Malware Analysis Report

2025-03-15 08:11

Sample ID 240530-l4le7aeg42
Target 2024-05-30_5fe943997996bfe95d8c0db76ac882c2_cobalt-strike_cobaltstrike
SHA256 a2df6c7b5b32c9526e9d73f51a21103ae34280484ddec031503324feb7b04db9
Tags
cobaltstrike xmrig 0 backdoor miner trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

a2df6c7b5b32c9526e9d73f51a21103ae34280484ddec031503324feb7b04db9

Threat Level: Known bad

The file 2024-05-30_5fe943997996bfe95d8c0db76ac882c2_cobalt-strike_cobaltstrike was found to be: Known bad.

Malicious Activity Summary

cobaltstrike xmrig 0 backdoor miner trojan upx

UPX dump on OEP (original entry point)

Cobaltstrike family

XMRig Miner payload

Cobalt Strike reflective loader

xmrig

Cobaltstrike

Detects Reflective DLL injection artifacts

Xmrig family

UPX packed file

Loads dropped DLL

Executes dropped EXE

Drops file in Windows directory

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-05-30 10:05

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike family

cobaltstrike

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Xmrig family

xmrig

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-30 10:05

Reported

2024-05-30 10:07

Platform

win7-20240508-en

Max time kernel

144s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-05-30_5fe943997996bfe95d8c0db76ac882c2_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_5fe943997996bfe95d8c0db76ac882c2_cobalt-strike_cobaltstrike.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\INxmBwT.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_5fe943997996bfe95d8c0db76ac882c2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\RykKejn.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_5fe943997996bfe95d8c0db76ac882c2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\BoYWjIU.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_5fe943997996bfe95d8c0db76ac882c2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\SycihBq.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_5fe943997996bfe95d8c0db76ac882c2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\jPNpoAh.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_5fe943997996bfe95d8c0db76ac882c2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\YlIhwLY.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_5fe943997996bfe95d8c0db76ac882c2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\TEQajou.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_5fe943997996bfe95d8c0db76ac882c2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\KrrYrkJ.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_5fe943997996bfe95d8c0db76ac882c2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\abrpnrB.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_5fe943997996bfe95d8c0db76ac882c2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\cDjGnKD.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_5fe943997996bfe95d8c0db76ac882c2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\cXRTRiW.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_5fe943997996bfe95d8c0db76ac882c2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\DbkwXYn.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_5fe943997996bfe95d8c0db76ac882c2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ypfQFsN.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_5fe943997996bfe95d8c0db76ac882c2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\FWEGVDq.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_5fe943997996bfe95d8c0db76ac882c2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\davkDcu.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_5fe943997996bfe95d8c0db76ac882c2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\XifoYzy.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_5fe943997996bfe95d8c0db76ac882c2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\IOTxwUY.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_5fe943997996bfe95d8c0db76ac882c2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\VTidvgG.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_5fe943997996bfe95d8c0db76ac882c2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\jUBBwNq.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_5fe943997996bfe95d8c0db76ac882c2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\SwOwFdf.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_5fe943997996bfe95d8c0db76ac882c2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\jxqbrzv.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_5fe943997996bfe95d8c0db76ac882c2_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_5fe943997996bfe95d8c0db76ac882c2_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2972 wrote to memory of 2792 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_5fe943997996bfe95d8c0db76ac882c2_cobalt-strike_cobaltstrike.exe C:\Windows\System\RykKejn.exe
PID 2972 wrote to memory of 2796 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_5fe943997996bfe95d8c0db76ac882c2_cobalt-strike_cobaltstrike.exe C:\Windows\System\davkDcu.exe
PID 2972 wrote to memory of 1820 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_5fe943997996bfe95d8c0db76ac882c2_cobalt-strike_cobaltstrike.exe C:\Windows\System\abrpnrB.exe
PID 2972 wrote to memory of 2660 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_5fe943997996bfe95d8c0db76ac882c2_cobalt-strike_cobaltstrike.exe C:\Windows\System\cDjGnKD.exe
PID 2972 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_5fe943997996bfe95d8c0db76ac882c2_cobalt-strike_cobaltstrike.exe C:\Windows\System\jxqbrzv.exe
PID 2972 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_5fe943997996bfe95d8c0db76ac882c2_cobalt-strike_cobaltstrike.exe C:\Windows\System\KrrYrkJ.exe
PID 2972 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_5fe943997996bfe95d8c0db76ac882c2_cobalt-strike_cobaltstrike.exe C:\Windows\System\BoYWjIU.exe
PID 2972 wrote to memory of 2632 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_5fe943997996bfe95d8c0db76ac882c2_cobalt-strike_cobaltstrike.exe C:\Windows\System\XifoYzy.exe
PID 2972 wrote to memory of 2536 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_5fe943997996bfe95d8c0db76ac882c2_cobalt-strike_cobaltstrike.exe C:\Windows\System\IOTxwUY.exe
PID 2972 wrote to memory of 2592 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_5fe943997996bfe95d8c0db76ac882c2_cobalt-strike_cobaltstrike.exe C:\Windows\System\SycihBq.exe
PID 2972 wrote to memory of 3016 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_5fe943997996bfe95d8c0db76ac882c2_cobalt-strike_cobaltstrike.exe C:\Windows\System\INxmBwT.exe
PID 2972 wrote to memory of 2272 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_5fe943997996bfe95d8c0db76ac882c2_cobalt-strike_cobaltstrike.exe C:\Windows\System\cXRTRiW.exe
PID 2972 wrote to memory of 1760 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_5fe943997996bfe95d8c0db76ac882c2_cobalt-strike_cobaltstrike.exe C:\Windows\System\VTidvgG.exe
PID 2972 wrote to memory of 2852 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_5fe943997996bfe95d8c0db76ac882c2_cobalt-strike_cobaltstrike.exe C:\Windows\System\DbkwXYn.exe
PID 2972 wrote to memory of 2292 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_5fe943997996bfe95d8c0db76ac882c2_cobalt-strike_cobaltstrike.exe C:\Windows\System\ypfQFsN.exe
PID 2972 wrote to memory of 2024 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_5fe943997996bfe95d8c0db76ac882c2_cobalt-strike_cobaltstrike.exe C:\Windows\System\jUBBwNq.exe
PID 2972 wrote to memory of 1712 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_5fe943997996bfe95d8c0db76ac882c2_cobalt-strike_cobaltstrike.exe C:\Windows\System\SwOwFdf.exe
PID 2972 wrote to memory of 304 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_5fe943997996bfe95d8c0db76ac882c2_cobalt-strike_cobaltstrike.exe C:\Windows\System\jPNpoAh.exe
PID 2972 wrote to memory of 1152 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_5fe943997996bfe95d8c0db76ac882c2_cobalt-strike_cobaltstrike.exe C:\Windows\System\YlIhwLY.exe
PID 2972 wrote to memory of 2816 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_5fe943997996bfe95d8c0db76ac882c2_cobalt-strike_cobaltstrike.exe C:\Windows\System\FWEGVDq.exe
PID 2972 wrote to memory of 2872 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_5fe943997996bfe95d8c0db76ac882c2_cobalt-strike_cobaltstrike.exe C:\Windows\System\TEQajou.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-05-30_5fe943997996bfe95d8c0db76ac882c2_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-05-30_5fe943997996bfe95d8c0db76ac882c2_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\RykKejn.exe

C:\Windows\System\RykKejn.exe

C:\Windows\System\davkDcu.exe

C:\Windows\System\davkDcu.exe

C:\Windows\System\abrpnrB.exe

C:\Windows\System\abrpnrB.exe

C:\Windows\System\cDjGnKD.exe

C:\Windows\System\cDjGnKD.exe

C:\Windows\System\jxqbrzv.exe

C:\Windows\System\jxqbrzv.exe

C:\Windows\System\KrrYrkJ.exe

C:\Windows\System\KrrYrkJ.exe

C:\Windows\System\BoYWjIU.exe

C:\Windows\System\BoYWjIU.exe

C:\Windows\System\XifoYzy.exe

C:\Windows\System\XifoYzy.exe

C:\Windows\System\IOTxwUY.exe

C:\Windows\System\IOTxwUY.exe

C:\Windows\System\SycihBq.exe

C:\Windows\System\SycihBq.exe

C:\Windows\System\INxmBwT.exe

C:\Windows\System\INxmBwT.exe

C:\Windows\System\cXRTRiW.exe

C:\Windows\System\cXRTRiW.exe

C:\Windows\System\VTidvgG.exe

C:\Windows\System\VTidvgG.exe

C:\Windows\System\DbkwXYn.exe

C:\Windows\System\DbkwXYn.exe

C:\Windows\System\ypfQFsN.exe

C:\Windows\System\ypfQFsN.exe

C:\Windows\System\jUBBwNq.exe

C:\Windows\System\jUBBwNq.exe

C:\Windows\System\SwOwFdf.exe

C:\Windows\System\SwOwFdf.exe

C:\Windows\System\jPNpoAh.exe

C:\Windows\System\jPNpoAh.exe

C:\Windows\System\YlIhwLY.exe

C:\Windows\System\YlIhwLY.exe

C:\Windows\System\FWEGVDq.exe

C:\Windows\System\FWEGVDq.exe

C:\Windows\System\TEQajou.exe

C:\Windows\System\TEQajou.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 tcp

Files

memory/2972-0-0x00000000000F0000-0x0000000000100000-memory.dmp

memory/2972-1-0x000000013F020000-0x000000013F374000-memory.dmp

C:\Windows\system\RykKejn.exe

MD5 3c93a1f06bc09c7cfd6369f28d0fa8cf
SHA1 874c319040f4926feda1046a4dc8282a85b27149
SHA256 89147a46400a95b3404c673ad2cb475ac2032c6cb4c5c4e3e5d2a3076735e7ee
SHA512 b49a61950d305463da5f277667a474c2c9b016300c4203323dd84a198f1afbb427ba5e7abc09aad60eaab613fdefc0349fb48035a25c5b242e5ec600ed13f937

memory/2792-9-0x000000013F7D0000-0x000000013FB24000-memory.dmp

memory/2972-7-0x000000013F7D0000-0x000000013FB24000-memory.dmp

\Windows\system\davkDcu.exe

MD5 77ea1a759b9d8ffd903fe7a83efaafd8
SHA1 53ef53fc17dc71dad2b9352948625ddbdaaf7f7b
SHA256 9d3a14d692497f55c709368ef8f86612613c8e6c534cb955259ee083c70ab076
SHA512 50acdd9983caac5a0ce3625d764a12ed7945a4449ba7e9effa1db816b38a4c06e76bd7df69fc38ce7b91897901c3bc72a3ed272b38a10e0ca3c7191f2923de6f

memory/2972-13-0x000000013FDE0000-0x0000000140134000-memory.dmp

C:\Windows\system\abrpnrB.exe

MD5 8776735beebca521fc5691e8f44ad478
SHA1 479bbe750917a5971443a2468d59ccf01995ec03
SHA256 81f23408e1ff04334c88bb6718020f20430d4ea1a7b8f980f2a86552124d3b60
SHA512 754299afd3df9cc37c146484d3820cd8bb2cc3201fe69ca898647b63c1cd5d98f1d47de64f0b4ee713ae9b5a1c28047d04f5f122436dd42a2308edc6c8a422e6

memory/2972-24-0x000000013F750000-0x000000013FAA4000-memory.dmp

memory/2796-18-0x000000013FDE0000-0x0000000140134000-memory.dmp

memory/1820-30-0x000000013F510000-0x000000013F864000-memory.dmp

memory/2660-29-0x000000013F750000-0x000000013FAA4000-memory.dmp

C:\Windows\system\cDjGnKD.exe

MD5 ab06e9aa1e7e2b92bc0454a095241e57
SHA1 7cb8daee2b48b2a38fb88c051c59c9753a9a199a
SHA256 b969d189ef946137d28f435adffd8dd436b791e02f06c8c53ecc74a58c1b9085
SHA512 3d8837feda15a6c000b92d9b3c5b39cd07d69c2cd148165574682c3bfe08b93f254aa66c18e906e29419d0dd2b154cac64d2f709c1722f29b66768b53f73f99b

memory/2972-22-0x000000013F510000-0x000000013F864000-memory.dmp

C:\Windows\system\jxqbrzv.exe

MD5 5c39e50b96a7ec1768fbde1fb97f5361
SHA1 2403070f3fb2a5ac1f0fc59b10947ee80d03ca77
SHA256 35a62cb51a86a3f64b171b59c11aa62781de936859b5267232ea419f067b1c62
SHA512 e942d88685a5d307fb83c5089ded321333ca6de80a9c73463c349abb8f0424e4831ccff3a8201df54ac9153e8de07443e556c2a260a9df1cee7a1bd4029209c5

\Windows\system\KrrYrkJ.exe

MD5 aeaeb9999c7bc7b79d919ed029d06a76
SHA1 c400a8ad437854ec80b93938cb2e11e6ef087690
SHA256 2e548719b7823e0f482b4f85d48ae3bd4109c08785f3ebb64afdc6f59e2aad4b
SHA512 c74798ab5ba6e4f7911f6e51e1021c11617abbece8379d8b3e6619a2375f0842fb854e938941c383bf0aa7f71e94781489f22b15b743d2168e15f65eac8bb893

memory/2972-43-0x000000013F020000-0x000000013F374000-memory.dmp

memory/2556-44-0x000000013F520000-0x000000013F874000-memory.dmp

memory/2676-36-0x000000013F8B0000-0x000000013FC04000-memory.dmp

memory/2972-35-0x000000013F8B0000-0x000000013FC04000-memory.dmp

memory/2972-39-0x000000013F520000-0x000000013F874000-memory.dmp

C:\Windows\system\BoYWjIU.exe

MD5 89381b736967731eed10803577b02b74
SHA1 7915f7afcad6ad7550f3a8669d0cc6b94de1008d
SHA256 1cfdb5e19e1e89caf2d229df463d611a81a138b27b65a0949bac80a3dbaa0366
SHA512 40b3520cd0015e94e179c65b074bb8bc8fc12fc8f077d3510dfbaedd16a19fc9b8179327ec4468e6c123544993eac7ab34389ba89b77d3ee5b4e7263ec59320d

C:\Windows\system\XifoYzy.exe

MD5 5e3e60c2e27a2f739e1ed7b2e8dabcf5
SHA1 6169a2bf3fb4da57e2e29c61c3408f30314750f1
SHA256 02ef538e7746e766df61c3945f6cad5c7c2ed11ef3b657924a0a47495949ccd4
SHA512 aa52139e30ebe84da1f9d1b45a122f15ed545ffae91e181523c73d4a705983ccbbd42835f768b1a935d1482423adbd999c288b71ac974b10c2141eb84e9791ec

memory/2632-63-0x000000013F940000-0x000000013FC94000-memory.dmp

\Windows\system\DbkwXYn.exe

MD5 e557cf6eaa9f0490d9cf6fdbb48a2465
SHA1 7d4f7644302c7e90a623bb4fa05d0ef40b631105
SHA256 bc87b612e4db6328e4e98e1689cb620bd8baf49416d50d8f05b23c0cdfc9f4bd
SHA512 b9d2cf6cbfe5a251f5fee11ad462acd7c64beba70ac9a43381844e2bfac06cb504b36ba1776bc61f62bd7fd132ec65cc61cac4e46065e1d2403124c5dc5507bd

memory/2272-83-0x000000013FBA0000-0x000000013FEF4000-memory.dmp

memory/2972-89-0x000000013FAA0000-0x000000013FDF4000-memory.dmp

memory/3016-92-0x000000013FE60000-0x00000001401B4000-memory.dmp

memory/2852-97-0x000000013FAA0000-0x000000013FDF4000-memory.dmp

C:\Windows\system\SwOwFdf.exe

MD5 2b2b9b7a3cb8282d5ef4ea265d550eb1
SHA1 0aa71e6162699daaebca72b879dfb26ebeafabfa
SHA256 95fff5700b2f02a34dc1ea35520fdbe908cc8c001ed8bfb419d146fd247f5fb3
SHA512 1cd40c4daf1ccb632721cafff002347cf73126b10504529ad3b5cdd0243743d4c938714074fea6bfbee3a536d0f9041b8f63d1ff794bc363b376478b09fdff2f

C:\Windows\system\YlIhwLY.exe

MD5 50f131c5b7d9d885ac2f34f2415f9ef1
SHA1 c5e7d5b4c5fbe4283cd0de988b0033f279631bb1
SHA256 8550718447925e09414b9113c796854e143dea39572c98bde014c6ec5ccc3387
SHA512 739ccb652f179e13952b3e1fb74a5b6216b5cf53a10b3abbb1640dab37153413a7c8355a5ee50b2bcf5b0b84858fe7276d3e347222deb83dc8b9318c5d2b5db6

C:\Windows\system\FWEGVDq.exe

MD5 faea00418f08d5c2712af33f9059dfd7
SHA1 d83557cdb9fd5cda8a0f8066d37b9b57d02fe141
SHA256 7885fd5c884b333086f87d337d45c03906675b0bb5a5eca4b580e35d36c3e652
SHA512 9c95747b93fadac14ae5fec95a465fd4dd9c6eb12db335bf88b3a213a602988b100ec4898438026a85c3f0322855d4f193583417dc8ae6c599066a866ff06cde

\Windows\system\TEQajou.exe

MD5 3d12c10469d6f99c178313d1282df3c5
SHA1 a37fc3d84b575241076b54aa126a741fb82effca
SHA256 f451af887afb8efeadbbd906826e0e7ca68dc0d352bc1a134eb0f51c628e8428
SHA512 e73429ef52680937c48cb2988a987c79ea5101a0a0164d09188f11f60ce846b25bcbcb32e7358f03347a8a753fd53fafcea9d779efda820739a2fdd0fd48eb2e

C:\Windows\system\jPNpoAh.exe

MD5 019bf98ff4691294c75a78e6bc4e4d28
SHA1 1308f17df880bb2b625af764b64e62e0ebadb766
SHA256 011b415bec1ec50432683c94d42cbcb01300b124bb8a1e144f6402a0775ecbe9
SHA512 1ff160b757e3c2187f87e10719015aee183e3b6d636a49b1c92855c5856ba6bc309bf807d1a3baf73449513106abbe858e3952b0ea162ef0deab5b89d907719c

C:\Windows\system\jUBBwNq.exe

MD5 ee80c03a00718874ec8bc983b9b48d3c
SHA1 5a7c3907df97bd70434be8db65bee9e0a8232913
SHA256 9fdea06785b1bdf8072d87e7759dabeb602fbad1378e5c2875b83fc5f64dbefd
SHA512 4faa9fbda176cbceef65dc48db9b03d8c8bda2ca5f320d38cd7d03fea915a5ae6e353a7138888ee9292743ec3e29f8fc0d04d5ae168dfd03c82a961b67aaa90b

memory/2676-103-0x000000013F8B0000-0x000000013FC04000-memory.dmp

C:\Windows\system\ypfQFsN.exe

MD5 9448daf76301c38b0c15a7d312262323
SHA1 645f4dd47b361e9f8c089008b8e28c3401a756e2
SHA256 cda69bdf60363d5d68c095785ce42e334a193ae16a6be11a3f107f4ccf3d42c3
SHA512 7dbaa6a0f110aa0396c75fde6dcd5fc8337121d94bd9a7db42284e372daa3be4e3c8827f58aea90aedc99dbce06bfd9e311da0b9cf31f56d7eb12ff983087823

\Windows\system\VTidvgG.exe

MD5 d43c989ce6d22f0e528de3fb98992156
SHA1 829119f468ed4cd97ce5bb125042751e214fb3f2
SHA256 054d2735e4b47e47f66dba942ab55a3d92b885da21e44b4f7c842b0c342909b2
SHA512 a4570d9270e4d222f97f558ad1d186e8fe8b5d341814851040739d38246d226d00f33029701023e672cc731750ab73cea24973520d6ec6591c2f71cc8601a64f

C:\Windows\system\SycihBq.exe

MD5 66054d20bbe5add9b92fefe1e4d1a250
SHA1 232fe1c83d7ba21f06ea76a230a4f8ecd1ced2d9
SHA256 bc8a4b513834fd2ff85c2f6c2fb6ff3e2ac6da6eeff25a1099773cfeb1820f6f
SHA512 3550a522f86d8618f6d5eedbac4423052d5c926b16044336eca953b9733333f6d22c3852fd4fb394c880e8352413175a01aec83c573c69d7745ad5177e26e295

C:\Windows\system\INxmBwT.exe

MD5 6678f1f0f04952deed816757ff87d3b5
SHA1 b19ddbe63e54cbdc27731bd6159415cbae7c19ca
SHA256 9bf86db35fd1465bc040bbe7bbdc734a0a7dae7cba572c444badc002c7453939
SHA512 3256ee1b4c84029fd245505aebdcb25a926495e00af69b690311c7db0901d5cbfdeaeec564f056a5beede9d12b097143e2ec9def34fc2bd4b0931528288ddadd

C:\Windows\system\IOTxwUY.exe

MD5 633142a724565c70dbed6b2157b4f0c1
SHA1 a0ad44267a775689365cf1bb60d78cc8f2f74a95
SHA256 b102e101763687dfbc0db8fe2bfb9e8707e9bad9ab91a233d340ea9fe8986c7d
SHA512 ad0ee48a99aa4f31b9e82e943f1ecb2db524d9d0006b7c8fbe2b41cb5dd5bd57dac2e723a92372ce5d6fdf261cbec168b5d9975da43a4da7a0d739f6caefb6f1

C:\Windows\system\cXRTRiW.exe

MD5 6218d7e64fb68d31e6c5ee272805e870
SHA1 4642e04426c1fd868a90b8f46a4bd331ac4673e1
SHA256 e9721ef26a5efce3ebf42da559442cd5d9eedcde781f78fd83c55fe592fe8a12
SHA512 514a9acbd869028586af7496f3c458fc5615267f11a314eafe21b0d02a445a048d696dd30704e1a5e759171d9e07945e10317d14909240fda8bd477006feec81

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-30 10:05

Reported

2024-05-30 10:07

Platform

win10v2004-20240426-en

Max time kernel

143s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-05-30_5fe943997996bfe95d8c0db76ac882c2_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\oZBTcPX.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_5fe943997996bfe95d8c0db76ac882c2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\qjBrCtx.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_5fe943997996bfe95d8c0db76ac882c2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\BlojyNA.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_5fe943997996bfe95d8c0db76ac882c2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\bMnkYNS.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_5fe943997996bfe95d8c0db76ac882c2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\SvKNZPi.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_5fe943997996bfe95d8c0db76ac882c2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\cpEiRZW.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_5fe943997996bfe95d8c0db76ac882c2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\jEtwMPG.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_5fe943997996bfe95d8c0db76ac882c2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\fbckKWV.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_5fe943997996bfe95d8c0db76ac882c2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\TCcefXL.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_5fe943997996bfe95d8c0db76ac882c2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\WfQTLVo.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_5fe943997996bfe95d8c0db76ac882c2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\SiUQIOZ.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_5fe943997996bfe95d8c0db76ac882c2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\XFptWZE.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_5fe943997996bfe95d8c0db76ac882c2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\gknNLEY.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_5fe943997996bfe95d8c0db76ac882c2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\kzIkxNm.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_5fe943997996bfe95d8c0db76ac882c2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\uZdBGbI.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_5fe943997996bfe95d8c0db76ac882c2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\fihLDnn.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_5fe943997996bfe95d8c0db76ac882c2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ZbfnhYu.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_5fe943997996bfe95d8c0db76ac882c2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\QGnFbod.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_5fe943997996bfe95d8c0db76ac882c2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\OLBzpmW.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_5fe943997996bfe95d8c0db76ac882c2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\bwAIaDI.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_5fe943997996bfe95d8c0db76ac882c2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\KKcuypT.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_5fe943997996bfe95d8c0db76ac882c2_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_5fe943997996bfe95d8c0db76ac882c2_cobalt-strike_cobaltstrike.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_5fe943997996bfe95d8c0db76ac882c2_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4044 wrote to memory of 536 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_5fe943997996bfe95d8c0db76ac882c2_cobalt-strike_cobaltstrike.exe C:\Windows\System\bwAIaDI.exe
PID 4044 wrote to memory of 536 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_5fe943997996bfe95d8c0db76ac882c2_cobalt-strike_cobaltstrike.exe C:\Windows\System\bwAIaDI.exe
PID 4044 wrote to memory of 4484 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_5fe943997996bfe95d8c0db76ac882c2_cobalt-strike_cobaltstrike.exe C:\Windows\System\fbckKWV.exe
PID 4044 wrote to memory of 4484 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_5fe943997996bfe95d8c0db76ac882c2_cobalt-strike_cobaltstrike.exe C:\Windows\System\fbckKWV.exe
PID 4044 wrote to memory of 3204 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_5fe943997996bfe95d8c0db76ac882c2_cobalt-strike_cobaltstrike.exe C:\Windows\System\TCcefXL.exe
PID 4044 wrote to memory of 3204 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_5fe943997996bfe95d8c0db76ac882c2_cobalt-strike_cobaltstrike.exe C:\Windows\System\TCcefXL.exe
PID 4044 wrote to memory of 3728 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_5fe943997996bfe95d8c0db76ac882c2_cobalt-strike_cobaltstrike.exe C:\Windows\System\KKcuypT.exe
PID 4044 wrote to memory of 3728 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_5fe943997996bfe95d8c0db76ac882c2_cobalt-strike_cobaltstrike.exe C:\Windows\System\KKcuypT.exe
PID 4044 wrote to memory of 3936 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_5fe943997996bfe95d8c0db76ac882c2_cobalt-strike_cobaltstrike.exe C:\Windows\System\fihLDnn.exe
PID 4044 wrote to memory of 3936 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_5fe943997996bfe95d8c0db76ac882c2_cobalt-strike_cobaltstrike.exe C:\Windows\System\fihLDnn.exe
PID 4044 wrote to memory of 2032 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_5fe943997996bfe95d8c0db76ac882c2_cobalt-strike_cobaltstrike.exe C:\Windows\System\ZbfnhYu.exe
PID 4044 wrote to memory of 2032 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_5fe943997996bfe95d8c0db76ac882c2_cobalt-strike_cobaltstrike.exe C:\Windows\System\ZbfnhYu.exe
PID 4044 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_5fe943997996bfe95d8c0db76ac882c2_cobalt-strike_cobaltstrike.exe C:\Windows\System\WfQTLVo.exe
PID 4044 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_5fe943997996bfe95d8c0db76ac882c2_cobalt-strike_cobaltstrike.exe C:\Windows\System\WfQTLVo.exe
PID 4044 wrote to memory of 3560 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_5fe943997996bfe95d8c0db76ac882c2_cobalt-strike_cobaltstrike.exe C:\Windows\System\bMnkYNS.exe
PID 4044 wrote to memory of 3560 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_5fe943997996bfe95d8c0db76ac882c2_cobalt-strike_cobaltstrike.exe C:\Windows\System\bMnkYNS.exe
PID 4044 wrote to memory of 4800 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_5fe943997996bfe95d8c0db76ac882c2_cobalt-strike_cobaltstrike.exe C:\Windows\System\OLBzpmW.exe
PID 4044 wrote to memory of 4800 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_5fe943997996bfe95d8c0db76ac882c2_cobalt-strike_cobaltstrike.exe C:\Windows\System\OLBzpmW.exe
PID 4044 wrote to memory of 1680 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_5fe943997996bfe95d8c0db76ac882c2_cobalt-strike_cobaltstrike.exe C:\Windows\System\SiUQIOZ.exe
PID 4044 wrote to memory of 1680 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_5fe943997996bfe95d8c0db76ac882c2_cobalt-strike_cobaltstrike.exe C:\Windows\System\SiUQIOZ.exe
PID 4044 wrote to memory of 5080 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_5fe943997996bfe95d8c0db76ac882c2_cobalt-strike_cobaltstrike.exe C:\Windows\System\XFptWZE.exe
PID 4044 wrote to memory of 5080 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_5fe943997996bfe95d8c0db76ac882c2_cobalt-strike_cobaltstrike.exe C:\Windows\System\XFptWZE.exe
PID 4044 wrote to memory of 1416 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_5fe943997996bfe95d8c0db76ac882c2_cobalt-strike_cobaltstrike.exe C:\Windows\System\cpEiRZW.exe
PID 4044 wrote to memory of 1416 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_5fe943997996bfe95d8c0db76ac882c2_cobalt-strike_cobaltstrike.exe C:\Windows\System\cpEiRZW.exe
PID 4044 wrote to memory of 1780 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_5fe943997996bfe95d8c0db76ac882c2_cobalt-strike_cobaltstrike.exe C:\Windows\System\gknNLEY.exe
PID 4044 wrote to memory of 1780 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_5fe943997996bfe95d8c0db76ac882c2_cobalt-strike_cobaltstrike.exe C:\Windows\System\gknNLEY.exe
PID 4044 wrote to memory of 3480 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_5fe943997996bfe95d8c0db76ac882c2_cobalt-strike_cobaltstrike.exe C:\Windows\System\kzIkxNm.exe
PID 4044 wrote to memory of 3480 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_5fe943997996bfe95d8c0db76ac882c2_cobalt-strike_cobaltstrike.exe C:\Windows\System\kzIkxNm.exe
PID 4044 wrote to memory of 2624 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_5fe943997996bfe95d8c0db76ac882c2_cobalt-strike_cobaltstrike.exe C:\Windows\System\uZdBGbI.exe
PID 4044 wrote to memory of 2624 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_5fe943997996bfe95d8c0db76ac882c2_cobalt-strike_cobaltstrike.exe C:\Windows\System\uZdBGbI.exe
PID 4044 wrote to memory of 376 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_5fe943997996bfe95d8c0db76ac882c2_cobalt-strike_cobaltstrike.exe C:\Windows\System\SvKNZPi.exe
PID 4044 wrote to memory of 376 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_5fe943997996bfe95d8c0db76ac882c2_cobalt-strike_cobaltstrike.exe C:\Windows\System\SvKNZPi.exe
PID 4044 wrote to memory of 400 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_5fe943997996bfe95d8c0db76ac882c2_cobalt-strike_cobaltstrike.exe C:\Windows\System\QGnFbod.exe
PID 4044 wrote to memory of 400 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_5fe943997996bfe95d8c0db76ac882c2_cobalt-strike_cobaltstrike.exe C:\Windows\System\QGnFbod.exe
PID 4044 wrote to memory of 2108 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_5fe943997996bfe95d8c0db76ac882c2_cobalt-strike_cobaltstrike.exe C:\Windows\System\jEtwMPG.exe
PID 4044 wrote to memory of 2108 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_5fe943997996bfe95d8c0db76ac882c2_cobalt-strike_cobaltstrike.exe C:\Windows\System\jEtwMPG.exe
PID 4044 wrote to memory of 2016 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_5fe943997996bfe95d8c0db76ac882c2_cobalt-strike_cobaltstrike.exe C:\Windows\System\oZBTcPX.exe
PID 4044 wrote to memory of 2016 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_5fe943997996bfe95d8c0db76ac882c2_cobalt-strike_cobaltstrike.exe C:\Windows\System\oZBTcPX.exe
PID 4044 wrote to memory of 552 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_5fe943997996bfe95d8c0db76ac882c2_cobalt-strike_cobaltstrike.exe C:\Windows\System\qjBrCtx.exe
PID 4044 wrote to memory of 552 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_5fe943997996bfe95d8c0db76ac882c2_cobalt-strike_cobaltstrike.exe C:\Windows\System\qjBrCtx.exe
PID 4044 wrote to memory of 4824 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_5fe943997996bfe95d8c0db76ac882c2_cobalt-strike_cobaltstrike.exe C:\Windows\System\BlojyNA.exe
PID 4044 wrote to memory of 4824 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_5fe943997996bfe95d8c0db76ac882c2_cobalt-strike_cobaltstrike.exe C:\Windows\System\BlojyNA.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-05-30_5fe943997996bfe95d8c0db76ac882c2_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-05-30_5fe943997996bfe95d8c0db76ac882c2_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\bwAIaDI.exe

C:\Windows\System\bwAIaDI.exe

C:\Windows\System\fbckKWV.exe

C:\Windows\System\fbckKWV.exe

C:\Windows\System\TCcefXL.exe

C:\Windows\System\TCcefXL.exe

C:\Windows\System\KKcuypT.exe

C:\Windows\System\KKcuypT.exe

C:\Windows\System\fihLDnn.exe

C:\Windows\System\fihLDnn.exe

C:\Windows\System\ZbfnhYu.exe

C:\Windows\System\ZbfnhYu.exe

C:\Windows\System\WfQTLVo.exe

C:\Windows\System\WfQTLVo.exe

C:\Windows\System\bMnkYNS.exe

C:\Windows\System\bMnkYNS.exe

C:\Windows\System\OLBzpmW.exe

C:\Windows\System\OLBzpmW.exe

C:\Windows\System\SiUQIOZ.exe

C:\Windows\System\SiUQIOZ.exe

C:\Windows\System\XFptWZE.exe

C:\Windows\System\XFptWZE.exe

C:\Windows\System\cpEiRZW.exe

C:\Windows\System\cpEiRZW.exe

C:\Windows\System\gknNLEY.exe

C:\Windows\System\gknNLEY.exe

C:\Windows\System\kzIkxNm.exe

C:\Windows\System\kzIkxNm.exe

C:\Windows\System\uZdBGbI.exe

C:\Windows\System\uZdBGbI.exe

C:\Windows\System\SvKNZPi.exe

C:\Windows\System\SvKNZPi.exe

C:\Windows\System\QGnFbod.exe

C:\Windows\System\QGnFbod.exe

C:\Windows\System\jEtwMPG.exe

C:\Windows\System\jEtwMPG.exe

C:\Windows\System\oZBTcPX.exe

C:\Windows\System\oZBTcPX.exe

C:\Windows\System\qjBrCtx.exe

C:\Windows\System\qjBrCtx.exe

C:\Windows\System\BlojyNA.exe

C:\Windows\System\BlojyNA.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 144.107.17.2.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp

Files

C:\Windows\System\bwAIaDI.exe

MD5 1ae7d4b63dcf10977ce5e2fcbc78dd47
SHA1 7393ac720d4a23b1bd36757de219e6a8fca2b624
SHA256 f4275240a4a526f51c57f42fc07d24c171a3da099a0354606b44a970a9504610
SHA512 7c238423fd651161bab31e9abd7e27958df30995cd0876010ce2a5456e07874584654b67638fc79a0fc39bda78092fe2524b52e41d247b71fd8b022d5567abaf

C:\Windows\System\TCcefXL.exe

MD5 0d349f512d8967d0a2a9dd973ade37b8
SHA1 c05cabca1ff9790d6dae835078f8c5495c0a0ea6
SHA256 c2f92a2a7e5d8cc935917bf91bfd4c10513a0d3105673db34741cb927e43c980
SHA512 a0013ddeff6410b95e6f9d4b6e2a4e3302d1514c4847ebeab3f0ac0a84e823fcdf59c20313d2ffd387d8edddaa7eb4e0dcd4f8d39320fc81996b8dd3fc506a8a

C:\Windows\System\fbckKWV.exe

MD5 86a2825c940654031661cbae73c40418
SHA1 907d22a5d7d84d2f56765873d443c0ef40512083
SHA256 8b7e3774e15372b5006d7a7e3b2d595adc172c8afbc25aaf4fbf41ad88cbc0b1
SHA512 0f9d8f24964b3ec710cc8c21f672d4727554566f181b86fe4479fc310b838383a89fffdd18c3b75507b8528bf6f38de7103574efe5c54ee2f772e5a0ec77be68

C:\Windows\System\KKcuypT.exe

MD5 0f57c3c315fb0bafd10862415f936f0f
SHA1 46fc0428a8b005aa38d7cf56b16f9fb5eeac08c7
SHA256 86b7ed70c10e46073f0e073c65d5cfbb00ea1fd0533f70eb5127856971a804ad
SHA512 35f0b0ae1f67b35637fdcf45354966e1a3eaa17cc0f2fd48a5513ec2a05ca1a8de5fd04fff396f0dc6d93fdc6cbf0c9fa7b588aa17c6756f60b35bd35d3182ed

C:\Windows\System\fihLDnn.exe

MD5 83833653567f5cd86b0dcd7b24445d7e
SHA1 cf4005a01be1d111520d96c7a173297d0d55377d
SHA256 3ed9cd78aefdab585a2601285e876cce4f923c7ea2ce8b04a7ca6635cad89199
SHA512 f8d318f834b2d661971a38d52e6d4f6f443fb47bf54ff086d039761b7a6d412ed593814c2618b12e724c2cff5171ba73ab71511250380f07188fbb8aeb0fccd8

C:\Windows\System\ZbfnhYu.exe

MD5 dbd056ab0be7b06dfe5093a05e9e4350
SHA1 cc32e24980cb9a176a9787475bda3d34e74505c5
SHA256 74d6081db8779d476bb63f87f335c5b540d1e7a0a7a303d74ca14dff067211a2
SHA512 14a49e5b85a629fbd6a083436dd788d81a0aab9b58e9aa96b7a32c6ea0b36eec09cde88a038910bea050d71d96aecebff41bb154f9ab2993eedfcf82ac5bdd61

C:\Windows\System\WfQTLVo.exe

MD5 14759289163cb6c8f03636bf02d70fee
SHA1 a867510ef0f328effc9c351c09639858dbc02606
SHA256 39cbda44ad536c27d9249ab7c8bfdf1536ca4803071d60bd489d3d31598475b6
SHA512 9e2f2b51acd89aee7daf4f4ef67d32ecb51c111b29ae575ded7bde07a88a18f936842a3de927b1c71556f3ae4903263ce9d89688d56c114920783007d1148541

C:\Windows\System\bMnkYNS.exe

MD5 b5184fb9eac56f92eb176e304db78178
SHA1 0d175ec596e7ffe4773161270d1b08b1f8f7774c
SHA256 b6d10c0778d1d8acf068bcab8079e86001ad6b7931b48a68aeaea66b935f3e8c
SHA512 1c8db91c405c95eb3413447cbde7b8b3bc3b4da6393acdb00cc0547ec513b32d6c785450c96ce304c4518b3e065833156a8ec757635c283ffcea362bda650538

C:\Windows\System\OLBzpmW.exe

MD5 33f4111715e4704e2389d80563b942b9
SHA1 faebc8356bcd71e10f3ae40ca7322993a1810562
SHA256 0f49199be820a41cb1aa303c21fb7a30c1356deb9e23477295ca283198e1a15f
SHA512 0d59b2235c8f7bce67abaffe9ec1f82e939c9b0cc4903c70bbbf66f91e2c7d1c03f5523e4a9346f0d127fc23c27221eea15aaf49c210cc2ba9ca0db9c91b26f0

C:\Windows\System\SiUQIOZ.exe

MD5 d99dd76bcdd5f40cbc7e3e938df1a4cf
SHA1 11565fd391ba766e9fb00e8e8cc8b60029a1f2ef
SHA256 4e8e1bf3fc86f3badcf7c268ca45b0e92aa56fab13f5ded4956dd84bc3a9c241
SHA512 e121fd1e17bdefe5a99141f5af9402dd8df2f46a27f358bea8ae0f21365059e596ddbf006db3ede2285fb24f69c74e7c52455b0fb7a1ef160be65b25fa70b71b

C:\Windows\System\XFptWZE.exe

MD5 b82bfa661b139aef6148ec3ca8ce1240
SHA1 9c5224b5d6e9fb261ba106df67694cc8eca1daf7
SHA256 345dae67f17eb37bbccb0112b24fc4416fe9ddec1c4db7865d7b3e689c1bd88c
SHA512 03818e8fb32d12948dbdc2b6cb7f9317f9f487397cf1ef3978dae134fe0fdc756334563809ec8a6c757082f8c72d67c26d0c78e84f67b38640181cc41fa66944

C:\Windows\System\cpEiRZW.exe

MD5 3a6b641afadae03b55988745622369c7
SHA1 f94577128210ce2a0e6c629d084d1f2e21665dba
SHA256 2a0f398bcf8d0af0e6f084a2b655898d8bac93674418139b615078f3a650395f
SHA512 822b64399111b8b31597d123799b008128ded3eff0694b918b5af337409a3574af1ffa017c14a99fc9127685a0b7be33105ad04e0c496a500708bb740ed59eab

C:\Windows\System\gknNLEY.exe

MD5 01434ed364e80b8f07036ea20c2a260b
SHA1 de36d502531e29242d8bb5764717b610011a26b5
SHA256 a776990908cf321f0305f9f50426b8b1220224514f5cfd4ccd8f05c21a07de77
SHA512 d37c2fab2ae3af0c045475eebc9ab5797c2dd1f707929f1f130ac9824c9568aca8954d1a6a6a6d7f235efb59ae4182888f90c2103e6c5e8fdb082657ec891f26

C:\Windows\System\kzIkxNm.exe

MD5 233567b7a0ef62a5ab79e24b265a6a39
SHA1 3fe414dacf8d31c1fdb7c9208c18cb522aeb930d
SHA256 d3c24493b0b3290b922582f81e13a6d4c1d99cf98c14afbf93807b8cd41056ef
SHA512 70133b7293c686605eb309f4d43815c10383dd6ac76a0b6cc1f1780d7f7f21622f162f1554076f7609215d9664601e8ef68f17815acf261c57e1ef9a2d8707f7

C:\Windows\System\uZdBGbI.exe

MD5 7b722cdf0e55561b4582ebab7c82b29e
SHA1 1b51deb99f9378e8a362f7f0be28592c5a7cd0bf
SHA256 1fcc2d86ba429a0150f2189d7c053891662c3ebc44e9c7f8860e7995689b98a2
SHA512 62cd3fddf1b070584bf299a148c17017353ef784d8b38875f144d839e38532077a8be622249a1d3eb8fb6850e1f566976ca0179417b0c2509d3012f817849356

C:\Windows\System\SvKNZPi.exe

MD5 5e6bffa2c0a0e1cbd5c9b8764195897c
SHA1 688482f0f6deab5f4af9a6ce083900804795df88
SHA256 f4ddc69124f69e4bad383696b417297c4339e06b1393fed2999d0896636945dc
SHA512 d14e7bd8884d83b5a9ea07501aafd07b0273c15592e2d334952b710af7304b87174ad60bca7b2683a2bc0e49bf16fd7f10eb6cac6e09e636c0184aa554235f3f

C:\Windows\System\QGnFbod.exe

MD5 28d1bcfa30ece836ab17e93e70068e9f
SHA1 cf5f1067d41c632cf392035698e4f04c5b5fe7b3
SHA256 51c82a520a60ad5bb685f2db0e520cdc7dc472d897b6e91746f87d0f7224419b
SHA512 40638288d266e5b7bfc2c39c13d59793258136c6c6fa1521180310b1498ff9f582bb690960b18c1f3c3913b40e0b88d646b29e5dd7a9ea48b3f1b489590b121c

C:\Windows\System\jEtwMPG.exe

MD5 e73bc6b9a837fa7afa4e7e9fd6261a63
SHA1 06212bf7351bc187fd73424529296cd49a0bff73
SHA256 45f4cd7f8fc751497b1802a77083e30365cf8b6c1c73784fe524a1377945800f
SHA512 39e143271c72a231cdf1f16bcb05be0d7b7d5c20554e3f39ff7f90121053a3acb0eb3a27346e80a6d55fd27795bff4dee93d32ef7ed2e0d4b3fcdf0913a4a85b

C:\Windows\System\oZBTcPX.exe

MD5 b59c747c2df74651025a9179fe26ff04
SHA1 4564a56d75e26443b407bd81ba2898a669f83bec
SHA256 ee3048c7baaab609a01915a4dc3ca546fc41a1f8c33ec5a6d9eb6521574343bd
SHA512 57210108538edc096fe7dc8111b1fce4246c13962df00609f7fa3d729029e6518259eeb4143ac7b4f355ed156fb045a1f96ed9abc9196fae08eefb530ecb5fdc

C:\Windows\System\qjBrCtx.exe

MD5 71134a7c95815444d28a0e3f2e1cf76b
SHA1 51b762e21ff7a656960b2b78b904473922ac6275
SHA256 6f7a878bab424fe401e62159455ab0269145be5a8c43cf65b4a415102507bdff
SHA512 04f8649fe062ed3f845a513d3d59877faf5f502e83a788a429613f0b1c6ce347e73c4544d4d02e346627b1baec636e59f253bc4fb4e85996337a5061acf62be3

C:\Windows\System\BlojyNA.exe

MD5 8bc6c68df8ce66d773ed4d11d12d51f3
SHA1 1988268f2238ff749de05abd6cdcb7018b0ee257
SHA256 827e9f8b72edd4c444e868c5c58be4b75c287c468a987224dd2b7b173cbf93f7
SHA512 9dd4015ff2b815e1ece9807334262c9b56b9f3c4f91fb3e5d16030faf2adfee18cc76d75dcf6b3b99b56d8d9bee84e85c45d5a154b9c8152685b5b18bcee5f69
