Malware Analysis Report

2025-03-15 08:11

Sample ID 240529-2wntcadh76
Target 2024-05-29_de94cb8d077771587d99b9eca1cd7251_cobalt-strike_cobaltstrike
SHA256 2deb57cdb578aab95fa36d4a543fb92f8cd38fa28b44fe2bb4786296aa5ca730
Tags
upx 0 miner cobaltstrike xmrig backdoor trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

2deb57cdb578aab95fa36d4a543fb92f8cd38fa28b44fe2bb4786296aa5ca730

Threat Level: Known bad

The file 2024-05-29_de94cb8d077771587d99b9eca1cd7251_cobalt-strike_cobaltstrike was found to be: Known bad.

Malicious Activity Summary

Detects Reflective DLL injection artifacts

Xmrig family

Cobaltstrike family

Cobalt Strike reflective loader

UPX dump on OEP (original entry point)

XMRig Miner payload

Cobaltstrike

xmrig

UPX packed file

Executes dropped EXE

Loads dropped DLL

Drops file in Windows directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-05-29 22:56

Signatures

Cobalt Strike reflective loader


Cobaltstrike family

cobaltstrike

Detects Reflective DLL injection artifacts


UPX dump on OEP (original entry point)


XMRig Miner payload

miner

Xmrig family

xmrig

UPX packed file

upx

Unsigned PE


Analysis: behavioral1

Detonation Overview

Submitted

2024-05-29 22:56

Reported

2024-05-29 22:58

Platform

win7-20240221-en

Max time kernel

141s

Max time network

142s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-05-29_de94cb8d077771587d99b9eca1cd7251_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader


Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts


UPX dump on OEP (original entry point)


XMRig Miner payload

miner

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_de94cb8d077771587d99b9eca1cd7251_cobalt-strike_cobaltstrike.exe N/A

UPX packed file

upx

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\mzwWLrh.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_de94cb8d077771587d99b9eca1cd7251_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\pUbnVZV.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_de94cb8d077771587d99b9eca1cd7251_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\EIBiSjR.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_de94cb8d077771587d99b9eca1cd7251_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\DImSBIB.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_de94cb8d077771587d99b9eca1cd7251_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\lkLFuym.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_de94cb8d077771587d99b9eca1cd7251_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ZIBlMpw.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_de94cb8d077771587d99b9eca1cd7251_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\MAcBwLi.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_de94cb8d077771587d99b9eca1cd7251_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\aHodQZD.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_de94cb8d077771587d99b9eca1cd7251_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\hfnYOVr.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_de94cb8d077771587d99b9eca1cd7251_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\IPCjcQI.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_de94cb8d077771587d99b9eca1cd7251_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\GRRhHqL.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_de94cb8d077771587d99b9eca1cd7251_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\PpdZkRM.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_de94cb8d077771587d99b9eca1cd7251_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\PMiltYA.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_de94cb8d077771587d99b9eca1cd7251_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\UNbQUNv.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_de94cb8d077771587d99b9eca1cd7251_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\bmmLbcu.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_de94cb8d077771587d99b9eca1cd7251_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\PRgAqhs.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_de94cb8d077771587d99b9eca1cd7251_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\rRmjBJV.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_de94cb8d077771587d99b9eca1cd7251_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\BTDyftd.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_de94cb8d077771587d99b9eca1cd7251_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\plbjGZg.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_de94cb8d077771587d99b9eca1cd7251_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\kfXHTeb.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_de94cb8d077771587d99b9eca1cd7251_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\HWWajLt.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_de94cb8d077771587d99b9eca1cd7251_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_de94cb8d077771587d99b9eca1cd7251_cobalt-strike_cobaltstrike.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_de94cb8d077771587d99b9eca1cd7251_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3048 wrote to memory of 3056 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_de94cb8d077771587d99b9eca1cd7251_cobalt-strike_cobaltstrike.exe C:\Windows\System\mzwWLrh.exe
PID 3048 wrote to memory of 3056 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_de94cb8d077771587d99b9eca1cd7251_cobalt-strike_cobaltstrike.exe C:\Windows\System\mzwWLrh.exe
PID 3048 wrote to memory of 3056 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_de94cb8d077771587d99b9eca1cd7251_cobalt-strike_cobaltstrike.exe C:\Windows\System\mzwWLrh.exe
PID 3048 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_de94cb8d077771587d99b9eca1cd7251_cobalt-strike_cobaltstrike.exe C:\Windows\System\rRmjBJV.exe
PID 3048 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_de94cb8d077771587d99b9eca1cd7251_cobalt-strike_cobaltstrike.exe C:\Windows\System\rRmjBJV.exe
PID 3048 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_de94cb8d077771587d99b9eca1cd7251_cobalt-strike_cobaltstrike.exe C:\Windows\System\rRmjBJV.exe
PID 3048 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_de94cb8d077771587d99b9eca1cd7251_cobalt-strike_cobaltstrike.exe C:\Windows\System\MAcBwLi.exe
PID 3048 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_de94cb8d077771587d99b9eca1cd7251_cobalt-strike_cobaltstrike.exe C:\Windows\System\MAcBwLi.exe
PID 3048 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_de94cb8d077771587d99b9eca1cd7251_cobalt-strike_cobaltstrike.exe C:\Windows\System\MAcBwLi.exe
PID 3048 wrote to memory of 2544 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_de94cb8d077771587d99b9eca1cd7251_cobalt-strike_cobaltstrike.exe C:\Windows\System\pUbnVZV.exe
PID 3048 wrote to memory of 2544 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_de94cb8d077771587d99b9eca1cd7251_cobalt-strike_cobaltstrike.exe C:\Windows\System\pUbnVZV.exe
PID 3048 wrote to memory of 2544 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_de94cb8d077771587d99b9eca1cd7251_cobalt-strike_cobaltstrike.exe C:\Windows\System\pUbnVZV.exe
PID 3048 wrote to memory of 2428 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_de94cb8d077771587d99b9eca1cd7251_cobalt-strike_cobaltstrike.exe C:\Windows\System\EIBiSjR.exe
PID 3048 wrote to memory of 2428 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_de94cb8d077771587d99b9eca1cd7251_cobalt-strike_cobaltstrike.exe C:\Windows\System\EIBiSjR.exe
PID 3048 wrote to memory of 2428 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_de94cb8d077771587d99b9eca1cd7251_cobalt-strike_cobaltstrike.exe C:\Windows\System\EIBiSjR.exe
PID 3048 wrote to memory of 2456 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_de94cb8d077771587d99b9eca1cd7251_cobalt-strike_cobaltstrike.exe C:\Windows\System\BTDyftd.exe
PID 3048 wrote to memory of 2456 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_de94cb8d077771587d99b9eca1cd7251_cobalt-strike_cobaltstrike.exe C:\Windows\System\BTDyftd.exe
PID 3048 wrote to memory of 2456 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_de94cb8d077771587d99b9eca1cd7251_cobalt-strike_cobaltstrike.exe C:\Windows\System\BTDyftd.exe
PID 3048 wrote to memory of 2972 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_de94cb8d077771587d99b9eca1cd7251_cobalt-strike_cobaltstrike.exe C:\Windows\System\DImSBIB.exe
PID 3048 wrote to memory of 2972 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_de94cb8d077771587d99b9eca1cd7251_cobalt-strike_cobaltstrike.exe C:\Windows\System\DImSBIB.exe
PID 3048 wrote to memory of 2972 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_de94cb8d077771587d99b9eca1cd7251_cobalt-strike_cobaltstrike.exe C:\Windows\System\DImSBIB.exe
PID 3048 wrote to memory of 2452 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_de94cb8d077771587d99b9eca1cd7251_cobalt-strike_cobaltstrike.exe C:\Windows\System\lkLFuym.exe
PID 3048 wrote to memory of 2452 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_de94cb8d077771587d99b9eca1cd7251_cobalt-strike_cobaltstrike.exe C:\Windows\System\lkLFuym.exe
PID 3048 wrote to memory of 2452 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_de94cb8d077771587d99b9eca1cd7251_cobalt-strike_cobaltstrike.exe C:\Windows\System\lkLFuym.exe
PID 3048 wrote to memory of 2100 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_de94cb8d077771587d99b9eca1cd7251_cobalt-strike_cobaltstrike.exe C:\Windows\System\aHodQZD.exe
PID 3048 wrote to memory of 2100 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_de94cb8d077771587d99b9eca1cd7251_cobalt-strike_cobaltstrike.exe C:\Windows\System\aHodQZD.exe
PID 3048 wrote to memory of 2100 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_de94cb8d077771587d99b9eca1cd7251_cobalt-strike_cobaltstrike.exe C:\Windows\System\aHodQZD.exe
PID 3048 wrote to memory of 672 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_de94cb8d077771587d99b9eca1cd7251_cobalt-strike_cobaltstrike.exe C:\Windows\System\PpdZkRM.exe
PID 3048 wrote to memory of 672 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_de94cb8d077771587d99b9eca1cd7251_cobalt-strike_cobaltstrike.exe C:\Windows\System\PpdZkRM.exe
PID 3048 wrote to memory of 672 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_de94cb8d077771587d99b9eca1cd7251_cobalt-strike_cobaltstrike.exe C:\Windows\System\PpdZkRM.exe
PID 3048 wrote to memory of 2404 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_de94cb8d077771587d99b9eca1cd7251_cobalt-strike_cobaltstrike.exe C:\Windows\System\PMiltYA.exe
PID 3048 wrote to memory of 2404 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_de94cb8d077771587d99b9eca1cd7251_cobalt-strike_cobaltstrike.exe C:\Windows\System\PMiltYA.exe
PID 3048 wrote to memory of 2404 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_de94cb8d077771587d99b9eca1cd7251_cobalt-strike_cobaltstrike.exe C:\Windows\System\PMiltYA.exe
PID 3048 wrote to memory of 1800 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_de94cb8d077771587d99b9eca1cd7251_cobalt-strike_cobaltstrike.exe C:\Windows\System\ZIBlMpw.exe
PID 3048 wrote to memory of 1800 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_de94cb8d077771587d99b9eca1cd7251_cobalt-strike_cobaltstrike.exe C:\Windows\System\ZIBlMpw.exe
PID 3048 wrote to memory of 1800 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_de94cb8d077771587d99b9eca1cd7251_cobalt-strike_cobaltstrike.exe C:\Windows\System\ZIBlMpw.exe
PID 3048 wrote to memory of 1608 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_de94cb8d077771587d99b9eca1cd7251_cobalt-strike_cobaltstrike.exe C:\Windows\System\UNbQUNv.exe
PID 3048 wrote to memory of 1608 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_de94cb8d077771587d99b9eca1cd7251_cobalt-strike_cobaltstrike.exe C:\Windows\System\UNbQUNv.exe
PID 3048 wrote to memory of 1608 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_de94cb8d077771587d99b9eca1cd7251_cobalt-strike_cobaltstrike.exe C:\Windows\System\UNbQUNv.exe
PID 3048 wrote to memory of 1728 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_de94cb8d077771587d99b9eca1cd7251_cobalt-strike_cobaltstrike.exe C:\Windows\System\plbjGZg.exe
PID 3048 wrote to memory of 1728 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_de94cb8d077771587d99b9eca1cd7251_cobalt-strike_cobaltstrike.exe C:\Windows\System\plbjGZg.exe
PID 3048 wrote to memory of 1728 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_de94cb8d077771587d99b9eca1cd7251_cobalt-strike_cobaltstrike.exe C:\Windows\System\plbjGZg.exe
PID 3048 wrote to memory of 1640 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_de94cb8d077771587d99b9eca1cd7251_cobalt-strike_cobaltstrike.exe C:\Windows\System\bmmLbcu.exe
PID 3048 wrote to memory of 1640 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_de94cb8d077771587d99b9eca1cd7251_cobalt-strike_cobaltstrike.exe C:\Windows\System\bmmLbcu.exe
PID 3048 wrote to memory of 1640 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_de94cb8d077771587d99b9eca1cd7251_cobalt-strike_cobaltstrike.exe C:\Windows\System\bmmLbcu.exe
PID 3048 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_de94cb8d077771587d99b9eca1cd7251_cobalt-strike_cobaltstrike.exe C:\Windows\System\hfnYOVr.exe
PID 3048 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_de94cb8d077771587d99b9eca1cd7251_cobalt-strike_cobaltstrike.exe C:\Windows\System\hfnYOVr.exe
PID 3048 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_de94cb8d077771587d99b9eca1cd7251_cobalt-strike_cobaltstrike.exe C:\Windows\System\hfnYOVr.exe
PID 3048 wrote to memory of 2836 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_de94cb8d077771587d99b9eca1cd7251_cobalt-strike_cobaltstrike.exe C:\Windows\System\kfXHTeb.exe
PID 3048 wrote to memory of 2836 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_de94cb8d077771587d99b9eca1cd7251_cobalt-strike_cobaltstrike.exe C:\Windows\System\kfXHTeb.exe
PID 3048 wrote to memory of 2836 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_de94cb8d077771587d99b9eca1cd7251_cobalt-strike_cobaltstrike.exe C:\Windows\System\kfXHTeb.exe
PID 3048 wrote to memory of 2904 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_de94cb8d077771587d99b9eca1cd7251_cobalt-strike_cobaltstrike.exe C:\Windows\System\HWWajLt.exe
PID 3048 wrote to memory of 2904 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_de94cb8d077771587d99b9eca1cd7251_cobalt-strike_cobaltstrike.exe C:\Windows\System\HWWajLt.exe
PID 3048 wrote to memory of 2904 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_de94cb8d077771587d99b9eca1cd7251_cobalt-strike_cobaltstrike.exe C:\Windows\System\HWWajLt.exe
PID 3048 wrote to memory of 1324 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_de94cb8d077771587d99b9eca1cd7251_cobalt-strike_cobaltstrike.exe C:\Windows\System\PRgAqhs.exe
PID 3048 wrote to memory of 1324 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_de94cb8d077771587d99b9eca1cd7251_cobalt-strike_cobaltstrike.exe C:\Windows\System\PRgAqhs.exe
PID 3048 wrote to memory of 1324 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_de94cb8d077771587d99b9eca1cd7251_cobalt-strike_cobaltstrike.exe C:\Windows\System\PRgAqhs.exe
PID 3048 wrote to memory of 1936 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_de94cb8d077771587d99b9eca1cd7251_cobalt-strike_cobaltstrike.exe C:\Windows\System\IPCjcQI.exe
PID 3048 wrote to memory of 1936 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_de94cb8d077771587d99b9eca1cd7251_cobalt-strike_cobaltstrike.exe C:\Windows\System\IPCjcQI.exe
PID 3048 wrote to memory of 1936 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_de94cb8d077771587d99b9eca1cd7251_cobalt-strike_cobaltstrike.exe C:\Windows\System\IPCjcQI.exe
PID 3048 wrote to memory of 2324 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_de94cb8d077771587d99b9eca1cd7251_cobalt-strike_cobaltstrike.exe C:\Windows\System\GRRhHqL.exe
PID 3048 wrote to memory of 2324 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_de94cb8d077771587d99b9eca1cd7251_cobalt-strike_cobaltstrike.exe C:\Windows\System\GRRhHqL.exe
PID 3048 wrote to memory of 2324 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_de94cb8d077771587d99b9eca1cd7251_cobalt-strike_cobaltstrike.exe C:\Windows\System\GRRhHqL.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-05-29_de94cb8d077771587d99b9eca1cd7251_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-05-29_de94cb8d077771587d99b9eca1cd7251_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\mzwWLrh.exe

C:\Windows\System\mzwWLrh.exe

C:\Windows\System\rRmjBJV.exe

C:\Windows\System\rRmjBJV.exe

C:\Windows\System\MAcBwLi.exe

C:\Windows\System\MAcBwLi.exe

C:\Windows\System\pUbnVZV.exe

C:\Windows\System\pUbnVZV.exe

C:\Windows\System\EIBiSjR.exe

C:\Windows\System\EIBiSjR.exe

C:\Windows\System\BTDyftd.exe

C:\Windows\System\BTDyftd.exe

C:\Windows\System\DImSBIB.exe

C:\Windows\System\DImSBIB.exe

C:\Windows\System\lkLFuym.exe

C:\Windows\System\lkLFuym.exe

C:\Windows\System\aHodQZD.exe

C:\Windows\System\aHodQZD.exe

C:\Windows\System\PpdZkRM.exe

C:\Windows\System\PpdZkRM.exe

C:\Windows\System\PMiltYA.exe

C:\Windows\System\PMiltYA.exe

C:\Windows\System\ZIBlMpw.exe

C:\Windows\System\ZIBlMpw.exe

C:\Windows\System\UNbQUNv.exe

C:\Windows\System\UNbQUNv.exe

C:\Windows\System\plbjGZg.exe

C:\Windows\System\plbjGZg.exe

C:\Windows\System\bmmLbcu.exe

C:\Windows\System\bmmLbcu.exe

C:\Windows\System\hfnYOVr.exe

C:\Windows\System\hfnYOVr.exe

C:\Windows\System\kfXHTeb.exe

C:\Windows\System\kfXHTeb.exe

C:\Windows\System\HWWajLt.exe

C:\Windows\System\HWWajLt.exe

C:\Windows\System\PRgAqhs.exe

C:\Windows\System\PRgAqhs.exe

C:\Windows\System\IPCjcQI.exe

C:\Windows\System\IPCjcQI.exe

C:\Windows\System\GRRhHqL.exe

C:\Windows\System\GRRhHqL.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp

Files


C:\Windows\system\DImSBIB.exe

MD5 b7e520586ea3b475726b11a25bbba361
SHA1 046cfa530c04172805a765f5273a800abc99191a
SHA256 dc36af4aaef63d1e6df4f230d8bac184b85a4c1af06152898487fe2a558450a1
SHA512 3d7d638419e899af080caa043a46cb8587cf2e40bd515b410defd5d031883e8a94eaeeef8d98247caa4faf5804306a59d82e522283dcc6064ab0767a9ec92285

memory/3048-42-0x000000013F920000-0x000000013FC71000-memory.dmp

memory/3048-30-0x0000000002190000-0x00000000024E1000-memory.dmp

C:\Windows\system\pUbnVZV.exe

MD5 f6e8c9e332b1bffe63a335ad26df248b
SHA1 2b7492ec0bb861bcb41d8365c999a5182951cb8f
SHA256 ff92721c9887671d169d30df2cc660584cef3e2e13f85e181eb517e2768618b7
SHA512 ae1e1c1ab87623a67a6e771187cbc5890326f0358ac3beca43fdf9f278d0959d3f8c7a6303876c1d54a6ea9e352a44a6914bc314fdba819c944cd41dd19200f0

C:\Windows\system\EIBiSjR.exe

MD5 e523d4e3e70ed0500072dfb8991c8380
SHA1 0e3ba38c353868f92740b2f86bb51740feb91cff
SHA256 2ee1da2d44b0dcded1aab70f1ecdd756736cf9bf1ab303986cc186cc2e296680
SHA512 30b4a43bca92eb27d694b68a95876962539fe16da006cde64a7beb0ab594e6f16a6b4d26c0685996cd59ca0a6a7db509f1df5fc830e52177acde561dc277f492

memory/3048-25-0x000000013F9C0000-0x000000013FD11000-memory.dmp

memory/3048-158-0x000000013F4D0000-0x000000013F821000-memory.dmp

memory/3056-212-0x000000013FCD0000-0x0000000140021000-memory.dmp

memory/2752-214-0x000000013F770000-0x000000013FAC1000-memory.dmp

memory/2692-220-0x000000013F9C0000-0x000000013FD11000-memory.dmp

memory/2428-219-0x000000013F920000-0x000000013FC71000-memory.dmp

memory/2544-218-0x000000013F7B0000-0x000000013FB01000-memory.dmp

memory/2972-236-0x000000013FFC0000-0x0000000140311000-memory.dmp

memory/2100-238-0x000000013F740000-0x000000013FA91000-memory.dmp

memory/1640-243-0x000000013F8B0000-0x000000013FC01000-memory.dmp

memory/1608-242-0x000000013F9F0000-0x000000013FD41000-memory.dmp

memory/2404-239-0x000000013FE10000-0x0000000140161000-memory.dmp

memory/2456-248-0x000000013F9B0000-0x000000013FD01000-memory.dmp

memory/2452-256-0x000000013F5A0000-0x000000013F8F1000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-29 22:56

Reported

2024-05-29 22:58

Platform

win10v2004-20240508-en

Max time kernel

144s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-05-29_de94cb8d077771587d99b9eca1cd7251_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\lpHhoNO.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_de94cb8d077771587d99b9eca1cd7251_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\GzKVyZx.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_de94cb8d077771587d99b9eca1cd7251_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\nmDcelW.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_de94cb8d077771587d99b9eca1cd7251_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\VUkHcpy.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_de94cb8d077771587d99b9eca1cd7251_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ZaDtxoL.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_de94cb8d077771587d99b9eca1cd7251_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\EeUiIAB.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_de94cb8d077771587d99b9eca1cd7251_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\WJKGlIU.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_de94cb8d077771587d99b9eca1cd7251_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\KkLTvYG.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_de94cb8d077771587d99b9eca1cd7251_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\UruJsGg.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_de94cb8d077771587d99b9eca1cd7251_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\YMDopTT.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_de94cb8d077771587d99b9eca1cd7251_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\jwVClVe.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_de94cb8d077771587d99b9eca1cd7251_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ZQSggQG.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_de94cb8d077771587d99b9eca1cd7251_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\CoHVkrj.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_de94cb8d077771587d99b9eca1cd7251_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\oAxQiFK.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_de94cb8d077771587d99b9eca1cd7251_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\AKWTyew.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_de94cb8d077771587d99b9eca1cd7251_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\VZMctgN.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_de94cb8d077771587d99b9eca1cd7251_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\sRluTPY.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_de94cb8d077771587d99b9eca1cd7251_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\XgxloNg.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_de94cb8d077771587d99b9eca1cd7251_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\aZGNjxD.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_de94cb8d077771587d99b9eca1cd7251_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\xYpzdsn.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_de94cb8d077771587d99b9eca1cd7251_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\PvoBTKT.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_de94cb8d077771587d99b9eca1cd7251_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_de94cb8d077771587d99b9eca1cd7251_cobalt-strike_cobaltstrike.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_de94cb8d077771587d99b9eca1cd7251_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3524 wrote to memory of 3900 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_de94cb8d077771587d99b9eca1cd7251_cobalt-strike_cobaltstrike.exe C:\Windows\System\ZaDtxoL.exe
PID 3524 wrote to memory of 3900 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_de94cb8d077771587d99b9eca1cd7251_cobalt-strike_cobaltstrike.exe C:\Windows\System\ZaDtxoL.exe
PID 3524 wrote to memory of 628 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_de94cb8d077771587d99b9eca1cd7251_cobalt-strike_cobaltstrike.exe C:\Windows\System\VZMctgN.exe
PID 3524 wrote to memory of 628 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_de94cb8d077771587d99b9eca1cd7251_cobalt-strike_cobaltstrike.exe C:\Windows\System\VZMctgN.exe
PID 3524 wrote to memory of 2552 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_de94cb8d077771587d99b9eca1cd7251_cobalt-strike_cobaltstrike.exe C:\Windows\System\lpHhoNO.exe
PID 3524 wrote to memory of 2552 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_de94cb8d077771587d99b9eca1cd7251_cobalt-strike_cobaltstrike.exe C:\Windows\System\lpHhoNO.exe
PID 3524 wrote to memory of 3740 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_de94cb8d077771587d99b9eca1cd7251_cobalt-strike_cobaltstrike.exe C:\Windows\System\YMDopTT.exe
PID 3524 wrote to memory of 3740 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_de94cb8d077771587d99b9eca1cd7251_cobalt-strike_cobaltstrike.exe C:\Windows\System\YMDopTT.exe
PID 3524 wrote to memory of 2328 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_de94cb8d077771587d99b9eca1cd7251_cobalt-strike_cobaltstrike.exe C:\Windows\System\jwVClVe.exe
PID 3524 wrote to memory of 2328 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_de94cb8d077771587d99b9eca1cd7251_cobalt-strike_cobaltstrike.exe C:\Windows\System\jwVClVe.exe
PID 3524 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_de94cb8d077771587d99b9eca1cd7251_cobalt-strike_cobaltstrike.exe C:\Windows\System\sRluTPY.exe
PID 3524 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_de94cb8d077771587d99b9eca1cd7251_cobalt-strike_cobaltstrike.exe C:\Windows\System\sRluTPY.exe
PID 3524 wrote to memory of 4448 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_de94cb8d077771587d99b9eca1cd7251_cobalt-strike_cobaltstrike.exe C:\Windows\System\XgxloNg.exe
PID 3524 wrote to memory of 4448 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_de94cb8d077771587d99b9eca1cd7251_cobalt-strike_cobaltstrike.exe C:\Windows\System\XgxloNg.exe
PID 3524 wrote to memory of 2100 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_de94cb8d077771587d99b9eca1cd7251_cobalt-strike_cobaltstrike.exe C:\Windows\System\GzKVyZx.exe
PID 3524 wrote to memory of 2100 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_de94cb8d077771587d99b9eca1cd7251_cobalt-strike_cobaltstrike.exe C:\Windows\System\GzKVyZx.exe
PID 3524 wrote to memory of 2444 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_de94cb8d077771587d99b9eca1cd7251_cobalt-strike_cobaltstrike.exe C:\Windows\System\aZGNjxD.exe
PID 3524 wrote to memory of 2444 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_de94cb8d077771587d99b9eca1cd7251_cobalt-strike_cobaltstrike.exe C:\Windows\System\aZGNjxD.exe
PID 3524 wrote to memory of 3772 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_de94cb8d077771587d99b9eca1cd7251_cobalt-strike_cobaltstrike.exe C:\Windows\System\EeUiIAB.exe
PID 3524 wrote to memory of 3772 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_de94cb8d077771587d99b9eca1cd7251_cobalt-strike_cobaltstrike.exe C:\Windows\System\EeUiIAB.exe
PID 3524 wrote to memory of 3824 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_de94cb8d077771587d99b9eca1cd7251_cobalt-strike_cobaltstrike.exe C:\Windows\System\WJKGlIU.exe
PID 3524 wrote to memory of 3824 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_de94cb8d077771587d99b9eca1cd7251_cobalt-strike_cobaltstrike.exe C:\Windows\System\WJKGlIU.exe
PID 3524 wrote to memory of 1248 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_de94cb8d077771587d99b9eca1cd7251_cobalt-strike_cobaltstrike.exe C:\Windows\System\ZQSggQG.exe
PID 3524 wrote to memory of 1248 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_de94cb8d077771587d99b9eca1cd7251_cobalt-strike_cobaltstrike.exe C:\Windows\System\ZQSggQG.exe
PID 3524 wrote to memory of 2872 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_de94cb8d077771587d99b9eca1cd7251_cobalt-strike_cobaltstrike.exe C:\Windows\System\CoHVkrj.exe
PID 3524 wrote to memory of 2872 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_de94cb8d077771587d99b9eca1cd7251_cobalt-strike_cobaltstrike.exe C:\Windows\System\CoHVkrj.exe
PID 3524 wrote to memory of 2372 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_de94cb8d077771587d99b9eca1cd7251_cobalt-strike_cobaltstrike.exe C:\Windows\System\oAxQiFK.exe
PID 3524 wrote to memory of 2372 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_de94cb8d077771587d99b9eca1cd7251_cobalt-strike_cobaltstrike.exe C:\Windows\System\oAxQiFK.exe
PID 3524 wrote to memory of 2248 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_de94cb8d077771587d99b9eca1cd7251_cobalt-strike_cobaltstrike.exe C:\Windows\System\nmDcelW.exe
PID 3524 wrote to memory of 2248 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_de94cb8d077771587d99b9eca1cd7251_cobalt-strike_cobaltstrike.exe C:\Windows\System\nmDcelW.exe
PID 3524 wrote to memory of 4556 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_de94cb8d077771587d99b9eca1cd7251_cobalt-strike_cobaltstrike.exe C:\Windows\System\xYpzdsn.exe
PID 3524 wrote to memory of 4556 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_de94cb8d077771587d99b9eca1cd7251_cobalt-strike_cobaltstrike.exe C:\Windows\System\xYpzdsn.exe
PID 3524 wrote to memory of 4880 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_de94cb8d077771587d99b9eca1cd7251_cobalt-strike_cobaltstrike.exe C:\Windows\System\VUkHcpy.exe
PID 3524 wrote to memory of 4880 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_de94cb8d077771587d99b9eca1cd7251_cobalt-strike_cobaltstrike.exe C:\Windows\System\VUkHcpy.exe
PID 3524 wrote to memory of 1844 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_de94cb8d077771587d99b9eca1cd7251_cobalt-strike_cobaltstrike.exe C:\Windows\System\KkLTvYG.exe
PID 3524 wrote to memory of 1844 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_de94cb8d077771587d99b9eca1cd7251_cobalt-strike_cobaltstrike.exe C:\Windows\System\KkLTvYG.exe
PID 3524 wrote to memory of 1000 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_de94cb8d077771587d99b9eca1cd7251_cobalt-strike_cobaltstrike.exe C:\Windows\System\PvoBTKT.exe
PID 3524 wrote to memory of 1000 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_de94cb8d077771587d99b9eca1cd7251_cobalt-strike_cobaltstrike.exe C:\Windows\System\PvoBTKT.exe
PID 3524 wrote to memory of 2952 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_de94cb8d077771587d99b9eca1cd7251_cobalt-strike_cobaltstrike.exe C:\Windows\System\AKWTyew.exe
PID 3524 wrote to memory of 2952 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_de94cb8d077771587d99b9eca1cd7251_cobalt-strike_cobaltstrike.exe C:\Windows\System\AKWTyew.exe
PID 3524 wrote to memory of 2104 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_de94cb8d077771587d99b9eca1cd7251_cobalt-strike_cobaltstrike.exe C:\Windows\System\UruJsGg.exe
PID 3524 wrote to memory of 2104 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_de94cb8d077771587d99b9eca1cd7251_cobalt-strike_cobaltstrike.exe C:\Windows\System\UruJsGg.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-05-29_de94cb8d077771587d99b9eca1cd7251_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-05-29_de94cb8d077771587d99b9eca1cd7251_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\ZaDtxoL.exe

C:\Windows\System\ZaDtxoL.exe

C:\Windows\System\VZMctgN.exe

C:\Windows\System\VZMctgN.exe

C:\Windows\System\lpHhoNO.exe

C:\Windows\System\lpHhoNO.exe

C:\Windows\System\YMDopTT.exe

C:\Windows\System\YMDopTT.exe

C:\Windows\System\jwVClVe.exe

C:\Windows\System\jwVClVe.exe

C:\Windows\System\sRluTPY.exe

C:\Windows\System\sRluTPY.exe

C:\Windows\System\XgxloNg.exe

C:\Windows\System\XgxloNg.exe

C:\Windows\System\GzKVyZx.exe

C:\Windows\System\GzKVyZx.exe

C:\Windows\System\aZGNjxD.exe

C:\Windows\System\aZGNjxD.exe

C:\Windows\System\EeUiIAB.exe

C:\Windows\System\EeUiIAB.exe

C:\Windows\System\WJKGlIU.exe

C:\Windows\System\WJKGlIU.exe

C:\Windows\System\ZQSggQG.exe

C:\Windows\System\ZQSggQG.exe

C:\Windows\System\CoHVkrj.exe

C:\Windows\System\CoHVkrj.exe

C:\Windows\System\oAxQiFK.exe

C:\Windows\System\oAxQiFK.exe

C:\Windows\System\nmDcelW.exe

C:\Windows\System\nmDcelW.exe

C:\Windows\System\xYpzdsn.exe

C:\Windows\System\xYpzdsn.exe

C:\Windows\System\VUkHcpy.exe

C:\Windows\System\VUkHcpy.exe

C:\Windows\System\KkLTvYG.exe

C:\Windows\System\KkLTvYG.exe

C:\Windows\System\PvoBTKT.exe

C:\Windows\System\PvoBTKT.exe

C:\Windows\System\AKWTyew.exe

C:\Windows\System\AKWTyew.exe

C:\Windows\System\UruJsGg.exe

C:\Windows\System\UruJsGg.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
DE 3.120.209.58:8080 N/A tcp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
DE 3.120.209.58:8080 N/A tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
DE 3.120.209.58:8080 N/A tcp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
DE 3.120.209.58:8080 N/A tcp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
BE 88.221.83.219:443 www.bing.com tcp
US 8.8.8.8:53 219.83.221.88.in-addr.arpa udp
DE 3.120.209.58:8080 N/A tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
DE 3.120.209.58:8080 N/A tcp

Files

memory/3524-0-0x00007FF6D0B20000-0x00007FF6D0E71000-memory.dmp

memory/3524-1-0x000001B584590000-0x000001B5845A0000-memory.dmp

C:\Windows\System\ZaDtxoL.exe

MD5 87e8edcfbb87acc9a2984cdeb8f3474f
SHA1 16137ee6e2f3bb1b2ebbfd34b0570ab88ca7c541
SHA256 2572ad178277e8eee432116ce25d3b5c978e5aba360d4df84d56816b9a1d545c
SHA512 18e9d6cc2e89d0dd82e2e2e698e8a851d291f541dcb2c9c4da27f960b063b9de0b7117151ae62f785fd61fd13b56e9590f5aa325d8da561d47e2605e657b4014

C:\Windows\System\lpHhoNO.exe

MD5 8fea7c5f197ce5aa6e1534f718472ac8
SHA1 e43d77245a9606ebda974cb421d1e604e87ae9b6
SHA256 8ae5076d9cb1a41f0fa459109d1bf98f7a69d6b9773a100b34e33e4714584605
SHA512 6bf0bbf5ce65d0d327c72501d34a3c521789c1df6b57326057f2103cd5e9563be13db9fa083d0095a8efa29e65b5bb4b2f7160266ce9c0210ad049dd51db9915

C:\Windows\System\VZMctgN.exe

MD5 c6369448894e658a77370b35e47b3801
SHA1 695304ae51b9cd9727ebd510e2012dd2c09ffb2a
SHA256 85560513280d502e0fcccae68ca78adf65c3655a784a10191301653b20f4ff50
SHA512 92ce9c199428c7321d89028e804764474c973c6df9736626c7a0954415303eaf5e5928927d99ff8f06fb69a166ea8106a469c6cfa650b95f220873c2944582fb

memory/2552-29-0x00007FF6B6840000-0x00007FF6B6B91000-memory.dmp

C:\Windows\System\sRluTPY.exe

MD5 96d7a3d0fc06b39775f740dbe1c35504
SHA1 c520bd842ece71e1871f59efc67e85112d858bff
SHA256 205521d54420c1b76be3180b9f777a9be0575f0b86a0599b0744be0014a1a631
SHA512 f4aabb581461cbf5f1bb1aee49eaa67c2a44cd8388c9dcc24e66d4d3723033d8bf6b5c6b51225ba56121249191b1d1b1f70dec48d1854d2e03600436cbd57371

C:\Windows\System\GzKVyZx.exe

MD5 0ab4424d8ae3b34f5ab4d32b040306f6
SHA1 cd0cc0e4a2c3385a84f844a057c6b65a3dd9eddd
SHA256 af766c34deb9101154a35d717360994ca595d5b96e28900ea5d5b76b8950227a
SHA512 b9cdec7df53070b79b335b32f916312ff601568f9a73a4ef55ab8149f83fddb6ffb14eb1406ce8d2124b9018e31298faeb49d0d3dc418664e8d1bcc6963e0412

C:\Windows\System\aZGNjxD.exe

MD5 02e68dd75bf349457081a6dc85064f4c
SHA1 c29a58f594179fe22635e27e2d8f5212c11148b3
SHA256 f9d89ef716d598e230d54e8949037018562e65f6a2694ef7ac21f3e47ab1dbce
SHA512 af3640335e5f39f1bf18d84015b24d6e8c8fcc94c84ec0a16602d2e9947025dbc3fd1fbbba2fee5867cee41ffbcd2d17c8da4c24251d44e8e88e357cbd3b2a05

memory/2720-45-0x00007FF798EA0000-0x00007FF7991F1000-memory.dmp

C:\Windows\System\EeUiIAB.exe

MD5 9596f62e99ebe3a99ac71c184708e3fe
SHA1 42b1cde965833938ae2e1ff87e97a4a73cac514b
SHA256 def01387f1b892c6596603b02ea4291f953dd217ad48412d9b8e298bb62efcd1
SHA512 ce33bf6cbc4d7a5a2f56767795817875eacd9c64fa16fe3d60c7a47a068f097a7a2793cf304f448d612e687d157c23c67f51a89afd08495ec846cfa51ac1241a

memory/3772-66-0x00007FF778A50000-0x00007FF778DA1000-memory.dmp

C:\Windows\System\WJKGlIU.exe

MD5 88e7861c910d57a922da1aac73975a7f
SHA1 bb6982c292d9ac75fc21000359210b21ff87d594
SHA256 719a814d8bc85dbd0e5a21f88b15c12db2c4c257e336a3673a133ff54d8b07ad
SHA512 dce2c6c0e138c530d056418f71ada871ee3b8efa2205bbb02fbb6b6b691bc1473be9e21474d548315dd610f009831f9c510e2cdff4fdd1aefe1f7607ae8d484d

memory/2328-73-0x00007FF6CC340000-0x00007FF6CC691000-memory.dmp

C:\Windows\System\oAxQiFK.exe

MD5 b44a7a57e14096a9f431d0f0fb2a8e25
SHA1 816191134a3025cbadd3e48fd164f6d039eeb715
SHA256 f8db696ab3532e63d7d4f93389ea875f019d704cee0067ac21bea01c16952029
SHA512 2b916c8ff735e471b585310e1e1efc9755168b843a452642b30655d017cd26789fe0963ade00f827bf8ad47daecb3c8ecc0c8b0452fed885a2b39b6ecd44161a

memory/2372-86-0x00007FF74F920000-0x00007FF74FC71000-memory.dmp

C:\Windows\System\xYpzdsn.exe

MD5 7882ecf089d9e716ecf70d4a64cc6473
SHA1 6d29747538b1c8d1c6f1ee089ceb18228cef5aab
SHA256 ce2ba9bd811f7fd760695a248bd46a85abbc81ae6e2be85d46d89012b6d3526d
SHA512 9ac0cfa901bb74e79cee6dac58835b3684e753ebed66600eb0d521fc92e635506b6d1408f4345a56828108287458f5863406fe865185408fe0b5a2e306f361b4

C:\Windows\System\nmDcelW.exe

MD5 17f0516b58f54139b73154dbc6330c6e
SHA1 298b0e479a69fbaabb889c08c436b01e89b197a5
SHA256 1b35d93ad0c1563a49f0203b890995989aad426c3fd0238ae8f3e272a4fd96bc
SHA512 eaf3f031b4e2e15bae5bd39d6b87b188d605b065dd566c6bf85513ea58e25280d62d622c2c04d166b40997c5904ecca2a4a66f9e2dcb9fedee8da217d9f797a7

memory/2872-83-0x00007FF6DCCA0000-0x00007FF6DCFF1000-memory.dmp

memory/1248-82-0x00007FF6FFE70000-0x00007FF7001C1000-memory.dmp

memory/2444-81-0x00007FF77B110000-0x00007FF77B461000-memory.dmp

memory/2100-79-0x00007FF7BAEA0000-0x00007FF7BB1F1000-memory.dmp

C:\Windows\System\CoHVkrj.exe

MD5 530ba1ee15541d5a4a62e366caa23ad0
SHA1 61a95066484b000d8822a7e9faea2b08ff57a5fd
SHA256 e4e9f1dfdfbb45630588fd1477171f0934100f2c294a70346579aee60edc88dc
SHA512 d2fd70270795c6b1f6d2b7668aba2bea30ed776efd24e16721c9d74c641d5f94989a38394222ba0f54c1cda11fdbe345b3eaaaba934c634ad00744c6e51045cc

C:\Windows\System\ZQSggQG.exe

MD5 d2a4496f7414a6e4c166c5386db44c52
SHA1 f267976cb51d5d9925502d618e79bf577660a2da
SHA256 815a0c3b3376338af46eaa207bdf94a227a5287d42ef864d593eb912ed6fb163
SHA512 1c75552f1cb04b1c45092342548e1986685f4cea9a66e37f802212b35304f2155b6ad9a3ff7f8ae236a9a92d1adfe61754a6758779e03fdac4adbccbd726ba55

memory/3740-71-0x00007FF6597F0000-0x00007FF659B41000-memory.dmp

memory/3824-67-0x00007FF672F20000-0x00007FF673271000-memory.dmp

memory/4448-62-0x00007FF6D38E0000-0x00007FF6D3C31000-memory.dmp

C:\Windows\System\XgxloNg.exe

MD5 830b1453fd09537dd237d70a39cab526
SHA1 6239d4f9dafdfe96be3606e13171f44935ed4771
SHA256 179ca7cb92af0abf5bcacd2b9a763d36192b83b182e3fa64262c0f7aed0a1d51
SHA512 011ab580893896ce09a529c590fb445742e1dcc54ab2a9bd9b733b5183703bf0c439d5e9f37becf71bc62ead91471cbbf8cb9f57564e3ef51a9a43dcb0f4b867

C:\Windows\System\jwVClVe.exe

MD5 e160607c756c0cd2e61a25ade5cd4551
SHA1 2cd60978a4654ba86beb59bc0b1ebb19cb2f8fb3
SHA256 41d23fe22f3c6fd30df5398fdfa39029dea984f673c76aa3d6cc75d6f4e17b26
SHA512 75b016f7a2cd22dca4dd2394f30c995d68cf521fc201f7558cdb3a4e9153b209d09bf9d7c57967ab9e87790857dd1835abba61507292bf95793156cda4d721ae

memory/628-25-0x00007FF6CC770000-0x00007FF6CCAC1000-memory.dmp

C:\Windows\System\YMDopTT.exe

MD5 f1fb829d1be5e87c7505bdccbcc0be70
SHA1 1ed14f9a1c94ea4af8cfd967c403c4d0d98e2fbb
SHA256 e5d24fe7f7f22d2b49689d936cb2337e9b3b1f3cf2917ba9d6cb1cd957fe1b2e
SHA512 34a057be91c2c3a141c22f047f308631d4f1b52bbf6ca9aea26511c6c641e8b5123d17059840866947534f40ce1d7ee4aecd6e6cc2d8f038adb13c006e0f0405

memory/3900-12-0x00007FF60F050000-0x00007FF60F3A1000-memory.dmp

C:\Windows\System\VUkHcpy.exe

MD5 5c69cddb8b852f8abdb0f673df50d2ee
SHA1 6623da1da8683987140e848efa091f323cc94312
SHA256 f3b79115de7f955575fc3ed4493bb5104225fd9ea8d0ba43c9e4f76278abdf91
SHA512 f6e07964ca0fdf21aa2189d53a35ff9d9d8b6cf2fa6cdc1e8eacbf8b456ce93aade0ab79be4b72279459584b96f3de55e63027fe5773e15858607ec40812812f

C:\Windows\System\KkLTvYG.exe

MD5 0e1fae0faaca22a843e215685c852ef8
SHA1 a334dbf2950582a2ec185106d67b480a187ca5ed
SHA256 1cf6252f67f75caf1f3c42986d04ffc396d944d99370b42fed851aed71123259
SHA512 97b9adacf0e67cb984ce2f8bb12031c1b395c68758c558ea8e93856eda0510dcd11b384395d7ad84fa69f6acc5c71163605e1a66d19d5c1e9c0ca772b1cc674c

C:\Windows\System\UruJsGg.exe

MD5 553a05130eb8055fe248a2ecea99e207
SHA1 c44e8291b10f4d76fa564780b403559560c78c25
SHA256 5f249f57f83beb1cebacf5b884bb6f2a1afb31d7ddfbbe72498d75f15731dd8c
SHA512 8b7e8bbe5142aba1dec305b5cb375e75c57cd9723aaf88948d8c5a37ae89d985b036cf0a12d2d39f4d34764ff2fd30462c5c55217bfc2a276d384a60f38849b8

memory/2104-142-0x00007FF753E90000-0x00007FF7541E1000-memory.dmp

memory/1000-143-0x00007FF64D270000-0x00007FF64D5C1000-memory.dmp

memory/2952-144-0x00007FF62A420000-0x00007FF62A771000-memory.dmp

memory/1844-141-0x00007FF6392A0000-0x00007FF6395F1000-memory.dmp

memory/4880-140-0x00007FF7CEAA0000-0x00007FF7CEDF1000-memory.dmp

C:\Windows\System\AKWTyew.exe

MD5 af2e9b17df2b3a3053222cbde9f9e53c
SHA1 133be167aa9120748f12158a1ed10406bfe86530
SHA256 909e98b5cf0c92e3ea3c1efdfd9dd16d82e1f358cbbac1f4e74dc6702d4c6719
SHA512 f5f3b5d36a50321932e46ada5842e0cf6d5904cf52fd7877c6317add61e2d0755530a8b8c46ff8fab337484abef946cd61ce0ad781984186c10e57877c19e1a5

memory/4556-129-0x00007FF658350000-0x00007FF6586A1000-memory.dmp

memory/2248-128-0x00007FF67DB80000-0x00007FF67DED1000-memory.dmp

C:\Windows\System\PvoBTKT.exe

MD5 92ea7dcbf2e2a816da613db73e74bf03
SHA1 2cdb5e67146f84ff91005a736bbe02acd31ffc3a
SHA256 287c022e91a0d1bfddfaead13e90fa94da71229082ee714d17f064c3d8563f8f
SHA512 76c5b6b44b0479250bb616abcb420e8e5801d5f796e2a7e72855bac47637d9a0d3aa1d495b403d61d98515ac894cb619e28a5c04cc1ad060cc7e1dfe9ce688d2

memory/3824-110-0x00007FF672F20000-0x00007FF673271000-memory.dmp

memory/4448-106-0x00007FF6D38E0000-0x00007FF6D3C31000-memory.dmp

memory/2720-105-0x00007FF798EA0000-0x00007FF7991F1000-memory.dmp

memory/2552-102-0x00007FF6B6840000-0x00007FF6B6B91000-memory.dmp

memory/628-100-0x00007FF6CC770000-0x00007FF6CCAC1000-memory.dmp

memory/3524-97-0x00007FF6D0B20000-0x00007FF6D0E71000-memory.dmp

memory/3524-145-0x00007FF6D0B20000-0x00007FF6D0E71000-memory.dmp

memory/3524-167-0x00007FF6D0B20000-0x00007FF6D0E71000-memory.dmp

memory/3524-168-0x00007FF6D0B20000-0x00007FF6D0E71000-memory.dmp

memory/3900-192-0x00007FF60F050000-0x00007FF60F3A1000-memory.dmp

memory/628-194-0x00007FF6CC770000-0x00007FF6CCAC1000-memory.dmp

memory/3740-196-0x00007FF6597F0000-0x00007FF659B41000-memory.dmp

memory/2552-199-0x00007FF6B6840000-0x00007FF6B6B91000-memory.dmp

memory/2328-200-0x00007FF6CC340000-0x00007FF6CC691000-memory.dmp

memory/4448-204-0x00007FF6D38E0000-0x00007FF6D3C31000-memory.dmp

memory/2100-206-0x00007FF7BAEA0000-0x00007FF7BB1F1000-memory.dmp

memory/3772-210-0x00007FF778A50000-0x00007FF778DA1000-memory.dmp

memory/2444-209-0x00007FF77B110000-0x00007FF77B461000-memory.dmp

memory/2720-203-0x00007FF798EA0000-0x00007FF7991F1000-memory.dmp

memory/3824-212-0x00007FF672F20000-0x00007FF673271000-memory.dmp

memory/2872-214-0x00007FF6DCCA0000-0x00007FF6DCFF1000-memory.dmp

memory/1248-216-0x00007FF6FFE70000-0x00007FF7001C1000-memory.dmp

memory/2248-222-0x00007FF67DB80000-0x00007FF67DED1000-memory.dmp

memory/2372-220-0x00007FF74F920000-0x00007FF74FC71000-memory.dmp

memory/4556-219-0x00007FF658350000-0x00007FF6586A1000-memory.dmp

memory/1844-234-0x00007FF6392A0000-0x00007FF6395F1000-memory.dmp

memory/1000-236-0x00007FF64D270000-0x00007FF64D5C1000-memory.dmp

memory/4880-240-0x00007FF7CEAA0000-0x00007FF7CEDF1000-memory.dmp

memory/2104-242-0x00007FF753E90000-0x00007FF7541E1000-memory.dmp

memory/2952-239-0x00007FF62A420000-0x00007FF62A771000-memory.dmp