Malware Analysis Report

2025-03-15 08:11

Sample ID 240530-lhz2fseb28
Target 2024-05-30_71667115618f013078b800d9ae1cfd05_cobalt-strike_cobaltstrike
SHA256 cba075263c7ade39c144e71cb254b428e68dea102f13ca91e5bad6f1d7d03178
Tags
upx 0 miner cobaltstrike xmrig backdoor trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

cba075263c7ade39c144e71cb254b428e68dea102f13ca91e5bad6f1d7d03178

Threat Level: Known bad

The file 2024-05-30_71667115618f013078b800d9ae1cfd05_cobalt-strike_cobaltstrike was found to be: Known bad.

Malicious Activity Summary

upx 0 miner cobaltstrike xmrig backdoor trojan

UPX dump on OEP (original entry point)

Detects Reflective DLL injection artifacts

Cobaltstrike (Cobaltstrike family)

Cobalt Strike reflective loader

XMRig Miner payload (Xmrig family, xmrig)

UPX packed file

Executes dropped EXE

Loads dropped DLL

Drops file in Windows directory

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-05-30 09:32

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike family

cobaltstrike

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Xmrig family

xmrig

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
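The two file-level signatures in this static pass, UPX packed file and Unsigned PE, can be reproduced from the PE headers alone. The script below is an added example written for this page, not sandbox or report code: it parses the section table and the Authenticode (security) data directory with nothing but the standard library, and builds a constructed header-only PE image so the check runs offline. The names parse_pe, triage and build_minimal_pe are this example's own, and the constructed image is not the sample from this report.

```python
"""Reproduce the static 'UPX packed file' and 'Unsigned PE' checks from PE
headers alone.  Added example, standard library only; build_minimal_pe()
constructs a header-only image for offline testing (it is not a runnable
binary and not the sample from this report)."""
import struct

IMAGE_DIRECTORY_ENTRY_SECURITY = 4          # Authenticode certificate table
UPX_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2"}


def parse_pe(data: bytes) -> dict:
    """Return section names and the (offset, size) of the security directory."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    file_hdr = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, file_hdr + 2)[0]
    opt_size = struct.unpack_from("<H", data, file_hdr + 16)[0]
    opt = file_hdr + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:            # PE32: data directories start at +96
        dd = opt + 96
    elif magic == 0x20B:          # PE32+: data directories start at +112
        dd = opt + 112
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    num_rva = struct.unpack_from("<I", data, dd - 4)[0]   # NumberOfRvaAndSizes
    sec_off, sec_size = 0, 0
    if num_rva > IMAGE_DIRECTORY_ENTRY_SECURITY:
        sec_off, sec_size = struct.unpack_from(
            "<II", data, dd + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)
    table = opt + opt_size
    names = [data[table + 40 * i:table + 40 * i + 8].rstrip(b"\0")
             for i in range(num_sections)]
    return {"sections": names, "security_dir": (sec_off, sec_size)}


def triage(data: bytes) -> dict:
    """Map the parsed headers onto the two report signatures."""
    info = parse_pe(data)
    return {
        "sections": [n.decode("ascii", "replace") for n in info["sections"]],
        "upx_packed": any(n in UPX_SECTION_NAMES for n in info["sections"]),
        # The security directory is a file offset/size pair; size 0 means no
        # embedded Authenticode signature (catalog-signed files also show 0).
        "unsigned": info["security_dir"][1] == 0,
    }


def build_minimal_pe(section_names, signed: bool, pe32plus: bool = True) -> bytes:
    """Constructed test input: DOS stub + headers + section table, no section data."""
    dd = 112 if pe32plus else 96
    opt_size = dd + 16 * 8                      # 16 data directories of 8 bytes
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)     # e_lfanew -> right after the stub
    file_hdr = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C,
                           len(section_names), 0, 0, 0, opt_size, 0x22)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)
    struct.pack_into("<I", opt, dd - 4, 16)
    if signed:                                  # fake certificate table entry
        struct.pack_into("<II", opt, dd + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY,
                         0x4000, 0x1800)
    sections = b"".join(struct.pack("<8s32x", n) for n in section_names)
    return bytes(dos) + b"PE\0\0" + file_hdr + bytes(opt) + sections


if __name__ == "__main__":
    packed = build_minimal_pe([b"UPX0", b"UPX1", b".rsrc"], signed=False)
    print(triage(packed))   # upx_packed True, unsigned True
```

Two caveats when reading these results on a real file: UPX section names are trivial to rename, so a packer check should also look at section entropy and the "UPX!" marker rather than names alone; and an empty security directory means "no embedded Authenticode signature", which is what the report's Unsigned PE signature measures, not "untrusted", since Windows system files are usually catalog-signed and show the same empty directory.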

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-30 09:32

Reported

2024-05-30 09:35

Platform

win7-20240221-en

Max time kernel

140s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-05-30_71667115618f013078b800d9ae1cfd05_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A (21 identical rows collapsed; the sandbox recorded 21 matches with no indicator details)

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A (21 identical rows collapsed)

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A (61 identical rows collapsed)

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A (41 identical rows collapsed)

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_71667115618f013078b800d9ae1cfd05_cobalt-strike_cobaltstrike.exe N/A (21 identical rows collapsed; the loaded DLL paths were not recorded)

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A (61 identical rows collapsed)

Drops file in Windows directory

Description Indicator Process Target
Process in every row: C:\Users\Admin\AppData\Local\Temp\2024-05-30_71667115618f013078b800d9ae1cfd05_cobalt-strike_cobaltstrike.exe; Indicator and Target N/A. 21 files created, each with a 7-letter mixed-case name under C:\Windows\System:
File created C:\Windows\System\PfEJrfK.exe
File created C:\Windows\System\JDjYznP.exe
File created C:\Windows\System\AQlUctw.exe
File created C:\Windows\System\AwfHkiA.exe
File created C:\Windows\System\ESbYbbW.exe
File created C:\Windows\System\tojrtXD.exe
File created C:\Windows\System\VbmQMKJ.exe
File created C:\Windows\System\zDhKJmd.exe
File created C:\Windows\System\rXvTUOR.exe
File created C:\Windows\System\bKziTKQ.exe
File created C:\Windows\System\QAbeXut.exe
File created C:\Windows\System\FGvFrih.exe
File created C:\Windows\System\FeWeEof.exe
File created C:\Windows\System\uVPyjjI.exe
File created C:\Windows\System\fKtEpVO.exe
File created C:\Windows\System\bKAwCZl.exe
File created C:\Windows\System\qaNhIpX.exe
File created C:\Windows\System\NujhpZW.exe
File created C:\Windows\System\nmMYMqD.exe
File created C:\Windows\System\jkxresb.exe
File created C:\Windows\System\qDJwbWw.exe

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_71667115618f013078b800d9ae1cfd05_cobalt-strike_cobaltstrike.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_71667115618f013078b800d9ae1cfd05_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
Process in every row: C:\Users\Admin\AppData\Local\Temp\2024-05-30_71667115618f013078b800d9ae1cfd05_cobalt-strike_cobaltstrike.exe (PID 2880); Indicator N/A. The original 63 rows are three identical writes per child process, collapsed here to one row per child with the write count.
PID 2880 wrote to memory of 2892 (3 writes) C:\Windows\System\qaNhIpX.exe
PID 2880 wrote to memory of 1984 (3 writes) C:\Windows\System\NujhpZW.exe
PID 2880 wrote to memory of 2548 (3 writes) C:\Windows\System\nmMYMqD.exe
PID 2880 wrote to memory of 2652 (3 writes) C:\Windows\System\FGvFrih.exe
PID 2880 wrote to memory of 2740 (3 writes) C:\Windows\System\PfEJrfK.exe
PID 2880 wrote to memory of 2172 (3 writes) C:\Windows\System\tojrtXD.exe
PID 2880 wrote to memory of 2728 (3 writes) C:\Windows\System\FeWeEof.exe
PID 2880 wrote to memory of 2544 (3 writes) C:\Windows\System\VbmQMKJ.exe
PID 2880 wrote to memory of 2616 (3 writes) C:\Windows\System\JDjYznP.exe
PID 2880 wrote to memory of 548 (3 writes) C:\Windows\System\AQlUctw.exe
PID 2880 wrote to memory of 2456 (3 writes) C:\Windows\System\jkxresb.exe
PID 2880 wrote to memory of 2564 (3 writes) C:\Windows\System\uVPyjjI.exe
PID 2880 wrote to memory of 2496 (3 writes) C:\Windows\System\zDhKJmd.exe
PID 2880 wrote to memory of 2920 (3 writes) C:\Windows\System\rXvTUOR.exe
PID 2880 wrote to memory of 1340 (3 writes) C:\Windows\System\AwfHkiA.exe
PID 2880 wrote to memory of 1444 (3 writes) C:\Windows\System\fKtEpVO.exe
PID 2880 wrote to memory of 1540 (3 writes) C:\Windows\System\qDJwbWw.exe
PID 2880 wrote to memory of 376 (3 writes) C:\Windows\System\bKAwCZl.exe
PID 2880 wrote to memory of 1536 (3 writes) C:\Windows\System\bKziTKQ.exe
PID 2880 wrote to memory of 2404 (3 writes) C:\Windows\System\QAbeXut.exe
PID 2880 wrote to memory of 1412 (3 writes) C:\Windows\System\ESbYbbW.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-05-30_71667115618f013078b800d9ae1cfd05_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-05-30_71667115618f013078b800d9ae1cfd05_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\qaNhIpX.exe

C:\Windows\System\qaNhIpX.exe

C:\Windows\System\NujhpZW.exe

C:\Windows\System\NujhpZW.exe

C:\Windows\System\nmMYMqD.exe

C:\Windows\System\nmMYMqD.exe

C:\Windows\System\FGvFrih.exe

C:\Windows\System\FGvFrih.exe

C:\Windows\System\PfEJrfK.exe

C:\Windows\System\PfEJrfK.exe

C:\Windows\System\tojrtXD.exe

C:\Windows\System\tojrtXD.exe

C:\Windows\System\FeWeEof.exe

C:\Windows\System\FeWeEof.exe

C:\Windows\System\VbmQMKJ.exe

C:\Windows\System\VbmQMKJ.exe

C:\Windows\System\JDjYznP.exe

C:\Windows\System\JDjYznP.exe

C:\Windows\System\AQlUctw.exe

C:\Windows\System\AQlUctw.exe

C:\Windows\System\jkxresb.exe

C:\Windows\System\jkxresb.exe

C:\Windows\System\uVPyjjI.exe

C:\Windows\System\uVPyjjI.exe

C:\Windows\System\zDhKJmd.exe

C:\Windows\System\zDhKJmd.exe

C:\Windows\System\rXvTUOR.exe

C:\Windows\System\rXvTUOR.exe

C:\Windows\System\AwfHkiA.exe

C:\Windows\System\AwfHkiA.exe

C:\Windows\System\fKtEpVO.exe

C:\Windows\System\fKtEpVO.exe

C:\Windows\System\qDJwbWw.exe

C:\Windows\System\qDJwbWw.exe

C:\Windows\System\bKAwCZl.exe

C:\Windows\System\bKAwCZl.exe

C:\Windows\System\bKziTKQ.exe

C:\Windows\System\bKziTKQ.exe

C:\Windows\System\QAbeXut.exe

C:\Windows\System\QAbeXut.exe

C:\Windows\System\ESbYbbW.exe

C:\Windows\System\ESbYbbW.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 N/A tcp (6 identical connection rows collapsed)
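Taken one at a time, the behavioral rows in this run are weak signals: executables dropped under C:\Windows\System, a SeLockMemoryPrivilege request, WriteProcessMemory from PID 2880 into every child it spawns, and repeated TCP connections to 3.120.209.58:8080. Correlated per process they are what justifies the 10/10. The script below is an added example written for this page, not sandbox code: it parses row text in the layout this report uses (a constructed subset of the rows above is embedded inline), correlates the events per process, and emits a verdict with an IOC set. The rule names, the thresholds and the verdict ladder are this example's own choices. SeLockMemoryPrivilege is the privilege a process needs for large-page allocations, which XMRig enables for its mining dataset, so a binary in a user's Temp directory asking for it is a strong miner tell.

```python
"""Correlate behavioral rows in the layout of this report (Description /
Indicator / Process / Target, plus the Network table) into a verdict and an
IOC set.  Added example, not sandbox code; rule names and thresholds are
this example's own."""
import re
from collections import Counter, defaultdict

PARENT = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\2024-05-30_71667115618f013078b800d9ae1cfd05_cobalt-strike_cobaltstrike.exe")

# Constructed input: a subset of the rows from the behavioral1 tables above.
SAMPLE_ROWS = [
    f"File created C:\\Windows\\System\\PfEJrfK.exe {PARENT} N/A",
    f"File created C:\\Windows\\System\\JDjYznP.exe {PARENT} N/A",
    f"File created C:\\Windows\\System\\qaNhIpX.exe {PARENT} N/A",
    f"Token: SeLockMemoryPrivilege N/A {PARENT} N/A",
    f"Token: SeLockMemoryPrivilege N/A {PARENT} N/A",
    f"PID 2880 wrote to memory of 2892 N/A {PARENT} C:\\Windows\\System\\qaNhIpX.exe",
    f"PID 2880 wrote to memory of 2892 N/A {PARENT} C:\\Windows\\System\\qaNhIpX.exe",
    f"PID 2880 wrote to memory of 2892 N/A {PARENT} C:\\Windows\\System\\qaNhIpX.exe",
    f"PID 2880 wrote to memory of 1984 N/A {PARENT} C:\\Windows\\System\\NujhpZW.exe",
    "DE 3.120.209.58:8080 tcp",
    "DE 3.120.209.58:8080 tcp",
]

DROP_RE = re.compile(r"^File created (C:\\Windows\\System\\([A-Za-z]{7})\.exe) (\S+) N/A$")
TOKEN_RE = re.compile(r"^Token: (Se\w+Privilege) N/A (\S+) N/A$")
WPM_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)$")
NET_RE = re.compile(r"^([A-Z]{2}) (\d+\.\d+\.\d+\.\d+):(\d+) (tcp|udp)$")


def looks_random(stem: str) -> bool:
    """Seven letters in mixed case, as every dropped name in this report is."""
    return len(stem) == 7 and stem != stem.lower() and stem != stem.upper()


def correlate(rows) -> dict:
    drops = defaultdict(list)   # dropping process -> paths it created
    privs = defaultdict(set)    # process -> privileges it enabled
    writes = Counter()          # (src pid, dst pid, target image) -> write count
    conns = Counter()           # (ip, port, proto) -> connection count
    for row in rows:
        if m := DROP_RE.match(row):
            path, stem, proc = m.groups()
            if looks_random(stem):
                drops[proc].append(path)
        elif m := TOKEN_RE.match(row):
            priv, proc = m.groups()
            privs[proc].add(priv)
        elif m := WPM_RE.match(row):
            src, dst, _proc, target = m.groups()
            writes[(int(src), int(dst), target)] += 1
        elif m := NET_RE.match(row):
            _cc, ip, port, proto = m.groups()
            conns[(ip, int(port), proto)] += 1

    findings = []
    for proc, paths in drops.items():
        if len(paths) >= 3:     # one oddly named EXE could be an installer; three is a dropper
            findings.append(("dropper_random_names_in_windows_system", proc, len(paths)))
    for proc, names in privs.items():
        # SeLockMemoryPrivilege is needed for large-page allocations; XMRig asks
        # for it, and a binary under a user profile has no business doing so.
        if "SeLockMemoryPrivilege" in names and not proc.lower().startswith("c:\\windows\\"):
            findings.append(("lock_memory_privilege_outside_windows", proc, 1))
    for (src, dst, target), n in writes.items():
        if n >= 3:              # repeated writes into a child it just spawned
            findings.append(("parent_writes_into_child", f"{src}->{dst} {target}", n))

    verdict = "malicious" if len(findings) >= 2 else "suspicious" if findings else "clean"
    iocs = {
        "dropped_files": sorted(p for ps in drops.values() for p in ps),
        "child_pids": sorted({dst for (_s, dst, _t) in writes}),
        "network": sorted(f"{ip}:{port}/{proto}" for (ip, port, proto) in conns),
    }
    return {"verdict": verdict, "findings": findings, "iocs": iocs}


if __name__ == "__main__":
    import json
    print(json.dumps(correlate(SAMPLE_ROWS), indent=2))
```

The same three host rules map directly onto Sysmon telemetry on a real endpoint (Event ID 11 for the file creates, 10 for the cross-process memory access, 3 for the outbound connection), so the correlation can run on the fleet rather than only on sandbox output. Note that the sandbox's Cobalt Strike label rests on reflective-loader signature matches; the behaviour actually observed in this run (the privilege request, the mass drop into C:\Windows\System, the single 8080 endpoint) is what the IOC set should be built from.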

Files

memory/2880-0-0x000000013F6F0000-0x000000013FA41000-memory.dmp

memory/2880-1-0x0000000000180000-0x0000000000190000-memory.dmp

\Windows\system\qaNhIpX.exe

MD5 58fc977d61f8005c04eb7ab4f74ff984
SHA1 ab2ee01e23593efe3410f9ddb6b072c35b8cf00a
SHA256 69e8d887de1019eb76334e7885ed5c03d1f1e2a244e24b29c30ec0672dd82ef6
SHA512 30ebdcfaaa475030dd8f3b48f6370119ec49f6a56ef3604f05564312bd4289d867cda2c076bb300fa3cd8022eb12bafadde17d94bd3000848facedbde9fcec43

memory/2892-9-0x000000013F500000-0x000000013F851000-memory.dmp

memory/2880-7-0x0000000002330000-0x0000000002681000-memory.dmp

C:\Windows\system\NujhpZW.exe

MD5 0258e2728b68c35b9f3ab3c2bacd4dd7
SHA1 a7e43176403ff582587bf931cd60fc683332296e
SHA256 4e3f46c6b5fd707e9dd77408f151e2604f2d748a26aa1fca0c2adb09128bbaea
SHA512 abf34e03ea145ff078b2f5d3bf5c1d4e377f26463f9b45bd8306fc188479a8e291f39a4121bace7a4298149ebb97a19a1e122f8276f95735c425ebfd4e16d3b0

C:\Windows\system\nmMYMqD.exe

MD5 9bfb4af410379f65ad8f44abd7a22df7
SHA1 8647dc21ac906f10d3d563d8e089284869b31b09
SHA256 82380874bcea64d8f7f308ec0c8bb992b03c09a0928806cb31970f46d2aade93
SHA512 e2261ff37ef48f3c9f4680e8b6cafb01446e8b5e15acfdede37215a9fcf010d6ab9e14029a1712ac54963ca9f878aedf9020d287ef62528ec42671c471e05505

memory/1984-22-0x000000013F5D0000-0x000000013F921000-memory.dmp

memory/2880-25-0x000000013F050000-0x000000013F3A1000-memory.dmp

C:\Windows\system\FGvFrih.exe

MD5 1e26c8a222dcbe3cddbf5aa39e183dbd
SHA1 9591b4ddc0c086d2c79f61a28298d84ce4cc4e8a
SHA256 eb7c18190e7a7f6d91d548f3b95d2dc2db26707508862170b2cf3e412c94fe90
SHA512 e8f4d275920f3f95e8096bf90c3be18251647dba9543201480b231a03ab606236fd047f73b1b3452fade73bbfc5c0d6c616b62c788c00f8f598a7e4d319637bb

\Windows\system\PfEJrfK.exe

MD5 4fe866ebda96c9ae26a1c479b04b6def
SHA1 5c1c184ba8174304d6c0919884379dd552400268
SHA256 13ca563d1ab50a02abfb763fa3e8b8732487ff2a2031c715f21823c173e0b0d5
SHA512 d24218612bc10f0a6a148bfdfafe008ae81f31875608050023702d54ce1f85800783fdb8a9575b7404aa8578fc2d77f20eb644f86fed1ca422dfe5ab22f5da6e

memory/2880-18-0x0000000002330000-0x0000000002681000-memory.dmp

memory/2880-38-0x0000000002330000-0x0000000002681000-memory.dmp

memory/2172-58-0x000000013FB40000-0x000000013FE91000-memory.dmp

\Windows\system\zDhKJmd.exe

MD5 92cd4934dad4432705e0da1882fcba7c
SHA1 67eb80a67a75aeee56e074769827e250ad1939c6
SHA256 eab2be7d7ed164d3f42922a95e132c4f19fdd7156c63ce7383cfe35dc24b3c31
SHA512 b7bf40254df9c1789f6cdb8f3487ec60bca3cbaff322acd86e753a1dde7b54e1fa392d6851b2d5677f1e0d8e5d821e2834b164ee357f6edd9f3880e5e26eb0d7

C:\Windows\system\rXvTUOR.exe

MD5 08aae75a6ca92183ddd26a718b8aa7f7
SHA1 1e4320a4e4b2beb7c8e846bc90665b1a474d895b
SHA256 767aa4a9733b7c020632a9d489e3e3a395ba00a5d3a8bc934b950751f4e100b9
SHA512 b60b8276acb02f3a4feed0d0a6eb15239aa44b1c90b2a40601c5feb990374e25b11848dd81beb977056fe05acfe67bb133ac5c7acccdcf0938ab97dd3248e4fb

C:\Windows\system\JDjYznP.exe

MD5 734f05b73c736221a31a3a698d8f2c1b
SHA1 b0dc8685fd39a37d18ba1e897760d8ce1aa1f0e6
SHA256 a097f987fb2de47a77b1f4f721fc2a5e495c2b26044325bb38e6d057fd76f09b
SHA512 90d6b46f0e036fb2bf862bf653378a4b423b8eb061bec734a23685d65f53a891338d144bfae0745f24d5cf0895f28f4d336bf21452007036b7a7e9c918e80c9a

memory/2880-78-0x000000013F2B0000-0x000000013F601000-memory.dmp

C:\Windows\system\uVPyjjI.exe

MD5 e3402a5b68735880a66269438781612f
SHA1 23bdadc6c3f5b9b150e0970ce679829c66de21b6
SHA256 91807182cabf2ce06a5e5189f78b64b335a2964ff8a83b9347f708d65621004e
SHA512 120319024d27ca89f3469264619644e50cc6a849c104d109caeaa5b7a134c2b1dd255531e5d5e2f7f4c5f47aea4ee93dc4cd70f9e4345360119056e087065650

memory/2496-103-0x000000013F9A0000-0x000000013FCF1000-memory.dmp

memory/2616-102-0x000000013F220000-0x000000013F571000-memory.dmp

C:\Windows\system\fKtEpVO.exe

MD5 e31d242b0c1b96e5ad8ab98874cfa306
SHA1 bafac5665e09ddee4a86a6f71aee2a58d5172a99
SHA256 19bdf0f02beef0e635c78a40b3fa21df927e44a03d43809cadd72265a348c39f
SHA512 c466a3f612e13f09c23b7f37497cc17414f60b367b71850e79b9f7f9ad341417e0774f78f979d3c4545ba16c9afeb01017d44221769a50e3a9a9e84117b2f287

C:\Windows\system\QAbeXut.exe

MD5 f13f8d34e27df501d4228987ef78fbd2
SHA1 9e058db8f9e4275db2a2452eb3ad60ae9a4f39f8
SHA256 cfeb20483ef8dfed3edf2b8dd33ffeac21a7ef05014fd85846d175caf5e6c780
SHA512 de0a40ef6ed5bd040a45f7cda29b8675865d0db3399b256c9459d6940d13aab107de2925ae6bf977fdf3367e2e9b1408dc58d856f2552d24618354a0f3a4c08d

\Windows\system\ESbYbbW.exe

MD5 242db20e8094aae4e7c7a279631eaf42
SHA1 897d314bc8ff71ba660ad18a1dc4fc047a409725
SHA256 98ff86ca035231e1ee48686d7c91fe3586b760d814108dbfb25f16c6e0a6fbc8
SHA512 989a3dde1aca2ce7d0bec0ad17ac29b1d8f9a91e810228d4d1c01be3cbe42c7b0c96344d0a879e936f219c5e94b6e12986fab9d4281510cd8919b8fceb088659

C:\Windows\system\bKziTKQ.exe

MD5 77181b69fa2154c95cc215174d4b3f88
SHA1 6eb3ab7071542c37bbfa0599307ff1aa0909d2ab
SHA256 a8327b82f3944a032270b7cf746123a444e468c563efa0a0f1b975ded459cf0d
SHA512 21f8b20feb3ca17afb945bc1c34fc1db643d1fc7755e4272331e8b05418ac15b36f9f6f02b741e24820334c893085a479794d782179d3514abb2d1d4bd098600

C:\Windows\system\bKAwCZl.exe

MD5 6154e8a300e1a3ab0a5eab50da99b3c5
SHA1 e3b16074a8f1d0dcd93f199d7f15bbc9a330e213
SHA256 3940fa23fdd9bfa79cdb93a43c21960fdbb0a0895d701a31855985cab2f41e55
SHA512 51ad8b53e6b39af429da2a2589b901847fa0f8d9485b4ed0aa2bf5e875a6e6f19dbc5b19a05d956b2e9785dee9aa486a3c6cadc5a1ee7667051ee431978e1e59

C:\Windows\system\qDJwbWw.exe

MD5 d8a04f6642a93fe058707de5fc49af4d
SHA1 ad9f87c495254e9a1bf376c084b2ce1e2456545d
SHA256 871295d9b9e3c7be56b15b37af81af27f8b4276fcbbedaf48f94d497a1b8150b
SHA512 e43ee56a197bdba890796b92ceb52e7fd764de6bda571d84767519e8547be5b7e0ff8e502b6dfc86c203336c8c316ae1cce88b7f690a51f5a6443deed8e33231

memory/2880-101-0x000000013FE00000-0x0000000140151000-memory.dmp

memory/2880-100-0x0000000002330000-0x0000000002681000-memory.dmp

memory/2880-99-0x000000013F220000-0x000000013F571000-memory.dmp

memory/2880-97-0x0000000002330000-0x0000000002681000-memory.dmp

memory/2456-96-0x000000013F2B0000-0x000000013F601000-memory.dmp

C:\Windows\system\AwfHkiA.exe

MD5 3ceef367c3a86981d5032eb71944ec4c
SHA1 1024125a703535e0c390ea6f57e286c957ba3c82
SHA256 f18d5387fcbb3a7dd44a0e35b7d1130bf4cac58ebd7129fb6679a6ae4b966844
SHA512 27744e230806b8e26a7d9d92337cd32ab22be5b2dd77a3c2998743860bec842e17342a633639dcb7ec58e167a2251a5f0d5338212a1d6fab8418f60bbed51560

memory/2920-94-0x000000013F2B0000-0x000000013F601000-memory.dmp

memory/2564-93-0x000000013FE00000-0x0000000140151000-memory.dmp

memory/2880-91-0x000000013F2B0000-0x000000013F601000-memory.dmp

memory/2880-90-0x0000000002330000-0x0000000002681000-memory.dmp

memory/548-88-0x000000013F890000-0x000000013FBE1000-memory.dmp

memory/2544-86-0x000000013FE60000-0x00000001401B1000-memory.dmp

C:\Windows\system\jkxresb.exe

MD5 fca9572d77c76695a637c959f95cd00c
SHA1 99d755fa50d806112d94a017671ead6111a1bc09
SHA256 15c5449df5614980f132d688b45bc329194c4746fa28cdb8acdcc45aeb50ae3e
SHA512 25cbb1a60e3382d95355498c2951da549399da2f7c5f68facd66332247c69e950507d7571c7a1bef24e4ac0257f4c3cad16e107b5def6c0c3593cc788e3de132

C:\Windows\system\AQlUctw.exe

MD5 3369fa81f1170dd435dde9c3a931374b
SHA1 a3dac950494cd1048333944e3fefaaedd7f9b897
SHA256 bbec17fc6047cb593eed0604aba90d076778783f1b724ca5094083a19c2075da
SHA512 f3d11bbd5f5fcb7d21a5a50d69e2ad27df8959428c7826dc0683366acad02f5e0a1d1b5fd9148719272236acb179454a4cbf9e98d8f67c02ad4c34460d0bf39b

C:\Windows\system\VbmQMKJ.exe

MD5 95a308ab20a66b5a96fd6e0d55d8e9a5
SHA1 e58381e2c9579036477c33dde547b1fc4c96ddcf
SHA256 048b0866bbfa17e7ce6136fb40483184ee792f42fbfa602b9fcf82ab2105ea7a
SHA512 60c5e459dfa0a8af9463fe441acc2d957c97394695f639141d4f8437d298f23a37d63bf76c9ab310a15d0924eb06f48249d01e254dcf91dc09a968d8bcfd24d9

C:\Windows\system\FeWeEof.exe

MD5 117f167fb3030d96c2a1a39c9f64b3a7
SHA1 b5f0760069d343393d9aeced25b67445bf781c67
SHA256 5fd09d1995c409a291e6deb5c4f765864c97ae377164e8df97f1d967d88838de
SHA512 413cfb70e098f72897963c20edd5c5fd04d2afa2b10e1665e748fbee4d3dfb34e80fc73ecd781db1c5d37dcba573f3d5ae3f03b75d605c997e85961a351466fd

C:\Windows\system\tojrtXD.exe

MD5 bbec9b8f1dcbd38dae46de5ad594bbb3
SHA1 f1f87877a8338198332bb911eb16a04b5165ada4
SHA256 c35117237642ac365b54637de5affd83e0869e1dda332167a9b84e9dfc4bb59d
SHA512 a5d25137de42cca8d16697fd31af207f3ec942a3a9ba56844cb4db441e3c5c6f89b4c732596af401c3e4427ce64ca9482131f40e982a5b3a1c4f8d17bc5b0a01

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-30 09:32

Reported

2024-05-30 09:35

Platform

win10v2004-20240508-en

Max time kernel

147s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-05-30_71667115618f013078b800d9ae1cfd05_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\nmMYMqD.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_71667115618f013078b800d9ae1cfd05_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\PfEJrfK.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_71667115618f013078b800d9ae1cfd05_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\JDjYznP.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_71667115618f013078b800d9ae1cfd05_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\AQlUctw.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_71667115618f013078b800d9ae1cfd05_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\jkxresb.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_71667115618f013078b800d9ae1cfd05_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\qaNhIpX.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_71667115618f013078b800d9ae1cfd05_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\FeWeEof.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_71667115618f013078b800d9ae1cfd05_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\rXvTUOR.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_71667115618f013078b800d9ae1cfd05_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\bKziTKQ.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_71667115618f013078b800d9ae1cfd05_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\QAbeXut.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_71667115618f013078b800d9ae1cfd05_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ESbYbbW.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_71667115618f013078b800d9ae1cfd05_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\NujhpZW.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_71667115618f013078b800d9ae1cfd05_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\tojrtXD.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_71667115618f013078b800d9ae1cfd05_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\zDhKJmd.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_71667115618f013078b800d9ae1cfd05_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\AwfHkiA.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_71667115618f013078b800d9ae1cfd05_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\fKtEpVO.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_71667115618f013078b800d9ae1cfd05_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\qDJwbWw.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_71667115618f013078b800d9ae1cfd05_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\bKAwCZl.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_71667115618f013078b800d9ae1cfd05_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\FGvFrih.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_71667115618f013078b800d9ae1cfd05_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\VbmQMKJ.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_71667115618f013078b800d9ae1cfd05_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\uVPyjjI.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_71667115618f013078b800d9ae1cfd05_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_71667115618f013078b800d9ae1cfd05_cobalt-strike_cobaltstrike.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_71667115618f013078b800d9ae1cfd05_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4988 wrote to memory of 752 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_71667115618f013078b800d9ae1cfd05_cobalt-strike_cobaltstrike.exe C:\Windows\System\qaNhIpX.exe
PID 4988 wrote to memory of 752 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_71667115618f013078b800d9ae1cfd05_cobalt-strike_cobaltstrike.exe C:\Windows\System\qaNhIpX.exe
PID 4988 wrote to memory of 3340 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_71667115618f013078b800d9ae1cfd05_cobalt-strike_cobaltstrike.exe C:\Windows\System\NujhpZW.exe
PID 4988 wrote to memory of 3340 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_71667115618f013078b800d9ae1cfd05_cobalt-strike_cobaltstrike.exe C:\Windows\System\NujhpZW.exe
PID 4988 wrote to memory of 1548 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_71667115618f013078b800d9ae1cfd05_cobalt-strike_cobaltstrike.exe C:\Windows\System\nmMYMqD.exe
PID 4988 wrote to memory of 1548 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_71667115618f013078b800d9ae1cfd05_cobalt-strike_cobaltstrike.exe C:\Windows\System\nmMYMqD.exe
PID 4988 wrote to memory of 4228 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_71667115618f013078b800d9ae1cfd05_cobalt-strike_cobaltstrike.exe C:\Windows\System\FGvFrih.exe
PID 4988 wrote to memory of 4228 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_71667115618f013078b800d9ae1cfd05_cobalt-strike_cobaltstrike.exe C:\Windows\System\FGvFrih.exe
PID 4988 wrote to memory of 3192 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_71667115618f013078b800d9ae1cfd05_cobalt-strike_cobaltstrike.exe C:\Windows\System\PfEJrfK.exe
PID 4988 wrote to memory of 3192 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_71667115618f013078b800d9ae1cfd05_cobalt-strike_cobaltstrike.exe C:\Windows\System\PfEJrfK.exe
PID 4988 wrote to memory of 1216 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_71667115618f013078b800d9ae1cfd05_cobalt-strike_cobaltstrike.exe C:\Windows\System\tojrtXD.exe
PID 4988 wrote to memory of 1216 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_71667115618f013078b800d9ae1cfd05_cobalt-strike_cobaltstrike.exe C:\Windows\System\tojrtXD.exe
PID 4988 wrote to memory of 4220 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_71667115618f013078b800d9ae1cfd05_cobalt-strike_cobaltstrike.exe C:\Windows\System\FeWeEof.exe
PID 4988 wrote to memory of 4220 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_71667115618f013078b800d9ae1cfd05_cobalt-strike_cobaltstrike.exe C:\Windows\System\FeWeEof.exe
PID 4988 wrote to memory of 4940 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_71667115618f013078b800d9ae1cfd05_cobalt-strike_cobaltstrike.exe C:\Windows\System\VbmQMKJ.exe
PID 4988 wrote to memory of 4940 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_71667115618f013078b800d9ae1cfd05_cobalt-strike_cobaltstrike.exe C:\Windows\System\VbmQMKJ.exe
PID 4988 wrote to memory of 704 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_71667115618f013078b800d9ae1cfd05_cobalt-strike_cobaltstrike.exe C:\Windows\System\JDjYznP.exe
PID 4988 wrote to memory of 704 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_71667115618f013078b800d9ae1cfd05_cobalt-strike_cobaltstrike.exe C:\Windows\System\JDjYznP.exe
PID 4988 wrote to memory of 4708 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_71667115618f013078b800d9ae1cfd05_cobalt-strike_cobaltstrike.exe C:\Windows\System\AQlUctw.exe
PID 4988 wrote to memory of 4708 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_71667115618f013078b800d9ae1cfd05_cobalt-strike_cobaltstrike.exe C:\Windows\System\AQlUctw.exe
PID 4988 wrote to memory of 3900 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_71667115618f013078b800d9ae1cfd05_cobalt-strike_cobaltstrike.exe C:\Windows\System\jkxresb.exe
PID 4988 wrote to memory of 3900 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_71667115618f013078b800d9ae1cfd05_cobalt-strike_cobaltstrike.exe C:\Windows\System\jkxresb.exe
PID 4988 wrote to memory of 5008 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_71667115618f013078b800d9ae1cfd05_cobalt-strike_cobaltstrike.exe C:\Windows\System\uVPyjjI.exe
PID 4988 wrote to memory of 5008 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_71667115618f013078b800d9ae1cfd05_cobalt-strike_cobaltstrike.exe C:\Windows\System\uVPyjjI.exe
PID 4988 wrote to memory of 4812 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_71667115618f013078b800d9ae1cfd05_cobalt-strike_cobaltstrike.exe C:\Windows\System\zDhKJmd.exe
PID 4988 wrote to memory of 4812 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_71667115618f013078b800d9ae1cfd05_cobalt-strike_cobaltstrike.exe C:\Windows\System\zDhKJmd.exe
PID 4988 wrote to memory of 1296 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_71667115618f013078b800d9ae1cfd05_cobalt-strike_cobaltstrike.exe C:\Windows\System\rXvTUOR.exe
PID 4988 wrote to memory of 1296 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_71667115618f013078b800d9ae1cfd05_cobalt-strike_cobaltstrike.exe C:\Windows\System\rXvTUOR.exe
PID 4988 wrote to memory of 4536 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_71667115618f013078b800d9ae1cfd05_cobalt-strike_cobaltstrike.exe C:\Windows\System\AwfHkiA.exe
PID 4988 wrote to memory of 4536 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_71667115618f013078b800d9ae1cfd05_cobalt-strike_cobaltstrike.exe C:\Windows\System\AwfHkiA.exe
PID 4988 wrote to memory of 1516 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_71667115618f013078b800d9ae1cfd05_cobalt-strike_cobaltstrike.exe C:\Windows\System\fKtEpVO.exe
PID 4988 wrote to memory of 1516 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_71667115618f013078b800d9ae1cfd05_cobalt-strike_cobaltstrike.exe C:\Windows\System\fKtEpVO.exe
PID 4988 wrote to memory of 3280 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_71667115618f013078b800d9ae1cfd05_cobalt-strike_cobaltstrike.exe C:\Windows\System\qDJwbWw.exe
PID 4988 wrote to memory of 3280 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_71667115618f013078b800d9ae1cfd05_cobalt-strike_cobaltstrike.exe C:\Windows\System\qDJwbWw.exe
PID 4988 wrote to memory of 4352 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_71667115618f013078b800d9ae1cfd05_cobalt-strike_cobaltstrike.exe C:\Windows\System\bKAwCZl.exe
PID 4988 wrote to memory of 4352 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_71667115618f013078b800d9ae1cfd05_cobalt-strike_cobaltstrike.exe C:\Windows\System\bKAwCZl.exe
PID 4988 wrote to memory of 4628 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_71667115618f013078b800d9ae1cfd05_cobalt-strike_cobaltstrike.exe C:\Windows\System\bKziTKQ.exe
PID 4988 wrote to memory of 4628 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_71667115618f013078b800d9ae1cfd05_cobalt-strike_cobaltstrike.exe C:\Windows\System\bKziTKQ.exe
PID 4988 wrote to memory of 2644 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_71667115618f013078b800d9ae1cfd05_cobalt-strike_cobaltstrike.exe C:\Windows\System\QAbeXut.exe
PID 4988 wrote to memory of 2644 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_71667115618f013078b800d9ae1cfd05_cobalt-strike_cobaltstrike.exe C:\Windows\System\QAbeXut.exe
PID 4988 wrote to memory of 440 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_71667115618f013078b800d9ae1cfd05_cobalt-strike_cobaltstrike.exe C:\Windows\System\ESbYbbW.exe
PID 4988 wrote to memory of 440 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_71667115618f013078b800d9ae1cfd05_cobalt-strike_cobaltstrike.exe C:\Windows\System\ESbYbbW.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-05-30_71667115618f013078b800d9ae1cfd05_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-05-30_71667115618f013078b800d9ae1cfd05_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\qaNhIpX.exe

C:\Windows\System\qaNhIpX.exe

C:\Windows\System\NujhpZW.exe

C:\Windows\System\NujhpZW.exe

C:\Windows\System\nmMYMqD.exe

C:\Windows\System\nmMYMqD.exe

C:\Windows\System\FGvFrih.exe

C:\Windows\System\FGvFrih.exe

C:\Windows\System\PfEJrfK.exe

C:\Windows\System\PfEJrfK.exe

C:\Windows\System\tojrtXD.exe

C:\Windows\System\tojrtXD.exe

C:\Windows\System\FeWeEof.exe

C:\Windows\System\FeWeEof.exe

C:\Windows\System\VbmQMKJ.exe

C:\Windows\System\VbmQMKJ.exe

C:\Windows\System\JDjYznP.exe

C:\Windows\System\JDjYznP.exe

C:\Windows\System\AQlUctw.exe

C:\Windows\System\AQlUctw.exe

C:\Windows\System\jkxresb.exe

C:\Windows\System\jkxresb.exe

C:\Windows\System\uVPyjjI.exe

C:\Windows\System\uVPyjjI.exe

C:\Windows\System\zDhKJmd.exe

C:\Windows\System\zDhKJmd.exe

C:\Windows\System\rXvTUOR.exe

C:\Windows\System\rXvTUOR.exe

C:\Windows\System\AwfHkiA.exe

C:\Windows\System\AwfHkiA.exe

C:\Windows\System\fKtEpVO.exe

C:\Windows\System\fKtEpVO.exe

C:\Windows\System\qDJwbWw.exe

C:\Windows\System\qDJwbWw.exe

C:\Windows\System\bKAwCZl.exe

C:\Windows\System\bKAwCZl.exe

C:\Windows\System\bKziTKQ.exe

C:\Windows\System\bKziTKQ.exe

C:\Windows\System\QAbeXut.exe

C:\Windows\System\QAbeXut.exe

C:\Windows\System\ESbYbbW.exe

C:\Windows\System\ESbYbbW.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 98.251.17.2.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
NL 23.62.61.155:443 www.bing.com tcp
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 155.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp

Files

C:\Windows\System\qaNhIpX.exe

MD5 58fc977d61f8005c04eb7ab4f74ff984
SHA1 ab2ee01e23593efe3410f9ddb6b072c35b8cf00a
SHA256 69e8d887de1019eb76334e7885ed5c03d1f1e2a244e24b29c30ec0672dd82ef6
SHA512 30ebdcfaaa475030dd8f3b48f6370119ec49f6a56ef3604f05564312bd4289d867cda2c076bb300fa3cd8022eb12bafadde17d94bd3000848facedbde9fcec43

C:\Windows\System\nmMYMqD.exe

MD5 9bfb4af410379f65ad8f44abd7a22df7
SHA1 8647dc21ac906f10d3d563d8e089284869b31b09
SHA256 82380874bcea64d8f7f308ec0c8bb992b03c09a0928806cb31970f46d2aade93
SHA512 e2261ff37ef48f3c9f4680e8b6cafb01446e8b5e15acfdede37215a9fcf010d6ab9e14029a1712ac54963ca9f878aedf9020d287ef62528ec42671c471e05505

C:\Windows\System\NujhpZW.exe

MD5 0258e2728b68c35b9f3ab3c2bacd4dd7
SHA1 a7e43176403ff582587bf931cd60fc683332296e
SHA256 4e3f46c6b5fd707e9dd77408f151e2604f2d748a26aa1fca0c2adb09128bbaea
SHA512 abf34e03ea145ff078b2f5d3bf5c1d4e377f26463f9b45bd8306fc188479a8e291f39a4121bace7a4298149ebb97a19a1e122f8276f95735c425ebfd4e16d3b0

C:\Windows\System\FGvFrih.exe

MD5 1e26c8a222dcbe3cddbf5aa39e183dbd
SHA1 9591b4ddc0c086d2c79f61a28298d84ce4cc4e8a
SHA256 eb7c18190e7a7f6d91d548f3b95d2dc2db26707508862170b2cf3e412c94fe90
SHA512 e8f4d275920f3f95e8096bf90c3be18251647dba9543201480b231a03ab606236fd047f73b1b3452fade73bbfc5c0d6c616b62c788c00f8f598a7e4d319637bb

C:\Windows\System\tojrtXD.exe

MD5 bbec9b8f1dcbd38dae46de5ad594bbb3
SHA1 f1f87877a8338198332bb911eb16a04b5165ada4
SHA256 c35117237642ac365b54637de5affd83e0869e1dda332167a9b84e9dfc4bb59d
SHA512 a5d25137de42cca8d16697fd31af207f3ec942a3a9ba56844cb4db441e3c5c6f89b4c732596af401c3e4427ce64ca9482131f40e982a5b3a1c4f8d17bc5b0a01

C:\Windows\System\PfEJrfK.exe

MD5 4fe866ebda96c9ae26a1c479b04b6def
SHA1 5c1c184ba8174304d6c0919884379dd552400268
SHA256 13ca563d1ab50a02abfb763fa3e8b8732487ff2a2031c715f21823c173e0b0d5
SHA512 d24218612bc10f0a6a148bfdfafe008ae81f31875608050023702d54ce1f85800783fdb8a9575b7404aa8578fc2d77f20eb644f86fed1ca422dfe5ab22f5da6e

C:\Windows\System\VbmQMKJ.exe

MD5 95a308ab20a66b5a96fd6e0d55d8e9a5
SHA1 e58381e2c9579036477c33dde547b1fc4c96ddcf
SHA256 048b0866bbfa17e7ce6136fb40483184ee792f42fbfa602b9fcf82ab2105ea7a
SHA512 60c5e459dfa0a8af9463fe441acc2d957c97394695f639141d4f8437d298f23a37d63bf76c9ab310a15d0924eb06f48249d01e254dcf91dc09a968d8bcfd24d9

C:\Windows\System\zDhKJmd.exe

MD5 92cd4934dad4432705e0da1882fcba7c
SHA1 67eb80a67a75aeee56e074769827e250ad1939c6
SHA256 eab2be7d7ed164d3f42922a95e132c4f19fdd7156c63ce7383cfe35dc24b3c31
SHA512 b7bf40254df9c1789f6cdb8f3487ec60bca3cbaff322acd86e753a1dde7b54e1fa392d6851b2d5677f1e0d8e5d821e2834b164ee357f6edd9f3880e5e26eb0d7

C:\Windows\System\fKtEpVO.exe

MD5 e31d242b0c1b96e5ad8ab98874cfa306
SHA1 bafac5665e09ddee4a86a6f71aee2a58d5172a99
SHA256 19bdf0f02beef0e635c78a40b3fa21df927e44a03d43809cadd72265a348c39f
SHA512 c466a3f612e13f09c23b7f37497cc17414f60b367b71850e79b9f7f9ad341417e0774f78f979d3c4545ba16c9afeb01017d44221769a50e3a9a9e84117b2f287

C:\Windows\System\bKziTKQ.exe

MD5 77181b69fa2154c95cc215174d4b3f88
SHA1 6eb3ab7071542c37bbfa0599307ff1aa0909d2ab
SHA256 a8327b82f3944a032270b7cf746123a444e468c563efa0a0f1b975ded459cf0d
SHA512 21f8b20feb3ca17afb945bc1c34fc1db643d1fc7755e4272331e8b05418ac15b36f9f6f02b741e24820334c893085a479794d782179d3514abb2d1d4bd098600

C:\Windows\System\bKAwCZl.exe

MD5 6154e8a300e1a3ab0a5eab50da99b3c5
SHA1 e3b16074a8f1d0dcd93f199d7f15bbc9a330e213
SHA256 3940fa23fdd9bfa79cdb93a43c21960fdbb0a0895d701a31855985cab2f41e55
SHA512 51ad8b53e6b39af429da2a2589b901847fa0f8d9485b4ed0aa2bf5e875a6e6f19dbc5b19a05d956b2e9785dee9aa486a3c6cadc5a1ee7667051ee431978e1e59

C:\Windows\System\AwfHkiA.exe

MD5 3ceef367c3a86981d5032eb71944ec4c
SHA1 1024125a703535e0c390ea6f57e286c957ba3c82
SHA256 f18d5387fcbb3a7dd44a0e35b7d1130bf4cac58ebd7129fb6679a6ae4b966844
SHA512 27744e230806b8e26a7d9d92337cd32ab22be5b2dd77a3c2998743860bec842e17342a633639dcb7ec58e167a2251a5f0d5338212a1d6fab8418f60bbed51560

C:\Windows\System\qDJwbWw.exe

MD5 d8a04f6642a93fe058707de5fc49af4d
SHA1 ad9f87c495254e9a1bf376c084b2ce1e2456545d
SHA256 871295d9b9e3c7be56b15b37af81af27f8b4276fcbbedaf48f94d497a1b8150b
SHA512 e43ee56a197bdba890796b92ceb52e7fd764de6bda571d84767519e8547be5b7e0ff8e502b6dfc86c203336c8c316ae1cce88b7f690a51f5a6443deed8e33231

C:\Windows\System\uVPyjjI.exe

MD5 e3402a5b68735880a66269438781612f
SHA1 23bdadc6c3f5b9b150e0970ce679829c66de21b6
SHA256 91807182cabf2ce06a5e5189f78b64b335a2964ff8a83b9347f708d65621004e
SHA512 120319024d27ca89f3469264619644e50cc6a849c104d109caeaa5b7a134c2b1dd255531e5d5e2f7f4c5f47aea4ee93dc4cd70f9e4345360119056e087065650

C:\Windows\System\rXvTUOR.exe

MD5 08aae75a6ca92183ddd26a718b8aa7f7
SHA1 1e4320a4e4b2beb7c8e846bc90665b1a474d895b
SHA256 767aa4a9733b7c020632a9d489e3e3a395ba00a5d3a8bc934b950751f4e100b9
SHA512 b60b8276acb02f3a4feed0d0a6eb15239aa44b1c90b2a40601c5feb990374e25b11848dd81beb977056fe05acfe67bb133ac5c7acccdcf0938ab97dd3248e4fb

C:\Windows\System\jkxresb.exe

MD5 fca9572d77c76695a637c959f95cd00c
SHA1 99d755fa50d806112d94a017671ead6111a1bc09
SHA256 15c5449df5614980f132d688b45bc329194c4746fa28cdb8acdcc45aeb50ae3e
SHA512 25cbb1a60e3382d95355498c2951da549399da2f7c5f68facd66332247c69e950507d7571c7a1bef24e4ac0257f4c3cad16e107b5def6c0c3593cc788e3de132

C:\Windows\System\AQlUctw.exe

MD5 3369fa81f1170dd435dde9c3a931374b
SHA1 a3dac950494cd1048333944e3fefaaedd7f9b897
SHA256 bbec17fc6047cb593eed0604aba90d076778783f1b724ca5094083a19c2075da
SHA512 f3d11bbd5f5fcb7d21a5a50d69e2ad27df8959428c7826dc0683366acad02f5e0a1d1b5fd9148719272236acb179454a4cbf9e98d8f67c02ad4c34460d0bf39b

C:\Windows\System\JDjYznP.exe

MD5 734f05b73c736221a31a3a698d8f2c1b
SHA1 b0dc8685fd39a37d18ba1e897760d8ce1aa1f0e6
SHA256 a097f987fb2de47a77b1f4f721fc2a5e495c2b26044325bb38e6d057fd76f09b
SHA512 90d6b46f0e036fb2bf862bf653378a4b423b8eb061bec734a23685d65f53a891338d144bfae0745f24d5cf0895f28f4d336bf21452007036b7a7e9c918e80c9a

C:\Windows\System\FeWeEof.exe

MD5 117f167fb3030d96c2a1a39c9f64b3a7
SHA1 b5f0760069d343393d9aeced25b67445bf781c67
SHA256 5fd09d1995c409a291e6deb5c4f765864c97ae377164e8df97f1d967d88838de
SHA512 413cfb70e098f72897963c20edd5c5fd04d2afa2b10e1665e748fbee4d3dfb34e80fc73ecd781db1c5d37dcba573f3d5ae3f03b75d605c997e85961a351466fd

C:\Windows\System\ESbYbbW.exe

MD5 242db20e8094aae4e7c7a279631eaf42
SHA1 897d314bc8ff71ba660ad18a1dc4fc047a409725
SHA256 98ff86ca035231e1ee48686d7c91fe3586b760d814108dbfb25f16c6e0a6fbc8
SHA512 989a3dde1aca2ce7d0bec0ad17ac29b1d8f9a91e810228d4d1c01be3cbe42c7b0c96344d0a879e936f219c5e94b6e12986fab9d4281510cd8919b8fceb088659

C:\Windows\System\QAbeXut.exe

MD5 f13f8d34e27df501d4228987ef78fbd2
SHA1 9e058db8f9e4275db2a2452eb3ad60ae9a4f39f8
SHA256 cfeb20483ef8dfed3edf2b8dd33ffeac21a7ef05014fd85846d175caf5e6c780
SHA512 de0a40ef6ed5bd040a45f7cda29b8675865d0db3399b256c9459d6940d13aab107de2925ae6bf977fdf3367e2e9b1408dc58d856f2552d24618354a0f3a4c08d
