a99d362dfa66e991b755e055bae63cb30f0471bf

\Windows\system\eTBdZJl.exe

MD5 4bace5ae6c4f0a592078badf29c0e23e
SHA1 00a67327995538e5cf9f7f676a243597df28a1f4
SHA256 03a0fb6b946a08b8dfd255213cee77f9b394a11570320e43530bb838e8ea4832
SHA512 0332c97b48debdfe65b46862f6aacf00d1eda2fbb63a322e4fe4f27dda3c6d45b0c13e688c6d98bd355fce201be266ce96046dd4344cea4dcc54b98177e8b151

memory/2572-82-0x000000013FF40000-0x0000000140291000-memory.dmp

memory/2908-81-0x000000013FBC0000-0x000000013FF11000-memory.dmp

memory/2688-80-0x000000013FD70000-0x00000001400C1000-memory.dmp

memory/2964-79-0x000000013FCD0000-0x0000000140021000-memory.dmp

memory/2684-78-0x000000013F700000-0x000000013FA51000-memory.dmp

C:\Windows\system\gcjCmhx.exe

MD5 c9d0a5f14e3f4388eedacc433715f7f3
SHA1 152f8491c69371b5879323811bb9f7af4ea9b917
SHA256 f4c836c5d65901b5bf061db5b89a706a0ba87ceb6dcd62f2d572f052b90561f9
SHA512 36a39e146c768402a49d300e6b9e09c10849ddfe7eb0dcafc3b1b8bf2bb9b0a4a9334cf27efe513eaffd65dd6500b233d41dd9dccd968f085c642f915b9fcf54

C:\Windows\system\AfntQLF.exe

MD5 0662620686c9f607b4964e5940f6348d
SHA1 18ecd6b506c89074d20d1fa132f0ece91a82b6c7
SHA256 11e7a7cf64a06716ced253ca0428cbff915b15e111b9fe005506efe8915aa873
SHA512 1884aeff2ba9a8394b1b821fdf246aa6a6e3cbde4afb02d4338834202a858752166126b5f404922e6492f0df22e1ef168443a0e5d4abb0b376f663d37f548d1b

C:\Windows\system\jFnLvzS.exe

MD5 ae20af93831cad2f726aeeb81464f1dc
SHA1 10e890c7f13a61ceb4fbe6727e5b34457af55f80
SHA256 ed1bd442fde85dd454c591387e9556f4e86aa9ea8f3301d3b7729976c4e5d435
SHA512 4b8a47cc9f38a06a91c9f39165c153c00874526d30ad563a57f58b8defb35efdf1c55c492b1c91e8a14b8050fe2671bb7a72ecb4feb85edf25ea41c8ceebd05f

memory/2432-133-0x000000013FA70000-0x000000013FDC1000-memory.dmp

C:\Windows\system\IGmQhIU.exe

C:\Windows\system\ApTNwGQ.exe

C:\Windows\system\ISuPuBb.exe

C:\Windows\system\RJijBPP.exe

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-30 00:51

Reported

2024-05-30 00:54

Platform

win10v2004-20240508-en

Max time kernel

145s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-05-30_62d082595e9683eaafbec296b3155001_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\hubdICG.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_62d082595e9683eaafbec296b3155001_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\EYALPtm.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_62d082595e9683eaafbec296b3155001_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\DyoYxGf.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_62d082595e9683eaafbec296b3155001_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\FQdpYVo.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_62d082595e9683eaafbec296b3155001_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\pZCGZpI.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_62d082595e9683eaafbec296b3155001_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\YAvsMPn.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_62d082595e9683eaafbec296b3155001_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\JJZIUfo.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_62d082595e9683eaafbec296b3155001_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ARuwBQT.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_62d082595e9683eaafbec296b3155001_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\eFKTOQG.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_62d082595e9683eaafbec296b3155001_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\iVPXQUZ.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_62d082595e9683eaafbec296b3155001_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\WUXVglE.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_62d082595e9683eaafbec296b3155001_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\gRSoLcT.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_62d082595e9683eaafbec296b3155001_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\muzYjqt.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_62d082595e9683eaafbec296b3155001_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\FheeHKl.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_62d082595e9683eaafbec296b3155001_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\DTifffk.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_62d082595e9683eaafbec296b3155001_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\EsXXdDB.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_62d082595e9683eaafbec296b3155001_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\swITtbZ.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_62d082595e9683eaafbec296b3155001_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\dFsDrxy.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_62d082595e9683eaafbec296b3155001_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\UXXRXmx.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_62d082595e9683eaafbec296b3155001_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\XLzfzsX.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_62d082595e9683eaafbec296b3155001_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\yImtnfz.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_62d082595e9683eaafbec296b3155001_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_62d082595e9683eaafbec296b3155001_cobalt-strike_cobaltstrike.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_62d082595e9683eaafbec296b3155001_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1620 wrote to memory of 4804 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_62d082595e9683eaafbec296b3155001_cobalt-strike_cobaltstrike.exe C:\Windows\System\muzYjqt.exe
PID 1620 wrote to memory of 4804 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_62d082595e9683eaafbec296b3155001_cobalt-strike_cobaltstrike.exe C:\Windows\System\muzYjqt.exe
PID 1620 wrote to memory of 3376 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_62d082595e9683eaafbec296b3155001_cobalt-strike_cobaltstrike.exe C:\Windows\System\ARuwBQT.exe
PID 1620 wrote to memory of 3376 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_62d082595e9683eaafbec296b3155001_cobalt-strike_cobaltstrike.exe C:\Windows\System\ARuwBQT.exe
PID 1620 wrote to memory of 3496 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_62d082595e9683eaafbec296b3155001_cobalt-strike_cobaltstrike.exe C:\Windows\System\hubdICG.exe
PID 1620 wrote to memory of 3496 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_62d082595e9683eaafbec296b3155001_cobalt-strike_cobaltstrike.exe C:\Windows\System\hubdICG.exe
PID 1620 wrote to memory of 756 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_62d082595e9683eaafbec296b3155001_cobalt-strike_cobaltstrike.exe C:\Windows\System\eFKTOQG.exe
PID 1620 wrote to memory of 756 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_62d082595e9683eaafbec296b3155001_cobalt-strike_cobaltstrike.exe C:\Windows\System\eFKTOQG.exe
PID 1620 wrote to memory of 3680 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_62d082595e9683eaafbec296b3155001_cobalt-strike_cobaltstrike.exe C:\Windows\System\FheeHKl.exe
PID 1620 wrote to memory of 3680 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_62d082595e9683eaafbec296b3155001_cobalt-strike_cobaltstrike.exe C:\Windows\System\FheeHKl.exe
PID 1620 wrote to memory of 1176 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_62d082595e9683eaafbec296b3155001_cobalt-strike_cobaltstrike.exe C:\Windows\System\FQdpYVo.exe
PID 1620 wrote to memory of 1176 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_62d082595e9683eaafbec296b3155001_cobalt-strike_cobaltstrike.exe C:\Windows\System\FQdpYVo.exe
PID 1620 wrote to memory of 1180 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_62d082595e9683eaafbec296b3155001_cobalt-strike_cobaltstrike.exe C:\Windows\System\DTifffk.exe
PID 1620 wrote to memory of 1180 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_62d082595e9683eaafbec296b3155001_cobalt-strike_cobaltstrike.exe C:\Windows\System\DTifffk.exe
PID 1620 wrote to memory of 2916 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_62d082595e9683eaafbec296b3155001_cobalt-strike_cobaltstrike.exe C:\Windows\System\pZCGZpI.exe
PID 1620 wrote to memory of 2916 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_62d082595e9683eaafbec296b3155001_cobalt-strike_cobaltstrike.exe C:\Windows\System\pZCGZpI.exe
PID 1620 wrote to memory of 676 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_62d082595e9683eaafbec296b3155001_cobalt-strike_cobaltstrike.exe C:\Windows\System\EsXXdDB.exe
PID 1620 wrote to memory of 676 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_62d082595e9683eaafbec296b3155001_cobalt-strike_cobaltstrike.exe C:\Windows\System\EsXXdDB.exe
PID 1620 wrote to memory of 3960 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_62d082595e9683eaafbec296b3155001_cobalt-strike_cobaltstrike.exe C:\Windows\System\EYALPtm.exe
PID 1620 wrote to memory of 3960 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_62d082595e9683eaafbec296b3155001_cobalt-strike_cobaltstrike.exe C:\Windows\System\EYALPtm.exe
PID 1620 wrote to memory of 2460 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_62d082595e9683eaafbec296b3155001_cobalt-strike_cobaltstrike.exe C:\Windows\System\YAvsMPn.exe
PID 1620 wrote to memory of 2460 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_62d082595e9683eaafbec296b3155001_cobalt-strike_cobaltstrike.exe C:\Windows\System\YAvsMPn.exe
PID 1620 wrote to memory of 4408 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_62d082595e9683eaafbec296b3155001_cobalt-strike_cobaltstrike.exe C:\Windows\System\JJZIUfo.exe
PID 1620 wrote to memory of 4408 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_62d082595e9683eaafbec296b3155001_cobalt-strike_cobaltstrike.exe C:\Windows\System\JJZIUfo.exe
PID 1620 wrote to memory of 2876 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_62d082595e9683eaafbec296b3155001_cobalt-strike_cobaltstrike.exe C:\Windows\System\swITtbZ.exe
PID 1620 wrote to memory of 2876 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_62d082595e9683eaafbec296b3155001_cobalt-strike_cobaltstrike.exe C:\Windows\System\swITtbZ.exe
PID 1620 wrote to memory of 4100 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_62d082595e9683eaafbec296b3155001_cobalt-strike_cobaltstrike.exe C:\Windows\System\dFsDrxy.exe
PID 1620 wrote to memory of 4100 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_62d082595e9683eaafbec296b3155001_cobalt-strike_cobaltstrike.exe C:\Windows\System\dFsDrxy.exe
PID 1620 wrote to memory of 2636 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_62d082595e9683eaafbec296b3155001_cobalt-strike_cobaltstrike.exe C:\Windows\System\UXXRXmx.exe
PID 1620 wrote to memory of 2636 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_62d082595e9683eaafbec296b3155001_cobalt-strike_cobaltstrike.exe C:\Windows\System\UXXRXmx.exe
PID 1620 wrote to memory of 2500 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_62d082595e9683eaafbec296b3155001_cobalt-strike_cobaltstrike.exe C:\Windows\System\iVPXQUZ.exe
PID 1620 wrote to memory of 2500 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_62d082595e9683eaafbec296b3155001_cobalt-strike_cobaltstrike.exe C:\Windows\System\iVPXQUZ.exe
PID 1620 wrote to memory of 2488 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_62d082595e9683eaafbec296b3155001_cobalt-strike_cobaltstrike.exe C:\Windows\System\XLzfzsX.exe
PID 1620 wrote to memory of 2488 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_62d082595e9683eaafbec296b3155001_cobalt-strike_cobaltstrike.exe C:\Windows\System\XLzfzsX.exe
PID 1620 wrote to memory of 4748 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_62d082595e9683eaafbec296b3155001_cobalt-strike_cobaltstrike.exe C:\Windows\System\DyoYxGf.exe
PID 1620 wrote to memory of 4748 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_62d082595e9683eaafbec296b3155001_cobalt-strike_cobaltstrike.exe C:\Windows\System\DyoYxGf.exe
PID 1620 wrote to memory of 4548 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_62d082595e9683eaafbec296b3155001_cobalt-strike_cobaltstrike.exe C:\Windows\System\yImtnfz.exe
PID 1620 wrote to memory of 4548 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_62d082595e9683eaafbec296b3155001_cobalt-strike_cobaltstrike.exe C:\Windows\System\yImtnfz.exe
PID 1620 wrote to memory of 4072 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_62d082595e9683eaafbec296b3155001_cobalt-strike_cobaltstrike.exe C:\Windows\System\WUXVglE.exe
PID 1620 wrote to memory of 4072 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_62d082595e9683eaafbec296b3155001_cobalt-strike_cobaltstrike.exe C:\Windows\System\WUXVglE.exe
PID 1620 wrote to memory of 4696 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_62d082595e9683eaafbec296b3155001_cobalt-strike_cobaltstrike.exe C:\Windows\System\gRSoLcT.exe
PID 1620 wrote to memory of 4696 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_62d082595e9683eaafbec296b3155001_cobalt-strike_cobaltstrike.exe C:\Windows\System\gRSoLcT.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-05-30_62d082595e9683eaafbec296b3155001_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-05-30_62d082595e9683eaafbec296b3155001_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\muzYjqt.exe

C:\Windows\System\muzYjqt.exe

C:\Windows\System\ARuwBQT.exe

C:\Windows\System\ARuwBQT.exe

C:\Windows\System\hubdICG.exe

C:\Windows\System\hubdICG.exe

C:\Windows\System\eFKTOQG.exe

C:\Windows\System\eFKTOQG.exe

C:\Windows\System\FheeHKl.exe

C:\Windows\System\FheeHKl.exe

C:\Windows\System\FQdpYVo.exe

C:\Windows\System\FQdpYVo.exe

C:\Windows\System\DTifffk.exe

C:\Windows\System\DTifffk.exe

C:\Windows\System\pZCGZpI.exe

C:\Windows\System\pZCGZpI.exe

C:\Windows\System\EsXXdDB.exe

C:\Windows\System\EsXXdDB.exe

C:\Windows\System\EYALPtm.exe

C:\Windows\System\EYALPtm.exe

C:\Windows\System\YAvsMPn.exe

C:\Windows\System\YAvsMPn.exe

C:\Windows\System\JJZIUfo.exe

C:\Windows\System\JJZIUfo.exe

C:\Windows\System\swITtbZ.exe

C:\Windows\System\swITtbZ.exe

C:\Windows\System\dFsDrxy.exe

C:\Windows\System\dFsDrxy.exe

C:\Windows\System\UXXRXmx.exe

C:\Windows\System\UXXRXmx.exe

C:\Windows\System\iVPXQUZ.exe

C:\Windows\System\iVPXQUZ.exe

C:\Windows\System\XLzfzsX.exe

C:\Windows\System\XLzfzsX.exe

C:\Windows\System\DyoYxGf.exe

C:\Windows\System\DyoYxGf.exe

C:\Windows\System\yImtnfz.exe

C:\Windows\System\yImtnfz.exe

C:\Windows\System\WUXVglE.exe

C:\Windows\System\WUXVglE.exe

C:\Windows\System\gRSoLcT.exe

C:\Windows\System\gRSoLcT.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=1280,i,1697479186275492802,18058102846092193784,262144 --variations-seed-version --mojo-platform-channel-handle=4168 /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 144.107.17.2.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 17.173.189.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp

Files

C:\Windows\System\muzYjqt.exe

C:\Windows\System\ARuwBQT.exe

C:\Windows\System\hubdICG.exe

C:\Windows\System\eFKTOQG.exe

C:\Windows\System\FheeHKl.exe

C:\Windows\System\FQdpYVo.exe

C:\Windows\System\DTifffk.exe

C:\Windows\System\pZCGZpI.exe

C:\Windows\System\EsXXdDB.exe

C:\Windows\System\YAvsMPn.exe

C:\Windows\System\EYALPtm.exe

C:\Windows\System\dFsDrxy.exe

C:\Windows\System\iVPXQUZ.exe

C:\Windows\System\DyoYxGf.exe

C:\Windows\System\gRSoLcT.exe

C:\Windows\System\WUXVglE.exe

C:\Windows\System\yImtnfz.exe

C:\Windows\System\XLzfzsX.exe

C:\Windows\System\UXXRXmx.exe

C:\Windows\System\swITtbZ.exe

C:\Windows\System\JJZIUfo.exe
