Malware Analysis Report

2025-03-15 08:09

Sample ID 240530-lgc6asda9v
Target 2024-05-30_303556bf5e90783a9b31ebef9ff363dd_cobalt-strike_cobaltstrike
SHA256 27abd97ccbbf25171d9ce3571e3479f374090a014684d67382e3a26646149d3f
Tags
upx 0 miner cobaltstrike xmrig backdoor trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

27abd97ccbbf25171d9ce3571e3479f374090a014684d67382e3a26646149d3f

Threat Level: Known bad

The file 2024-05-30_303556bf5e90783a9b31ebef9ff363dd_cobalt-strike_cobaltstrike was found to be: Known bad.

Malicious Activity Summary

upx 0 miner cobaltstrike xmrig backdoor trojan

xmrig

XMRig Miner payload

Cobalt Strike reflective loader

UPX dump on OEP (original entry point)

Xmrig family

Cobaltstrike

Detects Reflective DLL injection artifacts

Cobaltstrike family

UPX packed file

Executes dropped EXE

Loads dropped DLL

Drops file in Windows directory

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-05-30 09:29

Signatures

Cobalt Strike reflective loader


Cobaltstrike family

cobaltstrike

Detects Reflective DLL injection artifacts


UPX dump on OEP (original entry point)


XMRig Miner payload

miner

Xmrig family

xmrig

UPX packed file

upx

Unsigned PE


Analysis: behavioral1

Detonation Overview

Submitted

2024-05-30 09:29

Reported

2024-05-30 09:32

Platform

win7-20240508-en

Max time kernel

143s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-05-30_303556bf5e90783a9b31ebef9ff363dd_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader


Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts


UPX dump on OEP (original entry point)


XMRig Miner payload

miner

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_303556bf5e90783a9b31ebef9ff363dd_cobalt-strike_cobaltstrike.exe N/A

UPX packed file

upx

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\FGLNsqp.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_303556bf5e90783a9b31ebef9ff363dd_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\eyQVIxh.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_303556bf5e90783a9b31ebef9ff363dd_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\dBeSHZd.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_303556bf5e90783a9b31ebef9ff363dd_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\TEIYzyi.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_303556bf5e90783a9b31ebef9ff363dd_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\kKUMwiy.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_303556bf5e90783a9b31ebef9ff363dd_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\CgSeHad.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_303556bf5e90783a9b31ebef9ff363dd_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ezGMVpl.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_303556bf5e90783a9b31ebef9ff363dd_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\PYXaJvt.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_303556bf5e90783a9b31ebef9ff363dd_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\rHBHaLF.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_303556bf5e90783a9b31ebef9ff363dd_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\XNLObNQ.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_303556bf5e90783a9b31ebef9ff363dd_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\qQJVOJX.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_303556bf5e90783a9b31ebef9ff363dd_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\MWewTWM.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_303556bf5e90783a9b31ebef9ff363dd_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ZnQDxQB.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_303556bf5e90783a9b31ebef9ff363dd_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ORUdPbP.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_303556bf5e90783a9b31ebef9ff363dd_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ZAwEZli.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_303556bf5e90783a9b31ebef9ff363dd_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\uDLNabY.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_303556bf5e90783a9b31ebef9ff363dd_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\HwUuAQh.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_303556bf5e90783a9b31ebef9ff363dd_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\IESXuth.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_303556bf5e90783a9b31ebef9ff363dd_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\RhYyRol.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_303556bf5e90783a9b31ebef9ff363dd_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\UsgcVsf.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_303556bf5e90783a9b31ebef9ff363dd_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\WdMesTv.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_303556bf5e90783a9b31ebef9ff363dd_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_303556bf5e90783a9b31ebef9ff363dd_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1644 wrote to memory of 1060 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_303556bf5e90783a9b31ebef9ff363dd_cobalt-strike_cobaltstrike.exe C:\Windows\System\ORUdPbP.exe
PID 1644 wrote to memory of 2052 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_303556bf5e90783a9b31ebef9ff363dd_cobalt-strike_cobaltstrike.exe C:\Windows\System\CgSeHad.exe
PID 1644 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_303556bf5e90783a9b31ebef9ff363dd_cobalt-strike_cobaltstrike.exe C:\Windows\System\UsgcVsf.exe
PID 1644 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_303556bf5e90783a9b31ebef9ff363dd_cobalt-strike_cobaltstrike.exe C:\Windows\System\ezGMVpl.exe
PID 1644 wrote to memory of 2632 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_303556bf5e90783a9b31ebef9ff363dd_cobalt-strike_cobaltstrike.exe C:\Windows\System\FGLNsqp.exe
PID 1644 wrote to memory of 2524 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_303556bf5e90783a9b31ebef9ff363dd_cobalt-strike_cobaltstrike.exe C:\Windows\System\WdMesTv.exe
PID 1644 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_303556bf5e90783a9b31ebef9ff363dd_cobalt-strike_cobaltstrike.exe C:\Windows\System\PYXaJvt.exe
PID 1644 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_303556bf5e90783a9b31ebef9ff363dd_cobalt-strike_cobaltstrike.exe C:\Windows\System\eyQVIxh.exe
PID 1644 wrote to memory of 2508 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_303556bf5e90783a9b31ebef9ff363dd_cobalt-strike_cobaltstrike.exe C:\Windows\System\rHBHaLF.exe
PID 1644 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_303556bf5e90783a9b31ebef9ff363dd_cobalt-strike_cobaltstrike.exe C:\Windows\System\ZAwEZli.exe
PID 1644 wrote to memory of 1600 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_303556bf5e90783a9b31ebef9ff363dd_cobalt-strike_cobaltstrike.exe C:\Windows\System\uDLNabY.exe
PID 1644 wrote to memory of 2788 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_303556bf5e90783a9b31ebef9ff363dd_cobalt-strike_cobaltstrike.exe C:\Windows\System\dBeSHZd.exe
PID 1644 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_303556bf5e90783a9b31ebef9ff363dd_cobalt-strike_cobaltstrike.exe C:\Windows\System\HwUuAQh.exe
PID 1644 wrote to memory of 1812 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_303556bf5e90783a9b31ebef9ff363dd_cobalt-strike_cobaltstrike.exe C:\Windows\System\TEIYzyi.exe
PID 1644 wrote to memory of 1080 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_303556bf5e90783a9b31ebef9ff363dd_cobalt-strike_cobaltstrike.exe C:\Windows\System\kKUMwiy.exe
PID 1644 wrote to memory of 1608 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_303556bf5e90783a9b31ebef9ff363dd_cobalt-strike_cobaltstrike.exe C:\Windows\System\XNLObNQ.exe
PID 1644 wrote to memory of 1880 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_303556bf5e90783a9b31ebef9ff363dd_cobalt-strike_cobaltstrike.exe C:\Windows\System\qQJVOJX.exe
PID 1644 wrote to memory of 1588 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_303556bf5e90783a9b31ebef9ff363dd_cobalt-strike_cobaltstrike.exe C:\Windows\System\IESXuth.exe
PID 1644 wrote to memory of 768 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_303556bf5e90783a9b31ebef9ff363dd_cobalt-strike_cobaltstrike.exe C:\Windows\System\MWewTWM.exe
PID 1644 wrote to memory of 856 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_303556bf5e90783a9b31ebef9ff363dd_cobalt-strike_cobaltstrike.exe C:\Windows\System\RhYyRol.exe
PID 1644 wrote to memory of 868 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_303556bf5e90783a9b31ebef9ff363dd_cobalt-strike_cobaltstrike.exe C:\Windows\System\ZnQDxQB.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-05-30_303556bf5e90783a9b31ebef9ff363dd_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-05-30_303556bf5e90783a9b31ebef9ff363dd_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\ORUdPbP.exe

C:\Windows\System\ORUdPbP.exe

C:\Windows\System\CgSeHad.exe

C:\Windows\System\CgSeHad.exe

C:\Windows\System\UsgcVsf.exe

C:\Windows\System\UsgcVsf.exe

C:\Windows\System\ezGMVpl.exe

C:\Windows\System\ezGMVpl.exe

C:\Windows\System\FGLNsqp.exe

C:\Windows\System\FGLNsqp.exe

C:\Windows\System\WdMesTv.exe

C:\Windows\System\WdMesTv.exe

C:\Windows\System\PYXaJvt.exe

C:\Windows\System\PYXaJvt.exe

C:\Windows\System\eyQVIxh.exe

C:\Windows\System\eyQVIxh.exe

C:\Windows\System\rHBHaLF.exe

C:\Windows\System\rHBHaLF.exe

C:\Windows\System\ZAwEZli.exe

C:\Windows\System\ZAwEZli.exe

C:\Windows\System\uDLNabY.exe

C:\Windows\System\uDLNabY.exe

C:\Windows\System\dBeSHZd.exe

C:\Windows\System\dBeSHZd.exe

C:\Windows\System\HwUuAQh.exe

C:\Windows\System\HwUuAQh.exe

C:\Windows\System\TEIYzyi.exe

C:\Windows\System\TEIYzyi.exe

C:\Windows\System\kKUMwiy.exe

C:\Windows\System\kKUMwiy.exe

C:\Windows\System\XNLObNQ.exe

C:\Windows\System\XNLObNQ.exe

C:\Windows\System\qQJVOJX.exe

C:\Windows\System\qQJVOJX.exe

C:\Windows\System\IESXuth.exe

C:\Windows\System\IESXuth.exe

C:\Windows\System\MWewTWM.exe

C:\Windows\System\MWewTWM.exe

C:\Windows\System\RhYyRol.exe

C:\Windows\System\RhYyRol.exe

C:\Windows\System\ZnQDxQB.exe

C:\Windows\System\ZnQDxQB.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 tcp

Files

memory/1644-0-0x000000013F4D0000-0x000000013F821000-memory.dmp

memory/1644-1-0x00000000001F0000-0x0000000000200000-memory.dmp

\Windows\system\ORUdPbP.exe

MD5 2e069e4ecfe2330527d5db9e37be9a33
SHA1 94e97f60ae12705a17f1b526c828c241159e5b04
SHA256 cf5115af0dc1774e9866584656423009bf182a7236acd11bca2879308555384f
SHA512 b6b0896f5985cffd85595fa7deeadbdebc6e3e836c1068b62e241ee1f146c92807bed50fc61600a0654ba8b9ade38d79566ba40650a22ae0ece54a041cb56496

memory/1644-14-0x000000013FCC0000-0x0000000140011000-memory.dmp

memory/2052-15-0x000000013FCC0000-0x0000000140011000-memory.dmp

memory/1060-16-0x000000013F860000-0x000000013FBB1000-memory.dmp

memory/1644-9-0x000000013F860000-0x000000013FBB1000-memory.dmp

\Windows\system\CgSeHad.exe

MD5 2690b0a5a1e260a1049fad357afe1bec
SHA1 e6990300803316745beb149b4bbde18dfa16d72c
SHA256 93c5bfb455a3486790772466c02ea61d62c84bcb15ae2ce76685d6cf09760c1c
SHA512 6fcf5f332542bbe78d6c2e5a6a795bb7e242b61ffbe077009f094c9ac850800c223657ae32a0a9f39a0160cc71def79a7d40e9c03561008fbc021afdfe6e784d

C:\Windows\system\UsgcVsf.exe

MD5 166eb795e5a74547573ecdf1ad39aa91
SHA1 b455cd4e50b090191dae0ee677b3712719f57f5f
SHA256 3b56b5dd4eef6f78289c37b0a8e72d8d5c6a54509c9b02ad2d46721cb6f8ae07
SHA512 6b9ec155b768bd460180c48a7641d75f13984c1b4bb1e686da253bb64ff21a328745f04de866aa4bcf23ea0e67dc1005bfbf125f5462601f574cf9d175b9e61f

memory/2596-28-0x000000013F9E0000-0x000000013FD31000-memory.dmp

memory/1644-29-0x000000013FDF0000-0x0000000140141000-memory.dmp

memory/2692-30-0x000000013FDF0000-0x0000000140141000-memory.dmp

memory/1644-26-0x000000013F9E0000-0x000000013FD31000-memory.dmp

C:\Windows\system\ezGMVpl.exe

MD5 bd9d25e63eeabdbfd80d5ad3d8eb9179
SHA1 a93bfb68a29f9b88991d9af9dc47bfca0daed647
SHA256 50b6179d6f735618eaca96501c88e7c954dad44032052e03b4521e4d7969142a
SHA512 e8a7615df804204184b29d03bedce9a1d8342865cf7453fb8b5db365dad60285a8e23d55dd84806a226b0ffe59500648d4da22229a6a6212f58d9d7f5184b00f

C:\Windows\system\WdMesTv.exe

MD5 c935a99f067e0767fb6bc6adc48613e2
SHA1 ad64c5d0608b7e8658b7fb3a438d8c4b448a27d8
SHA256 f83bc1f379cf541324f04f1a57e82c903957ec23c68a9948d3d18401502c6be1
SHA512 ed427c6a11c83d71a2f045ea4d2e075b30074717abf441b485b7493c1999e250c5169860b8ab46ce9406b9f5b202040ed395b719a0c7416a9d45403b5a2b9a4c

memory/1644-43-0x00000000021E0000-0x0000000002531000-memory.dmp

memory/2524-44-0x000000013F820000-0x000000013FB71000-memory.dmp

memory/1644-53-0x000000013FD00000-0x0000000140051000-memory.dmp

memory/2600-54-0x000000013FD00000-0x0000000140051000-memory.dmp

C:\Windows\system\ZAwEZli.exe

MD5 6b43ed97183ebabffc9e6a7f7f60850e
SHA1 eea2e814453e4f62c08b152e0585e4d95d628c65
SHA256 1c80f120665a66d99dfab533978045b2685b1c796d5c6dd2e963cc120b63a643
SHA512 a1f2c304987173c8ecaf7acef92291a88c0f42ff6ac1faf5f4fb4200c44adc133c3bba94461961ef2ed8506c0754626559294321544a36b670c6b692273314a6

memory/2508-62-0x000000013FE80000-0x00000001401D1000-memory.dmp

memory/2720-71-0x000000013F5B0000-0x000000013F901000-memory.dmp

C:\Windows\system\HwUuAQh.exe

MD5 191010e5b9cb69e485a0d3939f668c8d
SHA1 035489933f6b3969b5562e4687e7607ba4cd91d3
SHA256 bc12f0ad7898f67a17ae7449dcd7a318b3201f8e492c42c4574b989407330852
SHA512 e1335e3ccd4fb16cfafbdcdab9a1ed551f067c9a9cb010e700eb5378dd5a33acc61237d43a314a0a2a82067a54a3515b96652223ec40139d4440232c609720e5

memory/2820-92-0x000000013F5A0000-0x000000013F8F1000-memory.dmp

memory/1812-99-0x000000013F170000-0x000000013F4C1000-memory.dmp

memory/1644-107-0x000000013F090000-0x000000013F3E1000-memory.dmp

C:\Windows\system\IESXuth.exe

MD5 62ff1bb59015bd6450026ac01e97e7cc
SHA1 518fb4ac44eadd7f71c1d1da0a8886dcde279ca6
SHA256 1d653c65d589c3ee44d8f74643ced883c297a47796a04292c0ca26cae4fb81b8
SHA512 d9dddf6c69c32f7413e37e9bd94c64e9266be1bf00af295886a3e2f01e188082ba94f05f478c033fa91d95a0b69843bf7cea3b3e717b6d7da69240b80fba3b20

\Windows\system\ZnQDxQB.exe

MD5 d3bc95394c7c3ad0c392e5e1d302120c
SHA1 d5f310edc70232fd6912a452d9b3378dbf4d551b
SHA256 fbeb7eb8d59efd0d36b9902e6e213fd5fe89fa37b4645b4b73913da246d52466
SHA512 b2e3c4b2b5a7ddba525c9feaa8ae09a7f8654626a1ded118a007c38e5af8de11b3e50e93120d2493c6f3ce402594804e5d9c4c6aba362af9507136a10e8da163

C:\Windows\system\RhYyRol.exe

MD5 d404a97933cba32de07ab0fb09e1fe37
SHA1 2e5ed5d278433911c6c090d06a70c8e0a6bd8a8a
SHA256 dffb6a20a7e5a0c89dce2cc45445bd52bc861ba1b3597a35b979d096ab9f3a93
SHA512 1d350bc71f9324d4d79afa2b5c5efc52dd2e254d4b1fd2ed695bc35eb68515c8427eca3a33f3affcc2889e2374df2bb57f7e4293a14b325ded0cf78cfd38e2e4

C:\Windows\system\MWewTWM.exe

MD5 90d604217abd728ec7eddf7e88afa7f3
SHA1 b9c41752bf745c43b4d1ae0c44fac368a446e50d
SHA256 d9777d60dd2d87257b5cf5c42722d48820108b2c9e30c0edb6605ecbc76277db
SHA512 5b044034e454f693eb19652c1ab9f9a1e1e4ed6d2900c08c69221de252e90338cb1158d47dcb0a6c7d4564ee304c3f3eaee98908367d6c07690cc756e980360d

C:\Windows\system\qQJVOJX.exe

MD5 772eadcc57e4063b5c34dc476fafb046
SHA1 43e869856cfa8aa29b19382f3dafa13561d959cb
SHA256 b4b7afc666b81cf9477de831f0bfb946c45e41a6a494f483934e4e506c539dfc
SHA512 7093c39a1fab7f85037f8f90984440c2fa6b855a123b110f121adbcac023918515cf6f43664c19e4d7379298ee30c2d0a9eff9787d05ac5b9291a2e24a2e8781

C:\Windows\system\XNLObNQ.exe

MD5 c0297ed1157a60b7f52a0ed69e693484
SHA1 5a8f4d94ccb902b695e4bc9637a96bd39497345d
SHA256 e0b82dae56692856cd78c6dbe85a1d7e736889d474b6b1988aa2f182a0bf21e7
SHA512 99b4c485bc95c5b42ee1147641e2065a3b5025947eaebb2319ff126bb2925b8c773595f013d04548eeae55662244b65e7199b45ea928672d5ae8bac3bf071dfe

memory/2632-106-0x000000013F6E0000-0x000000013FA31000-memory.dmp

C:\Windows\system\kKUMwiy.exe

MD5 05ebb1380b118cb5c3a7cd95f2c1bdc6
SHA1 1f6bd59c96b318636e445c17cf32e5eb8319481d
SHA256 a4f231097b8413e2b9fb9da28c7630c07268a0301c52788f70fdda3a28a41eb5
SHA512 badf95d8f2a45cfd0b707dde11f563be17aa8d38d7444b05e291d0e8eda8d3cbf0f417ae97c18242d3f81a2ec660d009ec9642133567c21db40a5e1fa04b9c3c

memory/1644-98-0x000000013F170000-0x000000013F4C1000-memory.dmp

memory/2596-97-0x000000013F9E0000-0x000000013FD31000-memory.dmp

C:\Windows\system\TEIYzyi.exe

MD5 f2c30ddbb3e252682d7205887d75af74
SHA1 66939215d136aaa1967092ee2a348040dd8a7b47
SHA256 7ec13a0302f97f5178c44b3f3455d2999ff188f78ba2abdc7253d5f636ca7b76
SHA512 d35ac1ce6cf2f443de7e4dd5fae6060ce0ab608563ad475a32aab66c2459af4a435d0c40e9664a39699bc088e193c57e62b5c294917987cd1bfc0969ee173b8b

memory/1644-91-0x00000000021E0000-0x0000000002531000-memory.dmp

memory/2788-85-0x000000013FD60000-0x00000001400B1000-memory.dmp

memory/1644-84-0x000000013FD60000-0x00000001400B1000-memory.dmp

memory/1600-77-0x000000013F8C0000-0x000000013FC11000-memory.dmp

memory/1644-76-0x000000013F8C0000-0x000000013FC11000-memory.dmp

C:\Windows\system\uDLNabY.exe

MD5 075811b969720459dc583380fa18bc6a
SHA1 5765bde375fd85dfd18992269c92f13b0229a69e
SHA256 4c54705a1221e1cf9928d3a79913d7f9bbc0a10fee6ab12f4979c84422378563
SHA512 ec736584b2fb67cdb46eac2a20da1cf397bd128001d0f58f505e643f64c48b4264c4977b991dfe8bb7577f281033b280e85238694ce89e443e87db4a9c096d55

C:\Windows\system\dBeSHZd.exe

MD5 3934e699ea4e5937f759eb740d7f5af3
SHA1 9332da24793d2e4f0e51f15f1f91119fed980496
SHA256 807e8dc86d694cf88933dea2ac9664ba35c06cba57d90ee7611f03a2eec51656
SHA512 d5c18be3d89fd7b89cdb5118f5c895ac8da8a7880d709e80bcab01178abef6ffa40552f28aaa6c22dd80b7ea0fd42f7ac0d2b53b757a94116e364a14c3c620f9

memory/1644-70-0x00000000021E0000-0x0000000002531000-memory.dmp

memory/2652-61-0x000000013F230000-0x000000013F581000-memory.dmp

memory/1644-60-0x000000013FE80000-0x00000001401D1000-memory.dmp

memory/1644-69-0x000000013F4D0000-0x000000013F821000-memory.dmp

C:\Windows\system\rHBHaLF.exe

MD5 4ca386c7af534abc1afbf95e00f6a40a
SHA1 5cbb5c95d6364270997143c9031bf58d552e031f
SHA256 3dea0deebccbd223c407a3cc56355e9181c67a2538584640b26e2f219a773280
SHA512 8e47aa2595ed6fd5bef8255b88ab8c4eca505b671ddeef1fcda7e7cdde0d9c189a10a583c1dcf27b8209b7874a9a52e43826af280b1f61f1af031b798c38667e

C:\Windows\system\PYXaJvt.exe

MD5 d9777b9d5039427c75014287bbca666a
SHA1 56411d708db41018cb96a55c993bf327cc8179bb
SHA256 895d3fb580bc88d44f8a8671e1fb4890414445d951b03ecd64eb94cfb6ae7792
SHA512 fdb7504faef691361b91699803e2e41de568fb1a26c03ba70c7d9369659648a677a225918239178f00a138f10b91cbe077e7d5d9f02e71de7fa35b2a678fa845

C:\Windows\system\eyQVIxh.exe

MD5 ab4b98b5f67b57b845e664de1c66654c
SHA1 abd009aaa6c4726b97c27ffcb9b123b1d8e6c8f1
SHA256 80182c3d151608d54e804d29861daeeff7d0f069b53d75adcd0c50844fd1b067
SHA512 8144c57f8af1272f3abcb3163698ad6de5d61cabaa85048198019563e1643df5daac92392d326ba8eb6c8e5d9be18678caf25a6b1cda1b67b694f2344a8c2fa3

memory/2632-36-0x000000013F6E0000-0x000000013FA31000-memory.dmp

memory/1644-35-0x00000000021E0000-0x0000000002531000-memory.dmp

C:\Windows\system\FGLNsqp.exe

MD5 f4bfcc68312a4313d337662759f81a09
SHA1 65ce6b6ca59f5ce93e8eb84ae19b88921e67a792
SHA256 d8d5aac0466172c2815e3258b17e0483fbd7932d609e583aa82f84dad4dfe1ed
SHA512 744ed116d5addcaddff698da9d343b8d031317359a8233744299abd1e35458ffa43280337222a10c79dd798ca66c62f1b8722897e18cc2c35eaf9e698a896b97

memory/1644-138-0x000000013F4D0000-0x000000013F821000-memory.dmp

memory/2720-148-0x000000013F5B0000-0x000000013F901000-memory.dmp

memory/2508-147-0x000000013FE80000-0x00000001401D1000-memory.dmp

memory/1600-149-0x000000013F8C0000-0x000000013FC11000-memory.dmp

memory/2652-145-0x000000013F230000-0x000000013F581000-memory.dmp

memory/1608-154-0x000000013F940000-0x000000013FC91000-memory.dmp

memory/1880-155-0x000000013F650000-0x000000013F9A1000-memory.dmp

memory/1588-156-0x000000013F880000-0x000000013FBD1000-memory.dmp

memory/1644-160-0x00000000021E0000-0x0000000002531000-memory.dmp

memory/856-158-0x000000013F6C0000-0x000000013FA11000-memory.dmp

memory/768-157-0x000000013F3E0000-0x000000013F731000-memory.dmp

memory/1080-153-0x000000013F090000-0x000000013F3E1000-memory.dmp

memory/1812-152-0x000000013F170000-0x000000013F4C1000-memory.dmp

memory/2820-151-0x000000013F5A0000-0x000000013F8F1000-memory.dmp

memory/2788-150-0x000000013FD60000-0x00000001400B1000-memory.dmp

memory/868-159-0x000000013FD70000-0x00000001400C1000-memory.dmp

memory/1644-161-0x000000013F8C0000-0x000000013FC11000-memory.dmp

memory/1644-162-0x000000013FD60000-0x00000001400B1000-memory.dmp

memory/1644-163-0x000000013F4D0000-0x000000013F821000-memory.dmp

memory/1644-185-0x000000013F170000-0x000000013F4C1000-memory.dmp

memory/1644-186-0x000000013F090000-0x000000013F3E1000-memory.dmp

memory/1060-216-0x000000013F860000-0x000000013FBB1000-memory.dmp

memory/2052-217-0x000000013FCC0000-0x0000000140011000-memory.dmp

memory/2692-219-0x000000013FDF0000-0x0000000140141000-memory.dmp

memory/2596-221-0x000000013F9E0000-0x000000013FD31000-memory.dmp

memory/2632-223-0x000000013F6E0000-0x000000013FA31000-memory.dmp

memory/2524-225-0x000000013F820000-0x000000013FB71000-memory.dmp

memory/2600-227-0x000000013FD00000-0x0000000140051000-memory.dmp

memory/2652-231-0x000000013F230000-0x000000013F581000-memory.dmp

memory/2508-230-0x000000013FE80000-0x00000001401D1000-memory.dmp

memory/2720-245-0x000000013F5B0000-0x000000013F901000-memory.dmp

memory/1600-247-0x000000013F8C0000-0x000000013FC11000-memory.dmp

memory/2788-249-0x000000013FD60000-0x00000001400B1000-memory.dmp

memory/2820-251-0x000000013F5A0000-0x000000013F8F1000-memory.dmp

memory/1812-253-0x000000013F170000-0x000000013F4C1000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-30 09:29

Reported

2024-05-30 09:32

Platform

win10v2004-20240508-en

Max time kernel

144s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-05-30_303556bf5e90783a9b31ebef9ff363dd_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
21 matches recorded; the sandbox populated none of the four columns (every row N/A).

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
21 matches recorded; the sandbox populated none of the four columns (every row N/A).

UPX dump on OEP (original entry point)

Description Indicator Process Target
64 matches recorded; the sandbox populated none of the four columns (every row N/A).

XMRig Miner payload

miner
Description Indicator Process Target
44 matches recorded; the sandbox populated none of the four columns (every row N/A).

UPX packed file

upx
Description Indicator Process Target
64 matches recorded; the sandbox populated none of the four columns (every row N/A).

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\UsgcVsf.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_303556bf5e90783a9b31ebef9ff363dd_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\eyQVIxh.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_303556bf5e90783a9b31ebef9ff363dd_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ZAwEZli.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_303556bf5e90783a9b31ebef9ff363dd_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\uDLNabY.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_303556bf5e90783a9b31ebef9ff363dd_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\RhYyRol.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_303556bf5e90783a9b31ebef9ff363dd_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ZnQDxQB.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_303556bf5e90783a9b31ebef9ff363dd_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\MWewTWM.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_303556bf5e90783a9b31ebef9ff363dd_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\FGLNsqp.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_303556bf5e90783a9b31ebef9ff363dd_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\PYXaJvt.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_303556bf5e90783a9b31ebef9ff363dd_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\rHBHaLF.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_303556bf5e90783a9b31ebef9ff363dd_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\HwUuAQh.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_303556bf5e90783a9b31ebef9ff363dd_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\TEIYzyi.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_303556bf5e90783a9b31ebef9ff363dd_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\XNLObNQ.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_303556bf5e90783a9b31ebef9ff363dd_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\CgSeHad.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_303556bf5e90783a9b31ebef9ff363dd_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\WdMesTv.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_303556bf5e90783a9b31ebef9ff363dd_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\dBeSHZd.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_303556bf5e90783a9b31ebef9ff363dd_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\qQJVOJX.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_303556bf5e90783a9b31ebef9ff363dd_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\IESXuth.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_303556bf5e90783a9b31ebef9ff363dd_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ORUdPbP.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_303556bf5e90783a9b31ebef9ff363dd_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ezGMVpl.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_303556bf5e90783a9b31ebef9ff363dd_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\kKUMwiy.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_303556bf5e90783a9b31ebef9ff363dd_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_303556bf5e90783a9b31ebef9ff363dd_cobalt-strike_cobaltstrike.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_303556bf5e90783a9b31ebef9ff363dd_cobalt-strike_cobaltstrike.exe N/A

Note: SeLockMemoryPrivilege is the privilege required to allocate large (huge) pages. XMRig enables it so that its RandomX dataset can be backed by large pages, so these two rows are the expected companion of the "XMRig Miner payload" signature above rather than an independent finding. Both rows name the dropper process itself, not any of the executables it writes to C:\Windows\System.

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2884 wrote to memory of 2176 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_303556bf5e90783a9b31ebef9ff363dd_cobalt-strike_cobaltstrike.exe C:\Windows\System\ORUdPbP.exe
PID 2884 wrote to memory of 2176 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_303556bf5e90783a9b31ebef9ff363dd_cobalt-strike_cobaltstrike.exe C:\Windows\System\ORUdPbP.exe
PID 2884 wrote to memory of 3168 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_303556bf5e90783a9b31ebef9ff363dd_cobalt-strike_cobaltstrike.exe C:\Windows\System\CgSeHad.exe
PID 2884 wrote to memory of 3168 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_303556bf5e90783a9b31ebef9ff363dd_cobalt-strike_cobaltstrike.exe C:\Windows\System\CgSeHad.exe
PID 2884 wrote to memory of 2568 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_303556bf5e90783a9b31ebef9ff363dd_cobalt-strike_cobaltstrike.exe C:\Windows\System\UsgcVsf.exe
PID 2884 wrote to memory of 2568 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_303556bf5e90783a9b31ebef9ff363dd_cobalt-strike_cobaltstrike.exe C:\Windows\System\UsgcVsf.exe
PID 2884 wrote to memory of 1148 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_303556bf5e90783a9b31ebef9ff363dd_cobalt-strike_cobaltstrike.exe C:\Windows\System\ezGMVpl.exe
PID 2884 wrote to memory of 1148 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_303556bf5e90783a9b31ebef9ff363dd_cobalt-strike_cobaltstrike.exe C:\Windows\System\ezGMVpl.exe
PID 2884 wrote to memory of 5072 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_303556bf5e90783a9b31ebef9ff363dd_cobalt-strike_cobaltstrike.exe C:\Windows\System\FGLNsqp.exe
PID 2884 wrote to memory of 5072 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_303556bf5e90783a9b31ebef9ff363dd_cobalt-strike_cobaltstrike.exe C:\Windows\System\FGLNsqp.exe
PID 2884 wrote to memory of 3268 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_303556bf5e90783a9b31ebef9ff363dd_cobalt-strike_cobaltstrike.exe C:\Windows\System\WdMesTv.exe
PID 2884 wrote to memory of 3268 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_303556bf5e90783a9b31ebef9ff363dd_cobalt-strike_cobaltstrike.exe C:\Windows\System\WdMesTv.exe
PID 2884 wrote to memory of 4944 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_303556bf5e90783a9b31ebef9ff363dd_cobalt-strike_cobaltstrike.exe C:\Windows\System\PYXaJvt.exe
PID 2884 wrote to memory of 4944 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_303556bf5e90783a9b31ebef9ff363dd_cobalt-strike_cobaltstrike.exe C:\Windows\System\PYXaJvt.exe
PID 2884 wrote to memory of 3208 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_303556bf5e90783a9b31ebef9ff363dd_cobalt-strike_cobaltstrike.exe C:\Windows\System\eyQVIxh.exe
PID 2884 wrote to memory of 3208 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_303556bf5e90783a9b31ebef9ff363dd_cobalt-strike_cobaltstrike.exe C:\Windows\System\eyQVIxh.exe
PID 2884 wrote to memory of 3212 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_303556bf5e90783a9b31ebef9ff363dd_cobalt-strike_cobaltstrike.exe C:\Windows\System\rHBHaLF.exe
PID 2884 wrote to memory of 3212 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_303556bf5e90783a9b31ebef9ff363dd_cobalt-strike_cobaltstrike.exe C:\Windows\System\rHBHaLF.exe
PID 2884 wrote to memory of 3640 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_303556bf5e90783a9b31ebef9ff363dd_cobalt-strike_cobaltstrike.exe C:\Windows\System\ZAwEZli.exe
PID 2884 wrote to memory of 3640 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_303556bf5e90783a9b31ebef9ff363dd_cobalt-strike_cobaltstrike.exe C:\Windows\System\ZAwEZli.exe
PID 2884 wrote to memory of 1060 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_303556bf5e90783a9b31ebef9ff363dd_cobalt-strike_cobaltstrike.exe C:\Windows\System\uDLNabY.exe
PID 2884 wrote to memory of 1060 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_303556bf5e90783a9b31ebef9ff363dd_cobalt-strike_cobaltstrike.exe C:\Windows\System\uDLNabY.exe
PID 2884 wrote to memory of 2236 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_303556bf5e90783a9b31ebef9ff363dd_cobalt-strike_cobaltstrike.exe C:\Windows\System\dBeSHZd.exe
PID 2884 wrote to memory of 2236 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_303556bf5e90783a9b31ebef9ff363dd_cobalt-strike_cobaltstrike.exe C:\Windows\System\dBeSHZd.exe
PID 2884 wrote to memory of 3752 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_303556bf5e90783a9b31ebef9ff363dd_cobalt-strike_cobaltstrike.exe C:\Windows\System\HwUuAQh.exe
PID 2884 wrote to memory of 3752 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_303556bf5e90783a9b31ebef9ff363dd_cobalt-strike_cobaltstrike.exe C:\Windows\System\HwUuAQh.exe
PID 2884 wrote to memory of 1380 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_303556bf5e90783a9b31ebef9ff363dd_cobalt-strike_cobaltstrike.exe C:\Windows\System\TEIYzyi.exe
PID 2884 wrote to memory of 1380 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_303556bf5e90783a9b31ebef9ff363dd_cobalt-strike_cobaltstrike.exe C:\Windows\System\TEIYzyi.exe
PID 2884 wrote to memory of 3164 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_303556bf5e90783a9b31ebef9ff363dd_cobalt-strike_cobaltstrike.exe C:\Windows\System\kKUMwiy.exe
PID 2884 wrote to memory of 3164 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_303556bf5e90783a9b31ebef9ff363dd_cobalt-strike_cobaltstrike.exe C:\Windows\System\kKUMwiy.exe
PID 2884 wrote to memory of 520 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_303556bf5e90783a9b31ebef9ff363dd_cobalt-strike_cobaltstrike.exe C:\Windows\System\XNLObNQ.exe
PID 2884 wrote to memory of 520 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_303556bf5e90783a9b31ebef9ff363dd_cobalt-strike_cobaltstrike.exe C:\Windows\System\XNLObNQ.exe
PID 2884 wrote to memory of 4796 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_303556bf5e90783a9b31ebef9ff363dd_cobalt-strike_cobaltstrike.exe C:\Windows\System\qQJVOJX.exe
PID 2884 wrote to memory of 4796 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_303556bf5e90783a9b31ebef9ff363dd_cobalt-strike_cobaltstrike.exe C:\Windows\System\qQJVOJX.exe
PID 2884 wrote to memory of 944 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_303556bf5e90783a9b31ebef9ff363dd_cobalt-strike_cobaltstrike.exe C:\Windows\System\IESXuth.exe
PID 2884 wrote to memory of 944 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_303556bf5e90783a9b31ebef9ff363dd_cobalt-strike_cobaltstrike.exe C:\Windows\System\IESXuth.exe
PID 2884 wrote to memory of 4740 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_303556bf5e90783a9b31ebef9ff363dd_cobalt-strike_cobaltstrike.exe C:\Windows\System\MWewTWM.exe
PID 2884 wrote to memory of 4740 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_303556bf5e90783a9b31ebef9ff363dd_cobalt-strike_cobaltstrike.exe C:\Windows\System\MWewTWM.exe
PID 2884 wrote to memory of 2976 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_303556bf5e90783a9b31ebef9ff363dd_cobalt-strike_cobaltstrike.exe C:\Windows\System\RhYyRol.exe
PID 2884 wrote to memory of 2976 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_303556bf5e90783a9b31ebef9ff363dd_cobalt-strike_cobaltstrike.exe C:\Windows\System\RhYyRol.exe
PID 2884 wrote to memory of 900 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_303556bf5e90783a9b31ebef9ff363dd_cobalt-strike_cobaltstrike.exe C:\Windows\System\ZnQDxQB.exe
PID 2884 wrote to memory of 900 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_303556bf5e90783a9b31ebef9ff363dd_cobalt-strike_cobaltstrike.exe C:\Windows\System\ZnQDxQB.exe
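The two tables above record one pattern: a single dropper PID (2884) writes 21 executables into C:\Windows\System and is then the process that writes into the memory of each of them as they start. The following is an added detection example, not part of the sandbox report and not code from any tool the report mentions. It correlates file-creation and process-creation records the way an EDR rule would; the records are constructed for this example and only borrow Sysmon's field names (EventID 11 = FileCreate, EventID 1 = ProcessCreate), and the helper names and the `USER_WRITABLE` list are this example's own assumptions.

```python
"""Added example (not from the report): drop-then-launch correlation for *.exe files written
into C:\\Windows\\System.  Event records below are constructed and borrow Sysmon field names
(EventID 11 = FileCreate, EventID 1 = ProcessCreate); they are not captured telemetry."""

# Dropper path as recorded in the report's Command Line section.
DROPPER = r"C:\Users\Admin\AppData\Local\Temp\2024-05-30_303556bf5e90783a9b31ebef9ff363dd_cobalt-strike_cobaltstrike.exe"

# Constructed events.  UtcTime is a plain integer ordinal here; real Sysmon records ISO timestamps.
EVENTS = [
    # the dropper (PID 2884 in the report) writes two executables into C:\Windows\System ...
    {"EventID": 11, "UtcTime": 1, "ProcessId": 2884, "Image": DROPPER,
     "TargetFilename": r"C:\Windows\System\ORUdPbP.exe"},
    {"EventID": 11, "UtcTime": 2, "ProcessId": 2884, "Image": DROPPER,
     "TargetFilename": r"C:\Windows\System\CgSeHad.exe"},
    # ... and is then the parent of each of them (child PIDs as in the report's WriteProcessMemory rows)
    {"EventID": 1, "UtcTime": 3, "ProcessId": 2176, "Image": r"C:\Windows\System\ORUdPbP.exe",
     "ParentProcessId": 2884, "ParentImage": DROPPER},
    {"EventID": 1, "UtcTime": 4, "ProcessId": 3168, "Image": r"C:\Windows\System\CgSeHad.exe",
     "ParentProcessId": 2884, "ParentImage": DROPPER},
    # control 1: an installer writing and launching under Program Files must not match
    {"EventID": 11, "UtcTime": 5, "ProcessId": 4000, "Image": r"C:\Users\Admin\Downloads\setup.exe",
     "TargetFilename": r"C:\Program Files\Vendor\app.exe"},
    {"EventID": 1, "UtcTime": 6, "ProcessId": 4001, "Image": r"C:\Program Files\Vendor\app.exe",
     "ParentProcessId": 4000, "ParentImage": r"C:\Users\Admin\Downloads\setup.exe"},
    # control 2: a write into System32 (not the System directory) must not match the prefix
    {"EventID": 11, "UtcTime": 7, "ProcessId": 2884, "Image": DROPPER,
     "TargetFilename": r"C:\Windows\System32\notdropped.exe"},
    {"EventID": 1, "UtcTime": 8, "ProcessId": 5000, "Image": r"C:\Windows\System32\notdropped.exe",
     "ParentProcessId": 2884, "ParentImage": DROPPER},
    # control 3: a file that is dropped but never launched is recorded, not flagged
    {"EventID": 11, "UtcTime": 9, "ProcessId": 2884, "Image": DROPPER,
     "TargetFilename": r"C:\Windows\System\neverRun.exe"},
]

# Assumed list of user-writable locations a dropper typically runs from (example's own choice).
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\downloads\\", "\\public\\")


def find_drop_and_spawn(events, drop_dir="C:\\Windows\\System\\"):
    """Flag every ProcessCreate whose image was earlier written under drop_dir by the PID that
    is now its parent.  The trailing separator on drop_dir is deliberate: without it
    C:\\Windows\\System32\\... would also match the prefix.  Returns one finding per child."""
    drop_dir = drop_dir.lower()
    created = {}   # (writer pid, lowercased path) -> FileCreate event; first write wins
    findings = []
    for ev in sorted(events, key=lambda e: e["UtcTime"]):
        if ev["EventID"] == 11:
            path = ev["TargetFilename"].lower()
            if path.startswith(drop_dir) and path.endswith(".exe"):
                created.setdefault((ev["ProcessId"], path), ev)
        elif ev["EventID"] == 1:
            drop = created.get((ev["ParentProcessId"], ev["Image"].lower()))
            if drop is None:
                continue   # parent launched something it did not drop into drop_dir: out of scope
            parent = ev["ParentImage"].lower()
            findings.append({
                "parent_pid": ev["ParentProcessId"],
                "parent_image": ev["ParentImage"],
                "dropped": drop["TargetFilename"],
                "child_pid": ev["ProcessId"],
                # a dropper running from a user-writable path is the higher-confidence case
                "parent_in_user_writable": any(d in parent for d in USER_WRITABLE),
            })
    return findings


if __name__ == "__main__":
    for f in find_drop_and_spawn(EVENTS):
        print(f"PID {f['parent_pid']} dropped {f['dropped']} and launched it as PID {f['child_pid']}"
              f" (parent in user-writable path: {f['parent_in_user_writable']})")
```

The rule is order-aware (the write must precede the launch) and keys on the writer PID, so a legitimate process launching a file that some other process wrote is not flagged. It does not cover the SeLockMemoryPrivilege adjustment recorded above, which Sysmon does not log; that would need a separate token-privilege source.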

Processes

C:\Users\Admin\AppData\Local\Temp\2024-05-30_303556bf5e90783a9b31ebef9ff363dd_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-05-30_303556bf5e90783a9b31ebef9ff363dd_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\ORUdPbP.exe

C:\Windows\System\ORUdPbP.exe

C:\Windows\System\CgSeHad.exe

C:\Windows\System\CgSeHad.exe

C:\Windows\System\UsgcVsf.exe

C:\Windows\System\UsgcVsf.exe

C:\Windows\System\ezGMVpl.exe

C:\Windows\System\ezGMVpl.exe

C:\Windows\System\FGLNsqp.exe

C:\Windows\System\FGLNsqp.exe

C:\Windows\System\WdMesTv.exe

C:\Windows\System\WdMesTv.exe

C:\Windows\System\PYXaJvt.exe

C:\Windows\System\PYXaJvt.exe

C:\Windows\System\eyQVIxh.exe

C:\Windows\System\eyQVIxh.exe

C:\Windows\System\rHBHaLF.exe

C:\Windows\System\rHBHaLF.exe

C:\Windows\System\ZAwEZli.exe

C:\Windows\System\ZAwEZli.exe

C:\Windows\System\uDLNabY.exe

C:\Windows\System\uDLNabY.exe

C:\Windows\System\dBeSHZd.exe

C:\Windows\System\dBeSHZd.exe

C:\Windows\System\HwUuAQh.exe

C:\Windows\System\HwUuAQh.exe

C:\Windows\System\TEIYzyi.exe

C:\Windows\System\TEIYzyi.exe

C:\Windows\System\kKUMwiy.exe

C:\Windows\System\kKUMwiy.exe

C:\Windows\System\XNLObNQ.exe

C:\Windows\System\XNLObNQ.exe

C:\Windows\System\qQJVOJX.exe

C:\Windows\System\qQJVOJX.exe

C:\Windows\System\IESXuth.exe

C:\Windows\System\IESXuth.exe

C:\Windows\System\MWewTWM.exe

C:\Windows\System\MWewTWM.exe

C:\Windows\System\RhYyRol.exe

C:\Windows\System\RhYyRol.exe

C:\Windows\System\ZnQDxQB.exe

C:\Windows\System\ZnQDxQB.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 64.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
DE 3.120.209.58:8080 - tcp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.99:443 www.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 99.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
DE 3.120.209.58:8080 - tcp
DE 3.120.209.58:8080 - tcp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
DE 3.120.209.58:8080 - tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
DE 3.120.209.58:8080 - tcp
DE 3.120.209.58:8080 - tcp

Note: "-" marks connections for which the sandbox recorded no hostname. The 8.8.8.8:53 rows are DNS traffic from the analysis VM (forward lookups for Bing hostnames and reverse in-addr.arpa lookups for addresses it saw), and the bing.com / bing.net connections on 443 are consistent with normal Windows 10 background activity rather than the sample. The one destination that fits neither category is 3.120.209.58:8080 (DE), contacted six times over TCP with no hostname; the report attributes no process, payload or protocol to it, so treat it as an indicator to pivot on, not as a confirmed C2.

Files

memory/2884-0-0x00007FF67BCE0000-0x00007FF67C031000-memory.dmp

memory/2884-1-0x0000022D089A0000-0x0000022D089B0000-memory.dmp

C:\Windows\System\ORUdPbP.exe

MD5 2e069e4ecfe2330527d5db9e37be9a33
SHA1 94e97f60ae12705a17f1b526c828c241159e5b04
SHA256 cf5115af0dc1774e9866584656423009bf182a7236acd11bca2879308555384f
SHA512 b6b0896f5985cffd85595fa7deeadbdebc6e3e836c1068b62e241ee1f146c92807bed50fc61600a0654ba8b9ade38d79566ba40650a22ae0ece54a041cb56496

C:\Windows\System\UsgcVsf.exe

MD5 166eb795e5a74547573ecdf1ad39aa91
SHA1 b455cd4e50b090191dae0ee677b3712719f57f5f
SHA256 3b56b5dd4eef6f78289c37b0a8e72d8d5c6a54509c9b02ad2d46721cb6f8ae07
SHA512 6b9ec155b768bd460180c48a7641d75f13984c1b4bb1e686da253bb64ff21a328745f04de866aa4bcf23ea0e67dc1005bfbf125f5462601f574cf9d175b9e61f

C:\Windows\System\CgSeHad.exe

MD5 2690b0a5a1e260a1049fad357afe1bec
SHA1 e6990300803316745beb149b4bbde18dfa16d72c
SHA256 93c5bfb455a3486790772466c02ea61d62c84bcb15ae2ce76685d6cf09760c1c
SHA512 6fcf5f332542bbe78d6c2e5a6a795bb7e242b61ffbe077009f094c9ac850800c223657ae32a0a9f39a0160cc71def79a7d40e9c03561008fbc021afdfe6e784d

memory/2568-19-0x00007FF600A80000-0x00007FF600DD1000-memory.dmp

memory/3168-16-0x00007FF6485B0000-0x00007FF648901000-memory.dmp

memory/2176-8-0x00007FF7971D0000-0x00007FF797521000-memory.dmp

C:\Windows\System\ezGMVpl.exe

MD5 bd9d25e63eeabdbfd80d5ad3d8eb9179
SHA1 a93bfb68a29f9b88991d9af9dc47bfca0daed647
SHA256 50b6179d6f735618eaca96501c88e7c954dad44032052e03b4521e4d7969142a
SHA512 e8a7615df804204184b29d03bedce9a1d8342865cf7453fb8b5db365dad60285a8e23d55dd84806a226b0ffe59500648d4da22229a6a6212f58d9d7f5184b00f

C:\Windows\System\FGLNsqp.exe

MD5 f4bfcc68312a4313d337662759f81a09
SHA1 65ce6b6ca59f5ce93e8eb84ae19b88921e67a792
SHA256 d8d5aac0466172c2815e3258b17e0483fbd7932d609e583aa82f84dad4dfe1ed
SHA512 744ed116d5addcaddff698da9d343b8d031317359a8233744299abd1e35458ffa43280337222a10c79dd798ca66c62f1b8722897e18cc2c35eaf9e698a896b97

memory/1148-33-0x00007FF65A2C0000-0x00007FF65A611000-memory.dmp

C:\Windows\System\PYXaJvt.exe

MD5 d9777b9d5039427c75014287bbca666a
SHA1 56411d708db41018cb96a55c993bf327cc8179bb
SHA256 895d3fb580bc88d44f8a8671e1fb4890414445d951b03ecd64eb94cfb6ae7792
SHA512 fdb7504faef691361b91699803e2e41de568fb1a26c03ba70c7d9369659648a677a225918239178f00a138f10b91cbe077e7d5d9f02e71de7fa35b2a678fa845

C:\Windows\System\ZAwEZli.exe

MD5 6b43ed97183ebabffc9e6a7f7f60850e
SHA1 eea2e814453e4f62c08b152e0585e4d95d628c65
SHA256 1c80f120665a66d99dfab533978045b2685b1c796d5c6dd2e963cc120b63a643
SHA512 a1f2c304987173c8ecaf7acef92291a88c0f42ff6ac1faf5f4fb4200c44adc133c3bba94461961ef2ed8506c0754626559294321544a36b670c6b692273314a6

memory/4944-53-0x00007FF78F3D0000-0x00007FF78F721000-memory.dmp

memory/3212-63-0x00007FF6A1C50000-0x00007FF6A1FA1000-memory.dmp

memory/3640-64-0x00007FF6A9A20000-0x00007FF6A9D71000-memory.dmp

C:\Windows\System\uDLNabY.exe

MD5 075811b969720459dc583380fa18bc6a
SHA1 5765bde375fd85dfd18992269c92f13b0229a69e
SHA256 4c54705a1221e1cf9928d3a79913d7f9bbc0a10fee6ab12f4979c84422378563
SHA512 ec736584b2fb67cdb46eac2a20da1cf397bd128001d0f58f505e643f64c48b4264c4977b991dfe8bb7577f281033b280e85238694ce89e443e87db4a9c096d55

memory/1060-66-0x00007FF694620000-0x00007FF694971000-memory.dmp

memory/3208-65-0x00007FF7260C0000-0x00007FF726411000-memory.dmp

C:\Windows\System\rHBHaLF.exe

MD5 4ca386c7af534abc1afbf95e00f6a40a
SHA1 5cbb5c95d6364270997143c9031bf58d552e031f
SHA256 3dea0deebccbd223c407a3cc56355e9181c67a2538584640b26e2f219a773280
SHA512 8e47aa2595ed6fd5bef8255b88ab8c4eca505b671ddeef1fcda7e7cdde0d9c189a10a583c1dcf27b8209b7874a9a52e43826af280b1f61f1af031b798c38667e

C:\Windows\System\eyQVIxh.exe

MD5 ab4b98b5f67b57b845e664de1c66654c
SHA1 abd009aaa6c4726b97c27ffcb9b123b1d8e6c8f1
SHA256 80182c3d151608d54e804d29861daeeff7d0f069b53d75adcd0c50844fd1b067
SHA512 8144c57f8af1272f3abcb3163698ad6de5d61cabaa85048198019563e1643df5daac92392d326ba8eb6c8e5d9be18678caf25a6b1cda1b67b694f2344a8c2fa3

memory/3268-47-0x00007FF690C20000-0x00007FF690F71000-memory.dmp

memory/5072-45-0x00007FF6512A0000-0x00007FF6515F1000-memory.dmp

C:\Windows\System\WdMesTv.exe

MD5 c935a99f067e0767fb6bc6adc48613e2
SHA1 ad64c5d0608b7e8658b7fb3a438d8c4b448a27d8
SHA256 f83bc1f379cf541324f04f1a57e82c903957ec23c68a9948d3d18401502c6be1
SHA512 ed427c6a11c83d71a2f045ea4d2e075b30074717abf441b485b7493c1999e250c5169860b8ab46ce9406b9f5b202040ed395b719a0c7416a9d45403b5a2b9a4c

C:\Windows\System\dBeSHZd.exe

MD5 3934e699ea4e5937f759eb740d7f5af3
SHA1 9332da24793d2e4f0e51f15f1f91119fed980496
SHA256 807e8dc86d694cf88933dea2ac9664ba35c06cba57d90ee7611f03a2eec51656
SHA512 d5c18be3d89fd7b89cdb5118f5c895ac8da8a7880d709e80bcab01178abef6ffa40552f28aaa6c22dd80b7ea0fd42f7ac0d2b53b757a94116e364a14c3c620f9

C:\Windows\System\HwUuAQh.exe

MD5 191010e5b9cb69e485a0d3939f668c8d
SHA1 035489933f6b3969b5562e4687e7607ba4cd91d3
SHA256 bc12f0ad7898f67a17ae7449dcd7a318b3201f8e492c42c4574b989407330852
SHA512 e1335e3ccd4fb16cfafbdcdab9a1ed551f067c9a9cb010e700eb5378dd5a33acc61237d43a314a0a2a82067a54a3515b96652223ec40139d4440232c609720e5

memory/2236-79-0x00007FF69A5A0000-0x00007FF69A8F1000-memory.dmp

memory/2884-80-0x00007FF67BCE0000-0x00007FF67C031000-memory.dmp

C:\Windows\System\TEIYzyi.exe

MD5 f2c30ddbb3e252682d7205887d75af74
SHA1 66939215d136aaa1967092ee2a348040dd8a7b47
SHA256 7ec13a0302f97f5178c44b3f3455d2999ff188f78ba2abdc7253d5f636ca7b76
SHA512 d35ac1ce6cf2f443de7e4dd5fae6060ce0ab608563ad475a32aab66c2459af4a435d0c40e9664a39699bc088e193c57e62b5c294917987cd1bfc0969ee173b8b

C:\Windows\System\kKUMwiy.exe

MD5 05ebb1380b118cb5c3a7cd95f2c1bdc6
SHA1 1f6bd59c96b318636e445c17cf32e5eb8319481d
SHA256 a4f231097b8413e2b9fb9da28c7630c07268a0301c52788f70fdda3a28a41eb5
SHA512 badf95d8f2a45cfd0b707dde11f563be17aa8d38d7444b05e291d0e8eda8d3cbf0f417ae97c18242d3f81a2ec660d009ec9642133567c21db40a5e1fa04b9c3c

C:\Windows\System\XNLObNQ.exe

MD5 c0297ed1157a60b7f52a0ed69e693484
SHA1 5a8f4d94ccb902b695e4bc9637a96bd39497345d
SHA256 e0b82dae56692856cd78c6dbe85a1d7e736889d474b6b1988aa2f182a0bf21e7
SHA512 99b4c485bc95c5b42ee1147641e2065a3b5025947eaebb2319ff126bb2925b8c773595f013d04548eeae55662244b65e7199b45ea928672d5ae8bac3bf071dfe

memory/3164-100-0x00007FF7AD780000-0x00007FF7ADAD1000-memory.dmp

memory/520-104-0x00007FF6B0FE0000-0x00007FF6B1331000-memory.dmp

C:\Windows\System\IESXuth.exe

MD5 62ff1bb59015bd6450026ac01e97e7cc
SHA1 518fb4ac44eadd7f71c1d1da0a8886dcde279ca6
SHA256 1d653c65d589c3ee44d8f74643ced883c297a47796a04292c0ca26cae4fb81b8
SHA512 d9dddf6c69c32f7413e37e9bd94c64e9266be1bf00af295886a3e2f01e188082ba94f05f478c033fa91d95a0b69843bf7cea3b3e717b6d7da69240b80fba3b20

C:\Windows\System\MWewTWM.exe

MD5 90d604217abd728ec7eddf7e88afa7f3
SHA1 b9c41752bf745c43b4d1ae0c44fac368a446e50d
SHA256 d9777d60dd2d87257b5cf5c42722d48820108b2c9e30c0edb6605ecbc76277db
SHA512 5b044034e454f693eb19652c1ab9f9a1e1e4ed6d2900c08c69221de252e90338cb1158d47dcb0a6c7d4564ee304c3f3eaee98908367d6c07690cc756e980360d

memory/4796-115-0x00007FF7298B0000-0x00007FF729C01000-memory.dmp

memory/4740-118-0x00007FF766520000-0x00007FF766871000-memory.dmp

C:\Windows\System\RhYyRol.exe

MD5 d404a97933cba32de07ab0fb09e1fe37
SHA1 2e5ed5d278433911c6c090d06a70c8e0a6bd8a8a
SHA256 dffb6a20a7e5a0c89dce2cc45445bd52bc861ba1b3597a35b979d096ab9f3a93
SHA512 1d350bc71f9324d4d79afa2b5c5efc52dd2e254d4b1fd2ed695bc35eb68515c8427eca3a33f3affcc2889e2374df2bb57f7e4293a14b325ded0cf78cfd38e2e4

memory/2176-113-0x00007FF7971D0000-0x00007FF797521000-memory.dmp

memory/944-112-0x00007FF7B9D70000-0x00007FF7BA0C1000-memory.dmp

C:\Windows\System\qQJVOJX.exe

MD5 772eadcc57e4063b5c34dc476fafb046
SHA1 43e869856cfa8aa29b19382f3dafa13561d959cb
SHA256 b4b7afc666b81cf9477de831f0bfb946c45e41a6a494f483934e4e506c539dfc
SHA512 7093c39a1fab7f85037f8f90984440c2fa6b855a123b110f121adbcac023918515cf6f43664c19e4d7379298ee30c2d0a9eff9787d05ac5b9291a2e24a2e8781

memory/1380-94-0x00007FF6A4720000-0x00007FF6A4A71000-memory.dmp

memory/3752-83-0x00007FF79EE90000-0x00007FF79F1E1000-memory.dmp

memory/2568-129-0x00007FF600A80000-0x00007FF600DD1000-memory.dmp

C:\Windows\System\ZnQDxQB.exe

MD5 d3bc95394c7c3ad0c392e5e1d302120c
SHA1 d5f310edc70232fd6912a452d9b3378dbf4d551b
SHA256 fbeb7eb8d59efd0d36b9902e6e213fd5fe89fa37b4645b4b73913da246d52466
SHA512 b2e3c4b2b5a7ddba525c9feaa8ae09a7f8654626a1ded118a007c38e5af8de11b3e50e93120d2493c6f3ce402594804e5d9c4c6aba362af9507136a10e8da163

memory/2976-131-0x00007FF767FA0000-0x00007FF7682F1000-memory.dmp

memory/5072-136-0x00007FF6512A0000-0x00007FF6515F1000-memory.dmp

memory/3212-140-0x00007FF6A1C50000-0x00007FF6A1FA1000-memory.dmp

memory/1060-142-0x00007FF694620000-0x00007FF694971000-memory.dmp

memory/900-144-0x00007FF6A27C0000-0x00007FF6A2B11000-memory.dmp

memory/4740-151-0x00007FF766520000-0x00007FF766871000-memory.dmp

memory/944-150-0x00007FF7B9D70000-0x00007FF7BA0C1000-memory.dmp

memory/2884-154-0x00007FF67BCE0000-0x00007FF67C031000-memory.dmp

memory/2176-207-0x00007FF7971D0000-0x00007FF797521000-memory.dmp

memory/3168-209-0x00007FF6485B0000-0x00007FF648901000-memory.dmp

memory/2568-211-0x00007FF600A80000-0x00007FF600DD1000-memory.dmp

memory/1148-213-0x00007FF65A2C0000-0x00007FF65A611000-memory.dmp

memory/5072-215-0x00007FF6512A0000-0x00007FF6515F1000-memory.dmp

memory/3268-218-0x00007FF690C20000-0x00007FF690F71000-memory.dmp

memory/4944-219-0x00007FF78F3D0000-0x00007FF78F721000-memory.dmp

memory/3208-221-0x00007FF7260C0000-0x00007FF726411000-memory.dmp

memory/3212-225-0x00007FF6A1C50000-0x00007FF6A1FA1000-memory.dmp

memory/3640-224-0x00007FF6A9A20000-0x00007FF6A9D71000-memory.dmp

memory/1060-227-0x00007FF694620000-0x00007FF694971000-memory.dmp

memory/2236-235-0x00007FF69A5A0000-0x00007FF69A8F1000-memory.dmp

memory/3752-237-0x00007FF79EE90000-0x00007FF79F1E1000-memory.dmp

memory/1380-239-0x00007FF6A4720000-0x00007FF6A4A71000-memory.dmp

memory/3164-241-0x00007FF7AD780000-0x00007FF7ADAD1000-memory.dmp

memory/520-243-0x00007FF6B0FE0000-0x00007FF6B1331000-memory.dmp

memory/4796-245-0x00007FF7298B0000-0x00007FF729C01000-memory.dmp

memory/944-247-0x00007FF7B9D70000-0x00007FF7BA0C1000-memory.dmp

memory/4740-249-0x00007FF766520000-0x00007FF766871000-memory.dmp

memory/2976-251-0x00007FF767FA0000-0x00007FF7682F1000-memory.dmp

memory/900-255-0x00007FF6A27C0000-0x00007FF6A2B11000-memory.dmp
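Two things in the file listings are worth checking mechanically rather than by eye. First, the dropped executables have the same names and the same hashes in both behavioral runs (compare, for instance, qQJVOJX.exe, XNLObNQ.exe and kKUMwiy.exe above with the behavioral1 listing earlier in the report), so the names are fixed rather than generated per run and are usable as indicators; note that one listing spells the directory `C:\Windows\system` and the other `C:\Windows\System`, so any matching has to be case-insensitive. Second, every `memory/<pid>-<seq>-<start>-<end>-memory.dmp` entry for a child process spans the same number of bytes, which is what one expects when every child maps an image of identical size. The parser below is an added example, not part of the sandbox report or of any tool it names; the line format is inferred from the report text, and the sample input is a subset copied from the two listings above (with blank lines trimmed), not new data.

```python
"""Added example (not from the report): parse a sandbox 'Files' listing (file path followed by
MD5/SHA1/SHA256/SHA512 lines, interleaved with memory/<pid>-<seq>-<start>-<end>-memory.dmp
entries) into an IOC set, a cross-run name+hash comparison, and a dump-region size histogram.
The format is inferred from the report text; the sample input is copied from its listings."""
import re
from collections import Counter

MEM_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-fA-F]+)$")

# Subset of the behavioral1 listing (note the lowercase 'system' directory in this run).
RUN1 = r"""
C:\Windows\system\qQJVOJX.exe

MD5 772eadcc57e4063b5c34dc476fafb046
SHA256 b4b7afc666b81cf9477de831f0bfb946c45e41a6a494f483934e4e506c539dfc
C:\Windows\system\XNLObNQ.exe
MD5 c0297ed1157a60b7f52a0ed69e693484
SHA256 e0b82dae56692856cd78c6dbe85a1d7e736889d474b6b1988aa2f182a0bf21e7
memory/2632-106-0x000000013F6E0000-0x000000013FA31000-memory.dmp
C:\Windows\system\kKUMwiy.exe
MD5 05ebb1380b118cb5c3a7cd95f2c1bdc6
SHA256 a4f231097b8413e2b9fb9da28c7630c07268a0301c52788f70fdda3a28a41eb5
memory/1644-98-0x000000013F170000-0x000000013F4C1000-memory.dmp
"""

# Subset of the behavioral2 listing (PID 2884 is the dropper; its second region is not an image).
RUN2 = r"""
memory/2884-0-0x00007FF67BCE0000-0x00007FF67C031000-memory.dmp
memory/2884-1-0x0000022D089A0000-0x0000022D089B0000-memory.dmp
C:\Windows\System\ORUdPbP.exe
MD5 2e069e4ecfe2330527d5db9e37be9a33
SHA256 cf5115af0dc1774e9866584656423009bf182a7236acd11bca2879308555384f
C:\Windows\System\kKUMwiy.exe
MD5 05ebb1380b118cb5c3a7cd95f2c1bdc6
SHA256 a4f231097b8413e2b9fb9da28c7630c07268a0301c52788f70fdda3a28a41eb5
C:\Windows\System\XNLObNQ.exe
MD5 c0297ed1157a60b7f52a0ed69e693484
SHA256 e0b82dae56692856cd78c6dbe85a1d7e736889d474b6b1988aa2f182a0bf21e7
memory/3164-100-0x00007FF7AD780000-0x00007FF7ADAD1000-memory.dmp
C:\Windows\System\qQJVOJX.exe
MD5 772eadcc57e4063b5c34dc476fafb046
SHA256 b4b7afc666b81cf9477de831f0bfb946c45e41a6a494f483934e4e506c539dfc
"""


def parse_files(text):
    """Return (files, regions): files maps path -> {hash name: lowercase hex}; regions is a list of
    (pid, seq, start, end).  Blank lines are skipped; any other line that is neither a hash line
    nor a memory entry starts a new file record."""
    files, regions, current = {}, [], None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line:
            continue
        m = MEM_RE.match(line)
        if m:
            pid, seq, start, end = m.groups()
            regions.append((int(pid), int(seq), int(start, 16), int(end, 16)))
            current = None          # a memory entry ends the current file record
            continue
        h = HASH_RE.match(line)
        if h:
            if current is not None:
                files[current][h.group(1)] = h.group(2).lower()
            continue
        current = line
        files.setdefault(current, {})
    return files, regions


def sha256_iocs(files):
    """Sorted, de-duplicated SHA256 values, ready for a blocklist."""
    return sorted({h["SHA256"] for h in files.values() if "SHA256" in h})


def same_name_same_hash(run_a, run_b):
    """Paths present in both runs (compared case-insensitively, as Windows paths are) whose
    SHA256 is identical: fixed names with fixed content, hence usable as indicators."""
    b = {p.lower(): h.get("SHA256") for p, h in run_b.items()}
    return sorted(p for p, h in run_a.items() if h.get("SHA256") and h["SHA256"] == b.get(p.lower()))


def region_size_histogram(regions):
    """{size in bytes: count} for the dumped regions; one dominant size across many PIDs means
    every child mapped an image of the same size."""
    return dict(Counter(end - start for _, _, start, end in regions))


if __name__ == "__main__":
    f1, r1 = parse_files(RUN1)
    f2, r2 = parse_files(RUN2)
    print("unique SHA256 in run 2:", len(sha256_iocs(f2)))
    print("same name and hash in both runs:", same_name_same_hash(f1, f2))
    print("dump region sizes, run 2:", {hex(k): v for k, v in region_size_histogram(r2).items()})
```

Run against the full listings, the histogram collapses to a single 0x351000-byte size for every child image region, with only the dropper's second region (0x10000 bytes) differing; the full cross-run comparison returns every dropped name that appears in both listings.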