Malware Analysis Report

2025-03-15 08:11

Sample ID 240530-bcwfzahe34
Target 2024-05-30_8e93b3c763d72c05f5a29898eb320caf_cobalt-strike_cobaltstrike
SHA256 1bf86d0802c55cafe6d5cad3e87b1cecea467c276b0d7b2d23efe5bf9f2825ac
Tags
upx 0 miner cobaltstrike xmrig backdoor trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

1bf86d0802c55cafe6d5cad3e87b1cecea467c276b0d7b2d23efe5bf9f2825ac

Threat Level: Known bad

The file 2024-05-30_8e93b3c763d72c05f5a29898eb320caf_cobalt-strike_cobaltstrike was found to be: Known bad.

Malicious Activity Summary

upx 0 miner cobaltstrike xmrig backdoor trojan

xmrig

Detects Reflective DLL injection artifacts

XMRig Miner payload

Cobaltstrike family

Cobalt Strike reflective loader

UPX dump on OEP (original entry point)

Cobaltstrike

Xmrig family

Detects Reflective DLL injection artifacts

XMRig Miner payload

UPX dump on OEP (original entry point)

Executes dropped EXE

UPX packed file

Loads dropped DLL

Drops file in Windows directory

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-05-30 01:00

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike family

cobaltstrike

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Xmrig family

xmrig

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
(2 identical rows with no details recorded)

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-30 01:00

Reported

2024-05-30 01:03

Platform

win7-20240215-en

Max time kernel

142s

Max time network

144s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-05-30_8e93b3c763d72c05f5a29898eb320caf_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A
(21 identical rows with no details recorded)

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A
(21 identical rows with no details recorded)

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A
(64 identical rows with no details recorded)

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
(39 identical rows with no details recorded)

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_8e93b3c763d72c05f5a29898eb320caf_cobalt-strike_cobaltstrike.exe N/A
(21 identical rows; the loading process is the same in every entry and no DLL path is recorded)

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
(64 identical rows with no details recorded)

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\VsNgNCV.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_8e93b3c763d72c05f5a29898eb320caf_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\hyavcvD.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_8e93b3c763d72c05f5a29898eb320caf_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\MMHrrpV.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_8e93b3c763d72c05f5a29898eb320caf_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\HcOqWEl.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_8e93b3c763d72c05f5a29898eb320caf_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\scLjMGc.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_8e93b3c763d72c05f5a29898eb320caf_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\wyWNbIg.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_8e93b3c763d72c05f5a29898eb320caf_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\BtxXXhy.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_8e93b3c763d72c05f5a29898eb320caf_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\affTxwf.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_8e93b3c763d72c05f5a29898eb320caf_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\iAVafMz.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_8e93b3c763d72c05f5a29898eb320caf_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ZjSyxYO.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_8e93b3c763d72c05f5a29898eb320caf_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\KPigTgD.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_8e93b3c763d72c05f5a29898eb320caf_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\tmDSLdt.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_8e93b3c763d72c05f5a29898eb320caf_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\VwEqMfc.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_8e93b3c763d72c05f5a29898eb320caf_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\hgQSjJu.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_8e93b3c763d72c05f5a29898eb320caf_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\pFyirdi.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_8e93b3c763d72c05f5a29898eb320caf_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\DXnikAd.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_8e93b3c763d72c05f5a29898eb320caf_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\TQulfYZ.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_8e93b3c763d72c05f5a29898eb320caf_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\VgkJYfv.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_8e93b3c763d72c05f5a29898eb320caf_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\EZnOCKq.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_8e93b3c763d72c05f5a29898eb320caf_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\IkAykWQ.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_8e93b3c763d72c05f5a29898eb320caf_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\HyaOYZH.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_8e93b3c763d72c05f5a29898eb320caf_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_8e93b3c763d72c05f5a29898eb320caf_cobalt-strike_cobaltstrike.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_8e93b3c763d72c05f5a29898eb320caf_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1568 wrote to memory of 2504 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_8e93b3c763d72c05f5a29898eb320caf_cobalt-strike_cobaltstrike.exe C:\Windows\System\DXnikAd.exe
PID 1568 wrote to memory of 2504 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_8e93b3c763d72c05f5a29898eb320caf_cobalt-strike_cobaltstrike.exe C:\Windows\System\DXnikAd.exe
PID 1568 wrote to memory of 2504 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_8e93b3c763d72c05f5a29898eb320caf_cobalt-strike_cobaltstrike.exe C:\Windows\System\DXnikAd.exe
PID 1568 wrote to memory of 2540 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_8e93b3c763d72c05f5a29898eb320caf_cobalt-strike_cobaltstrike.exe C:\Windows\System\iAVafMz.exe
PID 1568 wrote to memory of 2540 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_8e93b3c763d72c05f5a29898eb320caf_cobalt-strike_cobaltstrike.exe C:\Windows\System\iAVafMz.exe
PID 1568 wrote to memory of 2540 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_8e93b3c763d72c05f5a29898eb320caf_cobalt-strike_cobaltstrike.exe C:\Windows\System\iAVafMz.exe
PID 1568 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_8e93b3c763d72c05f5a29898eb320caf_cobalt-strike_cobaltstrike.exe C:\Windows\System\TQulfYZ.exe
PID 1568 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_8e93b3c763d72c05f5a29898eb320caf_cobalt-strike_cobaltstrike.exe C:\Windows\System\TQulfYZ.exe
PID 1568 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_8e93b3c763d72c05f5a29898eb320caf_cobalt-strike_cobaltstrike.exe C:\Windows\System\TQulfYZ.exe
PID 1568 wrote to memory of 2216 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_8e93b3c763d72c05f5a29898eb320caf_cobalt-strike_cobaltstrike.exe C:\Windows\System\MMHrrpV.exe
PID 1568 wrote to memory of 2216 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_8e93b3c763d72c05f5a29898eb320caf_cobalt-strike_cobaltstrike.exe C:\Windows\System\MMHrrpV.exe
PID 1568 wrote to memory of 2216 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_8e93b3c763d72c05f5a29898eb320caf_cobalt-strike_cobaltstrike.exe C:\Windows\System\MMHrrpV.exe
PID 1568 wrote to memory of 2416 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_8e93b3c763d72c05f5a29898eb320caf_cobalt-strike_cobaltstrike.exe C:\Windows\System\VsNgNCV.exe
PID 1568 wrote to memory of 2416 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_8e93b3c763d72c05f5a29898eb320caf_cobalt-strike_cobaltstrike.exe C:\Windows\System\VsNgNCV.exe
PID 1568 wrote to memory of 2416 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_8e93b3c763d72c05f5a29898eb320caf_cobalt-strike_cobaltstrike.exe C:\Windows\System\VsNgNCV.exe
PID 1568 wrote to memory of 2500 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_8e93b3c763d72c05f5a29898eb320caf_cobalt-strike_cobaltstrike.exe C:\Windows\System\ZjSyxYO.exe
PID 1568 wrote to memory of 2500 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_8e93b3c763d72c05f5a29898eb320caf_cobalt-strike_cobaltstrike.exe C:\Windows\System\ZjSyxYO.exe
PID 1568 wrote to memory of 2500 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_8e93b3c763d72c05f5a29898eb320caf_cobalt-strike_cobaltstrike.exe C:\Windows\System\ZjSyxYO.exe
PID 1568 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_8e93b3c763d72c05f5a29898eb320caf_cobalt-strike_cobaltstrike.exe C:\Windows\System\VgkJYfv.exe
PID 1568 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_8e93b3c763d72c05f5a29898eb320caf_cobalt-strike_cobaltstrike.exe C:\Windows\System\VgkJYfv.exe
PID 1568 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_8e93b3c763d72c05f5a29898eb320caf_cobalt-strike_cobaltstrike.exe C:\Windows\System\VgkJYfv.exe
PID 1568 wrote to memory of 2412 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_8e93b3c763d72c05f5a29898eb320caf_cobalt-strike_cobaltstrike.exe C:\Windows\System\KPigTgD.exe
PID 1568 wrote to memory of 2412 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_8e93b3c763d72c05f5a29898eb320caf_cobalt-strike_cobaltstrike.exe C:\Windows\System\KPigTgD.exe
PID 1568 wrote to memory of 2412 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_8e93b3c763d72c05f5a29898eb320caf_cobalt-strike_cobaltstrike.exe C:\Windows\System\KPigTgD.exe
PID 1568 wrote to memory of 2532 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_8e93b3c763d72c05f5a29898eb320caf_cobalt-strike_cobaltstrike.exe C:\Windows\System\HcOqWEl.exe
PID 1568 wrote to memory of 2532 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_8e93b3c763d72c05f5a29898eb320caf_cobalt-strike_cobaltstrike.exe C:\Windows\System\HcOqWEl.exe
PID 1568 wrote to memory of 2532 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_8e93b3c763d72c05f5a29898eb320caf_cobalt-strike_cobaltstrike.exe C:\Windows\System\HcOqWEl.exe
PID 1568 wrote to memory of 1376 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_8e93b3c763d72c05f5a29898eb320caf_cobalt-strike_cobaltstrike.exe C:\Windows\System\EZnOCKq.exe
PID 1568 wrote to memory of 1376 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_8e93b3c763d72c05f5a29898eb320caf_cobalt-strike_cobaltstrike.exe C:\Windows\System\EZnOCKq.exe
PID 1568 wrote to memory of 1376 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_8e93b3c763d72c05f5a29898eb320caf_cobalt-strike_cobaltstrike.exe C:\Windows\System\EZnOCKq.exe
PID 1568 wrote to memory of 1288 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_8e93b3c763d72c05f5a29898eb320caf_cobalt-strike_cobaltstrike.exe C:\Windows\System\tmDSLdt.exe
PID 1568 wrote to memory of 1288 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_8e93b3c763d72c05f5a29898eb320caf_cobalt-strike_cobaltstrike.exe C:\Windows\System\tmDSLdt.exe
PID 1568 wrote to memory of 1288 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_8e93b3c763d72c05f5a29898eb320caf_cobalt-strike_cobaltstrike.exe C:\Windows\System\tmDSLdt.exe
PID 1568 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_8e93b3c763d72c05f5a29898eb320caf_cobalt-strike_cobaltstrike.exe C:\Windows\System\scLjMGc.exe
PID 1568 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_8e93b3c763d72c05f5a29898eb320caf_cobalt-strike_cobaltstrike.exe C:\Windows\System\scLjMGc.exe
PID 1568 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_8e93b3c763d72c05f5a29898eb320caf_cobalt-strike_cobaltstrike.exe C:\Windows\System\scLjMGc.exe
PID 1568 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_8e93b3c763d72c05f5a29898eb320caf_cobalt-strike_cobaltstrike.exe C:\Windows\System\VwEqMfc.exe
PID 1568 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_8e93b3c763d72c05f5a29898eb320caf_cobalt-strike_cobaltstrike.exe C:\Windows\System\VwEqMfc.exe
PID 1568 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_8e93b3c763d72c05f5a29898eb320caf_cobalt-strike_cobaltstrike.exe C:\Windows\System\VwEqMfc.exe
PID 1568 wrote to memory of 1652 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_8e93b3c763d72c05f5a29898eb320caf_cobalt-strike_cobaltstrike.exe C:\Windows\System\wyWNbIg.exe
PID 1568 wrote to memory of 1652 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_8e93b3c763d72c05f5a29898eb320caf_cobalt-strike_cobaltstrike.exe C:\Windows\System\wyWNbIg.exe
PID 1568 wrote to memory of 1652 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_8e93b3c763d72c05f5a29898eb320caf_cobalt-strike_cobaltstrike.exe C:\Windows\System\wyWNbIg.exe
PID 1568 wrote to memory of 1600 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_8e93b3c763d72c05f5a29898eb320caf_cobalt-strike_cobaltstrike.exe C:\Windows\System\hgQSjJu.exe
PID 1568 wrote to memory of 1600 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_8e93b3c763d72c05f5a29898eb320caf_cobalt-strike_cobaltstrike.exe C:\Windows\System\hgQSjJu.exe
PID 1568 wrote to memory of 1600 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_8e93b3c763d72c05f5a29898eb320caf_cobalt-strike_cobaltstrike.exe C:\Windows\System\hgQSjJu.exe
PID 1568 wrote to memory of 2172 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_8e93b3c763d72c05f5a29898eb320caf_cobalt-strike_cobaltstrike.exe C:\Windows\System\hyavcvD.exe
PID 1568 wrote to memory of 2172 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_8e93b3c763d72c05f5a29898eb320caf_cobalt-strike_cobaltstrike.exe C:\Windows\System\hyavcvD.exe
PID 1568 wrote to memory of 2172 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_8e93b3c763d72c05f5a29898eb320caf_cobalt-strike_cobaltstrike.exe C:\Windows\System\hyavcvD.exe
PID 1568 wrote to memory of 932 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_8e93b3c763d72c05f5a29898eb320caf_cobalt-strike_cobaltstrike.exe C:\Windows\System\pFyirdi.exe
PID 1568 wrote to memory of 932 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_8e93b3c763d72c05f5a29898eb320caf_cobalt-strike_cobaltstrike.exe C:\Windows\System\pFyirdi.exe
PID 1568 wrote to memory of 932 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_8e93b3c763d72c05f5a29898eb320caf_cobalt-strike_cobaltstrike.exe C:\Windows\System\pFyirdi.exe
PID 1568 wrote to memory of 1432 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_8e93b3c763d72c05f5a29898eb320caf_cobalt-strike_cobaltstrike.exe C:\Windows\System\BtxXXhy.exe
PID 1568 wrote to memory of 1432 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_8e93b3c763d72c05f5a29898eb320caf_cobalt-strike_cobaltstrike.exe C:\Windows\System\BtxXXhy.exe
PID 1568 wrote to memory of 1432 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_8e93b3c763d72c05f5a29898eb320caf_cobalt-strike_cobaltstrike.exe C:\Windows\System\BtxXXhy.exe
PID 1568 wrote to memory of 2320 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_8e93b3c763d72c05f5a29898eb320caf_cobalt-strike_cobaltstrike.exe C:\Windows\System\IkAykWQ.exe
PID 1568 wrote to memory of 2320 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_8e93b3c763d72c05f5a29898eb320caf_cobalt-strike_cobaltstrike.exe C:\Windows\System\IkAykWQ.exe
PID 1568 wrote to memory of 2320 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_8e93b3c763d72c05f5a29898eb320caf_cobalt-strike_cobaltstrike.exe C:\Windows\System\IkAykWQ.exe
PID 1568 wrote to memory of 1268 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_8e93b3c763d72c05f5a29898eb320caf_cobalt-strike_cobaltstrike.exe C:\Windows\System\HyaOYZH.exe
PID 1568 wrote to memory of 1268 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_8e93b3c763d72c05f5a29898eb320caf_cobalt-strike_cobaltstrike.exe C:\Windows\System\HyaOYZH.exe
PID 1568 wrote to memory of 1268 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_8e93b3c763d72c05f5a29898eb320caf_cobalt-strike_cobaltstrike.exe C:\Windows\System\HyaOYZH.exe
PID 1568 wrote to memory of 1968 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_8e93b3c763d72c05f5a29898eb320caf_cobalt-strike_cobaltstrike.exe C:\Windows\System\affTxwf.exe
PID 1568 wrote to memory of 1968 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_8e93b3c763d72c05f5a29898eb320caf_cobalt-strike_cobaltstrike.exe C:\Windows\System\affTxwf.exe
PID 1568 wrote to memory of 1968 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_8e93b3c763d72c05f5a29898eb320caf_cobalt-strike_cobaltstrike.exe C:\Windows\System\affTxwf.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-05-30_8e93b3c763d72c05f5a29898eb320caf_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-05-30_8e93b3c763d72c05f5a29898eb320caf_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\DXnikAd.exe

C:\Windows\System\DXnikAd.exe

C:\Windows\System\iAVafMz.exe

C:\Windows\System\iAVafMz.exe

C:\Windows\System\TQulfYZ.exe

C:\Windows\System\TQulfYZ.exe

C:\Windows\System\MMHrrpV.exe

C:\Windows\System\MMHrrpV.exe

C:\Windows\System\VsNgNCV.exe

C:\Windows\System\VsNgNCV.exe

C:\Windows\System\ZjSyxYO.exe

C:\Windows\System\ZjSyxYO.exe

C:\Windows\System\VgkJYfv.exe

C:\Windows\System\VgkJYfv.exe

C:\Windows\System\KPigTgD.exe

C:\Windows\System\KPigTgD.exe

C:\Windows\System\HcOqWEl.exe

C:\Windows\System\HcOqWEl.exe

C:\Windows\System\EZnOCKq.exe

C:\Windows\System\EZnOCKq.exe

C:\Windows\System\tmDSLdt.exe

C:\Windows\System\tmDSLdt.exe

C:\Windows\System\scLjMGc.exe

C:\Windows\System\scLjMGc.exe

C:\Windows\System\VwEqMfc.exe

C:\Windows\System\VwEqMfc.exe

C:\Windows\System\wyWNbIg.exe

C:\Windows\System\wyWNbIg.exe

C:\Windows\System\hgQSjJu.exe

C:\Windows\System\hgQSjJu.exe

C:\Windows\System\hyavcvD.exe

C:\Windows\System\hyavcvD.exe

C:\Windows\System\pFyirdi.exe

C:\Windows\System\pFyirdi.exe

C:\Windows\System\BtxXXhy.exe

C:\Windows\System\BtxXXhy.exe

C:\Windows\System\IkAykWQ.exe

C:\Windows\System\IkAykWQ.exe

C:\Windows\System\HyaOYZH.exe

C:\Windows\System\HyaOYZH.exe

C:\Windows\System\affTxwf.exe

C:\Windows\System\affTxwf.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 N/A tcp
(6 identical connection entries; no domain recorded)

Files

memory/1568-0-0x000000013F9D0000-0x000000013FD21000-memory.dmp

memory/1568-1-0x0000000000200000-0x0000000000210000-memory.dmp

\Windows\system\DXnikAd.exe

MD5 ac1730a8b5e74e41682ebc707e0a4a30
SHA1 e57d421616787c772ea3925115cb7f5dda6ee328
SHA256 61073da936f9e4df4e8586601646d049c4622b7aea44e074479c9baebb72b771
SHA512 2d846bc1cce348877c6304a71aed33dc0f036b46d4493534db43921622c5b11b48f8124adbfd22c6d5ffe6e19cf9eecec6636f4192ee2012cff2557ad0671cdf

memory/2504-9-0x000000013FBD0000-0x000000013FF21000-memory.dmp

memory/1568-7-0x0000000002270000-0x00000000025C1000-memory.dmp

\Windows\system\iAVafMz.exe

MD5 6c41177e04a17d8cde97826ccf6ead2f
SHA1 dce4b3530b7f2a60f1cddaf4b1ce6b6a77cfd7bf
SHA256 19e272d3fa7667794ef9419c5c9ceed2222e01bd610fca20d600eb6afe6336e0
SHA512 6c2e127cc1fd2fc578edeaf7534bc5ff23237260217901a0fa6af82f716138fddbc3d24ac7d2d77d6624115dad7c9a0047bc22d87b49e050a63e2474dbc161b1

C:\Windows\system\TQulfYZ.exe

MD5 f9da6475bf31ae6e5b5a4cb55446e2bc
SHA1 c0384af369186fa79fd32c2e44981ac7b93b7690
SHA256 e5122a71d640b80dfff3c8aa6fa6701db5f5c58dbd036996006fd3746a3d7968
SHA512 3b7f07657ed4d47f54a4a4c37da6dd4b989f8ba7ac071241e947eb32d4b2339526f50cf6440863aa0a238222909204b17e99569e53ebbe0c4ac18b845d65b888

memory/1568-23-0x000000013FF90000-0x00000001402E1000-memory.dmp

\Windows\system\MMHrrpV.exe

MD5 7eb97597b031e0345a40f0092b8866fa
SHA1 0bf1a1251db90e0da46f3c30e1e1da839528a597
SHA256 e9b1b64d958596a671a09d4f06c9f554dacc75c8c768c955a42f2d0532bee857
SHA512 0f04bf842d5f2d6852b771075a2177f6b40ea405b655d2fa0fcb58da443c40558becbf0ed8a72b2b7c7877f935e30f929be012c8c9798711ddfabb322d6cd32e

C:\Windows\system\VsNgNCV.exe

MD5 7bf445c65c244fc2e686959222e67ad7
SHA1 e362d98643d8657437acb0d86626bbf7cd462369
SHA256 20dcfe4f6f1edda66cfceddd567fd702e3ee141571a5860fa64949417d58aa6c
SHA512 29c563a1ad5780dd44b79669fc4b5e6d834add9e87b40c130187eeafbe0153a3ebf5bc283479b26f05244d4fce7d4b17d1a85013ff7f0b4e50987cfa5fadb8c3

C:\Windows\system\ZjSyxYO.exe

MD5 20b8926f1410f69d239efab635599eeb
SHA1 0e7e66df1c94b76f940d6c6b4602e93972923e49
SHA256 04ce71d8326c471d80f949053fcf393a1ae79363ff4773765e21cfd10a8e403c
SHA512 65ca5bb832be801b40bdf3bfdffe37931d6e046a616b2a1115188e3a1c196c9ca7d72f57fc8fd874e40462572efc0dc83e23649aa0e0d0c667976f500e10b9ab

memory/1568-39-0x000000013F490000-0x000000013F7E1000-memory.dmp

memory/2500-40-0x000000013F490000-0x000000013F7E1000-memory.dmp

memory/2416-35-0x000000013F500000-0x000000013F851000-memory.dmp

memory/1568-33-0x000000013F500000-0x000000013F851000-memory.dmp

memory/1568-54-0x000000013F9D0000-0x000000013FD21000-memory.dmp

memory/2576-49-0x000000013F930000-0x000000013FC81000-memory.dmp

memory/2412-58-0x000000013FB70000-0x000000013FEC1000-memory.dmp

C:\Windows\system\VgkJYfv.exe

MD5 499dd74d81c312dbed8b0436185842f8
SHA1 18254407b82c7aa265e47e025d46cb7529d2cd01
SHA256 75760c3d33fcdda29ba6bb845b8debdad1b99be32353fd758c1b928097d29114
SHA512 483e71725f2817e1d329aca52962775b90e73dc78e979972567023070b264947fe19362d8a23c5c876bdd63338c9c91f27aa692cb64ab6393cccf76815b1c117

memory/1568-44-0x0000000002270000-0x00000000025C1000-memory.dmp

memory/1568-55-0x0000000002270000-0x00000000025C1000-memory.dmp

C:\Windows\system\KPigTgD.exe

MD5 f997e1acfd051dfcb6c28aca266220c1
SHA1 95c977a3ecda1930c2bf74704d661dd6ddc3ee85
SHA256 dfcd121a6b77687251f61ccf0fa924880152b6629fb65463e86328499870a8cc
SHA512 8dfa35cb2b57cec0de40128afdd561fcc2d55ef63b1c45420efc34226951c2ddafc084e5ebe4aa88b1e9ac7b9785029c64731f89747432d24b61082af17ecf7d

memory/1568-32-0x0000000002270000-0x00000000025C1000-memory.dmp

memory/2216-31-0x000000013F850000-0x000000013FBA1000-memory.dmp

memory/2652-28-0x000000013FF90000-0x00000001402E1000-memory.dmp

memory/2540-14-0x000000013FA90000-0x000000013FDE1000-memory.dmp

C:\Windows\system\HcOqWEl.exe

MD5 6de9ef86bae2bb9ef6a7ed3f015d5970
SHA1 c8c7ecf63b55bf4fb533655fb6469178c81e9c36
SHA256 ec1c2493edfff89a8b0027d042c12f85cc0abf63c9b8fa55be1928354b5b493e
SHA512 361d26e4d18596534e1428f392f60acacfa80797d5fd18e6fc1750000c9cd9d81e51c9b082b8708ccc440bb84795a4949695b31608b344a30f9a3f20b12e7356

C:\Windows\system\EZnOCKq.exe

MD5 c2a4d076d65c39b1f5d7069297d5a30f
SHA1 cc5c88184884cf968e87263c6044dea3c6447b36
SHA256 de29c6dbc6baa14b47534d43c4c566fad1d97dcc81c383d806da9a89ab718738
SHA512 99bf359c3065f70ce7fc629fdb40b6b499df5dfb0f687154ffee25cccc4850b3d8447c0b2f4f3e0a2c4daaa7b69b430b5a94ce5547c1f63f7b1c60ada2fc87e1

memory/2504-68-0x000000013FBD0000-0x000000013FF21000-memory.dmp

memory/1376-71-0x000000013F0A0000-0x000000013F3F1000-memory.dmp

memory/1568-63-0x0000000002270000-0x00000000025C1000-memory.dmp

\Windows\system\scLjMGc.exe

MD5 873f145c3d603128c262f24972f5bf49
SHA1 07cf5cfd914dff07189cda8936ce03d8b6f15b1e
SHA256 02aa86838ef962bb9c18c77b98aa136ef50db0f9f565aa45fd039ee686b5d59f
SHA512 9789f72a82a462d8aaecc5ae7229e7201d24c87c7381cabfe99c614c5ad826493e35bc8b9930983cdceccb74c3427c7f379fe639e026aefcaf459f989c5a5861

memory/2540-77-0x000000013FA90000-0x000000013FDE1000-memory.dmp

\Windows\system\VwEqMfc.exe

MD5 c03ec88eb6bf245fbdfa4b5050498441
SHA1 bf4892615806e1e574a7fc17f9f94295d8683ae2
SHA256 053bd1e9571bd0aca944ec0844fd6dce7505bc5096dd846093babc2083244029
SHA512 61ef6f45268db1b9cac5a7146099cfb4b7010f3bd84ac19bf6135a452e5cba4b791cf5e255ec8c882e751156987e2fe7ca20b1a7e2af2aa39d58d395ff8e4209

memory/2712-97-0x000000013F640000-0x000000013F991000-memory.dmp

memory/2708-99-0x000000013FB50000-0x000000013FEA1000-memory.dmp

C:\Windows\system\wyWNbIg.exe

MD5 1aee32065fb6e68267759a5a3de2f925
SHA1 62ba50d2c2a09e3184a98dcd67fc46291647b2b0
SHA256 a592ce7e7eebec8d87f8cd6f48d077ec96198a7e181ea1c544a88d69b1369e40
SHA512 6499afa28d900d08f2f03af1defd5bfd652f81f386763b0097c5b38dcbfe62a44c7b5515ab2865192f3c4898b7f232c5d1adabebb438c149963e53fcd7432fe1

memory/2416-103-0x000000013F500000-0x000000013F851000-memory.dmp

memory/1652-106-0x000000013FA20000-0x000000013FD71000-memory.dmp

C:\Windows\system\pFyirdi.exe

MD5 a60f2d3ccef5c1174b57450d88e68fd0
SHA1 af3fe2080577cac3d18128622ca10c58b15e38df
SHA256 86e89d3f04f2e0b67b60605be63ba7e8b10b3502a27e74a83c5463d08da5bc91
SHA512 6f6e6581baed1c25854ca550ad28ff810b1067c641178670af0d8040be34980f1c73c507c4b1e79aa8aae4b948b98e9a87a24affa7931c82a6e5d1906da09f40

C:\Windows\system\HyaOYZH.exe

MD5 dd60081daaa0637c3111b09864166b6e
SHA1 d8a8d21c1453e8b0ab42be613b04b2ad12ff5366
SHA256 983b3f1967f55dddbd335e77632173644c77e16e88d1b0e730924561bb20bdd3
SHA512 656b4859e97205c6376961108e68b0d8979bffe904bd5506a61b74717085cd42525b9811d02f7e9a082a3d891fa4f4530538760ad83fcef66055edcbb42c11c8

\Windows\system\affTxwf.exe

MD5 2f6bf98d797b73d074260d10084e1db1
SHA1 1248a34d54a50e45c70c8b4717e7792c16ed8b51
SHA256 ba92ac4af9fcaf641c4224ea93a4c7e47ae4abcfdc5e55a5bf1a3b8a1a92edf6
SHA512 4dd833f2cf2f5702c3e961f9dc6eb7bad1407629e30f76c3f9f21d25ed54cbbd348e8977cd6fad0f305eec646a45e3644b19fd0ac1d6895c22f6280c93fdb0ff

C:\Windows\system\IkAykWQ.exe

MD5 995d291b9a1662ad69e9b3629a9c8821
SHA1 7d56de99c7ca5943c3068bde7dfc7a8891204dd0
SHA256 34887a59ac43c7cd5f9b1cb1846aeed208809998e70d06baed4de88ffad041eb
SHA512 a596890dd950c9794806de5b4d3afd86a9e5b29b7c5a6d44bc26c4787f957dd9e14deb7a74ea7900e3b92da157551c41bfadd377a2617bcc8fed94c2f3c5f6f9

C:\Windows\system\BtxXXhy.exe

MD5 e0fbad318a2ae3716d48c07201bf991a
SHA1 2edbadefdc2ec88b62090db01bacc3837b678cf8
SHA256 e0b2c6bc26ba6e5333c42e579696b4bf7bd02d6950019dd0c56aac5b097a6883
SHA512 745a9f4908382944de43c326bb2f71efaebb22cd6d97d680447cc0ebd914e14bd4f20fa50389053632fc7c1967838020d0d4eabb72851d407c512c13ceb10bad

memory/1568-111-0x0000000002270000-0x00000000025C1000-memory.dmp

C:\Windows\system\hgQSjJu.exe

MD5 486a80ea801068dee204c6fe157aaa34
SHA1 f0e3306501c0d522e7b33fa2d7992165f6497d5b
SHA256 1111d992e1dd8d155496d1aaf4462e2284a9684cf60de09a72ea0477876d832f
SHA512 c1487e8d4a963265e4d47ed0fac31ff29bf213766fdff1136ac4b81a50f809a8902eb179aa040dd35d9cd642fd2283f4d0ccf4bcc449ecb4c172c51e1367845f

C:\Windows\system\hyavcvD.exe

MD5 20ad42227a9ceaf1c4a6ad6b1d11a5fb
SHA1 fd259c95294be6a9c32ad322beb0e9aed5a871b7
SHA256 50402857709c9f3b79f4b3a0641f10deb232582c83c634ffa2791d22e3f6db60
SHA512 048b40bca82080fa74839112e17501abc6b7dc53ccf1d84940ff89c2b9ac16a482cbd0a9d270085c8c00f99bcd36dfe3a694fa782f0c713f311ca240720834ab

memory/2500-104-0x000000013F490000-0x000000013F7E1000-memory.dmp

memory/1568-95-0x0000000002270000-0x00000000025C1000-memory.dmp

memory/2216-94-0x000000013F850000-0x000000013FBA1000-memory.dmp

memory/1568-93-0x000000013F640000-0x000000013F991000-memory.dmp

memory/1288-92-0x000000013F940000-0x000000013FC91000-memory.dmp

memory/1568-90-0x0000000002270000-0x00000000025C1000-memory.dmp

memory/1568-89-0x0000000002270000-0x00000000025C1000-memory.dmp

memory/1568-76-0x0000000002270000-0x00000000025C1000-memory.dmp

C:\Windows\system\tmDSLdt.exe

MD5 1ba38b9f8942ab8015fed06c216b25b3
SHA1 adbddc2befc0f1414da65dbe590c9eeb289e54e9
SHA256 f7b2d0dc79e0dab92a87fce0a4f022932a21ec1a5deb5fb4e6417731ab3bc352
SHA512 b3b25d2a9e247374ef1aaa053cd15b78a5125304b06a9866302659ce7e587518080a1460be9730d056de4bd47b1072165a381a42d7e893e513000a7c26d5ee2a

memory/2652-82-0x000000013FF90000-0x00000001402E1000-memory.dmp

memory/1568-79-0x000000013FF90000-0x00000001402E1000-memory.dmp

memory/2412-142-0x000000013FB70000-0x000000013FEC1000-memory.dmp

memory/1568-143-0x000000013F9D0000-0x000000013FD21000-memory.dmp

memory/1652-157-0x000000013FA20000-0x000000013FD71000-memory.dmp

memory/2532-159-0x000000013F850000-0x000000013FBA1000-memory.dmp

memory/1568-158-0x0000000002270000-0x00000000025C1000-memory.dmp

memory/1432-163-0x000000013F650000-0x000000013F9A1000-memory.dmp

memory/1268-165-0x000000013FFE0000-0x0000000140331000-memory.dmp

memory/1968-166-0x000000013FFB0000-0x0000000140301000-memory.dmp

memory/932-162-0x000000013F9E0000-0x000000013FD31000-memory.dmp

memory/2320-164-0x000000013F8D0000-0x000000013FC21000-memory.dmp

memory/2172-161-0x000000013FAE0000-0x000000013FE31000-memory.dmp

memory/1600-160-0x000000013F7B0000-0x000000013FB01000-memory.dmp

memory/1568-167-0x000000013F9D0000-0x000000013FD21000-memory.dmp

memory/2504-221-0x000000013FBD0000-0x000000013FF21000-memory.dmp

memory/2540-223-0x000000013FA90000-0x000000013FDE1000-memory.dmp

memory/2216-226-0x000000013F850000-0x000000013FBA1000-memory.dmp

memory/2652-227-0x000000013FF90000-0x00000001402E1000-memory.dmp

memory/2500-229-0x000000013F490000-0x000000013F7E1000-memory.dmp

memory/2576-231-0x000000013F930000-0x000000013FC81000-memory.dmp

memory/2416-233-0x000000013F500000-0x000000013F851000-memory.dmp

memory/2412-235-0x000000013FB70000-0x000000013FEC1000-memory.dmp

memory/2532-237-0x000000013F850000-0x000000013FBA1000-memory.dmp

memory/1376-239-0x000000013F0A0000-0x000000013F3F1000-memory.dmp

memory/1288-241-0x000000013F940000-0x000000013FC91000-memory.dmp

memory/2712-243-0x000000013F640000-0x000000013F991000-memory.dmp

memory/2708-245-0x000000013FB50000-0x000000013FEA1000-memory.dmp

memory/1652-247-0x000000013FA20000-0x000000013FD71000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-30 01:00

Reported

2024-05-30 01:03

Platform

win10v2004-20240426-en

Max time kernel

147s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-05-30_8e93b3c763d72c05f5a29898eb320caf_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\NUEggcG.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_8e93b3c763d72c05f5a29898eb320caf_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ocGOvVz.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_8e93b3c763d72c05f5a29898eb320caf_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\DJnweWR.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_8e93b3c763d72c05f5a29898eb320caf_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\suyyMxk.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_8e93b3c763d72c05f5a29898eb320caf_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\AieeDwP.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_8e93b3c763d72c05f5a29898eb320caf_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\YYBkQiX.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_8e93b3c763d72c05f5a29898eb320caf_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\cJBilFS.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_8e93b3c763d72c05f5a29898eb320caf_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\vUAfBUm.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_8e93b3c763d72c05f5a29898eb320caf_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\WAybSDX.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_8e93b3c763d72c05f5a29898eb320caf_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\IeDhgGe.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_8e93b3c763d72c05f5a29898eb320caf_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\VWnBtqn.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_8e93b3c763d72c05f5a29898eb320caf_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\VRODktp.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_8e93b3c763d72c05f5a29898eb320caf_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\IajHGpD.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_8e93b3c763d72c05f5a29898eb320caf_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ALXzNOO.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_8e93b3c763d72c05f5a29898eb320caf_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ILDUMVm.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_8e93b3c763d72c05f5a29898eb320caf_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\LrgaWEr.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_8e93b3c763d72c05f5a29898eb320caf_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\RdEIajN.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_8e93b3c763d72c05f5a29898eb320caf_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\rXTGAsO.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_8e93b3c763d72c05f5a29898eb320caf_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\FZxrOOj.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_8e93b3c763d72c05f5a29898eb320caf_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\gWIZcEu.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_8e93b3c763d72c05f5a29898eb320caf_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\nPXrFwf.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_8e93b3c763d72c05f5a29898eb320caf_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_8e93b3c763d72c05f5a29898eb320caf_cobalt-strike_cobaltstrike.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_8e93b3c763d72c05f5a29898eb320caf_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4212 wrote to memory of 4444 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_8e93b3c763d72c05f5a29898eb320caf_cobalt-strike_cobaltstrike.exe C:\Windows\System\NUEggcG.exe
PID 4212 wrote to memory of 4444 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_8e93b3c763d72c05f5a29898eb320caf_cobalt-strike_cobaltstrike.exe C:\Windows\System\NUEggcG.exe
PID 4212 wrote to memory of 3272 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_8e93b3c763d72c05f5a29898eb320caf_cobalt-strike_cobaltstrike.exe C:\Windows\System\cJBilFS.exe
PID 4212 wrote to memory of 3272 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_8e93b3c763d72c05f5a29898eb320caf_cobalt-strike_cobaltstrike.exe C:\Windows\System\cJBilFS.exe
PID 4212 wrote to memory of 3160 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_8e93b3c763d72c05f5a29898eb320caf_cobalt-strike_cobaltstrike.exe C:\Windows\System\LrgaWEr.exe
PID 4212 wrote to memory of 3160 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_8e93b3c763d72c05f5a29898eb320caf_cobalt-strike_cobaltstrike.exe C:\Windows\System\LrgaWEr.exe
PID 4212 wrote to memory of 3120 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_8e93b3c763d72c05f5a29898eb320caf_cobalt-strike_cobaltstrike.exe C:\Windows\System\vUAfBUm.exe
PID 4212 wrote to memory of 3120 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_8e93b3c763d72c05f5a29898eb320caf_cobalt-strike_cobaltstrike.exe C:\Windows\System\vUAfBUm.exe
PID 4212 wrote to memory of 4788 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_8e93b3c763d72c05f5a29898eb320caf_cobalt-strike_cobaltstrike.exe C:\Windows\System\RdEIajN.exe
PID 4212 wrote to memory of 4788 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_8e93b3c763d72c05f5a29898eb320caf_cobalt-strike_cobaltstrike.exe C:\Windows\System\RdEIajN.exe
PID 4212 wrote to memory of 1880 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_8e93b3c763d72c05f5a29898eb320caf_cobalt-strike_cobaltstrike.exe C:\Windows\System\ocGOvVz.exe
PID 4212 wrote to memory of 1880 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_8e93b3c763d72c05f5a29898eb320caf_cobalt-strike_cobaltstrike.exe C:\Windows\System\ocGOvVz.exe
PID 4212 wrote to memory of 3392 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_8e93b3c763d72c05f5a29898eb320caf_cobalt-strike_cobaltstrike.exe C:\Windows\System\rXTGAsO.exe
PID 4212 wrote to memory of 3392 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_8e93b3c763d72c05f5a29898eb320caf_cobalt-strike_cobaltstrike.exe C:\Windows\System\rXTGAsO.exe
PID 4212 wrote to memory of 4912 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_8e93b3c763d72c05f5a29898eb320caf_cobalt-strike_cobaltstrike.exe C:\Windows\System\WAybSDX.exe
PID 4212 wrote to memory of 4912 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_8e93b3c763d72c05f5a29898eb320caf_cobalt-strike_cobaltstrike.exe C:\Windows\System\WAybSDX.exe
PID 4212 wrote to memory of 4752 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_8e93b3c763d72c05f5a29898eb320caf_cobalt-strike_cobaltstrike.exe C:\Windows\System\FZxrOOj.exe
PID 4212 wrote to memory of 4752 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_8e93b3c763d72c05f5a29898eb320caf_cobalt-strike_cobaltstrike.exe C:\Windows\System\FZxrOOj.exe
PID 4212 wrote to memory of 4992 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_8e93b3c763d72c05f5a29898eb320caf_cobalt-strike_cobaltstrike.exe C:\Windows\System\DJnweWR.exe
PID 4212 wrote to memory of 4992 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_8e93b3c763d72c05f5a29898eb320caf_cobalt-strike_cobaltstrike.exe C:\Windows\System\DJnweWR.exe
PID 4212 wrote to memory of 940 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_8e93b3c763d72c05f5a29898eb320caf_cobalt-strike_cobaltstrike.exe C:\Windows\System\IeDhgGe.exe
PID 4212 wrote to memory of 940 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_8e93b3c763d72c05f5a29898eb320caf_cobalt-strike_cobaltstrike.exe C:\Windows\System\IeDhgGe.exe
PID 4212 wrote to memory of 4592 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_8e93b3c763d72c05f5a29898eb320caf_cobalt-strike_cobaltstrike.exe C:\Windows\System\suyyMxk.exe
PID 4212 wrote to memory of 4592 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_8e93b3c763d72c05f5a29898eb320caf_cobalt-strike_cobaltstrike.exe C:\Windows\System\suyyMxk.exe
PID 4212 wrote to memory of 2552 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_8e93b3c763d72c05f5a29898eb320caf_cobalt-strike_cobaltstrike.exe C:\Windows\System\gWIZcEu.exe
PID 4212 wrote to memory of 2552 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_8e93b3c763d72c05f5a29898eb320caf_cobalt-strike_cobaltstrike.exe C:\Windows\System\gWIZcEu.exe
PID 4212 wrote to memory of 3636 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_8e93b3c763d72c05f5a29898eb320caf_cobalt-strike_cobaltstrike.exe C:\Windows\System\VWnBtqn.exe
PID 4212 wrote to memory of 3636 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_8e93b3c763d72c05f5a29898eb320caf_cobalt-strike_cobaltstrike.exe C:\Windows\System\VWnBtqn.exe
PID 4212 wrote to memory of 1568 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_8e93b3c763d72c05f5a29898eb320caf_cobalt-strike_cobaltstrike.exe C:\Windows\System\VRODktp.exe
PID 4212 wrote to memory of 1568 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_8e93b3c763d72c05f5a29898eb320caf_cobalt-strike_cobaltstrike.exe C:\Windows\System\VRODktp.exe
PID 4212 wrote to memory of 4864 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_8e93b3c763d72c05f5a29898eb320caf_cobalt-strike_cobaltstrike.exe C:\Windows\System\IajHGpD.exe
PID 4212 wrote to memory of 4864 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_8e93b3c763d72c05f5a29898eb320caf_cobalt-strike_cobaltstrike.exe C:\Windows\System\IajHGpD.exe
PID 4212 wrote to memory of 920 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_8e93b3c763d72c05f5a29898eb320caf_cobalt-strike_cobaltstrike.exe C:\Windows\System\nPXrFwf.exe
PID 4212 wrote to memory of 920 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_8e93b3c763d72c05f5a29898eb320caf_cobalt-strike_cobaltstrike.exe C:\Windows\System\nPXrFwf.exe
PID 4212 wrote to memory of 632 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_8e93b3c763d72c05f5a29898eb320caf_cobalt-strike_cobaltstrike.exe C:\Windows\System\AieeDwP.exe
PID 4212 wrote to memory of 632 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_8e93b3c763d72c05f5a29898eb320caf_cobalt-strike_cobaltstrike.exe C:\Windows\System\AieeDwP.exe
PID 4212 wrote to memory of 1160 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_8e93b3c763d72c05f5a29898eb320caf_cobalt-strike_cobaltstrike.exe C:\Windows\System\YYBkQiX.exe
PID 4212 wrote to memory of 1160 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_8e93b3c763d72c05f5a29898eb320caf_cobalt-strike_cobaltstrike.exe C:\Windows\System\YYBkQiX.exe
PID 4212 wrote to memory of 1380 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_8e93b3c763d72c05f5a29898eb320caf_cobalt-strike_cobaltstrike.exe C:\Windows\System\ALXzNOO.exe
PID 4212 wrote to memory of 1380 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_8e93b3c763d72c05f5a29898eb320caf_cobalt-strike_cobaltstrike.exe C:\Windows\System\ALXzNOO.exe
PID 4212 wrote to memory of 3752 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_8e93b3c763d72c05f5a29898eb320caf_cobalt-strike_cobaltstrike.exe C:\Windows\System\ILDUMVm.exe
PID 4212 wrote to memory of 3752 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_8e93b3c763d72c05f5a29898eb320caf_cobalt-strike_cobaltstrike.exe C:\Windows\System\ILDUMVm.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-05-30_8e93b3c763d72c05f5a29898eb320caf_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-05-30_8e93b3c763d72c05f5a29898eb320caf_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\NUEggcG.exe

C:\Windows\System\NUEggcG.exe

C:\Windows\System\cJBilFS.exe

C:\Windows\System\cJBilFS.exe

C:\Windows\System\LrgaWEr.exe

C:\Windows\System\LrgaWEr.exe

C:\Windows\System\vUAfBUm.exe

C:\Windows\System\vUAfBUm.exe

C:\Windows\System\RdEIajN.exe

C:\Windows\System\RdEIajN.exe

C:\Windows\System\ocGOvVz.exe

C:\Windows\System\ocGOvVz.exe

C:\Windows\System\rXTGAsO.exe

C:\Windows\System\rXTGAsO.exe

C:\Windows\System\WAybSDX.exe

C:\Windows\System\WAybSDX.exe

C:\Windows\System\FZxrOOj.exe

C:\Windows\System\FZxrOOj.exe

C:\Windows\System\DJnweWR.exe

C:\Windows\System\DJnweWR.exe

C:\Windows\System\IeDhgGe.exe

C:\Windows\System\IeDhgGe.exe

C:\Windows\System\suyyMxk.exe

C:\Windows\System\suyyMxk.exe

C:\Windows\System\gWIZcEu.exe

C:\Windows\System\gWIZcEu.exe

C:\Windows\System\VWnBtqn.exe

C:\Windows\System\VWnBtqn.exe

C:\Windows\System\VRODktp.exe

C:\Windows\System\VRODktp.exe

C:\Windows\System\IajHGpD.exe

C:\Windows\System\IajHGpD.exe

C:\Windows\System\nPXrFwf.exe

C:\Windows\System\nPXrFwf.exe

C:\Windows\System\AieeDwP.exe

C:\Windows\System\AieeDwP.exe

C:\Windows\System\YYBkQiX.exe

C:\Windows\System\YYBkQiX.exe

C:\Windows\System\ALXzNOO.exe

C:\Windows\System\ALXzNOO.exe

C:\Windows\System\ILDUMVm.exe

C:\Windows\System\ILDUMVm.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 144.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 75.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 16.173.189.20.in-addr.arpa udp

Files

memory/4212-0-0x00007FF682C60000-0x00007FF682FB1000-memory.dmp

memory/4212-1-0x00000263BAB40000-0x00000263BAB50000-memory.dmp

C:\Windows\System\NUEggcG.exe

MD5 d4f691cb14211934316c101505ba9350
SHA1 95b315acd33bef02a574afb6b1c71682a25202ca
SHA256 67f2c341b4decd05048c1f944f5b9a2f66af96c3484d0fa49c5052d90c40bba8
SHA512 eb43a574b08603110a46352e3c60c508f032029435c57ff967a0b4dda6cb385ae4a192d1c11500a5ac796ec55e9daff01dab48bf96d7c3d7b4878bc494ee993b

C:\Windows\System\LrgaWEr.exe

MD5 83cd775f47cefdd557a32e5bd1996a07
SHA1 05f05d0f276c03b582bd14b61710dcc0ffebd6f6
SHA256 f151d122773213705c40814693a30296ac2024174da0e2264af4263737abe8a8
SHA512 a416fadfc4c7ed77fd0094b81056a93f40ac9e13352e5f81ac534ba19028246a60fafa7f7a258ba7f983050966dad461854f2b812eb33f338d497d6fe1a0b905

C:\Windows\System\cJBilFS.exe

MD5 0d33231261e0e338209c6f6e4f5e0b58
SHA1 64b2cb00922a28fb5c0f691fb3c5d9ea8f6973d7
SHA256 3eead18ee2c9d6c3e403d9d33fd39e6352b66085285c487f8c68af1e479ea4ce
SHA512 41b57102a2dcb5b9a7601f3104cae54e934acb75692f7d0d294290ab402f10be3f3e56e42905ae7bfc5becc2b2a9777a853c3d6131beb6a697ed7074f5fc4007

memory/3272-12-0x00007FF702A30000-0x00007FF702D81000-memory.dmp

memory/4444-6-0x00007FF6082B0000-0x00007FF608601000-memory.dmp

C:\Windows\System\vUAfBUm.exe

MD5 4f4734283db0ea2519115ab20ba09168
SHA1 5d1c9704be819a90689896caafc2f66494ffcd5e
SHA256 6a6c25ca489c6231eaf1eee79cea526688793d98559a37fa98f4377eed6e6bcd
SHA512 46df67ae8e64cf7b4e2f48282b03aebbe21e20fb87fb633f55eb17ee7d61154cab94d5b68b914e48da44340786a08fa28364e0d7ba6ed7c7c0bf2138c00fa82e

memory/3120-24-0x00007FF7861A0000-0x00007FF7864F1000-memory.dmp

memory/3160-22-0x00007FF6995C0000-0x00007FF699911000-memory.dmp

C:\Windows\System\RdEIajN.exe

MD5 4dd9d5a22e70641443591849805529e5
SHA1 3ae6304084d19368155d5ac84a914b0fa8365104
SHA256 1e7b6f4021e1256f55e518a6348ec98efff60000584b6d696c2d9ad3ed3e7abe
SHA512 66ccc19aa47c5fb25ef99842582dc7682887dbe3593aa1ed5ec8d60384d8e3d33b2f5b5079ec996b3d901f7d46db474befa17972fbbf8edeea513f42844c3ae9

C:\Windows\System\ocGOvVz.exe

MD5 d918d3e2e91210176a2903117defee61
SHA1 45b357ff13b27a150acf735d7a074b90b9093738
SHA256 6daaff8affcf99673f118a1b230f671b13e09c666f5f30525e9ce2acc164bebb
SHA512 31e8509b2e53aafc60f59549b836ab7972d5047824c81da3c8371e72691950e2d35e91c6c855ee28836ca5d292b114b2638b405014cbff037d7db8ff0f906873

C:\Windows\System\rXTGAsO.exe

MD5 96acb60dc91a9d4afd4280d7557b0c25
SHA1 37c03b2c4b469248e733c1df447993692456d4ca
SHA256 a20799f70a99f04a31fdd30544145af7dd768b47dbaaeb2890271a8c64e6181c
SHA512 faa6f90e0ecf8b7e4ec9fc0586ea2d541ee0bae29529db293f44ddcf7f21de965eb8ca5b297e53601e94f78c8ef8fcab70b273712541b298c08fe67a79dea3d3

C:\Windows\System\WAybSDX.exe

MD5 9afcdf0c2747c7fcc9a1f4787a26b9af
SHA1 d62ff08c47a23b7a5a530fbdc682f6a047b89706
SHA256 bc40917f91178a7ed9c9e5bea86dd647779733906c3feb9c56e939fe50820cf7
SHA512 b3c88bf291a47cf8b49f11a504f05ea12ef16ea069d13d3a67d45394271b4e4d630753accbf6d802f527248da397bfdd7ab24819e7998c36715098853262dc7d

memory/3392-44-0x00007FF6DA190000-0x00007FF6DA4E1000-memory.dmp

C:\Windows\System\IeDhgGe.exe

MD5 41dc2b759037cb8fb8937067e3e52edf
SHA1 b2cf24388ced06e51b0bb92eb55f8e74652054c4
SHA256 441f6674148343571b724988ff6d1dcc0102c0512a78fa76afffdf44c49fc497
SHA512 9cd9cdbcf500bc73318561faef4ede30b819379c1e6c2dbbcfd3695c671178643603a08995789dd1455fa6fd363072e0605ffd9c9523c41fd35e10926424a9ce

C:\Windows\System\DJnweWR.exe

MD5 95ca3ea02f39883326061c6bdbe62972
SHA1 50eb99e1243c8a5a071db72bc3647faf75807710
SHA256 0ffc934787adec89c621b8c5f24d89eba3bc2f0e34f4954bb7c3df4035cb1a1d
SHA512 11bd132cc43cf12a402a4a4c355ae20f000a3897c203fe4f687ac7a3c2e6c0e09f17db77174515dcbc19028824b2808dbfa697dd6c865be406dbbd16487e0740

memory/4912-61-0x00007FF64F1A0000-0x00007FF64F4F1000-memory.dmp

memory/4212-71-0x00007FF682C60000-0x00007FF682FB1000-memory.dmp

C:\Windows\System\AieeDwP.exe

MD5 bb8163f3a527f2a983c8b346080e49a2
SHA1 f476e8a6171bead5ab369b9591e2f767efd8fa22
SHA256 1f4407e91d82fa15660c6417994bb4d93a109390f56a9b8261f4ea26629ab0a8
SHA512 227a9c343d81d8f94da07acae84dfcb4058371ce527c11f40ac62668af097c8b558a69d0102d104497f628bf3ff4d7537db4bed07b7cba433878a3c2ca89b3ae

C:\Windows\System\YYBkQiX.exe

MD5 3fa77f742c7930a030c586020af9a325
SHA1 c4f5f5d75b05344180d8679e2fde312a1aeda906
SHA256 4c4cc438eb507017a2504633f3ca4e1efdca2ea2105b068b4665f67d463eb712
SHA512 3efd7898063657ba334db75c858ea83b99daf7606c0739398d8f40d7d718b358f8b00dfa7408d2893c273ff05274fcf9cd56f7d5696e525c89f17d1a1b8c6866

C:\Windows\System\ILDUMVm.exe

MD5 dc81e95be43338db7d867fe96b37da2e
SHA1 95635beb4bcb73c118974d51437017ea29070765
SHA256 93c92ab336c1184f8ac95b42de78482683f96a58d272fc49f0d7cfd31a4732b1
SHA512 e093c156f8907f6ceb202098e0eef4f9e9c2f01241c8f97b0173211529c9f7be9d25bcd78ce5e9fa614f4889501fd56bfee7f10126e0bc841d9dc6ec6d191451

C:\Windows\System\ALXzNOO.exe

MD5 bce21724d6b8db1c7993a3df64ac070c
SHA1 745fce877781b12c6fb8482bd1f100a7eb055e1c
SHA256 132f4dc4039b692919ec5328efd68b0df30697c169960ba5b3886e89fe5fd137
SHA512 82585c5d7bd0f0567919258d9778f244f5a9672b9b537c945d891e2e33b5be4ffc63622d4a51d1aed09bbcad8162effef0bc0ab0b19d404029b1e937252a0207

C:\Windows\System\nPXrFwf.exe

MD5 5b75f61e7134db7aadb0c014275a6a8d
SHA1 8352b42209a6cd917e8bb5250b89f9eb52dcf68b
SHA256 5183b781b8db2fc72addcdfd3d68f5f5f3e5e1751b99ea34ee5d09424c2a44da
SHA512 4a4df6e47cc1ef88f37d125e055f1e104dfe89e0deefd13bc8d5d8d8ff56d92dabd827fc7b48393e19bc75e206e8b4b760ecf6029512df03263ad269d23f844b

C:\Windows\System\IajHGpD.exe

MD5 e1ee2a806f2b5dc85971d2adec1c0b65
SHA1 6a7123c84dd13e26fcf1545d0b91b456de28a038
SHA256 0ce5d6a1e46618cbdeadfade690950ef604c0d2c382c058c38c277fda158c503
SHA512 92d08b56d4a7433e1201faa10a1bce3722be6ced51297ae0030319f14174be58be45a0b73a76863e4abb5761d36e8ae637c7528b796b87bf8086469eb0e51391

C:\Windows\System\VRODktp.exe

MD5 06b454ef53d4ff1c294f13f90c63a0b1
SHA1 1b6f79dd2d4ec3ddbde5812ca3d2f4eec20e44fb
SHA256 216c4d420194c5fa5f4e48953d1053a95f51cfe7fd05f26fa3d28c1d1b6eb7e7
SHA512 5591e6f542f557323f985d0cb98b98126d980439c6fc91deba6d1f920dc780b57b0f1e818436e7b4fba570717df7ae3ff6408af5c16c4b4c3e45f28a99cd7918

C:\Windows\System\VWnBtqn.exe

MD5 0494a5da4fd7c97ea98cb0f7496c4396
SHA1 96470895ce4b08ec98cbb8fbc655ffc361320fa0
SHA256 31a3c4d29797ff5b9b2b05e9bc7feaffd5a77ea92d8295f33fdf3d68377e5e7f
SHA512 187606cc4c500929e38c95c659adda2fd698fbe3574c3ccf7e31d08325f794cb7cd00cf070ae5a7c7f69ccfd38ecc431d3a0a09af7cc479805f744b52df2c919

C:\Windows\System\gWIZcEu.exe

MD5 dca1257f3044cc24c1fdd169871817b2
SHA1 4b90d00360e5afef73fd38b00d0b8c8f7d9bc5f4
SHA256 cc27d1ac743ff0c4288e32c59b1c4cd4609da7cf9184d16e03af72b3b8d4e26b
SHA512 63e8c92e0b037ffeb08da1f00a9f051546ff2263a19f8ee2e169784eeb11af5f384c08a79945a30c5e12cfb5fc125c90832437dede6aeb13a24a8abe560547c2

C:\Windows\System\suyyMxk.exe

MD5 102e816119697ea8944e7b319140ff82
SHA1 12e0a230f72f0d5e0aa11e990beb186722accb5c
SHA256 45c876a576a54dc49c5c481e88e07d402e456cde09f74bb5ef0fdad087d04ce1
SHA512 f18b7a08f3115227b3b2bf07f8592b266cc28bcdda076ec0bce8565d47da7f23b735f09899ab0ab088ae71f48f47ec465889293af3f13e9151df64ebf1297148

memory/4592-72-0x00007FF647C50000-0x00007FF647FA1000-memory.dmp

memory/4992-70-0x00007FF765EF0000-0x00007FF766241000-memory.dmp

memory/940-68-0x00007FF6653B0000-0x00007FF665701000-memory.dmp

C:\Windows\System\FZxrOOj.exe

MD5 6d6914f89b25bb1043ffc2e25765752a
SHA1 5d2ab660b9669a220961b9a43f8c8cfa054b9147
SHA256 21cca2287efbeefdb95728366f2b287df5bbe4450829549e14435748f1006149
SHA512 4fd3a38364cb4eb8154b3ecb728c68972476de6a224513d199915b93eef9fcd647d44e2f0b1407d20270611ae44bdcb39c62fc4e6f98692cae6e20f2d2823406

memory/4752-62-0x00007FF7FEC30000-0x00007FF7FEF81000-memory.dmp

memory/1880-37-0x00007FF612580000-0x00007FF6128D1000-memory.dmp

memory/4788-33-0x00007FF6BBB30000-0x00007FF6BBE81000-memory.dmp

memory/4212-119-0x00007FF682C60000-0x00007FF682FB1000-memory.dmp

memory/4444-125-0x00007FF6082B0000-0x00007FF608601000-memory.dmp

memory/4788-124-0x00007FF6BBB30000-0x00007FF6BBE81000-memory.dmp

memory/3636-128-0x00007FF6D8130000-0x00007FF6D8481000-memory.dmp

memory/1568-129-0x00007FF769930000-0x00007FF769C81000-memory.dmp

memory/632-132-0x00007FF704A00000-0x00007FF704D51000-memory.dmp

memory/1380-134-0x00007FF64DF50000-0x00007FF64E2A1000-memory.dmp

memory/3752-135-0x00007FF609E60000-0x00007FF60A1B1000-memory.dmp

memory/1160-133-0x00007FF7BB090000-0x00007FF7BB3E1000-memory.dmp

memory/920-131-0x00007FF76DC20000-0x00007FF76DF71000-memory.dmp

memory/4864-130-0x00007FF7C0D10000-0x00007FF7C1061000-memory.dmp

memory/2552-127-0x00007FF6854A0000-0x00007FF6857F1000-memory.dmp

memory/3120-123-0x00007FF7861A0000-0x00007FF7864F1000-memory.dmp

memory/3272-121-0x00007FF702A30000-0x00007FF702D81000-memory.dmp

memory/4592-142-0x00007FF647C50000-0x00007FF647FA1000-memory.dmp

memory/940-141-0x00007FF6653B0000-0x00007FF665701000-memory.dmp

memory/4752-139-0x00007FF7FEC30000-0x00007FF7FEF81000-memory.dmp

memory/3392-137-0x00007FF6DA190000-0x00007FF6DA4E1000-memory.dmp

memory/1880-136-0x00007FF612580000-0x00007FF6128D1000-memory.dmp

memory/4212-152-0x00007FF682C60000-0x00007FF682FB1000-memory.dmp

memory/4444-201-0x00007FF6082B0000-0x00007FF608601000-memory.dmp

memory/3272-203-0x00007FF702A30000-0x00007FF702D81000-memory.dmp

memory/3160-205-0x00007FF6995C0000-0x00007FF699911000-memory.dmp

memory/3120-207-0x00007FF7861A0000-0x00007FF7864F1000-memory.dmp

memory/4788-210-0x00007FF6BBB30000-0x00007FF6BBE81000-memory.dmp

memory/3392-212-0x00007FF6DA190000-0x00007FF6DA4E1000-memory.dmp

memory/1880-214-0x00007FF612580000-0x00007FF6128D1000-memory.dmp

memory/4912-216-0x00007FF64F1A0000-0x00007FF64F4F1000-memory.dmp

memory/4992-218-0x00007FF765EF0000-0x00007FF766241000-memory.dmp

memory/4752-220-0x00007FF7FEC30000-0x00007FF7FEF81000-memory.dmp

memory/4592-222-0x00007FF647C50000-0x00007FF647FA1000-memory.dmp

memory/2552-224-0x00007FF6854A0000-0x00007FF6857F1000-memory.dmp

memory/3636-226-0x00007FF6D8130000-0x00007FF6D8481000-memory.dmp

memory/1568-228-0x00007FF769930000-0x00007FF769C81000-memory.dmp

memory/4864-237-0x00007FF7C0D10000-0x00007FF7C1061000-memory.dmp

memory/632-240-0x00007FF704A00000-0x00007FF704D51000-memory.dmp

memory/920-241-0x00007FF76DC20000-0x00007FF76DF71000-memory.dmp

memory/1160-245-0x00007FF7BB090000-0x00007FF7BB3E1000-memory.dmp

memory/3752-247-0x00007FF609E60000-0x00007FF60A1B1000-memory.dmp

memory/1380-244-0x00007FF64DF50000-0x00007FF64E2A1000-memory.dmp

memory/940-250-0x00007FF6653B0000-0x00007FF665701000-memory.dmp