Malware Analysis Report

2025-03-15 08:11

Sample ID 240530-a87cnshc96
Target 2024-05-30_73be24e1c1418d45e07aaf1b46adee10_cobalt-strike_cobaltstrike
SHA256 9a8aadaffcf9f3a903dd4b743947d612f755ad9543d1fd2839288af7321ed0cb
Tags
upx 0 miner cobaltstrike xmrig backdoor trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

9a8aadaffcf9f3a903dd4b743947d612f755ad9543d1fd2839288af7321ed0cb

Threat Level: Known bad

The file 2024-05-30_73be24e1c1418d45e07aaf1b46adee10_cobalt-strike_cobaltstrike was found to be: Known bad.

Malicious Activity Summary

Xmrig family

XMRig Miner payload

Detects Reflective DLL injection artifacts

xmrig

Cobaltstrike

Cobalt Strike reflective loader

Cobaltstrike family

UPX dump on OEP (original entry point)

Executes dropped EXE

UPX packed file

Loads dropped DLL

Drops file in Windows directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-05-30 00:54

Signatures

Cobalt Strike reflective loader

Cobaltstrike family

cobaltstrike

Detects Reflective DLL injection artifacts

UPX dump on OEP (original entry point)

XMRig Miner payload

miner

Xmrig family

xmrig

UPX packed file

upx

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-30 00:54

Reported

2024-05-30 00:56

Platform

win7-20240508-en

Max time kernel

143s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-05-30_73be24e1c1418d45e07aaf1b46adee10_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

UPX dump on OEP (original entry point)

XMRig Miner payload

miner

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_73be24e1c1418d45e07aaf1b46adee10_cobalt-strike_cobaltstrike.exe N/A

UPX packed file

upx

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\oCdoMHX.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_73be24e1c1418d45e07aaf1b46adee10_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\epKzsBU.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_73be24e1c1418d45e07aaf1b46adee10_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\jUPBufv.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_73be24e1c1418d45e07aaf1b46adee10_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\chAPLGz.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_73be24e1c1418d45e07aaf1b46adee10_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\zmrBHyL.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_73be24e1c1418d45e07aaf1b46adee10_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\iTmvGqn.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_73be24e1c1418d45e07aaf1b46adee10_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\CJkrhLs.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_73be24e1c1418d45e07aaf1b46adee10_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\MSrAknR.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_73be24e1c1418d45e07aaf1b46adee10_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\EuUldpp.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_73be24e1c1418d45e07aaf1b46adee10_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\uVPxsVy.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_73be24e1c1418d45e07aaf1b46adee10_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\HeWRbAU.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_73be24e1c1418d45e07aaf1b46adee10_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\iKhOJVM.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_73be24e1c1418d45e07aaf1b46adee10_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\hjZPJON.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_73be24e1c1418d45e07aaf1b46adee10_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\SKeSxLh.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_73be24e1c1418d45e07aaf1b46adee10_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\IcVJfSB.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_73be24e1c1418d45e07aaf1b46adee10_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\khJMyHd.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_73be24e1c1418d45e07aaf1b46adee10_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\lzVbLkR.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_73be24e1c1418d45e07aaf1b46adee10_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\FrsdQQN.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_73be24e1c1418d45e07aaf1b46adee10_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ceCMNhE.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_73be24e1c1418d45e07aaf1b46adee10_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\whegALI.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_73be24e1c1418d45e07aaf1b46adee10_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\RNXUwJg.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_73be24e1c1418d45e07aaf1b46adee10_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_73be24e1c1418d45e07aaf1b46adee10_cobalt-strike_cobaltstrike.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_73be24e1c1418d45e07aaf1b46adee10_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1232 wrote to memory of 2128 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_73be24e1c1418d45e07aaf1b46adee10_cobalt-strike_cobaltstrike.exe C:\Windows\System\oCdoMHX.exe
PID 1232 wrote to memory of 2348 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_73be24e1c1418d45e07aaf1b46adee10_cobalt-strike_cobaltstrike.exe C:\Windows\System\epKzsBU.exe
PID 1232 wrote to memory of 2072 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_73be24e1c1418d45e07aaf1b46adee10_cobalt-strike_cobaltstrike.exe C:\Windows\System\HeWRbAU.exe
PID 1232 wrote to memory of 2612 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_73be24e1c1418d45e07aaf1b46adee10_cobalt-strike_cobaltstrike.exe C:\Windows\System\chAPLGz.exe
PID 1232 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_73be24e1c1418d45e07aaf1b46adee10_cobalt-strike_cobaltstrike.exe C:\Windows\System\zmrBHyL.exe
PID 1232 wrote to memory of 2516 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_73be24e1c1418d45e07aaf1b46adee10_cobalt-strike_cobaltstrike.exe C:\Windows\System\iKhOJVM.exe
PID 1232 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_73be24e1c1418d45e07aaf1b46adee10_cobalt-strike_cobaltstrike.exe C:\Windows\System\lzVbLkR.exe
PID 1232 wrote to memory of 2504 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_73be24e1c1418d45e07aaf1b46adee10_cobalt-strike_cobaltstrike.exe C:\Windows\System\iTmvGqn.exe
PID 1232 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_73be24e1c1418d45e07aaf1b46adee10_cobalt-strike_cobaltstrike.exe C:\Windows\System\FrsdQQN.exe
PID 1232 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_73be24e1c1418d45e07aaf1b46adee10_cobalt-strike_cobaltstrike.exe C:\Windows\System\ceCMNhE.exe
PID 1232 wrote to memory of 2160 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_73be24e1c1418d45e07aaf1b46adee10_cobalt-strike_cobaltstrike.exe C:\Windows\System\CJkrhLs.exe
PID 1232 wrote to memory of 2836 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_73be24e1c1418d45e07aaf1b46adee10_cobalt-strike_cobaltstrike.exe C:\Windows\System\hjZPJON.exe
PID 1232 wrote to memory of 2840 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_73be24e1c1418d45e07aaf1b46adee10_cobalt-strike_cobaltstrike.exe C:\Windows\System\jUPBufv.exe
PID 1232 wrote to memory of 2896 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_73be24e1c1418d45e07aaf1b46adee10_cobalt-strike_cobaltstrike.exe C:\Windows\System\SKeSxLh.exe
PID 1232 wrote to memory of 1032 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_73be24e1c1418d45e07aaf1b46adee10_cobalt-strike_cobaltstrike.exe C:\Windows\System\whegALI.exe
PID 1232 wrote to memory of 1856 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_73be24e1c1418d45e07aaf1b46adee10_cobalt-strike_cobaltstrike.exe C:\Windows\System\MSrAknR.exe
PID 1232 wrote to memory of 1952 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_73be24e1c1418d45e07aaf1b46adee10_cobalt-strike_cobaltstrike.exe C:\Windows\System\EuUldpp.exe
PID 1232 wrote to memory of 1848 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_73be24e1c1418d45e07aaf1b46adee10_cobalt-strike_cobaltstrike.exe C:\Windows\System\RNXUwJg.exe
PID 1232 wrote to memory of 1928 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_73be24e1c1418d45e07aaf1b46adee10_cobalt-strike_cobaltstrike.exe C:\Windows\System\IcVJfSB.exe
PID 1232 wrote to memory of 1640 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_73be24e1c1418d45e07aaf1b46adee10_cobalt-strike_cobaltstrike.exe C:\Windows\System\khJMyHd.exe
PID 1232 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_73be24e1c1418d45e07aaf1b46adee10_cobalt-strike_cobaltstrike.exe C:\Windows\System\uVPxsVy.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-05-30_73be24e1c1418d45e07aaf1b46adee10_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-05-30_73be24e1c1418d45e07aaf1b46adee10_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\oCdoMHX.exe

C:\Windows\System\oCdoMHX.exe

C:\Windows\System\epKzsBU.exe

C:\Windows\System\epKzsBU.exe

C:\Windows\System\HeWRbAU.exe

C:\Windows\System\HeWRbAU.exe

C:\Windows\System\chAPLGz.exe

C:\Windows\System\chAPLGz.exe

C:\Windows\System\zmrBHyL.exe

C:\Windows\System\zmrBHyL.exe

C:\Windows\System\iKhOJVM.exe

C:\Windows\System\iKhOJVM.exe

C:\Windows\System\lzVbLkR.exe

C:\Windows\System\lzVbLkR.exe

C:\Windows\System\iTmvGqn.exe

C:\Windows\System\iTmvGqn.exe

C:\Windows\System\FrsdQQN.exe

C:\Windows\System\FrsdQQN.exe

C:\Windows\System\ceCMNhE.exe

C:\Windows\System\ceCMNhE.exe

C:\Windows\System\CJkrhLs.exe

C:\Windows\System\CJkrhLs.exe

C:\Windows\System\hjZPJON.exe

C:\Windows\System\hjZPJON.exe

C:\Windows\System\jUPBufv.exe

C:\Windows\System\jUPBufv.exe

C:\Windows\System\SKeSxLh.exe

C:\Windows\System\SKeSxLh.exe

C:\Windows\System\whegALI.exe

C:\Windows\System\whegALI.exe

C:\Windows\System\MSrAknR.exe

C:\Windows\System\MSrAknR.exe

C:\Windows\System\EuUldpp.exe

C:\Windows\System\EuUldpp.exe

C:\Windows\System\RNXUwJg.exe

C:\Windows\System\RNXUwJg.exe

C:\Windows\System\IcVJfSB.exe

C:\Windows\System\IcVJfSB.exe

C:\Windows\System\khJMyHd.exe

C:\Windows\System\khJMyHd.exe

C:\Windows\System\uVPxsVy.exe

C:\Windows\System\uVPxsVy.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 tcp

Files


memory/2072-138-0x000000013F950000-0x000000013FCA1000-memory.dmp

memory/1232-133-0x0000000002150000-0x00000000024A1000-memory.dmp

memory/2836-131-0x000000013F990000-0x000000013FCE1000-memory.dmp

memory/2820-144-0x000000013FD40000-0x0000000140091000-memory.dmp

memory/2516-143-0x000000013FAC0000-0x000000013FE11000-memory.dmp

memory/2756-142-0x000000013F060000-0x000000013F3B1000-memory.dmp

memory/2160-148-0x000000013FFB0000-0x0000000140301000-memory.dmp

memory/1032-152-0x000000013FCE0000-0x0000000140031000-memory.dmp

memory/2724-158-0x000000013FCB0000-0x0000000140001000-memory.dmp

memory/1640-157-0x000000013FDA0000-0x00000001400F1000-memory.dmp

memory/1928-156-0x000000013F850000-0x000000013FBA1000-memory.dmp

memory/1952-154-0x000000013F530000-0x000000013F881000-memory.dmp

memory/1856-153-0x000000013F420000-0x000000013F771000-memory.dmp

memory/1848-155-0x000000013F180000-0x000000013F4D1000-memory.dmp

memory/1232-159-0x000000013FCE0000-0x0000000140031000-memory.dmp

memory/1232-167-0x000000013F940000-0x000000013FC91000-memory.dmp

memory/1232-168-0x000000013F390000-0x000000013F6E1000-memory.dmp

memory/2348-206-0x000000013F960000-0x000000013FCB1000-memory.dmp

memory/2128-215-0x000000013F6A0000-0x000000013F9F1000-memory.dmp

memory/2612-217-0x000000013FCC0000-0x0000000140011000-memory.dmp

memory/2516-220-0x000000013FAC0000-0x000000013FE11000-memory.dmp

memory/2072-221-0x000000013F950000-0x000000013FCA1000-memory.dmp

memory/2756-223-0x000000013F060000-0x000000013F3B1000-memory.dmp

memory/2820-225-0x000000013FD40000-0x0000000140091000-memory.dmp

memory/2504-227-0x000000013F940000-0x000000013FC91000-memory.dmp

memory/2572-229-0x000000013F390000-0x000000013F6E1000-memory.dmp

memory/2680-235-0x000000013FB90000-0x000000013FEE1000-memory.dmp

memory/2836-237-0x000000013F990000-0x000000013FCE1000-memory.dmp

memory/2840-239-0x000000013FFD0000-0x0000000140321000-memory.dmp

memory/2896-241-0x000000013F2A0000-0x000000013F5F1000-memory.dmp

memory/2160-251-0x000000013FFB0000-0x0000000140301000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-30 00:54

Reported

2024-05-30 00:56

Platform

win10v2004-20240508-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-05-30_73be24e1c1418d45e07aaf1b46adee10_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A
(21 hits; the report gives no description, indicator, process or target for any of them)

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A
(21 hits; the report gives no description, indicator, process or target for any of them)

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A
(64 hits; the report gives no description, indicator, process or target for any of them)

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
(48 hits; the report gives no description, indicator, process or target for any of them)

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
(64 hits; the report gives no description, indicator, process or target for any of them)

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\zYDHukJ.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_73be24e1c1418d45e07aaf1b46adee10_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\lTMBXCY.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_73be24e1c1418d45e07aaf1b46adee10_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\HTjtwiP.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_73be24e1c1418d45e07aaf1b46adee10_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\wFMVOmh.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_73be24e1c1418d45e07aaf1b46adee10_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\PJCTEal.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_73be24e1c1418d45e07aaf1b46adee10_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\BKNWVlS.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_73be24e1c1418d45e07aaf1b46adee10_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\CgeZYht.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_73be24e1c1418d45e07aaf1b46adee10_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\PVowdXG.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_73be24e1c1418d45e07aaf1b46adee10_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\vkTLDaa.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_73be24e1c1418d45e07aaf1b46adee10_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\VygErWU.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_73be24e1c1418d45e07aaf1b46adee10_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\rmxbXiP.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_73be24e1c1418d45e07aaf1b46adee10_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\iVGwsKX.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_73be24e1c1418d45e07aaf1b46adee10_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\qcnNWsp.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_73be24e1c1418d45e07aaf1b46adee10_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\VvaczKU.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_73be24e1c1418d45e07aaf1b46adee10_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\AZrquDi.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_73be24e1c1418d45e07aaf1b46adee10_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\BaXrMBI.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_73be24e1c1418d45e07aaf1b46adee10_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\YdQQcGn.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_73be24e1c1418d45e07aaf1b46adee10_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\gJVxpow.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_73be24e1c1418d45e07aaf1b46adee10_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\mYswDrE.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_73be24e1c1418d45e07aaf1b46adee10_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\vGPdvRs.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_73be24e1c1418d45e07aaf1b46adee10_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\FPXMAgP.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_73be24e1c1418d45e07aaf1b46adee10_cobalt-strike_cobaltstrike.exe N/A
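The 21 "File created" rows above all share one shape: the sample, running from the user's Temp directory, writes a 7-letter mixed-case .exe into C:\Windows\System (the legacy directory, not System32, which is normally almost empty) and the Processes section below shows each of those files being launched. The following detection logic is an added example written for this report, not part of the sandbox's own signatures; the event dicts are constructed to mirror the report's rows (the long sample path is shortened to sample.exe) plus two benign controls, and the field names are an assumed, Sysmon-like schema.

```python
import re

# C:\Windows\System (not System32) is a legacy directory that is normally
# almost empty, so any newly written .exe there is worth an alert.  The
# report's droppers use 7-letter mixed-case names; IGNORECASE also covers
# the lowercase "system" spelling seen in the behavioral1 run.
DROP_PATH = re.compile(r"^C:\\Windows\\System\\[A-Za-z]{7}\.exe$", re.IGNORECASE)
USER_TEMP = re.compile(r"^C:\\Users\\[^\\]+\\AppData\\Local\\Temp\\", re.IGNORECASE)


def classify(event):
    """Rule names an event triggers (empty list = nothing to report)."""
    hits = []
    if event["type"] == "file_create" and DROP_PATH.match(event["target"]):
        hits.append("exe_dropped_in_windows_system")
        if USER_TEMP.match(event["image"]):
            hits.append("dropper_runs_from_user_temp")
    if event["type"] == "process_create" and DROP_PATH.match(event["image"]):
        hits.append("exe_executed_from_windows_system")
        if USER_TEMP.match(event.get("parent_image", "")):
            hits.append("temp_parent_spawned_windows_system_child")
    return hits


def dropped_then_executed(events):
    """Paths that were both written and launched within the same batch."""
    written = {e["target"].lower() for e in events
               if e["type"] == "file_create" and DROP_PATH.match(e["target"])}
    launched = {e["image"].lower() for e in events
                if e["type"] == "process_create" and DROP_PATH.match(e["image"])}
    return written & launched


def scan(events):
    """(event, rules) for every event that triggers at least one rule."""
    return [(e, classify(e)) for e in events if classify(e)]


# Constructed events mirroring the report's behaviour, plus two benign controls.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\sample.exe"
EVENTS = [
    {"type": "file_create", "image": SAMPLE, "target": r"C:\Windows\System\rmxbXiP.exe"},
    {"type": "file_create", "image": SAMPLE, "target": r"C:\Windows\System\zYDHukJ.exe"},
    {"type": "process_create", "image": r"C:\Windows\System\rmxbXiP.exe", "parent_image": SAMPLE},
    {"type": "file_create", "image": r"C:\Windows\System32\svchost.exe",
     "target": r"C:\Windows\System32\LogFiles\update.log"},
    {"type": "process_create", "image": r"C:\Windows\System32\notepad.exe",
     "parent_image": r"C:\Windows\explorer.exe"},
]

if __name__ == "__main__":
    for event, rules in scan(EVENTS):
        print(event["type"], event.get("target", event["image"]), rules)
    print("dropped and executed:", dropped_then_executed(EVENTS))
```

The path regex is anchored so that System32 paths never match; the two System32 control events therefore produce no hits, while the drop-then-launch pair for rmxbXiP.exe is reported by both the per-event rules and the correlation function.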

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_73be24e1c1418d45e07aaf1b46adee10_cobalt-strike_cobaltstrike.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_73be24e1c1418d45e07aaf1b46adee10_cobalt-strike_cobaltstrike.exe N/A
Note: SeLockMemoryPrivilege is the privilege required to allocate large pages. XMRig requests it at start-up to enable huge pages for its RandomX working set, so this token adjustment by the sample itself is consistent with the report's xmrig and miner tags.

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4864 wrote to memory of 4604 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_73be24e1c1418d45e07aaf1b46adee10_cobalt-strike_cobaltstrike.exe C:\Windows\System\rmxbXiP.exe
PID 4864 wrote to memory of 4604 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_73be24e1c1418d45e07aaf1b46adee10_cobalt-strike_cobaltstrike.exe C:\Windows\System\rmxbXiP.exe
PID 4864 wrote to memory of 3052 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_73be24e1c1418d45e07aaf1b46adee10_cobalt-strike_cobaltstrike.exe C:\Windows\System\zYDHukJ.exe
PID 4864 wrote to memory of 3052 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_73be24e1c1418d45e07aaf1b46adee10_cobalt-strike_cobaltstrike.exe C:\Windows\System\zYDHukJ.exe
PID 4864 wrote to memory of 3780 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_73be24e1c1418d45e07aaf1b46adee10_cobalt-strike_cobaltstrike.exe C:\Windows\System\iVGwsKX.exe
PID 4864 wrote to memory of 3780 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_73be24e1c1418d45e07aaf1b46adee10_cobalt-strike_cobaltstrike.exe C:\Windows\System\iVGwsKX.exe
PID 4864 wrote to memory of 2208 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_73be24e1c1418d45e07aaf1b46adee10_cobalt-strike_cobaltstrike.exe C:\Windows\System\CgeZYht.exe
PID 4864 wrote to memory of 2208 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_73be24e1c1418d45e07aaf1b46adee10_cobalt-strike_cobaltstrike.exe C:\Windows\System\CgeZYht.exe
PID 4864 wrote to memory of 5056 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_73be24e1c1418d45e07aaf1b46adee10_cobalt-strike_cobaltstrike.exe C:\Windows\System\PVowdXG.exe
PID 4864 wrote to memory of 5056 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_73be24e1c1418d45e07aaf1b46adee10_cobalt-strike_cobaltstrike.exe C:\Windows\System\PVowdXG.exe
PID 4864 wrote to memory of 4944 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_73be24e1c1418d45e07aaf1b46adee10_cobalt-strike_cobaltstrike.exe C:\Windows\System\lTMBXCY.exe
PID 4864 wrote to memory of 4944 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_73be24e1c1418d45e07aaf1b46adee10_cobalt-strike_cobaltstrike.exe C:\Windows\System\lTMBXCY.exe
PID 4864 wrote to memory of 3964 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_73be24e1c1418d45e07aaf1b46adee10_cobalt-strike_cobaltstrike.exe C:\Windows\System\vkTLDaa.exe
PID 4864 wrote to memory of 3964 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_73be24e1c1418d45e07aaf1b46adee10_cobalt-strike_cobaltstrike.exe C:\Windows\System\vkTLDaa.exe
PID 4864 wrote to memory of 1072 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_73be24e1c1418d45e07aaf1b46adee10_cobalt-strike_cobaltstrike.exe C:\Windows\System\BaXrMBI.exe
PID 4864 wrote to memory of 1072 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_73be24e1c1418d45e07aaf1b46adee10_cobalt-strike_cobaltstrike.exe C:\Windows\System\BaXrMBI.exe
PID 4864 wrote to memory of 4228 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_73be24e1c1418d45e07aaf1b46adee10_cobalt-strike_cobaltstrike.exe C:\Windows\System\HTjtwiP.exe
PID 4864 wrote to memory of 4228 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_73be24e1c1418d45e07aaf1b46adee10_cobalt-strike_cobaltstrike.exe C:\Windows\System\HTjtwiP.exe
PID 4864 wrote to memory of 3904 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_73be24e1c1418d45e07aaf1b46adee10_cobalt-strike_cobaltstrike.exe C:\Windows\System\wFMVOmh.exe
PID 4864 wrote to memory of 3904 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_73be24e1c1418d45e07aaf1b46adee10_cobalt-strike_cobaltstrike.exe C:\Windows\System\wFMVOmh.exe
PID 4864 wrote to memory of 4488 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_73be24e1c1418d45e07aaf1b46adee10_cobalt-strike_cobaltstrike.exe C:\Windows\System\YdQQcGn.exe
PID 4864 wrote to memory of 4488 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_73be24e1c1418d45e07aaf1b46adee10_cobalt-strike_cobaltstrike.exe C:\Windows\System\YdQQcGn.exe
PID 4864 wrote to memory of 1364 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_73be24e1c1418d45e07aaf1b46adee10_cobalt-strike_cobaltstrike.exe C:\Windows\System\gJVxpow.exe
PID 4864 wrote to memory of 1364 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_73be24e1c1418d45e07aaf1b46adee10_cobalt-strike_cobaltstrike.exe C:\Windows\System\gJVxpow.exe
PID 4864 wrote to memory of 3912 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_73be24e1c1418d45e07aaf1b46adee10_cobalt-strike_cobaltstrike.exe C:\Windows\System\qcnNWsp.exe
PID 4864 wrote to memory of 3912 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_73be24e1c1418d45e07aaf1b46adee10_cobalt-strike_cobaltstrike.exe C:\Windows\System\qcnNWsp.exe
PID 4864 wrote to memory of 1240 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_73be24e1c1418d45e07aaf1b46adee10_cobalt-strike_cobaltstrike.exe C:\Windows\System\mYswDrE.exe
PID 4864 wrote to memory of 1240 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_73be24e1c1418d45e07aaf1b46adee10_cobalt-strike_cobaltstrike.exe C:\Windows\System\mYswDrE.exe
PID 4864 wrote to memory of 1492 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_73be24e1c1418d45e07aaf1b46adee10_cobalt-strike_cobaltstrike.exe C:\Windows\System\vGPdvRs.exe
PID 4864 wrote to memory of 1492 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_73be24e1c1418d45e07aaf1b46adee10_cobalt-strike_cobaltstrike.exe C:\Windows\System\vGPdvRs.exe
PID 4864 wrote to memory of 940 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_73be24e1c1418d45e07aaf1b46adee10_cobalt-strike_cobaltstrike.exe C:\Windows\System\VygErWU.exe
PID 4864 wrote to memory of 940 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_73be24e1c1418d45e07aaf1b46adee10_cobalt-strike_cobaltstrike.exe C:\Windows\System\VygErWU.exe
PID 4864 wrote to memory of 2072 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_73be24e1c1418d45e07aaf1b46adee10_cobalt-strike_cobaltstrike.exe C:\Windows\System\VvaczKU.exe
PID 4864 wrote to memory of 2072 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_73be24e1c1418d45e07aaf1b46adee10_cobalt-strike_cobaltstrike.exe C:\Windows\System\VvaczKU.exe
PID 4864 wrote to memory of 4644 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_73be24e1c1418d45e07aaf1b46adee10_cobalt-strike_cobaltstrike.exe C:\Windows\System\PJCTEal.exe
PID 4864 wrote to memory of 4644 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_73be24e1c1418d45e07aaf1b46adee10_cobalt-strike_cobaltstrike.exe C:\Windows\System\PJCTEal.exe
PID 4864 wrote to memory of 2944 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_73be24e1c1418d45e07aaf1b46adee10_cobalt-strike_cobaltstrike.exe C:\Windows\System\BKNWVlS.exe
PID 4864 wrote to memory of 2944 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_73be24e1c1418d45e07aaf1b46adee10_cobalt-strike_cobaltstrike.exe C:\Windows\System\BKNWVlS.exe
PID 4864 wrote to memory of 5072 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_73be24e1c1418d45e07aaf1b46adee10_cobalt-strike_cobaltstrike.exe C:\Windows\System\AZrquDi.exe
PID 4864 wrote to memory of 5072 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_73be24e1c1418d45e07aaf1b46adee10_cobalt-strike_cobaltstrike.exe C:\Windows\System\AZrquDi.exe
PID 4864 wrote to memory of 2852 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_73be24e1c1418d45e07aaf1b46adee10_cobalt-strike_cobaltstrike.exe C:\Windows\System\FPXMAgP.exe
PID 4864 wrote to memory of 2852 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_73be24e1c1418d45e07aaf1b46adee10_cobalt-strike_cobaltstrike.exe C:\Windows\System\FPXMAgP.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-05-30_73be24e1c1418d45e07aaf1b46adee10_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-05-30_73be24e1c1418d45e07aaf1b46adee10_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\rmxbXiP.exe

C:\Windows\System\rmxbXiP.exe

C:\Windows\System\zYDHukJ.exe

C:\Windows\System\zYDHukJ.exe

C:\Windows\System\iVGwsKX.exe

C:\Windows\System\iVGwsKX.exe

C:\Windows\System\CgeZYht.exe

C:\Windows\System\CgeZYht.exe

C:\Windows\System\PVowdXG.exe

C:\Windows\System\PVowdXG.exe

C:\Windows\System\lTMBXCY.exe

C:\Windows\System\lTMBXCY.exe

C:\Windows\System\vkTLDaa.exe

C:\Windows\System\vkTLDaa.exe

C:\Windows\System\BaXrMBI.exe

C:\Windows\System\BaXrMBI.exe

C:\Windows\System\HTjtwiP.exe

C:\Windows\System\HTjtwiP.exe

C:\Windows\System\wFMVOmh.exe

C:\Windows\System\wFMVOmh.exe

C:\Windows\System\YdQQcGn.exe

C:\Windows\System\YdQQcGn.exe

C:\Windows\System\gJVxpow.exe

C:\Windows\System\gJVxpow.exe

C:\Windows\System\qcnNWsp.exe

C:\Windows\System\qcnNWsp.exe

C:\Windows\System\mYswDrE.exe

C:\Windows\System\mYswDrE.exe

C:\Windows\System\vGPdvRs.exe

C:\Windows\System\vGPdvRs.exe

C:\Windows\System\VygErWU.exe

C:\Windows\System\VygErWU.exe

C:\Windows\System\VvaczKU.exe

C:\Windows\System\VvaczKU.exe

C:\Windows\System\PJCTEal.exe

C:\Windows\System\PJCTEal.exe

C:\Windows\System\BKNWVlS.exe

C:\Windows\System\BKNWVlS.exe

C:\Windows\System\AZrquDi.exe

C:\Windows\System\AZrquDi.exe

C:\Windows\System\FPXMAgP.exe

C:\Windows\System\FPXMAgP.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp
DE 3.120.209.58:8080 - tcp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
DE 3.120.209.58:8080 - tcp
DE 3.120.209.58:8080 - tcp
US 8.8.8.8:53 137.126.19.2.in-addr.arpa udp
US 52.111.229.48:443 - tcp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
DE 3.120.209.58:8080 - tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
DE 3.120.209.58:8080 - tcp
DE 3.120.209.58:8080 - tcp
US 8.8.8.8:53 123.10.44.20.in-addr.arpa udp
(Domain "-" marks a direct connection to an IP with no name recorded. The *.in-addr.arpa queries are reverse (PTR) lookups of addresses the guest was already talking to, e.g. 237.197.79.204.in-addr.arpa reverses to 204.79.197.237, the g.bing.com endpoint. 3.120.209.58:8080 is the only destination contacted repeatedly without a domain; the report does not attribute it.)
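Most rows in the table above are background traffic of the Windows 10 image (bing.com endpoints and reverse lookups of the peers it contacted). To separate that noise from what the sample itself did, the following script, an added example rather than part of the report or the sandbox, parses the table as copied from this report, reconstructs IPs from the PTR names, and counts direct-to-IP TCP connections that were never named or even reverse-resolved. The result singles out 3.120.209.58:8080 (six connections) and 52.111.229.48:443 (one); the report does not say what either is, so the repeated 8080 endpoint is a lead to confirm against the beacon configuration, not a confirmed C2 indicator.

```python
from collections import Counter

# Rows copied verbatim from the report's behavioral2 Network table.
NETWORK_TABLE = """
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 137.126.19.2.in-addr.arpa udp
US 52.111.229.48:443 tcp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 123.10.44.20.in-addr.arpa udp
"""

PTR_SUFFIX = ".in-addr.arpa"


def parse_rows(text):
    """Split the space-separated table; rows without a Domain column have 3 fields."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4:
            country, dest, domain, proto = parts
        elif len(parts) == 3:
            country, dest, proto = parts
            domain = ""
        else:
            continue
        rows.append({"country": country, "dest": dest, "domain": domain, "proto": proto})
    return rows


def ip_from_ptr(name):
    """'196.249.167.52.in-addr.arpa' -> '52.167.249.196' (octets are reversed in PTR names)."""
    octets = name[: -len(PTR_SUFFIX)].split(".")
    return ".".join(reversed(octets))


def forward_lookups(rows):
    """Names the guest resolved itself; reverse lookups are excluded."""
    return {r["domain"] for r in rows
            if r["dest"].endswith(":53") and r["domain"]
            and not r["domain"].endswith(PTR_SUFFIX)}


def reverse_lookups(rows):
    """IPs for which the guest issued a PTR query."""
    return {ip_from_ptr(r["domain"]) for r in rows if r["domain"].endswith(PTR_SUFFIX)}


def direct_connections(rows):
    """TCP connections with no name attached, counted per endpoint."""
    return Counter(r["dest"] for r in rows if r["proto"] == "tcp" and not r["domain"])


def unresolved_direct(rows):
    """Direct endpoints whose IP never appeared in any PTR query either."""
    ptr = reverse_lookups(rows)
    return {dest: n for dest, n in direct_connections(rows).items()
            if dest.rsplit(":", 1)[0] not in ptr}


if __name__ == "__main__":
    rows = parse_rows(NETWORK_TABLE)
    print("forward lookups:", sorted(forward_lookups(rows)))
    for dest, n in unresolved_direct(rows).items():
        print(f"direct, unresolved: {dest} x{n}")
```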

Files

memory/4864-0-0x00007FF684AD0000-0x00007FF684E21000-memory.dmp

memory/4864-1-0x000002642A080000-0x000002642A090000-memory.dmp

C:\Windows\System\rmxbXiP.exe

MD5 d1eaec6976177f29f7ff631b624a9c6e
SHA1 631e1c7613d51a4c270649a3a8487801514e71ee
SHA256 3cb9127e863ee04821f72fc52169b3bf4a953810ff6783f16d5ffa5d348ddd6a
SHA512 bd55ed05373e7798375957adea082b78932503d5137f63b80750fb76b3a661ecf5298404d0d0cc47efddebfc15bd5892a6b6f9607a5152d5afc8fd9e55d5f042

memory/4604-8-0x00007FF64D510000-0x00007FF64D861000-memory.dmp

C:\Windows\System\zYDHukJ.exe

MD5 e9413e94a922d874bdf51e802ef2d075
SHA1 7233f69864eca6c6215039d3818677c8c3273124
SHA256 35ac77a77aed21db7c9485ea080e5d3f8a9d3e9b6ea32a77e44de9ae03e0ee00
SHA512 b40bc6a798e5bfce61136bc310e42937871b403cd7bd8c71d6c74a96b23f7e49ec433defdf23bb66f545c1bd8ab38196947b1d48ba0348aac7a7eaca552c105c

memory/3052-13-0x00007FF7EA1C0000-0x00007FF7EA511000-memory.dmp

C:\Windows\System\iVGwsKX.exe

MD5 e5070f39ebc4befc7e8693f27495d6bf
SHA1 375bbc9a1efa80c79a49b49e14c324d4b6354cc0
SHA256 09f774727eeb18d64a5900ba79c0aecdd1d2a600c0a7b53ae41e87697db32db4
SHA512 d47a31d09a2cdcc126542eeb70550ccbcd500d61401eb71b669f5ed9564da9a6ae38ec361fbf3ea144d76f7b7f662dc3baeece0d457a7df24daacebff9954238

memory/3780-20-0x00007FF75A340000-0x00007FF75A691000-memory.dmp

C:\Windows\System\CgeZYht.exe

MD5 f5fbc41679f3988a47e12b395e4e3053
SHA1 71e7c96747ccfb160e1621d3e60ac95098ee6463
SHA256 7108158ad21e1eed246173132d28ebc6b23a39cfe9f8a98d1a798d9daceacf6c
SHA512 60a89d6e00e7f9066a0a1e2891f1aefcea4d0c34d1bf0579f665e5daa42d5fea7aaccd2bf6d6fc606027c7d7e666cf781c8f274a348362e8bbfe6845a5ea4b8b

C:\Windows\System\PVowdXG.exe

MD5 c1b449fddf567147c5826744487d7d36
SHA1 a203792a15c505dd4068679de4fa53a842dda844
SHA256 555f40414caf1b1fd93d846038530572ee4e7d0586809b8db25f6bfe1337db91
SHA512 5c9bd59c279b5883466d3033558b7bfe501acda9f0916cc7f418e859042d4eb78a3ba554ff5658eb836093cea0199d64405f689d1906be140ee4d0e02f451439

memory/2208-26-0x00007FF60DE50000-0x00007FF60E1A1000-memory.dmp

memory/5056-30-0x00007FF6AC7B0000-0x00007FF6ACB01000-memory.dmp

C:\Windows\System\lTMBXCY.exe

MD5 3c0fe7cfddc6b0211e5bfc2679f70d0a
SHA1 fa458eed5305c52f46c244c8e4f57b898ac35b00
SHA256 98c3215b587287630119d95a2f82be06d746ee00041de7bd128b9904f1d29a9d
SHA512 26a012eaf51c4ee45a6dd030141a978b7655c01f2c8278aeebeb6e200e4d56721803e225b807b8941718f77890fa9ceced109273ab4abca0c8d3f19bb3a9d90e

memory/4944-40-0x00007FF7C8C30000-0x00007FF7C8F81000-memory.dmp

C:\Windows\System\vkTLDaa.exe

MD5 330504a8f5e733187a719bbbb9e14d25
SHA1 7a8cac41b445e4f474cc5bd6d1362f3079eba801
SHA256 ab169fdc03ca8bb3ff649ab7c779539159b9104a6764713a605e3518d590beb8
SHA512 c9130cf1489d35f4b34a678e6549d454d23f64f24b714a4c75f0b33b2864829e1a69b99159f5be3342f24015743910d3163a5a278b62e17638c400f59810ffe6

C:\Windows\System\BaXrMBI.exe

MD5 0cd258bde27870d16d3b7baa96ef00d0
SHA1 c28a0b50dc9d291253ce81c87bd1bbb6a9663a96
SHA256 75555fb59d7f1c387b516da058ab8398ae4dee16bee24b4c63d95cf8ae032265
SHA512 9da79b117912b86151ffac414fdc835ca7389fc51b88bfdd4eec3cad72564164cfa07255c71002060168cf3b44557449964f468c330d152abdce62e5d8bea757

memory/3964-46-0x00007FF70EA30000-0x00007FF70ED81000-memory.dmp

memory/1072-48-0x00007FF6BF560000-0x00007FF6BF8B1000-memory.dmp

C:\Windows\System\HTjtwiP.exe

MD5 50cd13377b8363d746926e013fbbd0d6
SHA1 ef816c602c33d121782d06fccf06d6dc7e91669b
SHA256 28b9962ce570b02a71cf38542c2a23c057705e6d8f50949bef704bf66710e74c
SHA512 fce4567207611a3b760f7aa3873cd6e6c4e425288d7d6384abd889819c31120eecf14d3b32693836951289705b91ebac873311c99588b6786f85f86edcf06dc9

C:\Windows\System\YdQQcGn.exe

MD5 db804f1d1997708d6d06b9f82eaffae9
SHA1 186471bf168fd23c0464abba77f08dfc08264a45
SHA256 c267c8503a5fc3eddc295630c61f1de7e8c55bab8c2ad35b30353aa981daeb72
SHA512 23dc9560291ce09e84b29b8a6f0c856a15a07d5f57ebf17a1fd172d8146a3b8b2b7fb1f8a6b504537fbfe3ecb2f644170acc4072c28a8d43bf409865e257e6ff

C:\Windows\System\qcnNWsp.exe

MD5 ebbb9a5a23688db2a75f895caff6c6bf
SHA1 418ee9499572bb85d96fe95cfb9d39ff9581558a
SHA256 ed2726691f82e214c93888fdeaf3621b86c8b37e1c68518134cd9c17e2ae7f7e
SHA512 d4ca09a73bf47159c0278e39f18790b13975b7905562039043b114a51828dc779ff2082268cdd822d997227c6dfecaa57d24a8e13d08f9a6e8150135badc589e

C:\Windows\System\VvaczKU.exe

MD5 b5a3c284ea290a60e7238e602e633532
SHA1 296bf5c6444e31e5b0e77f6aeede5a29e18a6723
SHA256 65e2dc1c6a51d4d429b823e78793d2093c1f6d45ef19fa5bd89063e1f25094aa
SHA512 77830647346aaa66d6262e2dc7d38691a1622aa4154de30e7b61d1100f670cb843640fdf732640f3cc9296a704a930dbc8d13a1ca0336c49d1eda3dc56fe4013

C:\Windows\System\BKNWVlS.exe

MD5 1a81796b9afbe13906a5c415f3657f10
SHA1 82d5f99c5af275cd4af8288832431aadbee926fa
SHA256 efa9a4ef2d0cd7caaef4ebe2db9c6844e1db21d0d37ae0474a23796051204b12
SHA512 3a66bb75e66892d2b6adc0875ed6c019610d2d7a3371d17c45a9d968d65cde6636836708db7644c43c4ecdd41f6b3c8d52b071a1a602c4a120e63f29238b1f36

C:\Windows\System\FPXMAgP.exe

MD5 acc2388e29b27e2da3e607814198dc74
SHA1 ccd58c16505fa87a811ddc23a6aa7770cecb84a0
SHA256 4e40e40e29777bd1a5b1d676202944d6e67ec6540d2aa2153c6b215b8c55fe9d
SHA512 46cfa8eb4b247245d2ca51f1b0fe6f080a89a77bd1322836e83f2ad7150e8e35dbc0913f9a2596c92dead27daf38c2914d134ff58cd0e72a4f714085ebd10ed0

C:\Windows\System\AZrquDi.exe

MD5 b1e0bbcd40661d15a7d91af929d65a74
SHA1 93b8ac81fcb91d21ac977f88d2aab651ffd067a7
SHA256 b08aa7f1593c983cfa843c59ce4eb81dbbf2cac545189b6cd360c01194c9397f
SHA512 91875e3c165f4680802c172186382e5743614df2fb3747b969961d178aec7c26f3f1d15d48a8dc23f533252ff2d76cc09d2559dc4733f701b7366c90d45fb58d

C:\Windows\System\PJCTEal.exe

MD5 10ebb500667c928565573338967a7f16
SHA1 eed4a1daa040cc09b6e178fb8b9f0632df67f655
SHA256 c15126988090d60a4ba5f6b3e5d1b9de7154072ab01e8024b7255bff272160ec
SHA512 adfd102b3ea2a15a040b418e2ef54d34510a9553a1d28d29e476b4d4f2508c13f69e6b9f3412da25edda7dbbb01c38d2ef286e5b7062380e641eb7b373468734

C:\Windows\System\VygErWU.exe

MD5 4aeef3d9d0d2288a035409458063b8f6
SHA1 a28576bf27528dbf2cb6a6792a1e09557c5892a6
SHA256 f67a3e1ce7f7c625719c1dfed64373263c7ba9349ad68249ab14d05e8b49de99
SHA512 c27cfe789140a57447daf1876c35105e94dbdf8b9f28d5b6a5e73e1bf82e49aeac7c87fd7050c72f5dfc3ff0ad0940d35dc9142fc330ff5b8f105b9d5fffe3b3

C:\Windows\System\vGPdvRs.exe

MD5 940a101e653a1fb34d1e026d33103eae
SHA1 4bce5fe88a73cee05abec7cd2f411826b23c9f14
SHA256 6ecf99c942344facd0695e917b462af53bcc56004d350b8e7cd3f08bd90d08e4
SHA512 1d418b482cc6720673074eec584bc928f34afe17dec706eb48e2451db68f21f82644a310d110d8ae2f03bc492c03ef5ce2503dc1b9366b2b96f01025da0769d8

C:\Windows\System\mYswDrE.exe

MD5 c67420bde789ceb1d2839141fd9865b2
SHA1 7aa8ae936d2dfabce002df6ce7e8b9f66d23b30c
SHA256 f50c47cc464155c051ea542ef0fc34314abf2029c0bbee1e71414008426c0dd7
SHA512 06889390638f8f75127f6107aa41eb9ec316f650fb91eeda596fdcfd252b2d5858558c7281dea08fc38049a50d0eefe1fc9e5e0c69e83c22b6dd3959881c0543

C:\Windows\System\gJVxpow.exe

MD5 c4a42e9acdd909122d424709ac2b6a02
SHA1 16d10a7be562ab042e90725b2e5758a55f783d12
SHA256 1039823edaf20b166affcf493c85fe0e85099bfec8b37cec29fb7d17676958e2
SHA512 b292597a19e6736b381e1f2f1cf4dbd91712c1573305092c2b5f840eee94152645d62761f12b7b79328f4a8f0160ed096b87d1c319b69e200d01dbe8b557de9e

C:\Windows\System\wFMVOmh.exe

MD5 e661ece5f7a8739fdedaecc77347f71e
SHA1 4c9e7cb9cb2b86c730a159c701636471ec44de4a
SHA256 bb175f3027219f4e31e3fc043a4d83ad556de668609edeb16ec5139677b14efd
SHA512 a321a90b7f6c529728a5aac9455b659837d407aa20f743b2ec3dcb9ba26f09784cf3f70cfd99d019d296b84bc16eec179a4057ce02a7cc80649b487d8349429c

memory/2208-119-0x00007FF60DE50000-0x00007FF60E1A1000-memory.dmp

memory/4864-115-0x00007FF684AD0000-0x00007FF684E21000-memory.dmp

memory/5056-120-0x00007FF6AC7B0000-0x00007FF6ACB01000-memory.dmp

memory/3904-125-0x00007FF6FF9C0000-0x00007FF6FFD11000-memory.dmp

memory/2072-132-0x00007FF681020000-0x00007FF681371000-memory.dmp

memory/4644-133-0x00007FF657890000-0x00007FF657BE1000-memory.dmp

memory/2852-136-0x00007FF70A4B0000-0x00007FF70A801000-memory.dmp

memory/5072-135-0x00007FF6922E0000-0x00007FF692631000-memory.dmp

memory/2944-134-0x00007FF67C560000-0x00007FF67C8B1000-memory.dmp

memory/940-131-0x00007FF725100000-0x00007FF725451000-memory.dmp

memory/1492-130-0x00007FF79A170000-0x00007FF79A4C1000-memory.dmp

memory/1240-129-0x00007FF6EAA50000-0x00007FF6EADA1000-memory.dmp

memory/3912-128-0x00007FF7EFA00000-0x00007FF7EFD51000-memory.dmp

memory/4488-126-0x00007FF7B88F0000-0x00007FF7B8C41000-memory.dmp

memory/4228-124-0x00007FF7E1070000-0x00007FF7E13C1000-memory.dmp

memory/1072-123-0x00007FF6BF560000-0x00007FF6BF8B1000-memory.dmp

memory/1364-127-0x00007FF6E1260000-0x00007FF6E15B1000-memory.dmp

memory/3780-118-0x00007FF75A340000-0x00007FF75A691000-memory.dmp

memory/3052-117-0x00007FF7EA1C0000-0x00007FF7EA511000-memory.dmp

memory/4604-116-0x00007FF64D510000-0x00007FF64D861000-memory.dmp

memory/4864-137-0x00007FF684AD0000-0x00007FF684E21000-memory.dmp

memory/4864-141-0x00007FF684AD0000-0x00007FF684E21000-memory.dmp

memory/4604-187-0x00007FF64D510000-0x00007FF64D861000-memory.dmp

memory/3052-189-0x00007FF7EA1C0000-0x00007FF7EA511000-memory.dmp

memory/3780-191-0x00007FF75A340000-0x00007FF75A691000-memory.dmp

memory/2208-194-0x00007FF60DE50000-0x00007FF60E1A1000-memory.dmp

memory/5056-197-0x00007FF6AC7B0000-0x00007FF6ACB01000-memory.dmp

memory/4944-199-0x00007FF7C8C30000-0x00007FF7C8F81000-memory.dmp

memory/3964-201-0x00007FF70EA30000-0x00007FF70ED81000-memory.dmp

memory/1072-203-0x00007FF6BF560000-0x00007FF6BF8B1000-memory.dmp

memory/4228-205-0x00007FF7E1070000-0x00007FF7E13C1000-memory.dmp

memory/3904-207-0x00007FF6FF9C0000-0x00007FF6FFD11000-memory.dmp

memory/4488-209-0x00007FF7B88F0000-0x00007FF7B8C41000-memory.dmp

memory/1364-214-0x00007FF6E1260000-0x00007FF6E15B1000-memory.dmp

memory/3912-212-0x00007FF7EFA00000-0x00007FF7EFD51000-memory.dmp

memory/1240-217-0x00007FF6EAA50000-0x00007FF6EADA1000-memory.dmp

memory/940-219-0x00007FF725100000-0x00007FF725451000-memory.dmp

memory/1492-215-0x00007FF79A170000-0x00007FF79A4C1000-memory.dmp

memory/5072-224-0x00007FF6922E0000-0x00007FF692631000-memory.dmp

memory/4644-228-0x00007FF657890000-0x00007FF657BE1000-memory.dmp

memory/2072-229-0x00007FF681020000-0x00007FF681371000-memory.dmp

memory/2944-226-0x00007FF67C560000-0x00007FF67C8B1000-memory.dmp

memory/2852-221-0x00007FF70A4B0000-0x00007FF70A801000-memory.dmp
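The dump names in this section encode PID, sequence number and the mapped address range, and the WriteProcessMemory table earlier in this run pairs the sample's PID 4864 with every child it launched. Joining the two tells you which dropped executable each dump belongs to and how large each mapped region is; every code region here spans 0x351000 bytes, in the sample and in each child alike, even though the on-disk hashes of the dropped files all differ. The script below is an added example, not tooling from the report or the sandbox; its inputs are rows copied from this run (three of the twenty children, with the long sample path abbreviated to sample.exe).

```python
import re
from collections import Counter

# Rows from "Suspicious use of WriteProcessMemory" (the report lists each
# parent/child pair twice; one copy is enough to recover the process tree).
WPM_ROWS = r"""
PID 4864 wrote to memory of 4604 N/A C:\Users\Admin\AppData\Local\Temp\sample.exe C:\Windows\System\rmxbXiP.exe
PID 4864 wrote to memory of 3052 N/A C:\Users\Admin\AppData\Local\Temp\sample.exe C:\Windows\System\zYDHukJ.exe
PID 4864 wrote to memory of 3780 N/A C:\Users\Admin\AppData\Local\Temp\sample.exe C:\Windows\System\iVGwsKX.exe
"""

# Dump names from the "Files" section: memory/<pid>-<seq>-<start>-<end>-memory.dmp
DUMP_NAMES = """
memory/4864-0-0x00007FF684AD0000-0x00007FF684E21000-memory.dmp
memory/4864-1-0x000002642A080000-0x000002642A090000-memory.dmp
memory/4604-8-0x00007FF64D510000-0x00007FF64D861000-memory.dmp
memory/3052-13-0x00007FF7EA1C0000-0x00007FF7EA511000-memory.dmp
memory/3780-20-0x00007FF75A340000-0x00007FF75A691000-memory.dmp
memory/4604-187-0x00007FF64D510000-0x00007FF64D861000-memory.dmp
"""

WPM_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) \S+ (\S+) (\S+)$")
DUMP_RE = re.compile(r"memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp")


def parse_process_tree(rows):
    """child PID -> (parent PID, parent image, child image)."""
    tree = {}
    for line in rows.splitlines():
        m = WPM_RE.match(line.strip())
        if m:
            parent, child, parent_img, child_img = m.groups()
            tree[int(child)] = (int(parent), parent_img, child_img)
    return tree


def parse_dumps(names):
    """One dict per dump: pid, seq, start, end and mapped size in bytes."""
    dumps = []
    for m in DUMP_RE.finditer(names):
        pid, seq, start, end = m.groups()
        start, end = int(start, 16), int(end, 16)
        dumps.append({"pid": int(pid), "seq": int(seq), "start": start,
                      "end": end, "size": end - start})
    return dumps


def attribute_dumps(dumps, tree):
    """Label each dump with the image that owns its PID.

    The submitted sample never appears as a child, so it is recognised as
    the parent named in the tree rows.
    """
    roots = {parent: parent_img for parent, parent_img, _ in tree.values()}
    for d in dumps:
        if d["pid"] in tree:
            d["image"] = tree[d["pid"]][2]
        elif d["pid"] in roots:
            d["image"] = roots[d["pid"]]
        else:
            d["image"] = "unknown"
    return dumps


def distinct_regions(dumps):
    """Collapse repeated dumps of the same region (same PID and range, later seq)."""
    seen = {}
    for d in dumps:
        seen.setdefault((d["pid"], d["start"], d["end"]), d)
    return list(seen.values())


def size_histogram(regions):
    """How many distinct regions share each mapped size."""
    return Counter(r["size"] for r in regions)


if __name__ == "__main__":
    regions = distinct_regions(attribute_dumps(parse_dumps(DUMP_NAMES),
                                               parse_process_tree(WPM_ROWS)))
    for r in regions:
        print(f"pid {r['pid']:>5} {r['image']:<45} 0x{r['start']:016X} size 0x{r['size']:X}")
    print(size_histogram(regions))
```

Run against the full Files section, the same code attributes all twenty children; the second dump of PID 4604 (seq 187) is the same region captured again later in the run, which is why distinct regions rather than raw dump count is the number to compare across PIDs.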