Malware Analysis Report

2025-03-15 08:12

Sample ID 240530-byhf8shf9s
Target 2024-05-30_7c2748b0130087dde7064e58e13982c5_cobalt-strike_cobaltstrike
SHA256 5930998834b47e856ae98fdc501caccb5a2bf73d17100f5080819b140f858187
Tags
upx 0 miner cobaltstrike xmrig backdoor trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

5930998834b47e856ae98fdc501caccb5a2bf73d17100f5080819b140f858187

Threat Level: Known bad

The file 2024-05-30_7c2748b0130087dde7064e58e13982c5_cobalt-strike_cobaltstrike was found to be: Known bad.

Malicious Activity Summary

upx 0 miner cobaltstrike xmrig backdoor trojan

Detects Reflective DLL injection artifacts

Xmrig family

Cobaltstrike family

UPX dump on OEP (original entry point)

Cobalt Strike reflective loader

XMRig Miner payload

xmrig

Cobaltstrike

Loads dropped DLL

UPX packed file

Executes dropped EXE

Drops file in Windows directory

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-05-30 01:33

Signatures

Cobalt Strike reflective loader

1 hit; no description, indicator, process or target recorded.

Cobaltstrike family

cobaltstrike

Detects Reflective DLL injection artifacts

1 hit; no description, indicator, process or target recorded.

UPX dump on OEP (original entry point)

1 hit; no description, indicator, process or target recorded.

XMRig Miner payload

miner
1 hit; no description, indicator, process or target recorded.

Xmrig family

xmrig

UPX packed file

upx
1 hit; no description, indicator, process or target recorded.

Unsigned PE

2 hits; no description, indicator, process or target recorded.

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-30 01:33

Reported

2024-05-30 01:35

Platform

win7-20231129-en

Max time kernel

140s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-05-30_7c2748b0130087dde7064e58e13982c5_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

21 hits; no description, indicator, process or target recorded.

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

21 hits; no description, indicator, process or target recorded.

UPX dump on OEP (original entry point)

64 hits; no description, indicator, process or target recorded.

XMRig Miner payload

miner
41 hits; no description, indicator, process or target recorded.

Loads dropped DLL

21 hits, all attributed to C:\Users\Admin\AppData\Local\Temp\2024-05-30_7c2748b0130087dde7064e58e13982c5_cobalt-strike_cobaltstrike.exe (PID 2232); no indicator or target recorded. The count matches the 21 executables the same process drops into C:\Windows\System\ below.

UPX packed file

upx
64 hits; no description, indicator, process or target recorded.

Drops file in Windows directory

Description Indicator Process Target

File created, 21 times, by C:\Users\Admin\AppData\Local\Temp\2024-05-30_7c2748b0130087dde7064e58e13982c5_cobalt-strike_cobaltstrike.exe (no indicator or target recorded):

C:\Windows\System\rHdEcui.exe
C:\Windows\System\FcgosWu.exe
C:\Windows\System\ImaMiLR.exe
C:\Windows\System\VIXHUXa.exe
C:\Windows\System\oIqbNQC.exe
C:\Windows\System\NRPlBke.exe
C:\Windows\System\hYmWPPk.exe
C:\Windows\System\BWnVnks.exe
C:\Windows\System\ApsiHHR.exe
C:\Windows\System\wSaiXtM.exe
C:\Windows\System\EQiFHUQ.exe
C:\Windows\System\bssActi.exe
C:\Windows\System\sdupVxP.exe
C:\Windows\System\hZvSsjo.exe
C:\Windows\System\DbjlyFR.exe
C:\Windows\System\ZWEJiXg.exe
C:\Windows\System\GjVXyvZ.exe
C:\Windows\System\AQSqSgt.exe
C:\Windows\System\RfpBBfg.exe
C:\Windows\System\SiyCIRe.exe
C:\Windows\System\GgCvjuw.exe

All 21 files land in C:\Windows\System\ (the legacy directory beside System32, which legitimate software rarely writes to) and all carry seven-letter mixed-case names. Writing there needs elevated rights; the sandbox runs the sample as Admin.

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_7c2748b0130087dde7064e58e13982c5_cobalt-strike_cobaltstrike.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_7c2748b0130087dde7064e58e13982c5_cobalt-strike_cobaltstrike.exe N/A

SeLockMemoryPrivilege ("Lock pages in memory") is the right XMRig enables so that it can back its scratchpad with large pages. An executable running from a user's Temp directory enabling this privilege is a useful miner indicator on its own, independent of the YARA hits above.

Suspicious use of WriteProcessMemory

Description Indicator Process Target

PID 2232 (C:\Users\Admin\AppData\Local\Temp\2024-05-30_7c2748b0130087dde7064e58e13982c5_cobalt-strike_cobaltstrike.exe) wrote to the memory of every child it started, three writes per child, 63 events in all; no indicator recorded. Target processes, in the order the writes were logged:

PID 2820 C:\Windows\System\sdupVxP.exe
PID 3056 C:\Windows\System\NRPlBke.exe
PID 2204 C:\Windows\System\hYmWPPk.exe
PID 1172 C:\Windows\System\AQSqSgt.exe
PID 2664 C:\Windows\System\BWnVnks.exe
PID 2724 C:\Windows\System\ApsiHHR.exe
PID 2500 C:\Windows\System\wSaiXtM.exe
PID 2760 C:\Windows\System\rHdEcui.exe
PID 2576 C:\Windows\System\FcgosWu.exe
PID 2484 C:\Windows\System\hZvSsjo.exe
PID 2752 C:\Windows\System\DbjlyFR.exe
PID 2160 C:\Windows\System\ZWEJiXg.exe
PID 1832 C:\Windows\System\ImaMiLR.exe
PID 2532 C:\Windows\System\RfpBBfg.exe
PID 1348 C:\Windows\System\SiyCIRe.exe
PID 1892 C:\Windows\System\VIXHUXa.exe
PID 1108 C:\Windows\System\oIqbNQC.exe
PID 2908 C:\Windows\System\GjVXyvZ.exe
PID 2184 C:\Windows\System\GgCvjuw.exe
PID 2296 C:\Windows\System\EQiFHUQ.exe
PID 2960 C:\Windows\System\bssActi.exe

A fixed three writes into each child immediately after it is spawned is consistent with the cross-process writes that accompany ordinary process creation rather than with code injection into the children; the sandbox flags any write into another process. These events on their own do not show injection. The reflective-loader and injection-artifact signatures above rest on the memory dumps listed under Files, not on these writes.
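The drop-and-execute chain recorded above (21 executables written into C:\Windows\System\ by the sample and then launched from there as its children) is straightforward to alert on from endpoint telemetry. The Python below is an added example written for this page; it is not sandbox code and nothing from the sample. The event tuples are constructed and mirror the fields of Sysmon Event ID 11 (FileCreate: Image, TargetFilename) and Event ID 1 (ProcessCreate: ParentImage, Image). It only fires on the complete chain (file created under C:\Windows\System\ by a process outside C:\Windows, then that same path started as the creator's child) and treats the seven-letter naming as a triage heuristic, not as a detection.

```python
r"""Detection logic for the drop-then-execute chain in this report: a new .exe
written into C:\Windows\System\ (the legacy directory, not System32) by a
process running outside C:\Windows, then started as that process's child.

Added example for this page, not sandbox output. The event tuples are
constructed and map onto Sysmon Event ID 11 (FileCreate: Image, TargetFilename)
and Event ID 1 (ProcessCreate: ParentImage, Image)."""
import re
from collections import defaultdict

# (event, actor image, target): constructed sample telemetry, not the report's records.
EVENTS = [
    ("file_create", r"C:\Users\Admin\AppData\Local\Temp\sample.exe", r"C:\Windows\System\rHdEcui.exe"),
    ("file_create", r"C:\Users\Admin\AppData\Local\Temp\sample.exe", r"C:\Windows\System\sdupVxP.exe"),
    ("process_create", r"C:\Users\Admin\AppData\Local\Temp\sample.exe", r"C:\Windows\System\sdupVxP.exe"),
    ("process_create", r"C:\Users\Admin\AppData\Local\Temp\sample.exe", r"C:\Windows\System\rHdEcui.exe"),
    # Windows component writing under System32: outside the pattern on both counts.
    ("file_create", r"C:\Windows\System32\svchost.exe", r"C:\Windows\System32\Tasks\Update"),
    # Installer dropping into System but never executing it: recorded, not flagged.
    ("file_create", r"C:\Program Files\LegacyApp\setup.exe", r"C:\Windows\System\helper.exe"),
    # Child started from a path nobody dropped: not flagged.
    ("process_create", r"C:\Windows\explorer.exe", r"C:\Windows\System32\notepad.exe"),
]

# An executable directly inside <drive>:\Windows\System\ . The backslash that must
# follow "system" keeps System32 and SysWOW64 out of the match.
SYSTEM_DIR_EXE = re.compile(r"^[a-z]:\\windows\\system\\[^\\]+\.exe$", re.IGNORECASE)
# Naming seen in this sample: exactly seven letters, mixed case. A heuristic for
# ordering triage only, never a detection on its own.
RANDOM_NAME = re.compile(r"^[A-Za-z]{7}\.exe$")


def is_exe_in_system_dir(path: str) -> bool:
    return SYSTEM_DIR_EXE.match(path) is not None


def is_windows_image(path: str) -> bool:
    return path.lower().startswith("c:\\windows\\")


def looks_random_name(path: str) -> bool:
    return RANDOM_NAME.match(path.rsplit("\\", 1)[-1]) is not None


def find_drop_and_execute(events):
    r"""Return {dropper image: [executed dropped exe, ...]} in execution order.

    A hit needs both halves: the file created under C:\Windows\System\ by a
    non-Windows process, then the same path started as that process's child."""
    dropped = defaultdict(set)   # dropper image -> lower-cased paths it created
    hits = defaultdict(list)
    for event, actor, target in events:
        if event == "file_create" and is_exe_in_system_dir(target) and not is_windows_image(actor):
            dropped[actor].add(target.lower())
        elif event == "process_create" and target.lower() in dropped.get(actor, ()):
            hits[actor].append(target)
    return dict(hits)


def report(events):
    """Flatten hits into (dropper, dropped exe, random_name) rows for an alert."""
    return [(dropper, path, looks_random_name(path))
            for dropper, paths in find_drop_and_execute(events).items()
            for path in paths]


if __name__ == "__main__":
    for row in report(EVENTS):
        print(row)
```

Run against real Sysmon data, the file_create and process_create tuples come from Event ID 11 and Event ID 1 respectively, keyed on the creating image; the execution check deliberately requires the same actor that wrote the file, which is exactly the relationship the WriteProcessMemory rows above document for PID 2232.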

Processes

Parent, PID 2232:

C:\Users\Admin\AppData\Local\Temp\2024-05-30_7c2748b0130087dde7064e58e13982c5_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-30_7c2748b0130087dde7064e58e13982c5_cobalt-strike_cobaltstrike.exe"

Children started by PID 2232, each launched with its own path as the command line (PIDs taken from the WriteProcessMemory events above):

PID 2820 C:\Windows\System\sdupVxP.exe
PID 3056 C:\Windows\System\NRPlBke.exe
PID 2204 C:\Windows\System\hYmWPPk.exe
PID 1172 C:\Windows\System\AQSqSgt.exe
PID 2664 C:\Windows\System\BWnVnks.exe
PID 2724 C:\Windows\System\ApsiHHR.exe
PID 2500 C:\Windows\System\wSaiXtM.exe
PID 2760 C:\Windows\System\rHdEcui.exe
PID 2576 C:\Windows\System\FcgosWu.exe
PID 2484 C:\Windows\System\hZvSsjo.exe
PID 2752 C:\Windows\System\DbjlyFR.exe
PID 2160 C:\Windows\System\ZWEJiXg.exe
PID 1832 C:\Windows\System\ImaMiLR.exe
PID 2532 C:\Windows\System\RfpBBfg.exe
PID 1348 C:\Windows\System\SiyCIRe.exe
PID 1892 C:\Windows\System\VIXHUXa.exe
PID 1108 C:\Windows\System\oIqbNQC.exe
PID 2908 C:\Windows\System\GjVXyvZ.exe
PID 2184 C:\Windows\System\GgCvjuw.exe
PID 2296 C:\Windows\System\EQiFHUQ.exe
PID 2960 C:\Windows\System\bssActi.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 (none) tcp, 6 connections

All six connections go to the same IP on TCP/8080 with no domain recorded, so the beacon address is hard-coded and a DNS-based block would not catch it. Block or alert on the IP:port pair, and on outbound 8080 from executables running under a user profile.

Files

Dropped files (21), listed with their hashes as the sandbox reported them; some paths appear without the drive letter, all refer to C:\Windows\System\. All 21 hashes are distinct.

\Windows\system\sdupVxP.exe

MD5 d7bfc0051083004b9b8da662dbce3bcb
SHA1 e5073754e47cc68176b8ff69bd50bd88e28f86fc
SHA256 c4a245bcbbffc4ceb3368a81faffd8ce0998fbcf6eeeb8ee32dbfe9c096da8c9
SHA512 952d0f2c3c706960075ab61cb8b0e9b7ff8381ccd229da3ead79d07d5083dddbf7eeed42efde3baa972fff16f5541c0b6fbb4468f5d75e1ccd37f4c508e49081

\Windows\system\hYmWPPk.exe

MD5 a73580d043cc9c502b8c538d541c7f22
SHA1 3ba3bb1a07d7beb7f4a60642293dd753a1763e17
SHA256 9150682c6469ed057c29fef55406c39bf00c97f174ab37b4f576a5a1d9538371
SHA512 512e8361f0e05e9d1093fea31c752be67c73a72fb114faef49022294fe1c11691c2eb8afd87b3eb0bb91d4e9c4aa985e2c2894af58c89a844e5e9250971403e5

C:\Windows\system\AQSqSgt.exe

MD5 c1670275602ee94c88bbddaf4cf56a53
SHA1 84300ba768eff7b9b926e8ff6b960f354629bc66
SHA256 54967dc060922c5767f8be03de634e3be9941cd1ba639088f586033c8e93db18
SHA512 5621d6a5d1321126e790e3be6643b12f1a4689b3b59835917de708b381330b29abe2109fb3c4e2a847c72d06aa8a75b2ec1af64ac4980d54fcfeff09ceac2a74

\Windows\system\BWnVnks.exe

MD5 40ff4899e58e9e244d7012d946ce9439
SHA1 94d413f4f2bb91b3bd6419fcd109229d34085987
SHA256 47872b154bc8149de05e3cbd38751b0b0ab90cb1e1da4fd7549f1d61bbb751bf
SHA512 f51a62f5a462aae0c205e0fd6668262c3348b904967c3b87a4e41c326d7f401bc9c4dadb4dfc1360b2a48717846d505d630a4f07220fe331ce7cd08c55c59635

C:\Windows\system\NRPlBke.exe

MD5 443fdb036864ce0a3d5bf3065bbe29e2
SHA1 54b56efb1868d27f247b5bbc0225857a2aa3557b
SHA256 99de4c3034a690f6f345ce3a3ce3378b7ac2f8a8a8de87185ffc7baffbd6d21e
SHA512 ddc58c2420c3a3df20b404c544ce0462cc4644a02b11e240d5a4affe32f19fb1a3bfaeb3d9a363d6b06c824d5cef3176dc3607f54d5a1d928de8608d18b18e28

C:\Windows\system\rHdEcui.exe

MD5 78b5437539817c68e429dfed04907f65
SHA1 689b0ff52127e4632e994a9528ddd6792ba7974b
SHA256 f2540e5d57046962dd72e4ec64dcf75d3ea5e8e0b76361e2b6c0aaa577e0ebcd
SHA512 1c749ab692d8e45ae902d3af506d6437f39ce13fe1b5a6449a17b74a0dc3625408bff44ecf6a070ca843ad5db26b91a18fa86a53bf9282fd5d1dd24476a38035

C:\Windows\system\ZWEJiXg.exe

MD5 8b811e6cb2b89361d0dedd7fe090ef96
SHA1 75429175e05c4852bb2536aaad09ce9979f65dc0
SHA256 726d9dc2d5d98d0da2b4aeaf841123438af3d1862cecea648525786ac69afa5e
SHA512 a434958f76fb075809504e2948b785757accd076300e75c3883294c7e0cb12b639e39c5b3f38f316842af16442c83f160f1a9d27d650b4d1eff153188a788127

C:\Windows\system\GjVXyvZ.exe

MD5 375d87a80c36e73a85ebf20616d82df0
SHA1 fa195f159e592f9e421d73b3b4ff246dfa6268e1
SHA256 9c2859bdad3fcffcf93359a1ca82780d77434916bd1db143358557b75574aa63
SHA512 9966582eb0e5febc440924a5b28333c27d37275ac31f4ecd9a94ab8b7191af64f83504c7ea2dad0ca6e831e2578f2f7a3dacdabd8bc162cb78341fd9e8adb5ef

C:\Windows\system\GgCvjuw.exe

MD5 f9fb4fcaee571c0d5c97f66364485a7f
SHA1 331eb0177d0faf611e9fe86dc7e45c40a19e65df
SHA256 c19044b65eeab885ccf4bede29f18974910eba4c069c510eef55c0907199c10f
SHA512 b8b614ef057a5adf06f00d7d060aa58ef6db1ab53e0894fe6fb2799a2b87132c9fc583d00267e69bae1062ba5c7c1da525259441b24c7eae1ff19de7fdac7f8b

C:\Windows\system\EQiFHUQ.exe

MD5 5a00f15ad044f82d03e89685f5068640
SHA1 d101aeec2f3a378d813fdbbe41a5c13e2a3a7dce
SHA256 6b9867cdd819f4268a7c19337c37d2c60a9940fdca4c4a159c873ab9f14a82a3
SHA512 ca59fd61ac28a8adec3819290895a3c5bc8ee5403166289f3b5c56f62fbf06fd1c32f03f2d93e1f14c9493ac01a6a1541de69b81550339f6c404fa8cffcedb96

\Windows\system\bssActi.exe

MD5 6051c7e30428fd6082e1dbfe7dc692de
SHA1 2b9ba1bf968d7e08f66baeae496d741a8c9672df
SHA256 d0c452a7e67fe6ddf22f77b2a613e968cf7c8e7291ba1452cb8bbc0fb763ddce
SHA512 b36d890fd83d411a014c2509edd8b980c7789d057561c38ad693f690c8ab6b723b9963dc3d6eb36a67395077fcafa7e020c2db459173013e8ca29a398024be4b

C:\Windows\system\oIqbNQC.exe

MD5 1270aa1a5c6d639a6bf3a5fa29858afb
SHA1 47f5f4612a115963afe72cd23826c97910b1d047
SHA256 087ec4eda544eb6285b920a31d0c8388f237dc5976cd6846fb907edd86144517
SHA512 d36aee21179cd8a0a9597f73b038eb68a11b6f10e59eb76330ae2a83e8971f3b7b280db665cd50e5423b6e4faf8ed338a8ba7b3e69185bf41069f02f60b53ec0

C:\Windows\system\SiyCIRe.exe

MD5 23873c0308b74bc751d9b5cad5658f1b
SHA1 2a198ed3235ae2d44e1d42736f40f13cb7ea0159
SHA256 04e9d441a7b71f512ba6258ddb197808c5ff8879f67cfeeaece951263a715893
SHA512 1283a6833eb2c0292baef93aedc3a388f9680568c7ce4da144ae481e5d7fc16fe8e3ab3caacc1923776fcc37278b6b22bf2421454bc2991815b0626f85b69232

C:\Windows\system\VIXHUXa.exe

MD5 b4dd98b9bbe497454d183799b319c367
SHA1 f8174723aa430a0b91ea05019c97f49c4b1c8474
SHA256 7b531faefde09289084cd2f328f9422823383e78653aa8a45071861a642a17e7
SHA512 040bf7c5a46839f85b057b29925ad747eed720f044e08e4083edaeaa0416c5f6a095ab5742d76b0b6932b5333fff06e12fb06b1cd0b834b0b29a6910fe80d796

C:\Windows\system\RfpBBfg.exe

MD5 062acd6c0cf3f590eb8d583735d6e79a
SHA1 de03c5bb841084b38f87cd08b4f04e2f323f978f
SHA256 79ce7bbe130e1cad923bf1499a2e596239b162d8f4cdd6d0ea3b7b6736197a74
SHA512 bf1d5159ab61783f79ff1cb5a4139df7e2c8b1431b8b6c1b4f9d1a5a5b3d76d142b8aa8f5766d0ba8ef49c566f03199d26a60715a27f819f1e0b16b7aed25577

C:\Windows\system\ImaMiLR.exe

MD5 1e18d7a4e01454df2f0b3ddb0ecb2f27
SHA1 12e91714229db18701c996d11246410c16e1ad4b
SHA256 4f37c5a9dcfae7dbca92c3b2b5498f298504e8f9b8d79e67e6f7f7cc6f21bdf2
SHA512 da9143bf2e8b7161497e0bf8988c60fcaebdaae6c8dfb18fdc62406d8712373371a14156fe4eeb8ea887dd07c777b86b4758f578b990c8104d752baa8b4cec09

C:\Windows\system\DbjlyFR.exe

MD5 4632c1d4437b61c1e8c8981e097a29fb
SHA1 505ba851c6fe3e9f12bc9bc15fb8cd772e29a1fb
SHA256 48e448d4c3e37d12d2821c6baa26f07903d872755709e91d6e89ec6351bc0652
SHA512 216a533cd5c5d2656772558929bfc16d590db1e96aa5c6caede10a87990ac6cf5a57534f6c91e2f8b17f6f666964d984b9cb2a3b2559e951d0c55f4e32c2a11f

C:\Windows\system\hZvSsjo.exe

MD5 e7d5cbef7b80762c3a75b7bab4514a3e
SHA1 23844e77be8fd11ed6562110bad386343113be0b
SHA256 55068a08461c59ab21c7ee14a81d85d981a0c5187505bb2eab9bda1e6b73b7df
SHA512 24713c2b3361dca9af84c9b027ed32c09f90034c6cbb12c2712be93e326592fe0e152d05cfd8dcda2839ecafde3a318c8586f05e6262329bb8391719e68ac78d

C:\Windows\system\FcgosWu.exe

MD5 a80768d28fd05403b6346aca26bf0dae
SHA1 43cae2ba100347b15c6113f7a2fa7b4a54d674bf
SHA256 1e1cc663ba4b5260f40897116e4ba8327cd9c08aa134c013d48c01e7fc85b075
SHA512 e0f73492f8b5b0002473f993226315dd6fd7c50c6bb321c7d1eb6af31f715571376949dbeaf758629584bccb51c4f1f74351649396b1a25f23a6579f893225f5

C:\Windows\system\wSaiXtM.exe

MD5 6635d94795ca310222c104ae226b83a2
SHA1 cc3db0fcdf66a8f25840c06e35a02ad7003e5bbb
SHA256 363d37fc1a9a56b4eff7b385be9cba1f8bd75c2bd4c96be6b30dfb33e8457102
SHA512 f5bb967bc8b3780911ae4294bdaf966b7cebd186add9e99d3de034fa8c913fb051c32090b72402de0d57c8d50ebe0d83609b99c7671f7ede9e971d3819ef3ca8

C:\Windows\system\ApsiHHR.exe

MD5 4431b2598e6240948fecce7fe17c9921
SHA1 edb164ec837e1aa214d6b3fd7e74145ab21e02e1
SHA256 a2e21d90a6ae3148393d56ac1f762c3081aa4700ce6a69541b24ca3d6ba2768e
SHA512 356e71e2b9a8797734180d42bfffde1c7da2ae96fb6f3ac20ff45c377b358f8d350d64bc931afe9feaef7b8b7cd3f576a1f00915096bf4afdeece6336ba3e261

Memory dumps (30), sorted by PID and dump sequence. PID 2232 is the sample; the other 14 PIDs are dropped-executable children listed under Processes.

memory/1172-38-0x000000013FD40000-0x0000000140091000-memory.dmp
memory/1832-90-0x000000013F2D0000-0x000000013F621000-memory.dmp
memory/2160-83-0x000000013F2F0000-0x000000013F641000-memory.dmp
memory/2204-39-0x000000013FFB0000-0x0000000140301000-memory.dmp
memory/2232-0-0x000000013F850000-0x000000013FBA1000-memory.dmp
memory/2232-1-0x0000000001B20000-0x0000000001B30000-memory.dmp
memory/2232-12-0x000000013FF80000-0x00000001402D1000-memory.dmp
memory/2232-26-0x000000013FD40000-0x0000000140091000-memory.dmp
memory/2232-34-0x0000000002290000-0x00000000025E1000-memory.dmp
memory/2232-35-0x000000013FEA0000-0x00000001401F1000-memory.dmp
memory/2232-47-0x0000000002290000-0x00000000025E1000-memory.dmp
memory/2232-54-0x0000000002290000-0x00000000025E1000-memory.dmp
memory/2232-61-0x000000013F3F0000-0x000000013F741000-memory.dmp
memory/2232-68-0x0000000002290000-0x00000000025E1000-memory.dmp
memory/2232-75-0x000000013F850000-0x000000013FBA1000-memory.dmp
memory/2232-89-0x000000013F2D0000-0x000000013F621000-memory.dmp
memory/2232-97-0x0000000002290000-0x00000000025E1000-memory.dmp
memory/2232-104-0x000000013F320000-0x000000013F671000-memory.dmp
memory/2484-69-0x000000013F9F0000-0x000000013FD41000-memory.dmp
memory/2500-48-0x000000013FBA0000-0x000000013FEF1000-memory.dmp
memory/2532-98-0x000000013F590000-0x000000013F8E1000-memory.dmp
memory/2576-62-0x000000013F3F0000-0x000000013F741000-memory.dmp
memory/2664-41-0x000000013F6B0000-0x000000013FA01000-memory.dmp
memory/2664-134-0x000000013F6B0000-0x000000013FA01000-memory.dmp
memory/2724-37-0x000000013FEA0000-0x00000001401F1000-memory.dmp
memory/2752-76-0x000000013F940000-0x000000013FC91000-memory.dmp
memory/2760-55-0x000000013F6E0000-0x000000013FA31000-memory.dmp
memory/2820-20-0x000000013F680000-0x000000013F9D1000-memory.dmp
memory/2820-82-0x000000013F680000-0x000000013F9D1000-memory.dmp
memory/3056-30-0x000000013FF80000-0x00000001402D1000-memory.dmp

Every region dumped from the 14 children sits at an image-base address and is 0x351000 bytes, the same size as the sample's own image in PID 2232 (dump 2232-0). The parent also holds a 0x351000-byte buffer at 0x2290000 that was dumped five times, and five of the children's image regions (PIDs 1172, 1832, 2576, 2724 and 3056) reappear in the parent at the same base and size, which matches the 21 "Loads dropped DLL" hits. Taken with 21 distinct hashes for 21 same-sized drops, this is consistent with the sample writing out modified copies of itself and mapping them back into its own process, rather than carrying a separate embedded payload; confirm by diffing two of the dropped files against the sample.

memory/2760-136-0x000000013F6E0000-0x000000013FA31000-memory.dmp

memory/2232-135-0x0000000002290000-0x00000000025E1000-memory.dmp

memory/2232-137-0x000000013F850000-0x000000013FBA1000-memory.dmp

memory/2752-148-0x000000013F940000-0x000000013FC91000-memory.dmp

memory/2484-147-0x000000013F9F0000-0x000000013FD41000-memory.dmp

memory/2576-146-0x000000013F3F0000-0x000000013F741000-memory.dmp

memory/1832-150-0x000000013F2D0000-0x000000013F621000-memory.dmp

memory/2296-157-0x000000013FB70000-0x000000013FEC1000-memory.dmp

memory/2908-155-0x000000013F720000-0x000000013FA71000-memory.dmp

memory/1108-154-0x000000013F290000-0x000000013F5E1000-memory.dmp

memory/1348-152-0x000000013F320000-0x000000013F671000-memory.dmp

memory/2960-158-0x000000013FD50000-0x00000001400A1000-memory.dmp

memory/2184-156-0x000000013FF90000-0x00000001402E1000-memory.dmp

memory/1892-153-0x000000013FD90000-0x00000001400E1000-memory.dmp

memory/2160-149-0x000000013F2F0000-0x000000013F641000-memory.dmp

memory/2232-159-0x000000013F2F0000-0x000000013F641000-memory.dmp

memory/2232-160-0x000000013F850000-0x000000013FBA1000-memory.dmp

memory/2232-168-0x000000013F2D0000-0x000000013F621000-memory.dmp

memory/2232-183-0x000000013F320000-0x000000013F671000-memory.dmp

memory/2820-208-0x000000013F680000-0x000000013F9D1000-memory.dmp

memory/3056-209-0x000000013FF80000-0x00000001402D1000-memory.dmp

memory/2724-213-0x000000013FEA0000-0x00000001401F1000-memory.dmp

memory/1172-212-0x000000013FD40000-0x0000000140091000-memory.dmp

memory/2204-215-0x000000013FFB0000-0x0000000140301000-memory.dmp

memory/2500-217-0x000000013FBA0000-0x000000013FEF1000-memory.dmp

memory/2664-219-0x000000013F6B0000-0x000000013FA01000-memory.dmp

memory/2760-221-0x000000013F6E0000-0x000000013FA31000-memory.dmp

memory/2576-223-0x000000013F3F0000-0x000000013F741000-memory.dmp

memory/2484-233-0x000000013F9F0000-0x000000013FD41000-memory.dmp

memory/2752-240-0x000000013F940000-0x000000013FC91000-memory.dmp

memory/2160-242-0x000000013F2F0000-0x000000013F641000-memory.dmp

memory/1832-244-0x000000013F2D0000-0x000000013F621000-memory.dmp

memory/2532-246-0x000000013F590000-0x000000013F8E1000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-30 01:33

Reported

2024-05-30 01:35

Platform

win10v2004-20240508-en

Max time kernel

147s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-05-30_7c2748b0130087dde7064e58e13982c5_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\hYmWPPk.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_7c2748b0130087dde7064e58e13982c5_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\rHdEcui.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_7c2748b0130087dde7064e58e13982c5_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\VIXHUXa.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_7c2748b0130087dde7064e58e13982c5_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\oIqbNQC.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_7c2748b0130087dde7064e58e13982c5_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\EQiFHUQ.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_7c2748b0130087dde7064e58e13982c5_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\BWnVnks.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_7c2748b0130087dde7064e58e13982c5_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\wSaiXtM.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_7c2748b0130087dde7064e58e13982c5_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\FcgosWu.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_7c2748b0130087dde7064e58e13982c5_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\DbjlyFR.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_7c2748b0130087dde7064e58e13982c5_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\GjVXyvZ.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_7c2748b0130087dde7064e58e13982c5_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\SiyCIRe.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_7c2748b0130087dde7064e58e13982c5_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\NRPlBke.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_7c2748b0130087dde7064e58e13982c5_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\AQSqSgt.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_7c2748b0130087dde7064e58e13982c5_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ApsiHHR.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_7c2748b0130087dde7064e58e13982c5_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\hZvSsjo.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_7c2748b0130087dde7064e58e13982c5_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\RfpBBfg.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_7c2748b0130087dde7064e58e13982c5_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\sdupVxP.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_7c2748b0130087dde7064e58e13982c5_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ZWEJiXg.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_7c2748b0130087dde7064e58e13982c5_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ImaMiLR.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_7c2748b0130087dde7064e58e13982c5_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\GgCvjuw.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_7c2748b0130087dde7064e58e13982c5_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\bssActi.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_7c2748b0130087dde7064e58e13982c5_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_7c2748b0130087dde7064e58e13982c5_cobalt-strike_cobaltstrike.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_7c2748b0130087dde7064e58e13982c5_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3444 wrote to memory of 4636 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_7c2748b0130087dde7064e58e13982c5_cobalt-strike_cobaltstrike.exe C:\Windows\System\sdupVxP.exe
PID 3444 wrote to memory of 4636 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_7c2748b0130087dde7064e58e13982c5_cobalt-strike_cobaltstrike.exe C:\Windows\System\sdupVxP.exe
PID 3444 wrote to memory of 4080 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_7c2748b0130087dde7064e58e13982c5_cobalt-strike_cobaltstrike.exe C:\Windows\System\NRPlBke.exe
PID 3444 wrote to memory of 4080 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_7c2748b0130087dde7064e58e13982c5_cobalt-strike_cobaltstrike.exe C:\Windows\System\NRPlBke.exe
PID 3444 wrote to memory of 2880 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_7c2748b0130087dde7064e58e13982c5_cobalt-strike_cobaltstrike.exe C:\Windows\System\hYmWPPk.exe
PID 3444 wrote to memory of 2880 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_7c2748b0130087dde7064e58e13982c5_cobalt-strike_cobaltstrike.exe C:\Windows\System\hYmWPPk.exe
PID 3444 wrote to memory of 556 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_7c2748b0130087dde7064e58e13982c5_cobalt-strike_cobaltstrike.exe C:\Windows\System\AQSqSgt.exe
PID 3444 wrote to memory of 556 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_7c2748b0130087dde7064e58e13982c5_cobalt-strike_cobaltstrike.exe C:\Windows\System\AQSqSgt.exe
PID 3444 wrote to memory of 1664 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_7c2748b0130087dde7064e58e13982c5_cobalt-strike_cobaltstrike.exe C:\Windows\System\BWnVnks.exe
PID 3444 wrote to memory of 1664 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_7c2748b0130087dde7064e58e13982c5_cobalt-strike_cobaltstrike.exe C:\Windows\System\BWnVnks.exe
PID 3444 wrote to memory of 3216 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_7c2748b0130087dde7064e58e13982c5_cobalt-strike_cobaltstrike.exe C:\Windows\System\ApsiHHR.exe
PID 3444 wrote to memory of 3216 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_7c2748b0130087dde7064e58e13982c5_cobalt-strike_cobaltstrike.exe C:\Windows\System\ApsiHHR.exe
PID 3444 wrote to memory of 1048 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_7c2748b0130087dde7064e58e13982c5_cobalt-strike_cobaltstrike.exe C:\Windows\System\wSaiXtM.exe
PID 3444 wrote to memory of 1048 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_7c2748b0130087dde7064e58e13982c5_cobalt-strike_cobaltstrike.exe C:\Windows\System\wSaiXtM.exe
PID 3444 wrote to memory of 3260 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_7c2748b0130087dde7064e58e13982c5_cobalt-strike_cobaltstrike.exe C:\Windows\System\rHdEcui.exe
PID 3444 wrote to memory of 3260 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_7c2748b0130087dde7064e58e13982c5_cobalt-strike_cobaltstrike.exe C:\Windows\System\rHdEcui.exe
PID 3444 wrote to memory of 4928 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_7c2748b0130087dde7064e58e13982c5_cobalt-strike_cobaltstrike.exe C:\Windows\System\FcgosWu.exe
PID 3444 wrote to memory of 4928 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_7c2748b0130087dde7064e58e13982c5_cobalt-strike_cobaltstrike.exe C:\Windows\System\FcgosWu.exe
PID 3444 wrote to memory of 3648 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_7c2748b0130087dde7064e58e13982c5_cobalt-strike_cobaltstrike.exe C:\Windows\System\hZvSsjo.exe
PID 3444 wrote to memory of 3648 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_7c2748b0130087dde7064e58e13982c5_cobalt-strike_cobaltstrike.exe C:\Windows\System\hZvSsjo.exe
PID 3444 wrote to memory of 5020 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_7c2748b0130087dde7064e58e13982c5_cobalt-strike_cobaltstrike.exe C:\Windows\System\DbjlyFR.exe
PID 3444 wrote to memory of 5020 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_7c2748b0130087dde7064e58e13982c5_cobalt-strike_cobaltstrike.exe C:\Windows\System\DbjlyFR.exe
PID 3444 wrote to memory of 1372 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_7c2748b0130087dde7064e58e13982c5_cobalt-strike_cobaltstrike.exe C:\Windows\System\ZWEJiXg.exe
PID 3444 wrote to memory of 1372 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_7c2748b0130087dde7064e58e13982c5_cobalt-strike_cobaltstrike.exe C:\Windows\System\ZWEJiXg.exe
PID 3444 wrote to memory of 4436 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_7c2748b0130087dde7064e58e13982c5_cobalt-strike_cobaltstrike.exe C:\Windows\System\ImaMiLR.exe
PID 3444 wrote to memory of 4436 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_7c2748b0130087dde7064e58e13982c5_cobalt-strike_cobaltstrike.exe C:\Windows\System\ImaMiLR.exe
PID 3444 wrote to memory of 3608 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_7c2748b0130087dde7064e58e13982c5_cobalt-strike_cobaltstrike.exe C:\Windows\System\RfpBBfg.exe
PID 3444 wrote to memory of 3608 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_7c2748b0130087dde7064e58e13982c5_cobalt-strike_cobaltstrike.exe C:\Windows\System\RfpBBfg.exe
PID 3444 wrote to memory of 4836 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_7c2748b0130087dde7064e58e13982c5_cobalt-strike_cobaltstrike.exe C:\Windows\System\SiyCIRe.exe
PID 3444 wrote to memory of 4836 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_7c2748b0130087dde7064e58e13982c5_cobalt-strike_cobaltstrike.exe C:\Windows\System\SiyCIRe.exe
PID 3444 wrote to memory of 4592 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_7c2748b0130087dde7064e58e13982c5_cobalt-strike_cobaltstrike.exe C:\Windows\System\VIXHUXa.exe
PID 3444 wrote to memory of 4592 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_7c2748b0130087dde7064e58e13982c5_cobalt-strike_cobaltstrike.exe C:\Windows\System\VIXHUXa.exe
PID 3444 wrote to memory of 4264 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_7c2748b0130087dde7064e58e13982c5_cobalt-strike_cobaltstrike.exe C:\Windows\System\oIqbNQC.exe
PID 3444 wrote to memory of 4264 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_7c2748b0130087dde7064e58e13982c5_cobalt-strike_cobaltstrike.exe C:\Windows\System\oIqbNQC.exe
PID 3444 wrote to memory of 544 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_7c2748b0130087dde7064e58e13982c5_cobalt-strike_cobaltstrike.exe C:\Windows\System\GjVXyvZ.exe
PID 3444 wrote to memory of 544 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_7c2748b0130087dde7064e58e13982c5_cobalt-strike_cobaltstrike.exe C:\Windows\System\GjVXyvZ.exe
PID 3444 wrote to memory of 3644 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_7c2748b0130087dde7064e58e13982c5_cobalt-strike_cobaltstrike.exe C:\Windows\System\GgCvjuw.exe
PID 3444 wrote to memory of 3644 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_7c2748b0130087dde7064e58e13982c5_cobalt-strike_cobaltstrike.exe C:\Windows\System\GgCvjuw.exe
PID 3444 wrote to memory of 4384 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_7c2748b0130087dde7064e58e13982c5_cobalt-strike_cobaltstrike.exe C:\Windows\System\EQiFHUQ.exe
PID 3444 wrote to memory of 4384 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_7c2748b0130087dde7064e58e13982c5_cobalt-strike_cobaltstrike.exe C:\Windows\System\EQiFHUQ.exe
PID 3444 wrote to memory of 4576 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_7c2748b0130087dde7064e58e13982c5_cobalt-strike_cobaltstrike.exe C:\Windows\System\bssActi.exe
PID 3444 wrote to memory of 4576 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_7c2748b0130087dde7064e58e13982c5_cobalt-strike_cobaltstrike.exe C:\Windows\System\bssActi.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-05-30_7c2748b0130087dde7064e58e13982c5_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-05-30_7c2748b0130087dde7064e58e13982c5_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\sdupVxP.exe

C:\Windows\System\sdupVxP.exe

C:\Windows\System\NRPlBke.exe

C:\Windows\System\NRPlBke.exe

C:\Windows\System\hYmWPPk.exe

C:\Windows\System\hYmWPPk.exe

C:\Windows\System\AQSqSgt.exe

C:\Windows\System\AQSqSgt.exe

C:\Windows\System\BWnVnks.exe

C:\Windows\System\BWnVnks.exe

C:\Windows\System\ApsiHHR.exe

C:\Windows\System\ApsiHHR.exe

C:\Windows\System\wSaiXtM.exe

C:\Windows\System\wSaiXtM.exe

C:\Windows\System\rHdEcui.exe

C:\Windows\System\rHdEcui.exe

C:\Windows\System\FcgosWu.exe

C:\Windows\System\FcgosWu.exe

C:\Windows\System\hZvSsjo.exe

C:\Windows\System\hZvSsjo.exe

C:\Windows\System\DbjlyFR.exe

C:\Windows\System\DbjlyFR.exe

C:\Windows\System\ZWEJiXg.exe

C:\Windows\System\ZWEJiXg.exe

C:\Windows\System\ImaMiLR.exe

C:\Windows\System\ImaMiLR.exe

C:\Windows\System\RfpBBfg.exe

C:\Windows\System\RfpBBfg.exe

C:\Windows\System\SiyCIRe.exe

C:\Windows\System\SiyCIRe.exe

C:\Windows\System\VIXHUXa.exe

C:\Windows\System\VIXHUXa.exe

C:\Windows\System\oIqbNQC.exe

C:\Windows\System\oIqbNQC.exe

C:\Windows\System\GjVXyvZ.exe

C:\Windows\System\GjVXyvZ.exe

C:\Windows\System\GgCvjuw.exe

C:\Windows\System\GgCvjuw.exe

C:\Windows\System\EQiFHUQ.exe

C:\Windows\System\EQiFHUQ.exe

C:\Windows\System\bssActi.exe

C:\Windows\System\bssActi.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 105.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 73.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.194:443 www.bing.com tcp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp

Files

memory/3444-0-0x00007FF6FB800000-0x00007FF6FBB51000-memory.dmp

memory/3444-1-0x000001D715520000-0x000001D715530000-memory.dmp

C:\Windows\System\sdupVxP.exe

MD5 d7bfc0051083004b9b8da662dbce3bcb
SHA1 e5073754e47cc68176b8ff69bd50bd88e28f86fc
SHA256 c4a245bcbbffc4ceb3368a81faffd8ce0998fbcf6eeeb8ee32dbfe9c096da8c9
SHA512 952d0f2c3c706960075ab61cb8b0e9b7ff8381ccd229da3ead79d07d5083dddbf7eeed42efde3baa972fff16f5541c0b6fbb4468f5d75e1ccd37f4c508e49081

C:\Windows\System\hYmWPPk.exe

MD5 a73580d043cc9c502b8c538d541c7f22
SHA1 3ba3bb1a07d7beb7f4a60642293dd753a1763e17
SHA256 9150682c6469ed057c29fef55406c39bf00c97f174ab37b4f576a5a1d9538371
SHA512 512e8361f0e05e9d1093fea31c752be67c73a72fb114faef49022294fe1c11691c2eb8afd87b3eb0bb91d4e9c4aa985e2c2894af58c89a844e5e9250971403e5

memory/4636-6-0x00007FF619F90000-0x00007FF61A2E1000-memory.dmp

C:\Windows\System\NRPlBke.exe

MD5 443fdb036864ce0a3d5bf3065bbe29e2
SHA1 54b56efb1868d27f247b5bbc0225857a2aa3557b
SHA256 99de4c3034a690f6f345ce3a3ce3378b7ac2f8a8a8de87185ffc7baffbd6d21e
SHA512 ddc58c2420c3a3df20b404c544ce0462cc4644a02b11e240d5a4affe32f19fb1a3bfaeb3d9a363d6b06c824d5cef3176dc3607f54d5a1d928de8608d18b18e28

memory/4080-19-0x00007FF7F5E60000-0x00007FF7F61B1000-memory.dmp

C:\Windows\System\AQSqSgt.exe

MD5 c1670275602ee94c88bbddaf4cf56a53
SHA1 84300ba768eff7b9b926e8ff6b960f354629bc66
SHA256 54967dc060922c5767f8be03de634e3be9941cd1ba639088f586033c8e93db18
SHA512 5621d6a5d1321126e790e3be6643b12f1a4689b3b59835917de708b381330b29abe2109fb3c4e2a847c72d06aa8a75b2ec1af64ac4980d54fcfeff09ceac2a74

memory/1664-35-0x00007FF6027B0000-0x00007FF602B01000-memory.dmp

C:\Windows\System\ApsiHHR.exe

MD5 4431b2598e6240948fecce7fe17c9921
SHA1 edb164ec837e1aa214d6b3fd7e74145ab21e02e1
SHA256 a2e21d90a6ae3148393d56ac1f762c3081aa4700ce6a69541b24ca3d6ba2768e
SHA512 356e71e2b9a8797734180d42bfffde1c7da2ae96fb6f3ac20ff45c377b358f8d350d64bc931afe9feaef7b8b7cd3f576a1f00915096bf4afdeece6336ba3e261

memory/3216-36-0x00007FF740E40000-0x00007FF741191000-memory.dmp

memory/556-29-0x00007FF780970000-0x00007FF780CC1000-memory.dmp

memory/2880-27-0x00007FF7DBCB0000-0x00007FF7DC001000-memory.dmp

C:\Windows\System\BWnVnks.exe

MD5 40ff4899e58e9e244d7012d946ce9439
SHA1 94d413f4f2bb91b3bd6419fcd109229d34085987
SHA256 47872b154bc8149de05e3cbd38751b0b0ab90cb1e1da4fd7549f1d61bbb751bf
SHA512 f51a62f5a462aae0c205e0fd6668262c3348b904967c3b87a4e41c326d7f401bc9c4dadb4dfc1360b2a48717846d505d630a4f07220fe331ce7cd08c55c59635

C:\Windows\System\wSaiXtM.exe

MD5 6635d94795ca310222c104ae226b83a2
SHA1 cc3db0fcdf66a8f25840c06e35a02ad7003e5bbb
SHA256 363d37fc1a9a56b4eff7b385be9cba1f8bd75c2bd4c96be6b30dfb33e8457102
SHA512 f5bb967bc8b3780911ae4294bdaf966b7cebd186add9e99d3de034fa8c913fb051c32090b72402de0d57c8d50ebe0d83609b99c7671f7ede9e971d3819ef3ca8

C:\Windows\System\rHdEcui.exe

MD5 78b5437539817c68e429dfed04907f65
SHA1 689b0ff52127e4632e994a9528ddd6792ba7974b
SHA256 f2540e5d57046962dd72e4ec64dcf75d3ea5e8e0b76361e2b6c0aaa577e0ebcd
SHA512 1c749ab692d8e45ae902d3af506d6437f39ce13fe1b5a6449a17b74a0dc3625408bff44ecf6a070ca843ad5db26b91a18fa86a53bf9282fd5d1dd24476a38035

memory/1048-42-0x00007FF7A3D50000-0x00007FF7A40A1000-memory.dmp

C:\Windows\System\FcgosWu.exe

MD5 a80768d28fd05403b6346aca26bf0dae
SHA1 43cae2ba100347b15c6113f7a2fa7b4a54d674bf
SHA256 1e1cc663ba4b5260f40897116e4ba8327cd9c08aa134c013d48c01e7fc85b075
SHA512 e0f73492f8b5b0002473f993226315dd6fd7c50c6bb321c7d1eb6af31f715571376949dbeaf758629584bccb51c4f1f74351649396b1a25f23a6579f893225f5

C:\Windows\System\hZvSsjo.exe

MD5 e7d5cbef7b80762c3a75b7bab4514a3e
SHA1 23844e77be8fd11ed6562110bad386343113be0b
SHA256 55068a08461c59ab21c7ee14a81d85d981a0c5187505bb2eab9bda1e6b73b7df
SHA512 24713c2b3361dca9af84c9b027ed32c09f90034c6cbb12c2712be93e326592fe0e152d05cfd8dcda2839ecafde3a318c8586f05e6262329bb8391719e68ac78d

memory/4928-55-0x00007FF7FD4B0000-0x00007FF7FD801000-memory.dmp

memory/3260-48-0x00007FF7C8DE0000-0x00007FF7C9131000-memory.dmp

memory/3648-64-0x00007FF661520000-0x00007FF661871000-memory.dmp

memory/3444-68-0x00007FF6FB800000-0x00007FF6FBB51000-memory.dmp

C:\Windows\System\DbjlyFR.exe

MD5 4632c1d4437b61c1e8c8981e097a29fb
SHA1 505ba851c6fe3e9f12bc9bc15fb8cd772e29a1fb
SHA256 48e448d4c3e37d12d2821c6baa26f07903d872755709e91d6e89ec6351bc0652
SHA512 216a533cd5c5d2656772558929bfc16d590db1e96aa5c6caede10a87990ac6cf5a57534f6c91e2f8b17f6f666964d984b9cb2a3b2559e951d0c55f4e32c2a11f

memory/4080-76-0x00007FF7F5E60000-0x00007FF7F61B1000-memory.dmp

memory/1372-81-0x00007FF750090000-0x00007FF7503E1000-memory.dmp

memory/3608-85-0x00007FF7CA370000-0x00007FF7CA6C1000-memory.dmp

C:\Windows\System\SiyCIRe.exe

MD5 23873c0308b74bc751d9b5cad5658f1b
SHA1 2a198ed3235ae2d44e1d42736f40f13cb7ea0159
SHA256 04e9d441a7b71f512ba6258ddb197808c5ff8879f67cfeeaece951263a715893
SHA512 1283a6833eb2c0292baef93aedc3a388f9680568c7ce4da144ae481e5d7fc16fe8e3ab3caacc1923776fcc37278b6b22bf2421454bc2991815b0626f85b69232

memory/4836-95-0x00007FF63B160000-0x00007FF63B4B1000-memory.dmp

memory/556-94-0x00007FF780970000-0x00007FF780CC1000-memory.dmp

memory/4436-92-0x00007FF7FAC30000-0x00007FF7FAF81000-memory.dmp

C:\Windows\System\RfpBBfg.exe

MD5 062acd6c0cf3f590eb8d583735d6e79a
SHA1 de03c5bb841084b38f87cd08b4f04e2f323f978f
SHA256 79ce7bbe130e1cad923bf1499a2e596239b162d8f4cdd6d0ea3b7b6736197a74
SHA512 bf1d5159ab61783f79ff1cb5a4139df7e2c8b1431b8b6c1b4f9d1a5a5b3d76d142b8aa8f5766d0ba8ef49c566f03199d26a60715a27f819f1e0b16b7aed25577

memory/2880-88-0x00007FF7DBCB0000-0x00007FF7DC001000-memory.dmp

C:\Windows\System\ImaMiLR.exe

MD5 1e18d7a4e01454df2f0b3ddb0ecb2f27
SHA1 12e91714229db18701c996d11246410c16e1ad4b
SHA256 4f37c5a9dcfae7dbca92c3b2b5498f298504e8f9b8d79e67e6f7f7cc6f21bdf2
SHA512 da9143bf2e8b7161497e0bf8988c60fcaebdaae6c8dfb18fdc62406d8712373371a14156fe4eeb8ea887dd07c777b86b4758f578b990c8104d752baa8b4cec09

C:\Windows\System\ZWEJiXg.exe

MD5 8b811e6cb2b89361d0dedd7fe090ef96
SHA1 75429175e05c4852bb2536aaad09ce9979f65dc0
SHA256 726d9dc2d5d98d0da2b4aeaf841123438af3d1862cecea648525786ac69afa5e
SHA512 a434958f76fb075809504e2948b785757accd076300e75c3883294c7e0cb12b639e39c5b3f38f316842af16442c83f160f1a9d27d650b4d1eff153188a788127

memory/4636-74-0x00007FF619F90000-0x00007FF61A2E1000-memory.dmp

memory/5020-72-0x00007FF6AB060000-0x00007FF6AB3B1000-memory.dmp

C:\Windows\System\VIXHUXa.exe

MD5 b4dd98b9bbe497454d183799b319c367
SHA1 f8174723aa430a0b91ea05019c97f49c4b1c8474
SHA256 7b531faefde09289084cd2f328f9422823383e78653aa8a45071861a642a17e7
SHA512 040bf7c5a46839f85b057b29925ad747eed720f044e08e4083edaeaa0416c5f6a095ab5742d76b0b6932b5333fff06e12fb06b1cd0b834b0b29a6910fe80d796

memory/3216-107-0x00007FF740E40000-0x00007FF741191000-memory.dmp

C:\Windows\System\oIqbNQC.exe

MD5 1270aa1a5c6d639a6bf3a5fa29858afb
SHA1 47f5f4612a115963afe72cd23826c97910b1d047
SHA256 087ec4eda544eb6285b920a31d0c8388f237dc5976cd6846fb907edd86144517
SHA512 d36aee21179cd8a0a9597f73b038eb68a11b6f10e59eb76330ae2a83e8971f3b7b280db665cd50e5423b6e4faf8ed338a8ba7b3e69185bf41069f02f60b53ec0

C:\Windows\System\GgCvjuw.exe

MD5 f9fb4fcaee571c0d5c97f66364485a7f
SHA1 331eb0177d0faf611e9fe86dc7e45c40a19e65df
SHA256 c19044b65eeab885ccf4bede29f18974910eba4c069c510eef55c0907199c10f
SHA512 b8b614ef057a5adf06f00d7d060aa58ef6db1ab53e0894fe6fb2799a2b87132c9fc583d00267e69bae1062ba5c7c1da525259441b24c7eae1ff19de7fdac7f8b

C:\Windows\System\EQiFHUQ.exe

MD5 5a00f15ad044f82d03e89685f5068640
SHA1 d101aeec2f3a378d813fdbbe41a5c13e2a3a7dce
SHA256 6b9867cdd819f4268a7c19337c37d2c60a9940fdca4c4a159c873ab9f14a82a3
SHA512 ca59fd61ac28a8adec3819290895a3c5bc8ee5403166289f3b5c56f62fbf06fd1c32f03f2d93e1f14c9493ac01a6a1541de69b81550339f6c404fa8cffcedb96

memory/1048-130-0x00007FF7A3D50000-0x00007FF7A40A1000-memory.dmp

memory/544-133-0x00007FF7A89F0000-0x00007FF7A8D41000-memory.dmp

memory/3644-134-0x00007FF7F1080000-0x00007FF7F13D1000-memory.dmp

C:\Windows\System\bssActi.exe

MD5 6051c7e30428fd6082e1dbfe7dc692de
SHA1 2b9ba1bf968d7e08f66baeae496d741a8c9672df
SHA256 d0c452a7e67fe6ddf22f77b2a613e968cf7c8e7291ba1452cb8bbc0fb763ddce
SHA512 b36d890fd83d411a014c2509edd8b980c7789d057561c38ad693f690c8ab6b723b9963dc3d6eb36a67395077fcafa7e020c2db459173013e8ca29a398024be4b

memory/4384-135-0x00007FF67B200000-0x00007FF67B551000-memory.dmp

memory/4264-132-0x00007FF6BEEC0000-0x00007FF6BF211000-memory.dmp

memory/4592-131-0x00007FF67AFC0000-0x00007FF67B311000-memory.dmp

C:\Windows\System\GjVXyvZ.exe

MD5 375d87a80c36e73a85ebf20616d82df0
SHA1 fa195f159e592f9e421d73b3b4ff246dfa6268e1
SHA256 9c2859bdad3fcffcf93359a1ca82780d77434916bd1db143358557b75574aa63
SHA512 9966582eb0e5febc440924a5b28333c27d37275ac31f4ecd9a94ab8b7191af64f83504c7ea2dad0ca6e831e2578f2f7a3dacdabd8bc162cb78341fd9e8adb5ef

memory/3260-140-0x00007FF7C8DE0000-0x00007FF7C9131000-memory.dmp

memory/4928-141-0x00007FF7FD4B0000-0x00007FF7FD801000-memory.dmp

memory/4836-147-0x00007FF63B160000-0x00007FF63B4B1000-memory.dmp

memory/4576-149-0x00007FF729990000-0x00007FF729CE1000-memory.dmp

memory/3608-146-0x00007FF7CA370000-0x00007FF7CA6C1000-memory.dmp

memory/1372-144-0x00007FF750090000-0x00007FF7503E1000-memory.dmp

memory/5020-143-0x00007FF6AB060000-0x00007FF6AB3B1000-memory.dmp

memory/4436-145-0x00007FF7FAC30000-0x00007FF7FAF81000-memory.dmp

memory/3444-150-0x00007FF6FB800000-0x00007FF6FBB51000-memory.dmp

memory/3444-172-0x00007FF6FB800000-0x00007FF6FBB51000-memory.dmp

memory/4636-201-0x00007FF619F90000-0x00007FF61A2E1000-memory.dmp

memory/4080-203-0x00007FF7F5E60000-0x00007FF7F61B1000-memory.dmp

memory/2880-205-0x00007FF7DBCB0000-0x00007FF7DC001000-memory.dmp

memory/1664-208-0x00007FF6027B0000-0x00007FF602B01000-memory.dmp

memory/556-209-0x00007FF780970000-0x00007FF780CC1000-memory.dmp

memory/3216-211-0x00007FF740E40000-0x00007FF741191000-memory.dmp

memory/1048-228-0x00007FF7A3D50000-0x00007FF7A40A1000-memory.dmp

memory/3260-230-0x00007FF7C8DE0000-0x00007FF7C9131000-memory.dmp

memory/4928-232-0x00007FF7FD4B0000-0x00007FF7FD801000-memory.dmp

memory/3648-234-0x00007FF661520000-0x00007FF661871000-memory.dmp

memory/5020-236-0x00007FF6AB060000-0x00007FF6AB3B1000-memory.dmp

memory/1372-238-0x00007FF750090000-0x00007FF7503E1000-memory.dmp

memory/4436-241-0x00007FF7FAC30000-0x00007FF7FAF81000-memory.dmp

memory/3608-243-0x00007FF7CA370000-0x00007FF7CA6C1000-memory.dmp

memory/4836-244-0x00007FF63B160000-0x00007FF63B4B1000-memory.dmp

memory/4592-247-0x00007FF67AFC0000-0x00007FF67B311000-memory.dmp

memory/544-249-0x00007FF7A89F0000-0x00007FF7A8D41000-memory.dmp

memory/4264-252-0x00007FF6BEEC0000-0x00007FF6BF211000-memory.dmp

memory/3644-255-0x00007FF7F1080000-0x00007FF7F13D1000-memory.dmp

memory/4384-253-0x00007FF67B200000-0x00007FF67B551000-memory.dmp

memory/4576-257-0x00007FF729990000-0x00007FF729CE1000-memory.dmp