Malware Analysis Report

2025-03-15 08:09

Sample ID 240530-ety5zafb29
Target 2024-05-30_ab5d892bcf671c3a35d9a1871442879a_cobalt-strike_cobaltstrike
SHA256 1417b103cca2ab8faca64d0c08e2c67f1bc3e09146fd029dc1d3c835442774f6
Tags
cobaltstrike xmrig 0 backdoor miner trojan upx
score
10/10

Analysis Overview

score
10/10

SHA256

1417b103cca2ab8faca64d0c08e2c67f1bc3e09146fd029dc1d3c835442774f6

Threat Level: Known bad

The file 2024-05-30_ab5d892bcf671c3a35d9a1871442879a_cobalt-strike_cobaltstrike was found to be: Known bad.

Malicious Activity Summary

cobaltstrike xmrig 0 backdoor miner trojan upx

Cobaltstrike family

xmrig

UPX dump on OEP (original entry point)

Cobalt Strike reflective loader

Detects Reflective DLL injection artifacts

Xmrig family

Cobaltstrike

XMRig Miner payload

UPX packed file

Loads dropped DLL

Executes dropped EXE

Drops file in Windows directory

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-05-30 04:14

Signatures

Cobalt Strike reflective loader


Cobaltstrike family

cobaltstrike

Detects Reflective DLL injection artifacts


UPX dump on OEP (original entry point)


XMRig Miner payload

miner

Xmrig family

xmrig

UPX packed file

upx

Unsigned PE


Analysis: behavioral1

Detonation Overview

Submitted

2024-05-30 04:14

Reported

2024-05-30 04:17

Platform

win7-20240221-en

Max time kernel

137s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-05-30_ab5d892bcf671c3a35d9a1871442879a_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader


Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts


UPX dump on OEP (original entry point)


XMRig Miner payload

miner

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_ab5d892bcf671c3a35d9a1871442879a_cobalt-strike_cobaltstrike.exe N/A

UPX packed file

upx

Drops file in Windows directory

All 21 rows are "File created" events with Indicator and Target N/A; the creating process in every row is C:\Users\Admin\AppData\Local\Temp\2024-05-30_ab5d892bcf671c3a35d9a1871442879a_cobalt-strike_cobaltstrike.exe. Files created:

C:\Windows\System\wTOKYaj.exe
C:\Windows\System\TYnqgMJ.exe
C:\Windows\System\HHtLcGh.exe
C:\Windows\System\xIwiSgp.exe
C:\Windows\System\xQAyZnR.exe
C:\Windows\System\WBxMRAJ.exe
C:\Windows\System\MiNPZhJ.exe
C:\Windows\System\pAAxbJz.exe
C:\Windows\System\fblFQJH.exe
C:\Windows\System\xKjYzfD.exe
C:\Windows\System\eAeidMJ.exe
C:\Windows\System\EzHGzAC.exe
C:\Windows\System\LzKXzyn.exe
C:\Windows\System\TjyNNgE.exe
C:\Windows\System\hBzFtBI.exe
C:\Windows\System\eSQyTOq.exe
C:\Windows\System\wPRzUbI.exe
C:\Windows\System\BvStomb.exe
C:\Windows\System\GrkmSet.exe
C:\Windows\System\wIixmwn.exe
C:\Windows\System\bBJPwnH.exe

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_ab5d892bcf671c3a35d9a1871442879a_cobalt-strike_cobaltstrike.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_ab5d892bcf671c3a35d9a1871442879a_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Every row has the same form: the sample (PID 2100, C:\Users\Admin\AppData\Local\Temp\2024-05-30_ab5d892bcf671c3a35d9a1871442879a_cobalt-strike_cobaltstrike.exe) wrote to the memory of one of the dropped executables it launched, with three writes recorded per child and Indicator N/A. Target PID and target process:

2464 C:\Windows\System\bBJPwnH.exe
2512 C:\Windows\System\EzHGzAC.exe
2568 C:\Windows\System\xQAyZnR.exe
2496 C:\Windows\System\eSQyTOq.exe
2988 C:\Windows\System\hBzFtBI.exe
2812 C:\Windows\System\xIwiSgp.exe
2952 C:\Windows\System\LzKXzyn.exe
2428 C:\Windows\System\WBxMRAJ.exe
2444 C:\Windows\System\wPRzUbI.exe
856 C:\Windows\System\MiNPZhJ.exe
2640 C:\Windows\System\BvStomb.exe
2740 C:\Windows\System\pAAxbJz.exe
2712 C:\Windows\System\wTOKYaj.exe
996 C:\Windows\System\fblFQJH.exe
2028 C:\Windows\System\GrkmSet.exe
2256 C:\Windows\System\xKjYzfD.exe
1008 C:\Windows\System\TYnqgMJ.exe
1844 C:\Windows\System\HHtLcGh.exe
2348 C:\Windows\System\TjyNNgE.exe
1952 C:\Windows\System\wIixmwn.exe
1212 C:\Windows\System\eAeidMJ.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-05-30_ab5d892bcf671c3a35d9a1871442879a_cobalt-strike_cobaltstrike.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\2024-05-30_ab5d892bcf671c3a35d9a1871442879a_cobalt-strike_cobaltstrike.exe"

Dropped executables launched from C:\Windows\System (for each, the recorded command line is identical to the path):

C:\Windows\System\bBJPwnH.exe
C:\Windows\System\EzHGzAC.exe
C:\Windows\System\xQAyZnR.exe
C:\Windows\System\eSQyTOq.exe
C:\Windows\System\hBzFtBI.exe
C:\Windows\System\xIwiSgp.exe
C:\Windows\System\LzKXzyn.exe
C:\Windows\System\WBxMRAJ.exe
C:\Windows\System\wPRzUbI.exe
C:\Windows\System\MiNPZhJ.exe
C:\Windows\System\BvStomb.exe
C:\Windows\System\pAAxbJz.exe
C:\Windows\System\wTOKYaj.exe
C:\Windows\System\fblFQJH.exe
C:\Windows\System\GrkmSet.exe
C:\Windows\System\xKjYzfD.exe
C:\Windows\System\TYnqgMJ.exe
C:\Windows\System\HHtLcGh.exe
C:\Windows\System\TjyNNgE.exe
C:\Windows\System\wIixmwn.exe
C:\Windows\System\eAeidMJ.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 tcp

The same connection (no domain recorded) appears six times in the capture.

Files


memory/2952-136-0x000000013F910000-0x000000013FC64000-memory.dmp

memory/2444-137-0x000000013F240000-0x000000013F594000-memory.dmp

memory/2100-138-0x0000000002320000-0x0000000002674000-memory.dmp

memory/2100-140-0x000000013FDF0000-0x0000000140144000-memory.dmp

memory/2100-139-0x000000013F160000-0x000000013F4B4000-memory.dmp

memory/2464-141-0x000000013F020000-0x000000013F374000-memory.dmp

memory/2512-142-0x000000013F250000-0x000000013F5A4000-memory.dmp

memory/2568-143-0x000000013F1B0000-0x000000013F504000-memory.dmp

memory/2496-144-0x000000013F920000-0x000000013FC74000-memory.dmp

memory/2988-145-0x000000013F750000-0x000000013FAA4000-memory.dmp

memory/2812-146-0x000000013F320000-0x000000013F674000-memory.dmp

memory/2952-147-0x000000013F910000-0x000000013FC64000-memory.dmp

memory/2428-148-0x000000013F270000-0x000000013F5C4000-memory.dmp

memory/2444-149-0x000000013F240000-0x000000013F594000-memory.dmp

memory/856-150-0x000000013F5F0000-0x000000013F944000-memory.dmp

memory/2640-151-0x000000013F160000-0x000000013F4B4000-memory.dmp

memory/2740-152-0x000000013FDF0000-0x0000000140144000-memory.dmp

memory/2712-153-0x000000013F110000-0x000000013F464000-memory.dmp

memory/996-154-0x000000013F7A0000-0x000000013FAF4000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-30 04:14

Reported

2024-05-30 04:17

Platform

win10v2004-20240226-en

Max time kernel

142s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-05-30_ab5d892bcf671c3a35d9a1871442879a_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A (21 hits, no per-hit detail recorded)

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A (21 hits, no per-hit detail recorded)

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A (64 hits, no per-hit detail recorded)

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A (64 hits, no per-hit detail recorded)

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A (64 hits, no per-hit detail recorded)

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\ztFahrf.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_ab5d892bcf671c3a35d9a1871442879a_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\uORAISW.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_ab5d892bcf671c3a35d9a1871442879a_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\vwqLojG.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_ab5d892bcf671c3a35d9a1871442879a_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\SolQDZa.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_ab5d892bcf671c3a35d9a1871442879a_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\mIVwIux.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_ab5d892bcf671c3a35d9a1871442879a_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\DCwfUGa.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_ab5d892bcf671c3a35d9a1871442879a_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\kEpHNxc.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_ab5d892bcf671c3a35d9a1871442879a_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\HVCEGbE.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_ab5d892bcf671c3a35d9a1871442879a_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\hXZaJXs.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_ab5d892bcf671c3a35d9a1871442879a_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\TlXNORK.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_ab5d892bcf671c3a35d9a1871442879a_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\meCOWkx.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_ab5d892bcf671c3a35d9a1871442879a_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\gtbkbrP.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_ab5d892bcf671c3a35d9a1871442879a_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\bRXdEPS.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_ab5d892bcf671c3a35d9a1871442879a_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\aidUBbI.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_ab5d892bcf671c3a35d9a1871442879a_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\iKgcIGs.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_ab5d892bcf671c3a35d9a1871442879a_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\AJjuOvE.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_ab5d892bcf671c3a35d9a1871442879a_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\lXSiJgN.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_ab5d892bcf671c3a35d9a1871442879a_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\PkmQPrw.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_ab5d892bcf671c3a35d9a1871442879a_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\yNrdYoT.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_ab5d892bcf671c3a35d9a1871442879a_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\HJVVNno.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_ab5d892bcf671c3a35d9a1871442879a_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\DZCShYX.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_ab5d892bcf671c3a35d9a1871442879a_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_ab5d892bcf671c3a35d9a1871442879a_cobalt-strike_cobaltstrike.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_ab5d892bcf671c3a35d9a1871442879a_cobalt-strike_cobaltstrike.exe N/A

SeLockMemoryPrivilege is the privilege required to allocate large pages (VirtualAlloc with MEM_LARGE_PAGES). XMRig enables it through AdjustTokenPrivileges so that its RandomX dataset can be backed by huge pages, so this hit is consistent with the XMRig payload detection above. The report records only the request; whether it succeeded depends on the account holding the "Lock pages in memory" user right, which is not granted to any account by default.

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1384 wrote to memory of 4112 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_ab5d892bcf671c3a35d9a1871442879a_cobalt-strike_cobaltstrike.exe C:\Windows\System\vwqLojG.exe
PID 1384 wrote to memory of 4112 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_ab5d892bcf671c3a35d9a1871442879a_cobalt-strike_cobaltstrike.exe C:\Windows\System\vwqLojG.exe
PID 1384 wrote to memory of 3656 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_ab5d892bcf671c3a35d9a1871442879a_cobalt-strike_cobaltstrike.exe C:\Windows\System\HJVVNno.exe
PID 1384 wrote to memory of 3656 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_ab5d892bcf671c3a35d9a1871442879a_cobalt-strike_cobaltstrike.exe C:\Windows\System\HJVVNno.exe
PID 1384 wrote to memory of 5092 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_ab5d892bcf671c3a35d9a1871442879a_cobalt-strike_cobaltstrike.exe C:\Windows\System\iKgcIGs.exe
PID 1384 wrote to memory of 5092 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_ab5d892bcf671c3a35d9a1871442879a_cobalt-strike_cobaltstrike.exe C:\Windows\System\iKgcIGs.exe
PID 1384 wrote to memory of 772 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_ab5d892bcf671c3a35d9a1871442879a_cobalt-strike_cobaltstrike.exe C:\Windows\System\DZCShYX.exe
PID 1384 wrote to memory of 772 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_ab5d892bcf671c3a35d9a1871442879a_cobalt-strike_cobaltstrike.exe C:\Windows\System\DZCShYX.exe
PID 1384 wrote to memory of 3904 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_ab5d892bcf671c3a35d9a1871442879a_cobalt-strike_cobaltstrike.exe C:\Windows\System\hXZaJXs.exe
PID 1384 wrote to memory of 3904 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_ab5d892bcf671c3a35d9a1871442879a_cobalt-strike_cobaltstrike.exe C:\Windows\System\hXZaJXs.exe
PID 1384 wrote to memory of 4180 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_ab5d892bcf671c3a35d9a1871442879a_cobalt-strike_cobaltstrike.exe C:\Windows\System\TlXNORK.exe
PID 1384 wrote to memory of 4180 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_ab5d892bcf671c3a35d9a1871442879a_cobalt-strike_cobaltstrike.exe C:\Windows\System\TlXNORK.exe
PID 1384 wrote to memory of 3000 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_ab5d892bcf671c3a35d9a1871442879a_cobalt-strike_cobaltstrike.exe C:\Windows\System\SolQDZa.exe
PID 1384 wrote to memory of 3000 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_ab5d892bcf671c3a35d9a1871442879a_cobalt-strike_cobaltstrike.exe C:\Windows\System\SolQDZa.exe
PID 1384 wrote to memory of 1784 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_ab5d892bcf671c3a35d9a1871442879a_cobalt-strike_cobaltstrike.exe C:\Windows\System\mIVwIux.exe
PID 1384 wrote to memory of 1784 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_ab5d892bcf671c3a35d9a1871442879a_cobalt-strike_cobaltstrike.exe C:\Windows\System\mIVwIux.exe
PID 1384 wrote to memory of 1624 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_ab5d892bcf671c3a35d9a1871442879a_cobalt-strike_cobaltstrike.exe C:\Windows\System\AJjuOvE.exe
PID 1384 wrote to memory of 1624 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_ab5d892bcf671c3a35d9a1871442879a_cobalt-strike_cobaltstrike.exe C:\Windows\System\AJjuOvE.exe
PID 1384 wrote to memory of 5020 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_ab5d892bcf671c3a35d9a1871442879a_cobalt-strike_cobaltstrike.exe C:\Windows\System\DCwfUGa.exe
PID 1384 wrote to memory of 5020 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_ab5d892bcf671c3a35d9a1871442879a_cobalt-strike_cobaltstrike.exe C:\Windows\System\DCwfUGa.exe
PID 1384 wrote to memory of 4680 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_ab5d892bcf671c3a35d9a1871442879a_cobalt-strike_cobaltstrike.exe C:\Windows\System\meCOWkx.exe
PID 1384 wrote to memory of 4680 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_ab5d892bcf671c3a35d9a1871442879a_cobalt-strike_cobaltstrike.exe C:\Windows\System\meCOWkx.exe
PID 1384 wrote to memory of 3136 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_ab5d892bcf671c3a35d9a1871442879a_cobalt-strike_cobaltstrike.exe C:\Windows\System\gtbkbrP.exe
PID 1384 wrote to memory of 3136 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_ab5d892bcf671c3a35d9a1871442879a_cobalt-strike_cobaltstrike.exe C:\Windows\System\gtbkbrP.exe
PID 1384 wrote to memory of 888 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_ab5d892bcf671c3a35d9a1871442879a_cobalt-strike_cobaltstrike.exe C:\Windows\System\bRXdEPS.exe
PID 1384 wrote to memory of 888 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_ab5d892bcf671c3a35d9a1871442879a_cobalt-strike_cobaltstrike.exe C:\Windows\System\bRXdEPS.exe
PID 1384 wrote to memory of 1968 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_ab5d892bcf671c3a35d9a1871442879a_cobalt-strike_cobaltstrike.exe C:\Windows\System\lXSiJgN.exe
PID 1384 wrote to memory of 1968 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_ab5d892bcf671c3a35d9a1871442879a_cobalt-strike_cobaltstrike.exe C:\Windows\System\lXSiJgN.exe
PID 1384 wrote to memory of 1652 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_ab5d892bcf671c3a35d9a1871442879a_cobalt-strike_cobaltstrike.exe C:\Windows\System\kEpHNxc.exe
PID 1384 wrote to memory of 1652 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_ab5d892bcf671c3a35d9a1871442879a_cobalt-strike_cobaltstrike.exe C:\Windows\System\kEpHNxc.exe
PID 1384 wrote to memory of 2524 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_ab5d892bcf671c3a35d9a1871442879a_cobalt-strike_cobaltstrike.exe C:\Windows\System\HVCEGbE.exe
PID 1384 wrote to memory of 2524 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_ab5d892bcf671c3a35d9a1871442879a_cobalt-strike_cobaltstrike.exe C:\Windows\System\HVCEGbE.exe
PID 1384 wrote to memory of 112 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_ab5d892bcf671c3a35d9a1871442879a_cobalt-strike_cobaltstrike.exe C:\Windows\System\PkmQPrw.exe
PID 1384 wrote to memory of 112 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_ab5d892bcf671c3a35d9a1871442879a_cobalt-strike_cobaltstrike.exe C:\Windows\System\PkmQPrw.exe
PID 1384 wrote to memory of 3644 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_ab5d892bcf671c3a35d9a1871442879a_cobalt-strike_cobaltstrike.exe C:\Windows\System\ztFahrf.exe
PID 1384 wrote to memory of 3644 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_ab5d892bcf671c3a35d9a1871442879a_cobalt-strike_cobaltstrike.exe C:\Windows\System\ztFahrf.exe
PID 1384 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_ab5d892bcf671c3a35d9a1871442879a_cobalt-strike_cobaltstrike.exe C:\Windows\System\yNrdYoT.exe
PID 1384 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_ab5d892bcf671c3a35d9a1871442879a_cobalt-strike_cobaltstrike.exe C:\Windows\System\yNrdYoT.exe
PID 1384 wrote to memory of 4392 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_ab5d892bcf671c3a35d9a1871442879a_cobalt-strike_cobaltstrike.exe C:\Windows\System\aidUBbI.exe
PID 1384 wrote to memory of 4392 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_ab5d892bcf671c3a35d9a1871442879a_cobalt-strike_cobaltstrike.exe C:\Windows\System\aidUBbI.exe
PID 1384 wrote to memory of 1912 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_ab5d892bcf671c3a35d9a1871442879a_cobalt-strike_cobaltstrike.exe C:\Windows\System\uORAISW.exe
PID 1384 wrote to memory of 1912 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_ab5d892bcf671c3a35d9a1871442879a_cobalt-strike_cobaltstrike.exe C:\Windows\System\uORAISW.exe

Every target in this table is one of the executables that the sample (PID 1384) dropped to C:\Windows\System and then spawned (compare the Drops file table above and the Processes list below); each child appears twice, and no write into a pre-existing or unrelated process (msedge.exe included) is recorded. These hits therefore document the drop-and-execute chain itself, not injection into a third-party process.
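The drop-and-execute pattern above (write a seven-letter .exe into C:\Windows\System from a user-writable path, then launch it from the same process) is straightforward to hunt for in host telemetry. The following is an added example, not part of the sandbox report or of any vendor's ruleset: it runs two checks over a constructed list of Sysmon-style events (EventID 11 FileCreate, EventID 1 ProcessCreate) shaped after this report's behaviour, plus two benign events as noise. Field names follow Sysmon's (Image, TargetFilename, ParentProcessId); the 30-second correlation window is an assumption, not something the report states.

```python
import re
from datetime import datetime, timedelta

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\2024-05-30_ab5d892bcf671c3a35d9a1871442879a_cobalt-strike_cobaltstrike.exe"

# Constructed Sysmon-style events (not sandbox output), modelled on the
# drop-and-spawn chain in the tables above; the last two are benign noise.
EVENTS = [
    {"EventID": 11, "UtcTime": "2024-05-30 04:14:10.100", "ProcessId": 1384,
     "Image": SAMPLE, "TargetFilename": r"C:\Windows\System\vwqLojG.exe"},
    {"EventID": 1, "UtcTime": "2024-05-30 04:14:10.400", "ProcessId": 4112,
     "Image": r"C:\Windows\System\vwqLojG.exe",
     "ParentProcessId": 1384, "ParentImage": SAMPLE},
    {"EventID": 11, "UtcTime": "2024-05-30 04:14:11.000", "ProcessId": 1384,
     "Image": SAMPLE, "TargetFilename": r"C:\Windows\System\HJVVNno.exe"},
    {"EventID": 1, "UtcTime": "2024-05-30 04:14:11.300", "ProcessId": 3656,
     "Image": r"C:\Windows\System\HJVVNno.exe",
     "ParentProcessId": 1384, "ParentImage": SAMPLE},
    # Benign: a seven-letter name in the same directory, but the writer is a
    # servicing binary under C:\Windows, not a process from a user-writable path.
    {"EventID": 11, "UtcTime": "2024-05-30 04:14:12.000", "ProcessId": 700,
     "Image": r"C:\Windows\servicing\TrustedInstaller.exe",
     "TargetFilename": r"C:\Windows\System\setupui.exe"},
    {"EventID": 1, "UtcTime": "2024-05-30 04:14:12.500", "ProcessId": 5000,
     "Image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "ParentProcessId": 3200, "ParentImage": r"C:\Windows\explorer.exe"},
]

# Seven alphabetic characters directly under the Windows System directory,
# which is the naming scheme every dropped file in this report follows.
GENERATED_EXE_RE = re.compile(r"^[a-z]:\\windows\\system\\[a-z]{7}\.exe$", re.IGNORECASE)
USER_PATH_RE = re.compile(r"^[a-z]:\\users\\", re.IGNORECASE)


def _t(ev):
    return datetime.strptime(ev["UtcTime"], "%Y-%m-%d %H:%M:%S.%f")


def suspicious_drops(events):
    """EID 11 writes of a generated-name EXE into the Windows System directory
    by a process that itself runs from a user-writable location."""
    return [ev["TargetFilename"] for ev in events
            if ev["EventID"] == 11
            and GENERATED_EXE_RE.match(ev["TargetFilename"])
            and USER_PATH_RE.match(ev["Image"])]


def drop_and_execute_chains(events, window=timedelta(seconds=30)):
    """Pair each suspicious drop with an EID 1 launch of that same file whose
    parent is the writer process, within `window`; one alert per chain."""
    pending = {}  # lowercased path -> (writer pid, writer image, write time)
    alerts = []
    for ev in sorted(events, key=_t):
        if ev["EventID"] == 11 and suspicious_drops([ev]):
            pending[ev["TargetFilename"].lower()] = (ev["ProcessId"], ev["Image"], _t(ev))
        elif ev["EventID"] == 1:
            hit = pending.get(ev["Image"].lower())
            if hit and ev["ParentProcessId"] == hit[0] and _t(ev) - hit[2] <= window:
                alerts.append({
                    "dropper": hit[1], "dropper_pid": hit[0],
                    "child": ev["Image"], "child_pid": ev["ProcessId"],
                    "delay_s": (_t(ev) - hit[2]).total_seconds(),
                })
    return alerts


if __name__ == "__main__":
    for path in suspicious_drops(EVENTS):
        print("suspicious drop:", path)
    for alert in drop_and_execute_chains(EVENTS):
        print("drop-and-execute:", alert["dropper_pid"], "->", alert["child"],
              "pid", alert["child_pid"], f"after {alert['delay_s']:.1f}s")
```

The first check is the cheap one to deploy as a standing rule; the second is what turns twenty-one separate file writes and process launches into a single alert keyed on the dropper PID, which is the unit an incident responder actually wants to pivot on.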

Processes

C:\Users\Admin\AppData\Local\Temp\2024-05-30_ab5d892bcf671c3a35d9a1871442879a_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-05-30_ab5d892bcf671c3a35d9a1871442879a_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\vwqLojG.exe

C:\Windows\System\vwqLojG.exe

C:\Windows\System\HJVVNno.exe

C:\Windows\System\HJVVNno.exe

C:\Windows\System\iKgcIGs.exe

C:\Windows\System\iKgcIGs.exe

C:\Windows\System\DZCShYX.exe

C:\Windows\System\DZCShYX.exe

C:\Windows\System\hXZaJXs.exe

C:\Windows\System\hXZaJXs.exe

C:\Windows\System\TlXNORK.exe

C:\Windows\System\TlXNORK.exe

C:\Windows\System\SolQDZa.exe

C:\Windows\System\SolQDZa.exe

C:\Windows\System\mIVwIux.exe

C:\Windows\System\mIVwIux.exe

C:\Windows\System\AJjuOvE.exe

C:\Windows\System\AJjuOvE.exe

C:\Windows\System\DCwfUGa.exe

C:\Windows\System\DCwfUGa.exe

C:\Windows\System\meCOWkx.exe

C:\Windows\System\meCOWkx.exe

C:\Windows\System\gtbkbrP.exe

C:\Windows\System\gtbkbrP.exe

C:\Windows\System\bRXdEPS.exe

C:\Windows\System\bRXdEPS.exe

C:\Windows\System\lXSiJgN.exe

C:\Windows\System\lXSiJgN.exe

C:\Windows\System\kEpHNxc.exe

C:\Windows\System\kEpHNxc.exe

C:\Windows\System\HVCEGbE.exe

C:\Windows\System\HVCEGbE.exe

C:\Windows\System\PkmQPrw.exe

C:\Windows\System\PkmQPrw.exe

C:\Windows\System\ztFahrf.exe

C:\Windows\System\ztFahrf.exe

C:\Windows\System\yNrdYoT.exe

C:\Windows\System\yNrdYoT.exe

C:\Windows\System\aidUBbI.exe

C:\Windows\System\aidUBbI.exe

C:\Windows\System\uORAISW.exe

C:\Windows\System\uORAISW.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3808 --field-trial-handle=2280,i,716736634476467098,11449718822158202904,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
DE 3.120.209.58:8080 - tcp
US 8.8.8.8:53 20.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
DE 3.120.209.58:8080 - tcp
DE 3.120.209.58:8080 - tcp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
DE 3.120.209.58:8080 - tcp
DE 3.120.209.58:8080 - tcp
US 8.8.8.8:53 28.173.189.20.in-addr.arpa udp

The 8.8.8.8:53 rows are reverse (PTR) lookups; read back to addresses they are 52.185.211.133, 20.190.160.20, 192.229.221.95 and so on, none of them 3.120.209.58. The five TCP connections to 3.120.209.58:8080 are the only non-resolver traffic recorded. The report does not attribute them to a process or show any payload, so treat the endpoint as an indicator to corroborate (for example against the beacon configuration in the dumped memory regions) rather than as confirmed C2.

Files

memory/1384-0-0x00007FF6D3220000-0x00007FF6D3574000-memory.dmp

memory/1384-1-0x000001D37B470000-0x000001D37B480000-memory.dmp

C:\Windows\System\vwqLojG.exe

MD5 e2e3805a0ebcce9327d41d214b4a3739
SHA1 a7da1771954e4761f931ffd2d91fcfacf20ff6e5
SHA256 221c0f4749052c9ac6741959e10ce29d27829bd5b694dff66775be4b86178943
SHA512 caa542973d0f05381d241618cfc25b493830f96e07d84f2858cc283756756e56acdbe57437036715c2b74657f18d956f00706554ab3d5b38197dc1e5e5e80733

memory/4112-8-0x00007FF6EFAF0000-0x00007FF6EFE44000-memory.dmp

C:\Windows\System\HJVVNno.exe

MD5 301584823e2e362c49b3254cb236d083
SHA1 898394b02b02d62b515d88ad9807dd3b546f1553
SHA256 205af3e7b58229f5e4c014c699bc8a2082c7ae4a9b1a51302379f32092306be8
SHA512 1b9fd0759b6a8395f8de21f535ab7d71860d0b51d1107b72319242317509c0d5de9960404faec8512030b0d07691d9c06ed5b4d2aa1948c4dfd04e56587cd2ae

memory/3656-14-0x00007FF6AD990000-0x00007FF6ADCE4000-memory.dmp

C:\Windows\System\iKgcIGs.exe

MD5 1ddff0db308023b987c42839aeb64315
SHA1 06d9f4eb84e2fd0e9217e89826b262de5b5629d1
SHA256 d1aeaa686f359e804fca493f7bb25285efecdf14f028a8592b2e9e3f2b4a00bf
SHA512 e34ddc210643a8774387dfaed05d57d73099f47ab18c8d1e0ca37a2cc05a6b73346d6fb99f52280a09f0b1cf2db84febe79e13a851c803e935f3346a6031278a

C:\Windows\System\DZCShYX.exe

MD5 426b2d75c0c44ec77799ec6cfed3e688
SHA1 6dbdad9f40034737d741b9ab591261ec7607f057
SHA256 8802835d0d1d584542ecde95f408ca42748bacebe42e2841843684db57a7cf01
SHA512 54e39f44d22781751f4d3ba9e80463916cc297c41340ad31834d11d2f1ef5c56d005406451ff9eb46915301646c9b751f31dd100a08bedc06426a2df59e0d54f

memory/772-24-0x00007FF74A570000-0x00007FF74A8C4000-memory.dmp

memory/5092-23-0x00007FF6AB650000-0x00007FF6AB9A4000-memory.dmp

C:\Windows\System\hXZaJXs.exe

MD5 fd4a7e0e7042f6a7e8f8fe01510eade5
SHA1 67002f0c531b556cf203993d9ba0d13454c1fe19
SHA256 e47af8d9d5aea6f5c84eb42b10096655604f537628c3b0afae34725542fd50fd
SHA512 706105e64a7b86508a0576f4610c415bc09cc95a37e3844e84c3efe54cce8444fc9db4769d4ff1b83cf0d35d290b6547c019ed7f90f06bdc9aedcef0db05bb21

memory/3904-32-0x00007FF6116D0000-0x00007FF611A24000-memory.dmp

C:\Windows\System\TlXNORK.exe

MD5 643fd0165f579bb77762cf3a26c8089b
SHA1 4e9ff269a8561ff66faa3f13d33a5852bc179b9e
SHA256 41af9795cda00faaf30e06316a3c13b31cd8f870f95f357ff38579f7b0a70104
SHA512 b21590530acc0fa89f2ee927f41bcae89926dc32551e017a941392524a824e5bff5ee5da0c5bca0a9d8c83838d93ac6a278347c479b79ac0ac573ede52f5a7cb

memory/4180-36-0x00007FF70C980000-0x00007FF70CCD4000-memory.dmp

C:\Windows\System\SolQDZa.exe

MD5 f62444c2b854fd496af81f72295fbcd8
SHA1 d3dfe29736866baba8b085ea3b00181083ea8b11
SHA256 caca17818d718b1158f77e67d5e82103173b734d1f85c5b7e9efa22bdc4ad8b4
SHA512 b0db8627e629c6cfe081a7aa5cdeb0e99ec48534cf10b4c332341a5fb3aa0a9a55d785657dd9759e45c728bfd9d0550c687832b283ac78a360a4bbf927506b0b

memory/3000-43-0x00007FF771590000-0x00007FF7718E4000-memory.dmp

C:\Windows\System\mIVwIux.exe

MD5 2b6ae6eae43056a5712b0918a8a6a3e2
SHA1 a9fcc9d623698e8a0cb9939dd8be8ed6b93c7a92
SHA256 4b7c830df3da0d848fa0a39e14e9f56ec7d6f4a8ac0bcf035caeaefbb577b987
SHA512 2bfc51fdce975ee031961ec042fb560ec54de44261f3923ead38b70ac5c930e8a1daaeca197644c2c6998590ff568b4945dd56cf3be0f12e68449a850d28ceec

memory/1784-49-0x00007FF6DE260000-0x00007FF6DE5B4000-memory.dmp

C:\Windows\System\AJjuOvE.exe

MD5 f8abf625102a27fb860acd431665e02b
SHA1 4b8f972c24636f4fffbf64f5d6845ec9758edaa8
SHA256 3870393b0b9011dbfbcf5318d9ca5daf005c5fb30f8e40b5c571245f3ba3cf90
SHA512 c497b1487cfa00718ca0709dba49fdaaaf0edbbfb3031906ab15189fcc2642a9c8f73bc18825ae83a9a531d46c352ba8edd81170d2850f4e425d609d35863657

memory/1624-55-0x00007FF6152B0000-0x00007FF615604000-memory.dmp

memory/1384-54-0x00007FF6D3220000-0x00007FF6D3574000-memory.dmp

C:\Windows\System\DCwfUGa.exe

MD5 55a5d9e1cd8d9e79192f8ef93a3a619f
SHA1 4ef0d1b966203e60ee962a55df69d587f1481c32
SHA256 83f9fec98525681a4e8317ed989617976bd5e4d51a2da9742bd6b0359a97efc2
SHA512 9d3badb9365c3aa412de26e7f65dca7ba449466df4bdda69e191a8e1f72c6192e69396d0b08be26793fc7c6ce380bb460c04edc99f8ed079b7b095aca3997b6c

C:\Windows\System\meCOWkx.exe

MD5 023cafcbb95cdc2a5c4848ac05ce4472
SHA1 ffd5457d480c6f013dd830cc8585e50257a9a3a5
SHA256 ecaecc84ad0700a7262ff24ee973de39fe8362815d73c5c0eab888678b29a983
SHA512 ca66f05857adf2a7d4f0b6adb93fcacb8f04594f816a530090037bb1fdeee488a49811376a37a0494c3768f917e86284252544730bb0421abb25bab6f159a42c

C:\Windows\System\gtbkbrP.exe

MD5 1a6b348ea092c4ba27672cd1261ab42d
SHA1 62a4e72dc3fecbbb26258133aedc32ea4270c311
SHA256 e8c319a9a519e3737e479e1b4146c79f51d5d7d991e84c38daa794a797c41184
SHA512 51cadab0c6fbf2cdfa2af3cc7e163bd1c4a144ebd4539dd764a8d22602cae896546108da4627c9a66974a0443d80dfa79f34fe7fd80d59a89be858c887c4b75f

C:\Windows\System\bRXdEPS.exe

MD5 f1156c3ca480bc39d0228e77423df9ce
SHA1 138cc2320182b508b720a023156be3c386a0e16c
SHA256 49be241b62b9e17fabd559c16c5c8646c00d7a734b29e262b829a70eff421733
SHA512 3dad174b545c534ea0f4a8f71a3ef4b809d5edf2f981ad8300663934ae7ec3ea25d2842bcfea1d1e89f2db1d0640549bd27126d4f0c02bd6ae0c35c2ce4a73d0

C:\Windows\System\lXSiJgN.exe

MD5 bc6357d71b05e3ff2b30fe679f11dc27
SHA1 7bdb9a90ac740dfbbcd3fd3a1b688c61f7bf4d27
SHA256 359a961f74313a9c65db92192abf51631ab60a91ed85dfd41fc0550e616986b4
SHA512 6f002c336de0375172805a7247ea5f7d51ad426daaf8ab5190d555888082cdf40ce53e0e51017966be82d525a91baa156a98dcf4bc0cf9d55675ab268ac938c9

C:\Windows\System\kEpHNxc.exe

MD5 a81969cf5cd1f2e495b2b4b08a1a9f76
SHA1 401d2bc2e9f487933524b36800c96d08c05523b2
SHA256 fd427cc8a81f60c2734f1f1d1f8ec8ad53771bb7497486a748c65e98d1a87335
SHA512 5970a68053828713c911d9c1d8a51d99bad2d1c71611e7ddc13c6740af625e0697e3beb577870c75c96c18d4bb9f0b430ae58859cd550fdb41cbd2f676723363

C:\Windows\System\HVCEGbE.exe

MD5 5abd0cbc141ab670b62ec18200338a0c
SHA1 825eaff5c1036b5f49b44fac3811a6fbb28d274b
SHA256 310e6265ea75d6e01a4790c869fa5d6560874f1219dd62f823181fafbacbed5c
SHA512 7b15906866794fd759728937376aed419ba3835d77338d34bda1d8527825950569e6fd70bb64df683697550b156c4f42afd96df0129bfe1b039c75126c4b1ee8

C:\Windows\System\PkmQPrw.exe

MD5 568dc0f8e3e54b613ad4117a1bb52ac1
SHA1 eff48ee96fb4b7995acd2514e4915e08330a031d
SHA256 9280e4b10e348812d2547e94f31dea47641ede652135142fae48bebb1f36237d
SHA512 a7c9dc2079c84982882debee1c4c90155b030d81e9da652c2da88a00f578324813e0417f9af46eb59c19537d6900da79e51ce1ee0e8c737ce59576c71e71de3e

C:\Windows\System\yNrdYoT.exe

MD5 ed3802404e6898d5f1cc79aff85aaf3a
SHA1 10ac5babe3bda941700de4fcf7d7452b769aaeb3
SHA256 3e0dc4a704f8b955ffbfdc29408f57061cdc179306ec5653b19f6c5f67369f86
SHA512 5491c93879292775c73f47be84ab33d49cf974a88ee43b503841cb35d68136be541800047dafdebbf7e720cab8c9eafed378ead8e33e6593870b4bc16609a906

C:\Windows\System\aidUBbI.exe

MD5 491f1b87b8bde025744b05fd1dcf3e23
SHA1 39b4c79d9a42351ac52533f762c566a6400a489f
SHA256 497439f428cad3175f509ad080e5fa389b684f84bf9c804faca385d7f9b347cd
SHA512 6509c826e00e90a50097fbbd79f346c4ba3b3678572e1905d77d31d0ef4d512ffca0d245f26285283ec8d676332620ebd13ada8439bbfe930387042b25cd0d12

C:\Windows\System\uORAISW.exe

MD5 9199a8f1e1df42f8df011d13ee2fcf60
SHA1 d9fc249729c7fe75b29d2bced6c527090386e541
SHA256 ff7aacd314cd7daa7d3f0f347893e65e8c550b1c91926327c62d713d744c0e9c
SHA512 7882138eac53bdce55347d8ad8b3088940105d6784fb97fa0eb00e903410a8b1c06c1b20dbf1e0a173c8c100034bfd465954cc815785ebef7087a8334ec0f096

C:\Windows\System\ztFahrf.exe

MD5 01d4bd8d398209010c3b67c792fc7e20
SHA1 6f6ea2350ff103317fd31b4cac0af3aaa2ee37de
SHA256 b01f25efbb5db19ebab0784d08c0b276ef6f4e949663f1a0443833e3c7157301
SHA512 1c5ce4c960a0a2927bca347949d9a013ef800f50286624b03968a25c69fd5975f88d9e5f67f2fe2fdafedda391a6d319605309d6135a2e048410da22daa45050

memory/4112-117-0x00007FF6EFAF0000-0x00007FF6EFE44000-memory.dmp

memory/5020-118-0x00007FF6AF6F0000-0x00007FF6AFA44000-memory.dmp

memory/3136-120-0x00007FF7E3E10000-0x00007FF7E4164000-memory.dmp

memory/888-121-0x00007FF6E51F0000-0x00007FF6E5544000-memory.dmp

memory/1968-122-0x00007FF74ED90000-0x00007FF74F0E4000-memory.dmp

memory/1652-123-0x00007FF7F8AA0000-0x00007FF7F8DF4000-memory.dmp

memory/112-125-0x00007FF71BED0000-0x00007FF71C224000-memory.dmp

memory/2524-124-0x00007FF69B2F0000-0x00007FF69B644000-memory.dmp

memory/3644-126-0x00007FF7469D0000-0x00007FF746D24000-memory.dmp

memory/4392-128-0x00007FF639FA0000-0x00007FF63A2F4000-memory.dmp

memory/1912-129-0x00007FF795C00000-0x00007FF795F54000-memory.dmp

memory/2596-127-0x00007FF623E40000-0x00007FF624194000-memory.dmp

memory/4680-119-0x00007FF69EB60000-0x00007FF69EEB4000-memory.dmp

memory/3656-130-0x00007FF6AD990000-0x00007FF6ADCE4000-memory.dmp

memory/772-131-0x00007FF74A570000-0x00007FF74A8C4000-memory.dmp

memory/4180-132-0x00007FF70C980000-0x00007FF70CCD4000-memory.dmp

memory/3000-133-0x00007FF771590000-0x00007FF7718E4000-memory.dmp

memory/1784-134-0x00007FF6DE260000-0x00007FF6DE5B4000-memory.dmp

memory/4112-135-0x00007FF6EFAF0000-0x00007FF6EFE44000-memory.dmp

memory/1624-136-0x00007FF6152B0000-0x00007FF615604000-memory.dmp

memory/3656-137-0x00007FF6AD990000-0x00007FF6ADCE4000-memory.dmp

memory/5092-138-0x00007FF6AB650000-0x00007FF6AB9A4000-memory.dmp

memory/772-139-0x00007FF74A570000-0x00007FF74A8C4000-memory.dmp

memory/3904-140-0x00007FF6116D0000-0x00007FF611A24000-memory.dmp

memory/3000-141-0x00007FF771590000-0x00007FF7718E4000-memory.dmp

memory/4180-142-0x00007FF70C980000-0x00007FF70CCD4000-memory.dmp

memory/1784-143-0x00007FF6DE260000-0x00007FF6DE5B4000-memory.dmp

memory/1624-144-0x00007FF6152B0000-0x00007FF615604000-memory.dmp

memory/5020-145-0x00007FF6AF6F0000-0x00007FF6AFA44000-memory.dmp

memory/4680-146-0x00007FF69EB60000-0x00007FF69EEB4000-memory.dmp

memory/3136-147-0x00007FF7E3E10000-0x00007FF7E4164000-memory.dmp

memory/1968-149-0x00007FF74ED90000-0x00007FF74F0E4000-memory.dmp

memory/888-148-0x00007FF6E51F0000-0x00007FF6E5544000-memory.dmp

memory/2524-150-0x00007FF69B2F0000-0x00007FF69B644000-memory.dmp

memory/1652-151-0x00007FF7F8AA0000-0x00007FF7F8DF4000-memory.dmp

memory/112-152-0x00007FF71BED0000-0x00007FF71C224000-memory.dmp

memory/3644-153-0x00007FF7469D0000-0x00007FF746D24000-memory.dmp

memory/2596-154-0x00007FF623E40000-0x00007FF624194000-memory.dmp

memory/1912-155-0x00007FF795C00000-0x00007FF795F54000-memory.dmp

memory/4392-156-0x00007FF639FA0000-0x00007FF63A2F4000-memory.dmp
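Reports in this format are easier to act on once the Files, memory-dump and Network listings are turned into a structured indicator set. The script below is an added example, not part of the sandbox report: it parses an excerpt of the behavioral2 listings above (values copied from this report, trimmed to a few entries and labelled as such), extracts dropped-file hashes, computes the size of each dumped region, separates resolver traffic from the TCP/8080 peer, and converts the PTR names back to the addresses that were looked up. The regular expressions are written for this page's layout and are an assumption about how other reports of the same kind are laid out.

```python
import re
from collections import defaultdict

# Excerpt of the behavioral2 "Files" and "Network" listings above (values copied
# from this report; only a handful of entries are kept so the example stays short).
REPORT_EXCERPT = r"""
memory/1384-0-0x00007FF6D3220000-0x00007FF6D3574000-memory.dmp

memory/1384-1-0x000001D37B470000-0x000001D37B480000-memory.dmp

C:\Windows\System\vwqLojG.exe

MD5 e2e3805a0ebcce9327d41d214b4a3739
SHA1 a7da1771954e4761f931ffd2d91fcfacf20ff6e5
SHA256 221c0f4749052c9ac6741959e10ce29d27829bd5b694dff66775be4b86178943

memory/4112-8-0x00007FF6EFAF0000-0x00007FF6EFE44000-memory.dmp

C:\Windows\System\HJVVNno.exe

MD5 301584823e2e362c49b3254cb236d083
SHA1 898394b02b02d62b515d88ad9807dd3b546f1553
SHA256 205af3e7b58229f5e4c014c699bc8a2082c7ae4a9b1a51302379f32092306be8

memory/3656-14-0x00007FF6AD990000-0x00007FF6ADCE4000-memory.dmp

Country Destination Domain Proto
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
DE 3.120.209.58:8080 - tcp
US 8.8.8.8:53 20.160.190.20.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
"""

MEM_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
PATH_RE = re.compile(r"^(?:[A-Za-z]:)?\\.+\.exe$", re.IGNORECASE)   # with or without drive letter
HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512) ([0-9a-f]+)$")
NET_RE = re.compile(r"^([A-Z]{2}) (\S+:\d+) (?:(\S+) )?(tcp|udp)$")  # domain column may be empty or "-"
GENERATED_EXE_RE = re.compile(r"^(?:[A-Za-z]:)?\\Windows\\System\\[A-Za-z]{7}\.exe$", re.IGNORECASE)


def parse_report(text):
    """Walk the listing line by line: a path line opens a file record, hash lines
    attach to the most recent file, memory and network rows stand on their own."""
    files, regions, network = [], [], []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = MEM_RE.match(line)
        if m:
            start, end = int(m[3], 16), int(m[4], 16)
            regions.append({"pid": int(m[1]), "index": int(m[2]),
                            "start": start, "end": end, "size": end - start})
            continue
        if PATH_RE.match(line):
            current = {"path": line}
            files.append(current)
            continue
        m = HASH_RE.match(line)
        if m and current is not None:
            current[m[1].lower()] = m[2]
            continue
        m = NET_RE.match(line)
        if m:
            domain = m[3] if m[3] not in (None, "-") else None
            network.append({"country": m[1], "dest": m[2], "domain": domain, "proto": m[4]})
    return {"files": files, "regions": regions, "network": network}


def region_sizes(regions):
    """Map each distinct dumped-region size to the PIDs it was seen in; identical
    sizes across every child are the quickest hint that they share one payload."""
    by_size = defaultdict(set)
    for r in regions:
        by_size[r["size"]].add(r["pid"])
    return dict(by_size)


def dropped_names_look_generated(files):
    return all(GENERATED_EXE_RE.match(f["path"]) for f in files)


def sha256_iocs(files):
    return sorted(f["sha256"] for f in files if "sha256" in f)


def non_dns_endpoints(network):
    """Everything that is not UDP/53 resolver traffic."""
    return sorted({n["dest"] for n in network
                   if not (n["proto"] == "udp" and n["dest"].endswith(":53"))})


def ptr_name_to_ip(name):
    """'133.211.185.52.in-addr.arpa' -> '52.185.211.133' (octets are stored reversed)."""
    octets = name[: -len(".in-addr.arpa")].split(".")
    return ".".join(reversed(octets))


def ptr_lookups(network):
    return [ptr_name_to_ip(n["domain"]) for n in network
            if n["domain"] and n["domain"].endswith(".in-addr.arpa")]


if __name__ == "__main__":
    report = parse_report(REPORT_EXCERPT)
    print("dropped files:", [f["path"] for f in report["files"]])
    print("SHA256 IOCs:", sha256_iocs(report["files"]))
    print("region sizes:", {hex(s): sorted(p) for s, p in region_sizes(report["regions"]).items()})
    print("non-DNS endpoints:", non_dns_endpoints(report["network"]))
    print("addresses looked up via PTR:", ptr_lookups(report["network"]))
```

Run against the full listing, every dumped image region in both detonations comes out at 0x354000 bytes (the small 0x10000 region in PID 1384 is the exception), the twenty-one dropped names all match the seven-letter pattern, and the only non-resolver destination is 3.120.209.58:8080; those three observations are the ones worth carrying into a hunt.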