Malware Analysis Report

2025-03-15 08:10

Sample ID 240530-bdd83she62
Target 2024-05-30_bcbc227d67f3d73034341a973dd731d8_cobalt-strike_cobaltstrike
SHA256 34c7c70ec2dd176df22551f6928b4c23ea1b324d20d95ade3d5a3e6a4e1a964c
Tags
upx 0 miner cobaltstrike xmrig backdoor trojan
score
10/10

Analysis Overview

score
10/10

SHA256

34c7c70ec2dd176df22551f6928b4c23ea1b324d20d95ade3d5a3e6a4e1a964c

Threat Level: Known bad

The file 2024-05-30_bcbc227d67f3d73034341a973dd731d8_cobalt-strike_cobaltstrike was found to be: Known bad.

Malicious Activity Summary

upx 0 miner cobaltstrike xmrig backdoor trojan

Cobaltstrike family

UPX dump on OEP (original entry point)

Cobalt Strike reflective loader

XMRig Miner payload

Xmrig family

Cobaltstrike

xmrig

Detects Reflective DLL injection artifacts

Executes dropped EXE

UPX packed file

Loads dropped DLL

Drops file in Windows directory

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-05-30 01:01

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike family

cobaltstrike

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

XMRig Miner payload

miner

Description Indicator Process Target
N/A N/A N/A N/A

Xmrig family

xmrig

UPX packed file

upx

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-30 01:01

Reported

2024-05-30 01:03

Platform

win7-20240419-en

Max time kernel

145s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-05-30_bcbc227d67f3d73034341a973dd731d8_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

XMRig Miner payload

miner

Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_bcbc227d67f3d73034341a973dd731d8_cobalt-strike_cobaltstrike.exe N/A

UPX packed file

upx

Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\GmiiXOC.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_bcbc227d67f3d73034341a973dd731d8_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\vyKcXnW.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_bcbc227d67f3d73034341a973dd731d8_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\fkgDDWv.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_bcbc227d67f3d73034341a973dd731d8_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\qNyWYsC.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_bcbc227d67f3d73034341a973dd731d8_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\XLCtvZp.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_bcbc227d67f3d73034341a973dd731d8_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\hHJZfov.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_bcbc227d67f3d73034341a973dd731d8_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\xtYByjm.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_bcbc227d67f3d73034341a973dd731d8_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\FdpJPYm.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_bcbc227d67f3d73034341a973dd731d8_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\YSMpmPy.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_bcbc227d67f3d73034341a973dd731d8_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\uRXbgIo.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_bcbc227d67f3d73034341a973dd731d8_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\bJxFmKq.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_bcbc227d67f3d73034341a973dd731d8_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\TqbqKqv.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_bcbc227d67f3d73034341a973dd731d8_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\EdIeRIC.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_bcbc227d67f3d73034341a973dd731d8_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\hycMwqq.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_bcbc227d67f3d73034341a973dd731d8_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\zMVJpeT.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_bcbc227d67f3d73034341a973dd731d8_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\VZcpHvV.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_bcbc227d67f3d73034341a973dd731d8_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ecKetds.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_bcbc227d67f3d73034341a973dd731d8_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\qAHFXgN.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_bcbc227d67f3d73034341a973dd731d8_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\PbeFDtr.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_bcbc227d67f3d73034341a973dd731d8_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\jFkhEik.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_bcbc227d67f3d73034341a973dd731d8_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\rxnRUdF.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_bcbc227d67f3d73034341a973dd731d8_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_bcbc227d67f3d73034341a973dd731d8_cobalt-strike_cobaltstrike.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_bcbc227d67f3d73034341a973dd731d8_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2068 wrote to memory of 1664 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_bcbc227d67f3d73034341a973dd731d8_cobalt-strike_cobaltstrike.exe C:\Windows\System\bJxFmKq.exe
PID 2068 wrote to memory of 1664 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_bcbc227d67f3d73034341a973dd731d8_cobalt-strike_cobaltstrike.exe C:\Windows\System\bJxFmKq.exe
PID 2068 wrote to memory of 1664 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_bcbc227d67f3d73034341a973dd731d8_cobalt-strike_cobaltstrike.exe C:\Windows\System\bJxFmKq.exe
PID 2068 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_bcbc227d67f3d73034341a973dd731d8_cobalt-strike_cobaltstrike.exe C:\Windows\System\PbeFDtr.exe
PID 2068 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_bcbc227d67f3d73034341a973dd731d8_cobalt-strike_cobaltstrike.exe C:\Windows\System\PbeFDtr.exe
PID 2068 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_bcbc227d67f3d73034341a973dd731d8_cobalt-strike_cobaltstrike.exe C:\Windows\System\PbeFDtr.exe
PID 2068 wrote to memory of 2912 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_bcbc227d67f3d73034341a973dd731d8_cobalt-strike_cobaltstrike.exe C:\Windows\System\TqbqKqv.exe
PID 2068 wrote to memory of 2912 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_bcbc227d67f3d73034341a973dd731d8_cobalt-strike_cobaltstrike.exe C:\Windows\System\TqbqKqv.exe
PID 2068 wrote to memory of 2912 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_bcbc227d67f3d73034341a973dd731d8_cobalt-strike_cobaltstrike.exe C:\Windows\System\TqbqKqv.exe
PID 2068 wrote to memory of 2956 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_bcbc227d67f3d73034341a973dd731d8_cobalt-strike_cobaltstrike.exe C:\Windows\System\EdIeRIC.exe
PID 2068 wrote to memory of 2956 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_bcbc227d67f3d73034341a973dd731d8_cobalt-strike_cobaltstrike.exe C:\Windows\System\EdIeRIC.exe
PID 2068 wrote to memory of 2956 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_bcbc227d67f3d73034341a973dd731d8_cobalt-strike_cobaltstrike.exe C:\Windows\System\EdIeRIC.exe
PID 2068 wrote to memory of 2844 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_bcbc227d67f3d73034341a973dd731d8_cobalt-strike_cobaltstrike.exe C:\Windows\System\jFkhEik.exe
PID 2068 wrote to memory of 2844 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_bcbc227d67f3d73034341a973dd731d8_cobalt-strike_cobaltstrike.exe C:\Windows\System\jFkhEik.exe
PID 2068 wrote to memory of 2844 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_bcbc227d67f3d73034341a973dd731d8_cobalt-strike_cobaltstrike.exe C:\Windows\System\jFkhEik.exe
PID 2068 wrote to memory of 2612 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_bcbc227d67f3d73034341a973dd731d8_cobalt-strike_cobaltstrike.exe C:\Windows\System\hycMwqq.exe
PID 2068 wrote to memory of 2612 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_bcbc227d67f3d73034341a973dd731d8_cobalt-strike_cobaltstrike.exe C:\Windows\System\hycMwqq.exe
PID 2068 wrote to memory of 2612 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_bcbc227d67f3d73034341a973dd731d8_cobalt-strike_cobaltstrike.exe C:\Windows\System\hycMwqq.exe
PID 2068 wrote to memory of 2624 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_bcbc227d67f3d73034341a973dd731d8_cobalt-strike_cobaltstrike.exe C:\Windows\System\FdpJPYm.exe
PID 2068 wrote to memory of 2624 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_bcbc227d67f3d73034341a973dd731d8_cobalt-strike_cobaltstrike.exe C:\Windows\System\FdpJPYm.exe
PID 2068 wrote to memory of 2624 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_bcbc227d67f3d73034341a973dd731d8_cobalt-strike_cobaltstrike.exe C:\Windows\System\FdpJPYm.exe
PID 2068 wrote to memory of 2856 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_bcbc227d67f3d73034341a973dd731d8_cobalt-strike_cobaltstrike.exe C:\Windows\System\rxnRUdF.exe
PID 2068 wrote to memory of 2856 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_bcbc227d67f3d73034341a973dd731d8_cobalt-strike_cobaltstrike.exe C:\Windows\System\rxnRUdF.exe
PID 2068 wrote to memory of 2856 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_bcbc227d67f3d73034341a973dd731d8_cobalt-strike_cobaltstrike.exe C:\Windows\System\rxnRUdF.exe
PID 2068 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_bcbc227d67f3d73034341a973dd731d8_cobalt-strike_cobaltstrike.exe C:\Windows\System\XLCtvZp.exe
PID 2068 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_bcbc227d67f3d73034341a973dd731d8_cobalt-strike_cobaltstrike.exe C:\Windows\System\XLCtvZp.exe
PID 2068 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_bcbc227d67f3d73034341a973dd731d8_cobalt-strike_cobaltstrike.exe C:\Windows\System\XLCtvZp.exe
PID 2068 wrote to memory of 2836 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_bcbc227d67f3d73034341a973dd731d8_cobalt-strike_cobaltstrike.exe C:\Windows\System\hHJZfov.exe
PID 2068 wrote to memory of 2836 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_bcbc227d67f3d73034341a973dd731d8_cobalt-strike_cobaltstrike.exe C:\Windows\System\hHJZfov.exe
PID 2068 wrote to memory of 2836 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_bcbc227d67f3d73034341a973dd731d8_cobalt-strike_cobaltstrike.exe C:\Windows\System\hHJZfov.exe
PID 2068 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_bcbc227d67f3d73034341a973dd731d8_cobalt-strike_cobaltstrike.exe C:\Windows\System\zMVJpeT.exe
PID 2068 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_bcbc227d67f3d73034341a973dd731d8_cobalt-strike_cobaltstrike.exe C:\Windows\System\zMVJpeT.exe
PID 2068 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_bcbc227d67f3d73034341a973dd731d8_cobalt-strike_cobaltstrike.exe C:\Windows\System\zMVJpeT.exe
PID 2068 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_bcbc227d67f3d73034341a973dd731d8_cobalt-strike_cobaltstrike.exe C:\Windows\System\VZcpHvV.exe
PID 2068 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_bcbc227d67f3d73034341a973dd731d8_cobalt-strike_cobaltstrike.exe C:\Windows\System\VZcpHvV.exe
PID 2068 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_bcbc227d67f3d73034341a973dd731d8_cobalt-strike_cobaltstrike.exe C:\Windows\System\VZcpHvV.exe
PID 2068 wrote to memory of 2584 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_bcbc227d67f3d73034341a973dd731d8_cobalt-strike_cobaltstrike.exe C:\Windows\System\xtYByjm.exe
PID 2068 wrote to memory of 2584 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_bcbc227d67f3d73034341a973dd731d8_cobalt-strike_cobaltstrike.exe C:\Windows\System\xtYByjm.exe
PID 2068 wrote to memory of 2584 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_bcbc227d67f3d73034341a973dd731d8_cobalt-strike_cobaltstrike.exe C:\Windows\System\xtYByjm.exe
PID 2068 wrote to memory of 2164 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_bcbc227d67f3d73034341a973dd731d8_cobalt-strike_cobaltstrike.exe C:\Windows\System\ecKetds.exe
PID 2068 wrote to memory of 2164 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_bcbc227d67f3d73034341a973dd731d8_cobalt-strike_cobaltstrike.exe C:\Windows\System\ecKetds.exe
PID 2068 wrote to memory of 2164 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_bcbc227d67f3d73034341a973dd731d8_cobalt-strike_cobaltstrike.exe C:\Windows\System\ecKetds.exe
PID 2068 wrote to memory of 1052 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_bcbc227d67f3d73034341a973dd731d8_cobalt-strike_cobaltstrike.exe C:\Windows\System\YSMpmPy.exe
PID 2068 wrote to memory of 1052 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_bcbc227d67f3d73034341a973dd731d8_cobalt-strike_cobaltstrike.exe C:\Windows\System\YSMpmPy.exe
PID 2068 wrote to memory of 1052 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_bcbc227d67f3d73034341a973dd731d8_cobalt-strike_cobaltstrike.exe C:\Windows\System\YSMpmPy.exe
PID 2068 wrote to memory of 1436 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_bcbc227d67f3d73034341a973dd731d8_cobalt-strike_cobaltstrike.exe C:\Windows\System\GmiiXOC.exe
PID 2068 wrote to memory of 1436 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_bcbc227d67f3d73034341a973dd731d8_cobalt-strike_cobaltstrike.exe C:\Windows\System\GmiiXOC.exe
PID 2068 wrote to memory of 1436 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_bcbc227d67f3d73034341a973dd731d8_cobalt-strike_cobaltstrike.exe C:\Windows\System\GmiiXOC.exe
PID 2068 wrote to memory of 1940 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_bcbc227d67f3d73034341a973dd731d8_cobalt-strike_cobaltstrike.exe C:\Windows\System\qAHFXgN.exe
PID 2068 wrote to memory of 1940 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_bcbc227d67f3d73034341a973dd731d8_cobalt-strike_cobaltstrike.exe C:\Windows\System\qAHFXgN.exe
PID 2068 wrote to memory of 1940 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_bcbc227d67f3d73034341a973dd731d8_cobalt-strike_cobaltstrike.exe C:\Windows\System\qAHFXgN.exe
PID 2068 wrote to memory of 1952 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_bcbc227d67f3d73034341a973dd731d8_cobalt-strike_cobaltstrike.exe C:\Windows\System\vyKcXnW.exe
PID 2068 wrote to memory of 1952 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_bcbc227d67f3d73034341a973dd731d8_cobalt-strike_cobaltstrike.exe C:\Windows\System\vyKcXnW.exe
PID 2068 wrote to memory of 1952 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_bcbc227d67f3d73034341a973dd731d8_cobalt-strike_cobaltstrike.exe C:\Windows\System\vyKcXnW.exe
PID 2068 wrote to memory of 1500 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_bcbc227d67f3d73034341a973dd731d8_cobalt-strike_cobaltstrike.exe C:\Windows\System\fkgDDWv.exe
PID 2068 wrote to memory of 1500 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_bcbc227d67f3d73034341a973dd731d8_cobalt-strike_cobaltstrike.exe C:\Windows\System\fkgDDWv.exe
PID 2068 wrote to memory of 1500 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_bcbc227d67f3d73034341a973dd731d8_cobalt-strike_cobaltstrike.exe C:\Windows\System\fkgDDWv.exe
PID 2068 wrote to memory of 1996 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_bcbc227d67f3d73034341a973dd731d8_cobalt-strike_cobaltstrike.exe C:\Windows\System\uRXbgIo.exe
PID 2068 wrote to memory of 1996 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_bcbc227d67f3d73034341a973dd731d8_cobalt-strike_cobaltstrike.exe C:\Windows\System\uRXbgIo.exe
PID 2068 wrote to memory of 1996 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_bcbc227d67f3d73034341a973dd731d8_cobalt-strike_cobaltstrike.exe C:\Windows\System\uRXbgIo.exe
PID 2068 wrote to memory of 1032 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_bcbc227d67f3d73034341a973dd731d8_cobalt-strike_cobaltstrike.exe C:\Windows\System\qNyWYsC.exe
PID 2068 wrote to memory of 1032 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_bcbc227d67f3d73034341a973dd731d8_cobalt-strike_cobaltstrike.exe C:\Windows\System\qNyWYsC.exe
PID 2068 wrote to memory of 1032 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_bcbc227d67f3d73034341a973dd731d8_cobalt-strike_cobaltstrike.exe C:\Windows\System\qNyWYsC.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-05-30_bcbc227d67f3d73034341a973dd731d8_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-05-30_bcbc227d67f3d73034341a973dd731d8_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\bJxFmKq.exe

C:\Windows\System\PbeFDtr.exe

C:\Windows\System\TqbqKqv.exe

C:\Windows\System\EdIeRIC.exe

C:\Windows\System\jFkhEik.exe

C:\Windows\System\hycMwqq.exe

C:\Windows\System\FdpJPYm.exe

C:\Windows\System\rxnRUdF.exe

C:\Windows\System\XLCtvZp.exe

C:\Windows\System\hHJZfov.exe

C:\Windows\System\zMVJpeT.exe

C:\Windows\System\VZcpHvV.exe

C:\Windows\System\xtYByjm.exe

C:\Windows\System\ecKetds.exe

C:\Windows\System\YSMpmPy.exe

C:\Windows\System\GmiiXOC.exe

C:\Windows\System\qAHFXgN.exe

C:\Windows\System\vyKcXnW.exe

C:\Windows\System\fkgDDWv.exe

C:\Windows\System\uRXbgIo.exe

C:\Windows\System\qNyWYsC.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 tcp

Files


memory/2956-38-0x000000013F8C0000-0x000000013FC11000-memory.dmp

memory/2068-37-0x000000013F8C0000-0x000000013FC11000-memory.dmp

memory/1664-34-0x000000013FC20000-0x000000013FF71000-memory.dmp

memory/2692-149-0x000000013F860000-0x000000013FBB1000-memory.dmp

memory/2584-151-0x000000013FF40000-0x0000000140291000-memory.dmp

memory/2520-150-0x000000013FBA0000-0x000000013FEF1000-memory.dmp

memory/2836-148-0x000000013FEE0000-0x0000000140231000-memory.dmp

memory/2068-138-0x000000013F470000-0x000000013F7C1000-memory.dmp

memory/2068-11-0x000000013FAC0000-0x000000013FE11000-memory.dmp

memory/2068-7-0x000000013FC20000-0x000000013FF71000-memory.dmp

memory/1500-157-0x000000013F510000-0x000000013F861000-memory.dmp

memory/1032-159-0x000000013F1F0000-0x000000013F541000-memory.dmp

memory/1996-158-0x000000013F930000-0x000000013FC81000-memory.dmp

memory/1952-156-0x000000013F870000-0x000000013FBC1000-memory.dmp

memory/1940-155-0x000000013FB40000-0x000000013FE91000-memory.dmp

memory/1436-154-0x000000013F300000-0x000000013F651000-memory.dmp

memory/1052-153-0x000000013F6C0000-0x000000013FA11000-memory.dmp

memory/2164-152-0x000000013F750000-0x000000013FAA1000-memory.dmp

memory/2068-160-0x000000013FF40000-0x0000000140291000-memory.dmp

memory/2068-161-0x000000013F470000-0x000000013F7C1000-memory.dmp

memory/2068-183-0x0000000002410000-0x0000000002761000-memory.dmp

memory/2604-207-0x000000013FAC0000-0x000000013FE11000-memory.dmp

memory/2956-210-0x000000013F8C0000-0x000000013FC11000-memory.dmp

memory/1664-211-0x000000013FC20000-0x000000013FF71000-memory.dmp

memory/2912-213-0x000000013FD30000-0x0000000140081000-memory.dmp

memory/2612-215-0x000000013F470000-0x000000013F7C1000-memory.dmp

memory/2856-219-0x000000013F2D0000-0x000000013F621000-memory.dmp

memory/2844-217-0x000000013F800000-0x000000013FB51000-memory.dmp

memory/2624-223-0x000000013F0D0000-0x000000013F421000-memory.dmp

memory/2556-222-0x000000013FAA0000-0x000000013FDF1000-memory.dmp

memory/2836-225-0x000000013FEE0000-0x0000000140231000-memory.dmp

memory/2692-241-0x000000013F860000-0x000000013FBB1000-memory.dmp

memory/2520-233-0x000000013FBA0000-0x000000013FEF1000-memory.dmp

memory/2164-245-0x000000013F750000-0x000000013FAA1000-memory.dmp

memory/2584-244-0x000000013FF40000-0x0000000140291000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-30 01:01

Reported

2024-05-30 01:04

Platform

win10v2004-20240508-en

Max time kernel

149s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-05-30_bcbc227d67f3d73034341a973dd731d8_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\lGNDimT.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_bcbc227d67f3d73034341a973dd731d8_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\nnykvCw.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_bcbc227d67f3d73034341a973dd731d8_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\neUMNxu.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_bcbc227d67f3d73034341a973dd731d8_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\NuTagyu.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_bcbc227d67f3d73034341a973dd731d8_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\mQZpjaC.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_bcbc227d67f3d73034341a973dd731d8_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\dIluwjn.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_bcbc227d67f3d73034341a973dd731d8_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\WDNPKHE.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_bcbc227d67f3d73034341a973dd731d8_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\DAjSMTr.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_bcbc227d67f3d73034341a973dd731d8_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\QcLMJnK.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_bcbc227d67f3d73034341a973dd731d8_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\vlBScoT.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_bcbc227d67f3d73034341a973dd731d8_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\nqTSQXc.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_bcbc227d67f3d73034341a973dd731d8_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\jcYGjmG.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_bcbc227d67f3d73034341a973dd731d8_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\NAPEHmd.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_bcbc227d67f3d73034341a973dd731d8_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\IKckOAD.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_bcbc227d67f3d73034341a973dd731d8_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\pNruAIC.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_bcbc227d67f3d73034341a973dd731d8_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\oCgPtrD.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_bcbc227d67f3d73034341a973dd731d8_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\MRNfCeN.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_bcbc227d67f3d73034341a973dd731d8_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\oiPbuma.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_bcbc227d67f3d73034341a973dd731d8_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\vivNLAa.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_bcbc227d67f3d73034341a973dd731d8_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\grBHHAe.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_bcbc227d67f3d73034341a973dd731d8_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\YtVfnRI.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_bcbc227d67f3d73034341a973dd731d8_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_bcbc227d67f3d73034341a973dd731d8_cobalt-strike_cobaltstrike.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_bcbc227d67f3d73034341a973dd731d8_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1856 wrote to memory of 1984 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_bcbc227d67f3d73034341a973dd731d8_cobalt-strike_cobaltstrike.exe C:\Windows\System\lGNDimT.exe
PID 1856 wrote to memory of 1984 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_bcbc227d67f3d73034341a973dd731d8_cobalt-strike_cobaltstrike.exe C:\Windows\System\lGNDimT.exe
PID 1856 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_bcbc227d67f3d73034341a973dd731d8_cobalt-strike_cobaltstrike.exe C:\Windows\System\QcLMJnK.exe
PID 1856 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_bcbc227d67f3d73034341a973dd731d8_cobalt-strike_cobaltstrike.exe C:\Windows\System\QcLMJnK.exe
PID 1856 wrote to memory of 1992 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_bcbc227d67f3d73034341a973dd731d8_cobalt-strike_cobaltstrike.exe C:\Windows\System\MRNfCeN.exe
PID 1856 wrote to memory of 1992 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_bcbc227d67f3d73034341a973dd731d8_cobalt-strike_cobaltstrike.exe C:\Windows\System\MRNfCeN.exe
PID 1856 wrote to memory of 1020 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_bcbc227d67f3d73034341a973dd731d8_cobalt-strike_cobaltstrike.exe C:\Windows\System\vlBScoT.exe
PID 1856 wrote to memory of 1020 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_bcbc227d67f3d73034341a973dd731d8_cobalt-strike_cobaltstrike.exe C:\Windows\System\vlBScoT.exe
PID 1856 wrote to memory of 2396 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_bcbc227d67f3d73034341a973dd731d8_cobalt-strike_cobaltstrike.exe C:\Windows\System\nqTSQXc.exe
PID 1856 wrote to memory of 2396 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_bcbc227d67f3d73034341a973dd731d8_cobalt-strike_cobaltstrike.exe C:\Windows\System\nqTSQXc.exe
PID 1856 wrote to memory of 3672 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_bcbc227d67f3d73034341a973dd731d8_cobalt-strike_cobaltstrike.exe C:\Windows\System\oiPbuma.exe
PID 1856 wrote to memory of 3672 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_bcbc227d67f3d73034341a973dd731d8_cobalt-strike_cobaltstrike.exe C:\Windows\System\oiPbuma.exe
PID 1856 wrote to memory of 4912 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_bcbc227d67f3d73034341a973dd731d8_cobalt-strike_cobaltstrike.exe C:\Windows\System\jcYGjmG.exe
PID 1856 wrote to memory of 4912 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_bcbc227d67f3d73034341a973dd731d8_cobalt-strike_cobaltstrike.exe C:\Windows\System\jcYGjmG.exe
PID 1856 wrote to memory of 4944 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_bcbc227d67f3d73034341a973dd731d8_cobalt-strike_cobaltstrike.exe C:\Windows\System\vivNLAa.exe
PID 1856 wrote to memory of 4944 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_bcbc227d67f3d73034341a973dd731d8_cobalt-strike_cobaltstrike.exe C:\Windows\System\vivNLAa.exe
PID 1856 wrote to memory of 2372 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_bcbc227d67f3d73034341a973dd731d8_cobalt-strike_cobaltstrike.exe C:\Windows\System\dIluwjn.exe
PID 1856 wrote to memory of 2372 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_bcbc227d67f3d73034341a973dd731d8_cobalt-strike_cobaltstrike.exe C:\Windows\System\dIluwjn.exe
PID 1856 wrote to memory of 2444 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_bcbc227d67f3d73034341a973dd731d8_cobalt-strike_cobaltstrike.exe C:\Windows\System\grBHHAe.exe
PID 1856 wrote to memory of 2444 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_bcbc227d67f3d73034341a973dd731d8_cobalt-strike_cobaltstrike.exe C:\Windows\System\grBHHAe.exe
PID 1856 wrote to memory of 2308 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_bcbc227d67f3d73034341a973dd731d8_cobalt-strike_cobaltstrike.exe C:\Windows\System\WDNPKHE.exe
PID 1856 wrote to memory of 2308 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_bcbc227d67f3d73034341a973dd731d8_cobalt-strike_cobaltstrike.exe C:\Windows\System\WDNPKHE.exe
PID 1856 wrote to memory of 4184 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_bcbc227d67f3d73034341a973dd731d8_cobalt-strike_cobaltstrike.exe C:\Windows\System\NAPEHmd.exe
PID 1856 wrote to memory of 4184 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_bcbc227d67f3d73034341a973dd731d8_cobalt-strike_cobaltstrike.exe C:\Windows\System\NAPEHmd.exe
PID 1856 wrote to memory of 1836 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_bcbc227d67f3d73034341a973dd731d8_cobalt-strike_cobaltstrike.exe C:\Windows\System\IKckOAD.exe
PID 1856 wrote to memory of 1836 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_bcbc227d67f3d73034341a973dd731d8_cobalt-strike_cobaltstrike.exe C:\Windows\System\IKckOAD.exe
PID 1856 wrote to memory of 3036 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_bcbc227d67f3d73034341a973dd731d8_cobalt-strike_cobaltstrike.exe C:\Windows\System\DAjSMTr.exe
PID 1856 wrote to memory of 3036 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_bcbc227d67f3d73034341a973dd731d8_cobalt-strike_cobaltstrike.exe C:\Windows\System\DAjSMTr.exe
PID 1856 wrote to memory of 3216 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_bcbc227d67f3d73034341a973dd731d8_cobalt-strike_cobaltstrike.exe C:\Windows\System\NuTagyu.exe
PID 1856 wrote to memory of 3216 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_bcbc227d67f3d73034341a973dd731d8_cobalt-strike_cobaltstrike.exe C:\Windows\System\NuTagyu.exe
PID 1856 wrote to memory of 4216 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_bcbc227d67f3d73034341a973dd731d8_cobalt-strike_cobaltstrike.exe C:\Windows\System\pNruAIC.exe
PID 1856 wrote to memory of 4216 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_bcbc227d67f3d73034341a973dd731d8_cobalt-strike_cobaltstrike.exe C:\Windows\System\pNruAIC.exe
PID 1856 wrote to memory of 4920 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_bcbc227d67f3d73034341a973dd731d8_cobalt-strike_cobaltstrike.exe C:\Windows\System\oCgPtrD.exe
PID 1856 wrote to memory of 4920 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_bcbc227d67f3d73034341a973dd731d8_cobalt-strike_cobaltstrike.exe C:\Windows\System\oCgPtrD.exe
PID 1856 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_bcbc227d67f3d73034341a973dd731d8_cobalt-strike_cobaltstrike.exe C:\Windows\System\nnykvCw.exe
PID 1856 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_bcbc227d67f3d73034341a973dd731d8_cobalt-strike_cobaltstrike.exe C:\Windows\System\nnykvCw.exe
PID 1856 wrote to memory of 996 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_bcbc227d67f3d73034341a973dd731d8_cobalt-strike_cobaltstrike.exe C:\Windows\System\mQZpjaC.exe
PID 1856 wrote to memory of 996 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_bcbc227d67f3d73034341a973dd731d8_cobalt-strike_cobaltstrike.exe C:\Windows\System\mQZpjaC.exe
PID 1856 wrote to memory of 2924 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_bcbc227d67f3d73034341a973dd731d8_cobalt-strike_cobaltstrike.exe C:\Windows\System\neUMNxu.exe
PID 1856 wrote to memory of 2924 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_bcbc227d67f3d73034341a973dd731d8_cobalt-strike_cobaltstrike.exe C:\Windows\System\neUMNxu.exe
PID 1856 wrote to memory of 4828 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_bcbc227d67f3d73034341a973dd731d8_cobalt-strike_cobaltstrike.exe C:\Windows\System\YtVfnRI.exe
PID 1856 wrote to memory of 4828 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_bcbc227d67f3d73034341a973dd731d8_cobalt-strike_cobaltstrike.exe C:\Windows\System\YtVfnRI.exe

Processes

Process Command line
C:\Users\Admin\AppData\Local\Temp\2024-05-30_bcbc227d67f3d73034341a973dd731d8_cobalt-strike_cobaltstrike.exe "C:\Users\Admin\AppData\Local\Temp\2024-05-30_bcbc227d67f3d73034341a973dd731d8_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\lGNDimT.exe C:\Windows\System\lGNDimT.exe
C:\Windows\System\QcLMJnK.exe C:\Windows\System\QcLMJnK.exe
C:\Windows\System\MRNfCeN.exe C:\Windows\System\MRNfCeN.exe
C:\Windows\System\vlBScoT.exe C:\Windows\System\vlBScoT.exe
C:\Windows\System\nqTSQXc.exe C:\Windows\System\nqTSQXc.exe
C:\Windows\System\oiPbuma.exe C:\Windows\System\oiPbuma.exe
C:\Windows\System\jcYGjmG.exe C:\Windows\System\jcYGjmG.exe
C:\Windows\System\vivNLAa.exe C:\Windows\System\vivNLAa.exe
C:\Windows\System\dIluwjn.exe C:\Windows\System\dIluwjn.exe
C:\Windows\System\grBHHAe.exe C:\Windows\System\grBHHAe.exe
C:\Windows\System\WDNPKHE.exe C:\Windows\System\WDNPKHE.exe
C:\Windows\System\NAPEHmd.exe C:\Windows\System\NAPEHmd.exe
C:\Windows\System\IKckOAD.exe C:\Windows\System\IKckOAD.exe
C:\Windows\System\DAjSMTr.exe C:\Windows\System\DAjSMTr.exe
C:\Windows\System\NuTagyu.exe C:\Windows\System\NuTagyu.exe
C:\Windows\System\pNruAIC.exe C:\Windows\System\pNruAIC.exe
C:\Windows\System\oCgPtrD.exe C:\Windows\System\oCgPtrD.exe
C:\Windows\System\nnykvCw.exe C:\Windows\System\nnykvCw.exe
C:\Windows\System\mQZpjaC.exe C:\Windows\System\mQZpjaC.exe
C:\Windows\System\neUMNxu.exe C:\Windows\System\neUMNxu.exe
C:\Windows\System\YtVfnRI.exe C:\Windows\System\YtVfnRI.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 205.201.50.20.in-addr.arpa udp

Files
