Malware Analysis Report

2025-03-15 08:11

Sample ID 240530-l588mseg83
Target 2024-05-30_a5c3e51af0f819cc57915691653a3782_cobalt-strike_cobaltstrike
SHA256 3cf4f77c79384f3e1361035911f8ab7d43f3460dbfffd3470d018b689a5d1b8f
Tags
miner upx 0 xmrig cobaltstrike backdoor trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

3cf4f77c79384f3e1361035911f8ab7d43f3460dbfffd3470d018b689a5d1b8f

Threat Level: Known bad

The file 2024-05-30_a5c3e51af0f819cc57915691653a3782_cobalt-strike_cobaltstrike was found to be: Known bad.

Malicious Activity Summary

miner upx 0 xmrig cobaltstrike backdoor trojan

Detects Reflective DLL injection artifacts

Cobalt Strike reflective loader

Xmrig family

xmrig

UPX dump on OEP (original entry point)

XMRig Miner payload

Cobaltstrike family

Cobaltstrike

UPX packed file

Executes dropped EXE

Loads dropped DLL

Drops file in Windows directory

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-05-30 10:08

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike family

cobaltstrike

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Xmrig family

xmrig

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-30 10:08

Reported

2024-05-30 10:10

Platform

win7-20240221-en

Max time kernel

149s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-05-30_a5c3e51af0f819cc57915691653a3782_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_a5c3e51af0f819cc57915691653a3782_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_a5c3e51af0f819cc57915691653a3782_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_a5c3e51af0f819cc57915691653a3782_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_a5c3e51af0f819cc57915691653a3782_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_a5c3e51af0f819cc57915691653a3782_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_a5c3e51af0f819cc57915691653a3782_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_a5c3e51af0f819cc57915691653a3782_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_a5c3e51af0f819cc57915691653a3782_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_a5c3e51af0f819cc57915691653a3782_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_a5c3e51af0f819cc57915691653a3782_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_a5c3e51af0f819cc57915691653a3782_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_a5c3e51af0f819cc57915691653a3782_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_a5c3e51af0f819cc57915691653a3782_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_a5c3e51af0f819cc57915691653a3782_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_a5c3e51af0f819cc57915691653a3782_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_a5c3e51af0f819cc57915691653a3782_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_a5c3e51af0f819cc57915691653a3782_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_a5c3e51af0f819cc57915691653a3782_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_a5c3e51af0f819cc57915691653a3782_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_a5c3e51af0f819cc57915691653a3782_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_a5c3e51af0f819cc57915691653a3782_cobalt-strike_cobaltstrike.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\PFzrQhT.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_a5c3e51af0f819cc57915691653a3782_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\Qjkfwqb.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_a5c3e51af0f819cc57915691653a3782_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\lcLKFqj.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_a5c3e51af0f819cc57915691653a3782_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\bhREUZL.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_a5c3e51af0f819cc57915691653a3782_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\aKDiwYx.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_a5c3e51af0f819cc57915691653a3782_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\JqtoSHv.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_a5c3e51af0f819cc57915691653a3782_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\HowbUBN.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_a5c3e51af0f819cc57915691653a3782_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\bCnjVAi.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_a5c3e51af0f819cc57915691653a3782_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\vgskgtR.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_a5c3e51af0f819cc57915691653a3782_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\pCXZxAZ.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_a5c3e51af0f819cc57915691653a3782_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\FAKJbhW.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_a5c3e51af0f819cc57915691653a3782_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\gQNCKhL.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_a5c3e51af0f819cc57915691653a3782_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\pyMYmdH.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_a5c3e51af0f819cc57915691653a3782_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\tJXdxVE.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_a5c3e51af0f819cc57915691653a3782_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\vFgYBMD.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_a5c3e51af0f819cc57915691653a3782_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\UOOWrwe.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_a5c3e51af0f819cc57915691653a3782_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\bRKwjIi.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_a5c3e51af0f819cc57915691653a3782_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\prJbugS.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_a5c3e51af0f819cc57915691653a3782_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\bWWgvcf.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_a5c3e51af0f819cc57915691653a3782_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\wASbZHD.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_a5c3e51af0f819cc57915691653a3782_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\dkdGzTS.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_a5c3e51af0f819cc57915691653a3782_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_a5c3e51af0f819cc57915691653a3782_cobalt-strike_cobaltstrike.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_a5c3e51af0f819cc57915691653a3782_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2076 wrote to memory of 1448 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_a5c3e51af0f819cc57915691653a3782_cobalt-strike_cobaltstrike.exe C:\Windows\System\UOOWrwe.exe
PID 2076 wrote to memory of 1448 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_a5c3e51af0f819cc57915691653a3782_cobalt-strike_cobaltstrike.exe C:\Windows\System\UOOWrwe.exe
PID 2076 wrote to memory of 1448 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_a5c3e51af0f819cc57915691653a3782_cobalt-strike_cobaltstrike.exe C:\Windows\System\UOOWrwe.exe
PID 2076 wrote to memory of 1740 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_a5c3e51af0f819cc57915691653a3782_cobalt-strike_cobaltstrike.exe C:\Windows\System\gQNCKhL.exe
PID 2076 wrote to memory of 1740 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_a5c3e51af0f819cc57915691653a3782_cobalt-strike_cobaltstrike.exe C:\Windows\System\gQNCKhL.exe
PID 2076 wrote to memory of 1740 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_a5c3e51af0f819cc57915691653a3782_cobalt-strike_cobaltstrike.exe C:\Windows\System\gQNCKhL.exe
PID 2076 wrote to memory of 2460 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_a5c3e51af0f819cc57915691653a3782_cobalt-strike_cobaltstrike.exe C:\Windows\System\pyMYmdH.exe
PID 2076 wrote to memory of 2460 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_a5c3e51af0f819cc57915691653a3782_cobalt-strike_cobaltstrike.exe C:\Windows\System\pyMYmdH.exe
PID 2076 wrote to memory of 2460 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_a5c3e51af0f819cc57915691653a3782_cobalt-strike_cobaltstrike.exe C:\Windows\System\pyMYmdH.exe
PID 2076 wrote to memory of 2860 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_a5c3e51af0f819cc57915691653a3782_cobalt-strike_cobaltstrike.exe C:\Windows\System\bhREUZL.exe
PID 2076 wrote to memory of 2860 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_a5c3e51af0f819cc57915691653a3782_cobalt-strike_cobaltstrike.exe C:\Windows\System\bhREUZL.exe
PID 2076 wrote to memory of 2860 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_a5c3e51af0f819cc57915691653a3782_cobalt-strike_cobaltstrike.exe C:\Windows\System\bhREUZL.exe
PID 2076 wrote to memory of 2900 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_a5c3e51af0f819cc57915691653a3782_cobalt-strike_cobaltstrike.exe C:\Windows\System\aKDiwYx.exe
PID 2076 wrote to memory of 2900 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_a5c3e51af0f819cc57915691653a3782_cobalt-strike_cobaltstrike.exe C:\Windows\System\aKDiwYx.exe
PID 2076 wrote to memory of 2900 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_a5c3e51af0f819cc57915691653a3782_cobalt-strike_cobaltstrike.exe C:\Windows\System\aKDiwYx.exe
PID 2076 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_a5c3e51af0f819cc57915691653a3782_cobalt-strike_cobaltstrike.exe C:\Windows\System\PFzrQhT.exe
PID 2076 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_a5c3e51af0f819cc57915691653a3782_cobalt-strike_cobaltstrike.exe C:\Windows\System\PFzrQhT.exe
PID 2076 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_a5c3e51af0f819cc57915691653a3782_cobalt-strike_cobaltstrike.exe C:\Windows\System\PFzrQhT.exe
PID 2076 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_a5c3e51af0f819cc57915691653a3782_cobalt-strike_cobaltstrike.exe C:\Windows\System\JqtoSHv.exe
PID 2076 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_a5c3e51af0f819cc57915691653a3782_cobalt-strike_cobaltstrike.exe C:\Windows\System\JqtoSHv.exe
PID 2076 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_a5c3e51af0f819cc57915691653a3782_cobalt-strike_cobaltstrike.exe C:\Windows\System\JqtoSHv.exe
PID 2076 wrote to memory of 1892 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_a5c3e51af0f819cc57915691653a3782_cobalt-strike_cobaltstrike.exe C:\Windows\System\HowbUBN.exe
PID 2076 wrote to memory of 1892 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_a5c3e51af0f819cc57915691653a3782_cobalt-strike_cobaltstrike.exe C:\Windows\System\HowbUBN.exe
PID 2076 wrote to memory of 1892 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_a5c3e51af0f819cc57915691653a3782_cobalt-strike_cobaltstrike.exe C:\Windows\System\HowbUBN.exe
PID 2076 wrote to memory of 2400 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_a5c3e51af0f819cc57915691653a3782_cobalt-strike_cobaltstrike.exe C:\Windows\System\bRKwjIi.exe
PID 2076 wrote to memory of 2400 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_a5c3e51af0f819cc57915691653a3782_cobalt-strike_cobaltstrike.exe C:\Windows\System\bRKwjIi.exe
PID 2076 wrote to memory of 2400 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_a5c3e51af0f819cc57915691653a3782_cobalt-strike_cobaltstrike.exe C:\Windows\System\bRKwjIi.exe
PID 2076 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_a5c3e51af0f819cc57915691653a3782_cobalt-strike_cobaltstrike.exe C:\Windows\System\Qjkfwqb.exe
PID 2076 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_a5c3e51af0f819cc57915691653a3782_cobalt-strike_cobaltstrike.exe C:\Windows\System\Qjkfwqb.exe
PID 2076 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_a5c3e51af0f819cc57915691653a3782_cobalt-strike_cobaltstrike.exe C:\Windows\System\Qjkfwqb.exe
PID 2076 wrote to memory of 2396 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_a5c3e51af0f819cc57915691653a3782_cobalt-strike_cobaltstrike.exe C:\Windows\System\bCnjVAi.exe
PID 2076 wrote to memory of 2396 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_a5c3e51af0f819cc57915691653a3782_cobalt-strike_cobaltstrike.exe C:\Windows\System\bCnjVAi.exe
PID 2076 wrote to memory of 2396 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_a5c3e51af0f819cc57915691653a3782_cobalt-strike_cobaltstrike.exe C:\Windows\System\bCnjVAi.exe
PID 2076 wrote to memory of 2788 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_a5c3e51af0f819cc57915691653a3782_cobalt-strike_cobaltstrike.exe C:\Windows\System\lcLKFqj.exe
PID 2076 wrote to memory of 2788 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_a5c3e51af0f819cc57915691653a3782_cobalt-strike_cobaltstrike.exe C:\Windows\System\lcLKFqj.exe
PID 2076 wrote to memory of 2788 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_a5c3e51af0f819cc57915691653a3782_cobalt-strike_cobaltstrike.exe C:\Windows\System\lcLKFqj.exe
PID 2076 wrote to memory of 2304 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_a5c3e51af0f819cc57915691653a3782_cobalt-strike_cobaltstrike.exe C:\Windows\System\vgskgtR.exe
PID 2076 wrote to memory of 2304 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_a5c3e51af0f819cc57915691653a3782_cobalt-strike_cobaltstrike.exe C:\Windows\System\vgskgtR.exe
PID 2076 wrote to memory of 2304 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_a5c3e51af0f819cc57915691653a3782_cobalt-strike_cobaltstrike.exe C:\Windows\System\vgskgtR.exe
PID 2076 wrote to memory of 676 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_a5c3e51af0f819cc57915691653a3782_cobalt-strike_cobaltstrike.exe C:\Windows\System\tJXdxVE.exe
PID 2076 wrote to memory of 676 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_a5c3e51af0f819cc57915691653a3782_cobalt-strike_cobaltstrike.exe C:\Windows\System\tJXdxVE.exe
PID 2076 wrote to memory of 676 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_a5c3e51af0f819cc57915691653a3782_cobalt-strike_cobaltstrike.exe C:\Windows\System\tJXdxVE.exe
PID 2076 wrote to memory of 1456 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_a5c3e51af0f819cc57915691653a3782_cobalt-strike_cobaltstrike.exe C:\Windows\System\prJbugS.exe
PID 2076 wrote to memory of 1456 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_a5c3e51af0f819cc57915691653a3782_cobalt-strike_cobaltstrike.exe C:\Windows\System\prJbugS.exe
PID 2076 wrote to memory of 1456 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_a5c3e51af0f819cc57915691653a3782_cobalt-strike_cobaltstrike.exe C:\Windows\System\prJbugS.exe
PID 2076 wrote to memory of 1912 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_a5c3e51af0f819cc57915691653a3782_cobalt-strike_cobaltstrike.exe C:\Windows\System\bWWgvcf.exe
PID 2076 wrote to memory of 1912 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_a5c3e51af0f819cc57915691653a3782_cobalt-strike_cobaltstrike.exe C:\Windows\System\bWWgvcf.exe
PID 2076 wrote to memory of 1912 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_a5c3e51af0f819cc57915691653a3782_cobalt-strike_cobaltstrike.exe C:\Windows\System\bWWgvcf.exe
PID 2076 wrote to memory of 1936 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_a5c3e51af0f819cc57915691653a3782_cobalt-strike_cobaltstrike.exe C:\Windows\System\vFgYBMD.exe
PID 2076 wrote to memory of 1936 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_a5c3e51af0f819cc57915691653a3782_cobalt-strike_cobaltstrike.exe C:\Windows\System\vFgYBMD.exe
PID 2076 wrote to memory of 1936 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_a5c3e51af0f819cc57915691653a3782_cobalt-strike_cobaltstrike.exe C:\Windows\System\vFgYBMD.exe
PID 2076 wrote to memory of 2296 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_a5c3e51af0f819cc57915691653a3782_cobalt-strike_cobaltstrike.exe C:\Windows\System\wASbZHD.exe
PID 2076 wrote to memory of 2296 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_a5c3e51af0f819cc57915691653a3782_cobalt-strike_cobaltstrike.exe C:\Windows\System\wASbZHD.exe
PID 2076 wrote to memory of 2296 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_a5c3e51af0f819cc57915691653a3782_cobalt-strike_cobaltstrike.exe C:\Windows\System\wASbZHD.exe
PID 2076 wrote to memory of 924 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_a5c3e51af0f819cc57915691653a3782_cobalt-strike_cobaltstrike.exe C:\Windows\System\pCXZxAZ.exe
PID 2076 wrote to memory of 924 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_a5c3e51af0f819cc57915691653a3782_cobalt-strike_cobaltstrike.exe C:\Windows\System\pCXZxAZ.exe
PID 2076 wrote to memory of 924 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_a5c3e51af0f819cc57915691653a3782_cobalt-strike_cobaltstrike.exe C:\Windows\System\pCXZxAZ.exe
PID 2076 wrote to memory of 1952 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_a5c3e51af0f819cc57915691653a3782_cobalt-strike_cobaltstrike.exe C:\Windows\System\FAKJbhW.exe
PID 2076 wrote to memory of 1952 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_a5c3e51af0f819cc57915691653a3782_cobalt-strike_cobaltstrike.exe C:\Windows\System\FAKJbhW.exe
PID 2076 wrote to memory of 1952 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_a5c3e51af0f819cc57915691653a3782_cobalt-strike_cobaltstrike.exe C:\Windows\System\FAKJbhW.exe
PID 2076 wrote to memory of 2004 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_a5c3e51af0f819cc57915691653a3782_cobalt-strike_cobaltstrike.exe C:\Windows\System\dkdGzTS.exe
PID 2076 wrote to memory of 2004 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_a5c3e51af0f819cc57915691653a3782_cobalt-strike_cobaltstrike.exe C:\Windows\System\dkdGzTS.exe
PID 2076 wrote to memory of 2004 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_a5c3e51af0f819cc57915691653a3782_cobalt-strike_cobaltstrike.exe C:\Windows\System\dkdGzTS.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-05-30_a5c3e51af0f819cc57915691653a3782_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-05-30_a5c3e51af0f819cc57915691653a3782_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\UOOWrwe.exe

C:\Windows\System\UOOWrwe.exe

C:\Windows\System\gQNCKhL.exe

C:\Windows\System\gQNCKhL.exe

C:\Windows\System\pyMYmdH.exe

C:\Windows\System\pyMYmdH.exe

C:\Windows\System\bhREUZL.exe

C:\Windows\System\bhREUZL.exe

C:\Windows\System\aKDiwYx.exe

C:\Windows\System\aKDiwYx.exe

C:\Windows\System\PFzrQhT.exe

C:\Windows\System\PFzrQhT.exe

C:\Windows\System\JqtoSHv.exe

C:\Windows\System\JqtoSHv.exe

C:\Windows\System\HowbUBN.exe

C:\Windows\System\HowbUBN.exe

C:\Windows\System\bRKwjIi.exe

C:\Windows\System\bRKwjIi.exe

C:\Windows\System\Qjkfwqb.exe

C:\Windows\System\Qjkfwqb.exe

C:\Windows\System\bCnjVAi.exe

C:\Windows\System\bCnjVAi.exe

C:\Windows\System\lcLKFqj.exe

C:\Windows\System\lcLKFqj.exe

C:\Windows\System\vgskgtR.exe

C:\Windows\System\vgskgtR.exe

C:\Windows\System\tJXdxVE.exe

C:\Windows\System\tJXdxVE.exe

C:\Windows\System\prJbugS.exe

C:\Windows\System\prJbugS.exe

C:\Windows\System\bWWgvcf.exe

C:\Windows\System\bWWgvcf.exe

C:\Windows\System\vFgYBMD.exe

C:\Windows\System\vFgYBMD.exe

C:\Windows\System\wASbZHD.exe

C:\Windows\System\wASbZHD.exe

C:\Windows\System\pCXZxAZ.exe

C:\Windows\System\pCXZxAZ.exe

C:\Windows\System\FAKJbhW.exe

C:\Windows\System\FAKJbhW.exe

C:\Windows\System\dkdGzTS.exe

C:\Windows\System\dkdGzTS.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp

Files

memory/2076-0-0x000000013F140000-0x000000013F494000-memory.dmp

memory/2076-1-0x00000000002F0000-0x0000000000300000-memory.dmp

\Windows\system\UOOWrwe.exe

MD5 ac800244d52b83366a65b8ec250a1b5d
SHA1 fc657f7b4d6b7ee334bdf77821b8cd8e489eb87a
SHA256 2e3093313dd5169755d7291923c8492694e4a284d62245bb4a7d095f95693dbd
SHA512 1cdf011b2ac8bcaddce472ad9414bd345d415b93783f536b6071ae6035901da0637cb16d00d9ab151921b46a86fbef6d16d74cc5090b120986d625fd8d18260d

memory/1448-9-0x000000013FA60000-0x000000013FDB4000-memory.dmp

memory/2076-8-0x000000013FA60000-0x000000013FDB4000-memory.dmp

\Windows\system\gQNCKhL.exe

MD5 f5e323da8a2a8a1814482fa16723ec21
SHA1 613a4f3ea4a5543bed8b82d2d7c00397eb9cb0df
SHA256 afb114edc939ae87619fa52e61a26f3e6f5665a9853c89f8dc25f6ea819ec6e8
SHA512 cad36c66c4b3ec65fb5e8439e6835cb765a9f9d93fcf4c82cabb82db80dd691a7cd82c0a1bc3ecabced708cabbf3946fb684f3ee8aff92042201ff86d078b0c6

memory/2076-15-0x000000013FAD0000-0x000000013FE24000-memory.dmp

C:\Windows\system\pyMYmdH.exe

MD5 6c3ba9c16b9b80e7d04c894cd7c4c5f2
SHA1 7979df1b91c2f2b1f5e5a02c93bc3fe30a9cad0d
SHA256 7d575f93b53e812b62b19b409f770043cd64c47cef3a795ba1b380f728f26413
SHA512 814e6f1a370d16836a57d62ab155ffd177aa8d54fb336c4a48398b1cb259278b07592753a995b199b3f5d5c71e412fdb0b00c1f9ec59202def73c401d8b571e4

memory/2460-25-0x000000013FCC0000-0x0000000140014000-memory.dmp

memory/2076-34-0x000000013F990000-0x000000013FCE4000-memory.dmp

C:\Windows\system\PFzrQhT.exe

MD5 93f27a8e0598b3a5e7397c8f537879b6
SHA1 8fee760abecdd5772de6e0b4c03d88519afd3704
SHA256 9921c75aeed4bfd87f07a27485a2e6514cca57fccc6d1bf31c489fc10101732a
SHA512 6114562a0788d98e7bf48716dbe8a9fdecad46c8478bbbef4938442dfb80dc1b8eabc3d306bbe2760f84598d54a60c67da4b072bf845fb111d9f3bd97efea3ce

memory/2076-38-0x0000000002370000-0x00000000026C4000-memory.dmp

memory/2572-40-0x000000013F1D0000-0x000000013F524000-memory.dmp

C:\Windows\system\aKDiwYx.exe

MD5 083118b379b6f992a3bdee9e5d760376
SHA1 f4667ad557a7dd199059ad328c7ea6d7238d4b86
SHA256 9a3088728eb5be5321ab67807e098d59fb8f3b3299f10f01328a152f738a6bdc
SHA512 31bc55f2597ddfc9504c491971f7e0159dec99c9b233b488db56bfdc65c4730c13e7ba8deea56150fd33d532cdf85ea303f7fc68f829c1cea7c1746f555bd170

memory/2860-32-0x000000013F940000-0x000000013FC94000-memory.dmp

memory/2900-43-0x000000013F990000-0x000000013FCE4000-memory.dmp

memory/2076-28-0x000000013F940000-0x000000013FC94000-memory.dmp

C:\Windows\system\bhREUZL.exe

MD5 8f3d0ddd36710c5f9fff1de3b2202e27
SHA1 7c1959763ca65336700144be1b9361dbf67f77fe
SHA256 656ddfef9648a66cdb78704234cf443ce2e8a9885a98f87db5af930b9c53042d
SHA512 81ae9dcd24a1b2b786b34fac9c6bbca0ecc803c5eeaac9f5daa3b4093b8f04ace6d7a2d3726890ec5b2c1219aa8b9516cf8bfcfefc02ccfdddd5a45c153f133e

memory/2076-42-0x000000013F140000-0x000000013F494000-memory.dmp

memory/1740-18-0x000000013FAD0000-0x000000013FE24000-memory.dmp

C:\Windows\system\HowbUBN.exe

MD5 e659c6db3de80055beb5facba480845d
SHA1 5d91ecda266a1347653d3d98bd875665e544a7a4
SHA256 4d6df361e4f190e9c03b23f17c3934a3aef5d1ec559ceeb684f20ad434fc2569
SHA512 d2b0accc1d546ef7318972c2421f6d9f4bb426166df6c59121659916561fab22b1fd43e51addf1ece2caf0c9e0e957dcdcd71c8f5d78e76cdcd44f368aa65511

\Windows\system\JqtoSHv.exe

MD5 6cde515b20ef3645433ad15c1ecf2876
SHA1 fdec5c77f9891303af0a8cf32c25c74aed600872
SHA256 1ee4b0cb7761736f0d5c89f0b90f29e4ef3196510b6603c3004dfcfd9d75957e
SHA512 67b3cbd5f4888d5a75a52cfd397ca1570f98a4ff09a938e6dfbc17c04ea7fc1544adf2b002284fc2d3cb132d35e062f0641a0c670eb0dcdadb256c5fa0aa8c5f

\Windows\system\Qjkfwqb.exe

MD5 fa4a899a230e1388e2d5c0ebe92fa593
SHA1 8160ba5dbded5682825f2348e59700cd18505972
SHA256 e7a38c51e4c86daf975c1d2f45206cb36315702b0f9ad1f7e7753183d51b26ca
SHA512 7dc69da7b44483b42ca5dab10fddee34e4853977166eed791a83459c5496c8c976fce23a31e4673ff8d18321fc8371d76c7f52fe6d098123e499a612d10fb470

memory/2076-61-0x000000013FBE0000-0x000000013FF34000-memory.dmp

memory/2076-71-0x000000013F7F0000-0x000000013FB44000-memory.dmp

memory/2708-58-0x000000013F0B0000-0x000000013F404000-memory.dmp

\Windows\system\lcLKFqj.exe

MD5 cc97d2268af2c6b5d3abe07e2808c6c0
SHA1 e1ab240913ffed334e018cf793514cb6167cfeae
SHA256 b25de339d1e59b67ae1e711c93372e5b1c2d0586cd17359c64c382a78d354d9c
SHA512 c51cedde3190004f525e5e1f704f207e8c33e2ab02f8635992fff101fa6a44761ecb68d8c864534bd43cb2296c671e0971df45c77c7af48fab8e396ee8d4ae4d

memory/2396-85-0x000000013F230000-0x000000013F584000-memory.dmp

memory/2076-86-0x000000013F930000-0x000000013FC84000-memory.dmp

memory/2788-89-0x000000013F930000-0x000000013FC84000-memory.dmp

memory/2548-76-0x000000013F7F0000-0x000000013FB44000-memory.dmp

C:\Windows\system\tJXdxVE.exe

MD5 cc5e14829b3b1dfbc0014976c5b7b0b7
SHA1 4223b78096d5b18e9bbded6b634f27f3b365842a
SHA256 d8ab7ded4a5c9346a09f71272c7c0babee4e572ae3378abe27bed36f080c582f
SHA512 b9f09dfbe14315f7032e27d4585219d2f196c583d556c4fccc2f0d40b90f7f4424a15beb70abac8f8cae1fbf003c84d953cd0e90bfd9f85ae589c1feac895c47

memory/2900-107-0x000000013F990000-0x000000013FCE4000-memory.dmp

C:\Windows\system\wASbZHD.exe

MD5 8d77c814e42fb7fae56218cbfb6f6315
SHA1 224fb1f8ef5c9f7327b11e9948933e216a913ad1
SHA256 8983892b024e8c292090ed98e5b4b4f48d56c6d074e8cdb46c7853c9476ce1e8
SHA512 7e70f8a14ebd82c000ab2a681abcaf26f53e578b4700d43cd7b00c3ea495ccffacec5eaadc5bbac2c856bd406becd9880311577aaeb16b7621815106eaa59841

C:\Windows\system\vFgYBMD.exe

MD5 88ce6abebef73de5ae7a0d4294b1bcc8
SHA1 5a757a4f1847380f381bac71ce6a89b98db0e758
SHA256 e290949bdec1069511091e25243a006b256f6e586899c23ded68f3a834efada8
SHA512 bd894a3039f0f3b6c3a3d8b6195a41345bac677eb18ff7277e0dd39da3f3bed9ffe0120bab51564a106a9b8a292fda585f0c2861cce8dce71baf2764c31d27bf

C:\Windows\system\FAKJbhW.exe

MD5 c47e7c3a73a7bca0801b9ab3a9941e16
SHA1 133e8f73342bfbf4166a083c9571b1c9d9e5504b
SHA256 f6396009fb520a09b45b025d9aecbf7be917bf7bb96f87418699224a6afebbcc
SHA512 07fa32a130e8cfa8d486ed5f50c0ad91687c0642783d0d212fa33259c70b13ab817e8fd242db567a4281fac40ab10b3fb492028f479ed296e53ea872d104d058

\Windows\system\dkdGzTS.exe

MD5 e68d570bcb1186b31969d75fc4a7fcfb
SHA1 88072c9744d13f1e661c74b55e3b0903ebffa451
SHA256 1134b7db985557ac17aa4dad8016aa074db6f59623defc46bb0d491cf45342a7
SHA512 850b8fca4d8b9a3ee51bdd654d75bd95b3f8e8b3b6317aaba60fed9c85e90530702f580b64fbf9c14ba83dc334fe21dd44ae3e33c4cf46d0204ea603c5347e09

C:\Windows\system\pCXZxAZ.exe

MD5 fad367bf24506ebeec035c2c8b367328
SHA1 087250cb9c704845d9723f6e05a9acf074ec89a9
SHA256 d035287c078c729fc22012f53179f0f83241119f651b99b4ace3ea1a885c8e28
SHA512 e9d0382aeaaff55513f0299d7da7da49c8a8e9268fb4513dfadc2e87d7102de3304615717de01efe70a89d2fe7802d40fb252039c74ea59980dc815470aa1b28

memory/2708-138-0x000000013F0B0000-0x000000013F404000-memory.dmp

\Windows\system\vFgYBMD.exe

MD5 6fb6863d9548f3879b1ba1b64fc45a68
SHA1 0dc40616de903c417cc9a8b581f9078af09ea60a
SHA256 b26b72ca0ef6d18aef032253470a78a13f48dcd486b2eb6e1570c96324293e82
SHA512 cf09c13915872b96dcf1f62eac8174c1c1dfa4aabd64fb9272008df1f24e451a988f1edb48cb6ca8b7ef84d58508cf13cc3d0e709b84acf2687dd5617c6c3a61

C:\Windows\system\prJbugS.exe

MD5 ae2d75dfdacee0a1a1e94576de63b7e9
SHA1 a49e92858b37706a7f56fa34de4ceee5ba04c552
SHA256 71c6ce3d6f8ca1777416fac62a7597b095bf4b213599359389c713830b5f96c9
SHA512 fcc9cc82a0b2ecbaf101f5513a6457900517e2e3df03259a0aca72b92aa8919edd5a28700ef355af970da40d6c82c033664ecd043bbcc3ecbbafea8001adacf1

C:\Windows\system\bWWgvcf.exe

MD5 aa7e1139afb439c92f6ce11919f6ee97
SHA1 b3f38c64f65a38f63c074315a663ac68799954c7
SHA256 b0a18a6bfa0f85d6e8df2917df79440b78bacb509600b5061cd5c6dfe8b7eb70
SHA512 01b9a9b0a26d48d523416f88cdd6e02678c85f95da29d4df75107fdac974e4f2c51130de78c0b87d8fcfe9dd6f01bfa7890d1105c65548235c152c065c2a77b2

memory/676-100-0x000000013FA30000-0x000000013FD84000-memory.dmp

memory/2076-99-0x000000013FA30000-0x000000013FD84000-memory.dmp

memory/2304-94-0x000000013F160000-0x000000013F4B4000-memory.dmp

memory/2076-93-0x0000000002370000-0x00000000026C4000-memory.dmp

C:\Windows\system\vgskgtR.exe

MD5 90348cf666f88e62a8112bbab36375c9
SHA1 1eab0025c4244974cb1f490a7a6b4ab4b352a01e
SHA256 09da4a6752ad85d18e0bca4fde8070c1b826db80bff3c50295689a9d22a114a5
SHA512 c7b5e3d81049ee5b768a85a9389e322b31ef8f68786a4d3f7b942f53e4c52732164dcd2777c78e05a25436fb8338f23c9d1c96f5e013ac05701bcc30d15b44ef

C:\Windows\system\bCnjVAi.exe

MD5 e8619c62d864d51832d8864cfa8da213
SHA1 bb5125bba20c9f315a0dc71d7675fa795efd7862
SHA256 a3c936fdee8c29924fc7cb9f0b814b658f9e34aab968cc767869633d3e865a16
SHA512 06a035f37a11a06330ce1391abaca49501ce0035b234d2a69b2d45ba49f382cd7c33e8fae85f87aa1677b17028cd779ca94a1ef8e6a5588f706ee2eb50f07dd0

memory/2076-78-0x0000000002370000-0x00000000026C4000-memory.dmp

memory/2400-77-0x000000013FB80000-0x000000013FED4000-memory.dmp

memory/2076-139-0x000000013FBE0000-0x000000013FF34000-memory.dmp

memory/2860-81-0x000000013F940000-0x000000013FC94000-memory.dmp

\Windows\system\bRKwjIi.exe

MD5 344a818e29aef3d5295fe4b6787bdf1f
SHA1 45662062bb0380349dace45690151e6a8df1d307
SHA256 9039a390a12ac41b0bde23dc3561364ae329bf25f866b3aa3ae487d0d873102d
SHA512 27bcbfb69b89c5677b24dbc8c90ff96c06eeb7d7a57250070df1e2593a76b95ab7766d155a8cf84ba14b6a3bce3b8b067e90edd78b34a21e81ab37e2313d6edb

Analysis: behavioral2

Detonation Overview

Submitted 2024-05-30 10:08

Reported 2024-05-30 10:10

Platform win10v2004-20240508-en

Max time kernel 149s

Max time network 156s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-05-30_a5c3e51af0f819cc57915691653a3782_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\IxgPcMp.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_a5c3e51af0f819cc57915691653a3782_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\nwXXsJd.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_a5c3e51af0f819cc57915691653a3782_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\dEnICeO.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_a5c3e51af0f819cc57915691653a3782_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\wsTwOyh.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_a5c3e51af0f819cc57915691653a3782_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\TJXrmtH.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_a5c3e51af0f819cc57915691653a3782_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\jUaQUaX.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_a5c3e51af0f819cc57915691653a3782_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\AXtsGhz.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_a5c3e51af0f819cc57915691653a3782_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\bbKodxP.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_a5c3e51af0f819cc57915691653a3782_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\NqACPsp.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_a5c3e51af0f819cc57915691653a3782_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\flBawAm.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_a5c3e51af0f819cc57915691653a3782_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\UizYDiY.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_a5c3e51af0f819cc57915691653a3782_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\lcCjZzI.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_a5c3e51af0f819cc57915691653a3782_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\qbimJYp.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_a5c3e51af0f819cc57915691653a3782_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\tZzoSvc.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_a5c3e51af0f819cc57915691653a3782_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\cOAyBKV.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_a5c3e51af0f819cc57915691653a3782_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\HhPiUyN.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_a5c3e51af0f819cc57915691653a3782_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\sDaTOWM.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_a5c3e51af0f819cc57915691653a3782_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\qtbjpxW.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_a5c3e51af0f819cc57915691653a3782_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\bgITswr.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_a5c3e51af0f819cc57915691653a3782_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\jpZZCci.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_a5c3e51af0f819cc57915691653a3782_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\GUxYnfn.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_a5c3e51af0f819cc57915691653a3782_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_a5c3e51af0f819cc57915691653a3782_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3172 wrote to memory of 4920 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_a5c3e51af0f819cc57915691653a3782_cobalt-strike_cobaltstrike.exe C:\Windows\System\bbKodxP.exe
PID 3172 wrote to memory of 3352 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_a5c3e51af0f819cc57915691653a3782_cobalt-strike_cobaltstrike.exe C:\Windows\System\NqACPsp.exe
PID 3172 wrote to memory of 3492 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_a5c3e51af0f819cc57915691653a3782_cobalt-strike_cobaltstrike.exe C:\Windows\System\HhPiUyN.exe
PID 3172 wrote to memory of 1880 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_a5c3e51af0f819cc57915691653a3782_cobalt-strike_cobaltstrike.exe C:\Windows\System\jpZZCci.exe
PID 3172 wrote to memory of 4044 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_a5c3e51af0f819cc57915691653a3782_cobalt-strike_cobaltstrike.exe C:\Windows\System\GUxYnfn.exe
PID 3172 wrote to memory of 4100 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_a5c3e51af0f819cc57915691653a3782_cobalt-strike_cobaltstrike.exe C:\Windows\System\bgITswr.exe
PID 3172 wrote to memory of 2444 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_a5c3e51af0f819cc57915691653a3782_cobalt-strike_cobaltstrike.exe C:\Windows\System\dEnICeO.exe
PID 3172 wrote to memory of 2928 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_a5c3e51af0f819cc57915691653a3782_cobalt-strike_cobaltstrike.exe C:\Windows\System\sDaTOWM.exe
PID 3172 wrote to memory of 4980 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_a5c3e51af0f819cc57915691653a3782_cobalt-strike_cobaltstrike.exe C:\Windows\System\flBawAm.exe
PID 3172 wrote to memory of 4852 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_a5c3e51af0f819cc57915691653a3782_cobalt-strike_cobaltstrike.exe C:\Windows\System\wsTwOyh.exe
PID 3172 wrote to memory of 1064 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_a5c3e51af0f819cc57915691653a3782_cobalt-strike_cobaltstrike.exe C:\Windows\System\UizYDiY.exe
PID 3172 wrote to memory of 2412 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_a5c3e51af0f819cc57915691653a3782_cobalt-strike_cobaltstrike.exe C:\Windows\System\lcCjZzI.exe
PID 3172 wrote to memory of 4048 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_a5c3e51af0f819cc57915691653a3782_cobalt-strike_cobaltstrike.exe C:\Windows\System\IxgPcMp.exe
PID 3172 wrote to memory of 2060 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_a5c3e51af0f819cc57915691653a3782_cobalt-strike_cobaltstrike.exe C:\Windows\System\qbimJYp.exe
PID 3172 wrote to memory of 1804 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_a5c3e51af0f819cc57915691653a3782_cobalt-strike_cobaltstrike.exe C:\Windows\System\nwXXsJd.exe
PID 3172 wrote to memory of 1800 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_a5c3e51af0f819cc57915691653a3782_cobalt-strike_cobaltstrike.exe C:\Windows\System\tZzoSvc.exe
PID 3172 wrote to memory of 3312 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_a5c3e51af0f819cc57915691653a3782_cobalt-strike_cobaltstrike.exe C:\Windows\System\cOAyBKV.exe
PID 3172 wrote to memory of 4880 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_a5c3e51af0f819cc57915691653a3782_cobalt-strike_cobaltstrike.exe C:\Windows\System\qtbjpxW.exe
PID 3172 wrote to memory of 2028 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_a5c3e51af0f819cc57915691653a3782_cobalt-strike_cobaltstrike.exe C:\Windows\System\TJXrmtH.exe
PID 3172 wrote to memory of 4556 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_a5c3e51af0f819cc57915691653a3782_cobalt-strike_cobaltstrike.exe C:\Windows\System\jUaQUaX.exe
PID 3172 wrote to memory of 3472 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_a5c3e51af0f819cc57915691653a3782_cobalt-strike_cobaltstrike.exe C:\Windows\System\AXtsGhz.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-05-30_a5c3e51af0f819cc57915691653a3782_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-05-30_a5c3e51af0f819cc57915691653a3782_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\bbKodxP.exe

C:\Windows\System\NqACPsp.exe

C:\Windows\System\HhPiUyN.exe

C:\Windows\System\jpZZCci.exe

C:\Windows\System\GUxYnfn.exe

C:\Windows\System\bgITswr.exe

C:\Windows\System\dEnICeO.exe

C:\Windows\System\sDaTOWM.exe

C:\Windows\System\flBawAm.exe

C:\Windows\System\wsTwOyh.exe

C:\Windows\System\UizYDiY.exe

C:\Windows\System\lcCjZzI.exe

C:\Windows\System\IxgPcMp.exe

C:\Windows\System\qbimJYp.exe

C:\Windows\System\nwXXsJd.exe

C:\Windows\System\tZzoSvc.exe

C:\Windows\System\cOAyBKV.exe

C:\Windows\System\qtbjpxW.exe

C:\Windows\System\TJXrmtH.exe

C:\Windows\System\jUaQUaX.exe

C:\Windows\System\AXtsGhz.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 2.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
DE 3.120.209.58:8080 N/A tcp
BE 2.17.196.170:443 www.bing.com tcp
US 8.8.8.8:53 170.196.17.2.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 17.173.189.20.in-addr.arpa udp

Files

memory/3172-0-0x00007FF6B0BD0000-0x00007FF6B0F24000-memory.dmp

memory/3172-1-0x0000022F96620000-0x0000022F96630000-memory.dmp

C:\Windows\System\bbKodxP.exe

MD5 40bcbe39f295f29201c17c940359762c
SHA1 f08ad1070eae6bcc1bc32f496870c37563c5f966
SHA256 f5605bc2f4651e2bdcab129a940c86ff8555804fb60d64e3d337dd1bd9676c62
SHA512 4274c30ba59ca2c90b6e4f89d982174643fb54c3e5b552ef0fc5246dcf8d9ba723de0b0920d74cc59bd085bece4cc6d0ecc21949fc94c630bd61edda3deaaa2b

memory/4920-8-0x00007FF7EB340000-0x00007FF7EB694000-memory.dmp

C:\Windows\System\NqACPsp.exe

MD5 b01fc97147579a911c2b0074fb4f22f5
SHA1 ace031722bafdb74db8df3d4b48358b1eed35677
SHA256 8a36eb3a6a129c807334fde1d31fb312d7637375ec14ff7d153186becae2e60e
SHA512 e6a1de64d17724ee92c30daad5b58e73d157fa1ae9890d48383e047abc57d98de9946c26557ac2702ccb4cbd66913e78228009b441aaeaec7f13f90c0a6d3ce7

memory/3352-14-0x00007FF754C40000-0x00007FF754F94000-memory.dmp

C:\Windows\System\HhPiUyN.exe

MD5 749febe6f6778917a0b09963e2211604
SHA1 534d8cbbcb22eb0f93afecfe0b8ccdd320252c99
SHA256 a9438cd4e147333c80ee5fc2fefbed939173c0c9e9db483d0455525eccdd14bf
SHA512 9f452d8288b2f5b669ed1c519afe8ac85262aced7f80ec55363efc160cb808efa370f766bdfdad37219ef5491eb77c699074642e5a6db3a969fff66a1985262e

memory/3492-19-0x00007FF72E8C0000-0x00007FF72EC14000-memory.dmp

C:\Windows\System\jpZZCci.exe

MD5 7859d03b168486300154652f1c18812a
SHA1 2ad358d94ae23e279c7d1498fc3754d93a460b31
SHA256 8784b0028659dd6802108515a69ba5e384eded4b21dc56a81b0e31b95742d59d
SHA512 47373d2f559906299e92a85df86770cd74d9e6667530bcc4b0a673a2f6c41d0199c02d129567f7587d60e3409f66bf96b9bd8b3c951bad162d0f52b93d952eaa

C:\Windows\System\GUxYnfn.exe

MD5 55db93c6da49b777865efa4258b0bb5c
SHA1 4ae080661899e9e4ac9b8a1f7f7fb1a70cc6efd4
SHA256 350b1714e377315aca6718582de8d7f47f422e1d86371be247548866cd1f4e6b
SHA512 d508b4175ba664e9e668f378d13095ddf7d27fa9bef0a625b2daac6ef5c6cf629e79feb22046f92ef2eaf4a64bc914d2aa0d08d02e375608f145a95ffc59dfce

C:\Windows\System\bgITswr.exe

MD5 b07531bfeab0985a169ad74048e88d5b
SHA1 7955eb247168845e61ae3a61c596d1873818a9f7
SHA256 49335cb00d0b9d045c0fcf0f7aa313c176f54c99410f51bf42ec765f38271dd9
SHA512 de4318ef14454738d56f396c31a78da3b67a12e5cc3310abf6d0638e60675a90032940e1c09f012ea010142a8b62f5f47f35e9a520f43fd73d0176db2a7cd8de

C:\Windows\System\dEnICeO.exe

MD5 d48034fca1f737ec49ed5e36232efadd
SHA1 cf874fd31b3c1a7343793b65a3b6c291ed68e40c
SHA256 a3ac9fefc659878cee66b4ad61a616bf058e10197e336eee777ba3cf7b898ea4
SHA512 dd22cbe1bbff9c72d09fbb1893191ec16d56940fa37fc08da61f3309d142d0b490b7ce321391fce1435723501b9d5a4fd95cedd4eefbdc6f0c683c36b6eb7ec0

memory/2444-42-0x00007FF7FC970000-0x00007FF7FCCC4000-memory.dmp

memory/4100-38-0x00007FF757A80000-0x00007FF757DD4000-memory.dmp

memory/4044-32-0x00007FF642C00000-0x00007FF642F54000-memory.dmp

memory/1880-27-0x00007FF771E80000-0x00007FF7721D4000-memory.dmp

C:\Windows\System\sDaTOWM.exe

MD5 d2b7071acb4aef4c9754b7fd1662dc54
SHA1 5038e906ec19a5fa95890d5836a1f4e26747d4f0
SHA256 a59075a653786a5d08336bc7b30deca2efe0141d3cfcc5f6ca1eaa51d28a3d2d
SHA512 a4c7d131d95cac313bf5e17a07e2eb87a5ee48aa0b6ff86518973dd6fbe032999277208074b50517576f5ab39c6e224accd503cff73df625bd4da5bdb01c8109

memory/2928-50-0x00007FF659B50000-0x00007FF659EA4000-memory.dmp

C:\Windows\System\flBawAm.exe

MD5 6475d4faf52977c590a6a39973b72b5c
SHA1 65440200cabbc91284b70a606044944a3250d3af
SHA256 2f700889f04be0a18dd311375cfcd24b88f3325bb14ddfaa44677fd4adf06a7e
SHA512 651ece66490a92f161d759bca0e17eefdc814bbb956a01b2e069caf2dc3f20387f487c511570556fe4457268ebb638bf3a9f8190dc527cb44c03722655d293b9

memory/4980-56-0x00007FF7E7180000-0x00007FF7E74D4000-memory.dmp

C:\Windows\System\wsTwOyh.exe

MD5 40392ed3eafe452b1cde33070dc1ac14
SHA1 07911dbf76b58c4412ea74fcc846925b3d979c09
SHA256 e5a033e65e07826c7da44663bfd884da9af36c088e6f9d9f71e16df0e113f2f0
SHA512 94a99916623302047ca56ed228f1bc354f24d2db24b1b168ab73cdd60b1e3411697ed86ac59b44ad30211cd2b799ff64fa4e3437dc398eaf0445d6f7f8cb017b

C:\Windows\System\UizYDiY.exe

MD5 3983d47249c7988fba32548584036300
SHA1 ef9ace1ee6237a9f30f39cd59860f68969b893eb
SHA256 556530f5028383a911a38d0a8a65c84b8b73b1cf27aee9088a7cb8f933ac06da
SHA512 bc7644c5d0a394e58e66fc176b71de8d35a2d1c56c6cd69d4a595f2f0706bea451cdb0473a4ad4b58042aeec89752c8f4f2293fe23bc785825a59f9b97ed398d

C:\Windows\System\lcCjZzI.exe

MD5 433b845823c3d3d79ffd1adc65fb7080
SHA1 3c3cf184e3b0d5baeb8c9a86f52df033642d94fa
SHA256 e599b9cf4be748b24e42ede46fd4ae030ead8e6468c1320e7a69d403c6854fc5
SHA512 0236dcdac0ff8ce635aeb99217587ae2d7fb40afed140eb3c8bd84e854ab16a6e96482e16179333049dc72ab0799331455ca0a77e2a7eacdc4dcf31a3070d605

memory/1064-71-0x00007FF735280000-0x00007FF7355D4000-memory.dmp

memory/4852-68-0x00007FF6F5300000-0x00007FF6F5654000-memory.dmp

memory/3172-63-0x00007FF6B0BD0000-0x00007FF6B0F24000-memory.dmp

memory/2412-75-0x00007FF702E00000-0x00007FF703154000-memory.dmp

C:\Windows\System\qbimJYp.exe

MD5 afcd9a96b7281dd67b88eefac8a1ec1e
SHA1 3714279fc541208667445ecf5664dc04cebe6319
SHA256 8562edbc16fbfcdade90779a36e6faee5dee10da7757a80bd11a248e3084c6f9
SHA512 050e0a2688066025f8ac5e377913eb389885dbf01f6d0bb8785b84f0cc710a46e6f380616dd3426d7e3633b4e2a6b772612283e497362af259b4b610fd0ab2be

memory/4048-83-0x00007FF757340000-0x00007FF757694000-memory.dmp

memory/2060-85-0x00007FF6EC640000-0x00007FF6EC994000-memory.dmp

C:\Windows\System\tZzoSvc.exe

MD5 90813efd2902baa2e06dbb80f1c2e6c6
SHA1 7aecd6675b64a9fd3a8d97fdb3654deb3d8d9482
SHA256 8fa2bfb4bde3fd2ce797be8fd144a8b13b84bc236c43d1adee380cdf93b4b2c2
SHA512 5b9e84d9ff51f504473c8ecbf9b9b11e2082f12954813a80b43655fc169a41b2b2ca8af46dd5c4e4c9854b2e90dbf2b3c4aa5527b16df3f0012646472f826274

memory/1804-94-0x00007FF7AD4C0000-0x00007FF7AD814000-memory.dmp

C:\Windows\System\nwXXsJd.exe

MD5 d870cdb51ddbceed433bf72210df0b43
SHA1 41a71ebabf017c71dd928fa5d853696c7f457778
SHA256 8907c32e365793065d36539de234a9843e62fed16d9a2f60ac8f32d47fbd8d86
SHA512 f5f71e4198c59b749e554b9242ea910f90219de86aee7d98c5b66a130abfbc6cdc00c6086ac8143563633bbb2a5e7e9303ceaf5a1b8c80a30e436c963d1b4990

memory/1800-95-0x00007FF78E700000-0x00007FF78EA54000-memory.dmp

C:\Windows\System\IxgPcMp.exe

MD5 523347c5b0d39daf8649a6efeb4ce2a1
SHA1 25b776db69d4a6d76dc389360af36e03dd2ea8c3
SHA256 13689654d31b5ddf532f38f3f7b45eb594f4d90e6846259cbc5afc5e774880c4
SHA512 077d8382c27ea11c05053b345cd36cb6bf14d147841e08f58caa6dd93745889beb6f52d97dec23ff1cdc9ffa7099c53cdcd8d53a29b78d213874051f683a7c98

C:\Windows\System\cOAyBKV.exe

MD5 7716eec0926b22e7caeb97e88af29f8d
SHA1 4c19d45b7681b9d85c064fca4f26c68444b15ac8
SHA256 59b05a0c5281d15938946f5b05ce5fe1379fa53dc9c38d39c5bc433df9b6496d
SHA512 28aa807610a399d3ee9ceaa06895b5d114db01e53d4e12a81e413f2ad53409e66f1d2daee9b9f3abe61bb110e42abe5402d5d5684137120579db6909c7cdd882

C:\Windows\System\TJXrmtH.exe

MD5 ac2d061f892774bbfc6e22bbe20d9e58
SHA1 b799d58164b338a2dfd4216b34f34ccb75e7dcd3
SHA256 e511693ccfb574b713e25832fffcbbccf2d94ee9bac8b83852d215bea8ad0bac
SHA512 4655337f81b9543875ba1fc6001db2c0220c1a0eaec564d02e5bed073332265a8942a591ef5acb992603ce24f9b8d44e865633b2fda23687210f9b04864e7e2b

memory/4556-124-0x00007FF6981B0000-0x00007FF698504000-memory.dmp

memory/3472-125-0x00007FF7BEF00000-0x00007FF7BF254000-memory.dmp

memory/2028-130-0x00007FF7F73E0000-0x00007FF7F7734000-memory.dmp

C:\Windows\System\jUaQUaX.exe

MD5 ea039885855ee5b41ce00e7db51d74ad
SHA1 fb88149530c1147353751110f7acc64208060d0f
SHA256 043a315ec6ca5e13504b04de7448c885fcf99adf846de148cf8d5383b622f97a
SHA512 005f58aeec8d239b662e654be54c130b6033503938fe2ac3d028d2a81b9ff5e0fbc47324527f32d1d5cecbbfe793c9dc5c9a45b04268ce59e3e94da9e5920d9c

C:\Windows\System\AXtsGhz.exe

MD5 d49c5f98e061980a29e4eb5d9cd83369
SHA1 0b525dd772f64ace428433dfb55e4b96ff3fe5e0
SHA256 83da504b65b3783bb453309d2fd3d0d6ef40b60c01d62525f5a41b1a897cfaf9
SHA512 fb64e2db3c74af021fba7421982e79743279026ed164ea6816fd281fcadf50a3b7c24c4dd4f3b8096a79a218f423ce75c3c6b71d8e476f53cd539985de26b0c3

memory/4880-121-0x00007FF61A3B0000-0x00007FF61A704000-memory.dmp

memory/2928-116-0x00007FF659B50000-0x00007FF659EA4000-memory.dmp

memory/2444-115-0x00007FF7FC970000-0x00007FF7FCCC4000-memory.dmp

C:\Windows\System\qtbjpxW.exe

MD5 677459433634cd69cb7b4998d25bdf65
SHA1 c00e52d25f5f3dabe8b387ca004c784606aea07e
SHA256 37f6515c5339847612fefba56438bb06fad292414d8a918f26ade7fb0c7b6d27
SHA512 1780f0e9e413d689be9e9de102d6a0ef6f92ed52182a97cd7183ef49177cf7eb2245fb3e853616cdf7a0093dd7586bfa5f9ecb60a9be54a380b141f5a7f2ec7c

memory/3312-105-0x00007FF62A240000-0x00007FF62A594000-memory.dmp
