Malware Analysis Report

2025-03-15 08:11

Sample ID 240530-l6tjkseg93
Target 2024-05-30_ac21948565285d29adf9cbc157cbeb02_cobalt-strike_cobaltstrike
SHA256 d725205e3d6765bc50db32dd189a745832cae07733055187fd5a8ea075c6c877
Tags
cobaltstrike xmrig 0 backdoor miner trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

d725205e3d6765bc50db32dd189a745832cae07733055187fd5a8ea075c6c877

Threat Level: Known bad

The file 2024-05-30_ac21948565285d29adf9cbc157cbeb02_cobalt-strike_cobaltstrike was found to be: Known bad.

Malicious Activity Summary

cobaltstrike xmrig 0 backdoor miner trojan upx

Detects Reflective DLL injection artifacts

XMRig Miner payload

Cobaltstrike family

UPX dump on OEP (original entry point)

Cobalt Strike reflective loader

Cobaltstrike

xmrig

Xmrig family

UPX packed file

Loads dropped DLL

Executes dropped EXE

Drops file in Windows directory

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-05-30 10:09

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike family

cobaltstrike

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Xmrig family

xmrig

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-30 10:09

Reported

2024-05-30 10:11

Platform

win7-20240508-en

Max time kernel

145s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-05-30_ac21948565285d29adf9cbc157cbeb02_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A (21 identical rows)

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A (21 identical rows)

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A (59 identical rows)

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A (64 identical rows)

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_ac21948565285d29adf9cbc157cbeb02_cobalt-strike_cobaltstrike.exe N/A (21 identical rows)

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A (59 identical rows)

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\ZShHjdm.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_ac21948565285d29adf9cbc157cbeb02_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\lzophDD.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_ac21948565285d29adf9cbc157cbeb02_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\PwfdURE.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_ac21948565285d29adf9cbc157cbeb02_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\bGaMdwP.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_ac21948565285d29adf9cbc157cbeb02_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\chNadLB.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_ac21948565285d29adf9cbc157cbeb02_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\bmZhzVT.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_ac21948565285d29adf9cbc157cbeb02_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\NJkImYx.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_ac21948565285d29adf9cbc157cbeb02_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ZlfEQTO.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_ac21948565285d29adf9cbc157cbeb02_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\vUhlVVq.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_ac21948565285d29adf9cbc157cbeb02_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\FaTpToB.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_ac21948565285d29adf9cbc157cbeb02_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\YGeDcBB.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_ac21948565285d29adf9cbc157cbeb02_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\XhbuoOi.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_ac21948565285d29adf9cbc157cbeb02_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\aMHbMOc.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_ac21948565285d29adf9cbc157cbeb02_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\CJKonhh.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_ac21948565285d29adf9cbc157cbeb02_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\aHSPhjy.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_ac21948565285d29adf9cbc157cbeb02_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\dBIVhFt.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_ac21948565285d29adf9cbc157cbeb02_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\QFLwidW.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_ac21948565285d29adf9cbc157cbeb02_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\yNUDeHc.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_ac21948565285d29adf9cbc157cbeb02_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\HHvfAZj.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_ac21948565285d29adf9cbc157cbeb02_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\kmASGIz.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_ac21948565285d29adf9cbc157cbeb02_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\iJwwNlu.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_ac21948565285d29adf9cbc157cbeb02_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_ac21948565285d29adf9cbc157cbeb02_cobalt-strike_cobaltstrike.exe N/A (2 identical rows)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2168 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_ac21948565285d29adf9cbc157cbeb02_cobalt-strike_cobaltstrike.exe C:\Windows\System\yNUDeHc.exe (3 identical rows)
PID 2168 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_ac21948565285d29adf9cbc157cbeb02_cobalt-strike_cobaltstrike.exe C:\Windows\System\CJKonhh.exe (3 identical rows)
PID 2168 wrote to memory of 3052 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_ac21948565285d29adf9cbc157cbeb02_cobalt-strike_cobaltstrike.exe C:\Windows\System\HHvfAZj.exe (3 identical rows)
PID 2168 wrote to memory of 2728 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_ac21948565285d29adf9cbc157cbeb02_cobalt-strike_cobaltstrike.exe C:\Windows\System\bGaMdwP.exe (3 identical rows)
PID 2168 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_ac21948565285d29adf9cbc157cbeb02_cobalt-strike_cobaltstrike.exe C:\Windows\System\chNadLB.exe (3 identical rows)
PID 2168 wrote to memory of 2632 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_ac21948565285d29adf9cbc157cbeb02_cobalt-strike_cobaltstrike.exe C:\Windows\System\bmZhzVT.exe (3 identical rows)
PID 2168 wrote to memory of 2540 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_ac21948565285d29adf9cbc157cbeb02_cobalt-strike_cobaltstrike.exe C:\Windows\System\NJkImYx.exe (3 identical rows)
PID 2168 wrote to memory of 1976 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_ac21948565285d29adf9cbc157cbeb02_cobalt-strike_cobaltstrike.exe C:\Windows\System\ZlfEQTO.exe (3 identical rows)
PID 2168 wrote to memory of 2568 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_ac21948565285d29adf9cbc157cbeb02_cobalt-strike_cobaltstrike.exe C:\Windows\System\vUhlVVq.exe (3 identical rows)
PID 2168 wrote to memory of 2980 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_ac21948565285d29adf9cbc157cbeb02_cobalt-strike_cobaltstrike.exe C:\Windows\System\ZShHjdm.exe (3 identical rows)
PID 2168 wrote to memory of 1988 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_ac21948565285d29adf9cbc157cbeb02_cobalt-strike_cobaltstrike.exe C:\Windows\System\aHSPhjy.exe (3 identical rows)
PID 2168 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_ac21948565285d29adf9cbc157cbeb02_cobalt-strike_cobaltstrike.exe C:\Windows\System\FaTpToB.exe (3 identical rows)
PID 2168 wrote to memory of 2972 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_ac21948565285d29adf9cbc157cbeb02_cobalt-strike_cobaltstrike.exe C:\Windows\System\kmASGIz.exe (3 identical rows)
PID 2168 wrote to memory of 1728 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_ac21948565285d29adf9cbc157cbeb02_cobalt-strike_cobaltstrike.exe C:\Windows\System\YGeDcBB.exe (3 identical rows)
PID 2168 wrote to memory of 1968 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_ac21948565285d29adf9cbc157cbeb02_cobalt-strike_cobaltstrike.exe C:\Windows\System\XhbuoOi.exe (3 identical rows)
PID 2168 wrote to memory of 1260 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_ac21948565285d29adf9cbc157cbeb02_cobalt-strike_cobaltstrike.exe C:\Windows\System\aMHbMOc.exe (3 identical rows)
PID 2168 wrote to memory of 2004 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_ac21948565285d29adf9cbc157cbeb02_cobalt-strike_cobaltstrike.exe C:\Windows\System\dBIVhFt.exe (3 identical rows)
PID 2168 wrote to memory of 1288 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_ac21948565285d29adf9cbc157cbeb02_cobalt-strike_cobaltstrike.exe C:\Windows\System\lzophDD.exe (3 identical rows)
PID 2168 wrote to memory of 1692 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_ac21948565285d29adf9cbc157cbeb02_cobalt-strike_cobaltstrike.exe C:\Windows\System\iJwwNlu.exe (3 identical rows)
PID 2168 wrote to memory of 2504 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_ac21948565285d29adf9cbc157cbeb02_cobalt-strike_cobaltstrike.exe C:\Windows\System\PwfdURE.exe (3 identical rows)
PID 2168 wrote to memory of 280 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_ac21948565285d29adf9cbc157cbeb02_cobalt-strike_cobaltstrike.exe C:\Windows\System\QFLwidW.exe (3 identical rows)

Processes

C:\Users\Admin\AppData\Local\Temp\2024-05-30_ac21948565285d29adf9cbc157cbeb02_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-05-30_ac21948565285d29adf9cbc157cbeb02_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\yNUDeHc.exe

C:\Windows\System\yNUDeHc.exe

C:\Windows\System\CJKonhh.exe

C:\Windows\System\CJKonhh.exe

C:\Windows\System\HHvfAZj.exe

C:\Windows\System\HHvfAZj.exe

C:\Windows\System\bGaMdwP.exe

C:\Windows\System\bGaMdwP.exe

C:\Windows\System\chNadLB.exe

C:\Windows\System\chNadLB.exe

C:\Windows\System\bmZhzVT.exe

C:\Windows\System\bmZhzVT.exe

C:\Windows\System\NJkImYx.exe

C:\Windows\System\NJkImYx.exe

C:\Windows\System\ZlfEQTO.exe

C:\Windows\System\ZlfEQTO.exe

C:\Windows\System\vUhlVVq.exe

C:\Windows\System\vUhlVVq.exe

C:\Windows\System\ZShHjdm.exe

C:\Windows\System\ZShHjdm.exe

C:\Windows\System\aHSPhjy.exe

C:\Windows\System\aHSPhjy.exe

C:\Windows\System\FaTpToB.exe

C:\Windows\System\FaTpToB.exe

C:\Windows\System\kmASGIz.exe

C:\Windows\System\kmASGIz.exe

C:\Windows\System\YGeDcBB.exe

C:\Windows\System\YGeDcBB.exe

C:\Windows\System\XhbuoOi.exe

C:\Windows\System\XhbuoOi.exe

C:\Windows\System\aMHbMOc.exe

C:\Windows\System\aMHbMOc.exe

C:\Windows\System\dBIVhFt.exe

C:\Windows\System\dBIVhFt.exe

C:\Windows\System\lzophDD.exe

C:\Windows\System\lzophDD.exe

C:\Windows\System\iJwwNlu.exe

C:\Windows\System\iJwwNlu.exe

C:\Windows\System\PwfdURE.exe

C:\Windows\System\PwfdURE.exe

C:\Windows\System\QFLwidW.exe

C:\Windows\System\QFLwidW.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 tcp (6 identical rows)

Files

memory/2168-0-0x00000000001F0000-0x0000000000200000-memory.dmp

memory/2168-2-0x000000013F130000-0x000000013F484000-memory.dmp

C:\Windows\system\yNUDeHc.exe

MD5 fd7eb81ca8d88c3e72dec4d80d4a09fe
SHA1 e04c58734636e497c6bf9225ebc9db7ed7c30997
SHA256 5e38857af697a59920b68fddbe7a0e8e3b892744e69ebde9598c6270e634f6ad
SHA512 39c9ac1460f40c142e0c15cb214124175f24de1d2e5d79f922bbc169b5afc9d15924c6dee1e54af08c151b04876e52db662333b8a7833a5f724c0a767cb6fea8

memory/2596-9-0x000000013F670000-0x000000013F9C4000-memory.dmp

memory/2168-8-0x000000013F670000-0x000000013F9C4000-memory.dmp

C:\Windows\system\CJKonhh.exe

MD5 9e94c92236c0b5c1fb2081f17c51476c
SHA1 633107062d209ab56e95ffc55ae4504732267182
SHA256 67e3e1b829a3fb9d64036128b4297a899e03324d54499248bc7a8ff27aefc5d5
SHA512 066094d1e5f16d4a0293a62d8cc8d6c1baa6a409bc25a62f05db4572117b03a165e82452d7b63e714760d6312f594e0b6bf90c5975398f38c635756feae5cdb3

memory/2168-14-0x000000013FA30000-0x000000013FD84000-memory.dmp

memory/2708-15-0x000000013FA30000-0x000000013FD84000-memory.dmp

C:\Windows\system\HHvfAZj.exe

MD5 36c952f3e15c30d5efd1f234ebb843c8
SHA1 e7075341f61c4052f6949c582fe1800d03cf1664
SHA256 653e73b78f974607b6f93c5c0cd763c3ef2c9acadbb141fd114304aaefb08eb1
SHA512 762c49a083138487f5c4ed6e6c62251dc89cfc4d4c6195f5eb826a266a4b2a00a30e763e7d115ad91d16e3c2813776a3964fb75cf82d236888471511ac247ee0

memory/3052-23-0x000000013F600000-0x000000013F954000-memory.dmp

memory/2168-22-0x000000013F600000-0x000000013F954000-memory.dmp

C:\Windows\system\bGaMdwP.exe

MD5 cab2b9f855a247b1e946d59429d36a1d
SHA1 c3dda8782c18faa0af616d452395bb91791e6879
SHA256 0215af8daf4bea1e5a0b279ba7ccb06543acb8d14d534d1f8f82770e6a50b950
SHA512 f43f24021fdf546ec65fcf238522e0b5fb2889cf7466b4e7f48439fdfd852d3991c6cad309e92566af4da260f13213fd3201502dcdfc6606331a36a09431915b

memory/2728-29-0x000000013FB90000-0x000000013FEE4000-memory.dmp

memory/2168-27-0x000000013FB90000-0x000000013FEE4000-memory.dmp

\Windows\system\bmZhzVT.exe

MD5 1d88dc59499c63a181c1aadf0c52fa91
SHA1 8610ec6bd2655da2e7e181b2731e928fffaac1df
SHA256 d549c395c786cd311fdd92e198199ddef5d6c58dc57d67ddf872de2b4bdf3db2
SHA512 eeda450f1ed614d7a3d995ceae7565b428a3b3afe738e2da84f71f053f7db9c9ebb9da2c5362f3a62aef6ac7af44dc0dcade453e619e9ca1928f1b257ec8740d

memory/2632-43-0x000000013F750000-0x000000013FAA4000-memory.dmp

memory/2168-39-0x000000013F750000-0x000000013FAA4000-memory.dmp

\Windows\system\ZlfEQTO.exe

MD5 5024f70d755fe2e5a585051b373fd445
SHA1 f46c85d7b9f9f1c4781dbe31d28f47e587bdb8ad
SHA256 9fab8730756dfaf3906d888e377f71b54a1c7e488105315b1eafedb12e11c512
SHA512 09e68e6cb4ee8ad1442b645d1bda69c4e7332b008287c2b6976fbd871474033b51eabeef4852a9bd0feeec59276d8407395dcb7b7ad75a4418b3d2cf0f0449b3

memory/1976-60-0x000000013F250000-0x000000013F5A4000-memory.dmp

memory/2168-59-0x00000000023B0000-0x0000000002704000-memory.dmp

memory/2980-75-0x000000013F460000-0x000000013F7B4000-memory.dmp

C:\Windows\system\aHSPhjy.exe

MD5 83ca326330fecbb7b7eaed753af5493b
SHA1 074734e8eb1d9854bdb7944b005666b8c3cd82e6
SHA256 26f6ad8dcfca5f988196ae2db122710458928e34c7c6f960b64bf488fa219ede
SHA512 fcb02884c0083fc50f37d70da3ff98395dd1cee9fffe9ebb53ea0f07a1a525e4cb64ac4c32d340a7fc023630194153908bbf9b08598a91b84e8738433c50ac32

memory/2772-92-0x000000013FEF0000-0x0000000140244000-memory.dmp

\Windows\system\lzophDD.exe

MD5 1c794de87b07a750eac6d5c6943b0130
SHA1 080dca6f88c03b44ec2f299bf2b13be53992f6af
SHA256 f1008d6e79d05bb9ffb2f1f58ff9c7f0a979394460fabc4b760efc4219110363
SHA512 5e378e108a2aa76abaf6328bc1467818d0e5252d74cbbfdd0d6b4d78ffb77926d1054b5085346e0b826e0c5a8e1950a83516626bb05c64d406c6a28f81d99e6a

\Windows\system\QFLwidW.exe

MD5 3fa5b832d6c18fdee1597752828d12d6
SHA1 f754390edfd49395912a725f49feaf0cd6344ffe
SHA256 9b6d4b9a8670871bb263f90fe905914f30e6affbe3aba3193095e0c52dcffa9a
SHA512 f7cf9cbb7dfd284d7618a8cf45eada753d7d3a446b1d2dfa2e730a84da6265106b09e93839cfca0e32a4ee4bd176a5c4f352791c5b7d24e6f95489a54e475a37

C:\Windows\system\PwfdURE.exe

MD5 27304fab92af79dde697b2a4a67675ca
SHA1 3e9f3350ca64f5a88c6b6d526fa7045ddadf813e
SHA256 9c7118bba2d186fbaf72b99151624c6ad81e2f162d2ff719e12611ca26c0ad06
SHA512 5af5aac407d70148141099d79628d818a61e0f4da03bc38123358fd38fba9d30eac200ee3526a85dd3f65828fb191eda14e0649ce63f8f3d5007d76aff6183f3

C:\Windows\system\iJwwNlu.exe

MD5 f68e3ff3adefdb5456a9fcc497c60ea7
SHA1 f8ed6fa0b4824e41a1085ee6146b72a2480ea0e3
SHA256 d03f1e1d366bb4d0c78f29ad4ca3aabd8d8bd07370a3374e0629fbb590683ea4
SHA512 05f8ebd0be8345e1b6a39b3a9c1ca38786198163a4657bd13725b0cf09396bb7cace9d909ab8de42cdd6fc64b246d57c9796f6c8ad4c996621a449f5ab6f5bd3

C:\Windows\system\dBIVhFt.exe

MD5 0c6e3680149de4daa740f79d2110e809
SHA1 d4d351c0da3a3a03d98d7f01335b7fc7ec24800b
SHA256 6faaad6dbab999059448923071a9b0d52d2a8bca5385dd32e4f3e6bcce7cd4a8
SHA512 b010bd2bde3b7df74b4ef72fde4b74a8341f7f07901bb25f03336d948026d423ca464ba36fb176057c8aa97988d95388c9a789f196ecfa158ea628040492c068

C:\Windows\system\aMHbMOc.exe

MD5 5f64a5331e935f921587cde35c135250
SHA1 684f7f76144e2319cd0882663b017a86810da9e0
SHA256 d36c270153802940c5850467d6f2f33ca8f6d621eb350fd3505480b651cf7aff
SHA512 86899f6d01074717e2137a520f47ab43b95005bcc140dc17405d38912764ddff1bfda289a52e28fc0b2418589ae4ed3dba694c6515d581fea28e7b9fa8117e8f

memory/2980-146-0x000000013F460000-0x000000013F7B4000-memory.dmp

C:\Windows\system\XhbuoOi.exe

MD5 39b03741832a5082fd7bf12f34a8cf19
SHA1 13e62df3bf64a470a5ad8f94116704fcf9221a16
SHA256 5385c8997eaa3cc12de4aff616312e3d98d5c3cbd6fdaa1cb75c885703536566
SHA512 0e56bb33c178481167a604f7a78c96ce40b1ab8fe94cec0293360b1f6e7a87117226b0f4dfc485bfd01296ede76d3a2eea2b38276fb51ba5103041f4086d387b

memory/2168-112-0x000000013F950000-0x000000013FCA4000-memory.dmp

memory/2168-111-0x00000000023B0000-0x0000000002704000-memory.dmp

memory/1728-109-0x000000013F1B0000-0x000000013F504000-memory.dmp

memory/2568-108-0x000000013F260000-0x000000013F5B4000-memory.dmp

C:\Windows\system\YGeDcBB.exe

MD5 f096ac77a81f5d238100ad0fd86e5b11
SHA1 8560dddd0e5bdbe12f4173584aa9b7df52f73076
SHA256 a9a6d3492275f5a136d8fddee14d38b85b6a7aba8e084318bad6937ada6128ee
SHA512 cb11243d53c274d8b01a22e75c8948a5ffc3942a25bf61b97d9743a363a1b748d3b45345df1a841358698c3ca0cc254559e95f1a58b260b8d6a7bb74a4791e87

memory/2168-103-0x00000000023B0000-0x0000000002704000-memory.dmp

memory/2168-102-0x00000000023B0000-0x0000000002704000-memory.dmp

memory/2972-99-0x000000013F950000-0x000000013FCA4000-memory.dmp

memory/1976-98-0x000000013F250000-0x000000013F5A4000-memory.dmp

memory/2168-97-0x00000000023B0000-0x0000000002704000-memory.dmp

C:\Windows\system\kmASGIz.exe

MD5 6f411c7bd8a0f22260dae1f9bd62efd0
SHA1 d543ba78f73c31f0b06101808e1577a30b599aeb
SHA256 b61fe7fc67725fea17f1c516f5e227905d61bb9a198f21a566f106c300e4781d
SHA512 3e31e160d53e51d5e98320a64ffcc4b00af7056225621886304ba09c915a1c6560c40802e245cdda5390bc78cd303887c06d574960312f1900405bc4116c07ac

C:\Windows\system\FaTpToB.exe

MD5 35f6ad95b58d42ecc8f69fd234aa2a99
SHA1 c6e7acde267c34a717f80d192bb94f271624f3a2
SHA256 de111f5edce00bb47a6c26d036ffd717c2728652c00064667a442f896862140c
SHA512 b39405b3cf4a62f6845afe89c06883c94df7dbe118e8368a1678e7b98eff9e091258b50ef0e138f05a54fac96888fed07d40f8d4d86253a5d1760fd399c88a16

memory/2168-87-0x000000013FEF0000-0x0000000140244000-memory.dmp

memory/2168-147-0x000000013FA60000-0x000000013FDB4000-memory.dmp

memory/2632-86-0x000000013F750000-0x000000013FAA4000-memory.dmp

memory/1988-82-0x000000013FA60000-0x000000013FDB4000-memory.dmp

memory/2168-79-0x000000013FA60000-0x000000013FDB4000-memory.dmp

C:\Windows\system\ZShHjdm.exe

MD5 20285e3066cb1e689defbe82cbb877ec
SHA1 b0079547b57c1e799f3dead1430da2c6f49418ad
SHA256 db7540062f5faf46ae5ea94adf789dd81cf005111348c38f879cee673fe228b6
SHA512 3a8b69cd6246248a2aeac999e83683dc6560ec94de277f6468524223c9ac8dc8cb740df749b95a620562c9421c53f161c76b4fd6d697808c7e1fcd7efca52b31

memory/2168-72-0x00000000023B0000-0x0000000002704000-memory.dmp

memory/2728-71-0x000000013FB90000-0x000000013FEE4000-memory.dmp

memory/2568-68-0x000000013F260000-0x000000013F5B4000-memory.dmp

C:\Windows\system\vUhlVVq.exe

MD5 459a6e585e7e6a6318d353cc21830732
SHA1 0230f0653ec7b26ccb1f5a545576e17e4e78677c
SHA256 f91051b9cbac9d3f94485f132780f8c5207f6743d1172fdc897ebbc75408817c
SHA512 ebc466c519492f7abaa528b08bd2790781ed92254fb5cbabea1e5cca19e0d886b596cc56a93987582dffc6a6e38e9f0f285e125b6a7dc5b4d7b99f484aab0c37

memory/2168-64-0x00000000023B0000-0x0000000002704000-memory.dmp

memory/2168-63-0x000000013F600000-0x000000013F954000-memory.dmp

memory/2708-58-0x000000013FA30000-0x000000013FD84000-memory.dmp

memory/2168-57-0x000000013FA30000-0x000000013FD84000-memory.dmp

memory/2540-52-0x000000013F720000-0x000000013FA74000-memory.dmp

memory/2168-51-0x000000013F670000-0x000000013F9C4000-memory.dmp

C:\Windows\system\NJkImYx.exe

MD5 eaba6a6f936ce5df5be39c5db237b94d
SHA1 f67fc7a9588149f5af34e6b739a80231dc278d2c
SHA256 fe940cd462eb8fdf24f4a6e39f42e9b742400dcd7299cec8f939f24478102d68
SHA512 d65ce5658cb455e2794573cbdbf1eb5d748002a98dc7bce67cf6a8370ef765c1c184897eed17f44f8d9a8c36b974a6699afd384ef828fc314bde95aaaf1f276b

memory/1988-148-0x000000013FA60000-0x000000013FDB4000-memory.dmp

memory/2168-46-0x000000013F130000-0x000000013F484000-memory.dmp

memory/2812-37-0x000000013F890000-0x000000013FBE4000-memory.dmp

C:\Windows\system\chNadLB.exe

MD5 8134aa9142d5d3317470c875f376dccf
SHA1 abd06e0ef25282be33313d664a1fd685278dab45
SHA256 9a361415457105fbe978611a36cc38df2e0a95fb10d8e0219d6cb2fb193eff6c
SHA512 3d0e6723979ec3782a491f4db25c6107b734e64813740c554d8380bc895e40e5d223ee8da45eb616e2d6331967168bc94550572fca66c723637947a384530b0c

memory/2168-31-0x000000013F890000-0x000000013FBE4000-memory.dmp

memory/2168-149-0x000000013FEF0000-0x0000000140244000-memory.dmp

memory/2972-150-0x000000013F950000-0x000000013FCA4000-memory.dmp

memory/2168-151-0x00000000023B0000-0x0000000002704000-memory.dmp

memory/2168-152-0x000000013F950000-0x000000013FCA4000-memory.dmp

memory/2596-153-0x000000013F670000-0x000000013F9C4000-memory.dmp

memory/3052-154-0x000000013F600000-0x000000013F954000-memory.dmp

memory/2708-155-0x000000013FA30000-0x000000013FD84000-memory.dmp

memory/2812-156-0x000000013F890000-0x000000013FBE4000-memory.dmp

memory/2728-157-0x000000013FB90000-0x000000013FEE4000-memory.dmp

memory/2632-158-0x000000013F750000-0x000000013FAA4000-memory.dmp

memory/2540-159-0x000000013F720000-0x000000013FA74000-memory.dmp

memory/1976-160-0x000000013F250000-0x000000013F5A4000-memory.dmp

memory/2568-161-0x000000013F260000-0x000000013F5B4000-memory.dmp

memory/2980-162-0x000000013F460000-0x000000013F7B4000-memory.dmp

memory/1988-163-0x000000013FA60000-0x000000013FDB4000-memory.dmp

memory/2772-164-0x000000013FEF0000-0x0000000140244000-memory.dmp

memory/2972-165-0x000000013F950000-0x000000013FCA4000-memory.dmp

memory/1728-166-0x000000013F1B0000-0x000000013F504000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-30 10:09

Reported

2024-05-30 10:11

Platform

win10v2004-20240426-en

Max time kernel

140s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-05-30_ac21948565285d29adf9cbc157cbeb02_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A (21 identical rows in the sandbox output; no per-hit detail was recorded)

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A (21 identical rows in the sandbox output; no per-hit detail was recorded)

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A (64 identical rows in the sandbox output; no per-hit detail was recorded)

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A (64 identical rows in the sandbox output; no per-hit detail was recorded)

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A (64 identical rows in the sandbox output; no per-hit detail was recorded)

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\cyTLhou.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_ac21948565285d29adf9cbc157cbeb02_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\FAOfzWk.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_ac21948565285d29adf9cbc157cbeb02_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\BLjiigX.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_ac21948565285d29adf9cbc157cbeb02_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\sAQAVVk.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_ac21948565285d29adf9cbc157cbeb02_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\tAyQshP.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_ac21948565285d29adf9cbc157cbeb02_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\EbyfUet.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_ac21948565285d29adf9cbc157cbeb02_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\jswfTye.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_ac21948565285d29adf9cbc157cbeb02_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\KGEXyXA.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_ac21948565285d29adf9cbc157cbeb02_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\sIKUytw.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_ac21948565285d29adf9cbc157cbeb02_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\dDEUNvf.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_ac21948565285d29adf9cbc157cbeb02_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\WNMkrVK.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_ac21948565285d29adf9cbc157cbeb02_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\qrfKRju.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_ac21948565285d29adf9cbc157cbeb02_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\XuhseOG.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_ac21948565285d29adf9cbc157cbeb02_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\xwZAJvk.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_ac21948565285d29adf9cbc157cbeb02_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ruReaOl.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_ac21948565285d29adf9cbc157cbeb02_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\tKOEDbY.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_ac21948565285d29adf9cbc157cbeb02_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ivTopcJ.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_ac21948565285d29adf9cbc157cbeb02_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\CyoipiN.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_ac21948565285d29adf9cbc157cbeb02_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\WsEopIW.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_ac21948565285d29adf9cbc157cbeb02_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\TrwJDEL.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_ac21948565285d29adf9cbc157cbeb02_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\egMHQNJ.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_ac21948565285d29adf9cbc157cbeb02_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_ac21948565285d29adf9cbc157cbeb02_cobalt-strike_cobaltstrike.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_ac21948565285d29adf9cbc157cbeb02_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2980 wrote to memory of 340 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_ac21948565285d29adf9cbc157cbeb02_cobalt-strike_cobaltstrike.exe C:\Windows\System\CyoipiN.exe
PID 2980 wrote to memory of 340 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_ac21948565285d29adf9cbc157cbeb02_cobalt-strike_cobaltstrike.exe C:\Windows\System\CyoipiN.exe
PID 2980 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_ac21948565285d29adf9cbc157cbeb02_cobalt-strike_cobaltstrike.exe C:\Windows\System\WsEopIW.exe
PID 2980 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_ac21948565285d29adf9cbc157cbeb02_cobalt-strike_cobaltstrike.exe C:\Windows\System\WsEopIW.exe
PID 2980 wrote to memory of 1816 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_ac21948565285d29adf9cbc157cbeb02_cobalt-strike_cobaltstrike.exe C:\Windows\System\qrfKRju.exe
PID 2980 wrote to memory of 1816 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_ac21948565285d29adf9cbc157cbeb02_cobalt-strike_cobaltstrike.exe C:\Windows\System\qrfKRju.exe
PID 2980 wrote to memory of 4840 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_ac21948565285d29adf9cbc157cbeb02_cobalt-strike_cobaltstrike.exe C:\Windows\System\KGEXyXA.exe
PID 2980 wrote to memory of 4840 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_ac21948565285d29adf9cbc157cbeb02_cobalt-strike_cobaltstrike.exe C:\Windows\System\KGEXyXA.exe
PID 2980 wrote to memory of 3500 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_ac21948565285d29adf9cbc157cbeb02_cobalt-strike_cobaltstrike.exe C:\Windows\System\sIKUytw.exe
PID 2980 wrote to memory of 3500 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_ac21948565285d29adf9cbc157cbeb02_cobalt-strike_cobaltstrike.exe C:\Windows\System\sIKUytw.exe
PID 2980 wrote to memory of 4116 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_ac21948565285d29adf9cbc157cbeb02_cobalt-strike_cobaltstrike.exe C:\Windows\System\dDEUNvf.exe
PID 2980 wrote to memory of 4116 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_ac21948565285d29adf9cbc157cbeb02_cobalt-strike_cobaltstrike.exe C:\Windows\System\dDEUNvf.exe
PID 2980 wrote to memory of 888 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_ac21948565285d29adf9cbc157cbeb02_cobalt-strike_cobaltstrike.exe C:\Windows\System\XuhseOG.exe
PID 2980 wrote to memory of 888 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_ac21948565285d29adf9cbc157cbeb02_cobalt-strike_cobaltstrike.exe C:\Windows\System\XuhseOG.exe
PID 2980 wrote to memory of 4196 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_ac21948565285d29adf9cbc157cbeb02_cobalt-strike_cobaltstrike.exe C:\Windows\System\sAQAVVk.exe
PID 2980 wrote to memory of 4196 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_ac21948565285d29adf9cbc157cbeb02_cobalt-strike_cobaltstrike.exe C:\Windows\System\sAQAVVk.exe
PID 2980 wrote to memory of 1188 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_ac21948565285d29adf9cbc157cbeb02_cobalt-strike_cobaltstrike.exe C:\Windows\System\xwZAJvk.exe
PID 2980 wrote to memory of 1188 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_ac21948565285d29adf9cbc157cbeb02_cobalt-strike_cobaltstrike.exe C:\Windows\System\xwZAJvk.exe
PID 2980 wrote to memory of 4364 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_ac21948565285d29adf9cbc157cbeb02_cobalt-strike_cobaltstrike.exe C:\Windows\System\tAyQshP.exe
PID 2980 wrote to memory of 4364 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_ac21948565285d29adf9cbc157cbeb02_cobalt-strike_cobaltstrike.exe C:\Windows\System\tAyQshP.exe
PID 2980 wrote to memory of 788 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_ac21948565285d29adf9cbc157cbeb02_cobalt-strike_cobaltstrike.exe C:\Windows\System\EbyfUet.exe
PID 2980 wrote to memory of 788 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_ac21948565285d29adf9cbc157cbeb02_cobalt-strike_cobaltstrike.exe C:\Windows\System\EbyfUet.exe
PID 2980 wrote to memory of 628 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_ac21948565285d29adf9cbc157cbeb02_cobalt-strike_cobaltstrike.exe C:\Windows\System\FAOfzWk.exe
PID 2980 wrote to memory of 628 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_ac21948565285d29adf9cbc157cbeb02_cobalt-strike_cobaltstrike.exe C:\Windows\System\FAOfzWk.exe
PID 2980 wrote to memory of 5020 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_ac21948565285d29adf9cbc157cbeb02_cobalt-strike_cobaltstrike.exe C:\Windows\System\ruReaOl.exe
PID 2980 wrote to memory of 5020 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_ac21948565285d29adf9cbc157cbeb02_cobalt-strike_cobaltstrike.exe C:\Windows\System\ruReaOl.exe
PID 2980 wrote to memory of 884 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_ac21948565285d29adf9cbc157cbeb02_cobalt-strike_cobaltstrike.exe C:\Windows\System\BLjiigX.exe
PID 2980 wrote to memory of 884 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_ac21948565285d29adf9cbc157cbeb02_cobalt-strike_cobaltstrike.exe C:\Windows\System\BLjiigX.exe
PID 2980 wrote to memory of 4328 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_ac21948565285d29adf9cbc157cbeb02_cobalt-strike_cobaltstrike.exe C:\Windows\System\WNMkrVK.exe
PID 2980 wrote to memory of 4328 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_ac21948565285d29adf9cbc157cbeb02_cobalt-strike_cobaltstrike.exe C:\Windows\System\WNMkrVK.exe
PID 2980 wrote to memory of 624 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_ac21948565285d29adf9cbc157cbeb02_cobalt-strike_cobaltstrike.exe C:\Windows\System\jswfTye.exe
PID 2980 wrote to memory of 624 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_ac21948565285d29adf9cbc157cbeb02_cobalt-strike_cobaltstrike.exe C:\Windows\System\jswfTye.exe
PID 2980 wrote to memory of 3476 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_ac21948565285d29adf9cbc157cbeb02_cobalt-strike_cobaltstrike.exe C:\Windows\System\tKOEDbY.exe
PID 2980 wrote to memory of 3476 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_ac21948565285d29adf9cbc157cbeb02_cobalt-strike_cobaltstrike.exe C:\Windows\System\tKOEDbY.exe
PID 2980 wrote to memory of 4236 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_ac21948565285d29adf9cbc157cbeb02_cobalt-strike_cobaltstrike.exe C:\Windows\System\ivTopcJ.exe
PID 2980 wrote to memory of 4236 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_ac21948565285d29adf9cbc157cbeb02_cobalt-strike_cobaltstrike.exe C:\Windows\System\ivTopcJ.exe
PID 2980 wrote to memory of 4100 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_ac21948565285d29adf9cbc157cbeb02_cobalt-strike_cobaltstrike.exe C:\Windows\System\TrwJDEL.exe
PID 2980 wrote to memory of 4100 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_ac21948565285d29adf9cbc157cbeb02_cobalt-strike_cobaltstrike.exe C:\Windows\System\TrwJDEL.exe
PID 2980 wrote to memory of 3532 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_ac21948565285d29adf9cbc157cbeb02_cobalt-strike_cobaltstrike.exe C:\Windows\System\egMHQNJ.exe
PID 2980 wrote to memory of 3532 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_ac21948565285d29adf9cbc157cbeb02_cobalt-strike_cobaltstrike.exe C:\Windows\System\egMHQNJ.exe
PID 2980 wrote to memory of 3636 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_ac21948565285d29adf9cbc157cbeb02_cobalt-strike_cobaltstrike.exe C:\Windows\System\cyTLhou.exe
PID 2980 wrote to memory of 3636 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_ac21948565285d29adf9cbc157cbeb02_cobalt-strike_cobaltstrike.exe C:\Windows\System\cyTLhou.exe
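The three signature tables above are the most useful part of this detonation for a responder: one parent (PID 2980) drops 21 executables with random seven-letter names into C:\Windows\System, requests SeLockMemoryPrivilege (the privilege Windows requires for large-page allocations, which XMRig asks for when it enables huge pages for its dataset), and then writes into the memory of every child it launches. The sandbox logs each WriteProcessMemory call separately, which is why every child appears twice. The script below is an added example, not part of the sandbox report: it parses rows in the report's own format into a deduplicated process tree and a hunt summary. The rows embedded in it are a truncated subset copied from the tables above; the seven-letter naming pattern used to flag the dropped files is a heuristic drawn from this sample, not a general rule.

```python
import re
from collections import defaultdict

# Rows copied from the behavioral2 signature tables above (a truncated subset,
# embedded here as constructed input so the example runs offline).
SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\2024-05-30_ac21948565285d29adf9cbc157cbeb02_cobalt-strike_cobaltstrike.exe")
SIGNATURE_ROWS = [
    f"File created C:\\Windows\\System\\cyTLhou.exe {SAMPLE} N/A",
    f"File created C:\\Windows\\System\\CyoipiN.exe {SAMPLE} N/A",
    f"Token: SeLockMemoryPrivilege N/A {SAMPLE} N/A",
    f"Token: SeLockMemoryPrivilege N/A {SAMPLE} N/A",
    f"PID 2980 wrote to memory of 340 N/A {SAMPLE} C:\\Windows\\System\\CyoipiN.exe",
    f"PID 2980 wrote to memory of 340 N/A {SAMPLE} C:\\Windows\\System\\CyoipiN.exe",
    f"PID 2980 wrote to memory of 3636 N/A {SAMPLE} C:\\Windows\\System\\cyTLhou.exe",
    f"PID 2980 wrote to memory of 3636 N/A {SAMPLE} C:\\Windows\\System\\cyTLhou.exe",
]

# Row shapes as they appear in the report: "Description Indicator Process Target".
FILE_CREATED = re.compile(r"^File created (\S+) (\S+) (\S+)$")
TOKEN = re.compile(r"^Token: (\w+) (\S+) (\S+) (\S+)$")
WRITE = re.compile(r"^PID (\d+) wrote to memory of (\d+) (\S+) (\S+) (\S+)$")
# Heuristic taken from this sample: seven mixed-case letters directly under
# C:\Windows\System. Tune it before reusing it elsewhere.
RANDOM_NAME = re.compile(r"^C:\\Windows\\System\\[A-Za-z]{7}\.exe$")


def parse_signatures(rows):
    """Split rows into dropped paths, (privilege, process) pairs and unique writes."""
    dropped, privileges, writes = set(), set(), set()
    for row in rows:
        if m := FILE_CREATED.match(row):
            dropped.add(m.group(1))
        elif m := TOKEN.match(row):
            privileges.add((m.group(1), m.group(3)))
        elif m := WRITE.match(row):
            ppid, cpid, _indicator, parent, child = m.groups()
            # A set collapses the doubled WriteProcessMemory rows into one edge.
            writes.add((int(ppid), parent, int(cpid), child))
    return dropped, privileges, writes


def process_tree(writes):
    """Map (parent pid, parent image) -> sorted list of (child pid, child image)."""
    tree = defaultdict(list)
    for ppid, parent, cpid, child in sorted(writes):
        tree[(ppid, parent)].append((cpid, child))
    return dict(tree)


def hunt_summary(rows):
    """Condense the tables into the facts a responder would pivot on."""
    dropped, privileges, writes = parse_signatures(rows)
    tree = process_tree(writes)
    return {
        "injector_pids": sorted({ppid for ppid, _ in tree}),
        "injected_children": sum(len(children) for children in tree.values()),
        "dropped_total": len(dropped),
        "dropped_random_named": sum(1 for path in dropped if RANDOM_NAME.match(path)),
        # Large-page privilege in a process with no reason to lock memory is a
        # strong miner indicator; here it lines up with the XMRig signature.
        "lock_memory_privilege": any(p == "SeLockMemoryPrivilege" for p, _ in privileges),
    }


if __name__ == "__main__":
    for parent, children in process_tree(parse_signatures(SIGNATURE_ROWS)[2]).items():
        print(parent)
        for child in children:
            print("   ", child)
    print(hunt_summary(SIGNATURE_ROWS))
```

Run against the full tables, the same parser yields one injector (PID 2980) with 21 children, all 21 dropped paths matching the naming heuristic. The paths and hashes are the portable indicators; the PIDs are sandbox-specific and should not be carried into detection content.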

Processes

C:\Users\Admin\AppData\Local\Temp\2024-05-30_ac21948565285d29adf9cbc157cbeb02_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-05-30_ac21948565285d29adf9cbc157cbeb02_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\CyoipiN.exe

C:\Windows\System\CyoipiN.exe

C:\Windows\System\WsEopIW.exe

C:\Windows\System\WsEopIW.exe

C:\Windows\System\qrfKRju.exe

C:\Windows\System\qrfKRju.exe

C:\Windows\System\KGEXyXA.exe

C:\Windows\System\KGEXyXA.exe

C:\Windows\System\sIKUytw.exe

C:\Windows\System\sIKUytw.exe

C:\Windows\System\dDEUNvf.exe

C:\Windows\System\dDEUNvf.exe

C:\Windows\System\XuhseOG.exe

C:\Windows\System\XuhseOG.exe

C:\Windows\System\sAQAVVk.exe

C:\Windows\System\sAQAVVk.exe

C:\Windows\System\xwZAJvk.exe

C:\Windows\System\xwZAJvk.exe

C:\Windows\System\tAyQshP.exe

C:\Windows\System\tAyQshP.exe

C:\Windows\System\EbyfUet.exe

C:\Windows\System\EbyfUet.exe

C:\Windows\System\FAOfzWk.exe

C:\Windows\System\FAOfzWk.exe

C:\Windows\System\ruReaOl.exe

C:\Windows\System\ruReaOl.exe

C:\Windows\System\BLjiigX.exe

C:\Windows\System\BLjiigX.exe

C:\Windows\System\WNMkrVK.exe

C:\Windows\System\WNMkrVK.exe

C:\Windows\System\jswfTye.exe

C:\Windows\System\jswfTye.exe

C:\Windows\System\tKOEDbY.exe

C:\Windows\System\tKOEDbY.exe

C:\Windows\System\ivTopcJ.exe

C:\Windows\System\ivTopcJ.exe

C:\Windows\System\TrwJDEL.exe

C:\Windows\System\TrwJDEL.exe

C:\Windows\System\egMHQNJ.exe

C:\Windows\System\egMHQNJ.exe

C:\Windows\System\cyTLhou.exe

C:\Windows\System\cyTLhou.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 240.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 2.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
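Two things in the network table deserve a second look: a single TCP destination (3.120.209.58:8080) contacted six times within the 148 s of capture, which is consistent with a beacon check-in, and a series of reverse (in-addr.arpa) lookups sent to 8.8.8.8. The report records no payload, no Cobalt Strike configuration and no per-row process, so the IP is a pivot for investigation rather than a confirmed C2, and the PTR lookups may be background traffic from the guest OS rather than the sample. The script below is an added example, not part of the sandbox report: it parses the table in the report's own layout, reverses the in-addr.arpa names back to the IPs that were looked up, and lists repeated destinations as beacon candidates. The threshold of three hits is an assumption chosen for this table.

```python
import re
from collections import Counter

# The Network table above, embedded as constructed input so the example runs offline.
# Rows with a reverse-DNS name have four columns; direct TCP rows have three.
NETWORK_TABLE = """\
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 240.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 2.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
"""

PTR = re.compile(r"^(\d+)\.(\d+)\.(\d+)\.(\d+)\.in-addr\.arpa$", re.IGNORECASE)


def parse_network(text):
    """Return one dict per row; 'domain' is None for rows without a name column."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4:
            country, dest, domain, proto = parts
        elif len(parts) == 3:
            country, dest, proto = parts
            domain = None
        else:
            continue
        rows.append({"country": country, "dest": dest, "domain": domain, "proto": proto})
    return rows


def ptr_to_ip(name):
    """'209.205.72.20.in-addr.arpa' -> '20.72.205.209'; None for non-PTR names."""
    m = PTR.match(name)
    if not m:
        return None
    return ".".join(reversed(m.groups()))


def summarize(rows, min_hits=3):
    """Repeated direct destinations are beacon candidates; PTR names become IPs."""
    direct = Counter((r["dest"], r["proto"]) for r in rows if r["domain"] is None)
    beacons = [(f"{dest}/{proto}", n) for (dest, proto), n in direct.most_common() if n >= min_hits]
    ptr_targets = [ip for ip in (ptr_to_ip(r["domain"]) for r in rows if r["domain"]) if ip]
    return {"beacon_candidates": beacons, "ptr_targets": ptr_targets}


if __name__ == "__main__":
    print(summarize(parse_network(NETWORK_TABLE)))
```

Before blocking or hunting on the reversed IPs, check them against the sandbox's known infrastructure and against Windows telemetry ranges: the table attributes none of the DNS traffic to a process, so only the repeated 3.120.209.58:8080 connections can be tied to the sample with any confidence, and even those should be confirmed by extracting the beacon configuration from the memory dumps listed under Files.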

Files

memory/2980-0-0x00007FF631980000-0x00007FF631CD4000-memory.dmp

memory/2980-1-0x0000019700600000-0x0000019700610000-memory.dmp

C:\Windows\System\CyoipiN.exe

MD5 a7e9beca0ef164c20ad24448d942fc14
SHA1 0ff45f854dd5c89419cf6c0e0de3ea122a0f1059
SHA256 9abf7e16d608a21d5eba3aa4af62107274dbc31f14f1ea2d373cf95ca3285b1f
SHA512 21557d3669b80bfac21e58759e2637119a9a0ca9943032263bbf20c4f7af869ab1c2c77548ba5ea1a2b59ddfde3d722c46b78c8d917cd8ac7847eb2da18fcdef

memory/340-8-0x00007FF6A24A0000-0x00007FF6A27F4000-memory.dmp

C:\Windows\System\WsEopIW.exe

MD5 091eafe336fa2022b25eb19a7b05287b
SHA1 46549fe48f5c83b9eec8f32a0be617bcaad4c2ae
SHA256 4fe69a7e518f09aefc3c8f014cf37b68be0ec61b84e8818f01bb0eb174907687
SHA512 9ef8b442396d646b0d4643ee749f0ac0295ced040d289bdbd423f0a61ae4b947aeb84958c0315284eaed04f5e8c4feb9135930bc55d102eff56b4e376006dd18

C:\Windows\System\qrfKRju.exe

MD5 517e00c3d4ab8d2d2cf781d9c869fcf4
SHA1 ade331f4126bebcad28d57e646cb127d0e567411
SHA256 cd8b602dfd29483b2ae6039591aaf1cbfd5e7310f82a1c1e3429c7d6cbaff31b
SHA512 d34b57ee3e529f5e3e44b2d26d3c6eb6db7cbb2a8510d48036f35c4a43823f875ecb85f1c77076a9dece7da220d2d954333623b96495e8c8a672a853cc137299

memory/2668-14-0x00007FF6099A0000-0x00007FF609CF4000-memory.dmp

memory/1816-20-0x00007FF6A7490000-0x00007FF6A77E4000-memory.dmp

C:\Windows\System\KGEXyXA.exe

MD5 3b18180de008dc42ce708ad473379458
SHA1 8c25898557683f57701ce2c1b11a63d3d264814b
SHA256 1639176c37ef9f66ed9ae43ee1ae40ff84885e959838d8460736d441ef324913
SHA512 cb41d11df1e4ba6e0ab24d9783c24c6b00470b73b9e95b195bebbc40052e022b4ea50e407a8bb1212f938fc61b030e2d615f8b2cd6bba8f456e3be9b584edd2e

memory/4840-25-0x00007FF7D5D60000-0x00007FF7D60B4000-memory.dmp

C:\Windows\System\sIKUytw.exe

MD5 a3d8eadcb5da535e7e959a6b88f2e300
SHA1 cfec08b20ec04cca3286f2e876d3c655cd9b48fe
SHA256 ce4cd3b63dd0256ba73059d267af60f06573aa21211c292589c1eb576232f7de
SHA512 630eb1c91d4ab3a6af9c3fa0848fd7c89ca349adc0ebf65fd6a1579dba96e91d92ee5b059658f2f1bc815af8d29e76b15e6ec7071069e58231bd73f0ebb416a6

memory/3500-32-0x00007FF784EE0000-0x00007FF785234000-memory.dmp

C:\Windows\System\dDEUNvf.exe

MD5 ef9c9495db921fc27afcfc60b8a08b77
SHA1 33be6766909ce5777a6ab5c1189ae9f03db0e203
SHA256 3d2bd108dbf5efa220c6d03db6f3eae57515ea4b8bf4928e1b03faafc1b265cb
SHA512 f73ff574696290d1783befa604d02f3b87f337f08702198cb2ca76ae135669f2d2575e8932a8ba32ca33a95793c3c04bee73d00d6acd455f7070c2a9476a2002

C:\Windows\System\sAQAVVk.exe

MD5 86a73fbcee3a799c6ee8bd6278ed7092
SHA1 1030c6eb98030c7bf5f7683cf4f48fe1b57d9080
SHA256 c566082961799d8dbb6d305d69f7d7b746a900451c90334c140c1e32111cca01
SHA512 141e221a8c0a099c838062ef0d4bb94f1a3535737b2eaa61171b5e834cf7da0c79268e397d608bc15682ab481afbd49bb1e6f03df30dfce4462404dbbe92fd9b

C:\Windows\System\XuhseOG.exe

MD5 27be1e4636f183719d55ad1d24d3102e
SHA1 f888d3e925ff65c9329a869670fbf98dee5a1f40
SHA256 267e01991ade675d451d42f13a9655bd7ffd837ee8f04542779af43d721e20df
SHA512 cecb822235129227666fccac1976c27eb2029595e5e39ab7245e64f8cfff3e4964a16754cfab05d1e928f670e47354df81ce5b683faf7ed38c9c3c98057d3994

memory/4116-38-0x00007FF6EE440000-0x00007FF6EE794000-memory.dmp

memory/888-47-0x00007FF76E680000-0x00007FF76E9D4000-memory.dmp

memory/4196-48-0x00007FF764930000-0x00007FF764C84000-memory.dmp

C:\Windows\System\xwZAJvk.exe

MD5 655e2987e388ba0813999cd01e980d39
SHA1 2d1c84dfd2bc9109c71fd2be9cd5343265482124
SHA256 43eb0d53be604eec63f205c11aaf1a46c3362ec7686d8d8bee3f4de94bb3697f
SHA512 9d945e4eab1b3e8969589eef276c1996ec651d103a1bd44cfd2ca6f40cca7141fdd29543f9843bd0b99ccaa5846c9da4290cd448d0cc6b11fb7e1a8559ee03c8

C:\Windows\System\tAyQshP.exe

MD5 e9d45a1b74b881e8f15ec44d53365c6d
SHA1 3ef184449f8cddd697a98f09868da317041e2d35
SHA256 e6031b010b640ce34e1705cd4350df2abde944a588fbd9faa847f3a72ab4b409
SHA512 c2b92b3a77bd83069183de05dc0460dd97c05e1127d621ae66f57a0d53680e8fb9a25dbf6f68a295b6d33d392a55a76c1a5f75046b293c7e726a05ccabfb6cad

C:\Windows\System\EbyfUet.exe

MD5 dbda301aad02d33b076a6583b833239b
SHA1 505ab09bd414a0f1b9570281b16728de724cd328
SHA256 b3df557a76b136a6561cc47147b64752d7c11d5ee52c180c45abdcf291eaacb4
SHA512 0629c0b5ca9502825466602eaa2c00d58378481287fb6f910ea8a3f1f7a888f4c6d22bc43223925ff8ba309db45e95662c763025f460387ac2708fb8fc1bb697

memory/4364-64-0x00007FF68C710000-0x00007FF68CA64000-memory.dmp

memory/1188-56-0x00007FF7A41A0000-0x00007FF7A44F4000-memory.dmp

C:\Windows\System\ruReaOl.exe

MD5 64c9b6c09dc64068f86bf52ca5024755
SHA1 869d6a675b2f7259a6f8681227aaac471dc4ef00
SHA256 be6467943f63c8ad9e6ae3034d25e151422368aa0a2f735dd5f302daba58199c
SHA512 ef5a54c484509d5e25281b0b62e628b812df2ca581fc4d31011f46fa3ed932f655ce6e18881fbe1f7711f7a78640ab6c65619c4c8507a35af7fea814f8d4155c

memory/2668-84-0x00007FF6099A0000-0x00007FF609CF4000-memory.dmp

C:\Windows\System\BLjiigX.exe

MD5 d6b5c491dc531232fd74195f2a2bd14f
SHA1 d92492d9cbb1db38b3106f6d8d7fb0c53a038427
SHA256 65070efc5901a5cb6c40b852d03d8a035bcbb68190d9b25e457e197056aa25ee
SHA512 0656456f0a064f3b614d2fc4b7c9cbe382316b74428be2969d116003a2b0bf4fbca5cc7e9380b4f76d4d117a0b39a60338d76bcfc480e649fabcfa0bcca7ed6b

memory/884-85-0x00007FF7C2230000-0x00007FF7C2584000-memory.dmp

memory/5020-83-0x00007FF63C2A0000-0x00007FF63C5F4000-memory.dmp

memory/628-80-0x00007FF7D73E0000-0x00007FF7D7734000-memory.dmp

C:\Windows\System\FAOfzWk.exe

MD5 bef13931f262979e4d9bbec1f4a6eaca
SHA1 0c262764c559dae82f5e40ffceed8d9663d86429
SHA256 7960582e929f62878d81dc6a62f21f154ac77beea151b4e36a7aae6462babc60
SHA512 f54b536e6af15535890fb6147734e9d07653c469f9b352d2b415361989ea7cb0d3494b33d7882ef7608756585ee88f138da7b392a42e4b340262740cf429c1ad

memory/788-69-0x00007FF77F4F0000-0x00007FF77F844000-memory.dmp

memory/2980-68-0x00007FF631980000-0x00007FF631CD4000-memory.dmp

C:\Windows\System\WNMkrVK.exe

MD5 05ff5e8e259cd4e0d7b5e11741401924
SHA1 b52ab2c21dc45fb5c14ab37b84b548c6816da945
SHA256 6788f308d0d65d1f80a4aacc237dcbff5336c1a7e3bf62544e0fa06b0517ca96
SHA512 40f6eb2504c81b0230568808c9b247fa0d91468531092c157603947b221a781cd3d4fda65c538344100ffe27e054bbbf56acc393d90d6d8125ded5fce8fe1e89

C:\Windows\System\jswfTye.exe

MD5 b0c575e6440d46597fbd9d6a8c31a35a
SHA1 d049c1a0d9388a2f8f76e79ec32f32d1820f0ee4
SHA256 ceb7b43aca5a376b28a658119855de3dac5fb34ccfada7ed5e9eef1712363161
SHA512 34a35acfd486e8c60326946de723e83ff8b59325f904226db615437a4e841afa6355adc45a9805cf8306e5e3281dec78a07068d1772c6484a221822b9715493e

memory/624-105-0x00007FF614560000-0x00007FF6148B4000-memory.dmp

C:\Windows\System\tKOEDbY.exe

MD5 72d18d0bc738d5109882906785a36ae4
SHA1 8f67bd8a47609cafb17af7a3ae6d54fb949bce0c
SHA256 08453a2ba97f5847b0dd7e4e7b80ec1ed983a70def1bc7f1b1290837fef9e9e3
SHA512 1d8be9a950c92b0b4ff9f56e8a613cc61ef6d5df1b71cfd24fca5fc63207f297be475c1283db69fd53e62672e7fd02cf5acbdcdbcdaf2552aa05e974927d2b2a

memory/3500-107-0x00007FF784EE0000-0x00007FF785234000-memory.dmp

memory/3476-106-0x00007FF704100000-0x00007FF704454000-memory.dmp

memory/4840-104-0x00007FF7D5D60000-0x00007FF7D60B4000-memory.dmp

memory/4328-93-0x00007FF7ACF70000-0x00007FF7AD2C4000-memory.dmp

memory/1816-92-0x00007FF6A7490000-0x00007FF6A77E4000-memory.dmp

C:\Windows\System\ivTopcJ.exe

MD5 97c1580f60eac427614bb61238e53539
SHA1 946733f96290be8d9b50ea3f426edda6c8849f9e
SHA256 600055b9114240ec4754b118ba7abf99056c36226cdbee63f49929ed02f97a80
SHA512 b7c7351896703aae01d7d439c082a9968ba6d10c9c4e77953042e2de14cde1c46ae64043347f5510e8045420a0ad87fa6e73a01f2a7cdb5575cba5ad672aacb7

memory/4236-114-0x00007FF696450000-0x00007FF6967A4000-memory.dmp

memory/4100-121-0x00007FF7AA250000-0x00007FF7AA5A4000-memory.dmp

C:\Windows\System\egMHQNJ.exe

MD5 b7d6e52b3eb3c0f6ee9f2ada5e8ec5d1
SHA1 797c80b71e1b7d511dcebd2cf7850632ca26d1a0
SHA256 0268a391c5306d47bb6633fde192f3aa7ba68c6da62c3e276f9340da3af5fe8d
SHA512 9ab72da9dbc551fa0d7e3e6e445d498eb8af0b2712a44cfdb048c98123a0353d0c8082ca69330d7d98db9a637149e60470c7d31c2f494e569275ff0f48c0d117

C:\Windows\System\cyTLhou.exe

MD5 0100a44bd49f18b61db1202c659d5d0d
SHA1 349bb41531f856fd60eb6a7be93124bda3037f95
SHA256 458e6fae39113087c8a70f6e7d52ec85ea51dd346768aeacdef7def4bbaa4834
SHA512 f02fd33d14fef8dd368597ab6c9f528c0e7a6ca22d4e87ab1995c254ae4e07858fba8f45afd26035d508fa9b9bf11e45e452cab588c2cc3a11a50821e35ed7d4

memory/3532-129-0x00007FF6EF950000-0x00007FF6EFCA4000-memory.dmp

memory/3636-133-0x00007FF6FEBF0000-0x00007FF6FEF44000-memory.dmp

C:\Windows\System\TrwJDEL.exe

MD5 07fc98aba3e4905a0cf30c7137b01764
SHA1 6cb92db174df1fe8e8063fee9cad541029ddc442
SHA256 f46093a2b42b3772583b1836fc858a1a3d4968e4ce8eca77eb3af2bd3ca0cdd8
SHA512 f5f95dbd3576623a59b9a0a91dabc6ee722869afe0820d35368fd8d265cb18744ca8ac0b7c49dcfd1c9eab30047e2e674769e888130fedde0d279aab6c53c969

memory/4196-119-0x00007FF764930000-0x00007FF764C84000-memory.dmp

memory/884-134-0x00007FF7C2230000-0x00007FF7C2584000-memory.dmp

memory/4328-135-0x00007FF7ACF70000-0x00007FF7AD2C4000-memory.dmp

memory/3476-136-0x00007FF704100000-0x00007FF704454000-memory.dmp

memory/4236-137-0x00007FF696450000-0x00007FF6967A4000-memory.dmp

memory/4100-138-0x00007FF7AA250000-0x00007FF7AA5A4000-memory.dmp

memory/340-139-0x00007FF6A24A0000-0x00007FF6A27F4000-memory.dmp

memory/2668-140-0x00007FF6099A0000-0x00007FF609CF4000-memory.dmp

memory/1816-141-0x00007FF6A7490000-0x00007FF6A77E4000-memory.dmp

memory/4840-142-0x00007FF7D5D60000-0x00007FF7D60B4000-memory.dmp

memory/3500-143-0x00007FF784EE0000-0x00007FF785234000-memory.dmp

memory/4116-144-0x00007FF6EE440000-0x00007FF6EE794000-memory.dmp

memory/888-145-0x00007FF76E680000-0x00007FF76E9D4000-memory.dmp

memory/4196-146-0x00007FF764930000-0x00007FF764C84000-memory.dmp

memory/1188-147-0x00007FF7A41A0000-0x00007FF7A44F4000-memory.dmp

memory/4364-148-0x00007FF68C710000-0x00007FF68CA64000-memory.dmp

memory/788-149-0x00007FF77F4F0000-0x00007FF77F844000-memory.dmp

memory/628-150-0x00007FF7D73E0000-0x00007FF7D7734000-memory.dmp

memory/5020-151-0x00007FF63C2A0000-0x00007FF63C5F4000-memory.dmp

memory/884-152-0x00007FF7C2230000-0x00007FF7C2584000-memory.dmp

memory/4328-153-0x00007FF7ACF70000-0x00007FF7AD2C4000-memory.dmp

memory/624-154-0x00007FF614560000-0x00007FF6148B4000-memory.dmp

memory/3476-155-0x00007FF704100000-0x00007FF704454000-memory.dmp

memory/4236-156-0x00007FF696450000-0x00007FF6967A4000-memory.dmp

memory/4100-157-0x00007FF7AA250000-0x00007FF7AA5A4000-memory.dmp

memory/3532-158-0x00007FF6EF950000-0x00007FF6EFCA4000-memory.dmp

memory/3636-159-0x00007FF6FEBF0000-0x00007FF6FEF44000-memory.dmp
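The Files list mixes two kinds of entries: dropped executables with their four hashes, and memory dump names that encode the PID, a sequence number and the dumped address range. A practitioner wants the hashes as a clean indicator list and the dump names as numbers, because the ranges tell a story the text does not: every image-mapped region in this report, the parent sample and each dropped child alike, spans exactly 0x354000 bytes, while the small 0x10000 region in PID 2980 is something else (a heap or data mapping). Identical image sizes with differing hashes are worth checking against the UPX signature above before treating the 21 drops as 21 distinct tools. The script below is an added example, not part of the sandbox report: it parses a two-file excerpt of the list above (embedded as constructed input), validates hash lengths, tallies region sizes, and emits SHA256 indicator lines.

```python
import re
from collections import Counter

# Two file blocks and three memory-dump names copied from the Files list above,
# embedded as constructed input so the example runs offline.
FILES_SECTION = r"""
memory/2980-0-0x00007FF631980000-0x00007FF631CD4000-memory.dmp

memory/2980-1-0x0000019700600000-0x0000019700610000-memory.dmp

C:\Windows\System\CyoipiN.exe

MD5 a7e9beca0ef164c20ad24448d942fc14
SHA1 0ff45f854dd5c89419cf6c0e0de3ea122a0f1059
SHA256 9abf7e16d608a21d5eba3aa4af62107274dbc31f14f1ea2d373cf95ca3285b1f
SHA512 21557d3669b80bfac21e58759e2637119a9a0ca9943032263bbf20c4f7af869ab1c2c77548ba5ea1a2b59ddfde3d722c46b78c8d917cd8ac7847eb2da18fcdef

memory/340-8-0x00007FF6A24A0000-0x00007FF6A27F4000-memory.dmp

C:\Windows\System\WsEopIW.exe

MD5 091eafe336fa2022b25eb19a7b05287b
SHA1 46549fe48f5c83b9eec8f32a0be617bcaad4c2ae
SHA256 4fe69a7e518f09aefc3c8f014cf37b68be0ec61b84e8818f01bb0eb174907687
SHA512 9ef8b442396d646b0d4643ee749f0ac0295ced040d289bdbd423f0a61ae4b947aeb84958c0315284eaed04f5e8c4feb9135930bc55d102eff56b4e376006dd18
"""

# memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp
MEMORY = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-F]+)-0x([0-9A-F]+)-memory\.dmp$")
PATH = re.compile(r"^[A-Za-z]:\\")
HASH = re.compile(r"^(MD5|SHA1|SHA256|SHA512) ([0-9a-f]+)$")
HEX_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}


def parse_files(text):
    """Return ({path: {algo: hexdigest}}, [region dicts]) from a Files listing."""
    hashes, regions, current = {}, [], None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if m := MEMORY.match(line):
            pid, seq, start, end = m.groups()
            start, end = int(start, 16), int(end, 16)
            regions.append({"pid": int(pid), "seq": int(seq), "start": start, "size": end - start})
            current = None  # hash lines belong to the most recent path, not to a dump
        elif PATH.match(line):
            current = line
            hashes[current] = {}
        elif (m := HASH.match(line)) and current:
            hashes[current][m.group(1)] = m.group(2)
    return hashes, regions


def validate_hashes(hashes):
    """Catch truncated or missing digests before they go into a blocklist."""
    problems = []
    for path, algos in hashes.items():
        for algo, expected in HEX_LEN.items():
            got = algos.get(algo)
            if got is None:
                problems.append(f"{path}: missing {algo}")
            elif len(got) != expected:
                problems.append(f"{path}: {algo} has {len(got)} hex digits, expected {expected}")
    return problems


def image_sizes(regions):
    """Histogram of dumped region sizes; a single dominant size suggests one image."""
    return Counter(r["size"] for r in regions)


def ioc_lines(hashes):
    """'sha256,path' lines, sorted by path, for import into a blocklist or hunt."""
    return [f'{algos["SHA256"]},{path}' for path, algos in sorted(hashes.items())]


if __name__ == "__main__":
    hashes, regions = parse_files(FILES_SECTION)
    print(validate_hashes(hashes) or "all digests well-formed")
    print({hex(size): n for size, n in image_sizes(regions).items()})
    print("\n".join(ioc_lines(hashes)))
```

Fed the whole Files list, the size histogram shows 0x354000 for every per-process dump and isolates the one 0x10000 mapping; those dumps, not the on-disk files, are where a beacon-configuration extractor should be pointed, since the UPX signatures indicate the files on disk are packed.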