Malware Analysis Report

2024-10-24 18:15

Sample ID 240607-bzqt1age23
Target 2024-06-07_71d7214962e810bfdb71cfc756fec6aa_cobalt-strike_cobaltstrike
SHA256 22ae0182924e0e496ff9ac822afbe6a212d4a4be1d924f577ca85a4f929718f6
Tags
miner upx 0 xmrig cobaltstrike backdoor trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

22ae0182924e0e496ff9ac822afbe6a212d4a4be1d924f577ca85a4f929718f6

Threat Level: Known bad

The file 2024-06-07_71d7214962e810bfdb71cfc756fec6aa_cobalt-strike_cobaltstrike was found to be: Known bad.

Malicious Activity Summary

miner upx 0 xmrig cobaltstrike backdoor trojan

Detects Reflective DLL injection artifacts

Xmrig family

Cobaltstrike family

Cobalt Strike reflective loader

XMRig Miner payload

Cobaltstrike

xmrig

UPX dump on OEP (original entry point)

Detects Reflective DLL injection artifacts

UPX dump on OEP (original entry point)

XMRig Miner payload

Executes dropped EXE

Loads dropped DLL

UPX packed file

Drops file in Windows directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-07 01:36

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike family

cobaltstrike

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Xmrig family

xmrig

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-07 01:35

Reported

2024-06-07 01:39

Platform

win7-20240508-en

Max time kernel

138s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-07_71d7214962e810bfdb71cfc756fec6aa_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_71d7214962e810bfdb71cfc756fec6aa_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_71d7214962e810bfdb71cfc756fec6aa_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_71d7214962e810bfdb71cfc756fec6aa_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_71d7214962e810bfdb71cfc756fec6aa_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_71d7214962e810bfdb71cfc756fec6aa_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_71d7214962e810bfdb71cfc756fec6aa_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_71d7214962e810bfdb71cfc756fec6aa_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_71d7214962e810bfdb71cfc756fec6aa_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_71d7214962e810bfdb71cfc756fec6aa_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_71d7214962e810bfdb71cfc756fec6aa_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_71d7214962e810bfdb71cfc756fec6aa_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_71d7214962e810bfdb71cfc756fec6aa_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_71d7214962e810bfdb71cfc756fec6aa_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_71d7214962e810bfdb71cfc756fec6aa_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_71d7214962e810bfdb71cfc756fec6aa_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_71d7214962e810bfdb71cfc756fec6aa_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_71d7214962e810bfdb71cfc756fec6aa_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_71d7214962e810bfdb71cfc756fec6aa_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_71d7214962e810bfdb71cfc756fec6aa_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_71d7214962e810bfdb71cfc756fec6aa_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_71d7214962e810bfdb71cfc756fec6aa_cobalt-strike_cobaltstrike.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\uzDUBiC.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_71d7214962e810bfdb71cfc756fec6aa_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\iaknlkg.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_71d7214962e810bfdb71cfc756fec6aa_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\BXdiMgd.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_71d7214962e810bfdb71cfc756fec6aa_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\JQvaiOw.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_71d7214962e810bfdb71cfc756fec6aa_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ShZsdNR.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_71d7214962e810bfdb71cfc756fec6aa_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\emgdVmp.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_71d7214962e810bfdb71cfc756fec6aa_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\jXJyUoy.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_71d7214962e810bfdb71cfc756fec6aa_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\jZnCOcN.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_71d7214962e810bfdb71cfc756fec6aa_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\aWbSfiG.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_71d7214962e810bfdb71cfc756fec6aa_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\QnEWNCZ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_71d7214962e810bfdb71cfc756fec6aa_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\bIcdnCV.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_71d7214962e810bfdb71cfc756fec6aa_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\tdrmdbl.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_71d7214962e810bfdb71cfc756fec6aa_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\DZJxehs.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_71d7214962e810bfdb71cfc756fec6aa_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ltLBRrp.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_71d7214962e810bfdb71cfc756fec6aa_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\iRYDJQr.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_71d7214962e810bfdb71cfc756fec6aa_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\QtDLmpy.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_71d7214962e810bfdb71cfc756fec6aa_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\rDXFENw.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_71d7214962e810bfdb71cfc756fec6aa_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ruHHgMU.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_71d7214962e810bfdb71cfc756fec6aa_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\XPJNcIx.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_71d7214962e810bfdb71cfc756fec6aa_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\HiWtivX.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_71d7214962e810bfdb71cfc756fec6aa_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\JLyJTGX.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_71d7214962e810bfdb71cfc756fec6aa_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_71d7214962e810bfdb71cfc756fec6aa_cobalt-strike_cobaltstrike.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_71d7214962e810bfdb71cfc756fec6aa_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2188 wrote to memory of 3016 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_71d7214962e810bfdb71cfc756fec6aa_cobalt-strike_cobaltstrike.exe C:\Windows\System\QnEWNCZ.exe
PID 2188 wrote to memory of 3016 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_71d7214962e810bfdb71cfc756fec6aa_cobalt-strike_cobaltstrike.exe C:\Windows\System\QnEWNCZ.exe
PID 2188 wrote to memory of 3016 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_71d7214962e810bfdb71cfc756fec6aa_cobalt-strike_cobaltstrike.exe C:\Windows\System\QnEWNCZ.exe
PID 2188 wrote to memory of 2580 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_71d7214962e810bfdb71cfc756fec6aa_cobalt-strike_cobaltstrike.exe C:\Windows\System\uzDUBiC.exe
PID 2188 wrote to memory of 2580 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_71d7214962e810bfdb71cfc756fec6aa_cobalt-strike_cobaltstrike.exe C:\Windows\System\uzDUBiC.exe
PID 2188 wrote to memory of 2580 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_71d7214962e810bfdb71cfc756fec6aa_cobalt-strike_cobaltstrike.exe C:\Windows\System\uzDUBiC.exe
PID 2188 wrote to memory of 2688 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_71d7214962e810bfdb71cfc756fec6aa_cobalt-strike_cobaltstrike.exe C:\Windows\System\bIcdnCV.exe
PID 2188 wrote to memory of 2688 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_71d7214962e810bfdb71cfc756fec6aa_cobalt-strike_cobaltstrike.exe C:\Windows\System\bIcdnCV.exe
PID 2188 wrote to memory of 2688 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_71d7214962e810bfdb71cfc756fec6aa_cobalt-strike_cobaltstrike.exe C:\Windows\System\bIcdnCV.exe
PID 2188 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_71d7214962e810bfdb71cfc756fec6aa_cobalt-strike_cobaltstrike.exe C:\Windows\System\rDXFENw.exe
PID 2188 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_71d7214962e810bfdb71cfc756fec6aa_cobalt-strike_cobaltstrike.exe C:\Windows\System\rDXFENw.exe
PID 2188 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_71d7214962e810bfdb71cfc756fec6aa_cobalt-strike_cobaltstrike.exe C:\Windows\System\rDXFENw.exe
PID 2188 wrote to memory of 2844 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_71d7214962e810bfdb71cfc756fec6aa_cobalt-strike_cobaltstrike.exe C:\Windows\System\ruHHgMU.exe
PID 2188 wrote to memory of 2844 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_71d7214962e810bfdb71cfc756fec6aa_cobalt-strike_cobaltstrike.exe C:\Windows\System\ruHHgMU.exe
PID 2188 wrote to memory of 2844 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_71d7214962e810bfdb71cfc756fec6aa_cobalt-strike_cobaltstrike.exe C:\Windows\System\ruHHgMU.exe
PID 2188 wrote to memory of 2768 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_71d7214962e810bfdb71cfc756fec6aa_cobalt-strike_cobaltstrike.exe C:\Windows\System\iaknlkg.exe
PID 2188 wrote to memory of 2768 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_71d7214962e810bfdb71cfc756fec6aa_cobalt-strike_cobaltstrike.exe C:\Windows\System\iaknlkg.exe
PID 2188 wrote to memory of 2768 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_71d7214962e810bfdb71cfc756fec6aa_cobalt-strike_cobaltstrike.exe C:\Windows\System\iaknlkg.exe
PID 2188 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_71d7214962e810bfdb71cfc756fec6aa_cobalt-strike_cobaltstrike.exe C:\Windows\System\tdrmdbl.exe
PID 2188 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_71d7214962e810bfdb71cfc756fec6aa_cobalt-strike_cobaltstrike.exe C:\Windows\System\tdrmdbl.exe
PID 2188 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_71d7214962e810bfdb71cfc756fec6aa_cobalt-strike_cobaltstrike.exe C:\Windows\System\tdrmdbl.exe
PID 2188 wrote to memory of 2468 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_71d7214962e810bfdb71cfc756fec6aa_cobalt-strike_cobaltstrike.exe C:\Windows\System\jXJyUoy.exe
PID 2188 wrote to memory of 2468 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_71d7214962e810bfdb71cfc756fec6aa_cobalt-strike_cobaltstrike.exe C:\Windows\System\jXJyUoy.exe
PID 2188 wrote to memory of 2468 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_71d7214962e810bfdb71cfc756fec6aa_cobalt-strike_cobaltstrike.exe C:\Windows\System\jXJyUoy.exe
PID 2188 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_71d7214962e810bfdb71cfc756fec6aa_cobalt-strike_cobaltstrike.exe C:\Windows\System\BXdiMgd.exe
PID 2188 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_71d7214962e810bfdb71cfc756fec6aa_cobalt-strike_cobaltstrike.exe C:\Windows\System\BXdiMgd.exe
PID 2188 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_71d7214962e810bfdb71cfc756fec6aa_cobalt-strike_cobaltstrike.exe C:\Windows\System\BXdiMgd.exe
PID 2188 wrote to memory of 2928 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_71d7214962e810bfdb71cfc756fec6aa_cobalt-strike_cobaltstrike.exe C:\Windows\System\JQvaiOw.exe
PID 2188 wrote to memory of 2928 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_71d7214962e810bfdb71cfc756fec6aa_cobalt-strike_cobaltstrike.exe C:\Windows\System\JQvaiOw.exe
PID 2188 wrote to memory of 2928 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_71d7214962e810bfdb71cfc756fec6aa_cobalt-strike_cobaltstrike.exe C:\Windows\System\JQvaiOw.exe
PID 2188 wrote to memory of 2152 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_71d7214962e810bfdb71cfc756fec6aa_cobalt-strike_cobaltstrike.exe C:\Windows\System\XPJNcIx.exe
PID 2188 wrote to memory of 2152 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_71d7214962e810bfdb71cfc756fec6aa_cobalt-strike_cobaltstrike.exe C:\Windows\System\XPJNcIx.exe
PID 2188 wrote to memory of 2152 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_71d7214962e810bfdb71cfc756fec6aa_cobalt-strike_cobaltstrike.exe C:\Windows\System\XPJNcIx.exe
PID 2188 wrote to memory of 2532 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_71d7214962e810bfdb71cfc756fec6aa_cobalt-strike_cobaltstrike.exe C:\Windows\System\DZJxehs.exe
PID 2188 wrote to memory of 2532 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_71d7214962e810bfdb71cfc756fec6aa_cobalt-strike_cobaltstrike.exe C:\Windows\System\DZJxehs.exe
PID 2188 wrote to memory of 2532 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_71d7214962e810bfdb71cfc756fec6aa_cobalt-strike_cobaltstrike.exe C:\Windows\System\DZJxehs.exe
PID 2188 wrote to memory of 1220 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_71d7214962e810bfdb71cfc756fec6aa_cobalt-strike_cobaltstrike.exe C:\Windows\System\ShZsdNR.exe
PID 2188 wrote to memory of 1220 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_71d7214962e810bfdb71cfc756fec6aa_cobalt-strike_cobaltstrike.exe C:\Windows\System\ShZsdNR.exe
PID 2188 wrote to memory of 1220 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_71d7214962e810bfdb71cfc756fec6aa_cobalt-strike_cobaltstrike.exe C:\Windows\System\ShZsdNR.exe
PID 2188 wrote to memory of 1616 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_71d7214962e810bfdb71cfc756fec6aa_cobalt-strike_cobaltstrike.exe C:\Windows\System\ltLBRrp.exe
PID 2188 wrote to memory of 1616 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_71d7214962e810bfdb71cfc756fec6aa_cobalt-strike_cobaltstrike.exe C:\Windows\System\ltLBRrp.exe
PID 2188 wrote to memory of 1616 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_71d7214962e810bfdb71cfc756fec6aa_cobalt-strike_cobaltstrike.exe C:\Windows\System\ltLBRrp.exe
PID 2188 wrote to memory of 2124 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_71d7214962e810bfdb71cfc756fec6aa_cobalt-strike_cobaltstrike.exe C:\Windows\System\jZnCOcN.exe
PID 2188 wrote to memory of 2124 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_71d7214962e810bfdb71cfc756fec6aa_cobalt-strike_cobaltstrike.exe C:\Windows\System\jZnCOcN.exe
PID 2188 wrote to memory of 2124 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_71d7214962e810bfdb71cfc756fec6aa_cobalt-strike_cobaltstrike.exe C:\Windows\System\jZnCOcN.exe
PID 2188 wrote to memory of 2392 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_71d7214962e810bfdb71cfc756fec6aa_cobalt-strike_cobaltstrike.exe C:\Windows\System\aWbSfiG.exe
PID 2188 wrote to memory of 2392 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_71d7214962e810bfdb71cfc756fec6aa_cobalt-strike_cobaltstrike.exe C:\Windows\System\aWbSfiG.exe
PID 2188 wrote to memory of 2392 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_71d7214962e810bfdb71cfc756fec6aa_cobalt-strike_cobaltstrike.exe C:\Windows\System\aWbSfiG.exe
PID 2188 wrote to memory of 812 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_71d7214962e810bfdb71cfc756fec6aa_cobalt-strike_cobaltstrike.exe C:\Windows\System\iRYDJQr.exe
PID 2188 wrote to memory of 812 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_71d7214962e810bfdb71cfc756fec6aa_cobalt-strike_cobaltstrike.exe C:\Windows\System\iRYDJQr.exe
PID 2188 wrote to memory of 812 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_71d7214962e810bfdb71cfc756fec6aa_cobalt-strike_cobaltstrike.exe C:\Windows\System\iRYDJQr.exe
PID 2188 wrote to memory of 1744 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_71d7214962e810bfdb71cfc756fec6aa_cobalt-strike_cobaltstrike.exe C:\Windows\System\QtDLmpy.exe
PID 2188 wrote to memory of 1744 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_71d7214962e810bfdb71cfc756fec6aa_cobalt-strike_cobaltstrike.exe C:\Windows\System\QtDLmpy.exe
PID 2188 wrote to memory of 1744 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_71d7214962e810bfdb71cfc756fec6aa_cobalt-strike_cobaltstrike.exe C:\Windows\System\QtDLmpy.exe
PID 2188 wrote to memory of 2404 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_71d7214962e810bfdb71cfc756fec6aa_cobalt-strike_cobaltstrike.exe C:\Windows\System\HiWtivX.exe
PID 2188 wrote to memory of 2404 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_71d7214962e810bfdb71cfc756fec6aa_cobalt-strike_cobaltstrike.exe C:\Windows\System\HiWtivX.exe
PID 2188 wrote to memory of 2404 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_71d7214962e810bfdb71cfc756fec6aa_cobalt-strike_cobaltstrike.exe C:\Windows\System\HiWtivX.exe
PID 2188 wrote to memory of 2032 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_71d7214962e810bfdb71cfc756fec6aa_cobalt-strike_cobaltstrike.exe C:\Windows\System\emgdVmp.exe
PID 2188 wrote to memory of 2032 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_71d7214962e810bfdb71cfc756fec6aa_cobalt-strike_cobaltstrike.exe C:\Windows\System\emgdVmp.exe
PID 2188 wrote to memory of 2032 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_71d7214962e810bfdb71cfc756fec6aa_cobalt-strike_cobaltstrike.exe C:\Windows\System\emgdVmp.exe
PID 2188 wrote to memory of 2016 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_71d7214962e810bfdb71cfc756fec6aa_cobalt-strike_cobaltstrike.exe C:\Windows\System\JLyJTGX.exe
PID 2188 wrote to memory of 2016 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_71d7214962e810bfdb71cfc756fec6aa_cobalt-strike_cobaltstrike.exe C:\Windows\System\JLyJTGX.exe
PID 2188 wrote to memory of 2016 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_71d7214962e810bfdb71cfc756fec6aa_cobalt-strike_cobaltstrike.exe C:\Windows\System\JLyJTGX.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-07_71d7214962e810bfdb71cfc756fec6aa_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-07_71d7214962e810bfdb71cfc756fec6aa_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\QnEWNCZ.exe

C:\Windows\System\QnEWNCZ.exe

C:\Windows\System\uzDUBiC.exe

C:\Windows\System\uzDUBiC.exe

C:\Windows\System\bIcdnCV.exe

C:\Windows\System\bIcdnCV.exe

C:\Windows\System\rDXFENw.exe

C:\Windows\System\rDXFENw.exe

C:\Windows\System\ruHHgMU.exe

C:\Windows\System\ruHHgMU.exe

C:\Windows\System\iaknlkg.exe

C:\Windows\System\iaknlkg.exe

C:\Windows\System\tdrmdbl.exe

C:\Windows\System\tdrmdbl.exe

C:\Windows\System\jXJyUoy.exe

C:\Windows\System\jXJyUoy.exe

C:\Windows\System\BXdiMgd.exe

C:\Windows\System\BXdiMgd.exe

C:\Windows\System\JQvaiOw.exe

C:\Windows\System\JQvaiOw.exe

C:\Windows\System\XPJNcIx.exe

C:\Windows\System\XPJNcIx.exe

C:\Windows\System\DZJxehs.exe

C:\Windows\System\DZJxehs.exe

C:\Windows\System\ShZsdNR.exe

C:\Windows\System\ShZsdNR.exe

C:\Windows\System\ltLBRrp.exe

C:\Windows\System\ltLBRrp.exe

C:\Windows\System\jZnCOcN.exe

C:\Windows\System\jZnCOcN.exe

C:\Windows\System\aWbSfiG.exe

C:\Windows\System\aWbSfiG.exe

C:\Windows\System\iRYDJQr.exe

C:\Windows\System\iRYDJQr.exe

C:\Windows\System\QtDLmpy.exe

C:\Windows\System\QtDLmpy.exe

C:\Windows\System\HiWtivX.exe

C:\Windows\System\HiWtivX.exe

C:\Windows\System\emgdVmp.exe

C:\Windows\System\emgdVmp.exe

C:\Windows\System\JLyJTGX.exe

C:\Windows\System\JLyJTGX.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 N/A tcp
DE 3.120.209.58:8080 N/A tcp
DE 3.120.209.58:8080 N/A tcp
DE 3.120.209.58:8080 N/A tcp
DE 3.120.209.58:8080 N/A tcp
DE 3.120.209.58:8080 N/A tcp

Files

memory/2188-0-0x000000013F530000-0x000000013F884000-memory.dmp

memory/2188-1-0x00000000000F0000-0x0000000000100000-memory.dmp

\Windows\system\QnEWNCZ.exe

MD5 2f98881cfc990f1b2cf09753ea386c26
SHA1 5d54e2d771587c7897d7c81d5f1c63570e1cbaf0
SHA256 afce25f9cc130e20c6607660476f3c9deb74966f800bbe9b70439af43b0388f4
SHA512 a8d5f9d1aeabf1dfbd6c23daba0e8e28bfee31f5c9133f6d1a26e0758c8b2bf3ab52b9cc4426982a29b44347e45712ea2e28b2cbd7375653d863738a3d428b13

memory/2188-6-0x000000013FD70000-0x00000001400C4000-memory.dmp

\Windows\system\uzDUBiC.exe

MD5 c74d441a4f44ac1204b8ed5e1e27862d
SHA1 816d542d9cbac1d5c157384690360bd22b95c4f8
SHA256 f96f8099c4b485b9ecf84e822ffcf2e9ba4aae1c2ad310862eb162001e78d18b
SHA512 b23b5341ab94eb2c1838817c71168c7b2fb0a43eda23c7ddc19aaf2718ef71a2ceea9939aa58a7846a24fadd1e0e3f3e306d1609c90facef4e89f20042b03c79

memory/2580-14-0x000000013FA80000-0x000000013FDD4000-memory.dmp

memory/2188-13-0x000000013FA80000-0x000000013FDD4000-memory.dmp

\Windows\system\bIcdnCV.exe

MD5 bfcf09f83c2a775831bb56d43cec5116
SHA1 0edaf821032e58c77b9bc50f9069f0c215e909ea
SHA256 192b0e166251c18baf7a0337a9d580f3eb21a13992e4dac88ee3d8dabb0abf96
SHA512 ce17518b652efe729f833d99b7e190adbaa0069310c6639edb8f9dbac0a9a60ac99a7d5286017d703ed711ee849663cdca4443d59a0db1e29365e947f725686d

memory/2688-21-0x000000013F7A0000-0x000000013FAF4000-memory.dmp

C:\Windows\system\rDXFENw.exe

MD5 6fc1d2a6aa4e5fec1598640195150caa
SHA1 163971d08fea512c74e8dc6194438875b3a4e2dd
SHA256 c7702a558c524dcd71e1b49a725b4d00424bcfa78922fa47fa3df7ad8780489b
SHA512 32242bb3972b6c84fe04251d691d74728217a6789799a7b9b70417f9c92fed40204f2a0597f504eb1e15f95e5fdd6bfa9b9cbc89671f004164b2844ac1ca4ae4

\Windows\system\rDXFENw.exe

MD5 75b056ed26af3dd8175f087453210e07
SHA1 01ec4420ddf81a3aa40efe58b4fd95ac05074785
SHA256 c4a3e2d0d64d8057e975a002c9bbbeea9ac085879a454bbbcb7e77be9e565aa0
SHA512 21b7f49530894fa75253ba677395d4d87aad8207b9e86919a14ece6188cd9894bb462d89bdce3e7bfbcd82a57316f9e27b5e3045241bb38c0970c740b55cc720

memory/2616-28-0x000000013F040000-0x000000013F394000-memory.dmp

memory/2188-27-0x000000013F040000-0x000000013F394000-memory.dmp

C:\Windows\system\ruHHgMU.exe

MD5 9f44562c257f67d1a2ffe2263147667c
SHA1 bf94f63c4e98258e1de0c2b4a1660f5dce9e5a46
SHA256 7f54c2f94cc5a831aba0fafe9e2c552f6088500473085697b72b89f2880b8ac8
SHA512 6272a6226fb2ed4f4df04a10a82dbb4d7c7460fcdb440466e5eeb8108cb023dc1dd5ca7a2fb5c453de850d4c363f116b864a00ec0200d8ff14ff6a6d8df02d5c

memory/2188-34-0x0000000002360000-0x00000000026B4000-memory.dmp

memory/2768-40-0x000000013F5C0000-0x000000013F914000-memory.dmp

C:\Windows\system\iaknlkg.exe

MD5 d27fbca55fdf93d34ffc9e6b0a189308
SHA1 bc09d89f2565019abffcd23e80018e794f9ae340
SHA256 89dad0f69137c63f0db6b79c59d7aab10fe49e5156208022a8663297126aafca
SHA512 067204cf6f10e7c89897d6a4d4026fa8523b70497cc02d0284f1de41d2a3a2692b0ff2b0a2a93824e00fe003a34335b12b612531fcec384fed77a5da02acd30d

C:\Windows\system\tdrmdbl.exe

MD5 5f0d1e340dbab0a99ef8f234ca52982b
SHA1 0a66ed143533c563519f5b6f43eff6174f409321
SHA256 80b125d2da7f82b737b90eadf69c3d5f2cc89e96ab792b6fbb7190753a631cc4
SHA512 2ed6e509fd4bc361d11a8e07c5c40efd04fd988fd521eda76ed805767d20ddb37af23eaac6aba9efc6689705c7713f3a97e277afc92e44cc087b6b1d3796c7cf

memory/2772-47-0x000000013F6E0000-0x000000013FA34000-memory.dmp

C:\Windows\system\jXJyUoy.exe

MD5 1fc0ec112fff99898da4260928ee6e5b
SHA1 ef56b99dabd5c58f33898c2ab4e477d1735b0cdc
SHA256 eecbe80f971badca9103556b4edddb5944770b772770dcffeec9dc97f98804ac
SHA512 b94ac5db4b4f08866c9e2729a7247a93bd88941ed81a96c3492981f8d3686f3794a0dea7199814b57ac20f4102f15f17fc334364a22bb92920812841cd27987d

memory/2468-54-0x000000013FD30000-0x0000000140084000-memory.dmp

C:\Windows\system\JQvaiOw.exe

MD5 5f14a23df7a5fb0b758d823e83ebf77b
SHA1 f91c6106fcc1d15ffa95e55ab8736d47b0737eee
SHA256 c28b4757468f2f6e48573184889695e504d309bc388c48220c11c56073389f20
SHA512 890bbf049d2252c523e9d17dbaac81fb27a692b1422be3ee8124e387967d4d490b10ad41e79fb6a4d9f38aad21236074922162f7e2e3eb4d53b8a62eb65fc2ee

memory/2580-65-0x000000013FA80000-0x000000013FDD4000-memory.dmp

memory/2928-67-0x000000013FC20000-0x000000013FF74000-memory.dmp

C:\Windows\system\XPJNcIx.exe

MD5 cf853a651c7bfe656ba9989cd09c205d
SHA1 ff8bb95a2ff9626be6197a384e1bdefaf3707c1b
SHA256 5ec65aeb845878d4ff0c19961b8703eb8626445b3522f158881b49226e1547cf
SHA512 a01de9280df84f5fd01fffee8e734b78b5d41dd805ee783f7eb5d6e3ef57f2bac353b2c47e02e620166be8647923d2b2847a927ca9b90032335b2227ab0fafaa

memory/2532-83-0x000000013FE60000-0x00000001401B4000-memory.dmp

\Windows\system\ShZsdNR.exe

MD5 0c4fa25607b4370165ec346f1ab5cf33
SHA1 e793a93cf0e5f3e380ba686a46b04e292ac07498

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-07 01:35

Reported

2024-06-07 01:39

Platform

win10v2004-20240426-en

Max time kernel

150s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-07_71d7214962e810bfdb71cfc756fec6aa_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\pLWLluZ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_71d7214962e810bfdb71cfc756fec6aa_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\LlNLCeS.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_71d7214962e810bfdb71cfc756fec6aa_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\lsmnVXb.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_71d7214962e810bfdb71cfc756fec6aa_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\MrdGOGw.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_71d7214962e810bfdb71cfc756fec6aa_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\uAtOVzE.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_71d7214962e810bfdb71cfc756fec6aa_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\xkUUgYh.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_71d7214962e810bfdb71cfc756fec6aa_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\DZBWypS.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_71d7214962e810bfdb71cfc756fec6aa_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ZdJpNGZ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_71d7214962e810bfdb71cfc756fec6aa_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\QasVIHB.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_71d7214962e810bfdb71cfc756fec6aa_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\IHvkGfr.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_71d7214962e810bfdb71cfc756fec6aa_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\bRqcGBg.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_71d7214962e810bfdb71cfc756fec6aa_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\fwtxXTS.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_71d7214962e810bfdb71cfc756fec6aa_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\paVrAXC.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_71d7214962e810bfdb71cfc756fec6aa_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\fyNQaYx.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_71d7214962e810bfdb71cfc756fec6aa_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\epWSXoF.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_71d7214962e810bfdb71cfc756fec6aa_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\XAApyEK.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_71d7214962e810bfdb71cfc756fec6aa_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\VlnxWAo.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_71d7214962e810bfdb71cfc756fec6aa_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\AaEaBtE.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_71d7214962e810bfdb71cfc756fec6aa_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\gyGvbcF.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_71d7214962e810bfdb71cfc756fec6aa_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\zLmilRb.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_71d7214962e810bfdb71cfc756fec6aa_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\QnVDKyn.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_71d7214962e810bfdb71cfc756fec6aa_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_71d7214962e810bfdb71cfc756fec6aa_cobalt-strike_cobaltstrike.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_71d7214962e810bfdb71cfc756fec6aa_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1064 wrote to memory of 3056 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_71d7214962e810bfdb71cfc756fec6aa_cobalt-strike_cobaltstrike.exe C:\Windows\System\XAApyEK.exe
PID 1064 wrote to memory of 3056 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_71d7214962e810bfdb71cfc756fec6aa_cobalt-strike_cobaltstrike.exe C:\Windows\System\XAApyEK.exe
PID 1064 wrote to memory of 1880 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_71d7214962e810bfdb71cfc756fec6aa_cobalt-strike_cobaltstrike.exe C:\Windows\System\bRqcGBg.exe
PID 1064 wrote to memory of 1880 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_71d7214962e810bfdb71cfc756fec6aa_cobalt-strike_cobaltstrike.exe C:\Windows\System\bRqcGBg.exe
PID 1064 wrote to memory of 4804 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_71d7214962e810bfdb71cfc756fec6aa_cobalt-strike_cobaltstrike.exe C:\Windows\System\lsmnVXb.exe
PID 1064 wrote to memory of 4804 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_71d7214962e810bfdb71cfc756fec6aa_cobalt-strike_cobaltstrike.exe C:\Windows\System\lsmnVXb.exe
PID 1064 wrote to memory of 372 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_71d7214962e810bfdb71cfc756fec6aa_cobalt-strike_cobaltstrike.exe C:\Windows\System\zLmilRb.exe
PID 1064 wrote to memory of 372 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_71d7214962e810bfdb71cfc756fec6aa_cobalt-strike_cobaltstrike.exe C:\Windows\System\zLmilRb.exe
PID 1064 wrote to memory of 1120 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_71d7214962e810bfdb71cfc756fec6aa_cobalt-strike_cobaltstrike.exe C:\Windows\System\fwtxXTS.exe
PID 1064 wrote to memory of 1120 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_71d7214962e810bfdb71cfc756fec6aa_cobalt-strike_cobaltstrike.exe C:\Windows\System\fwtxXTS.exe
PID 1064 wrote to memory of 4448 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_71d7214962e810bfdb71cfc756fec6aa_cobalt-strike_cobaltstrike.exe C:\Windows\System\uAtOVzE.exe
PID 1064 wrote to memory of 4448 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_71d7214962e810bfdb71cfc756fec6aa_cobalt-strike_cobaltstrike.exe C:\Windows\System\uAtOVzE.exe
PID 1064 wrote to memory of 1492 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_71d7214962e810bfdb71cfc756fec6aa_cobalt-strike_cobaltstrike.exe C:\Windows\System\MrdGOGw.exe
PID 1064 wrote to memory of 1492 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_71d7214962e810bfdb71cfc756fec6aa_cobalt-strike_cobaltstrike.exe C:\Windows\System\MrdGOGw.exe
PID 1064 wrote to memory of 4252 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_71d7214962e810bfdb71cfc756fec6aa_cobalt-strike_cobaltstrike.exe C:\Windows\System\VlnxWAo.exe
PID 1064 wrote to memory of 4252 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_71d7214962e810bfdb71cfc756fec6aa_cobalt-strike_cobaltstrike.exe C:\Windows\System\VlnxWAo.exe
PID 1064 wrote to memory of 2440 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_71d7214962e810bfdb71cfc756fec6aa_cobalt-strike_cobaltstrike.exe C:\Windows\System\xkUUgYh.exe
PID 1064 wrote to memory of 2440 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_71d7214962e810bfdb71cfc756fec6aa_cobalt-strike_cobaltstrike.exe C:\Windows\System\xkUUgYh.exe
PID 1064 wrote to memory of 1928 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_71d7214962e810bfdb71cfc756fec6aa_cobalt-strike_cobaltstrike.exe C:\Windows\System\paVrAXC.exe
PID 1064 wrote to memory of 1928 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_71d7214962e810bfdb71cfc756fec6aa_cobalt-strike_cobaltstrike.exe C:\Windows\System\paVrAXC.exe
PID 1064 wrote to memory of 3016 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_71d7214962e810bfdb71cfc756fec6aa_cobalt-strike_cobaltstrike.exe C:\Windows\System\QnVDKyn.exe
PID 1064 wrote to memory of 3016 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_71d7214962e810bfdb71cfc756fec6aa_cobalt-strike_cobaltstrike.exe C:\Windows\System\QnVDKyn.exe
PID 1064 wrote to memory of 1384 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_71d7214962e810bfdb71cfc756fec6aa_cobalt-strike_cobaltstrike.exe C:\Windows\System\DZBWypS.exe
PID 1064 wrote to memory of 1384 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_71d7214962e810bfdb71cfc756fec6aa_cobalt-strike_cobaltstrike.exe C:\Windows\System\DZBWypS.exe
PID 1064 wrote to memory of 2412 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_71d7214962e810bfdb71cfc756fec6aa_cobalt-strike_cobaltstrike.exe C:\Windows\System\fyNQaYx.exe
PID 1064 wrote to memory of 2412 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_71d7214962e810bfdb71cfc756fec6aa_cobalt-strike_cobaltstrike.exe C:\Windows\System\fyNQaYx.exe
PID 1064 wrote to memory of 4988 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_71d7214962e810bfdb71cfc756fec6aa_cobalt-strike_cobaltstrike.exe C:\Windows\System\pLWLluZ.exe
PID 1064 wrote to memory of 4988 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_71d7214962e810bfdb71cfc756fec6aa_cobalt-strike_cobaltstrike.exe C:\Windows\System\pLWLluZ.exe
PID 1064 wrote to memory of 1824 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_71d7214962e810bfdb71cfc756fec6aa_cobalt-strike_cobaltstrike.exe C:\Windows\System\ZdJpNGZ.exe
PID 1064 wrote to memory of 1824 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_71d7214962e810bfdb71cfc756fec6aa_cobalt-strike_cobaltstrike.exe C:\Windows\System\ZdJpNGZ.exe
PID 1064 wrote to memory of 2920 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_71d7214962e810bfdb71cfc756fec6aa_cobalt-strike_cobaltstrike.exe C:\Windows\System\AaEaBtE.exe
PID 1064 wrote to memory of 2920 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_71d7214962e810bfdb71cfc756fec6aa_cobalt-strike_cobaltstrike.exe C:\Windows\System\AaEaBtE.exe
PID 1064 wrote to memory of 5088 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_71d7214962e810bfdb71cfc756fec6aa_cobalt-strike_cobaltstrike.exe C:\Windows\System\QasVIHB.exe
PID 1064 wrote to memory of 5088 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_71d7214962e810bfdb71cfc756fec6aa_cobalt-strike_cobaltstrike.exe C:\Windows\System\QasVIHB.exe
PID 1064 wrote to memory of 4348 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_71d7214962e810bfdb71cfc756fec6aa_cobalt-strike_cobaltstrike.exe C:\Windows\System\LlNLCeS.exe
PID 1064 wrote to memory of 4348 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_71d7214962e810bfdb71cfc756fec6aa_cobalt-strike_cobaltstrike.exe C:\Windows\System\LlNLCeS.exe
PID 1064 wrote to memory of 4136 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_71d7214962e810bfdb71cfc756fec6aa_cobalt-strike_cobaltstrike.exe C:\Windows\System\epWSXoF.exe
PID 1064 wrote to memory of 4136 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_71d7214962e810bfdb71cfc756fec6aa_cobalt-strike_cobaltstrike.exe C:\Windows\System\epWSXoF.exe
PID 1064 wrote to memory of 4812 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_71d7214962e810bfdb71cfc756fec6aa_cobalt-strike_cobaltstrike.exe C:\Windows\System\IHvkGfr.exe
PID 1064 wrote to memory of 4812 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_71d7214962e810bfdb71cfc756fec6aa_cobalt-strike_cobaltstrike.exe C:\Windows\System\IHvkGfr.exe
PID 1064 wrote to memory of 2220 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_71d7214962e810bfdb71cfc756fec6aa_cobalt-strike_cobaltstrike.exe C:\Windows\System\gyGvbcF.exe
PID 1064 wrote to memory of 2220 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_71d7214962e810bfdb71cfc756fec6aa_cobalt-strike_cobaltstrike.exe C:\Windows\System\gyGvbcF.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-07_71d7214962e810bfdb71cfc756fec6aa_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-07_71d7214962e810bfdb71cfc756fec6aa_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\XAApyEK.exe

C:\Windows\System\XAApyEK.exe

C:\Windows\System\bRqcGBg.exe

C:\Windows\System\bRqcGBg.exe

C:\Windows\System\lsmnVXb.exe

C:\Windows\System\lsmnVXb.exe

C:\Windows\System\zLmilRb.exe

C:\Windows\System\zLmilRb.exe

C:\Windows\System\fwtxXTS.exe

C:\Windows\System\fwtxXTS.exe

C:\Windows\System\uAtOVzE.exe

C:\Windows\System\uAtOVzE.exe

C:\Windows\System\MrdGOGw.exe

C:\Windows\System\MrdGOGw.exe

C:\Windows\System\VlnxWAo.exe

C:\Windows\System\VlnxWAo.exe

C:\Windows\System\xkUUgYh.exe

C:\Windows\System\xkUUgYh.exe

C:\Windows\System\paVrAXC.exe

C:\Windows\System\paVrAXC.exe

C:\Windows\System\QnVDKyn.exe

C:\Windows\System\QnVDKyn.exe

C:\Windows\System\DZBWypS.exe

C:\Windows\System\DZBWypS.exe

C:\Windows\System\fyNQaYx.exe

C:\Windows\System\fyNQaYx.exe

C:\Windows\System\pLWLluZ.exe

C:\Windows\System\pLWLluZ.exe

C:\Windows\System\ZdJpNGZ.exe

C:\Windows\System\ZdJpNGZ.exe

C:\Windows\System\AaEaBtE.exe

C:\Windows\System\AaEaBtE.exe

C:\Windows\System\QasVIHB.exe

C:\Windows\System\QasVIHB.exe

C:\Windows\System\LlNLCeS.exe

C:\Windows\System\LlNLCeS.exe

C:\Windows\System\epWSXoF.exe

C:\Windows\System\epWSXoF.exe

C:\Windows\System\IHvkGfr.exe

C:\Windows\System\IHvkGfr.exe

C:\Windows\System\gyGvbcF.exe

C:\Windows\System\gyGvbcF.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 144.107.17.2.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 udp

Files
