Malware Analysis Report

2025-03-15 08:10

Sample ID 240530-a8r8rahc79
Target 2024-05-30_6df242552618a750c61992e66bd84953_cobalt-strike_cobaltstrike
SHA256 543b85479fbc8e3b320e67067ab80ac0797b14b250460fc4e9f4017c6aa4b3f6
Tags
cobaltstrike xmrig 0 backdoor miner trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

543b85479fbc8e3b320e67067ab80ac0797b14b250460fc4e9f4017c6aa4b3f6

Threat Level: Known bad

The file 2024-05-30_6df242552618a750c61992e66bd84953_cobalt-strike_cobaltstrike was found to be: Known bad.

Malicious Activity Summary

cobaltstrike xmrig 0 backdoor miner trojan upx

Detects Reflective DLL injection artifacts

Cobaltstrike family

UPX dump on OEP (original entry point)

XMRig Miner payload

Cobaltstrike

xmrig

Xmrig family

Cobalt Strike reflective loader

UPX packed file

Executes dropped EXE

Loads dropped DLL

Drops file in Windows directory

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-05-30 00:53

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike family

cobaltstrike

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Xmrig family

xmrig

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
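The static1 signatures above ("UPX packed file", "Unsigned PE") are header-level checks that can be reproduced without running the sample. The following Python is an added example, not the sandbox's own detection code: it parses just enough of the PE header to list section names and find the section that holds the entry point (a stock UPX build names its sections UPX0/UPX1 and places the entry point in the UPX1 stub), and reads the security data directory, whose size is zero when no Authenticode signature is embedded. The two images it inspects are constructed in memory, not the sample's bytes. Two caveats worth keeping in mind: packers are routinely rebuilt with renamed sections, so section names are only a hint (the runtime "UPX dump on OEP" signature exists precisely because the unpacked image is what matters), and a non-empty security directory only proves a certificate table is present; catalog-signed files show as unsigned here, and a present signature still has to be validated.

```python
"""Static checks behind the 'UPX packed file' and 'Unsigned PE' signatures.

Added example (not the sandbox's code). Parses the PE header far enough to
report section names, the section holding AddressOfEntryPoint, and whether
an Authenticode certificate table is embedded. Test images are constructed.
"""
import struct
from typing import Dict, List, Tuple

IMAGE_DIRECTORY_ENTRY_SECURITY = 4
UPX_SECTION_NAMES = {"UPX0", "UPX1", "UPX2"}


def parse_pe(data: bytes) -> Dict:
    """Return machine, entry RVA, section table and security directory size."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    machine, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    if magic == 0x10B:        # PE32
        ndirs_off, dirs_off = 92, 96
    elif magic == 0x20B:      # PE32+
        ndirs_off, dirs_off = 108, 112
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    ndirs = struct.unpack_from("<I", data, opt + ndirs_off)[0]
    sec_size = 0
    if ndirs > IMAGE_DIRECTORY_ENTRY_SECURITY:
        _, sec_size = struct.unpack_from(
            "<II", data, opt + dirs_off + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)
    sections: List[Tuple[str, int, int, int]] = []
    hdr = opt + opt_size
    for i in range(nsections):
        # IMAGE_SECTION_HEADER: Name, VirtualSize, VirtualAddress, SizeOfRawData, ...
        name, vsize, va, rawsize = struct.unpack_from("<8sIII", data, hdr + 40 * i)
        sections.append((name.rstrip(b"\0").decode("latin-1"), va, vsize, rawsize))
    return {"machine": machine, "entry_rva": entry_rva,
            "sections": sections, "security_size": sec_size}


def entry_section(info: Dict) -> str:
    """Name of the section containing AddressOfEntryPoint, or '' if none does."""
    rva = info["entry_rva"]
    for name, va, vsize, rawsize in info["sections"]:
        if va <= rva < va + max(vsize, rawsize):
            return name
    return ""


def triage(data: bytes) -> Dict[str, object]:
    """The two static verdicts: UPX-style section layout, embedded signature."""
    info = parse_pe(data)
    names = {s[0] for s in info["sections"]}
    return {
        "upx_sections": bool(names & UPX_SECTION_NAMES),
        "entry_section": entry_section(info),
        # Non-zero security directory means a certificate table is present;
        # validating it needs WinVerifyTrust or an Authenticode parser.
        "embedded_signature": info["security_size"] > 0,
    }


def build_pe(section_names: List[str], entry_rva: int, signed: bool = False) -> bytes:
    """Construct a minimal PE32+ header (headers only, no code) for the demo."""
    opt_size = 240
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                      # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x8664, len(section_names), 0, 0, 0, opt_size, 0x22)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B)                      # PE32+ magic
    struct.pack_into("<I", opt, 16, entry_rva)                 # AddressOfEntryPoint
    struct.pack_into("<I", opt, 108, 16)                       # NumberOfRvaAndSizes
    if signed:                                                 # fake certificate table
        struct.pack_into("<II", opt, 112 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY, 0x1000, 0x200)
    headers = b""
    va = 0x1000
    for name in section_names:
        raw = 0 if name == "UPX0" else 0x200   # UPX0 is the empty unpack destination
        headers += struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"),
                               0x1000, va, raw, 0x400, 0, 0, 0, 0, 0x60000020)
        va += 0x1000
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + headers


UPX_STYLE = build_pe(["UPX0", "UPX1", ".rsrc"], entry_rva=0x2010)           # constructed
PLAIN_SIGNED = build_pe([".text", ".rdata", ".data"], entry_rva=0x1000, signed=True)

if __name__ == "__main__":
    print("upx-style   :", triage(UPX_STYLE))
    print("plain signed:", triage(PLAIN_SIGNED))
```

Run it on a real file with triage(open(path, "rb").read()); for the sample above the expected verdict is UPX-style sections with no embedded signature, which is exactly what the static1 row pair says.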

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-30 00:53

Reported

2024-05-30 00:55

Platform

win7-20240419-en

Max time kernel

144s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-05-30_6df242552618a750c61992e66bd84953_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
21 rows, all N/A (indicator details not captured in this export)

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
21 rows, all N/A (indicator details not captured in this export)

UPX dump on OEP (original entry point)

Description Indicator Process Target
64 rows, all N/A (indicator details not captured in this export)

XMRig Miner payload

miner
Description Indicator Process Target
43 rows, all N/A (indicator details not captured in this export)

Loads dropped DLL

Description Indicator Process Target
21 rows; Process is C:\Users\Admin\AppData\Local\Temp\2024-05-30_6df242552618a750c61992e66bd84953_cobalt-strike_cobaltstrike.exe on every row; Description, Indicator and Target N/A

UPX packed file

upx
Description Indicator Process Target
64 rows, all N/A (indicator details not captured in this export)

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\IhaOUjI.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_6df242552618a750c61992e66bd84953_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\QMNrVNM.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_6df242552618a750c61992e66bd84953_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\bWkPnse.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_6df242552618a750c61992e66bd84953_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\vcbAizs.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_6df242552618a750c61992e66bd84953_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\GOClcpn.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_6df242552618a750c61992e66bd84953_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\wpbBuuI.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_6df242552618a750c61992e66bd84953_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\RmIeUPp.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_6df242552618a750c61992e66bd84953_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\aJTJnbj.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_6df242552618a750c61992e66bd84953_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\hzceCYV.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_6df242552618a750c61992e66bd84953_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\qwoZdjI.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_6df242552618a750c61992e66bd84953_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ilQYZBa.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_6df242552618a750c61992e66bd84953_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\TCvFjOJ.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_6df242552618a750c61992e66bd84953_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\vPJSPor.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_6df242552618a750c61992e66bd84953_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\DMpJtqP.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_6df242552618a750c61992e66bd84953_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ogJGYyk.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_6df242552618a750c61992e66bd84953_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\DWfVhlu.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_6df242552618a750c61992e66bd84953_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\zzUaMDT.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_6df242552618a750c61992e66bd84953_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\vYVFIki.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_6df242552618a750c61992e66bd84953_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\NgkkORv.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_6df242552618a750c61992e66bd84953_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ehcbxIQ.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_6df242552618a750c61992e66bd84953_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\WBAcUMA.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_6df242552618a750c61992e66bd84953_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_6df242552618a750c61992e66bd84953_cobalt-strike_cobaltstrike.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_6df242552618a750c61992e66bd84953_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 992 wrote to memory of 1956 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_6df242552618a750c61992e66bd84953_cobalt-strike_cobaltstrike.exe C:\Windows\System\DMpJtqP.exe
PID 992 wrote to memory of 1956 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_6df242552618a750c61992e66bd84953_cobalt-strike_cobaltstrike.exe C:\Windows\System\DMpJtqP.exe
PID 992 wrote to memory of 1956 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_6df242552618a750c61992e66bd84953_cobalt-strike_cobaltstrike.exe C:\Windows\System\DMpJtqP.exe
PID 992 wrote to memory of 2116 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_6df242552618a750c61992e66bd84953_cobalt-strike_cobaltstrike.exe C:\Windows\System\wpbBuuI.exe
PID 992 wrote to memory of 2116 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_6df242552618a750c61992e66bd84953_cobalt-strike_cobaltstrike.exe C:\Windows\System\wpbBuuI.exe
PID 992 wrote to memory of 2116 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_6df242552618a750c61992e66bd84953_cobalt-strike_cobaltstrike.exe C:\Windows\System\wpbBuuI.exe
PID 992 wrote to memory of 2500 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_6df242552618a750c61992e66bd84953_cobalt-strike_cobaltstrike.exe C:\Windows\System\WBAcUMA.exe
PID 992 wrote to memory of 2500 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_6df242552618a750c61992e66bd84953_cobalt-strike_cobaltstrike.exe C:\Windows\System\WBAcUMA.exe
PID 992 wrote to memory of 2500 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_6df242552618a750c61992e66bd84953_cobalt-strike_cobaltstrike.exe C:\Windows\System\WBAcUMA.exe
PID 992 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_6df242552618a750c61992e66bd84953_cobalt-strike_cobaltstrike.exe C:\Windows\System\RmIeUPp.exe
PID 992 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_6df242552618a750c61992e66bd84953_cobalt-strike_cobaltstrike.exe C:\Windows\System\RmIeUPp.exe
PID 992 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_6df242552618a750c61992e66bd84953_cobalt-strike_cobaltstrike.exe C:\Windows\System\RmIeUPp.exe
PID 992 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_6df242552618a750c61992e66bd84953_cobalt-strike_cobaltstrike.exe C:\Windows\System\ehcbxIQ.exe
PID 992 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_6df242552618a750c61992e66bd84953_cobalt-strike_cobaltstrike.exe C:\Windows\System\ehcbxIQ.exe
PID 992 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_6df242552618a750c61992e66bd84953_cobalt-strike_cobaltstrike.exe C:\Windows\System\ehcbxIQ.exe
PID 992 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_6df242552618a750c61992e66bd84953_cobalt-strike_cobaltstrike.exe C:\Windows\System\aJTJnbj.exe
PID 992 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_6df242552618a750c61992e66bd84953_cobalt-strike_cobaltstrike.exe C:\Windows\System\aJTJnbj.exe
PID 992 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_6df242552618a750c61992e66bd84953_cobalt-strike_cobaltstrike.exe C:\Windows\System\aJTJnbj.exe
PID 992 wrote to memory of 2728 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_6df242552618a750c61992e66bd84953_cobalt-strike_cobaltstrike.exe C:\Windows\System\IhaOUjI.exe
PID 992 wrote to memory of 2728 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_6df242552618a750c61992e66bd84953_cobalt-strike_cobaltstrike.exe C:\Windows\System\IhaOUjI.exe
PID 992 wrote to memory of 2728 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_6df242552618a750c61992e66bd84953_cobalt-strike_cobaltstrike.exe C:\Windows\System\IhaOUjI.exe
PID 992 wrote to memory of 1888 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_6df242552618a750c61992e66bd84953_cobalt-strike_cobaltstrike.exe C:\Windows\System\hzceCYV.exe
PID 992 wrote to memory of 1888 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_6df242552618a750c61992e66bd84953_cobalt-strike_cobaltstrike.exe C:\Windows\System\hzceCYV.exe
PID 992 wrote to memory of 1888 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_6df242552618a750c61992e66bd84953_cobalt-strike_cobaltstrike.exe C:\Windows\System\hzceCYV.exe
PID 992 wrote to memory of 2420 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_6df242552618a750c61992e66bd84953_cobalt-strike_cobaltstrike.exe C:\Windows\System\qwoZdjI.exe
PID 992 wrote to memory of 2420 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_6df242552618a750c61992e66bd84953_cobalt-strike_cobaltstrike.exe C:\Windows\System\qwoZdjI.exe
PID 992 wrote to memory of 2420 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_6df242552618a750c61992e66bd84953_cobalt-strike_cobaltstrike.exe C:\Windows\System\qwoZdjI.exe
PID 992 wrote to memory of 2580 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_6df242552618a750c61992e66bd84953_cobalt-strike_cobaltstrike.exe C:\Windows\System\ilQYZBa.exe
PID 992 wrote to memory of 2580 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_6df242552618a750c61992e66bd84953_cobalt-strike_cobaltstrike.exe C:\Windows\System\ilQYZBa.exe
PID 992 wrote to memory of 2580 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_6df242552618a750c61992e66bd84953_cobalt-strike_cobaltstrike.exe C:\Windows\System\ilQYZBa.exe
PID 992 wrote to memory of 2932 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_6df242552618a750c61992e66bd84953_cobalt-strike_cobaltstrike.exe C:\Windows\System\TCvFjOJ.exe
PID 992 wrote to memory of 2932 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_6df242552618a750c61992e66bd84953_cobalt-strike_cobaltstrike.exe C:\Windows\System\TCvFjOJ.exe
PID 992 wrote to memory of 2932 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_6df242552618a750c61992e66bd84953_cobalt-strike_cobaltstrike.exe C:\Windows\System\TCvFjOJ.exe
PID 992 wrote to memory of 2664 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_6df242552618a750c61992e66bd84953_cobalt-strike_cobaltstrike.exe C:\Windows\System\vPJSPor.exe
PID 992 wrote to memory of 2664 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_6df242552618a750c61992e66bd84953_cobalt-strike_cobaltstrike.exe C:\Windows\System\vPJSPor.exe
PID 992 wrote to memory of 2664 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_6df242552618a750c61992e66bd84953_cobalt-strike_cobaltstrike.exe C:\Windows\System\vPJSPor.exe
PID 992 wrote to memory of 2508 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_6df242552618a750c61992e66bd84953_cobalt-strike_cobaltstrike.exe C:\Windows\System\QMNrVNM.exe
PID 992 wrote to memory of 2508 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_6df242552618a750c61992e66bd84953_cobalt-strike_cobaltstrike.exe C:\Windows\System\QMNrVNM.exe
PID 992 wrote to memory of 2508 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_6df242552618a750c61992e66bd84953_cobalt-strike_cobaltstrike.exe C:\Windows\System\QMNrVNM.exe
PID 992 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_6df242552618a750c61992e66bd84953_cobalt-strike_cobaltstrike.exe C:\Windows\System\vYVFIki.exe
PID 992 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_6df242552618a750c61992e66bd84953_cobalt-strike_cobaltstrike.exe C:\Windows\System\vYVFIki.exe
PID 992 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_6df242552618a750c61992e66bd84953_cobalt-strike_cobaltstrike.exe C:\Windows\System\vYVFIki.exe
PID 992 wrote to memory of 2068 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_6df242552618a750c61992e66bd84953_cobalt-strike_cobaltstrike.exe C:\Windows\System\bWkPnse.exe
PID 992 wrote to memory of 2068 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_6df242552618a750c61992e66bd84953_cobalt-strike_cobaltstrike.exe C:\Windows\System\bWkPnse.exe
PID 992 wrote to memory of 2068 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_6df242552618a750c61992e66bd84953_cobalt-strike_cobaltstrike.exe C:\Windows\System\bWkPnse.exe
PID 992 wrote to memory of 1536 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_6df242552618a750c61992e66bd84953_cobalt-strike_cobaltstrike.exe C:\Windows\System\zzUaMDT.exe
PID 992 wrote to memory of 1536 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_6df242552618a750c61992e66bd84953_cobalt-strike_cobaltstrike.exe C:\Windows\System\zzUaMDT.exe
PID 992 wrote to memory of 1536 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_6df242552618a750c61992e66bd84953_cobalt-strike_cobaltstrike.exe C:\Windows\System\zzUaMDT.exe
PID 992 wrote to memory of 1628 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_6df242552618a750c61992e66bd84953_cobalt-strike_cobaltstrike.exe C:\Windows\System\ogJGYyk.exe
PID 992 wrote to memory of 1628 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_6df242552618a750c61992e66bd84953_cobalt-strike_cobaltstrike.exe C:\Windows\System\ogJGYyk.exe
PID 992 wrote to memory of 1628 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_6df242552618a750c61992e66bd84953_cobalt-strike_cobaltstrike.exe C:\Windows\System\ogJGYyk.exe
PID 992 wrote to memory of 1552 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_6df242552618a750c61992e66bd84953_cobalt-strike_cobaltstrike.exe C:\Windows\System\NgkkORv.exe
PID 992 wrote to memory of 1552 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_6df242552618a750c61992e66bd84953_cobalt-strike_cobaltstrike.exe C:\Windows\System\NgkkORv.exe
PID 992 wrote to memory of 1552 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_6df242552618a750c61992e66bd84953_cobalt-strike_cobaltstrike.exe C:\Windows\System\NgkkORv.exe
PID 992 wrote to memory of 1012 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_6df242552618a750c61992e66bd84953_cobalt-strike_cobaltstrike.exe C:\Windows\System\vcbAizs.exe
PID 992 wrote to memory of 1012 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_6df242552618a750c61992e66bd84953_cobalt-strike_cobaltstrike.exe C:\Windows\System\vcbAizs.exe
PID 992 wrote to memory of 1012 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_6df242552618a750c61992e66bd84953_cobalt-strike_cobaltstrike.exe C:\Windows\System\vcbAizs.exe
PID 992 wrote to memory of 2380 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_6df242552618a750c61992e66bd84953_cobalt-strike_cobaltstrike.exe C:\Windows\System\GOClcpn.exe
PID 992 wrote to memory of 2380 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_6df242552618a750c61992e66bd84953_cobalt-strike_cobaltstrike.exe C:\Windows\System\GOClcpn.exe
PID 992 wrote to memory of 2380 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_6df242552618a750c61992e66bd84953_cobalt-strike_cobaltstrike.exe C:\Windows\System\GOClcpn.exe
PID 992 wrote to memory of 1304 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_6df242552618a750c61992e66bd84953_cobalt-strike_cobaltstrike.exe C:\Windows\System\DWfVhlu.exe
PID 992 wrote to memory of 1304 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_6df242552618a750c61992e66bd84953_cobalt-strike_cobaltstrike.exe C:\Windows\System\DWfVhlu.exe
PID 992 wrote to memory of 1304 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_6df242552618a750c61992e66bd84953_cobalt-strike_cobaltstrike.exe C:\Windows\System\DWfVhlu.exe
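Taken together, the three tables above describe one parent (PID 992) writing 21 seven-letter executables into C:\Windows\System (the legacy directory beside System32, writable only with administrative rights) and then starting each of them, while also requesting SeLockMemoryPrivilege. Two points a practitioner should read into this. First, the three "wrote to memory" rows per child are typically what CreateProcess itself produces when it sets up a new process, so on their own they show the spawn rather than code injection; the drop-and-execute pattern is the stronger signal. Second, SeLockMemoryPrivilege is the right XMRig asks for so it can back its RandomX memory with large pages, which is why a miner verdict goes with that row; the same right is legitimately requested by a few server products (SQL Server is the common one), so it needs an allowlist rather than a blanket alert. The Python below is an added example, not sandbox output: it runs both detections over a constructed event list modelled on the rows above plus benign noise, and the seven-letter naming pattern and the allowlist are assumptions for this family and this environment.

```python
"""Detection logic for the drop-and-execute pattern and the privilege request.

Added example, not sandbox output. EVENTS is constructed to mirror the report's
rows (file creates under C:\\Windows\\System, process creates of those files,
a SeLockMemoryPrivilege request) plus benign activity that must not alert.
"""
import re
from collections import defaultdict
from typing import Dict, List, Set, Tuple

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\sample.exe"   # stands in for the long sample path

# (event type, pid, image, target) -- constructed, modelled on the signature rows.
EVENTS: List[Tuple[str, int, str, str]] = [
    ("FileCreate", 992, SAMPLE, r"C:\Windows\System\IhaOUjI.exe"),
    ("FileCreate", 992, SAMPLE, r"C:\Windows\System\QMNrVNM.exe"),
    ("FileCreate", 992, SAMPLE, r"C:\Windows\System\bWkPnse.exe"),
    ("FileCreate", 992, SAMPLE, r"C:\Windows\System\DMpJtqP.exe"),
    ("ProcessCreate", 992, SAMPLE, r"C:\Windows\System\DMpJtqP.exe"),
    ("ProcessCreate", 992, SAMPLE, r"C:\Windows\System\IhaOUjI.exe"),
    ("ProcessCreate", 992, SAMPLE, r"C:\Windows\System\QMNrVNM.exe"),
    ("PrivilegeAdjust", 992, SAMPLE, "SeLockMemoryPrivilege"),
    # Benign noise: an installer writing one helper under Program Files, and
    # SQL Server legitimately asking for SeLockMemoryPrivilege (large pages).
    ("FileCreate", 4100, r"C:\Users\Admin\Downloads\setup.exe", r"C:\Program Files\Tool\helper.exe"),
    ("ProcessCreate", 4100, r"C:\Users\Admin\Downloads\setup.exe", r"C:\Program Files\Tool\helper.exe"),
    ("PrivilegeAdjust", 1300, r"C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe",
     "SeLockMemoryPrivilege"),
]

# Drops in this sample are seven mixed-case letters directly under C:\Windows\System
# (not System32); assumed naming pattern for this family.
RANDOM_SYSTEM_DROP = re.compile(r"^C:\\Windows\\System\\[A-Za-z]{7}\.exe$", re.IGNORECASE)

# Images that request SeLockMemoryPrivilege for a legitimate reason (large-page
# allocations). Assumed allowlist; build it from your own baseline.
LOCK_MEMORY_ALLOWLIST = {"sqlservr.exe"}


def find_droppers(events, min_drops: int = 3) -> Dict[int, List[str]]:
    """{pid: sorted dropped paths} for parents that wrote at least `min_drops`
    random-named executables into C:\\Windows\\System and ran at least one."""
    created: Dict[int, Set[str]] = defaultdict(set)
    executed: Dict[int, Set[str]] = defaultdict(set)
    for kind, pid, _image, target in events:
        if kind == "FileCreate" and RANDOM_SYSTEM_DROP.match(target):
            created[pid].add(target.lower())
        elif kind == "ProcessCreate":
            executed[pid].add(target.lower())
    hits: Dict[int, List[str]] = {}
    for pid, paths in created.items():
        if len(paths) >= min_drops and paths & executed[pid]:
            hits[pid] = sorted(paths)
    return hits


def find_lock_memory_requests(events) -> Dict[int, str]:
    """{pid: image} for non-allowlisted processes requesting SeLockMemoryPrivilege,
    the right XMRig needs to allocate large pages for its RandomX memory."""
    hits: Dict[int, str] = {}
    for kind, pid, image, target in events:
        if kind == "PrivilegeAdjust" and target == "SeLockMemoryPrivilege":
            if image.rsplit("\\", 1)[-1].lower() not in LOCK_MEMORY_ALLOWLIST:
                hits[pid] = image
    return hits


if __name__ == "__main__":
    for pid, paths in find_droppers(EVENTS).items():
        print(f"dropper pid={pid} wrote and ran {len(paths)} files in C:\\Windows\\System")
    for pid, image in find_lock_memory_requests(EVENTS).items():
        print(f"SeLockMemoryPrivilege requested by pid={pid} image={image}")
```

Feeding real telemetry means mapping Sysmon event IDs 11 (FileCreate) and 1 (ProcessCreate), or Security event 4703 for the privilege adjustment, onto the same four-tuple; the rule logic does not change.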

Processes

C:\Users\Admin\AppData\Local\Temp\2024-05-30_6df242552618a750c61992e66bd84953_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-05-30_6df242552618a750c61992e66bd84953_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\DMpJtqP.exe

C:\Windows\System\DMpJtqP.exe

C:\Windows\System\wpbBuuI.exe

C:\Windows\System\wpbBuuI.exe

C:\Windows\System\WBAcUMA.exe

C:\Windows\System\WBAcUMA.exe

C:\Windows\System\RmIeUPp.exe

C:\Windows\System\RmIeUPp.exe

C:\Windows\System\ehcbxIQ.exe

C:\Windows\System\ehcbxIQ.exe

C:\Windows\System\aJTJnbj.exe

C:\Windows\System\aJTJnbj.exe

C:\Windows\System\IhaOUjI.exe

C:\Windows\System\IhaOUjI.exe

C:\Windows\System\hzceCYV.exe

C:\Windows\System\hzceCYV.exe

C:\Windows\System\qwoZdjI.exe

C:\Windows\System\qwoZdjI.exe

C:\Windows\System\ilQYZBa.exe

C:\Windows\System\ilQYZBa.exe

C:\Windows\System\TCvFjOJ.exe

C:\Windows\System\TCvFjOJ.exe

C:\Windows\System\vPJSPor.exe

C:\Windows\System\vPJSPor.exe

C:\Windows\System\QMNrVNM.exe

C:\Windows\System\QMNrVNM.exe

C:\Windows\System\vYVFIki.exe

C:\Windows\System\vYVFIki.exe

C:\Windows\System\bWkPnse.exe

C:\Windows\System\bWkPnse.exe

C:\Windows\System\zzUaMDT.exe

C:\Windows\System\zzUaMDT.exe

C:\Windows\System\ogJGYyk.exe

C:\Windows\System\ogJGYyk.exe

C:\Windows\System\NgkkORv.exe

C:\Windows\System\NgkkORv.exe

C:\Windows\System\vcbAizs.exe

C:\Windows\System\vcbAizs.exe

C:\Windows\System\GOClcpn.exe

C:\Windows\System\GOClcpn.exe

C:\Windows\System\DWfVhlu.exe

C:\Windows\System\DWfVhlu.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 tcp (6 identical connections; Domain column empty)

Files

memory/992-0-0x000000013F220000-0x000000013F571000-memory.dmp

memory/992-1-0x00000000000F0000-0x0000000000100000-memory.dmp

\Windows\system\DMpJtqP.exe

MD5 aeccd4a4f0ae439b958952c8ccbbe005
SHA1 2835f945cdb76fb4f245f6eed1c83cf1647e7a23
SHA256 4f9ad93d47c9b2b205c776c306b0c2ecbe4bea042d0ba6d1a57880046305442f
SHA512 1583b89ff77334f5e16470d3fed8bdfa062c94004e69892b954f2d42f704bd880bfa97997477995f6a9ace1f2accea73230351775a72ef8534e545b1c1d3c562

memory/1956-8-0x000000013F650000-0x000000013F9A1000-memory.dmp

\Windows\system\WBAcUMA.exe

MD5 fd32ed578e79e8fadebd7b55f02b6e8a
SHA1 fbe963f9b8b1c2fa8af8d0c56adec11354fe7e38
SHA256 07f1c544d0be907c26c7eef59bf0795531f1d289580b5daab3f184eff82ca8de
SHA512 19df503eb08fb583e697d48a714960fc03c4a695cb37785244c6b7a3b1a786fcfa32437ddc6a4011bdeedf1fccde2baf0268aa7ca167d6c2dc0e405b62b1741e

C:\Windows\system\wpbBuuI.exe

MD5 9e52f44c9f4d5c5fe602ab9e762b9193
SHA1 e429a1f0687ace77b7207403607c23ec63b43388
SHA256 feaf3ae5aecd60658d36e9ed091c69062e1f9985123071c5564d9a3b25e6475f
SHA512 ffb04e758f8be948c3b0d70464962c5b274b1f0beded8907b989c9e00a5630e8e624c473071a58d33c866cd4b1b775174fb536961d25b641fa69baaca699ec30

memory/992-21-0x0000000002350000-0x00000000026A1000-memory.dmp

memory/2500-20-0x000000013F270000-0x000000013F5C1000-memory.dmp

memory/2116-19-0x000000013FBD0000-0x000000013FF21000-memory.dmp

memory/992-35-0x000000013FD70000-0x00000001400C1000-memory.dmp

\Windows\system\aJTJnbj.exe

MD5 579aa55db55f271fd9e4716771db8006
SHA1 7f46f92af521bbb8571de85776faa8943d57847a
SHA256 49969a1e943227945445630a1b67b2a5f193e4533ae9ad686c2f5b804686db35
SHA512 443568a45f769e5b582a297fba425d0f1f4253c03edec50130b1ae83c99a721eecf03aca87712e9b8a1d36f4241358037c6d3e71878af91304693c90cb996cfb

C:\Windows\system\RmIeUPp.exe

MD5 fc37771ba51ca9178307ac548a31945e
SHA1 dd1f5a053dda0e785e09e80ecfe1b8d3935496d5
SHA256 62e29d2f969c85e91d469a5919839780d605601314dc8919faa79da136e43819
SHA512 9415f4287c27662323ee549891c20f8dc927cd07e638cb6dc63cc591415b757a76a28446e1b9d40af60cc9a4639a77c80d15e823e660a94bf3663135453e7e86

\Windows\system\IhaOUjI.exe

MD5 462fa7e50e17feeeef7851e7b76cf35f
SHA1 12758966eb5f8caec96fe634f793ce8a0751d102
SHA256 c5d41e6556f19f7d3d169af3db0103aa80161bdc73e8749a74dc65c72523d115
SHA512 0c1658b59e6ece29bea97d3ecc21b9d19c4baed77d1f10841b05ad3abadff2b9b720b9da6f28033295b2face139b78dbd7e269fbb41db46d0b5cd7a391e42099

memory/992-39-0x0000000002350000-0x00000000026A1000-memory.dmp

memory/2728-54-0x000000013F9F0000-0x000000013FD41000-memory.dmp

memory/992-57-0x0000000002350000-0x00000000026A1000-memory.dmp

memory/1888-55-0x000000013F530000-0x000000013F881000-memory.dmp

memory/1956-48-0x000000013F650000-0x000000013F9A1000-memory.dmp

memory/2676-45-0x000000013FD70000-0x00000001400C1000-memory.dmp

memory/2420-64-0x000000013F830000-0x000000013FB81000-memory.dmp

memory/2580-71-0x000000013FC40000-0x000000013FF91000-memory.dmp

\Windows\system\vYVFIki.exe

MD5 027d123d65de436aa8ed9d4776bafcd8
SHA1 6c04c08844aa5c7309edcfdba8002d4cc173812c
SHA256 3d8bbad238e69e31e52bfeac002da9ca5a984c2531ac4bf642a6c02910ad6316
SHA512 3f5e7dfc9977666872aa6ca8db3b35ecc2b55e461dc8a67a0dbcf59a159bdc966a31826a63fa7c49a92c921b0f5b3ca316dee418d8ffd1809c1d5402d5b6ce71

C:\Windows\system\zzUaMDT.exe

MD5 5eaf82e310a4b9e1b0eb03ef1f6deea8
SHA1 d2cf83abded6512e020dd90fc0db0f266a8f88cf
SHA256 2b8011c348b24fedbf91d2c8f9fe5906fdb761e8f58bd726817fe6c0dabc4689
SHA512 d95ffa617e8ff662d879bc01be3c25948252dd3afc7cb0696e6bd4ac59c44d211de8d7fbdfc842fc9bc550e9ccf1853a2c8826a94c0a1d9548ee73bda1bd8a3e

C:\Windows\system\NgkkORv.exe

MD5 cab809836acfb08f31429aa0b043a400
SHA1 9da8f59338b5e502bfb13a8fd25e05cddb3fb324
SHA256 4b1ad9ea4b1f5c4e1f9cad0ad9b66e9c6eab01d5758aebda78f843ea246de965
SHA512 e8dcd5b9bd1e44fecde6d4daa1c7b2c492cc05e6f68d6a321f971fa3357fb638438bef522c0693d0a259cd275e61a2c23a15475732b3eca672a06753ed4e545a

C:\Windows\system\vcbAizs.exe

MD5 339cde1b92a7d82167c95291ef530cb6
SHA1 f83f9a553d07905007a0567d44822e9c43b684db
SHA256 d5a1a2f6ccddfaf0ec8fb5937358e87cacfb9a1da7105808984a2d69f787c78a
SHA512 eddf242a47fcf68e7c7a2f91fb2e29e0f9c5d7820e01e58190a5d0e154dbf3a1ac688470e431eead07e636eb847e37c58292593c229e9b5189985d17d5dd5f1b

\Windows\system\DWfVhlu.exe

MD5 90ee4539d485723783893112f847c184
SHA1 a9cb3647848f466f6b5f06466eeb52ba3e7ab39e
SHA256 754393812623612068e5d93b4a9e2017315d642bbb1a39365d86fef3b5f782d1
SHA512 680837ee0ab09752752307927f0f969cde6a3c88328ca0e03fe094113258793c88704a0e879695a8d3d7f57ed9c682111aecc2d35f2a21e511ee924db43dfdf9

C:\Windows\system\GOClcpn.exe

MD5 9e3dd12dad968fa060a640055a3ccb85
SHA1 610a7c93c136818eaa310391f39fde5ee69e9e8c
SHA256 59a4586fa9300bcfe7de26e3da33abfb57489d60d01c5b55135bf92fab3fb007

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-30 00:53

Reported

2024-05-30 00:55

Platform

win10v2004-20240426-en

Max time kernel

141s

Max time network

146s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-05-30_6df242552618a750c61992e66bd84953_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\FsbHeWD.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_6df242552618a750c61992e66bd84953_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\kgfoKJK.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_6df242552618a750c61992e66bd84953_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\auMFqHO.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_6df242552618a750c61992e66bd84953_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\HpSpMRI.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_6df242552618a750c61992e66bd84953_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\SKYyMZJ.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_6df242552618a750c61992e66bd84953_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\CLZgiGD.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_6df242552618a750c61992e66bd84953_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\pWbWWJE.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_6df242552618a750c61992e66bd84953_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\WMdDqSy.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_6df242552618a750c61992e66bd84953_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\XlbkOHE.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_6df242552618a750c61992e66bd84953_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\LcOjWiB.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_6df242552618a750c61992e66bd84953_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\OQnspwT.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_6df242552618a750c61992e66bd84953_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\dSxxJJv.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_6df242552618a750c61992e66bd84953_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\rmmopqb.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_6df242552618a750c61992e66bd84953_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\zONhzar.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_6df242552618a750c61992e66bd84953_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\npFBCXZ.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_6df242552618a750c61992e66bd84953_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\IXJeTnV.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_6df242552618a750c61992e66bd84953_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\EgWpCTY.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_6df242552618a750c61992e66bd84953_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\WGkPYlk.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_6df242552618a750c61992e66bd84953_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\RYUBwex.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_6df242552618a750c61992e66bd84953_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\gJbMZSR.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_6df242552618a750c61992e66bd84953_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\uIZWTpT.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_6df242552618a750c61992e66bd84953_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_6df242552618a750c61992e66bd84953_cobalt-strike_cobaltstrike.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_6df242552618a750c61992e66bd84953_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2056 wrote to memory of 1784 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_6df242552618a750c61992e66bd84953_cobalt-strike_cobaltstrike.exe C:\Windows\System\HpSpMRI.exe
PID 2056 wrote to memory of 1784 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_6df242552618a750c61992e66bd84953_cobalt-strike_cobaltstrike.exe C:\Windows\System\HpSpMRI.exe
PID 2056 wrote to memory of 1188 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_6df242552618a750c61992e66bd84953_cobalt-strike_cobaltstrike.exe C:\Windows\System\RYUBwex.exe
PID 2056 wrote to memory of 1188 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_6df242552618a750c61992e66bd84953_cobalt-strike_cobaltstrike.exe C:\Windows\System\RYUBwex.exe
PID 2056 wrote to memory of 2000 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_6df242552618a750c61992e66bd84953_cobalt-strike_cobaltstrike.exe C:\Windows\System\FsbHeWD.exe
PID 2056 wrote to memory of 2000 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_6df242552618a750c61992e66bd84953_cobalt-strike_cobaltstrike.exe C:\Windows\System\FsbHeWD.exe
PID 2056 wrote to memory of 2524 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_6df242552618a750c61992e66bd84953_cobalt-strike_cobaltstrike.exe C:\Windows\System\rmmopqb.exe
PID 2056 wrote to memory of 2524 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_6df242552618a750c61992e66bd84953_cobalt-strike_cobaltstrike.exe C:\Windows\System\rmmopqb.exe
PID 2056 wrote to memory of 1260 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_6df242552618a750c61992e66bd84953_cobalt-strike_cobaltstrike.exe C:\Windows\System\uIZWTpT.exe
PID 2056 wrote to memory of 1260 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_6df242552618a750c61992e66bd84953_cobalt-strike_cobaltstrike.exe C:\Windows\System\uIZWTpT.exe
PID 2056 wrote to memory of 736 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_6df242552618a750c61992e66bd84953_cobalt-strike_cobaltstrike.exe C:\Windows\System\dSxxJJv.exe
PID 2056 wrote to memory of 736 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_6df242552618a750c61992e66bd84953_cobalt-strike_cobaltstrike.exe C:\Windows\System\dSxxJJv.exe
PID 2056 wrote to memory of 1600 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_6df242552618a750c61992e66bd84953_cobalt-strike_cobaltstrike.exe C:\Windows\System\SKYyMZJ.exe
PID 2056 wrote to memory of 1600 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_6df242552618a750c61992e66bd84953_cobalt-strike_cobaltstrike.exe C:\Windows\System\SKYyMZJ.exe
PID 2056 wrote to memory of 4020 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_6df242552618a750c61992e66bd84953_cobalt-strike_cobaltstrike.exe C:\Windows\System\zONhzar.exe
PID 2056 wrote to memory of 4020 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_6df242552618a750c61992e66bd84953_cobalt-strike_cobaltstrike.exe C:\Windows\System\zONhzar.exe
PID 2056 wrote to memory of 1388 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_6df242552618a750c61992e66bd84953_cobalt-strike_cobaltstrike.exe C:\Windows\System\kgfoKJK.exe
PID 2056 wrote to memory of 1388 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_6df242552618a750c61992e66bd84953_cobalt-strike_cobaltstrike.exe C:\Windows\System\kgfoKJK.exe
PID 2056 wrote to memory of 1368 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_6df242552618a750c61992e66bd84953_cobalt-strike_cobaltstrike.exe C:\Windows\System\CLZgiGD.exe
PID 2056 wrote to memory of 1368 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_6df242552618a750c61992e66bd84953_cobalt-strike_cobaltstrike.exe C:\Windows\System\CLZgiGD.exe
PID 2056 wrote to memory of 3808 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_6df242552618a750c61992e66bd84953_cobalt-strike_cobaltstrike.exe C:\Windows\System\pWbWWJE.exe
PID 2056 wrote to memory of 3808 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_6df242552618a750c61992e66bd84953_cobalt-strike_cobaltstrike.exe C:\Windows\System\pWbWWJE.exe
PID 2056 wrote to memory of 3676 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_6df242552618a750c61992e66bd84953_cobalt-strike_cobaltstrike.exe C:\Windows\System\npFBCXZ.exe
PID 2056 wrote to memory of 3676 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_6df242552618a750c61992e66bd84953_cobalt-strike_cobaltstrike.exe C:\Windows\System\npFBCXZ.exe
PID 2056 wrote to memory of 4328 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_6df242552618a750c61992e66bd84953_cobalt-strike_cobaltstrike.exe C:\Windows\System\WMdDqSy.exe
PID 2056 wrote to memory of 4328 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_6df242552618a750c61992e66bd84953_cobalt-strike_cobaltstrike.exe C:\Windows\System\WMdDqSy.exe
PID 2056 wrote to memory of 4868 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_6df242552618a750c61992e66bd84953_cobalt-strike_cobaltstrike.exe C:\Windows\System\XlbkOHE.exe
PID 2056 wrote to memory of 4868 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_6df242552618a750c61992e66bd84953_cobalt-strike_cobaltstrike.exe C:\Windows\System\XlbkOHE.exe
PID 2056 wrote to memory of 4408 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_6df242552618a750c61992e66bd84953_cobalt-strike_cobaltstrike.exe C:\Windows\System\auMFqHO.exe
PID 2056 wrote to memory of 4408 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_6df242552618a750c61992e66bd84953_cobalt-strike_cobaltstrike.exe C:\Windows\System\auMFqHO.exe
PID 2056 wrote to memory of 1512 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_6df242552618a750c61992e66bd84953_cobalt-strike_cobaltstrike.exe C:\Windows\System\IXJeTnV.exe
PID 2056 wrote to memory of 1512 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_6df242552618a750c61992e66bd84953_cobalt-strike_cobaltstrike.exe C:\Windows\System\IXJeTnV.exe
PID 2056 wrote to memory of 4584 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_6df242552618a750c61992e66bd84953_cobalt-strike_cobaltstrike.exe C:\Windows\System\EgWpCTY.exe
PID 2056 wrote to memory of 4584 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_6df242552618a750c61992e66bd84953_cobalt-strike_cobaltstrike.exe C:\Windows\System\EgWpCTY.exe
PID 2056 wrote to memory of 684 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_6df242552618a750c61992e66bd84953_cobalt-strike_cobaltstrike.exe C:\Windows\System\LcOjWiB.exe
PID 2056 wrote to memory of 684 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_6df242552618a750c61992e66bd84953_cobalt-strike_cobaltstrike.exe C:\Windows\System\LcOjWiB.exe
PID 2056 wrote to memory of 4908 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_6df242552618a750c61992e66bd84953_cobalt-strike_cobaltstrike.exe C:\Windows\System\gJbMZSR.exe
PID 2056 wrote to memory of 4908 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_6df242552618a750c61992e66bd84953_cobalt-strike_cobaltstrike.exe C:\Windows\System\gJbMZSR.exe
PID 2056 wrote to memory of 1968 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_6df242552618a750c61992e66bd84953_cobalt-strike_cobaltstrike.exe C:\Windows\System\WGkPYlk.exe
PID 2056 wrote to memory of 1968 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_6df242552618a750c61992e66bd84953_cobalt-strike_cobaltstrike.exe C:\Windows\System\WGkPYlk.exe
PID 2056 wrote to memory of 1180 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_6df242552618a750c61992e66bd84953_cobalt-strike_cobaltstrike.exe C:\Windows\System\OQnspwT.exe
PID 2056 wrote to memory of 1180 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_6df242552618a750c61992e66bd84953_cobalt-strike_cobaltstrike.exe C:\Windows\System\OQnspwT.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-05-30_6df242552618a750c61992e66bd84953_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-05-30_6df242552618a750c61992e66bd84953_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\HpSpMRI.exe

C:\Windows\System\HpSpMRI.exe

C:\Windows\System\RYUBwex.exe

C:\Windows\System\RYUBwex.exe

C:\Windows\System\FsbHeWD.exe

C:\Windows\System\FsbHeWD.exe

C:\Windows\System\rmmopqb.exe

C:\Windows\System\rmmopqb.exe

C:\Windows\System\uIZWTpT.exe

C:\Windows\System\uIZWTpT.exe

C:\Windows\System\dSxxJJv.exe

C:\Windows\System\dSxxJJv.exe

C:\Windows\System\SKYyMZJ.exe

C:\Windows\System\SKYyMZJ.exe

C:\Windows\System\zONhzar.exe

C:\Windows\System\zONhzar.exe

C:\Windows\System\kgfoKJK.exe

C:\Windows\System\kgfoKJK.exe

C:\Windows\System\CLZgiGD.exe

C:\Windows\System\CLZgiGD.exe

C:\Windows\System\pWbWWJE.exe

C:\Windows\System\pWbWWJE.exe

C:\Windows\System\npFBCXZ.exe

C:\Windows\System\npFBCXZ.exe

C:\Windows\System\WMdDqSy.exe

C:\Windows\System\WMdDqSy.exe

C:\Windows\System\XlbkOHE.exe

C:\Windows\System\XlbkOHE.exe

C:\Windows\System\auMFqHO.exe

C:\Windows\System\auMFqHO.exe

C:\Windows\System\IXJeTnV.exe

C:\Windows\System\IXJeTnV.exe

C:\Windows\System\EgWpCTY.exe

C:\Windows\System\EgWpCTY.exe

C:\Windows\System\LcOjWiB.exe

C:\Windows\System\LcOjWiB.exe

C:\Windows\System\gJbMZSR.exe

C:\Windows\System\gJbMZSR.exe

C:\Windows\System\WGkPYlk.exe

C:\Windows\System\WGkPYlk.exe

C:\Windows\System\OQnspwT.exe

C:\Windows\System\OQnspwT.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 144.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
DE 3.120.209.58:8080 N/A tcp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
DE 3.120.209.58:8080 N/A tcp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
DE 3.120.209.58:8080 N/A tcp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
DE 3.120.209.58:8080 N/A tcp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
DE 3.120.209.58:8080 N/A tcp
DE 3.120.209.58:8080 N/A tcp

Files
