Malware Analysis Report

2025-03-15 08:11

Sample ID 240529-1r37ssca36
Target 2024-05-29_4ed14aa33be29e505773e2372d9ccd80_cobalt-strike_cobaltstrike
SHA256 19bbbabaca818038443d32fd552ce2d3f523fd9cae3c8d06606e679b40843301
Tags
upx 0 miner cobaltstrike xmrig backdoor trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

19bbbabaca818038443d32fd552ce2d3f523fd9cae3c8d06606e679b40843301

Threat Level: Known bad

The file 2024-05-29_4ed14aa33be29e505773e2372d9ccd80_cobalt-strike_cobaltstrike was found to be: Known bad.

Malicious Activity Summary

upx 0 miner cobaltstrike xmrig backdoor trojan

Cobalt Strike reflective loader

Cobaltstrike family

UPX dump on OEP (original entry point)

xmrig

Xmrig family

XMRig Miner payload

Cobaltstrike

Detects Reflective DLL injection artifacts

UPX dump on OEP (original entry point)

Detects Reflective DLL injection artifacts

XMRig Miner payload

Loads dropped DLL

Executes dropped EXE

UPX packed file

Drops file in Windows directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-05-29 21:53

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike family

cobaltstrike

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Xmrig family

xmrig

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-29 21:53

Reported

2024-05-29 21:56

Platform

win7-20240221-en

Max time kernel

142s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-05-29_4ed14aa33be29e505773e2372d9ccd80_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-29_4ed14aa33be29e505773e2372d9ccd80_cobalt-strike_cobaltstrike.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-29_4ed14aa33be29e505773e2372d9ccd80_cobalt-strike_cobaltstrike.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-29_4ed14aa33be29e505773e2372d9ccd80_cobalt-strike_cobaltstrike.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-29_4ed14aa33be29e505773e2372d9ccd80_cobalt-strike_cobaltstrike.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-29_4ed14aa33be29e505773e2372d9ccd80_cobalt-strike_cobaltstrike.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-29_4ed14aa33be29e505773e2372d9ccd80_cobalt-strike_cobaltstrike.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-29_4ed14aa33be29e505773e2372d9ccd80_cobalt-strike_cobaltstrike.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-29_4ed14aa33be29e505773e2372d9ccd80_cobalt-strike_cobaltstrike.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-29_4ed14aa33be29e505773e2372d9ccd80_cobalt-strike_cobaltstrike.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-29_4ed14aa33be29e505773e2372d9ccd80_cobalt-strike_cobaltstrike.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-29_4ed14aa33be29e505773e2372d9ccd80_cobalt-strike_cobaltstrike.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-29_4ed14aa33be29e505773e2372d9ccd80_cobalt-strike_cobaltstrike.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-29_4ed14aa33be29e505773e2372d9ccd80_cobalt-strike_cobaltstrike.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-29_4ed14aa33be29e505773e2372d9ccd80_cobalt-strike_cobaltstrike.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-29_4ed14aa33be29e505773e2372d9ccd80_cobalt-strike_cobaltstrike.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-29_4ed14aa33be29e505773e2372d9ccd80_cobalt-strike_cobaltstrike.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-29_4ed14aa33be29e505773e2372d9ccd80_cobalt-strike_cobaltstrike.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-29_4ed14aa33be29e505773e2372d9ccd80_cobalt-strike_cobaltstrike.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-29_4ed14aa33be29e505773e2372d9ccd80_cobalt-strike_cobaltstrike.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-29_4ed14aa33be29e505773e2372d9ccd80_cobalt-strike_cobaltstrike.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-29_4ed14aa33be29e505773e2372d9ccd80_cobalt-strike_cobaltstrike.exe | N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\System\DxgvBxl.exe | C:\Users\Admin\AppData\Local\Temp\2024-05-29_4ed14aa33be29e505773e2372d9ccd80_cobalt-strike_cobaltstrike.exe | N/A
File created | C:\Windows\System\NGgsJJD.exe | C:\Users\Admin\AppData\Local\Temp\2024-05-29_4ed14aa33be29e505773e2372d9ccd80_cobalt-strike_cobaltstrike.exe | N/A
File created | C:\Windows\System\LynZrPp.exe | C:\Users\Admin\AppData\Local\Temp\2024-05-29_4ed14aa33be29e505773e2372d9ccd80_cobalt-strike_cobaltstrike.exe | N/A
File created | C:\Windows\System\AmdsSOQ.exe | C:\Users\Admin\AppData\Local\Temp\2024-05-29_4ed14aa33be29e505773e2372d9ccd80_cobalt-strike_cobaltstrike.exe | N/A
File created | C:\Windows\System\aaMaadW.exe | C:\Users\Admin\AppData\Local\Temp\2024-05-29_4ed14aa33be29e505773e2372d9ccd80_cobalt-strike_cobaltstrike.exe | N/A
File created | C:\Windows\System\LHOcPDx.exe | C:\Users\Admin\AppData\Local\Temp\2024-05-29_4ed14aa33be29e505773e2372d9ccd80_cobalt-strike_cobaltstrike.exe | N/A
File created | C:\Windows\System\dcZdrnX.exe | C:\Users\Admin\AppData\Local\Temp\2024-05-29_4ed14aa33be29e505773e2372d9ccd80_cobalt-strike_cobaltstrike.exe | N/A
File created | C:\Windows\System\LAkoLNa.exe | C:\Users\Admin\AppData\Local\Temp\2024-05-29_4ed14aa33be29e505773e2372d9ccd80_cobalt-strike_cobaltstrike.exe | N/A
File created | C:\Windows\System\lbMMGca.exe | C:\Users\Admin\AppData\Local\Temp\2024-05-29_4ed14aa33be29e505773e2372d9ccd80_cobalt-strike_cobaltstrike.exe | N/A
File created | C:\Windows\System\WuatAju.exe | C:\Users\Admin\AppData\Local\Temp\2024-05-29_4ed14aa33be29e505773e2372d9ccd80_cobalt-strike_cobaltstrike.exe | N/A
File created | C:\Windows\System\utphlxh.exe | C:\Users\Admin\AppData\Local\Temp\2024-05-29_4ed14aa33be29e505773e2372d9ccd80_cobalt-strike_cobaltstrike.exe | N/A
File created | C:\Windows\System\LislqQR.exe | C:\Users\Admin\AppData\Local\Temp\2024-05-29_4ed14aa33be29e505773e2372d9ccd80_cobalt-strike_cobaltstrike.exe | N/A
File created | C:\Windows\System\sKCOsQq.exe | C:\Users\Admin\AppData\Local\Temp\2024-05-29_4ed14aa33be29e505773e2372d9ccd80_cobalt-strike_cobaltstrike.exe | N/A
File created | C:\Windows\System\LzseMhO.exe | C:\Users\Admin\AppData\Local\Temp\2024-05-29_4ed14aa33be29e505773e2372d9ccd80_cobalt-strike_cobaltstrike.exe | N/A
File created | C:\Windows\System\pcPMPfo.exe | C:\Users\Admin\AppData\Local\Temp\2024-05-29_4ed14aa33be29e505773e2372d9ccd80_cobalt-strike_cobaltstrike.exe | N/A
File created | C:\Windows\System\rAIqXsj.exe | C:\Users\Admin\AppData\Local\Temp\2024-05-29_4ed14aa33be29e505773e2372d9ccd80_cobalt-strike_cobaltstrike.exe | N/A
File created | C:\Windows\System\mixpxmv.exe | C:\Users\Admin\AppData\Local\Temp\2024-05-29_4ed14aa33be29e505773e2372d9ccd80_cobalt-strike_cobaltstrike.exe | N/A
File created | C:\Windows\System\ZyApJlx.exe | C:\Users\Admin\AppData\Local\Temp\2024-05-29_4ed14aa33be29e505773e2372d9ccd80_cobalt-strike_cobaltstrike.exe | N/A
File created | C:\Windows\System\IyDCpQn.exe | C:\Users\Admin\AppData\Local\Temp\2024-05-29_4ed14aa33be29e505773e2372d9ccd80_cobalt-strike_cobaltstrike.exe | N/A
File created | C:\Windows\System\SpEdBNy.exe | C:\Users\Admin\AppData\Local\Temp\2024-05-29_4ed14aa33be29e505773e2372d9ccd80_cobalt-strike_cobaltstrike.exe | N/A
File created | C:\Windows\System\emtJVnX.exe | C:\Users\Admin\AppData\Local\Temp\2024-05-29_4ed14aa33be29e505773e2372d9ccd80_cobalt-strike_cobaltstrike.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-29_4ed14aa33be29e505773e2372d9ccd80_cobalt-strike_cobaltstrike.exe | N/A
Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-29_4ed14aa33be29e505773e2372d9ccd80_cobalt-strike_cobaltstrike.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2020 wrote to memory of 1540 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-29_4ed14aa33be29e505773e2372d9ccd80_cobalt-strike_cobaltstrike.exe | C:\Windows\System\dcZdrnX.exe
PID 2020 wrote to memory of 1540 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-29_4ed14aa33be29e505773e2372d9ccd80_cobalt-strike_cobaltstrike.exe | C:\Windows\System\dcZdrnX.exe
PID 2020 wrote to memory of 1540 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-29_4ed14aa33be29e505773e2372d9ccd80_cobalt-strike_cobaltstrike.exe | C:\Windows\System\dcZdrnX.exe
PID 2020 wrote to memory of 2492 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-29_4ed14aa33be29e505773e2372d9ccd80_cobalt-strike_cobaltstrike.exe | C:\Windows\System\LAkoLNa.exe
PID 2020 wrote to memory of 2492 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-29_4ed14aa33be29e505773e2372d9ccd80_cobalt-strike_cobaltstrike.exe | C:\Windows\System\LAkoLNa.exe
PID 2020 wrote to memory of 2492 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-29_4ed14aa33be29e505773e2372d9ccd80_cobalt-strike_cobaltstrike.exe | C:\Windows\System\LAkoLNa.exe
PID 2020 wrote to memory of 2968 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-29_4ed14aa33be29e505773e2372d9ccd80_cobalt-strike_cobaltstrike.exe | C:\Windows\System\sKCOsQq.exe
PID 2020 wrote to memory of 2968 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-29_4ed14aa33be29e505773e2372d9ccd80_cobalt-strike_cobaltstrike.exe | C:\Windows\System\sKCOsQq.exe
PID 2020 wrote to memory of 2968 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-29_4ed14aa33be29e505773e2372d9ccd80_cobalt-strike_cobaltstrike.exe | C:\Windows\System\sKCOsQq.exe
PID 2020 wrote to memory of 2632 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-29_4ed14aa33be29e505773e2372d9ccd80_cobalt-strike_cobaltstrike.exe | C:\Windows\System\DxgvBxl.exe
PID 2020 wrote to memory of 2632 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-29_4ed14aa33be29e505773e2372d9ccd80_cobalt-strike_cobaltstrike.exe | C:\Windows\System\DxgvBxl.exe
PID 2020 wrote to memory of 2632 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-29_4ed14aa33be29e505773e2372d9ccd80_cobalt-strike_cobaltstrike.exe | C:\Windows\System\DxgvBxl.exe
PID 2020 wrote to memory of 2556 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-29_4ed14aa33be29e505773e2372d9ccd80_cobalt-strike_cobaltstrike.exe | C:\Windows\System\LzseMhO.exe
PID 2020 wrote to memory of 2556 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-29_4ed14aa33be29e505773e2372d9ccd80_cobalt-strike_cobaltstrike.exe | C:\Windows\System\LzseMhO.exe
PID 2020 wrote to memory of 2556 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-29_4ed14aa33be29e505773e2372d9ccd80_cobalt-strike_cobaltstrike.exe | C:\Windows\System\LzseMhO.exe
PID 2020 wrote to memory of 2532 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-29_4ed14aa33be29e505773e2372d9ccd80_cobalt-strike_cobaltstrike.exe | C:\Windows\System\ZyApJlx.exe
PID 2020 wrote to memory of 2532 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-29_4ed14aa33be29e505773e2372d9ccd80_cobalt-strike_cobaltstrike.exe | C:\Windows\System\ZyApJlx.exe
PID 2020 wrote to memory of 2532 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-29_4ed14aa33be29e505773e2372d9ccd80_cobalt-strike_cobaltstrike.exe | C:\Windows\System\ZyApJlx.exe
PID 2020 wrote to memory of 2716 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-29_4ed14aa33be29e505773e2372d9ccd80_cobalt-strike_cobaltstrike.exe | C:\Windows\System\IyDCpQn.exe
PID 2020 wrote to memory of 2716 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-29_4ed14aa33be29e505773e2372d9ccd80_cobalt-strike_cobaltstrike.exe | C:\Windows\System\IyDCpQn.exe
PID 2020 wrote to memory of 2716 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-29_4ed14aa33be29e505773e2372d9ccd80_cobalt-strike_cobaltstrike.exe | C:\Windows\System\IyDCpQn.exe
PID 2020 wrote to memory of 2536 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-29_4ed14aa33be29e505773e2372d9ccd80_cobalt-strike_cobaltstrike.exe | C:\Windows\System\NGgsJJD.exe
PID 2020 wrote to memory of 2536 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-29_4ed14aa33be29e505773e2372d9ccd80_cobalt-strike_cobaltstrike.exe | C:\Windows\System\NGgsJJD.exe
PID 2020 wrote to memory of 2536 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-29_4ed14aa33be29e505773e2372d9ccd80_cobalt-strike_cobaltstrike.exe | C:\Windows\System\NGgsJJD.exe
PID 2020 wrote to memory of 2448 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-29_4ed14aa33be29e505773e2372d9ccd80_cobalt-strike_cobaltstrike.exe | C:\Windows\System\pcPMPfo.exe
PID 2020 wrote to memory of 2448 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-29_4ed14aa33be29e505773e2372d9ccd80_cobalt-strike_cobaltstrike.exe | C:\Windows\System\pcPMPfo.exe
PID 2020 wrote to memory of 2448 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-29_4ed14aa33be29e505773e2372d9ccd80_cobalt-strike_cobaltstrike.exe | C:\Windows\System\pcPMPfo.exe
PID 2020 wrote to memory of 2396 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-29_4ed14aa33be29e505773e2372d9ccd80_cobalt-strike_cobaltstrike.exe | C:\Windows\System\lbMMGca.exe
PID 2020 wrote to memory of 2396 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-29_4ed14aa33be29e505773e2372d9ccd80_cobalt-strike_cobaltstrike.exe | C:\Windows\System\lbMMGca.exe
PID 2020 wrote to memory of 2396 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-29_4ed14aa33be29e505773e2372d9ccd80_cobalt-strike_cobaltstrike.exe | C:\Windows\System\lbMMGca.exe
PID 2020 wrote to memory of 2472 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-29_4ed14aa33be29e505773e2372d9ccd80_cobalt-strike_cobaltstrike.exe | C:\Windows\System\WuatAju.exe
PID 2020 wrote to memory of 2472 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-29_4ed14aa33be29e505773e2372d9ccd80_cobalt-strike_cobaltstrike.exe | C:\Windows\System\WuatAju.exe
PID 2020 wrote to memory of 2472 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-29_4ed14aa33be29e505773e2372d9ccd80_cobalt-strike_cobaltstrike.exe | C:\Windows\System\WuatAju.exe
PID 2020 wrote to memory of 2872 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-29_4ed14aa33be29e505773e2372d9ccd80_cobalt-strike_cobaltstrike.exe | C:\Windows\System\LynZrPp.exe
PID 2020 wrote to memory of 2872 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-29_4ed14aa33be29e505773e2372d9ccd80_cobalt-strike_cobaltstrike.exe | C:\Windows\System\LynZrPp.exe
PID 2020 wrote to memory of 2872 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-29_4ed14aa33be29e505773e2372d9ccd80_cobalt-strike_cobaltstrike.exe | C:\Windows\System\LynZrPp.exe
PID 2020 wrote to memory of 2068 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-29_4ed14aa33be29e505773e2372d9ccd80_cobalt-strike_cobaltstrike.exe | C:\Windows\System\AmdsSOQ.exe
PID 2020 wrote to memory of 2068 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-29_4ed14aa33be29e505773e2372d9ccd80_cobalt-strike_cobaltstrike.exe | C:\Windows\System\AmdsSOQ.exe
PID 2020 wrote to memory of 2068 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-29_4ed14aa33be29e505773e2372d9ccd80_cobalt-strike_cobaltstrike.exe | C:\Windows\System\AmdsSOQ.exe
PID 2020 wrote to memory of 2016 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-29_4ed14aa33be29e505773e2372d9ccd80_cobalt-strike_cobaltstrike.exe | C:\Windows\System\SpEdBNy.exe
PID 2020 wrote to memory of 2016 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-29_4ed14aa33be29e505773e2372d9ccd80_cobalt-strike_cobaltstrike.exe | C:\Windows\System\SpEdBNy.exe
PID 2020 wrote to memory of 2016 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-29_4ed14aa33be29e505773e2372d9ccd80_cobalt-strike_cobaltstrike.exe | C:\Windows\System\SpEdBNy.exe
PID 2020 wrote to memory of 1688 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-29_4ed14aa33be29e505773e2372d9ccd80_cobalt-strike_cobaltstrike.exe | C:\Windows\System\aaMaadW.exe
PID 2020 wrote to memory of 1688 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-29_4ed14aa33be29e505773e2372d9ccd80_cobalt-strike_cobaltstrike.exe | C:\Windows\System\aaMaadW.exe
PID 2020 wrote to memory of 1688 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-29_4ed14aa33be29e505773e2372d9ccd80_cobalt-strike_cobaltstrike.exe | C:\Windows\System\aaMaadW.exe
PID 2020 wrote to memory of 944 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-29_4ed14aa33be29e505773e2372d9ccd80_cobalt-strike_cobaltstrike.exe | C:\Windows\System\rAIqXsj.exe
PID 2020 wrote to memory of 944 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-29_4ed14aa33be29e505773e2372d9ccd80_cobalt-strike_cobaltstrike.exe | C:\Windows\System\rAIqXsj.exe
PID 2020 wrote to memory of 944 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-29_4ed14aa33be29e505773e2372d9ccd80_cobalt-strike_cobaltstrike.exe | C:\Windows\System\rAIqXsj.exe
PID 2020 wrote to memory of 2696 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-29_4ed14aa33be29e505773e2372d9ccd80_cobalt-strike_cobaltstrike.exe | C:\Windows\System\utphlxh.exe
PID 2020 wrote to memory of 2696 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-29_4ed14aa33be29e505773e2372d9ccd80_cobalt-strike_cobaltstrike.exe | C:\Windows\System\utphlxh.exe
PID 2020 wrote to memory of 2696 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-29_4ed14aa33be29e505773e2372d9ccd80_cobalt-strike_cobaltstrike.exe | C:\Windows\System\utphlxh.exe
PID 2020 wrote to memory of 2488 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-29_4ed14aa33be29e505773e2372d9ccd80_cobalt-strike_cobaltstrike.exe | C:\Windows\System\LHOcPDx.exe
PID 2020 wrote to memory of 2488 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-29_4ed14aa33be29e505773e2372d9ccd80_cobalt-strike_cobaltstrike.exe | C:\Windows\System\LHOcPDx.exe
PID 2020 wrote to memory of 2488 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-29_4ed14aa33be29e505773e2372d9ccd80_cobalt-strike_cobaltstrike.exe | C:\Windows\System\LHOcPDx.exe
PID 2020 wrote to memory of 2764 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-29_4ed14aa33be29e505773e2372d9ccd80_cobalt-strike_cobaltstrike.exe | C:\Windows\System\emtJVnX.exe
PID 2020 wrote to memory of 2764 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-29_4ed14aa33be29e505773e2372d9ccd80_cobalt-strike_cobaltstrike.exe | C:\Windows\System\emtJVnX.exe
PID 2020 wrote to memory of 2764 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-29_4ed14aa33be29e505773e2372d9ccd80_cobalt-strike_cobaltstrike.exe | C:\Windows\System\emtJVnX.exe
PID 2020 wrote to memory of 1100 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-29_4ed14aa33be29e505773e2372d9ccd80_cobalt-strike_cobaltstrike.exe | C:\Windows\System\mixpxmv.exe
PID 2020 wrote to memory of 1100 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-29_4ed14aa33be29e505773e2372d9ccd80_cobalt-strike_cobaltstrike.exe | C:\Windows\System\mixpxmv.exe
PID 2020 wrote to memory of 1100 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-29_4ed14aa33be29e505773e2372d9ccd80_cobalt-strike_cobaltstrike.exe | C:\Windows\System\mixpxmv.exe
PID 2020 wrote to memory of 788 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-29_4ed14aa33be29e505773e2372d9ccd80_cobalt-strike_cobaltstrike.exe | C:\Windows\System\LislqQR.exe
PID 2020 wrote to memory of 788 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-29_4ed14aa33be29e505773e2372d9ccd80_cobalt-strike_cobaltstrike.exe | C:\Windows\System\LislqQR.exe
PID 2020 wrote to memory of 788 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-29_4ed14aa33be29e505773e2372d9ccd80_cobalt-strike_cobaltstrike.exe | C:\Windows\System\LislqQR.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-05-29_4ed14aa33be29e505773e2372d9ccd80_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-05-29_4ed14aa33be29e505773e2372d9ccd80_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\dcZdrnX.exe

C:\Windows\System\dcZdrnX.exe

C:\Windows\System\LAkoLNa.exe

C:\Windows\System\LAkoLNa.exe

C:\Windows\System\sKCOsQq.exe

C:\Windows\System\sKCOsQq.exe

C:\Windows\System\DxgvBxl.exe

C:\Windows\System\DxgvBxl.exe

C:\Windows\System\LzseMhO.exe

C:\Windows\System\LzseMhO.exe

C:\Windows\System\ZyApJlx.exe

C:\Windows\System\ZyApJlx.exe

C:\Windows\System\IyDCpQn.exe

C:\Windows\System\IyDCpQn.exe

C:\Windows\System\NGgsJJD.exe

C:\Windows\System\NGgsJJD.exe

C:\Windows\System\pcPMPfo.exe

C:\Windows\System\pcPMPfo.exe

C:\Windows\System\lbMMGca.exe

C:\Windows\System\lbMMGca.exe

C:\Windows\System\WuatAju.exe

C:\Windows\System\WuatAju.exe

C:\Windows\System\LynZrPp.exe

C:\Windows\System\LynZrPp.exe

C:\Windows\System\AmdsSOQ.exe

C:\Windows\System\AmdsSOQ.exe

C:\Windows\System\SpEdBNy.exe

C:\Windows\System\SpEdBNy.exe

C:\Windows\System\aaMaadW.exe

C:\Windows\System\aaMaadW.exe

C:\Windows\System\rAIqXsj.exe

C:\Windows\System\rAIqXsj.exe

C:\Windows\System\utphlxh.exe

C:\Windows\System\utphlxh.exe

C:\Windows\System\LHOcPDx.exe

C:\Windows\System\LHOcPDx.exe

C:\Windows\System\emtJVnX.exe

C:\Windows\System\emtJVnX.exe

C:\Windows\System\mixpxmv.exe

C:\Windows\System\mixpxmv.exe

C:\Windows\System\LislqQR.exe

C:\Windows\System\LislqQR.exe

Network

Country | Destination | Domain | Proto
DE | 3.120.209.58:8080 |  | tcp
DE | 3.120.209.58:8080 |  | tcp
DE | 3.120.209.58:8080 |  | tcp
DE | 3.120.209.58:8080 |  | tcp
DE | 3.120.209.58:8080 |  | tcp
DE | 3.120.209.58:8080 |  | tcp

Files

memory/2020-0-0x000000013FE90000-0x00000001401E1000-memory.dmp

memory/2020-1-0x0000000000300000-0x0000000000310000-memory.dmp

\Windows\system\dcZdrnX.exe

MD5 ffb6e414dadd3c8197c0b7978f2ea7bc
SHA1 93e09fc5532418dfab3b7a678f94e17e79cbe388
SHA256 f14c2345d845d4b1df6dc2baf458fa1fd40e630a2ea00b23353651d88f20fbef
SHA512 875eca41a8351d25de4b4d938d6c94f3c5e307e2625c1111e6b29924fd31bff024bf9b2cc6339dab89ca6d384a5b1ddad8bd48107894787e5f5e27653e3c5f7e

\Windows\system\LAkoLNa.exe

MD5 41ca104450ea4c38209e872307c88561
SHA1 84d0d2a25ca0a220c8ac04f72909131e5166fafb
SHA256 3ef9b087a0bbfb4d61cd948998f174404a1fe482d8b58e3a81d702c07cf60407
SHA512 210f6dbe37c43e3194a6fd53480527d92584d8b12a43d90d83c6e092bd0a25b326ab7a6618fbf3e0d72fbaccc60a2237c33627d024e5188179cc609a1eb6f5eb

C:\Windows\system\sKCOsQq.exe

MD5 3dfdc5a7e462db30d23631fdccf14864
SHA1 cc3aaf8152aa1a374202e95279f6eafc5dc8021b
SHA256 4c3ba97dea576840fb3c9eceecc0edba504d9f18b4f2458c27a404c6dd5e3cac
SHA512 274533d8e2961356746ee133262badeddb1bb4d0b5455dff42bf29e52d86b5546a473c671cf26f0a8fd50fee2337802be71adb7b84bcd6178f7aafe2c023b5a5

memory/2020-37-0x00000000021D0000-0x0000000002521000-memory.dmp

\Windows\system\IyDCpQn.exe

MD5 825a485ee547c880fb266f1e8db529d9
SHA1 82ada232c9cdf9371a69fd0562fb31827607abef
SHA256 6cee684e1a6e6116b9214a0d02c4e0cf79fe9a64f599b4002d1cc460f60e5912
SHA512 bd039d88de81dafab418b864dee856fdf84807ba00d7e3e0c3130fd7b2d5252d7d64fe28e038f29f7bbdf2f884e94b57d8bf3f19a3cf478cb9a40547ef820e16

memory/2716-45-0x000000013FA60000-0x000000013FDB1000-memory.dmp

C:\Windows\system\LzseMhO.exe

MD5 d0ee6c008a6314427d6279eb807755af
SHA1 6da7d4278152060a4007ceb03139445db71123fa
SHA256 3db1542e9d5df9a5800e923379f8f11c76bf133638dd2907023e4d29ca9849cf
SHA512 325311a0ee682009329aa9d7a341308e3ead2b9e446faba2838a7bb7b4c4ccf7d8e977a90e0aa310f17a8b42971943e32b68edf587244e3fce4653db3a1efd07

memory/2020-30-0x00000000021D0000-0x0000000002521000-memory.dmp

memory/2536-53-0x000000013FEC0000-0x0000000140211000-memory.dmp

memory/2020-60-0x000000013F160000-0x000000013F4B1000-memory.dmp

C:\Windows\system\SpEdBNy.exe

MD5 9845cf41adf3f017dbab7eb3042422c1
SHA1 fe364ebafaab03933626443271c5e0f9ee5323d2
SHA256 604f677596e99a0135c2c4d66dc33eb3d24d86d792cd5df096384d6ede8cafb9
SHA512 1a5d0341aa0544b15490e9eec41c94257e7930f13c4294d9a8f86f0864abd11517331af58608014cd62f53593b256f3f6e3bc21d6d1d7323174aa824e43cde75

C:\Windows\system\mixpxmv.exe

MD5 919a62ebe77fb56bdd6ae7978434677c
SHA1 b476ba903d9874e8be49cb3bf69d8cf1cb95ef48
SHA256 5b1aa7fcae8a38e4971383498b814e225678eba54eeaf21b05fcf22363f45530
SHA512 a5d56344b4dac06c9db975f9a9cf2dcc6ae81f7f8b36c030800aeb7b2dbcb583dc9c51e02ff6df32c702c46757743c6cc6cb043cc7d63f5ebaaea7fc6d45d9ff

memory/1688-108-0x000000013F150000-0x000000013F4A1000-memory.dmp

\Windows\system\LHOcPDx.exe

MD5 5d5ea7283175a77e7216d019eb154b2b
SHA1 e8700da9524a3e4cf718f7392fbff96eb82475fd
SHA256 f3b21c3958ce2fbfed4a40cd3f5c2f22f61bf3566086146b1ef35151ac90959e
SHA512 a5f9f57a8cf09de4ebe9036ad142f79581e8463992f9813535523767bb96a001e41b7e8775baeddb3f1302e120ef4c778d02f5632eddc1712dfb34094c2690dc

\Windows\system\rAIqXsj.exe

MD5 0d28829a77ff3f8be1d7ffb5b7d517b5
SHA1 c1ae8a1e570c06ac60b78e9fd3a9cebaf6dd273e
SHA256 413828ec3ff24f397f3e7e64db62b852d236bf660ff20a336ebfa6be162ed101
SHA512 f1f097508797bf6e86cfb2b47d525f455cc5a7a03bcbd2bdc77ebe4431dd75a96cee93b64f3453a59f7138e22ce0cecea4f0e7fccee4fbccc407c3fda48db411

C:\Windows\system\LislqQR.exe

MD5 0714a5edfdc9ee3fa1540cb669e92b34
SHA1 b7f6de57854de10ff48e9b6884a812c57193a2cd
SHA256 2735411c7d43c4eb2f53a18dcecfa6eaede97287078dd8ab0950d4b3a647477d
SHA512 4816f62365c5632785bfa5208a637654a26eb154625614413ab8851bf91f91486c3f8589412957d13d6c8ce90f8a0ceee03767fdaa185fb00ba5d216758298c8

memory/2872-114-0x000000013F650000-0x000000013F9A1000-memory.dmp

C:\Windows\system\emtJVnX.exe

MD5 e5f131fadb6d60435d05652b68547287
SHA1 3da3f397bec27e8b7fe0cdd474f31202c443aba5
SHA256 db30b9634378816a5c9b19abdc7a69cc5d0723276e3032f934230b1c7cea0039
SHA512 f20eccf3114fbb56707a1a0185844c5a3012b64e091f8806204ccccc30447dd33906de4397ffe6ab126dc0cb7e811cf7610fa9345bdb37806164f8496f744183

memory/2396-112-0x000000013F880000-0x000000013FBD1000-memory.dmp

memory/2020-78-0x000000013F880000-0x000000013FBD1000-memory.dmp

C:\Windows\system\AmdsSOQ.exe

MD5 a1add0e8fbb3d6676af6c8b6951b67aa
SHA1 64edcc71ffa5926a3aadf36d82993c481267a70b
SHA256 ef5b5df95edba5486ecdde905cd6aea11c4d947313276c86435a6985f95bfdf6
SHA512 e948d8d0938921ab38ddec39eea923abfada8803e0d392407509bfa18979535d81e2a0432d4b5093c5098bf1e399db22f687dfc9edf47460b154a072bb9f024b

\Windows\system\LynZrPp.exe

MD5 94e7f43f08ce3e46111d48d905f97936
SHA1 ccc9a29d0535a57947e68b66aee1dd8da67b82d6
SHA256 b3153d8c6dbcaab5dbfad8f7e1f5f7c8def275e8c51c5d4f5e936cce81748b0c
SHA512 87f0ec9b0110c94e27ce53f0e0902b980613593bf2a90c2b4170bb19cbdcca51d44337580bb7d86467c77b4974edbdb2a89feb98084d802e25b5fec65b0aa494

memory/2448-62-0x000000013F160000-0x000000013F4B1000-memory.dmp

\Windows\system\lbMMGca.exe

MD5 95c7e1009185f3e0e810b4b2a95345bb
SHA1 2536d4f65bbf6c6270b30401e32e98a83b0f5d2a
SHA256 2994a3800cba18431794ed75c1ff21f219ca4dcf34a99c4bb44a3f19a57b28b4
SHA512 a174554521e98b15a51699a981ae8ef55a291cf57dcf49445b3951a874def4ed7683d53a7bd2600ca3ff7ac2d7357b0657e435f2a38215adde7a271bf5a2de2b

C:\Windows\system\utphlxh.exe

MD5 769c93988a5faba80ed4baf0c90104bd
SHA1 f7ac26fab0b1c42a096e3397a29df6ffacd4f95d
SHA256 9833b242c0219d588ea1b8978b1a383b9dd051885afc0e1f03756ae1c7234389
SHA512 493479aeb60694569b33481e6ec3a9769cb7536b66e1bd18bb5e851fda3d0561865fdb988b697dd52d03ace5fa370901a7acdb44fd8b47f1833c5e67be0f0ead

C:\Windows\system\aaMaadW.exe

MD5 d8954bf97d650914265be9c018124d65
SHA1 754bc6620cc3ba55fff421964fb55826124de9de
SHA256 072f0852a10cb2b493304c4ab4b00e5a76167b742312b4bb26d1108a3348cc0e
SHA512 4cdbdc07408c88588506f41dc265d0d6ed87f4e6f64cc345399bdae7497da3d11b1d017b9b5897232bba0cd6fb5486eba14a4f4e90930ff4b308a78555c53ec8

memory/2020-91-0x000000013F760000-0x000000013FAB1000-memory.dmp

C:\Windows\system\NGgsJJD.exe

MD5 661a6d51135cbd35fd6486be7cba098a
SHA1 cc8550d718147504193885a5bc72d2b606fcfdbc
SHA256 54294b67ac0cc6635eed56f01c1c3bc0fa2af0f14b8f8b3a6450246e869e0065
SHA512 193a16fd86cbdc9399286514da458dd88a7ff948f56ec6af5335ca150e9daec3273a172b1dcad272ac6d5732506af3959f40ec635339af9571e724c51765eafc

memory/2020-88-0x000000013F0D0000-0x000000013F421000-memory.dmp

memory/2492-87-0x000000013FEC0000-0x0000000140211000-memory.dmp

memory/2068-86-0x000000013F5D0000-0x000000013F921000-memory.dmp

memory/2020-85-0x000000013F5D0000-0x000000013F921000-memory.dmp

memory/2020-84-0x000000013F650000-0x000000013F9A1000-memory.dmp

memory/2020-73-0x000000013FE90000-0x00000001401E1000-memory.dmp

C:\Windows\system\WuatAju.exe

MD5 e46828658a7feec7ec645062340b5974
SHA1 cdf81e8b22895b76dca177696dcc04a169ac76ac
SHA256 b05a86756a78c273e23a57d418a7ef83e884ca194231b0cf9aa895724c3dd36a
SHA512 67a472a0932a7ed121c5f841b4b5a6c3f93073b619551e29ed11c05e3d89ebf36cb56d71706c0df9c98f0d8cb08cf13985f76b61be9e81c05f0fe0f783c8cb0d

C:\Windows\system\pcPMPfo.exe

MD5 cbfc8d09a0ab8aa54312b32786231afd
SHA1 2f89ebd800dbe77ac227a819dc8bd9f8cbec1f4a
SHA256 2a4f44ee23085b1ef6f4d3239e817449a836d55ed64d1f68e97a60b8573e293d
SHA512 8ee0b4b4b658cc8a1e1c7a31375104864c7fb2dfe9cff0f8545890aeee3597d9f605621f91b42071289d937de45b00c50fb496eecb9fd2397e6791d8ffea3cf4

\Windows\system\ZyApJlx.exe

MD5 bc9b358c32324e8fd2445a6a0fdf23fc
SHA1 3f582b0343596519d1bd48f91cb4361667cb4844
SHA256 3454f8e132960511c8a71827bd5b7c9c7470043ebf9205bd1267987849ea0d4e
SHA512 847d0f3e7ae3bb54153190fb2f27799df6d043a43d9554809dc8b9f946790bdc9115b0e59097fbc8c91fec4695d25aae8823b739e093788360354c5115fb8da1

memory/2968-23-0x000000013F0D0000-0x000000013F421000-memory.dmp

memory/2532-48-0x000000013F520000-0x000000013F871000-memory.dmp

memory/2632-46-0x000000013FC90000-0x000000013FFE1000-memory.dmp

memory/2532-136-0x000000013F520000-0x000000013F871000-memory.dmp

memory/2632-135-0x000000013FC90000-0x000000013FFE1000-memory.dmp

memory/2020-133-0x000000013FE90000-0x00000001401E1000-memory.dmp

memory/2020-44-0x000000013FA60000-0x000000013FDB1000-memory.dmp

memory/2020-20-0x000000013F0D0000-0x000000013F421000-memory.dmp

memory/2556-43-0x000000013F580000-0x000000013F8D1000-memory.dmp

C:\Windows\system\DxgvBxl.exe

MD5 5fd0b61f1792a7d0a13a4cfe7fca4374
SHA1 7123d5f9d0e12ef12c994ef204808ab2482fde0f
SHA256 41675bb863a70a31d717107f777e45b467706a476179d1b9de51a76bfcb3365a
SHA512 2472fd8f43cdc305d673aa89697b6d39f170f9e24c5b217278e195cd4db80dab0d9cf015b819e57559e276a74f6f1b7eca1c6e9eac75a0cb6cd9a79dc3421241

memory/2020-40-0x000000013F520000-0x000000013F871000-memory.dmp

memory/2020-39-0x000000013F580000-0x000000013F8D1000-memory.dmp

memory/1540-27-0x000000013F100000-0x000000013F451000-memory.dmp

memory/2492-17-0x000000013FEC0000-0x0000000140211000-memory.dmp

memory/2472-147-0x000000013FEC0000-0x0000000140211000-memory.dmp

memory/1688-151-0x000000013F150000-0x000000013F4A1000-memory.dmp

memory/944-152-0x000000013FC70000-0x000000013FFC1000-memory.dmp

memory/2016-150-0x000000013F760000-0x000000013FAB1000-memory.dmp

memory/788-157-0x000000013FB30000-0x000000013FE81000-memory.dmp

memory/1100-156-0x000000013FEC0000-0x0000000140211000-memory.dmp

memory/2764-155-0x000000013FBE0000-0x000000013FF31000-memory.dmp

memory/2488-154-0x000000013FFE0000-0x0000000140331000-memory.dmp

memory/2696-153-0x000000013F3F0000-0x000000013F741000-memory.dmp

memory/2872-148-0x000000013F650000-0x000000013F9A1000-memory.dmp

memory/2396-146-0x000000013F880000-0x000000013FBD1000-memory.dmp

memory/2448-145-0x000000013F160000-0x000000013F4B1000-memory.dmp

memory/2536-144-0x000000013FEC0000-0x0000000140211000-memory.dmp

memory/2020-158-0x00000000021D0000-0x0000000002521000-memory.dmp

memory/2020-159-0x000000013FE90000-0x00000001401E1000-memory.dmp

memory/2020-181-0x000000013F880000-0x000000013FBD1000-memory.dmp

memory/1540-214-0x000000013F100000-0x000000013F451000-memory.dmp

memory/2968-218-0x000000013F0D0000-0x000000013F421000-memory.dmp

memory/2492-217-0x000000013FEC0000-0x0000000140211000-memory.dmp

memory/2556-220-0x000000013F580000-0x000000013F8D1000-memory.dmp

memory/2716-222-0x000000013FA60000-0x000000013FDB1000-memory.dmp

memory/2448-230-0x000000013F160000-0x000000013F4B1000-memory.dmp

memory/2068-229-0x000000013F5D0000-0x000000013F921000-memory.dmp

memory/2632-228-0x000000013FC90000-0x000000013FFE1000-memory.dmp

memory/2532-225-0x000000013F520000-0x000000013F871000-memory.dmp

memory/2472-233-0x000000013FEC0000-0x0000000140211000-memory.dmp

memory/2536-234-0x000000013FEC0000-0x0000000140211000-memory.dmp

memory/1688-238-0x000000013F150000-0x000000013F4A1000-memory.dmp

memory/2872-242-0x000000013F650000-0x000000013F9A1000-memory.dmp

memory/2396-248-0x000000013F880000-0x000000013FBD1000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-29 21:53

Reported

2024-05-29 21:56

Platform

win10v2004-20240508-en

Max time kernel

147s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-05-29_4ed14aa33be29e505773e2372d9ccd80_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\nSxgCdm.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_4ed14aa33be29e505773e2372d9ccd80_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\HWWpxgU.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_4ed14aa33be29e505773e2372d9ccd80_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\oydfXNO.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_4ed14aa33be29e505773e2372d9ccd80_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\PaFyYmZ.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_4ed14aa33be29e505773e2372d9ccd80_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\kqAyAqh.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_4ed14aa33be29e505773e2372d9ccd80_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\NKMUSKR.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_4ed14aa33be29e505773e2372d9ccd80_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\hIyPTPS.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_4ed14aa33be29e505773e2372d9ccd80_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\KlZtdXJ.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_4ed14aa33be29e505773e2372d9ccd80_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\LgJdXII.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_4ed14aa33be29e505773e2372d9ccd80_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\GONqUVV.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_4ed14aa33be29e505773e2372d9ccd80_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\olsvaQO.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_4ed14aa33be29e505773e2372d9ccd80_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\yWVOWnl.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_4ed14aa33be29e505773e2372d9ccd80_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\dhQgAJV.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_4ed14aa33be29e505773e2372d9ccd80_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\bEPLJlY.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_4ed14aa33be29e505773e2372d9ccd80_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\FfDyjZg.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_4ed14aa33be29e505773e2372d9ccd80_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\XGuEQik.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_4ed14aa33be29e505773e2372d9ccd80_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\OilOVHm.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_4ed14aa33be29e505773e2372d9ccd80_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\cwsmGeS.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_4ed14aa33be29e505773e2372d9ccd80_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\XskEfEe.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_4ed14aa33be29e505773e2372d9ccd80_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\MqneBPp.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_4ed14aa33be29e505773e2372d9ccd80_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\JZgVbrE.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_4ed14aa33be29e505773e2372d9ccd80_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_4ed14aa33be29e505773e2372d9ccd80_cobalt-strike_cobaltstrike.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_4ed14aa33be29e505773e2372d9ccd80_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 60 wrote to memory of 1000 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_4ed14aa33be29e505773e2372d9ccd80_cobalt-strike_cobaltstrike.exe C:\Windows\System\NKMUSKR.exe
PID 60 wrote to memory of 1000 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_4ed14aa33be29e505773e2372d9ccd80_cobalt-strike_cobaltstrike.exe C:\Windows\System\NKMUSKR.exe
PID 60 wrote to memory of 404 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_4ed14aa33be29e505773e2372d9ccd80_cobalt-strike_cobaltstrike.exe C:\Windows\System\dhQgAJV.exe
PID 60 wrote to memory of 404 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_4ed14aa33be29e505773e2372d9ccd80_cobalt-strike_cobaltstrike.exe C:\Windows\System\dhQgAJV.exe
PID 60 wrote to memory of 3932 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_4ed14aa33be29e505773e2372d9ccd80_cobalt-strike_cobaltstrike.exe C:\Windows\System\hIyPTPS.exe
PID 60 wrote to memory of 3932 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_4ed14aa33be29e505773e2372d9ccd80_cobalt-strike_cobaltstrike.exe C:\Windows\System\hIyPTPS.exe
PID 60 wrote to memory of 2688 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_4ed14aa33be29e505773e2372d9ccd80_cobalt-strike_cobaltstrike.exe C:\Windows\System\MqneBPp.exe
PID 60 wrote to memory of 2688 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_4ed14aa33be29e505773e2372d9ccd80_cobalt-strike_cobaltstrike.exe C:\Windows\System\MqneBPp.exe
PID 60 wrote to memory of 3040 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_4ed14aa33be29e505773e2372d9ccd80_cobalt-strike_cobaltstrike.exe C:\Windows\System\bEPLJlY.exe
PID 60 wrote to memory of 3040 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_4ed14aa33be29e505773e2372d9ccd80_cobalt-strike_cobaltstrike.exe C:\Windows\System\bEPLJlY.exe
PID 60 wrote to memory of 3928 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_4ed14aa33be29e505773e2372d9ccd80_cobalt-strike_cobaltstrike.exe C:\Windows\System\FfDyjZg.exe
PID 60 wrote to memory of 3928 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_4ed14aa33be29e505773e2372d9ccd80_cobalt-strike_cobaltstrike.exe C:\Windows\System\FfDyjZg.exe
PID 60 wrote to memory of 4388 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_4ed14aa33be29e505773e2372d9ccd80_cobalt-strike_cobaltstrike.exe C:\Windows\System\KlZtdXJ.exe
PID 60 wrote to memory of 4388 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_4ed14aa33be29e505773e2372d9ccd80_cobalt-strike_cobaltstrike.exe C:\Windows\System\KlZtdXJ.exe
PID 60 wrote to memory of 3516 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_4ed14aa33be29e505773e2372d9ccd80_cobalt-strike_cobaltstrike.exe C:\Windows\System\XGuEQik.exe
PID 60 wrote to memory of 3516 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_4ed14aa33be29e505773e2372d9ccd80_cobalt-strike_cobaltstrike.exe C:\Windows\System\XGuEQik.exe
PID 60 wrote to memory of 2776 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_4ed14aa33be29e505773e2372d9ccd80_cobalt-strike_cobaltstrike.exe C:\Windows\System\nSxgCdm.exe
PID 60 wrote to memory of 2776 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_4ed14aa33be29e505773e2372d9ccd80_cobalt-strike_cobaltstrike.exe C:\Windows\System\nSxgCdm.exe
PID 60 wrote to memory of 3748 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_4ed14aa33be29e505773e2372d9ccd80_cobalt-strike_cobaltstrike.exe C:\Windows\System\OilOVHm.exe
PID 60 wrote to memory of 3748 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_4ed14aa33be29e505773e2372d9ccd80_cobalt-strike_cobaltstrike.exe C:\Windows\System\OilOVHm.exe
PID 60 wrote to memory of 432 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_4ed14aa33be29e505773e2372d9ccd80_cobalt-strike_cobaltstrike.exe C:\Windows\System\HWWpxgU.exe
PID 60 wrote to memory of 432 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_4ed14aa33be29e505773e2372d9ccd80_cobalt-strike_cobaltstrike.exe C:\Windows\System\HWWpxgU.exe
PID 60 wrote to memory of 3380 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_4ed14aa33be29e505773e2372d9ccd80_cobalt-strike_cobaltstrike.exe C:\Windows\System\LgJdXII.exe
PID 60 wrote to memory of 3380 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_4ed14aa33be29e505773e2372d9ccd80_cobalt-strike_cobaltstrike.exe C:\Windows\System\LgJdXII.exe
PID 60 wrote to memory of 724 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_4ed14aa33be29e505773e2372d9ccd80_cobalt-strike_cobaltstrike.exe C:\Windows\System\cwsmGeS.exe
PID 60 wrote to memory of 724 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_4ed14aa33be29e505773e2372d9ccd80_cobalt-strike_cobaltstrike.exe C:\Windows\System\cwsmGeS.exe
PID 60 wrote to memory of 4516 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_4ed14aa33be29e505773e2372d9ccd80_cobalt-strike_cobaltstrike.exe C:\Windows\System\oydfXNO.exe
PID 60 wrote to memory of 4516 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_4ed14aa33be29e505773e2372d9ccd80_cobalt-strike_cobaltstrike.exe C:\Windows\System\oydfXNO.exe
PID 60 wrote to memory of 4976 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_4ed14aa33be29e505773e2372d9ccd80_cobalt-strike_cobaltstrike.exe C:\Windows\System\olsvaQO.exe
PID 60 wrote to memory of 4976 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_4ed14aa33be29e505773e2372d9ccd80_cobalt-strike_cobaltstrike.exe C:\Windows\System\olsvaQO.exe
PID 60 wrote to memory of 2316 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_4ed14aa33be29e505773e2372d9ccd80_cobalt-strike_cobaltstrike.exe C:\Windows\System\yWVOWnl.exe
PID 60 wrote to memory of 2316 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_4ed14aa33be29e505773e2372d9ccd80_cobalt-strike_cobaltstrike.exe C:\Windows\System\yWVOWnl.exe
PID 60 wrote to memory of 2128 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_4ed14aa33be29e505773e2372d9ccd80_cobalt-strike_cobaltstrike.exe C:\Windows\System\PaFyYmZ.exe
PID 60 wrote to memory of 2128 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_4ed14aa33be29e505773e2372d9ccd80_cobalt-strike_cobaltstrike.exe C:\Windows\System\PaFyYmZ.exe
PID 60 wrote to memory of 428 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_4ed14aa33be29e505773e2372d9ccd80_cobalt-strike_cobaltstrike.exe C:\Windows\System\JZgVbrE.exe
PID 60 wrote to memory of 428 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_4ed14aa33be29e505773e2372d9ccd80_cobalt-strike_cobaltstrike.exe C:\Windows\System\JZgVbrE.exe
PID 60 wrote to memory of 452 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_4ed14aa33be29e505773e2372d9ccd80_cobalt-strike_cobaltstrike.exe C:\Windows\System\kqAyAqh.exe
PID 60 wrote to memory of 452 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_4ed14aa33be29e505773e2372d9ccd80_cobalt-strike_cobaltstrike.exe C:\Windows\System\kqAyAqh.exe
PID 60 wrote to memory of 4912 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_4ed14aa33be29e505773e2372d9ccd80_cobalt-strike_cobaltstrike.exe C:\Windows\System\XskEfEe.exe
PID 60 wrote to memory of 4912 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_4ed14aa33be29e505773e2372d9ccd80_cobalt-strike_cobaltstrike.exe C:\Windows\System\XskEfEe.exe
PID 60 wrote to memory of 1556 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_4ed14aa33be29e505773e2372d9ccd80_cobalt-strike_cobaltstrike.exe C:\Windows\System\GONqUVV.exe
PID 60 wrote to memory of 1556 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_4ed14aa33be29e505773e2372d9ccd80_cobalt-strike_cobaltstrike.exe C:\Windows\System\GONqUVV.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-05-29_4ed14aa33be29e505773e2372d9ccd80_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-05-29_4ed14aa33be29e505773e2372d9ccd80_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\NKMUSKR.exe

C:\Windows\System\NKMUSKR.exe

C:\Windows\System\dhQgAJV.exe

C:\Windows\System\dhQgAJV.exe

C:\Windows\System\hIyPTPS.exe

C:\Windows\System\hIyPTPS.exe

C:\Windows\System\MqneBPp.exe

C:\Windows\System\MqneBPp.exe

C:\Windows\System\bEPLJlY.exe

C:\Windows\System\bEPLJlY.exe

C:\Windows\System\FfDyjZg.exe

C:\Windows\System\FfDyjZg.exe

C:\Windows\System\KlZtdXJ.exe

C:\Windows\System\KlZtdXJ.exe

C:\Windows\System\XGuEQik.exe

C:\Windows\System\XGuEQik.exe

C:\Windows\System\nSxgCdm.exe

C:\Windows\System\nSxgCdm.exe

C:\Windows\System\OilOVHm.exe

C:\Windows\System\OilOVHm.exe

C:\Windows\System\HWWpxgU.exe

C:\Windows\System\HWWpxgU.exe

C:\Windows\System\LgJdXII.exe

C:\Windows\System\LgJdXII.exe

C:\Windows\System\cwsmGeS.exe

C:\Windows\System\cwsmGeS.exe

C:\Windows\System\oydfXNO.exe

C:\Windows\System\oydfXNO.exe

C:\Windows\System\olsvaQO.exe

C:\Windows\System\olsvaQO.exe

C:\Windows\System\yWVOWnl.exe

C:\Windows\System\yWVOWnl.exe

C:\Windows\System\PaFyYmZ.exe

C:\Windows\System\PaFyYmZ.exe

C:\Windows\System\JZgVbrE.exe

C:\Windows\System\JZgVbrE.exe

C:\Windows\System\kqAyAqh.exe

C:\Windows\System\kqAyAqh.exe

C:\Windows\System\XskEfEe.exe

C:\Windows\System\XskEfEe.exe

C:\Windows\System\GONqUVV.exe

C:\Windows\System\GONqUVV.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 144.107.17.2.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 75.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
BE 88.221.83.216:443 www.bing.com tcp
US 8.8.8.8:53 216.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 150.144.22.2.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp

Files

memory/60-0-0x00007FF7AAE10000-0x00007FF7AB161000-memory.dmp

memory/60-1-0x00000255FBC60000-0x00000255FBC70000-memory.dmp

C:\Windows\System\NKMUSKR.exe

MD5 9b14219226907e53abe84d4ad6a3788b
SHA1 4e890d5f24f751e471aeb4e694ca814a5b3a8314
SHA256 33ed1d71c382ad9d81ae9c3db5f9a7ce9ca2093f3211e6c33785cf4c0a9fef14
SHA512 7b63455902b738c7b1be8acd977c2aa0c4eb3fb7fda4bd6c3772cafeea3f7223d4bb1b483f91d0cea8b9ca2fd8e87ae3faa783648a5243aae69221caa8108118

C:\Windows\System\hIyPTPS.exe

MD5 f2af9d12d21138eda68c3a9a39656254
SHA1 56c76f6d213257a048aa3720aa53ecdd76a53331
SHA256 7c836ab66a4a03750ff6566a4c840fd18dae4f3be3738e094ce2c4616f170de3
SHA512 860737255b7f9d970b79262a37cf83fa5b27a0aa7b7e977ec26655d1a42a051e74a7960c33ed11914a259a5374ff4f509b40572dbc219fac8384baf2e2b4d1d8

C:\Windows\System\dhQgAJV.exe

MD5 b5da2192c3e3fd0e8c707de4fd8b794b
SHA1 6ce7ba19e32c4df627997788c47c6881b581e383
SHA256 c901b42680a5f68e0177eb2efeba332f9c5477474b1f861a0d9955ff61807524
SHA512 0eb2bb8ab4f0dc7614c9b902cb57c77a72f6d1a1593a662d06a8810b68218cfb176b066added4f1efbf7d05566f07348accc66c5e678f07a2608f5ce38fa7682

memory/404-14-0x00007FF666D20000-0x00007FF667071000-memory.dmp

C:\Windows\System\MqneBPp.exe

MD5 32d3a9da77e52b10137d85ebb6cd813c
SHA1 ade0b2b6d52a5e97458cf3017ea8c510a9255fd7
SHA256 880df22c3176b1121746a6b46a70c95b513db622aba21faddbde71021804511c
SHA512 e6e38a802da15a0fc02b67f97c75c4042dcaccb5a0ed594f741ea751733c4179c0ce9565c4b8588733c56c1667ef8a9014de2909dab3cb18f00a333d860a17e1

memory/2688-26-0x00007FF660DC0000-0x00007FF661111000-memory.dmp

memory/3932-21-0x00007FF63ACC0000-0x00007FF63B011000-memory.dmp

memory/1000-8-0x00007FF70C0E0000-0x00007FF70C431000-memory.dmp

C:\Windows\System\bEPLJlY.exe

MD5 de108bf1c50d7b9780d8204aa249bad6
SHA1 9a510695993feb9eb5e598bf8ba7f44563f5fa8f
SHA256 62aa8ac62e03b7f1bcbc827fb86f3aebffc2d492e60c2a27a23f8702b7131555
SHA512 eb7415cbf378e461e635d753d23c96cdcd40a7d7f1d70680a13ad72a54772b46b11a3b7496c82ffc488b47e4e4b68e7290e451cec719c76b0fe73eb7b108c565

memory/3040-32-0x00007FF745310000-0x00007FF745661000-memory.dmp

C:\Windows\System\FfDyjZg.exe

MD5 991cb4380e96d5e3a2db7a281ed2ac59
SHA1 cac68e097f41bb1003dc75b2155da6b4b987a2a4
SHA256 d1ff06cfabe403d5ad7c1f0a45ff4f2734a17e7970a255417a7612af23c44a1d
SHA512 2350bc36b0689be4ac36a20fd5fb69acf2ed6106f89f08b107f600007bec8f7b62f60a041157832aa55ef4e58e8f96f250e00b095ad4d78126a81226feee78eb

memory/3928-38-0x00007FF685B80000-0x00007FF685ED1000-memory.dmp

C:\Windows\System\KlZtdXJ.exe

MD5 72958c9c4305a8a1fac28fb766ae46d2
SHA1 25872ae05594d283299904067da0cb1b9151439c
SHA256 c38947899786c840074edb731e25f580caf2d9572a8a3f6d6e5b4ac7a74f571a
SHA512 1443017f229f0909c04b56cd609e10cd0d261f3f7763348699c9027b9bf431c3864d966d8b84e128b38e0c72825b7b91fe4c6543565d63aa9456ffe3d4aff3cb

memory/4388-44-0x00007FF717D60000-0x00007FF7180B1000-memory.dmp

C:\Windows\System\XGuEQik.exe

MD5 3b52bdf6792a0720a7c8159d1fc78fcf
SHA1 c94d78cd0bf7a45a86fedb426cc76bdd111d81e4
SHA256 9affbff4c254ad4ebe75ad5b958d4a9242622e06aecff9325357facd41f792b4
SHA512 785818dd16007ae1bf1f6e29af934e5de3968c01456bedaab865b52fd1686b3fcc1cb040b2cf59babb4946cabe37d99151fac35fdee4d289cdecac748a81b2d9

C:\Windows\System\nSxgCdm.exe

MD5 ad1581a7317543390b7e778488a1de5e
SHA1 943c0f8ccc70aab8b16ab0e501f0fbd05411f4e0
SHA256 518fc1cbec49c22b1a4d07bc1176852f0473983fba86e24bbdc9e5c5bef2dca3
SHA512 9d778f9a484ee00ce9d96c470aa0a92579d2e0e76e839de4baa5bb00bff5c7a62c655a5e4fa37750c3e3568c32850a6621d26a00ff7526029185bdb4adc6369d

memory/3516-49-0x00007FF7A8510000-0x00007FF7A8861000-memory.dmp

C:\Windows\System\HWWpxgU.exe

MD5 5b78d9eb67ebf4cf497c1985a81568ee
SHA1 b084c23d2685a6d822d9a388ad4270928b3b454c
SHA256 cd5aab9d1b6cf3bfa71d00b89ea00faa5e232bb52d7e181efd210ef85025410b
SHA512 64edb5e2e2d8f2f4b80bd90b62e09e254b2f11b357994ac9b03b313f0c1ca6d75cf3a976007e19bb54fde8d3328c126ce6cb30d6ac3d62d026b19bc15dfd6b9c

C:\Windows\System\OilOVHm.exe

MD5 6345fec7acd13220d21cacc4ea34bdd7
SHA1 5bb5c808504cc59d5060dae1f8290cbbea7c3e55
SHA256 37b50e7adc120b3890f53bbbd68302c8e68b5ac5a3def1ce8511de95e602a3bb
SHA512 2359701835230332b9a609881d48342a788a3da2c0345dc7b6305722694cccfda61c3aa3196e8ad86ea03500297b12a19c349c0717fef16452c79ecf5b9e5c06

C:\Windows\System\cwsmGeS.exe

MD5 c177c2324a722597e34e7053090ec860
SHA1 e876106c3f374c7855d76b0ebad1104ee46835a3
SHA256 4b9d2d4d57b9d7a4a3de87e2055217ed5bc2a0832cc3937e3d08b5b4e1672ed9
SHA512 18d3450a9a26b433c4eb5ab30bd5cd820669904ad86473c25820d30e34e9eb48bc33ec7e46617513a78932926f42b00bb192fd7462291521cee3ef7fc11fba84

C:\Windows\System\olsvaQO.exe

MD5 b7e4131d637e46535e89e89cdb7c96cd
SHA1 11fc38701696cbfbc6ea29b7fda096ef88c53051
SHA256 3a86d0790310ca1b85acfddd6d0f5fd1bb63903b26494cc308865d97abce379b
SHA512 d637d899a099248cbf40f38e02187cc56c9eb0f6c6b7c362cd15b7b6e1fbb644a9504be1a1139cdc18a221822304d6c5910d5718168513794c55dfd118e4b2c1

C:\Windows\System\yWVOWnl.exe

MD5 7149a240048443f1a84b1a1d1a14f4c0
SHA1 39e44ec6e73cc1f4a9e1958a934ebc5d7eff77fb
SHA256 0801093b0c81b6ff2038ee9863d6b144f9e77c855c3e7a73d4bc1e3152f4ff9a
SHA512 230e48694b5c5a057bd82888d555c623c922dc7d7dedc40d351692aab607c347dd7396a7739d9322069abe09e6237e67fe3b6df42ea016ee31ad81891d221b94

C:\Windows\System\PaFyYmZ.exe

MD5 97cfde77a05c20f7663bcaf6730d37aa
SHA1 c1f26c333e57018f730f44dafd7370fc96f52eea
SHA256 9a6eb5ccac28de7a814ec39244b779100a6c1afd79413f197320b964d578cc05
SHA512 43beabfc4bde9429e8b83fcfa66bd5a4789e53c1105402c46aa7bddcb835d88ce728302ad0bb9da3466842413ba9975bf375ad09548b0091e85b179138ad4606

C:\Windows\System\kqAyAqh.exe

MD5 600d3c55201becb3d98ba0cea4cb36a3
SHA1 0595b87bc40fb624a7f1af4e6306a6ac309ecc69
SHA256 927c03cdaa38ccdeee589c79ae368650de5a4c39bd864d1ef5d54f2c88770ab5
SHA512 f93e6e4754d7496f715b0391416252ed934160ea5aa0302f8bc796f5539d4264e2630b02d40df6a57efe61e6dce8dfce55364b49908d4b96f418a7882c959358

C:\Windows\System\GONqUVV.exe

MD5 ac8224f710d2e3dd602766b144c9f75b
SHA1 714e51b6d18fe996832d03928917d9accca0d872
SHA256 2a5ccb68af1b165123fe8a75c41ad810b861f38141958c219891d5a55d2af341
SHA512 146aae6d0b2fab4426d0740e12508cb0ac6e816d38fe0459715c2ac4e4425b4369c4435cb7d000a231b952a529c728050e1173ef1a4b0c97a3169c356dbf9801

C:\Windows\System\XskEfEe.exe

MD5 a7238f9c93f17d72d7dc5af6204f4558
SHA1 7efdefd6a4f032c7976ce5a27a9e3d50ee3b2eb9
SHA256 e211ad941b1190cd4657875237342afb29c09334e6733ee34b00fd99202df13a
SHA512 a5dc6fd11046f5e8fe4e590bd22664ec0db371dadb352f0cb89e2221c3cc395dbf064885ab6484df8f3d37165cbbbb79dd647c4aee8921e115fc6e1940b17735

C:\Windows\System\JZgVbrE.exe

MD5 b5e23ae3aecafef664196e61795f3137
SHA1 f47e86ab57b049223f2bc4aa7b888e400936d77f
SHA256 cfc32e9580b024b04cfb8a8db275e75375b5bb9b901e7f7a7b466ea1d60abe2c
SHA512 5d9f59242522ccd06aeb1342c8851102434097dd8703ac18236052d23d2385096f06479564515da5434c3bb13a8188b267ba7bf9f83bd91a3ab9d6ec41b44c3b

C:\Windows\System\oydfXNO.exe

MD5 d3454536b29e150d5f8bcfc095c462f7
SHA1 1ebf0466b048a7f31c02119a51e5ffaa8226bab9
SHA256 b45a02443c0c66f011131bfb9d927e2bb90b88c09585f53b54defdc2bde026b5
SHA512 3801d435903faee1272cac55594b1f26bf72ac5c017d17c485f00067163defe51672182726ad839a960ea5334c365e4545d81286353cf1804a336ed3afdd701d

C:\Windows\System\LgJdXII.exe

MD5 8caf65d3d25a01cee8670480b575e406
SHA1 dd87728d138142cdb67b5f4ac4f5a692573f1148
SHA256 e2202db27441039d1012ff7e90365773f9fa6191a250ffe86f79c0c261803ba6
SHA512 146f19bcbc1d01874dd4c323455260a5a88854340d592609a8a972600e1ca91897be2fdde4b5e64fc9164d281fb2f3e95bc66e217396869816fd7c10a113d95d

memory/432-71-0x00007FF77A1A0000-0x00007FF77A4F1000-memory.dmp

memory/3748-65-0x00007FF601CD0000-0x00007FF602021000-memory.dmp

memory/60-62-0x00007FF7AAE10000-0x00007FF7AB161000-memory.dmp

memory/2776-53-0x00007FF7CEF80000-0x00007FF7CF2D1000-memory.dmp

memory/60-119-0x00007FF7AAE10000-0x00007FF7AB161000-memory.dmp

memory/3516-127-0x00007FF7A8510000-0x00007FF7A8861000-memory.dmp

memory/2776-128-0x00007FF7CEF80000-0x00007FF7CF2D1000-memory.dmp

memory/1000-120-0x00007FF70C0E0000-0x00007FF70C431000-memory.dmp

memory/3928-125-0x00007FF685B80000-0x00007FF685ED1000-memory.dmp

memory/3932-122-0x00007FF63ACC0000-0x00007FF63B011000-memory.dmp

memory/3748-130-0x00007FF601CD0000-0x00007FF602021000-memory.dmp

memory/432-132-0x00007FF77A1A0000-0x00007FF77A4F1000-memory.dmp

memory/4516-133-0x00007FF740BB0000-0x00007FF740F01000-memory.dmp

memory/4976-134-0x00007FF7DC3D0000-0x00007FF7DC721000-memory.dmp

memory/2316-135-0x00007FF6C7290000-0x00007FF6C75E1000-memory.dmp

memory/2128-137-0x00007FF6B04A0000-0x00007FF6B07F1000-memory.dmp

memory/724-131-0x00007FF6401E0000-0x00007FF640531000-memory.dmp

memory/3380-129-0x00007FF6F43E0000-0x00007FF6F4731000-memory.dmp

memory/428-138-0x00007FF770F90000-0x00007FF7712E1000-memory.dmp

memory/452-148-0x00007FF666330000-0x00007FF666681000-memory.dmp

memory/4912-146-0x00007FF776470000-0x00007FF7767C1000-memory.dmp

memory/1556-147-0x00007FF75C8B0000-0x00007FF75CC01000-memory.dmp

memory/60-149-0x00007FF7AAE10000-0x00007FF7AB161000-memory.dmp

memory/1000-194-0x00007FF70C0E0000-0x00007FF70C431000-memory.dmp

memory/404-196-0x00007FF666D20000-0x00007FF667071000-memory.dmp

memory/2688-198-0x00007FF660DC0000-0x00007FF661111000-memory.dmp

memory/3932-203-0x00007FF63ACC0000-0x00007FF63B011000-memory.dmp

memory/3040-205-0x00007FF745310000-0x00007FF745661000-memory.dmp

memory/3928-214-0x00007FF685B80000-0x00007FF685ED1000-memory.dmp

memory/4388-216-0x00007FF717D60000-0x00007FF7180B1000-memory.dmp

memory/3516-218-0x00007FF7A8510000-0x00007FF7A8861000-memory.dmp

memory/2776-220-0x00007FF7CEF80000-0x00007FF7CF2D1000-memory.dmp

memory/3748-222-0x00007FF601CD0000-0x00007FF602021000-memory.dmp

memory/432-224-0x00007FF77A1A0000-0x00007FF77A4F1000-memory.dmp

memory/3380-226-0x00007FF6F43E0000-0x00007FF6F4731000-memory.dmp

memory/4976-229-0x00007FF7DC3D0000-0x00007FF7DC721000-memory.dmp

memory/4516-230-0x00007FF740BB0000-0x00007FF740F01000-memory.dmp

memory/724-234-0x00007FF6401E0000-0x00007FF640531000-memory.dmp

memory/2316-233-0x00007FF6C7290000-0x00007FF6C75E1000-memory.dmp

memory/2128-236-0x00007FF6B04A0000-0x00007FF6B07F1000-memory.dmp

memory/1556-238-0x00007FF75C8B0000-0x00007FF75CC01000-memory.dmp

memory/452-242-0x00007FF666330000-0x00007FF666681000-memory.dmp

memory/428-241-0x00007FF770F90000-0x00007FF7712E1000-memory.dmp

memory/4912-244-0x00007FF776470000-0x00007FF7767C1000-memory.dmp