Malware Analysis Report

2025-03-15 08:10

Sample ID 240529-1mcjaabg32
Target 2024-05-29_106d8d5245cad37402bcd9fa4881f141_cobalt-strike_cobaltstrike
SHA256 2f16c643beee07be92c48a208324ee02e17aa5e38a6a9931bcfd1a275ee32977
Tags
cobaltstrike xmrig 0 backdoor miner trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

2f16c643beee07be92c48a208324ee02e17aa5e38a6a9931bcfd1a275ee32977

Threat Level: Known bad

The file 2024-05-29_106d8d5245cad37402bcd9fa4881f141_cobalt-strike_cobaltstrike was found to be: Known bad.

Malicious Activity Summary

cobaltstrike xmrig 0 backdoor miner trojan upx

Xmrig family

Cobaltstrike family

UPX dump on OEP (original entry point)

XMRig Miner payload

Cobalt Strike reflective loader

Cobaltstrike

Detects Reflective DLL injection artifacts

xmrig

Executes dropped EXE

Loads dropped DLL

UPX packed file

Drops file in Windows directory

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-05-29 21:45

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike family

cobaltstrike

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Xmrig family

xmrig

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-29 21:45

Reported

2024-05-29 21:48

Platform

win7-20240508-en

Max time kernel

145s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-05-29_106d8d5245cad37402bcd9fa4881f141_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A
(this row is recorded 21 times; no description, indicator, process or target was captured for any of the matches)

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A
(this row is recorded 21 times; no description, indicator, process or target was captured for any of the matches)

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A
(this row is recorded 63 times; no description, indicator, process or target was captured for any of the matches)

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
(this row is recorded 41 times; no description, indicator, process or target was captured for any of the matches)

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_106d8d5245cad37402bcd9fa4881f141_cobalt-strike_cobaltstrike.exe N/A
(this row is recorded 21 times, once per dropped executable; no description, indicator or target was captured for any of the matches)

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
(this row is recorded 63 times; no description, indicator, process or target was captured for any of the matches)

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\SoEXCvd.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_106d8d5245cad37402bcd9fa4881f141_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\vmtzApb.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_106d8d5245cad37402bcd9fa4881f141_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\qDMqUHX.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_106d8d5245cad37402bcd9fa4881f141_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\wbNqUFW.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_106d8d5245cad37402bcd9fa4881f141_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\EZLTpAv.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_106d8d5245cad37402bcd9fa4881f141_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\MFAgQKN.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_106d8d5245cad37402bcd9fa4881f141_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\gTzXEYg.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_106d8d5245cad37402bcd9fa4881f141_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\MgDWUfp.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_106d8d5245cad37402bcd9fa4881f141_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\jttpHAZ.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_106d8d5245cad37402bcd9fa4881f141_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\emtOngR.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_106d8d5245cad37402bcd9fa4881f141_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\LEsqsYi.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_106d8d5245cad37402bcd9fa4881f141_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\PeDtEwB.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_106d8d5245cad37402bcd9fa4881f141_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\wfHsJaL.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_106d8d5245cad37402bcd9fa4881f141_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\xwJTuny.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_106d8d5245cad37402bcd9fa4881f141_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\hinXZZY.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_106d8d5245cad37402bcd9fa4881f141_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\KRCHzLZ.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_106d8d5245cad37402bcd9fa4881f141_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\djVYptz.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_106d8d5245cad37402bcd9fa4881f141_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\FkiohBG.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_106d8d5245cad37402bcd9fa4881f141_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\NJItCUk.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_106d8d5245cad37402bcd9fa4881f141_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\GnGCYWs.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_106d8d5245cad37402bcd9fa4881f141_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\KUsRHJc.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_106d8d5245cad37402bcd9fa4881f141_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_106d8d5245cad37402bcd9fa4881f141_cobalt-strike_cobaltstrike.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_106d8d5245cad37402bcd9fa4881f141_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
(Process is C:\Users\Admin\AppData\Local\Temp\2024-05-29_106d8d5245cad37402bcd9fa4881f141_cobalt-strike_cobaltstrike.exe, PID 1252, in every row; "x3" marks a child that appears in three identical rows, i.e. three separate writes)
PID 1252 wrote to memory of 2016 (x3) N/A (see above) C:\Windows\System\GnGCYWs.exe
PID 1252 wrote to memory of 2140 (x3) N/A (see above) C:\Windows\System\jttpHAZ.exe
PID 1252 wrote to memory of 2064 (x3) N/A (see above) C:\Windows\System\emtOngR.exe
PID 1252 wrote to memory of 2112 (x3) N/A (see above) C:\Windows\System\KUsRHJc.exe
PID 1252 wrote to memory of 2828 (x3) N/A (see above) C:\Windows\System\xwJTuny.exe
PID 1252 wrote to memory of 2744 (x3) N/A (see above) C:\Windows\System\wbNqUFW.exe
PID 1252 wrote to memory of 2612 (x3) N/A (see above) C:\Windows\System\EZLTpAv.exe
PID 1252 wrote to memory of 2788 (x3) N/A (see above) C:\Windows\System\PeDtEwB.exe
PID 1252 wrote to memory of 2592 (x3) N/A (see above) C:\Windows\System\wfHsJaL.exe
PID 1252 wrote to memory of 1568 (x3) N/A (see above) C:\Windows\System\MFAgQKN.exe
PID 1252 wrote to memory of 2560 (x3) N/A (see above) C:\Windows\System\hinXZZY.exe
PID 1252 wrote to memory of 2536 (x3) N/A (see above) C:\Windows\System\KRCHzLZ.exe
PID 1252 wrote to memory of 1676 (x3) N/A (see above) C:\Windows\System\gTzXEYg.exe
PID 1252 wrote to memory of 1908 (x3) N/A (see above) C:\Windows\System\SoEXCvd.exe
PID 1252 wrote to memory of 1484 (x3) N/A (see above) C:\Windows\System\djVYptz.exe
PID 1252 wrote to memory of 1028 (x3) N/A (see above) C:\Windows\System\FkiohBG.exe
PID 1252 wrote to memory of 1800 (x3) N/A (see above) C:\Windows\System\MgDWUfp.exe
PID 1252 wrote to memory of 2208 (x3) N/A (see above) C:\Windows\System\vmtzApb.exe
PID 1252 wrote to memory of 1804 (x3) N/A (see above) C:\Windows\System\NJItCUk.exe
PID 1252 wrote to memory of 2572 (x3) N/A (see above) C:\Windows\System\LEsqsYi.exe
PID 1252 wrote to memory of 544 (x3) N/A (see above) C:\Windows\System\qDMqUHX.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-05-29_106d8d5245cad37402bcd9fa4881f141_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-05-29_106d8d5245cad37402bcd9fa4881f141_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\GnGCYWs.exe

C:\Windows\System\GnGCYWs.exe

C:\Windows\System\jttpHAZ.exe

C:\Windows\System\jttpHAZ.exe

C:\Windows\System\emtOngR.exe

C:\Windows\System\emtOngR.exe

C:\Windows\System\KUsRHJc.exe

C:\Windows\System\KUsRHJc.exe

C:\Windows\System\xwJTuny.exe

C:\Windows\System\xwJTuny.exe

C:\Windows\System\wbNqUFW.exe

C:\Windows\System\wbNqUFW.exe

C:\Windows\System\EZLTpAv.exe

C:\Windows\System\EZLTpAv.exe

C:\Windows\System\PeDtEwB.exe

C:\Windows\System\PeDtEwB.exe

C:\Windows\System\wfHsJaL.exe

C:\Windows\System\wfHsJaL.exe

C:\Windows\System\MFAgQKN.exe

C:\Windows\System\MFAgQKN.exe

C:\Windows\System\hinXZZY.exe

C:\Windows\System\hinXZZY.exe

C:\Windows\System\KRCHzLZ.exe

C:\Windows\System\KRCHzLZ.exe

C:\Windows\System\gTzXEYg.exe

C:\Windows\System\gTzXEYg.exe

C:\Windows\System\SoEXCvd.exe

C:\Windows\System\SoEXCvd.exe

C:\Windows\System\djVYptz.exe

C:\Windows\System\djVYptz.exe

C:\Windows\System\FkiohBG.exe

C:\Windows\System\FkiohBG.exe

C:\Windows\System\MgDWUfp.exe

C:\Windows\System\MgDWUfp.exe

C:\Windows\System\vmtzApb.exe

C:\Windows\System\vmtzApb.exe

C:\Windows\System\NJItCUk.exe

C:\Windows\System\NJItCUk.exe

C:\Windows\System\LEsqsYi.exe

C:\Windows\System\LEsqsYi.exe

C:\Windows\System\qDMqUHX.exe

C:\Windows\System\qDMqUHX.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 N/A tcp
(this row is recorded 6 times: six TCP connections to the same endpoint, with no domain recorded for any of them)

Files

memory/1252-0-0x000000013FD70000-0x00000001400C1000-memory.dmp

memory/1252-1-0x0000000000090000-0x00000000000A0000-memory.dmp

\Windows\system\GnGCYWs.exe

MD5 e861091ef84186e08a967ef890b6fc13
SHA1 4e9dd0123682796e59f90b9a8bc771a03be30f7b
SHA256 10f306836ac7f6c833e5c1dd03734b2cd2ec32560563e856f8f006ebcfd783e1
SHA512 409c9756bd0c367d1d47f9da53d98c09c1c547dd195ac571ed636d0123f9eb8c0ece929d89e5c80e1245983786755d60adc684fd8d374539945002e1afb51ec9

C:\Windows\system\KUsRHJc.exe

MD5 cb186589855eb6188729041d8b5641d1
SHA1 efebf6823850a767597f7afce1e678295a714b50
SHA256 e434958ae30385dc9cb916d90f01bff43fd7a9d0e7555c092d93d3163c3ab011
SHA512 b62f0d0413a2bc18fd575043d5bd453fac9ad6ab5eaa738c2b2806cfb71f71f8b3ee841d188bac2fd2181fa8ed1534cc2b4b5eacc91a69859929d8f2098329b6

memory/1252-27-0x000000013F6C0000-0x000000013FA11000-memory.dmp

C:\Windows\system\emtOngR.exe

MD5 6c90c9072bf479b5e5de39169f97e960
SHA1 cddfe588574202d1e73733732f23855e83a491ef
SHA256 d23c7c1a551f8a99c19411f9b3285f1967361daf0c06f488c2b3035e8f70690b
SHA512 3bf3fdd3e7ee028048f73805d10e43ae192785c92ca57bf4bfc2c1bac458820b0cfd45ddff2e558c22c4548ac5404dcb8d7ebb92bf05d304fbee391edc73a2cb

C:\Windows\system\xwJTuny.exe

MD5 96b521dfb34e4f74f66f4ab7c4df4503
SHA1 fa00b3d21c9d863bd114f686e5a73c4e3149b39f
SHA256 551cb1fbe3b3506104d1711a1d50b6e2a07dbe12a195d28a95000e4dbca1507b
SHA512 a93b8c41f6bf659474175f0026128cb472ff4ab39fc362bab62a6554782d49bc221ac3ec5c8de95f4a81a26d63f5ea17c13de7435e0dc5759ff6bc3b9918d565

memory/1252-30-0x0000000002170000-0x00000000024C1000-memory.dmp

memory/2064-35-0x000000013FCA0000-0x000000013FFF1000-memory.dmp

memory/2744-42-0x000000013FC40000-0x000000013FF91000-memory.dmp

memory/2612-49-0x000000013FD70000-0x00000001400C1000-memory.dmp

C:\Windows\system\wfHsJaL.exe

MD5 6a54268f0547773ac1572ff516f99f04
SHA1 c5c705a2fded03cb3fab0d5d935d65decdac8890
SHA256 ac30665c9d67c37fe882c0a61f356b36e4d61cb092ef1234db2cbbde5bf56e0d
SHA512 ff6be585b54d56b037f412d871ec778c379684e19445314c111e484f515e575df5e33b93791fb8adf8a5f5d898b7d4163ca25e01ab06bdd602600aef29220186

\Windows\system\MFAgQKN.exe

MD5 90923b89b44995040afd9d172cd62f8d
SHA1 bbdba5e0a0be7c5fd8a61ac6437f558b88add459
SHA256 384a6cbcd74fe2547260bac80e25c7f788d029072a67010aa5aa505b40c5ce8a
SHA512 9748d688d7209461d376b5144f3bf450fbe9bfcb4ee1eed838355ba34eec938e1ac969bf3e27c4ce9dfc58d11b5626d3acd781f47c7b6c0a0b3f9929ef4fb2a2

memory/2560-76-0x000000013F730000-0x000000013FA81000-memory.dmp

C:\Windows\system\KRCHzLZ.exe

MD5 a0ad246459131dfa14fd899f45130725
SHA1 509b89a3853687a7e5f3cfd8db303b266a0542af
SHA256 4b4acfb0ee265190e9a2e595c8d56f75d19d72c82bb03782dd3a1550ca6edf5f
SHA512 d6cbd6322cce80325121bc572c536f4b7167a2fe643f80c36af65cc7eb55dacf9bc9b1490d5d13ce64d5c4414a496b325c5e0336aab86be5d35cf03432558e6a

memory/2536-82-0x000000013F570000-0x000000013F8C1000-memory.dmp

memory/1252-87-0x000000013FD70000-0x00000001400C1000-memory.dmp

memory/1676-89-0x000000013FD20000-0x0000000140071000-memory.dmp

C:\Windows\system\vmtzApb.exe

MD5 8b3deca2ceed77f1ca7e1269f3bf5577
SHA1 f44d779f08f086b26235b7051945af62dfa5fbce
SHA256 82e4087b77d34b796815680fb564ca523213a5619df96c9d47c72942a5b67286
SHA512 513bdd7bab68144605c16547d479b2dba3d56c63990883c943411e8c16a6505d141141b1f702e815e1dd648727a252d2f42e915c73918070b4b0cf9d481626cf

C:\Windows\system\LEsqsYi.exe

MD5 4e24520f00643fc6bba2dae573d02d3d
SHA1 f78b51a582b95f5deef3cce4a87ab68764b1f57d
SHA256 5bd802b731ae45c640dd126eecbf5fde78f71a1ec7790ac7b2bd1de9b1a9b350
SHA512 f174f014a01d0d33eb47980d04d49e3b4b4f5621f9a5c6bb039ebb4bcd20ab6f0b18a38016dffc6bc63bd66e38933c2389cb6c12fbc9e7dddf03acd877eb92c8

C:\Windows\system\qDMqUHX.exe

MD5 032523dd4718165a569df02309f714b7
SHA1 2aa551e8f67c26909c09fb696b4dd02a409d6b06
SHA256 5e7c44dda2aa24566b114850a65b8daeb01b7b9d977761b6039a22bc58cdd879
SHA512 3ddf5e6a422cac00f98c88ed4d9351e1fa19eb953ebdf1db1c0922ed435361b171a4c177190511433e2445aff83dc45210a65527e5a53dd33c610ed435418058

C:\Windows\system\FkiohBG.exe

MD5 c93c34b9e9b7f02208da3bf6f58a9bfc
SHA1 0f2a8b1fb66eb2aa34b716192ccba8c12a86b0db
SHA256 edf9a853e4ee40454c00d81bf8ebaed78830bd6e74ae0f9d2229a460ca0333e5
SHA512 e31f7c79b72cee09386913085e6d2577d751ada967182159f2e82df4df457ef09e53a8fee5e1445fb00377c892143d7b25957e28609e7dfd0aec489ca311b3dc

C:\Windows\system\NJItCUk.exe

MD5 ee833c586776418ac338e8a9ecabf8f4
SHA1 ef18ebcaf7b6bb2b212c7513dad077f970b2ed7c
SHA256 367f82808926099952e0d2e8803f5541a7d299e361407d023cce3b79b0140053
SHA512 43a3108df02862e62ce0beef7047bbdc18f24b9317d507e5fb3d275aa69b7b1a3ce7084d91f14a1dbee09bae07dbe638420a14f68690b1d43ddc68bd6bab3901

C:\Windows\system\MgDWUfp.exe

MD5 c431f60866b4cdf896dc45959e5e159a
SHA1 428c037051e7e1b85d7994ff65966e41b6fa525c
SHA256 a23e06423960a92e4ae614923c3bbdb4b0393c06d27093ea5c3c7a443a65efdf
SHA512 c8369063e81786f457c1952af7150d2baf0d170e9ff10bdffbe7c5e741ac408a4cbd3f7ae06b2a491f16ad0d1ef86fdcb01e8181ceec229a140346eacb7d8f5f

memory/1252-102-0x000000013F760000-0x000000013FAB1000-memory.dmp

memory/2744-132-0x000000013FC40000-0x000000013FF91000-memory.dmp

C:\Windows\system\djVYptz.exe

MD5 53ff5dfc2889a6bdadfc151afbc9c86b
SHA1 5b7af84da1846e47f16cd65c508051994d8b2603
SHA256 81c7b67b8736505949d34694acea8884367909758e09a601253efa6d83f2dd8c
SHA512 0407faee73e2f5a0f183ad64023abf07d35978cf475bc2814f7aa7611b818bb9f17c87cca95bc74868a8f3fa3f271e3d7ec1c3c2e4923ff1908db15d785c8975

memory/1908-96-0x000000013FFA0000-0x00000001402F1000-memory.dmp

C:\Windows\system\SoEXCvd.exe

MD5 dbd1424acbb0efdf1d48c7b2de5e5b75
SHA1 86b80a1fa62b6ab718686278f0024712ae0f7f8e
SHA256 c097c021523dd0ca5385d0f8b43650287320c2b0443cf17f0739811b6d68a43b
SHA512 8d8c9af3b4294ba95f8fc9b72552868669859d64334bb8905e5a60c34c3c2af235ea0f5049de551c415e3a486cb62b04d465bd501c290ba0a8f0ccf1c900e7d2

memory/1252-88-0x0000000002170000-0x00000000024C1000-memory.dmp

C:\Windows\system\gTzXEYg.exe

MD5 dcdc9a9c61f9f1014b39d47597b96edb
SHA1 0be7e0f06a31abbef8647d1649ee7720811e2637
SHA256 ff3f31aecee078a72ae0e267de5195f118e556a79f9649ec96302d506ce3f51a
SHA512 49b716919dad6f2ff24d95e4ec53ded3962ed32f29b149895724bc207fa755d42b799c71b85cf85f1c74aa8df02c0dfd119424f3ad46f1c7b541d7022f14f91b

memory/1252-75-0x000000013F730000-0x000000013FA81000-memory.dmp

memory/1568-69-0x000000013F180000-0x000000013F4D1000-memory.dmp

memory/1252-66-0x000000013F180000-0x000000013F4D1000-memory.dmp

memory/2592-65-0x000000013FE90000-0x00000001401E1000-memory.dmp

C:\Windows\system\hinXZZY.exe

MD5 3cc8cdc3cc95cc162ad2b2e7c7fd5ea5
SHA1 a000892888f121e0e664e5b89ea0781ac27aad86
SHA256 f02e99d7a543bc0bd64e4f99d699a69596b7a2e4f9c48fcbbdc346697636827a
SHA512 92a0137e5330ab6bfa88e85ade4c7c5a6e1d029944a8d8fe4dcab1eaab0a512e311c97cd347c005996b034f73f3126bd560b4ee8bde70b3d951fd800106b118d

memory/2788-54-0x000000013F8A0000-0x000000013FBF1000-memory.dmp

memory/1252-53-0x000000013F8A0000-0x000000013FBF1000-memory.dmp

C:\Windows\system\PeDtEwB.exe

MD5 88a4e47f7e810d6dc1244a491a4fe546
SHA1 2670b89b43b4f0f07917bcf61fb80092437d3c28
SHA256 ccc90e9bed4288f77943e311e352c15e82660a0eaa16fb3ac986240f4a9af5e5
SHA512 60e69e40da98c8e391517caaad2fc455d3b947b830a5a05294a6d1b2d04623abfb0fc72d123acd7b57daa0842163241e2469cf8603f510a98eb835231c0c6cdb

memory/2788-133-0x000000013F8A0000-0x000000013FBF1000-memory.dmp

C:\Windows\system\wbNqUFW.exe

MD5 9aa62b984f19a9e5c7706e30775c352c
SHA1 3f38719db8f99f5cc36b5cfafa58934b82dd8801
SHA256 4b9e017a3414e4e8109b8959018a4b8080e82c7191b07943ba975d6558dda19e
SHA512 6cdfe0df1e048feb2dc378ff5347a42c16771dd1418e91bf8c1f45e823572bc59e5b3c10129fdc3e8b090ee3455addc34eabb1f6d16fcb75aa32f1f14f55d966

memory/1252-40-0x0000000002170000-0x00000000024C1000-memory.dmp

memory/2112-39-0x000000013FE80000-0x00000001401D1000-memory.dmp

memory/2016-38-0x000000013F470000-0x000000013F7C1000-memory.dmp

C:\Windows\system\EZLTpAv.exe

MD5 2c2e89dcbd1b9e85d2211920630f60b3
SHA1 b5034183e0a2a48f9aba11e4e34f083a9690bfa7
SHA256 d1a3854407d3a1c2da2517efe475efc2120f01c25fe4c02aba1f20905979ee2f
SHA512 7af99cbb81429e5a82aedc729ab4be3b4530a3ecb9256d816008582b875ce09c40683dd1e9e17f50b86522ec1c3acaaad8a37c17bb4d8b08428aa4b70246e0c7

memory/2828-37-0x000000013FF40000-0x0000000140291000-memory.dmp

memory/1252-36-0x0000000002170000-0x00000000024C1000-memory.dmp

memory/1252-34-0x0000000002170000-0x00000000024C1000-memory.dmp

memory/2140-29-0x000000013F6C0000-0x000000013FA11000-memory.dmp

C:\Windows\system\jttpHAZ.exe

MD5 ed522e29008ae423d191facccfc7f0df
SHA1 48346f0cb7db1fc85742ddd115e1d7bcfb4476a1
SHA256 c198ad6ad0789efcca761f97675a4201332baffb538bf869f039d489b6940251
SHA512 6511cf2915da743c459fccb9b7cf481d96052e1b81fc74d72539bbe16ea34f61016e3b64d9758d8b0b79538b45495818b6e46b8530225276166c51f77a4ae103

memory/1252-134-0x000000013FD70000-0x00000001400C1000-memory.dmp

memory/1676-147-0x000000013FD20000-0x0000000140071000-memory.dmp

memory/2572-154-0x000000013F5F0000-0x000000013F941000-memory.dmp

memory/544-155-0x000000013F7A0000-0x000000013FAF1000-memory.dmp

memory/1804-153-0x000000013F3A0000-0x000000013F6F1000-memory.dmp

memory/1800-151-0x000000013FFB0000-0x0000000140301000-memory.dmp

memory/1028-150-0x000000013F9C0000-0x000000013FD11000-memory.dmp

memory/1484-149-0x000000013F760000-0x000000013FAB1000-memory.dmp

memory/2208-152-0x000000013FD40000-0x0000000140091000-memory.dmp

memory/1252-156-0x000000013FD70000-0x00000001400C1000-memory.dmp

memory/1252-171-0x0000000002170000-0x00000000024C1000-memory.dmp

memory/1252-179-0x000000013F760000-0x000000013FAB1000-memory.dmp

memory/2016-209-0x000000013F470000-0x000000013F7C1000-memory.dmp

memory/2064-213-0x000000013FCA0000-0x000000013FFF1000-memory.dmp

memory/2828-215-0x000000013FF40000-0x0000000140291000-memory.dmp

memory/2140-212-0x000000013F6C0000-0x000000013FA11000-memory.dmp

memory/2112-217-0x000000013FE80000-0x00000001401D1000-memory.dmp

memory/2612-219-0x000000013FD70000-0x00000001400C1000-memory.dmp

memory/2788-223-0x000000013F8A0000-0x000000013FBF1000-memory.dmp

memory/2744-221-0x000000013FC40000-0x000000013FF91000-memory.dmp

memory/2592-225-0x000000013FE90000-0x00000001401E1000-memory.dmp

memory/1568-227-0x000000013F180000-0x000000013F4D1000-memory.dmp

memory/2560-229-0x000000013F730000-0x000000013FA81000-memory.dmp

memory/2536-231-0x000000013F570000-0x000000013F8C1000-memory.dmp

memory/1676-233-0x000000013FD20000-0x0000000140071000-memory.dmp

memory/1908-235-0x000000013FFA0000-0x00000001402F1000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-29 21:45

Reported

2024-05-29 21:48

Platform

win10v2004-20240426-en

Max time kernel

142s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-05-29_106d8d5245cad37402bcd9fa4881f141_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\GCIDiqE.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_106d8d5245cad37402bcd9fa4881f141_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\hmopByX.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_106d8d5245cad37402bcd9fa4881f141_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\DuToMMT.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_106d8d5245cad37402bcd9fa4881f141_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\CjyxfmH.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_106d8d5245cad37402bcd9fa4881f141_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\cPGVsHb.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_106d8d5245cad37402bcd9fa4881f141_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\tiQHIGp.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_106d8d5245cad37402bcd9fa4881f141_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\KQbhrxk.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_106d8d5245cad37402bcd9fa4881f141_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\NeVtEqU.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_106d8d5245cad37402bcd9fa4881f141_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\BxMNUKw.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_106d8d5245cad37402bcd9fa4881f141_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\EcmxJbO.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_106d8d5245cad37402bcd9fa4881f141_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ggRpZPq.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_106d8d5245cad37402bcd9fa4881f141_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\uBJCIar.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_106d8d5245cad37402bcd9fa4881f141_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\WPWsplJ.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_106d8d5245cad37402bcd9fa4881f141_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\dhJFyBV.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_106d8d5245cad37402bcd9fa4881f141_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\HrIGsmB.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_106d8d5245cad37402bcd9fa4881f141_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\zlrmqni.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_106d8d5245cad37402bcd9fa4881f141_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\mbQjYeS.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_106d8d5245cad37402bcd9fa4881f141_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\yIyPxzF.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_106d8d5245cad37402bcd9fa4881f141_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\apaUoUf.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_106d8d5245cad37402bcd9fa4881f141_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\kUWcckO.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_106d8d5245cad37402bcd9fa4881f141_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\VfGOPMt.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_106d8d5245cad37402bcd9fa4881f141_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_106d8d5245cad37402bcd9fa4881f141_cobalt-strike_cobaltstrike.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_106d8d5245cad37402bcd9fa4881f141_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3872 wrote to memory of 2816 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_106d8d5245cad37402bcd9fa4881f141_cobalt-strike_cobaltstrike.exe C:\Windows\System\KQbhrxk.exe
PID 3872 wrote to memory of 2816 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_106d8d5245cad37402bcd9fa4881f141_cobalt-strike_cobaltstrike.exe C:\Windows\System\KQbhrxk.exe
PID 3872 wrote to memory of 4252 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_106d8d5245cad37402bcd9fa4881f141_cobalt-strike_cobaltstrike.exe C:\Windows\System\EcmxJbO.exe
PID 3872 wrote to memory of 4252 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_106d8d5245cad37402bcd9fa4881f141_cobalt-strike_cobaltstrike.exe C:\Windows\System\EcmxJbO.exe
PID 3872 wrote to memory of 2984 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_106d8d5245cad37402bcd9fa4881f141_cobalt-strike_cobaltstrike.exe C:\Windows\System\NeVtEqU.exe
PID 3872 wrote to memory of 2984 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_106d8d5245cad37402bcd9fa4881f141_cobalt-strike_cobaltstrike.exe C:\Windows\System\NeVtEqU.exe
PID 3872 wrote to memory of 1168 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_106d8d5245cad37402bcd9fa4881f141_cobalt-strike_cobaltstrike.exe C:\Windows\System\kUWcckO.exe
PID 3872 wrote to memory of 1168 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_106d8d5245cad37402bcd9fa4881f141_cobalt-strike_cobaltstrike.exe C:\Windows\System\kUWcckO.exe
PID 3872 wrote to memory of 1360 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_106d8d5245cad37402bcd9fa4881f141_cobalt-strike_cobaltstrike.exe C:\Windows\System\VfGOPMt.exe
PID 3872 wrote to memory of 1360 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_106d8d5245cad37402bcd9fa4881f141_cobalt-strike_cobaltstrike.exe C:\Windows\System\VfGOPMt.exe
PID 3872 wrote to memory of 1888 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_106d8d5245cad37402bcd9fa4881f141_cobalt-strike_cobaltstrike.exe C:\Windows\System\zlrmqni.exe
PID 3872 wrote to memory of 1888 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_106d8d5245cad37402bcd9fa4881f141_cobalt-strike_cobaltstrike.exe C:\Windows\System\zlrmqni.exe
PID 3872 wrote to memory of 1404 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_106d8d5245cad37402bcd9fa4881f141_cobalt-strike_cobaltstrike.exe C:\Windows\System\GCIDiqE.exe
PID 3872 wrote to memory of 1404 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_106d8d5245cad37402bcd9fa4881f141_cobalt-strike_cobaltstrike.exe C:\Windows\System\GCIDiqE.exe
PID 3872 wrote to memory of 4372 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_106d8d5245cad37402bcd9fa4881f141_cobalt-strike_cobaltstrike.exe C:\Windows\System\hmopByX.exe
PID 3872 wrote to memory of 4372 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_106d8d5245cad37402bcd9fa4881f141_cobalt-strike_cobaltstrike.exe C:\Windows\System\hmopByX.exe
PID 3872 wrote to memory of 3976 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_106d8d5245cad37402bcd9fa4881f141_cobalt-strike_cobaltstrike.exe C:\Windows\System\yIyPxzF.exe
PID 3872 wrote to memory of 3976 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_106d8d5245cad37402bcd9fa4881f141_cobalt-strike_cobaltstrike.exe C:\Windows\System\yIyPxzF.exe
PID 3872 wrote to memory of 5108 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_106d8d5245cad37402bcd9fa4881f141_cobalt-strike_cobaltstrike.exe C:\Windows\System\ggRpZPq.exe
PID 3872 wrote to memory of 5108 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_106d8d5245cad37402bcd9fa4881f141_cobalt-strike_cobaltstrike.exe C:\Windows\System\ggRpZPq.exe
PID 3872 wrote to memory of 2528 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_106d8d5245cad37402bcd9fa4881f141_cobalt-strike_cobaltstrike.exe C:\Windows\System\DuToMMT.exe
PID 3872 wrote to memory of 2528 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_106d8d5245cad37402bcd9fa4881f141_cobalt-strike_cobaltstrike.exe C:\Windows\System\DuToMMT.exe
PID 3872 wrote to memory of 1628 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_106d8d5245cad37402bcd9fa4881f141_cobalt-strike_cobaltstrike.exe C:\Windows\System\CjyxfmH.exe
PID 3872 wrote to memory of 1628 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_106d8d5245cad37402bcd9fa4881f141_cobalt-strike_cobaltstrike.exe C:\Windows\System\CjyxfmH.exe
PID 3872 wrote to memory of 4852 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_106d8d5245cad37402bcd9fa4881f141_cobalt-strike_cobaltstrike.exe C:\Windows\System\mbQjYeS.exe
PID 3872 wrote to memory of 4852 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_106d8d5245cad37402bcd9fa4881f141_cobalt-strike_cobaltstrike.exe C:\Windows\System\mbQjYeS.exe
PID 3872 wrote to memory of 2988 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_106d8d5245cad37402bcd9fa4881f141_cobalt-strike_cobaltstrike.exe C:\Windows\System\uBJCIar.exe
PID 3872 wrote to memory of 2988 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_106d8d5245cad37402bcd9fa4881f141_cobalt-strike_cobaltstrike.exe C:\Windows\System\uBJCIar.exe
PID 3872 wrote to memory of 3052 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_106d8d5245cad37402bcd9fa4881f141_cobalt-strike_cobaltstrike.exe C:\Windows\System\cPGVsHb.exe
PID 3872 wrote to memory of 3052 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_106d8d5245cad37402bcd9fa4881f141_cobalt-strike_cobaltstrike.exe C:\Windows\System\cPGVsHb.exe
PID 3872 wrote to memory of 812 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_106d8d5245cad37402bcd9fa4881f141_cobalt-strike_cobaltstrike.exe C:\Windows\System\WPWsplJ.exe
PID 3872 wrote to memory of 812 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_106d8d5245cad37402bcd9fa4881f141_cobalt-strike_cobaltstrike.exe C:\Windows\System\WPWsplJ.exe
PID 3872 wrote to memory of 3736 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_106d8d5245cad37402bcd9fa4881f141_cobalt-strike_cobaltstrike.exe C:\Windows\System\dhJFyBV.exe
PID 3872 wrote to memory of 3736 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_106d8d5245cad37402bcd9fa4881f141_cobalt-strike_cobaltstrike.exe C:\Windows\System\dhJFyBV.exe
PID 3872 wrote to memory of 3572 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_106d8d5245cad37402bcd9fa4881f141_cobalt-strike_cobaltstrike.exe C:\Windows\System\tiQHIGp.exe
PID 3872 wrote to memory of 3572 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_106d8d5245cad37402bcd9fa4881f141_cobalt-strike_cobaltstrike.exe C:\Windows\System\tiQHIGp.exe
PID 3872 wrote to memory of 2032 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_106d8d5245cad37402bcd9fa4881f141_cobalt-strike_cobaltstrike.exe C:\Windows\System\HrIGsmB.exe
PID 3872 wrote to memory of 2032 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_106d8d5245cad37402bcd9fa4881f141_cobalt-strike_cobaltstrike.exe C:\Windows\System\HrIGsmB.exe
PID 3872 wrote to memory of 1432 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_106d8d5245cad37402bcd9fa4881f141_cobalt-strike_cobaltstrike.exe C:\Windows\System\apaUoUf.exe
PID 3872 wrote to memory of 1432 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_106d8d5245cad37402bcd9fa4881f141_cobalt-strike_cobaltstrike.exe C:\Windows\System\apaUoUf.exe
PID 3872 wrote to memory of 1376 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_106d8d5245cad37402bcd9fa4881f141_cobalt-strike_cobaltstrike.exe C:\Windows\System\BxMNUKw.exe
PID 3872 wrote to memory of 1376 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_106d8d5245cad37402bcd9fa4881f141_cobalt-strike_cobaltstrike.exe C:\Windows\System\BxMNUKw.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-05-29_106d8d5245cad37402bcd9fa4881f141_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-05-29_106d8d5245cad37402bcd9fa4881f141_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\KQbhrxk.exe

C:\Windows\System\KQbhrxk.exe

C:\Windows\System\EcmxJbO.exe

C:\Windows\System\EcmxJbO.exe

C:\Windows\System\NeVtEqU.exe

C:\Windows\System\NeVtEqU.exe

C:\Windows\System\kUWcckO.exe

C:\Windows\System\kUWcckO.exe

C:\Windows\System\VfGOPMt.exe

C:\Windows\System\VfGOPMt.exe

C:\Windows\System\zlrmqni.exe

C:\Windows\System\zlrmqni.exe

C:\Windows\System\GCIDiqE.exe

C:\Windows\System\GCIDiqE.exe

C:\Windows\System\hmopByX.exe

C:\Windows\System\hmopByX.exe

C:\Windows\System\yIyPxzF.exe

C:\Windows\System\yIyPxzF.exe

C:\Windows\System\ggRpZPq.exe

C:\Windows\System\ggRpZPq.exe

C:\Windows\System\DuToMMT.exe

C:\Windows\System\DuToMMT.exe

C:\Windows\System\CjyxfmH.exe

C:\Windows\System\CjyxfmH.exe

C:\Windows\System\mbQjYeS.exe

C:\Windows\System\mbQjYeS.exe

C:\Windows\System\uBJCIar.exe

C:\Windows\System\uBJCIar.exe

C:\Windows\System\cPGVsHb.exe

C:\Windows\System\cPGVsHb.exe

C:\Windows\System\WPWsplJ.exe

C:\Windows\System\WPWsplJ.exe

C:\Windows\System\dhJFyBV.exe

C:\Windows\System\dhJFyBV.exe

C:\Windows\System\tiQHIGp.exe

C:\Windows\System\tiQHIGp.exe

C:\Windows\System\HrIGsmB.exe

C:\Windows\System\HrIGsmB.exe

C:\Windows\System\apaUoUf.exe

C:\Windows\System\apaUoUf.exe

C:\Windows\System\BxMNUKw.exe

C:\Windows\System\BxMNUKw.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 23.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 144.107.17.2.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 98.58.20.217.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp

Files

memory/3872-0-0x00007FF7157B0000-0x00007FF715B01000-memory.dmp

memory/3872-1-0x0000027EC6CD0000-0x0000027EC6CE0000-memory.dmp

C:\Windows\System\KQbhrxk.exe

MD5 6c218defd608b557e9be8b1f762277f9
SHA1 6b50e1d431ea00038fcfde6c39a1d1969d5475d0
SHA256 3dc169b9b8d2dcdec2bc22ccb5de4b0fc1fbf0468d1d929bdb162705f78cd2f2
SHA512 749f3edeb744f89e8c4d33693e90cfdc353c6686b5bdd567d6face79b54b019814d00f39d4e48d83d923ece03757fa8d8c58c50612fc9dc82fcb135b0cd352aa

memory/2816-7-0x00007FF7D24B0000-0x00007FF7D2801000-memory.dmp

C:\Windows\System\EcmxJbO.exe

MD5 93cbf72946e9e5749b239d34a7409f36
SHA1 9d5de17fdefbae6041a6428798e8841d1ce62274
SHA256 ddf3795d47bd4f515c37088796b344c3df04aacb1cfb725f06d024de19a47d40
SHA512 5c8d7020d4a985727a040c488b2954fc08b825f05d355b16c0bfa1646944bd42a762c6e585cc60b4947f633602b1f5ac11ef33e725949d46a3c35fa44128e177

C:\Windows\System\NeVtEqU.exe

MD5 6828ef454ba0724c83c1ce5f20201610
SHA1 3072fca735624c38f554a4e9089c5c7f0cb488f5
SHA256 e86a29fb4852f6584492206ef75eb395bf76a7df8683fc990399c1cee1c38ecb
SHA512 2d665a4dde9ce28e66001ac1869a5524c76751352d9166bde42efc22ac6cefd028422ec4d10c2da3f57d1017d022836c4531d8f3008768bc6d1e3af7a496fdd2

memory/4252-14-0x00007FF730900000-0x00007FF730C51000-memory.dmp

C:\Windows\System\kUWcckO.exe

MD5 3b2cf6cfa6ca584814261d5578b001ee
SHA1 0de865417d8cd15e9a445cfa4d15365423fecd50
SHA256 26f5f19270f738374ed631af135ea3e60c74a7233ec9d413b1f79743f3d75cf9
SHA512 b4d3fca10ebad44e376c1549988ef145ce8c7e821b6b48b286cb94fd243e6410604a08257531876c56ed1b6478abbbb3bf7f55f0ee0856d506b2835386a28130

C:\Windows\System\VfGOPMt.exe

MD5 bb6bfffb4b3b4d75bf33bbfaac58c597
SHA1 5c2d59e39e23a1a014d173424109b0ae914f7190
SHA256 5055067983c9498a91c39175f046020ed68831771418ea6d9008f0a37ecec4c0
SHA512 648ad2ec5ae4394f7fd7e3e2a4b625be247f8a6a612735501d6be8157b9a19e2ea1d8e9bcf5adbab06e1e9c96c7b57958e7df7bed1a56c72ef06551d73a11968

C:\Windows\System\zlrmqni.exe

MD5 cd53c6a84fd65d786961b0777eb05f27
SHA1 d502ff5d1ebb2e78ce12b1206cd2c02d78b8edc4
SHA256 ae2bff5517c83a0dc79cef869d473ff181c9121bb6067e51b9426ff088c0f0d3
SHA512 06405c53cd437baf966ae4d1be8d1f65050ee82969618b7a45d28e8fb4747553d087c4006a8770c7c96c4165f2738b8a329837d0f33789127aa2dc5ba11af863

C:\Windows\System\GCIDiqE.exe

MD5 d3f7aa0e69bfddeff3719b352b5b6075
SHA1 adfc720ad0f27c9997e5a5c504ff95db3618181e
SHA256 b2fddb4ed80b9030c172321d486e2cdeb46cfa507cef1a9ab34ae80fe2a5ab5c
SHA512 5744d7f0c7eba54d2216ecba175d014f2c03e7f194ee2ef6b31fb8bd584f6a062410dc47ee232eeef8ff95337edd88b489e25b9825797b4c6e0ec86708459555

C:\Windows\System\hmopByX.exe

MD5 f8e07867ca19afe78f06f609ae907ada
SHA1 1423f46dd5e4bffede7eaf78ff83a18e90cea6d4
SHA256 449f8a1bf732a4263974a5470c15f72c775846edb08177ea71b420042ac45a72
SHA512 83c834d1f4b50365ce834579f370327f81815800198716b842a5abb39000b7bbf642dddac4f009c8b5ac5f627ee09b42b7b584c756bf3c7a4216c5a14f353638

memory/4372-52-0x00007FF6172E0000-0x00007FF617631000-memory.dmp

C:\Windows\System\DuToMMT.exe

MD5 0aac4b7d32e5b65a50bb74fbb9a7e99e
SHA1 c8c5d91795a2acd0af93dfd7bf52f81c1b319ed0
SHA256 d68379583eb3a22eea3ce2d827a696bc5b775928aa240d3281c1f0d791019b0f
SHA512 5dfe71b3b95f9e86218e3355bed52e837d3a9da7f4b1a87e42254c464d3eca0cbb58e149307ec3cbacb4b8d0a426de2720e695e9b9cc9e3630c7e57e461cedac

C:\Windows\System\CjyxfmH.exe

MD5 ae9d6da4e29a955da1a3a19d2663b547
SHA1 2899a0eadd7ca782d745f398fd561725a4f41607
SHA256 762b9b2c21a591bf3b7f4486c1b0bfea40137acb53309381b9ab3c7626147606
SHA512 b0e69b980c1e8d074d9dedb7b149c4e3bc9d7d9348b4950e9b77e6859843afaee30a1abf273787184c891ce899819e798740b84badff30d19492c850451a309c

memory/2988-79-0x00007FF786D50000-0x00007FF7870A1000-memory.dmp

memory/4852-86-0x00007FF6AF090000-0x00007FF6AF3E1000-memory.dmp

C:\Windows\System\tiQHIGp.exe

MD5 b7fa25e3a5e9e1a252e344c5e4f72a59
SHA1 f99c914488ed2face49e2692949448fe069f052f
SHA256 da40cf9de70c3f1775a491590c09b7ebd39f6676809dbb6cf887fd3f4157c8be
SHA512 6d8e06bfc98431505e0dfad6d56a0ba202b7f85b3f6d945e0932e20a8bec0322bd633b43ff15cb6237f1600b68f20b619b4d1845085b27b1d6f9e10871a4374a

C:\Windows\System\WPWsplJ.exe

MD5 d2f73f20f3579cc259f150145df88b8a
SHA1 86ac7669ca874c9c4c97f235ad45290f4f97f0b7
SHA256 a30a1279c17a40060d9036321f3a088ccf36a4c8f6f3892041b1cc3e26b8c5c1
SHA512 6cd7a96b5b32de12b7149f8b22ae8262463dd5429521992756115e7aa0b4fe7b04b3bdc6186b33142a2b3bb182b0b31032c98e0be37911aa1c7dabf61f16d5fb

C:\Windows\System\BxMNUKw.exe

MD5 a81d343f92e7220435c65396c19530ac
SHA1 4b9ffba4b37fa5be8fe91d38d12869b574bde06c
SHA256 c1b49105037d85310ad3f7111bffd446729492ae1b82482f8526d6921a053d8b
SHA512 87e41200b2cfe07ac9ddfcace61b22be328dc56747abd8017ada074a4556b3dd202c29b76c749d9956a1162c3587cacd0c46e8be93467ea353a5061804a0868c

C:\Windows\System\HrIGsmB.exe

MD5 06a63bba548b165f0989125044be671a
SHA1 f7610203dc8891f34eb90b895c84a76d379d315d
SHA256 1e7e3b1b7781b53dc274df67a46a5afa3c99bc0a394028fa5d461ac7ba506b67
SHA512 0c0282e82bd6493dd2b1f1547c8ad39001b65c758dcf989b2c3fd2a09be9d999967918f9efa78fc54501694a73b2071eefcf699e529687f1041f0b945a226336

memory/1376-127-0x00007FF794FD0000-0x00007FF795321000-memory.dmp

memory/2032-126-0x00007FF62A7C0000-0x00007FF62AB11000-memory.dmp

C:\Windows\System\apaUoUf.exe

MD5 c0b14e2f413ee990974dc121db77ac88
SHA1 d130e3f5b8458e879eacf4af38673a93f32c8bfa
SHA256 76399fccd6faeb24769de880f302066bdaf2143880d7acea12e8d331bb88f577
SHA512 b1c4346d750e8b64d4c2fe544f5957fc7d34fd74970ce6a8b33033a1fb7b94068baf1ee2379ce0b351f0cad4f2407c517dde19d4f8141c1acf7bb08435a7fed1

memory/1432-121-0x00007FF721260000-0x00007FF7215B1000-memory.dmp

memory/3736-117-0x00007FF6BA840000-0x00007FF6BAB91000-memory.dmp

C:\Windows\System\dhJFyBV.exe

MD5 2ed8157a7c39e4bc21e94fec389a9b7c
SHA1 741eafc94f1e368c1b917fceb00e01f203b417a8
SHA256 dff811aac871acda7fce14634a1622751cf9700c3117d7591a75345e226bfa2d
SHA512 7a560c38bf35f941005d7472e1d7965b5db55f5e6c957fb6a9ba2f2abe3d91771a09cf7928c6200afeb9d8dfb41bd3844040b8c52dc97f958740ce072b458dfa

memory/3572-120-0x00007FF7E43A0000-0x00007FF7E46F1000-memory.dmp

memory/2984-105-0x00007FF6AE450000-0x00007FF6AE7A1000-memory.dmp

C:\Windows\System\cPGVsHb.exe

MD5 a689f9991acb25cc725587ca75f61aec
SHA1 0d1044a7364ba63d82f4ceb5b951a8dba859bdbd
SHA256 923914b3a70f6e9dd9748eb454cbb5f572874c978eec23b166c8ed93a343db8d
SHA512 16bf7e95618c59d0e3d7df68bd07b13ddf8ca072b35ceb86981fd1e358b23a61b941035d973a0e1138618ade5b30520276ff3b271d5609b534c6fa7d38793b2b

memory/812-98-0x00007FF7A4250000-0x00007FF7A45A1000-memory.dmp

C:\Windows\System\uBJCIar.exe

MD5 7b7edd81e7012ae57f62068f74464676
SHA1 480c38901d8346a39b82dbbfbd974d2763efda68
SHA256 746d225371594fa5d5d9e73b3b7f47d21982e6b488b74421b00549755c22f9d3
SHA512 e5cb98754cff915eec93528f012f6caeb0d104c3c95f9c2d4706cdba5fb23c4339cd54c0ece42d170acdf31311e28b9ed4339b7d7206a5c11a47467298e8c4e9

memory/3052-91-0x00007FF66A420000-0x00007FF66A771000-memory.dmp

C:\Windows\System\mbQjYeS.exe

MD5 be01081b3abf781341faa8dc02655a4e
SHA1 1afe4eb00fb92d3ec9ec6d819dcbb9a03a4028bc
SHA256 777a7ef2629d3dce42215522f5b2779a3b09760b5401b7cf55c4b6fe2e42e7ca
SHA512 0010a0394daf2e377450d152989337f4d45624b1c376d1ed48bfadf64cb7461aa023039a881fac4cf6f6c8ea36de7671f14ec55329850991534c554eafad02b7

memory/2816-80-0x00007FF7D24B0000-0x00007FF7D2801000-memory.dmp

memory/1628-76-0x00007FF658EF0000-0x00007FF659241000-memory.dmp

memory/3872-71-0x00007FF7157B0000-0x00007FF715B01000-memory.dmp

memory/2528-70-0x00007FF7E3C20000-0x00007FF7E3F71000-memory.dmp

C:\Windows\System\ggRpZPq.exe

MD5 c7bc7eb8d5784de2eb80faebe9349d8e
SHA1 d676dec04043d07446f85002fe26efd5d82f717d
SHA256 0afecd25b755c9bb89feaa625805abab3e10bc6547e54f6d19e5a7ec42a7f65b
SHA512 8ae28944cb9593358d0cd7b239322642fa2772c81c020a12116d28d1e91534be37078bd6bf0c0572ec4c7367a05b4806bec7574b39eeb30fd2940d25a71bbe57

memory/5108-64-0x00007FF73FC60000-0x00007FF73FFB1000-memory.dmp

memory/3976-59-0x00007FF658400000-0x00007FF658751000-memory.dmp

memory/1404-51-0x00007FF6ED2B0000-0x00007FF6ED601000-memory.dmp

C:\Windows\System\yIyPxzF.exe

MD5 26e61cbfeb1668e805882cc95ac9b464
SHA1 4ca1bb83f3ac7bb171eb09613c413527cdf833d0
SHA256 8cccac7e10efcdc1196383d3d3fdd44d0f334fddf6f74f0932fb230ae587760f
SHA512 27253a776aa4942b79e342581ec0af13811a48030726757adc2527b9c1687e9d137fa3bcb04f315c1574fa0c3e60312301e59d18cca85e77071e1306014105b5

memory/1888-38-0x00007FF7E4BA0000-0x00007FF7E4EF1000-memory.dmp

memory/1360-34-0x00007FF738340000-0x00007FF738691000-memory.dmp

memory/1168-31-0x00007FF6E10F0000-0x00007FF6E1441000-memory.dmp

memory/2984-22-0x00007FF6AE450000-0x00007FF6AE7A1000-memory.dmp

memory/1888-131-0x00007FF7E4BA0000-0x00007FF7E4EF1000-memory.dmp

memory/3872-132-0x00007FF7157B0000-0x00007FF715B01000-memory.dmp

memory/2528-143-0x00007FF7E3C20000-0x00007FF7E3F71000-memory.dmp

memory/3052-147-0x00007FF66A420000-0x00007FF66A771000-memory.dmp

memory/4852-145-0x00007FF6AF090000-0x00007FF6AF3E1000-memory.dmp

memory/812-148-0x00007FF7A4250000-0x00007FF7A45A1000-memory.dmp

memory/2988-146-0x00007FF786D50000-0x00007FF7870A1000-memory.dmp

memory/1628-144-0x00007FF658EF0000-0x00007FF659241000-memory.dmp

memory/5108-142-0x00007FF73FC60000-0x00007FF73FFB1000-memory.dmp

memory/3976-141-0x00007FF658400000-0x00007FF658751000-memory.dmp

memory/4372-140-0x00007FF6172E0000-0x00007FF617631000-memory.dmp

memory/1432-152-0x00007FF721260000-0x00007FF7215B1000-memory.dmp

memory/1376-153-0x00007FF794FD0000-0x00007FF795321000-memory.dmp

memory/3572-150-0x00007FF7E43A0000-0x00007FF7E46F1000-memory.dmp

memory/3872-154-0x00007FF7157B0000-0x00007FF715B01000-memory.dmp

memory/2816-203-0x00007FF7D24B0000-0x00007FF7D2801000-memory.dmp

memory/4252-205-0x00007FF730900000-0x00007FF730C51000-memory.dmp

memory/2984-207-0x00007FF6AE450000-0x00007FF6AE7A1000-memory.dmp

memory/1168-209-0x00007FF6E10F0000-0x00007FF6E1441000-memory.dmp

memory/1360-211-0x00007FF738340000-0x00007FF738691000-memory.dmp

memory/1404-215-0x00007FF6ED2B0000-0x00007FF6ED601000-memory.dmp

memory/1888-214-0x00007FF7E4BA0000-0x00007FF7E4EF1000-memory.dmp

memory/3976-218-0x00007FF658400000-0x00007FF658751000-memory.dmp

memory/4372-219-0x00007FF6172E0000-0x00007FF617631000-memory.dmp

memory/5108-221-0x00007FF73FC60000-0x00007FF73FFB1000-memory.dmp

memory/2528-223-0x00007FF7E3C20000-0x00007FF7E3F71000-memory.dmp

memory/4852-225-0x00007FF6AF090000-0x00007FF6AF3E1000-memory.dmp

memory/1628-227-0x00007FF658EF0000-0x00007FF659241000-memory.dmp

memory/2988-229-0x00007FF786D50000-0x00007FF7870A1000-memory.dmp

memory/3052-231-0x00007FF66A420000-0x00007FF66A771000-memory.dmp

memory/3736-235-0x00007FF6BA840000-0x00007FF6BAB91000-memory.dmp

memory/812-233-0x00007FF7A4250000-0x00007FF7A45A1000-memory.dmp

memory/2032-237-0x00007FF62A7C0000-0x00007FF62AB11000-memory.dmp

memory/3572-242-0x00007FF7E43A0000-0x00007FF7E46F1000-memory.dmp

memory/1432-244-0x00007FF721260000-0x00007FF7215B1000-memory.dmp

memory/1376-246-0x00007FF794FD0000-0x00007FF795321000-memory.dmp