Malware Analysis Report

2025-03-15 08:09

Sample ID 240530-lfhz6aea46
Target 2024-05-30_1ae3a42dff9637f036b1655ce4b201ef_cobalt-strike_cobaltstrike
SHA256 5ec5330a2e519adb7e667559c0c60a8a2509f3890b40a805d218b78d78eb74eb
Tags
upx 0 miner cobaltstrike xmrig backdoor trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

5ec5330a2e519adb7e667559c0c60a8a2509f3890b40a805d218b78d78eb74eb

Threat Level: Known bad

The file 2024-05-30_1ae3a42dff9637f036b1655ce4b201ef_cobalt-strike_cobaltstrike was found to be: Known bad.

Malicious Activity Summary

Cobaltstrike

xmrig

Xmrig family

Cobaltstrike family

XMRig Miner payload

UPX dump on OEP (original entry point)

Cobalt Strike reflective loader

Detects Reflective DLL injection artifacts

Executes dropped EXE

Loads dropped DLL

UPX packed file

Drops file in Windows directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-05-30 09:28

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike family

cobaltstrike

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Xmrig family

xmrig

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-30 09:28

Reported

2024-05-30 09:31

Platform

win7-20240508-en

Max time kernel

144s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-05-30_1ae3a42dff9637f036b1655ce4b201ef_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A
(21 matches; none with a recorded description, indicator, process or target)

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A
(21 matches; none with a recorded description, indicator, process or target)

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A
(64 matches; none with a recorded description, indicator, process or target)

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
(43 matches; none with a recorded description, indicator, process or target)

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_1ae3a42dff9637f036b1655ce4b201ef_cobalt-strike_cobaltstrike.exe N/A
(21 matches, all attributed to the same process; no indicator or target recorded)

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
(64 matches; none with a recorded description, indicator, process or target)

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\ucGDUBt.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_1ae3a42dff9637f036b1655ce4b201ef_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\DpgwpVh.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_1ae3a42dff9637f036b1655ce4b201ef_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\zfnhZPK.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_1ae3a42dff9637f036b1655ce4b201ef_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\xGQbEMe.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_1ae3a42dff9637f036b1655ce4b201ef_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\gpJqXxf.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_1ae3a42dff9637f036b1655ce4b201ef_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\pZZTvBk.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_1ae3a42dff9637f036b1655ce4b201ef_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\VFsbHxr.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_1ae3a42dff9637f036b1655ce4b201ef_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\DtShMdw.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_1ae3a42dff9637f036b1655ce4b201ef_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\LzfPTDE.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_1ae3a42dff9637f036b1655ce4b201ef_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\slzvHRa.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_1ae3a42dff9637f036b1655ce4b201ef_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\eFweDFV.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_1ae3a42dff9637f036b1655ce4b201ef_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\PpZJvrq.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_1ae3a42dff9637f036b1655ce4b201ef_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\dbSfsaW.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_1ae3a42dff9637f036b1655ce4b201ef_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\DMkpHwV.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_1ae3a42dff9637f036b1655ce4b201ef_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\xhDBmgB.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_1ae3a42dff9637f036b1655ce4b201ef_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\RuFleJF.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_1ae3a42dff9637f036b1655ce4b201ef_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\sDHkXIG.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_1ae3a42dff9637f036b1655ce4b201ef_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\zcYTtIB.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_1ae3a42dff9637f036b1655ce4b201ef_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\XCDZDTO.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_1ae3a42dff9637f036b1655ce4b201ef_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\FNbrfQY.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_1ae3a42dff9637f036b1655ce4b201ef_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\QxfpDCl.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_1ae3a42dff9637f036b1655ce4b201ef_cobalt-strike_cobaltstrike.exe N/A
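
All 21 drops above share one shape: a seven-letter, mixed-case name with an .exe extension written directly into C:\Windows\System\ (the legacy directory, not System32) by a binary running out of the user's Temp folder. That shape is specific enough to hunt for in endpoint telemetry. The Python below is an added example and not part of the sandbox report: it applies the pattern to Sysmon Event ID 11 (FileCreate) records and then groups hits by the writing process, because one image creating several such files in a single run is the stronger signal. The log lines are constructed for the example; the Image and TargetFilename field names are Sysmon's, but the key=value flattening and the shortened sample.exe name are assumptions.

```python
import re
from collections import defaultdict

# Constructed Sysmon records (EventID 11 = FileCreate, EventID 1 = ProcessCreate),
# flattened to key=value by a hypothetical collector. Target paths mirror the
# drops in the report; "sample.exe" stands in for the long sample file name.
SAMPLE_LOG = """\
EventID=11 UtcTime=2024-05-30T09:28:41 ProcessId=1424 Image=C:\\Users\\Admin\\AppData\\Local\\Temp\\sample.exe TargetFilename=C:\\Windows\\System\\ucGDUBt.exe
EventID=11 UtcTime=2024-05-30T09:28:41 ProcessId=1424 Image=C:\\Users\\Admin\\AppData\\Local\\Temp\\sample.exe TargetFilename=C:\\Windows\\System\\DpgwpVh.exe
EventID=11 UtcTime=2024-05-30T09:28:42 ProcessId=1424 Image=C:\\Users\\Admin\\AppData\\Local\\Temp\\sample.exe TargetFilename=C:\\Windows\\System\\zfnhZPK.exe
EventID=11 UtcTime=2024-05-30T09:30:02 ProcessId=812 Image=C:\\Windows\\System32\\svchost.exe TargetFilename=C:\\Windows\\System32\\config\\systemprofile\\AppData\\Local\\x.tmp
EventID=11 UtcTime=2024-05-30T09:30:05 ProcessId=2200 Image=C:\\Program Files\\Vendor\\setup.exe TargetFilename=C:\\Windows\\System\\readme.txt
EventID=1 UtcTime=2024-05-30T09:28:43 ProcessId=1992 Image=C:\\Windows\\System\\gpJqXxf.exe
"""

# Exactly seven ASCII letters plus .exe, directly under C:\Windows\System\.
# Anchored so that System32 and SysWOW64 paths never match.
DROP_RE = re.compile(r"^C:\\Windows\\System\\[A-Za-z]{7}\.exe$")


def parse_record(line):
    """Split one flattened record into a dict. Values (paths) may contain
    spaces, so split only where the next token looks like 'Key='."""
    rec = {}
    for part in re.split(r" (?=\w+=)", line.strip()):
        key, _, value = part.partition("=")
        rec[key] = value
    return rec


def find_drops(log_text):
    """Return the FileCreate records whose target matches the drop pattern."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_record(line)
        if rec.get("EventID") != "11":
            continue
        if DROP_RE.match(rec.get("TargetFilename", "")):
            hits.append(rec)
    return hits


def summarize_by_writer(hits, threshold=3):
    """Group hits by (PID, image) and keep writers that created at least
    `threshold` matching files; a burst from one process is the real alert."""
    by_writer = defaultdict(list)
    for rec in hits:
        by_writer[(rec["ProcessId"], rec["Image"])].append(rec["TargetFilename"])
    return {k: v for k, v in by_writer.items() if len(v) >= threshold}


if __name__ == "__main__":
    for (pid, image), targets in summarize_by_writer(find_drops(SAMPLE_LOG)).items():
        print(f"PID {pid} ({image}) dropped {len(targets)} files: {', '.join(targets)}")
```

The regex is deliberately case-sensitive on the directory and fixed at seven letters; widen it to `[A-Za-z]{6,8}` only after checking how noisy that is on your own fleet, since the threshold on the writer, not the per-file match, is what keeps false positives down.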

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_1ae3a42dff9637f036b1655ce4b201ef_cobalt-strike_cobaltstrike.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_1ae3a42dff9637f036b1655ce4b201ef_cobalt-strike_cobaltstrike.exe N/A
SeLockMemoryPrivilege is the privilege XMRig requests so it can back its RandomX dataset with large pages; an unsigned binary in a user's Temp folder enabling it is consistent with the miner tags above.

Suspicious use of WriteProcessMemory

Description Indicator Process Target
(each row below was logged three times, once per write; 63 events in total)
PID 1424 wrote to memory of 1992 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_1ae3a42dff9637f036b1655ce4b201ef_cobalt-strike_cobaltstrike.exe C:\Windows\System\gpJqXxf.exe
PID 1424 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_1ae3a42dff9637f036b1655ce4b201ef_cobalt-strike_cobaltstrike.exe C:\Windows\System\PpZJvrq.exe
PID 1424 wrote to memory of 3012 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_1ae3a42dff9637f036b1655ce4b201ef_cobalt-strike_cobaltstrike.exe C:\Windows\System\dbSfsaW.exe
PID 1424 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_1ae3a42dff9637f036b1655ce4b201ef_cobalt-strike_cobaltstrike.exe C:\Windows\System\sDHkXIG.exe
PID 1424 wrote to memory of 2736 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_1ae3a42dff9637f036b1655ce4b201ef_cobalt-strike_cobaltstrike.exe C:\Windows\System\DMkpHwV.exe
PID 1424 wrote to memory of 3008 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_1ae3a42dff9637f036b1655ce4b201ef_cobalt-strike_cobaltstrike.exe C:\Windows\System\pZZTvBk.exe
PID 1424 wrote to memory of 2636 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_1ae3a42dff9637f036b1655ce4b201ef_cobalt-strike_cobaltstrike.exe C:\Windows\System\VFsbHxr.exe
PID 1424 wrote to memory of 2472 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_1ae3a42dff9637f036b1655ce4b201ef_cobalt-strike_cobaltstrike.exe C:\Windows\System\xhDBmgB.exe
PID 1424 wrote to memory of 2512 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_1ae3a42dff9637f036b1655ce4b201ef_cobalt-strike_cobaltstrike.exe C:\Windows\System\DtShMdw.exe
PID 1424 wrote to memory of 3040 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_1ae3a42dff9637f036b1655ce4b201ef_cobalt-strike_cobaltstrike.exe C:\Windows\System\RuFleJF.exe
PID 1424 wrote to memory of 1040 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_1ae3a42dff9637f036b1655ce4b201ef_cobalt-strike_cobaltstrike.exe C:\Windows\System\slzvHRa.exe
PID 1424 wrote to memory of 1836 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_1ae3a42dff9637f036b1655ce4b201ef_cobalt-strike_cobaltstrike.exe C:\Windows\System\zcYTtIB.exe
PID 1424 wrote to memory of 2568 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_1ae3a42dff9637f036b1655ce4b201ef_cobalt-strike_cobaltstrike.exe C:\Windows\System\LzfPTDE.exe
PID 1424 wrote to memory of 1064 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_1ae3a42dff9637f036b1655ce4b201ef_cobalt-strike_cobaltstrike.exe C:\Windows\System\XCDZDTO.exe
PID 1424 wrote to memory of 2908 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_1ae3a42dff9637f036b1655ce4b201ef_cobalt-strike_cobaltstrike.exe C:\Windows\System\zfnhZPK.exe
PID 1424 wrote to memory of 2016 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_1ae3a42dff9637f036b1655ce4b201ef_cobalt-strike_cobaltstrike.exe C:\Windows\System\FNbrfQY.exe
PID 1424 wrote to memory of 2028 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_1ae3a42dff9637f036b1655ce4b201ef_cobalt-strike_cobaltstrike.exe C:\Windows\System\ucGDUBt.exe
PID 1424 wrote to memory of 1208 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_1ae3a42dff9637f036b1655ce4b201ef_cobalt-strike_cobaltstrike.exe C:\Windows\System\DpgwpVh.exe
PID 1424 wrote to memory of 1188 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_1ae3a42dff9637f036b1655ce4b201ef_cobalt-strike_cobaltstrike.exe C:\Windows\System\eFweDFV.exe
PID 1424 wrote to memory of 556 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_1ae3a42dff9637f036b1655ce4b201ef_cobalt-strike_cobaltstrike.exe C:\Windows\System\QxfpDCl.exe
PID 1424 wrote to memory of 332 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_1ae3a42dff9637f036b1655ce4b201ef_cobalt-strike_cobaltstrike.exe C:\Windows\System\xGQbEMe.exe
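
Every write in this table goes from the sample (PID 1424) into a process that the Processes section lists as one of its own dropped executables, three writes per child. A parent starting a child with CreateProcess produces that same short burst of writes into the new process, so here the signature is evidence of spawning rather than of injection into a process the sample did not own. The distinction is worth encoding, because the same signature name fires in both situations. The Python below is an added example, not part of the sandbox report: it builds a process tree from create events, then labels each cross-process write as "spawn" (writer is the target's direct parent) or "inject" (writer is not). The event list is constructed from a few of the rows above; the write into PID 1300 (explorer.exe) and the shortened sample.exe name are assumptions added to exercise the injection branch.

```python
from collections import defaultdict

# Constructed events: (kind, source PID, target PID, image of the target for
# create events). Create events mirror the Processes section; write events
# mirror the WriteProcessMemory rows for three of the 21 children. The write
# into PID 1300 is hypothetical and is there to show the other branch.
EVENTS = [
    ("create", 1424, 1992, r"C:\Windows\System\gpJqXxf.exe"),
    ("write", 1424, 1992, None), ("write", 1424, 1992, None), ("write", 1424, 1992, None),
    ("create", 1424, 2704, r"C:\Windows\System\PpZJvrq.exe"),
    ("write", 1424, 2704, None), ("write", 1424, 2704, None), ("write", 1424, 2704, None),
    ("create", 1424, 3012, r"C:\Windows\System\dbSfsaW.exe"),
    ("write", 1424, 3012, None), ("write", 1424, 3012, None), ("write", 1424, 3012, None),
    ("write", 1424, 1300, None),  # hypothetical: target not created by 1424
]

# Root of the tree: the sample itself (file name shortened for the example).
ROOT = (1424, r"C:\Users\Admin\AppData\Local\Temp\sample.exe")


def build_tree(events, root):
    """Map PID -> (parent PID, image), seeded with the root process."""
    tree = {root[0]: (None, root[1])}
    for kind, src, dst, image in events:
        if kind == "create":
            tree[dst] = (src, image)
    return tree


def classify_writes(events, tree):
    """Return {(writer, target): (label, count)} where label is 'spawn' when
    the writer is the target's direct parent and 'inject' otherwise."""
    counts = defaultdict(int)
    labels = {}
    for kind, src, dst, _ in events:
        if kind != "write":
            continue
        counts[(src, dst)] += 1
        parent = tree.get(dst, (None, None))[0]
        labels[(src, dst)] = "spawn" if parent == src else "inject"
    return {pair: (labels[pair], counts[pair]) for pair in counts}


def injections(events, tree):
    """Only the (writer, target) pairs a responder should chase as injection."""
    result = classify_writes(events, tree)
    return sorted(pair for pair, (label, _) in result.items() if label == "inject")


if __name__ == "__main__":
    tree = build_tree(EVENTS, ROOT)
    for (src, dst), (label, n) in classify_writes(EVENTS, tree).items():
        target = tree.get(dst, (None, "<not in tree>"))[1]
        print(f"{src} -> {dst} ({target}): {label}, {n} write(s)")
```

On real telemetry the create events come from Sysmon Event ID 1 (ParentProcessId) and the writes from an EDR's cross-process event stream; the classification only needs the two PIDs and the parent link, so it ports directly.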

Processes

C:\Users\Admin\AppData\Local\Temp\2024-05-30_1ae3a42dff9637f036b1655ce4b201ef_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-05-30_1ae3a42dff9637f036b1655ce4b201ef_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\gpJqXxf.exe

C:\Windows\System\gpJqXxf.exe

C:\Windows\System\PpZJvrq.exe

C:\Windows\System\PpZJvrq.exe

C:\Windows\System\dbSfsaW.exe

C:\Windows\System\dbSfsaW.exe

C:\Windows\System\sDHkXIG.exe

C:\Windows\System\sDHkXIG.exe

C:\Windows\System\DMkpHwV.exe

C:\Windows\System\DMkpHwV.exe

C:\Windows\System\pZZTvBk.exe

C:\Windows\System\pZZTvBk.exe

C:\Windows\System\VFsbHxr.exe

C:\Windows\System\VFsbHxr.exe

C:\Windows\System\xhDBmgB.exe

C:\Windows\System\xhDBmgB.exe

C:\Windows\System\DtShMdw.exe

C:\Windows\System\DtShMdw.exe

C:\Windows\System\RuFleJF.exe

C:\Windows\System\RuFleJF.exe

C:\Windows\System\slzvHRa.exe

C:\Windows\System\slzvHRa.exe

C:\Windows\System\zcYTtIB.exe

C:\Windows\System\zcYTtIB.exe

C:\Windows\System\LzfPTDE.exe

C:\Windows\System\LzfPTDE.exe

C:\Windows\System\XCDZDTO.exe

C:\Windows\System\XCDZDTO.exe

C:\Windows\System\zfnhZPK.exe

C:\Windows\System\zfnhZPK.exe

C:\Windows\System\FNbrfQY.exe

C:\Windows\System\FNbrfQY.exe

C:\Windows\System\ucGDUBt.exe

C:\Windows\System\ucGDUBt.exe

C:\Windows\System\DpgwpVh.exe

C:\Windows\System\DpgwpVh.exe

C:\Windows\System\eFweDFV.exe

C:\Windows\System\eFweDFV.exe

C:\Windows\System\QxfpDCl.exe

C:\Windows\System\QxfpDCl.exe

C:\Windows\System\xGQbEMe.exe

C:\Windows\System\xGQbEMe.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 tcp
(6 identical connections; no domain recorded)

Files

memory/1424-0-0x000000013FC10000-0x000000013FF61000-memory.dmp

memory/1424-1-0x0000000000080000-0x0000000000090000-memory.dmp

\Windows\system\gpJqXxf.exe

MD5 a01fcf5c60028ee275b4bf5c24a968fa
SHA1 41586f272a325fc810a62c619a730ece7d15701c
SHA256 53260a4c01efbaeaf371a15497e22339b3c32b1e50ec69efd9864085a665ec5d
SHA512 9c7cf1d80a3a8b3367bae092e63eb9965149a871aabf9fa47d8d203bbf0dde296e704b7741952edf08f6b2d97a1bceef0a1df4562ffa72aa8f357c27997b7057

memory/1424-6-0x000000013F2F0000-0x000000013F641000-memory.dmp

memory/1992-8-0x000000013F2F0000-0x000000013F641000-memory.dmp

C:\Windows\system\PpZJvrq.exe

MD5 7c34d59aa0b61d179e9727a800b79e81
SHA1 20cb4b102a36d3b1f91c085ae56adbf039a9ca24
SHA256 1b22e2522c4f64a403fef4bf52425ffbf9a0ac83df6b7d58f22b797916ef3ce8
SHA512 18ce90c79309e0e1a8f25da669e13a53b95c69c70fb52b330c83a60a52492e0c760d2a5ce9cd96945601e93bece423bb118aa704dbeac4f891563d860509de2b

memory/2704-16-0x000000013F6B0000-0x000000013FA01000-memory.dmp

memory/1424-15-0x000000013F6B0000-0x000000013FA01000-memory.dmp

C:\Windows\system\dbSfsaW.exe

MD5 36335d5014997ee3df7bb1a1aa52c3d9
SHA1 23122907f3771b96d9661a66cb34c80cbe65f326
SHA256 8ec36eed8e522da8f8502676c7f2f3febc051af1434c2a8a07cde506a5e03608
SHA512 1136b055aec033bbbb116b0ca2941b5d22cfc86f08705171d330cfc1c6b9c1aab4ad3f642afbea3c9f16ce829de26fff5f05d3daacb5b958fce3bc750ea21b1f

memory/3012-24-0x000000013FFA0000-0x00000001402F1000-memory.dmp

\Windows\system\sDHkXIG.exe

MD5 1f39891c176f773555518807589c4401
SHA1 0cda1a3dd5973e19ba0a5f32f429d844e2970fdf
SHA256 9f9cd7f5c598ac2730d642a196d662b9aea3927e96f12cba088dceebfcfbf86d
SHA512 6063a657af67eb4cf12f4e3856f1e61e81394983c5e37cd94c823942ac00d36d76b7fa05091365517d8e6e42c5c255bcb21a5e3218fcd774f0b597245bcb2110

memory/1424-22-0x000000013FFA0000-0x00000001402F1000-memory.dmp

C:\Windows\system\DMkpHwV.exe

MD5 77164abd07cade964c30e3f97dc23f3b
SHA1 30c13761ce405adc6f0024f1f11a81216f8a55b7
SHA256 fe220a1f0413a3fb38f3259b408f9d4f0298cb2f65baa84c58e58d82ff23f772
SHA512 0d755c61965f01bbbedc1a4ba9a0580a9dc28c7d10d59788e425ba2b835a38f7415ab5d6ba7b97a40bfdda0db864be72f5fb6a2d616958725de25da029a4a552

memory/2736-34-0x000000013F1B0000-0x000000013F501000-memory.dmp

memory/3008-40-0x000000013FB30000-0x000000013FE81000-memory.dmp

memory/1424-39-0x0000000002370000-0x00000000026C1000-memory.dmp

C:\Windows\system\pZZTvBk.exe

MD5 579788dcf2ae3c7f93ada709d275a1d3
SHA1 2fb10716298e4de0147b0511242e23986b305869
SHA256 f5e24d2b37d33af22d9aa0a3524effeacb45bc28ec99e06237edbaa890ea4050
SHA512 76e07045ccf8e05118338146428f3542e1a8d6cd742fc287c239f53ab2bfec9d3fc8e074fcb74a26e73485bfe4c1e6b3879041e0736c14f5b47f6c6ee16e3664

memory/2668-32-0x000000013F320000-0x000000013F671000-memory.dmp

memory/1424-28-0x000000013F320000-0x000000013F671000-memory.dmp

\Windows\system\VFsbHxr.exe

MD5 b5701497911d9499dae2392523ae80ce
SHA1 0f1ac9dace20b56e0b93e8d9870d904ee22b5c87
SHA256 d18f4adf3f5e711cbd2364708e068816f4beadfeb032b6707579146c982b3101
SHA512 50cefc8edf66407698ae6deb469d0679fbbdb6def832c46aef84a2113c98e84f480c8c4bf4b938575a9d3b4a9d47bac0ce4d441a6c88785f7cade58b8e7c6ce8

memory/2636-50-0x000000013FCC0000-0x0000000140011000-memory.dmp

memory/1424-49-0x000000013FC10000-0x000000013FF61000-memory.dmp

\Windows\system\xhDBmgB.exe

MD5 74e689ff1e79dd4b4f2aad2b61388a4a
SHA1 9ced0d16c39c7f0c78e254c7d080910520cebc2e
SHA256 6abf6a62de1d17b2d7a12b60670a20fe705de9d54d7a66982c831a4639b19960
SHA512 66972d01edbb5301c4cd300469af815cf5285154979eb73ce30c05d547bab13f99bec1fe85e43e3be5ae39c9d58e75afb6fea5a1ca72f6741bb59fb593de494c

\Windows\system\DtShMdw.exe

MD5 e92004c01168e16b5d28f57c634fe004
SHA1 5926f4e0587aa4ea0a19babe45a8c39463ae7a2a
SHA256 c82e66b47ff307467397e1d530bba983194da52b7da212ee6c3e0ade952fd914
SHA512 93bac31dc49bd2a85f370a884380728f8c7cfe4581b730efaa16354db1f74ed493683b6e83fd077a9a7feecf6074828d0ff8d7c2aedfdc643d93bf35072daaac

memory/2512-64-0x000000013FFB0000-0x0000000140301000-memory.dmp

memory/2472-63-0x000000013F250000-0x000000013F5A1000-memory.dmp

memory/1424-61-0x000000013F250000-0x000000013F5A1000-memory.dmp

memory/1992-59-0x000000013F2F0000-0x000000013F641000-memory.dmp

C:\Windows\system\RuFleJF.exe

MD5 47ce3a3d4b8272908d26cd92d78b4590
SHA1 9e737a2841914d764fcd8b0378b2305d21d9ee81
SHA256 5fd26cd0c55ca21d80249b7fa97e1f37ff7cd635d3af29229eb06002aca54975
SHA512 d2f432640c093e2a19f1e419864d36314de91285090b23573e8c926fe75602b8fdea4aaaccfe4224aebd0420044901f8639de165a348412598df4873b8cde000

memory/3040-71-0x000000013FFE0000-0x0000000140331000-memory.dmp

memory/1424-70-0x000000013FFE0000-0x0000000140331000-memory.dmp

\Windows\system\slzvHRa.exe

MD5 203c9fda6cd40c683d4fbdda16268274
SHA1 2378b94d762f9b5567a2e6246c237c84ed8f7068

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-30 09:28

Reported

2024-05-30 09:31

Platform

win10v2004-20240426-en

Max time kernel

141s

Max time network

156s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-05-30_1ae3a42dff9637f036b1655ce4b201ef_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\EqKLXRF.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_1ae3a42dff9637f036b1655ce4b201ef_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\cssLUrB.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_1ae3a42dff9637f036b1655ce4b201ef_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\vXaMShG.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_1ae3a42dff9637f036b1655ce4b201ef_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\cvUVMQf.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_1ae3a42dff9637f036b1655ce4b201ef_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\NoatkZp.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_1ae3a42dff9637f036b1655ce4b201ef_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\dUrYxPw.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_1ae3a42dff9637f036b1655ce4b201ef_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\zjyePtl.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_1ae3a42dff9637f036b1655ce4b201ef_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\IOxsYiX.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_1ae3a42dff9637f036b1655ce4b201ef_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\qxgqsko.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_1ae3a42dff9637f036b1655ce4b201ef_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\PPuXvEY.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_1ae3a42dff9637f036b1655ce4b201ef_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\IbpuPVk.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_1ae3a42dff9637f036b1655ce4b201ef_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\OcLliKr.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_1ae3a42dff9637f036b1655ce4b201ef_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\qxFdDhg.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_1ae3a42dff9637f036b1655ce4b201ef_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\SynZQfc.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_1ae3a42dff9637f036b1655ce4b201ef_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\PdyJatp.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_1ae3a42dff9637f036b1655ce4b201ef_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\RSmLkao.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_1ae3a42dff9637f036b1655ce4b201ef_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\LCByrmN.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_1ae3a42dff9637f036b1655ce4b201ef_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\HnkcGxA.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_1ae3a42dff9637f036b1655ce4b201ef_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\qVqytqJ.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_1ae3a42dff9637f036b1655ce4b201ef_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\dysBoqV.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_1ae3a42dff9637f036b1655ce4b201ef_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\vbBDmGf.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_1ae3a42dff9637f036b1655ce4b201ef_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_1ae3a42dff9637f036b1655ce4b201ef_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3516 wrote to memory of 3728 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_1ae3a42dff9637f036b1655ce4b201ef_cobalt-strike_cobaltstrike.exe C:\Windows\System\zjyePtl.exe
PID 3516 wrote to memory of 2016 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_1ae3a42dff9637f036b1655ce4b201ef_cobalt-strike_cobaltstrike.exe C:\Windows\System\SynZQfc.exe
PID 3516 wrote to memory of 1816 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_1ae3a42dff9637f036b1655ce4b201ef_cobalt-strike_cobaltstrike.exe C:\Windows\System\PdyJatp.exe
PID 3516 wrote to memory of 4972 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_1ae3a42dff9637f036b1655ce4b201ef_cobalt-strike_cobaltstrike.exe C:\Windows\System\RSmLkao.exe
PID 3516 wrote to memory of 8 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_1ae3a42dff9637f036b1655ce4b201ef_cobalt-strike_cobaltstrike.exe C:\Windows\System\EqKLXRF.exe
PID 3516 wrote to memory of 4832 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_1ae3a42dff9637f036b1655ce4b201ef_cobalt-strike_cobaltstrike.exe C:\Windows\System\LCByrmN.exe
PID 3516 wrote to memory of 4712 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_1ae3a42dff9637f036b1655ce4b201ef_cobalt-strike_cobaltstrike.exe C:\Windows\System\cvUVMQf.exe
PID 3516 wrote to memory of 1412 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_1ae3a42dff9637f036b1655ce4b201ef_cobalt-strike_cobaltstrike.exe C:\Windows\System\NoatkZp.exe
PID 3516 wrote to memory of 1808 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_1ae3a42dff9637f036b1655ce4b201ef_cobalt-strike_cobaltstrike.exe C:\Windows\System\HnkcGxA.exe
PID 3516 wrote to memory of 2944 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_1ae3a42dff9637f036b1655ce4b201ef_cobalt-strike_cobaltstrike.exe C:\Windows\System\IOxsYiX.exe
PID 3516 wrote to memory of 3824 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_1ae3a42dff9637f036b1655ce4b201ef_cobalt-strike_cobaltstrike.exe C:\Windows\System\dUrYxPw.exe
PID 3516 wrote to memory of 4008 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_1ae3a42dff9637f036b1655ce4b201ef_cobalt-strike_cobaltstrike.exe C:\Windows\System\qVqytqJ.exe
PID 3516 wrote to memory of 3032 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_1ae3a42dff9637f036b1655ce4b201ef_cobalt-strike_cobaltstrike.exe C:\Windows\System\qxgqsko.exe
PID 3516 wrote to memory of 3328 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_1ae3a42dff9637f036b1655ce4b201ef_cobalt-strike_cobaltstrike.exe C:\Windows\System\dysBoqV.exe
PID 3516 wrote to memory of 1220 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_1ae3a42dff9637f036b1655ce4b201ef_cobalt-strike_cobaltstrike.exe C:\Windows\System\cssLUrB.exe
PID 3516 wrote to memory of 2924 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_1ae3a42dff9637f036b1655ce4b201ef_cobalt-strike_cobaltstrike.exe C:\Windows\System\PPuXvEY.exe
PID 3516 wrote to memory of 4168 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_1ae3a42dff9637f036b1655ce4b201ef_cobalt-strike_cobaltstrike.exe C:\Windows\System\qxFdDhg.exe
PID 3516 wrote to memory of 3764 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_1ae3a42dff9637f036b1655ce4b201ef_cobalt-strike_cobaltstrike.exe C:\Windows\System\vbBDmGf.exe
PID 3516 wrote to memory of 3404 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_1ae3a42dff9637f036b1655ce4b201ef_cobalt-strike_cobaltstrike.exe C:\Windows\System\IbpuPVk.exe
PID 3516 wrote to memory of 4848 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_1ae3a42dff9637f036b1655ce4b201ef_cobalt-strike_cobaltstrike.exe C:\Windows\System\vXaMShG.exe
PID 3516 wrote to memory of 1996 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_1ae3a42dff9637f036b1655ce4b201ef_cobalt-strike_cobaltstrike.exe C:\Windows\System\OcLliKr.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-05-30_1ae3a42dff9637f036b1655ce4b201ef_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-05-30_1ae3a42dff9637f036b1655ce4b201ef_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\zjyePtl.exe

C:\Windows\System\zjyePtl.exe

C:\Windows\System\SynZQfc.exe

C:\Windows\System\SynZQfc.exe

C:\Windows\System\PdyJatp.exe

C:\Windows\System\PdyJatp.exe

C:\Windows\System\RSmLkao.exe

C:\Windows\System\RSmLkao.exe

C:\Windows\System\EqKLXRF.exe

C:\Windows\System\EqKLXRF.exe

C:\Windows\System\LCByrmN.exe

C:\Windows\System\LCByrmN.exe

C:\Windows\System\cvUVMQf.exe

C:\Windows\System\cvUVMQf.exe

C:\Windows\System\NoatkZp.exe

C:\Windows\System\NoatkZp.exe

C:\Windows\System\HnkcGxA.exe

C:\Windows\System\HnkcGxA.exe

C:\Windows\System\IOxsYiX.exe

C:\Windows\System\IOxsYiX.exe

C:\Windows\System\dUrYxPw.exe

C:\Windows\System\dUrYxPw.exe

C:\Windows\System\qVqytqJ.exe

C:\Windows\System\qVqytqJ.exe

C:\Windows\System\qxgqsko.exe

C:\Windows\System\qxgqsko.exe

C:\Windows\System\dysBoqV.exe

C:\Windows\System\dysBoqV.exe

C:\Windows\System\cssLUrB.exe

C:\Windows\System\cssLUrB.exe

C:\Windows\System\PPuXvEY.exe

C:\Windows\System\PPuXvEY.exe

C:\Windows\System\qxFdDhg.exe

C:\Windows\System\qxFdDhg.exe

C:\Windows\System\vbBDmGf.exe

C:\Windows\System\vbBDmGf.exe

C:\Windows\System\IbpuPVk.exe

C:\Windows\System\IbpuPVk.exe

C:\Windows\System\vXaMShG.exe

C:\Windows\System\vXaMShG.exe

C:\Windows\System\OcLliKr.exe

C:\Windows\System\OcLliKr.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 88.251.17.2.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 4.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 200.131.50.23.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp

Files
