Malware Analysis Report

2025-01-22 19:43

Sample ID 240601-r3y8jseh4t
Target 2024-06-01_5497e75f86123fd662b7912fea9fa50b_cobalt-strike_cobaltstrike
SHA256 72f739bdfe9de101b9641897b491ee14e1b9bb1cd5097ac977eb93d17d32b817
Tags
miner upx 0 xmrig cobaltstrike backdoor trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

72f739bdfe9de101b9641897b491ee14e1b9bb1cd5097ac977eb93d17d32b817

Threat Level: Known bad

The file 2024-06-01_5497e75f86123fd662b7912fea9fa50b_cobalt-strike_cobaltstrike was found to be: Known bad.

Malicious Activity Summary

miner upx 0 xmrig cobaltstrike backdoor trojan

Cobaltstrike family

XMRig Miner payload

UPX dump on OEP (original entry point)

Cobalt Strike reflective loader

xmrig

Cobaltstrike

Xmrig family

Detects Reflective DLL injection artifacts

UPX packed file

Loads dropped DLL

Executes dropped EXE

Drops file in Windows directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-01 14:43

Signatures

Cobalt Strike reflective loader

Cobaltstrike family

cobaltstrike

Detects Reflective DLL injection artifacts

UPX dump on OEP (original entry point)

XMRig Miner payload

miner

Xmrig family

xmrig

UPX packed file

upx

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-01 14:43

Reported

2024-06-01 14:46

Platform

win7-20240221-en

Max time kernel

124s

Max time network

138s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-01_5497e75f86123fd662b7912fea9fa50b_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

UPX dump on OEP (original entry point)

XMRig Miner payload

miner

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5497e75f86123fd662b7912fea9fa50b_cobalt-strike_cobaltstrike.exe N/A

UPX packed file

upx

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\niGmISK.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_5497e75f86123fd662b7912fea9fa50b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\EPKQywY.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_5497e75f86123fd662b7912fea9fa50b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\HpLncPo.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_5497e75f86123fd662b7912fea9fa50b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\OlTXbBE.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_5497e75f86123fd662b7912fea9fa50b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\lAVtHTW.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_5497e75f86123fd662b7912fea9fa50b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\QsTTAzB.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_5497e75f86123fd662b7912fea9fa50b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\uBimmFm.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_5497e75f86123fd662b7912fea9fa50b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\rTmlVoA.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_5497e75f86123fd662b7912fea9fa50b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\bXHTfnw.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_5497e75f86123fd662b7912fea9fa50b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\QgQBLNl.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_5497e75f86123fd662b7912fea9fa50b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\oXVIeRC.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_5497e75f86123fd662b7912fea9fa50b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\RXaqXbF.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_5497e75f86123fd662b7912fea9fa50b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\gQmHqqk.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_5497e75f86123fd662b7912fea9fa50b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\QTasuve.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_5497e75f86123fd662b7912fea9fa50b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\CoRfJRN.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_5497e75f86123fd662b7912fea9fa50b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\xYYzDok.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_5497e75f86123fd662b7912fea9fa50b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\SqoKIGV.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_5497e75f86123fd662b7912fea9fa50b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ngzuARR.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_5497e75f86123fd662b7912fea9fa50b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\PVCdLnJ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_5497e75f86123fd662b7912fea9fa50b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\xOdCWGl.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_5497e75f86123fd662b7912fea9fa50b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\PdpmgCL.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_5497e75f86123fd662b7912fea9fa50b_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5497e75f86123fd662b7912fea9fa50b_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2704 wrote to memory of 1708 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5497e75f86123fd662b7912fea9fa50b_cobalt-strike_cobaltstrike.exe C:\Windows\System\niGmISK.exe
PID 2704 wrote to memory of 2308 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5497e75f86123fd662b7912fea9fa50b_cobalt-strike_cobaltstrike.exe C:\Windows\System\xYYzDok.exe
PID 2704 wrote to memory of 2012 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5497e75f86123fd662b7912fea9fa50b_cobalt-strike_cobaltstrike.exe C:\Windows\System\SqoKIGV.exe
PID 2704 wrote to memory of 2912 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5497e75f86123fd662b7912fea9fa50b_cobalt-strike_cobaltstrike.exe C:\Windows\System\lAVtHTW.exe
PID 2704 wrote to memory of 2876 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5497e75f86123fd662b7912fea9fa50b_cobalt-strike_cobaltstrike.exe C:\Windows\System\QgQBLNl.exe
PID 2704 wrote to memory of 2588 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5497e75f86123fd662b7912fea9fa50b_cobalt-strike_cobaltstrike.exe C:\Windows\System\QsTTAzB.exe
PID 2704 wrote to memory of 2504 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5497e75f86123fd662b7912fea9fa50b_cobalt-strike_cobaltstrike.exe C:\Windows\System\EPKQywY.exe
PID 2704 wrote to memory of 2560 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5497e75f86123fd662b7912fea9fa50b_cobalt-strike_cobaltstrike.exe C:\Windows\System\ngzuARR.exe
PID 2704 wrote to memory of 2536 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5497e75f86123fd662b7912fea9fa50b_cobalt-strike_cobaltstrike.exe C:\Windows\System\uBimmFm.exe
PID 2704 wrote to memory of 2128 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5497e75f86123fd662b7912fea9fa50b_cobalt-strike_cobaltstrike.exe C:\Windows\System\PVCdLnJ.exe
PID 2704 wrote to memory of 2428 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5497e75f86123fd662b7912fea9fa50b_cobalt-strike_cobaltstrike.exe C:\Windows\System\xOdCWGl.exe
PID 2704 wrote to memory of 2400 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5497e75f86123fd662b7912fea9fa50b_cobalt-strike_cobaltstrike.exe C:\Windows\System\gQmHqqk.exe
PID 2704 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5497e75f86123fd662b7912fea9fa50b_cobalt-strike_cobaltstrike.exe C:\Windows\System\QTasuve.exe
PID 2704 wrote to memory of 1476 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5497e75f86123fd662b7912fea9fa50b_cobalt-strike_cobaltstrike.exe C:\Windows\System\rTmlVoA.exe
PID 2704 wrote to memory of 1472 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5497e75f86123fd662b7912fea9fa50b_cobalt-strike_cobaltstrike.exe C:\Windows\System\HpLncPo.exe
PID 2704 wrote to memory of 1884 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5497e75f86123fd662b7912fea9fa50b_cobalt-strike_cobaltstrike.exe C:\Windows\System\oXVIeRC.exe
PID 2704 wrote to memory of 1768 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5497e75f86123fd662b7912fea9fa50b_cobalt-strike_cobaltstrike.exe C:\Windows\System\CoRfJRN.exe
PID 2704 wrote to memory of 1984 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5497e75f86123fd662b7912fea9fa50b_cobalt-strike_cobaltstrike.exe C:\Windows\System\RXaqXbF.exe
PID 2704 wrote to memory of 1724 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5497e75f86123fd662b7912fea9fa50b_cobalt-strike_cobaltstrike.exe C:\Windows\System\OlTXbBE.exe
PID 2704 wrote to memory of 2204 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5497e75f86123fd662b7912fea9fa50b_cobalt-strike_cobaltstrike.exe C:\Windows\System\bXHTfnw.exe
PID 2704 wrote to memory of 772 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5497e75f86123fd662b7912fea9fa50b_cobalt-strike_cobaltstrike.exe C:\Windows\System\PdpmgCL.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-01_5497e75f86123fd662b7912fea9fa50b_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-01_5497e75f86123fd662b7912fea9fa50b_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\niGmISK.exe

C:\Windows\System\xYYzDok.exe

C:\Windows\System\SqoKIGV.exe

C:\Windows\System\lAVtHTW.exe

C:\Windows\System\QgQBLNl.exe

C:\Windows\System\QsTTAzB.exe

C:\Windows\System\EPKQywY.exe

C:\Windows\System\ngzuARR.exe

C:\Windows\System\uBimmFm.exe

C:\Windows\System\PVCdLnJ.exe

C:\Windows\System\xOdCWGl.exe

C:\Windows\System\gQmHqqk.exe

C:\Windows\System\QTasuve.exe

C:\Windows\System\rTmlVoA.exe

C:\Windows\System\HpLncPo.exe

C:\Windows\System\oXVIeRC.exe

C:\Windows\System\CoRfJRN.exe

C:\Windows\System\RXaqXbF.exe

C:\Windows\System\OlTXbBE.exe

C:\Windows\System\bXHTfnw.exe

C:\Windows\System\PdpmgCL.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 tcp

Files

C:\Windows\system\niGmISK.exe

\Windows\system\xYYzDok.exe

\Windows\system\SqoKIGV.exe

C:\Windows\system\PVCdLnJ.exe

\Windows\system\HpLncPo.exe

\Windows\system\oXVIeRC.exe

\Windows\system\bXHTfnw.exe

\Windows\system\RXaqXbF.exe

\Windows\system\rTmlVoA.exe

\Windows\system\gQmHqqk.exe

C:\Windows\system\PdpmgCL.exe

C:\Windows\system\OlTXbBE.exe

C:\Windows\system\CoRfJRN.exe

C:\Windows\system\QTasuve.exe

C:\Windows\system\xOdCWGl.exe

C:\Windows\system\ngzuARR.exe

C:\Windows\system\QsTTAzB.exe

C:\Windows\system\uBimmFm.exe

C:\Windows\system\EPKQywY.exe

C:\Windows\system\QgQBLNl.exe

C:\Windows\system\lAVtHTW.exe

memory/2704-26-0x000000013F180000-0x000000013F4D4000-memory.dmp

memory/2704-25-0x000000013F2D0000-0x000000013F624000-memory.dmp

memory/1708-24-0x000000013FE30000-0x0000000140184000-memory.dmp

memory/2012-23-0x000000013FC60000-0x000000013FFB4000-memory.dmp

memory/2704-22-0x0000000002640000-0x0000000002994000-memory.dmp

memory/2536-139-0x000000013FD20000-0x0000000140074000-memory.dmp

memory/2588-140-0x000000013F1B0000-0x000000013F504000-memory.dmp

memory/2128-142-0x000000013F660000-0x000000013F9B4000-memory.dmp

memory/2560-141-0x000000013FF10000-0x0000000140264000-memory.dmp

memory/2704-143-0x000000013F840000-0x000000013FB94000-memory.dmp

memory/2704-145-0x0000000002640000-0x0000000002994000-memory.dmp

memory/2704-144-0x0000000002640000-0x0000000002994000-memory.dmp

memory/1708-146-0x000000013FE30000-0x0000000140184000-memory.dmp

memory/2308-147-0x000000013F2D0000-0x000000013F624000-memory.dmp

memory/2012-148-0x000000013FC60000-0x000000013FFB4000-memory.dmp

memory/2912-149-0x000000013F180000-0x000000013F4D4000-memory.dmp

memory/2876-150-0x000000013FB20000-0x000000013FE74000-memory.dmp

memory/2504-151-0x000000013F850000-0x000000013FBA4000-memory.dmp

memory/2536-152-0x000000013FD20000-0x0000000140074000-memory.dmp

memory/2128-154-0x000000013F660000-0x000000013F9B4000-memory.dmp

memory/2560-153-0x000000013FF10000-0x0000000140264000-memory.dmp

memory/2428-155-0x000000013F840000-0x000000013FB94000-memory.dmp

memory/2600-156-0x000000013F1D0000-0x000000013F524000-memory.dmp

memory/2400-158-0x000000013F5B0000-0x000000013F904000-memory.dmp

memory/2588-157-0x000000013F1B0000-0x000000013F504000-memory.dmp

memory/1472-159-0x000000013FBE0000-0x000000013FF34000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-01 14:43

Reported

2024-06-01 14:46

Platform

win10v2004-20240508-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-01_5497e75f86123fd662b7912fea9fa50b_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\vskGxgF.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_5497e75f86123fd662b7912fea9fa50b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\aQSTWjE.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_5497e75f86123fd662b7912fea9fa50b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\bDkyBup.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_5497e75f86123fd662b7912fea9fa50b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\oEzttvg.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_5497e75f86123fd662b7912fea9fa50b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\gxzsqzk.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_5497e75f86123fd662b7912fea9fa50b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\UvZRHZt.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_5497e75f86123fd662b7912fea9fa50b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\EesWnFX.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_5497e75f86123fd662b7912fea9fa50b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\zFblvxx.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_5497e75f86123fd662b7912fea9fa50b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\dlipMph.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_5497e75f86123fd662b7912fea9fa50b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ZWvVRTE.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_5497e75f86123fd662b7912fea9fa50b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\BzgDCKQ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_5497e75f86123fd662b7912fea9fa50b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\wueJdXN.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_5497e75f86123fd662b7912fea9fa50b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\LMNCjfs.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_5497e75f86123fd662b7912fea9fa50b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\NwMwsXC.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_5497e75f86123fd662b7912fea9fa50b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\SimjzMf.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_5497e75f86123fd662b7912fea9fa50b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\hwRmRWM.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_5497e75f86123fd662b7912fea9fa50b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\vQrsxmR.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_5497e75f86123fd662b7912fea9fa50b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\XlCDkbb.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_5497e75f86123fd662b7912fea9fa50b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\bWloBdA.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_5497e75f86123fd662b7912fea9fa50b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\KvVxuGB.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_5497e75f86123fd662b7912fea9fa50b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\iKKiqxi.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_5497e75f86123fd662b7912fea9fa50b_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5497e75f86123fd662b7912fea9fa50b_cobalt-strike_cobaltstrike.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5497e75f86123fd662b7912fea9fa50b_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1100 wrote to memory of 3908 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5497e75f86123fd662b7912fea9fa50b_cobalt-strike_cobaltstrike.exe C:\Windows\System\dlipMph.exe
PID 1100 wrote to memory of 3908 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5497e75f86123fd662b7912fea9fa50b_cobalt-strike_cobaltstrike.exe C:\Windows\System\dlipMph.exe
PID 1100 wrote to memory of 4352 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5497e75f86123fd662b7912fea9fa50b_cobalt-strike_cobaltstrike.exe C:\Windows\System\vQrsxmR.exe
PID 1100 wrote to memory of 4352 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5497e75f86123fd662b7912fea9fa50b_cobalt-strike_cobaltstrike.exe C:\Windows\System\vQrsxmR.exe
PID 1100 wrote to memory of 8 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5497e75f86123fd662b7912fea9fa50b_cobalt-strike_cobaltstrike.exe C:\Windows\System\ZWvVRTE.exe
PID 1100 wrote to memory of 8 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5497e75f86123fd662b7912fea9fa50b_cobalt-strike_cobaltstrike.exe C:\Windows\System\ZWvVRTE.exe
PID 1100 wrote to memory of 1020 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5497e75f86123fd662b7912fea9fa50b_cobalt-strike_cobaltstrike.exe C:\Windows\System\vskGxgF.exe
PID 1100 wrote to memory of 1020 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5497e75f86123fd662b7912fea9fa50b_cobalt-strike_cobaltstrike.exe C:\Windows\System\vskGxgF.exe
PID 1100 wrote to memory of 464 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5497e75f86123fd662b7912fea9fa50b_cobalt-strike_cobaltstrike.exe C:\Windows\System\UvZRHZt.exe
PID 1100 wrote to memory of 464 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5497e75f86123fd662b7912fea9fa50b_cobalt-strike_cobaltstrike.exe C:\Windows\System\UvZRHZt.exe
PID 1100 wrote to memory of 4124 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5497e75f86123fd662b7912fea9fa50b_cobalt-strike_cobaltstrike.exe C:\Windows\System\BzgDCKQ.exe
PID 1100 wrote to memory of 4124 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5497e75f86123fd662b7912fea9fa50b_cobalt-strike_cobaltstrike.exe C:\Windows\System\BzgDCKQ.exe
PID 1100 wrote to memory of 1932 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5497e75f86123fd662b7912fea9fa50b_cobalt-strike_cobaltstrike.exe C:\Windows\System\aQSTWjE.exe
PID 1100 wrote to memory of 1932 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5497e75f86123fd662b7912fea9fa50b_cobalt-strike_cobaltstrike.exe C:\Windows\System\aQSTWjE.exe
PID 1100 wrote to memory of 4516 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5497e75f86123fd662b7912fea9fa50b_cobalt-strike_cobaltstrike.exe C:\Windows\System\bDkyBup.exe
PID 1100 wrote to memory of 4516 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5497e75f86123fd662b7912fea9fa50b_cobalt-strike_cobaltstrike.exe C:\Windows\System\bDkyBup.exe
PID 1100 wrote to memory of 5028 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5497e75f86123fd662b7912fea9fa50b_cobalt-strike_cobaltstrike.exe C:\Windows\System\oEzttvg.exe
PID 1100 wrote to memory of 5028 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5497e75f86123fd662b7912fea9fa50b_cobalt-strike_cobaltstrike.exe C:\Windows\System\oEzttvg.exe
PID 1100 wrote to memory of 1180 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5497e75f86123fd662b7912fea9fa50b_cobalt-strike_cobaltstrike.exe C:\Windows\System\XlCDkbb.exe
PID 1100 wrote to memory of 1180 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5497e75f86123fd662b7912fea9fa50b_cobalt-strike_cobaltstrike.exe C:\Windows\System\XlCDkbb.exe
PID 1100 wrote to memory of 2436 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5497e75f86123fd662b7912fea9fa50b_cobalt-strike_cobaltstrike.exe C:\Windows\System\bWloBdA.exe
PID 1100 wrote to memory of 2436 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5497e75f86123fd662b7912fea9fa50b_cobalt-strike_cobaltstrike.exe C:\Windows\System\bWloBdA.exe
PID 1100 wrote to memory of 4340 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5497e75f86123fd662b7912fea9fa50b_cobalt-strike_cobaltstrike.exe C:\Windows\System\gxzsqzk.exe
PID 1100 wrote to memory of 4340 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5497e75f86123fd662b7912fea9fa50b_cobalt-strike_cobaltstrike.exe C:\Windows\System\gxzsqzk.exe
PID 1100 wrote to memory of 2016 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5497e75f86123fd662b7912fea9fa50b_cobalt-strike_cobaltstrike.exe C:\Windows\System\wueJdXN.exe
PID 1100 wrote to memory of 2016 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5497e75f86123fd662b7912fea9fa50b_cobalt-strike_cobaltstrike.exe C:\Windows\System\wueJdXN.exe
PID 1100 wrote to memory of 2644 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5497e75f86123fd662b7912fea9fa50b_cobalt-strike_cobaltstrike.exe C:\Windows\System\KvVxuGB.exe
PID 1100 wrote to memory of 2644 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5497e75f86123fd662b7912fea9fa50b_cobalt-strike_cobaltstrike.exe C:\Windows\System\KvVxuGB.exe
PID 1100 wrote to memory of 2408 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5497e75f86123fd662b7912fea9fa50b_cobalt-strike_cobaltstrike.exe C:\Windows\System\LMNCjfs.exe
PID 1100 wrote to memory of 2408 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5497e75f86123fd662b7912fea9fa50b_cobalt-strike_cobaltstrike.exe C:\Windows\System\LMNCjfs.exe
PID 1100 wrote to memory of 4600 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5497e75f86123fd662b7912fea9fa50b_cobalt-strike_cobaltstrike.exe C:\Windows\System\NwMwsXC.exe
PID 1100 wrote to memory of 4600 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5497e75f86123fd662b7912fea9fa50b_cobalt-strike_cobaltstrike.exe C:\Windows\System\NwMwsXC.exe
PID 1100 wrote to memory of 3020 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5497e75f86123fd662b7912fea9fa50b_cobalt-strike_cobaltstrike.exe C:\Windows\System\EesWnFX.exe
PID 1100 wrote to memory of 3020 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5497e75f86123fd662b7912fea9fa50b_cobalt-strike_cobaltstrike.exe C:\Windows\System\EesWnFX.exe
PID 1100 wrote to memory of 768 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5497e75f86123fd662b7912fea9fa50b_cobalt-strike_cobaltstrike.exe C:\Windows\System\SimjzMf.exe
PID 1100 wrote to memory of 768 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5497e75f86123fd662b7912fea9fa50b_cobalt-strike_cobaltstrike.exe C:\Windows\System\SimjzMf.exe
PID 1100 wrote to memory of 1304 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5497e75f86123fd662b7912fea9fa50b_cobalt-strike_cobaltstrike.exe C:\Windows\System\zFblvxx.exe
PID 1100 wrote to memory of 1304 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5497e75f86123fd662b7912fea9fa50b_cobalt-strike_cobaltstrike.exe C:\Windows\System\zFblvxx.exe
PID 1100 wrote to memory of 4852 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5497e75f86123fd662b7912fea9fa50b_cobalt-strike_cobaltstrike.exe C:\Windows\System\iKKiqxi.exe
PID 1100 wrote to memory of 4852 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5497e75f86123fd662b7912fea9fa50b_cobalt-strike_cobaltstrike.exe C:\Windows\System\iKKiqxi.exe
PID 1100 wrote to memory of 1428 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5497e75f86123fd662b7912fea9fa50b_cobalt-strike_cobaltstrike.exe C:\Windows\System\hwRmRWM.exe
PID 1100 wrote to memory of 1428 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5497e75f86123fd662b7912fea9fa50b_cobalt-strike_cobaltstrike.exe C:\Windows\System\hwRmRWM.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-01_5497e75f86123fd662b7912fea9fa50b_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-01_5497e75f86123fd662b7912fea9fa50b_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\dlipMph.exe

C:\Windows\System\dlipMph.exe

C:\Windows\System\vQrsxmR.exe

C:\Windows\System\vQrsxmR.exe

C:\Windows\System\ZWvVRTE.exe

C:\Windows\System\ZWvVRTE.exe

C:\Windows\System\vskGxgF.exe

C:\Windows\System\vskGxgF.exe

C:\Windows\System\UvZRHZt.exe

C:\Windows\System\UvZRHZt.exe

C:\Windows\System\BzgDCKQ.exe

C:\Windows\System\BzgDCKQ.exe

C:\Windows\System\aQSTWjE.exe

C:\Windows\System\aQSTWjE.exe

C:\Windows\System\bDkyBup.exe

C:\Windows\System\bDkyBup.exe

C:\Windows\System\oEzttvg.exe

C:\Windows\System\oEzttvg.exe

C:\Windows\System\XlCDkbb.exe

C:\Windows\System\XlCDkbb.exe

C:\Windows\System\bWloBdA.exe

C:\Windows\System\bWloBdA.exe

C:\Windows\System\gxzsqzk.exe

C:\Windows\System\gxzsqzk.exe

C:\Windows\System\wueJdXN.exe

C:\Windows\System\wueJdXN.exe

C:\Windows\System\KvVxuGB.exe

C:\Windows\System\KvVxuGB.exe

C:\Windows\System\LMNCjfs.exe

C:\Windows\System\LMNCjfs.exe

C:\Windows\System\NwMwsXC.exe

C:\Windows\System\NwMwsXC.exe

C:\Windows\System\EesWnFX.exe

C:\Windows\System\EesWnFX.exe

C:\Windows\System\SimjzMf.exe

C:\Windows\System\SimjzMf.exe

C:\Windows\System\zFblvxx.exe

C:\Windows\System\zFblvxx.exe

C:\Windows\System\iKKiqxi.exe

C:\Windows\System\iKKiqxi.exe

C:\Windows\System\hwRmRWM.exe

C:\Windows\System\hwRmRWM.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 249.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 69.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 91.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 67.112.168.52.in-addr.arpa udp

Files

memory/1100-0-0x00007FF63A3C0000-0x00007FF63A714000-memory.dmp

memory/1100-1-0x000001E031B10000-0x000001E031B20000-memory.dmp

C:\Windows\System\dlipMph.exe

MD5 24422bb6dd658b744ab3fa9c9f7ebef7
SHA1 4be66d2a3b741b9f6abd8f5c61e4c077ac9de5f0
SHA256 4017ff51f353b284b807ca007702a837120cab5e69e6fb8d0d33906ddf76c1b0
SHA512 dd042e690eb4e58a15a81105aeabb596f2e3cefa54a20874cd2286d4ea6c0a4256e1312fb5956acba789002d2d231200e8465ed7a1868161946a2b90665f005e

C:\Windows\System\ZWvVRTE.exe

MD5 7966207413432cad56419f63a330e5e4
SHA1 e684b6f293df614213157fcb2c81cb8774406f30
SHA256 a10b6b90a6f3e6067578614cdbd53e93702baccc83f6d626c575a86d50899496
SHA512 f71f084f4d6cb70e09a2866acef58c74dbb2cc0decd17be1d0fa19b1b6d92e8bcfbb628864a1f502636f149339227647d164513ef1052f2217f19f4eea22775f

C:\Windows\System\vskGxgF.exe

MD5 876712c4f26ef598d0001a4493f42caa
SHA1 d6cf458716795f0916021b0ca37899cf9a66e99c
SHA256 c8fba1d748e2b747eddbb0bd2f96b82e98407ae5b1c576107a526947bdfce925
SHA512 1b09a73134dfb1c7ee438dd0228937d694d7db22efc4bfa55afc199fa4a85361d196355951d42c9478b6ed6c235e2c36b2d3589fd617d5316f487188494a035d

memory/1020-30-0x00007FF602540000-0x00007FF602894000-memory.dmp

memory/4124-36-0x00007FF628AF0000-0x00007FF628E44000-memory.dmp

C:\Windows\System\aQSTWjE.exe

MD5 f6a8705639d687573f176288ee0b1d4d
SHA1 d60c2a0258d0fe743fc1ad70ac2aa42aa44994c0
SHA256 69d0a45498ee0a2fbdcdab85e3ada3605a925935aa0270ce3dc09329134be043
SHA512 4dde57517827400031f1ddcc37b29a91dec0be00ad882b24eb6717db71b7604038d17b579b4ea4a781258e28422365e8bf8195110ebc5910791a4ee9a490d092

C:\Windows\System\oEzttvg.exe

MD5 71f040db8633b4a862aff799b8fff2a8
SHA1 78ad65c0265e46309f4b298afb6fd2db633524e2
SHA256 51d26e1e2fb756ced352efc74412d916df565532a467a64db8507c533de4efd6
SHA512 8a4895219ab236bc8990544ba0a7e7f616639a134eb4e4129501a7097fa5fcefb36076da81b98310cb5d905c93e727f9f7eb4da1fc6997d1caef29998fa77ac7

C:\Windows\System\KvVxuGB.exe

MD5 352ec3ecf623ece23bdf90dd3dae6ff1
SHA1 746ec874c4040cacb20d3ea17f687dfdc17e0fa9
SHA256 812efe26135cdb50a74edb156501730205965008c5c6663eb32c391f3c465c80
SHA512 842972bc0e23cdc52f74e53dbc2a787e850abb5e2e20bceaec06ea6667a74780ddef653b5d7cc076fc9bd7937afb7e2d1afd8d6740b8c50651d2e97030ac265b

C:\Windows\System\NwMwsXC.exe

MD5 008adacff36cdc9a852cb42a3c4a9d76
SHA1 7f0556a4efc4d9bda4597b2c926b9f82620c6932
SHA256 81a60b1b31009b5ce9c22399c05687e049eb208e1b390507b52f3ee700a78b29
SHA512 5d9b00ca85384f2db11a5654a33d8382196db94c2318a7197192150b4b92985a96d5cbe910170fcb964fa176c0a36fbfedbbeecffd03baa7d86df23b4fc481ff

memory/2436-86-0x00007FF7113C0000-0x00007FF711714000-memory.dmp

memory/2644-93-0x00007FF63EEF0000-0x00007FF63F244000-memory.dmp

memory/1932-96-0x00007FF6B5E20000-0x00007FF6B6174000-memory.dmp

memory/1180-97-0x00007FF70FA70000-0x00007FF70FDC4000-memory.dmp

memory/4600-95-0x00007FF7DBFB0000-0x00007FF7DC304000-memory.dmp

memory/2408-94-0x00007FF636790000-0x00007FF636AE4000-memory.dmp

memory/2016-92-0x00007FF758690000-0x00007FF7589E4000-memory.dmp

memory/4340-91-0x00007FF707DF0000-0x00007FF708144000-memory.dmp

C:\Windows\System\LMNCjfs.exe

MD5 915c39bd40eeb40394caffe555340507
SHA1 1b53b89c13cd38257500adb00eb936318b2e6427
SHA256 316d9a1e19e8c66f3805dd2d45eef18f3887c7e491c15b0b0b6aa7a9a87004bf
SHA512 b2b523532fd5c1ce7d9beb9b03ad08b9e860e676cd02ef4d836cda360ec28076172698469be7a85bd6e06cee50688dc195c2a5ae5b0d73dcfc8a861ca5874076

memory/5028-83-0x00007FF770B40000-0x00007FF770E94000-memory.dmp

memory/4516-82-0x00007FF6AE440000-0x00007FF6AE794000-memory.dmp

C:\Windows\System\wueJdXN.exe

MD5 372817da4607a6b9641344832fce6c82
SHA1 fd112763cf949a65a5a3fce6e61090561d639edb
SHA256 4958db49099f7788dbc3a98b00c20d2fb2bba22d337c2cd8ab1519acbc90387e
SHA512 d450e3e7f84a685e2c0e50b49f69b394aeaba5091f12659b12732251249525f36a18a05868c500000e39ac9df453d7da395f0e463b180b463be6744beef3fab4

C:\Windows\System\gxzsqzk.exe

MD5 8a7d37896c3d6ea9ab2a292867c8f86f
SHA1 4b90dd391496d21eb39bb53a2de619e6c03b5b3d
SHA256 89e8a768668f146f7f2920f51778279250834f68237618b28d2ce8fd82be1839
SHA512 894658838365c37015dd31034b0cb8433667daa978f5e5c5c2209b40fe057bced7b77568f1f81a811318034e11eb57155ead7c27b49aca1008e05604dbddf313

C:\Windows\System\bWloBdA.exe

MD5 8306952167a9a3a4ff2070987ce329a4
SHA1 362543a3d8dd62fcb8fe084765df2ecce11b2359
SHA256 0a70a387d01948c455169daf19612f6217247f26a4dbeb5bdbcfdba7710d594b
SHA512 413af472e3d9f04fc7035380f2ee6667f3d0d6bcaa219843863b81a5234edcc05d99acb182af648bfcf6656f4e25e4b899d861e317b841df6a8bddab1d343ffa

C:\Windows\System\XlCDkbb.exe

MD5 aabed4bf5c20c32d23f5213c385a34ef
SHA1 e7bdc8d2cf927e742ccc6e6010293498e70568da
SHA256 356cc818d33fefae7d7f3930c843f7310f5e4c3f8fd3ae0d69522109c8f27d84
SHA512 cd6bbb90f20c1d92167b05f2a75c2d118a5d3988e1ff13dcab9d310496979e1754a136ac99fdcae53a67b7eaa78781c3e0bafc1d72faade8c57e09bbe63f2ede

C:\Windows\System\bDkyBup.exe

MD5 f124cdafae7756fa42ebb5ebd77df2aa
SHA1 1fb25554e6c22370b156f36bbc450f365307f7a4
SHA256 b927167b537ec47a9728611f0956945365bd126249de8277ed039ee79deadfc3
SHA512 f8b9d5ae5b241152af3e28fe69301f27af7a2a22ea5f824e06985c1d9634df7b7dec084fe2c756ef5d2ad08d5588beee15fec55d24f9f16c2d7ee262ef97bafa

memory/464-43-0x00007FF6AB320000-0x00007FF6AB674000-memory.dmp

C:\Windows\System\BzgDCKQ.exe

MD5 ccba81f1e1d1643a5250002e9ddddd6e
SHA1 6339c3fa398110cb64a78aeb005708cf30fb20a0
SHA256 d1a684e66cbc28c19f6d33d9e4bc26961dd8b9a34229354462af7962eeacbef9
SHA512 892d04d5f52b658e154a45104ae253387c36289dbc9b33d0fa010d84cc9f359ef6c2b94ac62a7ae340d5b3869d94389880d3529467002920b16c27249b4bbfe1

C:\Windows\System\UvZRHZt.exe

MD5 5a4923d02286fc60572ad3c3ba3877f6
SHA1 5f69403da468e8e7b6d005a877df6e6eb10cd765
SHA256 09f5e50ac37153c0752e616ffee48868fa92dfdff14969cb3054eb23b0d2a402
SHA512 eaa856cec432c19a5137c285f1237e61b80a92fa8acd8dab89283c22a1981e0062121a00d8d00336502013cd19ea8d8f393475ce1a7f3e48ef2c23b9616f33af

memory/8-27-0x00007FF62DB40000-0x00007FF62DE94000-memory.dmp

memory/4352-17-0x00007FF666F90000-0x00007FF6672E4000-memory.dmp

C:\Windows\System\vQrsxmR.exe

MD5 b5f561a5dfda91a77ac0d0ecfe5e39f8
SHA1 ca0c84e106bff4e71b5f9504b5ad1c6247d19e89
SHA256 8a3db64eb70adc6fd505dfbb3ef1aecb2fac0bae40f72608e9a2b89660904dbf
SHA512 bfe177fc187de58b6d113b9b48f6c60796dbc0f32a7417d8d93c6b8700c05a0dc2b133b04795380b0675859f1fcfb00daf9a3c92b60978737aed31ff4e146a5d

memory/3908-7-0x00007FF709E40000-0x00007FF70A194000-memory.dmp

C:\Windows\System\EesWnFX.exe

MD5 6b7ea87dd02e3d6393c852824ec29c08
SHA1 078acb499cb835d58cbfe8ad4edabe6a3ea28c60
SHA256 12a2444d6201d935a2c74ca06e3cb4949bc150f0ffda16b623eba80bad1e8f29
SHA512 31fe4c43e639fa923a9df046957dad26802ed96f6e0b15bea7fae29b530e0ddf57bcfa2541e9300377cd6753ea09a797309eb6962cb6b79464af1182c309f4fd

memory/3020-102-0x00007FF6A8D00000-0x00007FF6A9054000-memory.dmp

C:\Windows\System\SimjzMf.exe

MD5 33e24da74fa04c905a72a0658b284ee0
SHA1 cf74f8008a13378a222db5a57a7723f72a905acd
SHA256 acb4a55039c3522577e5ea09f3d5a397be0950d8571e7083022df337da9d55a4
SHA512 9ed43515bf96a908016fb65214f7a9da2319c667164a60d473bf32fe066b7e9b08c679cf448ec29b0c0e2b2f548959cd7c05cbdaac1ba78d56abc1bbc09154ec

C:\Windows\System\iKKiqxi.exe

MD5 c4199dc9f1237147a51f4ad5f0c67662
SHA1 e6a2305f3dd77fac35c0f313fdecea303f30fdd8
SHA256 18ff04c953e9ef6ec169f9f26a1a9d576f74b9f96469dae5313ea9f99f878066
SHA512 d42ca1239db0d587eab67c4ca01dec8f6c3e603902f59845def31fa9c3960f4134f46fce8258861ac580601b3b2b5be6706761bb61bcf4e117ce5f75929b19d7

C:\Windows\System\zFblvxx.exe

MD5 2f444ca8ab4d50be47f03ed4b8ec8b84
SHA1 b33d30c57f0b8f512548266abfed8c764222dd85
SHA256 03d92d0a1951634057bdb10e789bf08706645b9d9a986c3421d97cac4bf96e90
SHA512 e8e979872cd0adba8171995bcab76be06f84130bafb73221573dffb66098c51971f0973bb10184e65b02804ba6be0d2e93c75989bb2641ddb3e90a371599f214

C:\Windows\System\hwRmRWM.exe

MD5 90c3405661f1fac41be6a7e158161d7e
SHA1 fed854b673f0923ecf866f3acb31bdaef314a097
SHA256 03929998d05c42ba1061bcbe8e0c466316124fa778527f4997d286ea1a32890c
SHA512 eb744d32a3cebebf2a081c42d936ed8a113a072c47457a5ca9e6dcbb3e4fd75c440402e8deebd57474a2074bb32e91b6a27bbc0fc3448b38ed3d457628594fce

memory/1304-123-0x00007FF781320000-0x00007FF781674000-memory.dmp

memory/768-114-0x00007FF7E2380000-0x00007FF7E26D4000-memory.dmp

memory/4852-126-0x00007FF644A40000-0x00007FF644D94000-memory.dmp

memory/1428-127-0x00007FF6A2150000-0x00007FF6A24A4000-memory.dmp

memory/1100-128-0x00007FF63A3C0000-0x00007FF63A714000-memory.dmp

memory/3908-129-0x00007FF709E40000-0x00007FF70A194000-memory.dmp

memory/4352-130-0x00007FF666F90000-0x00007FF6672E4000-memory.dmp

memory/1020-131-0x00007FF602540000-0x00007FF602894000-memory.dmp

memory/4124-132-0x00007FF628AF0000-0x00007FF628E44000-memory.dmp

memory/3020-133-0x00007FF6A8D00000-0x00007FF6A9054000-memory.dmp

memory/3908-134-0x00007FF709E40000-0x00007FF70A194000-memory.dmp

memory/4352-135-0x00007FF666F90000-0x00007FF6672E4000-memory.dmp

memory/8-136-0x00007FF62DB40000-0x00007FF62DE94000-memory.dmp

memory/1020-137-0x00007FF602540000-0x00007FF602894000-memory.dmp

memory/464-138-0x00007FF6AB320000-0x00007FF6AB674000-memory.dmp

memory/4124-139-0x00007FF628AF0000-0x00007FF628E44000-memory.dmp

memory/5028-141-0x00007FF770B40000-0x00007FF770E94000-memory.dmp

memory/1932-142-0x00007FF6B5E20000-0x00007FF6B6174000-memory.dmp

memory/4516-140-0x00007FF6AE440000-0x00007FF6AE794000-memory.dmp

memory/2436-144-0x00007FF7113C0000-0x00007FF711714000-memory.dmp

memory/4340-146-0x00007FF707DF0000-0x00007FF708144000-memory.dmp

memory/2644-147-0x00007FF63EEF0000-0x00007FF63F244000-memory.dmp

memory/4600-149-0x00007FF7DBFB0000-0x00007FF7DC304000-memory.dmp

memory/2408-148-0x00007FF636790000-0x00007FF636AE4000-memory.dmp

memory/1180-143-0x00007FF70FA70000-0x00007FF70FDC4000-memory.dmp

memory/2016-145-0x00007FF758690000-0x00007FF7589E4000-memory.dmp

memory/3020-150-0x00007FF6A8D00000-0x00007FF6A9054000-memory.dmp

memory/768-151-0x00007FF7E2380000-0x00007FF7E26D4000-memory.dmp

memory/1304-152-0x00007FF781320000-0x00007FF781674000-memory.dmp

memory/4852-153-0x00007FF644A40000-0x00007FF644D94000-memory.dmp

memory/1428-154-0x00007FF6A2150000-0x00007FF6A24A4000-memory.dmp