Malware Analysis Report

2025-03-15 08:12

Sample ID 240529-xwkpgaee6s
Target 2024-05-29_ff49e3fd83ff3e08dd7b63877d754e33_cobalt-strike_cobaltstrike
SHA256 60656031502c4feeedcd375ac611cdad0c6dccd8c245a35efeef82a08d8860e5
Tags: cobaltstrike xmrig 0 backdoor miner trojan upx

Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256

60656031502c4feeedcd375ac611cdad0c6dccd8c245a35efeef82a08d8860e5

Threat Level: Known bad

The file 2024-05-29_ff49e3fd83ff3e08dd7b63877d754e33_cobalt-strike_cobaltstrike was found to be: Known bad.

Malicious Activity Summary

cobaltstrike xmrig 0 backdoor miner trojan upx

Cobaltstrike family

Detects Reflective DLL injection artifacts

XMRig Miner payload

Xmrig family

xmrig

Cobalt Strike reflective loader

Cobaltstrike

UPX dump on OEP (original entry point)

UPX packed file

Loads dropped DLL

Executes dropped EXE

Drops file in Windows directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-05-29 19:12

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike family

cobaltstrike

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

XMRig Miner payload

miner

Description Indicator Process Target
N/A N/A N/A N/A

Xmrig family

xmrig

UPX packed file

upx

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-29 19:12

Reported

2024-05-29 19:14

Platform

win7-20240221-en

Max time kernel

137s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-05-29_ff49e3fd83ff3e08dd7b63877d754e33_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A
(21 identical rows in the original listing; no description, indicator, process or target was recorded for any of them.)

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A
(21 identical rows in the original listing; no description, indicator, process or target was recorded for any of them.)

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A
(57 identical rows in the original listing; no description, indicator, process or target was recorded for any of them.)

XMRig Miner payload

miner

Description Indicator Process Target
N/A N/A N/A N/A
(60 identical rows in the original listing; no description, indicator, process or target was recorded for any of them.)

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_ff49e3fd83ff3e08dd7b63877d754e33_cobalt-strike_cobaltstrike.exe N/A
(21 identical rows in the original listing; every row names the submitted sample as the loading process, with no description, indicator or target recorded.)

UPX packed file

upx

Description Indicator Process Target
N/A N/A N/A N/A
(57 identical rows in the original listing; no description, indicator, process or target was recorded for any of them.)

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\OzRomeW.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_ff49e3fd83ff3e08dd7b63877d754e33_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\kZZsRnS.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_ff49e3fd83ff3e08dd7b63877d754e33_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\BxRIfXz.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_ff49e3fd83ff3e08dd7b63877d754e33_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\MjrUzNr.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_ff49e3fd83ff3e08dd7b63877d754e33_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\YxwRsqs.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_ff49e3fd83ff3e08dd7b63877d754e33_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\TTRSbes.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_ff49e3fd83ff3e08dd7b63877d754e33_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\GPoTZwZ.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_ff49e3fd83ff3e08dd7b63877d754e33_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\FdldROP.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_ff49e3fd83ff3e08dd7b63877d754e33_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ytCLAla.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_ff49e3fd83ff3e08dd7b63877d754e33_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\XrYASWo.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_ff49e3fd83ff3e08dd7b63877d754e33_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\lqOLpBZ.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_ff49e3fd83ff3e08dd7b63877d754e33_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\tAmUKhK.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_ff49e3fd83ff3e08dd7b63877d754e33_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\CdKMVAM.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_ff49e3fd83ff3e08dd7b63877d754e33_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\HcLDNVt.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_ff49e3fd83ff3e08dd7b63877d754e33_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\jHgbosR.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_ff49e3fd83ff3e08dd7b63877d754e33_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ebgLSRe.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_ff49e3fd83ff3e08dd7b63877d754e33_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\kRBfHhT.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_ff49e3fd83ff3e08dd7b63877d754e33_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\emRbESm.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_ff49e3fd83ff3e08dd7b63877d754e33_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\YfTsrgf.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_ff49e3fd83ff3e08dd7b63877d754e33_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\JHWveGt.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_ff49e3fd83ff3e08dd7b63877d754e33_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\DRYJXVf.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_ff49e3fd83ff3e08dd7b63877d754e33_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_ff49e3fd83ff3e08dd7b63877d754e33_cobalt-strike_cobaltstrike.exe N/A
(2 identical rows in the original listing.)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
(Each row below appeared three times in the original listing, 63 rows in total; one row is shown per target process.)
PID 1808 wrote to memory of 2256 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_ff49e3fd83ff3e08dd7b63877d754e33_cobalt-strike_cobaltstrike.exe C:\Windows\System\GPoTZwZ.exe
PID 1808 wrote to memory of 1112 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_ff49e3fd83ff3e08dd7b63877d754e33_cobalt-strike_cobaltstrike.exe C:\Windows\System\OzRomeW.exe
PID 1808 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_ff49e3fd83ff3e08dd7b63877d754e33_cobalt-strike_cobaltstrike.exe C:\Windows\System\FdldROP.exe
PID 1808 wrote to memory of 2640 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_ff49e3fd83ff3e08dd7b63877d754e33_cobalt-strike_cobaltstrike.exe C:\Windows\System\kZZsRnS.exe
PID 1808 wrote to memory of 2580 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_ff49e3fd83ff3e08dd7b63877d754e33_cobalt-strike_cobaltstrike.exe C:\Windows\System\ebgLSRe.exe
PID 1808 wrote to memory of 2552 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_ff49e3fd83ff3e08dd7b63877d754e33_cobalt-strike_cobaltstrike.exe C:\Windows\System\kRBfHhT.exe
PID 1808 wrote to memory of 2536 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_ff49e3fd83ff3e08dd7b63877d754e33_cobalt-strike_cobaltstrike.exe C:\Windows\System\emRbESm.exe
PID 1808 wrote to memory of 2428 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_ff49e3fd83ff3e08dd7b63877d754e33_cobalt-strike_cobaltstrike.exe C:\Windows\System\BxRIfXz.exe
PID 1808 wrote to memory of 2500 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_ff49e3fd83ff3e08dd7b63877d754e33_cobalt-strike_cobaltstrike.exe C:\Windows\System\ytCLAla.exe
PID 1808 wrote to memory of 1232 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_ff49e3fd83ff3e08dd7b63877d754e33_cobalt-strike_cobaltstrike.exe C:\Windows\System\YfTsrgf.exe
PID 1808 wrote to memory of 888 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_ff49e3fd83ff3e08dd7b63877d754e33_cobalt-strike_cobaltstrike.exe C:\Windows\System\JHWveGt.exe
PID 1808 wrote to memory of 1568 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_ff49e3fd83ff3e08dd7b63877d754e33_cobalt-strike_cobaltstrike.exe C:\Windows\System\MjrUzNr.exe
PID 1808 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_ff49e3fd83ff3e08dd7b63877d754e33_cobalt-strike_cobaltstrike.exe C:\Windows\System\DRYJXVf.exe
PID 1808 wrote to memory of 2160 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_ff49e3fd83ff3e08dd7b63877d754e33_cobalt-strike_cobaltstrike.exe C:\Windows\System\tAmUKhK.exe
PID 1808 wrote to memory of 2960 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_ff49e3fd83ff3e08dd7b63877d754e33_cobalt-strike_cobaltstrike.exe C:\Windows\System\XrYASWo.exe
PID 1808 wrote to memory of 2352 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_ff49e3fd83ff3e08dd7b63877d754e33_cobalt-strike_cobaltstrike.exe C:\Windows\System\CdKMVAM.exe
PID 1808 wrote to memory of 1952 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_ff49e3fd83ff3e08dd7b63877d754e33_cobalt-strike_cobaltstrike.exe C:\Windows\System\YxwRsqs.exe
PID 1808 wrote to memory of 1648 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_ff49e3fd83ff3e08dd7b63877d754e33_cobalt-strike_cobaltstrike.exe C:\Windows\System\TTRSbes.exe
PID 1808 wrote to memory of 1936 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_ff49e3fd83ff3e08dd7b63877d754e33_cobalt-strike_cobaltstrike.exe C:\Windows\System\HcLDNVt.exe
PID 1808 wrote to memory of 2168 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_ff49e3fd83ff3e08dd7b63877d754e33_cobalt-strike_cobaltstrike.exe C:\Windows\System\lqOLpBZ.exe
PID 1808 wrote to memory of 2324 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_ff49e3fd83ff3e08dd7b63877d754e33_cobalt-strike_cobaltstrike.exe C:\Windows\System\jHgbosR.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-05-29_ff49e3fd83ff3e08dd7b63877d754e33_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-05-29_ff49e3fd83ff3e08dd7b63877d754e33_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\GPoTZwZ.exe

C:\Windows\System\GPoTZwZ.exe

C:\Windows\System\OzRomeW.exe

C:\Windows\System\OzRomeW.exe

C:\Windows\System\FdldROP.exe

C:\Windows\System\FdldROP.exe

C:\Windows\System\kZZsRnS.exe

C:\Windows\System\kZZsRnS.exe

C:\Windows\System\ebgLSRe.exe

C:\Windows\System\ebgLSRe.exe

C:\Windows\System\kRBfHhT.exe

C:\Windows\System\kRBfHhT.exe

C:\Windows\System\emRbESm.exe

C:\Windows\System\emRbESm.exe

C:\Windows\System\BxRIfXz.exe

C:\Windows\System\BxRIfXz.exe

C:\Windows\System\ytCLAla.exe

C:\Windows\System\ytCLAla.exe

C:\Windows\System\YfTsrgf.exe

C:\Windows\System\YfTsrgf.exe

C:\Windows\System\JHWveGt.exe

C:\Windows\System\JHWveGt.exe

C:\Windows\System\MjrUzNr.exe

C:\Windows\System\MjrUzNr.exe

C:\Windows\System\DRYJXVf.exe

C:\Windows\System\DRYJXVf.exe

C:\Windows\System\tAmUKhK.exe

C:\Windows\System\tAmUKhK.exe

C:\Windows\System\XrYASWo.exe

C:\Windows\System\XrYASWo.exe

C:\Windows\System\CdKMVAM.exe

C:\Windows\System\CdKMVAM.exe

C:\Windows\System\YxwRsqs.exe

C:\Windows\System\YxwRsqs.exe

C:\Windows\System\TTRSbes.exe

C:\Windows\System\TTRSbes.exe

C:\Windows\System\HcLDNVt.exe

C:\Windows\System\HcLDNVt.exe

C:\Windows\System\lqOLpBZ.exe

C:\Windows\System\lqOLpBZ.exe

C:\Windows\System\jHgbosR.exe

C:\Windows\System\jHgbosR.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 tcp
(6 identical connection rows in the original listing; no domain was recorded for any of them.)

Files

memory/1808-0-0x000000013FEA0000-0x00000001401F4000-memory.dmp

memory/1808-1-0x0000000000080000-0x0000000000090000-memory.dmp

\Windows\system\GPoTZwZ.exe

MD5 c200ea265e277303742dd41a6ab45743
SHA1 c30320750b02187ccdba341b26810647a460cb92
SHA256 d3cce61f793417a1feefc0ddec91fea17d37c674fa1a9de28ab4d016b2e5206d
SHA512 dee0655b23b3e6c58b197d414876b0f39b7c802ecf32a2deed16623d398a6d88796ba76d241b25bde97824e2432a17b39e80f0d5cf559cd0ab6313e926447117

memory/2256-9-0x000000013F100000-0x000000013F454000-memory.dmp

memory/1808-8-0x000000013F100000-0x000000013F454000-memory.dmp

C:\Windows\system\OzRomeW.exe

MD5 380db07920cfb69bd37cc94581b6c8a3
SHA1 3305bb54e7bfeb4bea733a885b556427874d19ff
SHA256 bfe9455491209d22589b7a44de2893b82a19219b6378168ec5a3ba8137585651
SHA512 0142a73bf6d860d1fa1a98601a9139e7a193be32500367d0fd4f0169c06a247e37fc36b97adcb6f7e14851b8bdc76e313203c1477ef621fd9a5370bbde94ac76

memory/1112-14-0x000000013FCE0000-0x0000000140034000-memory.dmp

C:\Windows\system\FdldROP.exe

MD5 cd14a1a278013b2fb62e3ce49639545f
SHA1 f3b644815b92b688f9f78404d2f32da714922e05
SHA256 fd13f80b42254103fc9cc1be36c83abf27eef9e003355fdc8f58c38cddd77328
SHA512 ac143a55426e47e178430d759b1f418ff8fe5603e919e20506a09433971c59d64aab37623da01050eb22f76910226a6f875db6d9df1d7008e0080be8c7cc570f

C:\Windows\system\kZZsRnS.exe

MD5 d6bbc1dac5f9b8de213fb2904f18577d
SHA1 8716be35f68bd3345d151c541bc44c1aa6e949da
SHA256 87585fcd1e93e0a64d3e691b4696ad66d33d67167c11ba2fb112287cda34091f
SHA512 b92deaa70f08956114b0bd4551cf62803ffd4ed60048f74b08c235dbf3ae323ef813bf5a04c30f91c904eb2bfe628185fc64a4f82f2084852c6f309b10a12416

memory/1808-27-0x000000013FAC0000-0x000000013FE14000-memory.dmp

memory/2640-28-0x000000013FAC0000-0x000000013FE14000-memory.dmp

memory/2576-26-0x000000013FF00000-0x0000000140254000-memory.dmp

C:\Windows\system\ebgLSRe.exe

MD5 16ff9866bb4230c01d610ce84e46b8a5
SHA1 9f78a690c0144fac6660aaf1de9ae02a64142a1b
SHA256 d3946e477b88391271e36cda46c140087f16c9f79021db8294f7bb4f24bd0421
SHA512 7a24b789e3f27208d2679bd7d41cdf0a6134763b1babac8775234c391b2120fb7d2b2f89513d3b8032caf4953887c4b80e4c18d42abce790c0802e5ae26855d7

C:\Windows\system\kRBfHhT.exe

MD5 06e33224405ce8605bf64f2e679bb697
SHA1 72d4be68c3eb705f5abaff3b58d0bca758b46d12
SHA256 a14558806e1653a4915ebcfe779b804bdee45c5673b0690130e7e97abcc6a2bf
SHA512 c0c81f7b0758740d33e2d7bd91c6496a6a811fed21f522611d40600fe32c3cdf180cb1cd6580f9538a22caafb544aed57005b3e5d817149d6bd01bf7634d59d1

memory/1808-40-0x000000013F5C0000-0x000000013F914000-memory.dmp

memory/2552-42-0x000000013F5C0000-0x000000013F914000-memory.dmp

memory/2580-35-0x000000013F5C0000-0x000000013F914000-memory.dmp

memory/1808-34-0x000000013F5C0000-0x000000013F914000-memory.dmp

C:\Windows\system\emRbESm.exe

MD5 e265057478a7f7b35dd78ebc3a47ceaa
SHA1 a7d6500a9cb83f531aebc8a39187630d7cd22a12
SHA256 cd3c20e797f5b3deb0b42d315b7330004b9433ff8ba488d0f93f1855658a5a69
SHA512 b6fe635fc24c44a325c0ba2c1bd8e1d531fcaa0517e0c117cb4e7044507e93fe962f2493b530c7cc7d0fc7c5359f66ba41394acdf221079bd15549a590067e2d

memory/2536-48-0x000000013F1A0000-0x000000013F4F4000-memory.dmp

memory/1808-47-0x000000013F1A0000-0x000000013F4F4000-memory.dmp

\Windows\system\BxRIfXz.exe

MD5 fa97fe678a0e25a59f94d4ebc3c02b99
SHA1 2da139a12e328652825511894b0cfd59f716e0f1
SHA256 0b229033f6689c3f50214392457142d1ca8fa7348c128114c63333b89c829543
SHA512 0ffef361f53ad767b87ea64095d5fa636767e0e14c627aaf7c49c63a08a57877e78cc65c3c6f947815ff0723e3f83dc74e9e3ce93cd20aecb35954fac96294cc

memory/2428-56-0x000000013F890000-0x000000013FBE4000-memory.dmp

\Windows\system\ytCLAla.exe

MD5 91eb3e93720e193024ccd31c483bd1d9
SHA1 09ee8b8681ac82eadad6fbe62671d234843c2c29
SHA256 50004630db95e032e7cbde689b026ce4350f1d74a5a4284beba352d4d6f59ba5
SHA512 0248c586cb686fff8f992b09c9a8c4feba6eb2313b9b4268d92fcac9ef5fdee4884928e276ba695c059de318326b19e21306c6e09e2b0bd616f23c9e64b3324b

memory/1808-60-0x000000013FEA0000-0x00000001401F4000-memory.dmp

memory/2500-64-0x000000013F340000-0x000000013F694000-memory.dmp

memory/1808-63-0x000000013F340000-0x000000013F694000-memory.dmp

memory/1808-55-0x000000013F890000-0x000000013FBE4000-memory.dmp

C:\Windows\system\YfTsrgf.exe

MD5 f4a59af062573c3fd8cbb042ca90cdfb
SHA1 87ab5c93c3250c975342e94c506eb57f6df2b6a8
SHA256 875f449fe096ee8d947ca804a2729341f5c27b8187cf85efdfa3742602655851
SHA512 892e4d52c686d8d1adc7eec89211431cb6ded42a3437013f54ed387b759253139ae44d5f795df315266a668c0e8b932869836b6bca149f683fb105bcd1e07c1d

memory/1808-70-0x000000013F860000-0x000000013FBB4000-memory.dmp

memory/1232-71-0x000000013F860000-0x000000013FBB4000-memory.dmp

\Windows\system\JHWveGt.exe

MD5 e6f620fb3e944a925081d7165fd05a91
SHA1 7532830aebb190922e065fa62982df57b7b640ed
SHA256 367ea63f76e4da729fcf1ca9935845aacc2615afdfa827c669db1e15f1a497a3
SHA512 086d2f6786212d37a21d5a27a2ca2dc3eaeb94addad4a6820a1e57cb943f6da55661ba9610d9820a8fec50c70111dbd75752ce06855c297f9647cda64a1573bd

memory/1808-81-0x000000013F370000-0x000000013F6C4000-memory.dmp

memory/1112-78-0x000000013FCE0000-0x0000000140034000-memory.dmp

\Windows\system\MjrUzNr.exe

MD5 682b9184d5ee2ff0120a18e84cabb6c4
SHA1 f834055d1f9a71ded59136916415355931a32384
SHA256 d4417ca2304fe995818a37aa785b5c03b5c5d62b406f118f90e0bd953d55e4db
SHA512 93bcbec1cb17b7ce669eee207246044384de33373da0029fc171b6e30c26b7ed26e82b8102da99f8f282b927a12a78111b058aecf63c60a870076950156078ce

memory/2576-92-0x000000013FF00000-0x0000000140254000-memory.dmp

C:\Windows\system\DRYJXVf.exe

MD5 444fe516735e3a07d22a1cfa5c38842d
SHA1 980f0f770a845ad1d38e2a43f98e9b53aea97ab2
SHA256 25ee02b576153020e5a46e3c55ef5f478b26b38ffa65cae2898c95fb62cebf99
SHA512 1f1a27fc4880112b521c2087b0a86636091b386b3263e8126455e967bfa7287909b2f1de1d36d1197b86ef7f3c7b4fec69e5e14b6ec219dd504defb3b40e760a

memory/2492-94-0x000000013F930000-0x000000013FC84000-memory.dmp

memory/1808-90-0x000000013F930000-0x000000013FC84000-memory.dmp

C:\Windows\system\tAmUKhK.exe

MD5 d8096d49dd45b06cd973dcc01dea3643
SHA1 3fa6e7da62f386a2db0981bf608d999b30da0a30
SHA256 c6a62d760fe9a4ac3cabd7a54dbbb938a13a4a7290d3dcd8edd0cfd0c6439b39
SHA512 ad3d37d695b2948c59da755a757336f58974db2e92eb6a238893a0f2499c1b07b26e0d40150f025548c9be4ecd6df4e54dd287b18b1953a34ef63fc3393dcc71

\Windows\system\CdKMVAM.exe

MD5 cf7e65957db0f5c4d548f0cf1cb8f804
SHA1 c53ea581e25439b15c82b9b9df7744c11aae07c9
SHA256 3d28a380fb5a32849180541d96bfc2e34cdbb712f802b79353e4f5a19efe8578
SHA512 9f84376288651bdcc0bef5420b7c88608f48cb7ea21111222a980476cb7a9cf71b696344e2e5ec3e6f4ea8041a15194dcc7d370d6cf00a3ce697017914949fdf

C:\Windows\system\XrYASWo.exe

MD5 16f6d7e642750c32dd5a3d1584bee400
SHA1 434bc0114c1f349f9975fbf00bfb97e6af028f37
SHA256 e523d1c1aa920dd3b0a8324b5056e3a64c72fc2fefd477b330eccc1f735b4de2
SHA512 ac209d7871d20f5d8050c36f3f35147c86b4bf951b923791965b3abf2a7c96a51f266280758ba8097c6b1a2a9cd5fc9bda872a24d18d8e46df10a72ec29acde6

C:\Windows\system\lqOLpBZ.exe

MD5 0a4f618a0440795fdea56904ce85dd6f
SHA1 065585ea31c07de423c82af4ed112cedd925fb3a
SHA256 7208ef0fb1e60cbb11e29d08c60439c2b6936a55b31eaa8f8670d91ba3e38a55
SHA512 23bace17201bb084f42a8b3bb9f94e54c20c9ac7be129386868fc3f3e41ce49ea20387986eddfbeb2a477763b6afe365c3702ad29dfe5951528a2023efc544e0

\Windows\system\jHgbosR.exe

MD5 b3f347b285ae59e6195f4297680d9aae
SHA1 f300d097473437ce0d5b4d197a4f9dac50887adb
SHA256 c0d5855bb44f8f6c11d643feec2a78b424c060aeec8ae5136ec83f5f99748070
SHA512 bd54e66dc5fe3090a58c8c99ecd2327f01359c7489438e8ecabe73a9b75123abeb1d8d117c3012a02a8364d932c5177d800b6da460837c89d069e1bc7a280803

C:\Windows\system\HcLDNVt.exe

MD5 ffcad429098f9a28a9f298bb171d201d
SHA1 8ed5291d5e6972d9d882ee7821ff3e7bbe673e24
SHA256 1fd5e970bfbb817af6d224c9b377416d7570a2b70d3e49d8f5746573773d8371
SHA512 fa9826332cddb4885f75f562cc26a2978b7b9e2bcbd308d7f014f498372ea4a52e77b694c185903fa3016ddc7eef6e66370bd3195236232472554aa7d9098a8c

C:\Windows\system\TTRSbes.exe

MD5 9c78e335eee14f22cb224a9073c59e72
SHA1 212450672bbce09ac19aad30b06bd9324ae73719
SHA256 6586474d5d8ad14c4aa896b8a3de70367804ea0b64aa2a3cc4617d2e96b3bd7a
SHA512 10a2cf3bafcb3dcc626a565d05ed99e752b674cf8cb5844dea092b45d029eacd1fbee41c317f37dd7d1e8a5836296b76d80a41c277e07a4597bb4c9b8ade3746

C:\Windows\system\YxwRsqs.exe

MD5 0ff6a831f510b16bcb0de173469dfc6f
SHA1 e80d9f954f8d100d90a59ace14a0a1551f33e120
SHA256 0fb388b67e3f56bc43ac6eaf9ac35dfffd6220f69ee9da2da31186f901a3d027
SHA512 0f61928f1e47c328aaa0b12ff58a73401d5f3d5b34a9bd571090fbd7356800dbc860b06ca10f9e864234cf2ab122a441af5169925a332b70af0f9f1be993c05a

memory/2160-104-0x000000013F760000-0x000000013FAB4000-memory.dmp

memory/1808-111-0x000000013F840000-0x000000013FB94000-memory.dmp

memory/2552-109-0x000000013F5C0000-0x000000013F914000-memory.dmp

memory/1808-100-0x000000013F760000-0x000000013FAB4000-memory.dmp

memory/1808-89-0x000000013F6E0000-0x000000013FA34000-memory.dmp

memory/1568-85-0x000000013F6E0000-0x000000013FA34000-memory.dmp

memory/888-84-0x000000013F370000-0x000000013F6C4000-memory.dmp

memory/2536-138-0x000000013F1A0000-0x000000013F4F4000-memory.dmp

memory/1808-139-0x000000013F860000-0x000000013FBB4000-memory.dmp

memory/1808-140-0x000000013F370000-0x000000013F6C4000-memory.dmp

memory/1568-141-0x000000013F6E0000-0x000000013FA34000-memory.dmp

memory/1808-142-0x000000013F930000-0x000000013FC84000-memory.dmp

memory/2492-143-0x000000013F930000-0x000000013FC84000-memory.dmp

memory/1808-144-0x000000013F760000-0x000000013FAB4000-memory.dmp

memory/1808-145-0x000000013F840000-0x000000013FB94000-memory.dmp

memory/2256-146-0x000000013F100000-0x000000013F454000-memory.dmp

memory/2640-148-0x000000013FAC0000-0x000000013FE14000-memory.dmp

memory/2576-147-0x000000013FF00000-0x0000000140254000-memory.dmp

memory/1112-149-0x000000013FCE0000-0x0000000140034000-memory.dmp

memory/2580-150-0x000000013F5C0000-0x000000013F914000-memory.dmp

memory/2552-151-0x000000013F5C0000-0x000000013F914000-memory.dmp

memory/2536-152-0x000000013F1A0000-0x000000013F4F4000-memory.dmp

memory/2428-153-0x000000013F890000-0x000000013FBE4000-memory.dmp

memory/2500-154-0x000000013F340000-0x000000013F694000-memory.dmp

memory/1232-155-0x000000013F860000-0x000000013FBB4000-memory.dmp

memory/888-156-0x000000013F370000-0x000000013F6C4000-memory.dmp

memory/1568-157-0x000000013F6E0000-0x000000013FA34000-memory.dmp

memory/2492-158-0x000000013F930000-0x000000013FC84000-memory.dmp

memory/2160-159-0x000000013F760000-0x000000013FAB4000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-29 19:12

Reported

2024-05-29 19:14

Platform

win10v2004-20240508-en

Max time kernel

148s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-05-29_ff49e3fd83ff3e08dd7b63877d754e33_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\oPGExzn.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_ff49e3fd83ff3e08dd7b63877d754e33_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\oyBAOLX.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_ff49e3fd83ff3e08dd7b63877d754e33_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\WPApVkY.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_ff49e3fd83ff3e08dd7b63877d754e33_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\YQnSjvy.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_ff49e3fd83ff3e08dd7b63877d754e33_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\oVNIaZS.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_ff49e3fd83ff3e08dd7b63877d754e33_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\migTdPn.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_ff49e3fd83ff3e08dd7b63877d754e33_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\NGrzQMh.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_ff49e3fd83ff3e08dd7b63877d754e33_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\sJLPEwK.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_ff49e3fd83ff3e08dd7b63877d754e33_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\Aawpdxe.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_ff49e3fd83ff3e08dd7b63877d754e33_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\uAoqoDi.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_ff49e3fd83ff3e08dd7b63877d754e33_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\uCdGnqh.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_ff49e3fd83ff3e08dd7b63877d754e33_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\UMCEciV.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_ff49e3fd83ff3e08dd7b63877d754e33_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\KZDDmOM.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_ff49e3fd83ff3e08dd7b63877d754e33_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\sduagDc.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_ff49e3fd83ff3e08dd7b63877d754e33_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\sFcBskH.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_ff49e3fd83ff3e08dd7b63877d754e33_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\fTCTZBo.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_ff49e3fd83ff3e08dd7b63877d754e33_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\EJmCfoa.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_ff49e3fd83ff3e08dd7b63877d754e33_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\JZoVrbZ.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_ff49e3fd83ff3e08dd7b63877d754e33_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\JrIysXR.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_ff49e3fd83ff3e08dd7b63877d754e33_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\bqKwpGL.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_ff49e3fd83ff3e08dd7b63877d754e33_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\LJrQkjP.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_ff49e3fd83ff3e08dd7b63877d754e33_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_ff49e3fd83ff3e08dd7b63877d754e33_cobalt-strike_cobaltstrike.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_ff49e3fd83ff3e08dd7b63877d754e33_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 680 wrote to memory of 4256 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_ff49e3fd83ff3e08dd7b63877d754e33_cobalt-strike_cobaltstrike.exe C:\Windows\System\JrIysXR.exe
PID 680 wrote to memory of 4256 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_ff49e3fd83ff3e08dd7b63877d754e33_cobalt-strike_cobaltstrike.exe C:\Windows\System\JrIysXR.exe
PID 680 wrote to memory of 3324 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_ff49e3fd83ff3e08dd7b63877d754e33_cobalt-strike_cobaltstrike.exe C:\Windows\System\bqKwpGL.exe
PID 680 wrote to memory of 3324 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_ff49e3fd83ff3e08dd7b63877d754e33_cobalt-strike_cobaltstrike.exe C:\Windows\System\bqKwpGL.exe
PID 680 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_ff49e3fd83ff3e08dd7b63877d754e33_cobalt-strike_cobaltstrike.exe C:\Windows\System\oVNIaZS.exe
PID 680 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_ff49e3fd83ff3e08dd7b63877d754e33_cobalt-strike_cobaltstrike.exe C:\Windows\System\oVNIaZS.exe
PID 680 wrote to memory of 3232 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_ff49e3fd83ff3e08dd7b63877d754e33_cobalt-strike_cobaltstrike.exe C:\Windows\System\KZDDmOM.exe
PID 680 wrote to memory of 3232 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_ff49e3fd83ff3e08dd7b63877d754e33_cobalt-strike_cobaltstrike.exe C:\Windows\System\KZDDmOM.exe
PID 680 wrote to memory of 2376 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_ff49e3fd83ff3e08dd7b63877d754e33_cobalt-strike_cobaltstrike.exe C:\Windows\System\uCdGnqh.exe
PID 680 wrote to memory of 2376 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_ff49e3fd83ff3e08dd7b63877d754e33_cobalt-strike_cobaltstrike.exe C:\Windows\System\uCdGnqh.exe
PID 680 wrote to memory of 2236 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_ff49e3fd83ff3e08dd7b63877d754e33_cobalt-strike_cobaltstrike.exe C:\Windows\System\migTdPn.exe
PID 680 wrote to memory of 2236 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_ff49e3fd83ff3e08dd7b63877d754e33_cobalt-strike_cobaltstrike.exe C:\Windows\System\migTdPn.exe
PID 680 wrote to memory of 1968 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_ff49e3fd83ff3e08dd7b63877d754e33_cobalt-strike_cobaltstrike.exe C:\Windows\System\oPGExzn.exe
PID 680 wrote to memory of 1968 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_ff49e3fd83ff3e08dd7b63877d754e33_cobalt-strike_cobaltstrike.exe C:\Windows\System\oPGExzn.exe
PID 680 wrote to memory of 4684 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_ff49e3fd83ff3e08dd7b63877d754e33_cobalt-strike_cobaltstrike.exe C:\Windows\System\UMCEciV.exe
PID 680 wrote to memory of 4684 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_ff49e3fd83ff3e08dd7b63877d754e33_cobalt-strike_cobaltstrike.exe C:\Windows\System\UMCEciV.exe
PID 680 wrote to memory of 3272 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_ff49e3fd83ff3e08dd7b63877d754e33_cobalt-strike_cobaltstrike.exe C:\Windows\System\sduagDc.exe
PID 680 wrote to memory of 3272 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_ff49e3fd83ff3e08dd7b63877d754e33_cobalt-strike_cobaltstrike.exe C:\Windows\System\sduagDc.exe
PID 680 wrote to memory of 4792 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_ff49e3fd83ff3e08dd7b63877d754e33_cobalt-strike_cobaltstrike.exe C:\Windows\System\sFcBskH.exe
PID 680 wrote to memory of 4792 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_ff49e3fd83ff3e08dd7b63877d754e33_cobalt-strike_cobaltstrike.exe C:\Windows\System\sFcBskH.exe
PID 680 wrote to memory of 432 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_ff49e3fd83ff3e08dd7b63877d754e33_cobalt-strike_cobaltstrike.exe C:\Windows\System\fTCTZBo.exe
PID 680 wrote to memory of 432 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_ff49e3fd83ff3e08dd7b63877d754e33_cobalt-strike_cobaltstrike.exe C:\Windows\System\fTCTZBo.exe
PID 680 wrote to memory of 2364 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_ff49e3fd83ff3e08dd7b63877d754e33_cobalt-strike_cobaltstrike.exe C:\Windows\System\EJmCfoa.exe
PID 680 wrote to memory of 2364 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_ff49e3fd83ff3e08dd7b63877d754e33_cobalt-strike_cobaltstrike.exe C:\Windows\System\EJmCfoa.exe
PID 680 wrote to memory of 5012 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_ff49e3fd83ff3e08dd7b63877d754e33_cobalt-strike_cobaltstrike.exe C:\Windows\System\JZoVrbZ.exe
PID 680 wrote to memory of 5012 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_ff49e3fd83ff3e08dd7b63877d754e33_cobalt-strike_cobaltstrike.exe C:\Windows\System\JZoVrbZ.exe
PID 680 wrote to memory of 3928 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_ff49e3fd83ff3e08dd7b63877d754e33_cobalt-strike_cobaltstrike.exe C:\Windows\System\NGrzQMh.exe
PID 680 wrote to memory of 3928 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_ff49e3fd83ff3e08dd7b63877d754e33_cobalt-strike_cobaltstrike.exe C:\Windows\System\NGrzQMh.exe
PID 680 wrote to memory of 4064 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_ff49e3fd83ff3e08dd7b63877d754e33_cobalt-strike_cobaltstrike.exe C:\Windows\System\WPApVkY.exe
PID 680 wrote to memory of 4064 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_ff49e3fd83ff3e08dd7b63877d754e33_cobalt-strike_cobaltstrike.exe C:\Windows\System\WPApVkY.exe
PID 680 wrote to memory of 3880 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_ff49e3fd83ff3e08dd7b63877d754e33_cobalt-strike_cobaltstrike.exe C:\Windows\System\LJrQkjP.exe
PID 680 wrote to memory of 3880 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_ff49e3fd83ff3e08dd7b63877d754e33_cobalt-strike_cobaltstrike.exe C:\Windows\System\LJrQkjP.exe
PID 680 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_ff49e3fd83ff3e08dd7b63877d754e33_cobalt-strike_cobaltstrike.exe C:\Windows\System\oyBAOLX.exe
PID 680 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_ff49e3fd83ff3e08dd7b63877d754e33_cobalt-strike_cobaltstrike.exe C:\Windows\System\oyBAOLX.exe
PID 680 wrote to memory of 4368 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_ff49e3fd83ff3e08dd7b63877d754e33_cobalt-strike_cobaltstrike.exe C:\Windows\System\YQnSjvy.exe
PID 680 wrote to memory of 4368 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_ff49e3fd83ff3e08dd7b63877d754e33_cobalt-strike_cobaltstrike.exe C:\Windows\System\YQnSjvy.exe
PID 680 wrote to memory of 3868 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_ff49e3fd83ff3e08dd7b63877d754e33_cobalt-strike_cobaltstrike.exe C:\Windows\System\sJLPEwK.exe
PID 680 wrote to memory of 3868 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_ff49e3fd83ff3e08dd7b63877d754e33_cobalt-strike_cobaltstrike.exe C:\Windows\System\sJLPEwK.exe
PID 680 wrote to memory of 2988 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_ff49e3fd83ff3e08dd7b63877d754e33_cobalt-strike_cobaltstrike.exe C:\Windows\System\Aawpdxe.exe
PID 680 wrote to memory of 2988 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_ff49e3fd83ff3e08dd7b63877d754e33_cobalt-strike_cobaltstrike.exe C:\Windows\System\Aawpdxe.exe
PID 680 wrote to memory of 2960 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_ff49e3fd83ff3e08dd7b63877d754e33_cobalt-strike_cobaltstrike.exe C:\Windows\System\uAoqoDi.exe
PID 680 wrote to memory of 2960 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_ff49e3fd83ff3e08dd7b63877d754e33_cobalt-strike_cobaltstrike.exe C:\Windows\System\uAoqoDi.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-05-29_ff49e3fd83ff3e08dd7b63877d754e33_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-05-29_ff49e3fd83ff3e08dd7b63877d754e33_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\JrIysXR.exe

C:\Windows\System\JrIysXR.exe

C:\Windows\System\bqKwpGL.exe

C:\Windows\System\bqKwpGL.exe

C:\Windows\System\oVNIaZS.exe

C:\Windows\System\oVNIaZS.exe

C:\Windows\System\KZDDmOM.exe

C:\Windows\System\KZDDmOM.exe

C:\Windows\System\uCdGnqh.exe

C:\Windows\System\uCdGnqh.exe

C:\Windows\System\migTdPn.exe

C:\Windows\System\migTdPn.exe

C:\Windows\System\oPGExzn.exe

C:\Windows\System\oPGExzn.exe

C:\Windows\System\UMCEciV.exe

C:\Windows\System\UMCEciV.exe

C:\Windows\System\sduagDc.exe

C:\Windows\System\sduagDc.exe

C:\Windows\System\sFcBskH.exe

C:\Windows\System\sFcBskH.exe

C:\Windows\System\fTCTZBo.exe

C:\Windows\System\fTCTZBo.exe

C:\Windows\System\EJmCfoa.exe

C:\Windows\System\EJmCfoa.exe

C:\Windows\System\JZoVrbZ.exe

C:\Windows\System\JZoVrbZ.exe

C:\Windows\System\NGrzQMh.exe

C:\Windows\System\NGrzQMh.exe

C:\Windows\System\WPApVkY.exe

C:\Windows\System\WPApVkY.exe

C:\Windows\System\LJrQkjP.exe

C:\Windows\System\LJrQkjP.exe

C:\Windows\System\oyBAOLX.exe

C:\Windows\System\oyBAOLX.exe

C:\Windows\System\YQnSjvy.exe

C:\Windows\System\YQnSjvy.exe

C:\Windows\System\sJLPEwK.exe

C:\Windows\System\sJLPEwK.exe

C:\Windows\System\Aawpdxe.exe

C:\Windows\System\Aawpdxe.exe

C:\Windows\System\uAoqoDi.exe

C:\Windows\System\uAoqoDi.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 73.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 156.133.100.95.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 137.126.19.2.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 145.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 175.117.168.52.in-addr.arpa udp

Files

memory/680-0-0x00007FF6EA390000-0x00007FF6EA6E4000-memory.dmp

memory/680-1-0x00000245E5840000-0x00000245E5850000-memory.dmp

C:\Windows\System\JrIysXR.exe

MD5 ed6a7e51ecb631c754dcb964320ca463
SHA1 cc628f5109514c9b8fd9a28ee7de527fd5842a3b
SHA256 b52036f5c1c999d48be7040335f3b8ebd8846d9254a48417d5fa04555e472014
SHA512 3348752b1ba795e73b5d13deaf1cf585e41d07a2fcb885a919dac230ef7701a5918b24b95b21a99400f0dcd24fe6ca79235c1f744bcc43c1c6b7facff8ae8e4d

C:\Windows\System\bqKwpGL.exe

MD5 2272b0ae1a2094663fc78a2c36749afa
SHA1 2d974d3d44c695507cdebd3071cfe9f664de2242
SHA256 358c21447dc9ca6a749052b78e6bf712015164a48b619380ac8045a521ae20d3
SHA512 e1ad7a7cf14e0d9519a414db626dc8d4c69fdc9a9854e412f9d68090ea803992ad0013f1e72beb24a7758f0841dee67d669038ed3daa68e88725e1778d0e28bc

memory/4256-11-0x00007FF632460000-0x00007FF6327B4000-memory.dmp

C:\Windows\System\oVNIaZS.exe

MD5 2782128d1fea03269402f1e52b14d78c
SHA1 ca027b7f199c0ea8bb7a65f33df7fa01c5979db6
SHA256 8fee02373d81536a3196622d2f9f800e8e64f0f366951caaae6728adfa259163
SHA512 7759219e932c5f351bdb5458c303fb3c43cdfce684a27fd050dfa003db3ba83a48a14153548f6ad726da18025aafaf2f70bac7ef9331b3e9dbd555695fd94c8e

C:\Windows\System\KZDDmOM.exe

MD5 d8b478c8c16c45d21315751706fab285
SHA1 fb2cb769dcb2bd831a0ca13aeac6d0314274c169
SHA256 d62611452cecb1d51092c3478dab659d2e723c9453641938cafb4252dbfd132b
SHA512 de71181aa5d23bbbcb605c55bf2e28eed00d9988f8e52899fd2a067ee3295ce5c87e13db26f6ff3934a2d4757e4ceb91bb93c9641b6b36a18a917d092ab5b4a6

C:\Windows\System\UMCEciV.exe

MD5 4e23209b6f525d461622ed3869d19caf
SHA1 64164f9b5602f543cd1f1e4cca9a924022050b72
SHA256 86d17e25f5598b103415cb36b07d6ce4808ed139d5f879fa03b830aeb204e4f8
SHA512 d18edf24e5b6c96c6af2c9b04537dbff046c5668ad53dea9633e59c46c82bf3850d2e548eedffd2cfe84ce5a5ad9a423ae8d546a1aa9aabc1a9c526beb37825c

C:\Windows\System\oPGExzn.exe

MD5 db0450d3ee74cc1d849ada87e70360cf
SHA1 baff138558fa066a659c095aa19dd6df8d248ae8
SHA256 cc345f3e5c047736cb948936ed9d65337d81ddc5ad34a5c741622037536e5f32
SHA512 1f162c9eb879b76b7fdb425f824c69179c919bc8b4471c84b98a41ef34cd6203c33451c3e56519fc2e34d576459b563ef9117d620e74dfed44977770db3cd722

C:\Windows\System\sFcBskH.exe

MD5 7a0860b0fae17248543abd137af4bc46
SHA1 5221577629113d42b28d4fdac062da58812fc533
SHA256 b949da3146bc3ceaba1ca4568070cbd940d9ccdd697e986b37bfe2fe20daf62e
SHA512 2e3f94864bb5dcd98bfbbb2467438b320e88b29ff90b7d5739fb6d664be2ff71ead3f7292569d5cd0972c19f88cf54b5b057b1d3e916516e06d0eaaf187a82b4

C:\Windows\System\NGrzQMh.exe

MD5 5fe0e146d4139862fd46efdf8586d546
SHA1 aadeba824b2a4ae4455d171bd6b118d3a2707e98
SHA256 20637d7a50702b8e9b3c5713b243e14bcf38b2bfdef2a335dbd22f671caa9353
SHA512 7f4de776e8360b5fc00bec13d2a36dbc772b35af17692593f33c7a6257994cb135be3c4d3f2dfe3f9aa5ffa75c3426461d76645004ca8db90ce8afd88ffdf246

memory/432-81-0x00007FF738AD0000-0x00007FF738E24000-memory.dmp

memory/2364-87-0x00007FF727B40000-0x00007FF727E94000-memory.dmp

memory/4064-91-0x00007FF7A2320000-0x00007FF7A2674000-memory.dmp

memory/5012-90-0x00007FF665D60000-0x00007FF6660B4000-memory.dmp

C:\Windows\System\WPApVkY.exe

MD5 0264f71b176a3d493865ccb5d0329bc9
SHA1 5ce17ff137fcda70511ed4a2a39ae96fb1d467f0
SHA256 0ae82ea35b9d5e447cc3bbc6ab9799eb72c94253f2ff52611442ea53b23e80e8
SHA512 c4d26c5620c3bf115b27c87ed6a80d81f26a6d268aca146d116a7e298b89db11f706cb848b53e470d653c647a9c7a38b031afa4ce91f1ec23c338d7f8f0acc8f

C:\Windows\System\JZoVrbZ.exe

MD5 4f5b835e578363e224c767164d330dc1
SHA1 2205b348880e62e43faa1528cabb9dd499c04e36
SHA256 728d36e6188839a91d797b3a640b764bef3605e9304c674d12f4279c88ac2dd0
SHA512 a8e51793e7b231b26fdb0533f2a66be279f9906cc1bb74ee3714ed300ff6a76ef6e61b51d789715164d33aa73eda6c3b894ac84deb1754bf1d9e0aa57158da00

memory/3928-82-0x00007FF672490000-0x00007FF6727E4000-memory.dmp

C:\Windows\System\fTCTZBo.exe

MD5 ee015bdb8d4317a225e9b67874b62bc1
SHA1 6c673a61bf4b0035024455fe1ff0e85ccc6646be
SHA256 dcbf417196cc92f62d08eaff6363ca2b2a256ad8d35f7c1fa35a8eb5812d5ac2
SHA512 a9dc792e54d880e5a0a302a8864413fccf8199f2123219cf68f821ad46fceb330b3193621d89aa72e806c1ec33a82f44ebe83c503149496e4ab1fa45b9bb2b47

C:\Windows\System\EJmCfoa.exe

MD5 5a54533c21b69e493e7569ed0319d175
SHA1 344c185e724826fef107f0cbf7f62dfb7dedae8b
SHA256 05d0290313333fa8a36e5537cdefac97d9a1ea53884fb9ea031762b0b2dd6de2
SHA512 ea930e4219ef7156a33b021d5b9388a9fcb0ee6b76eb863f35d82944538c619d4b360c5417942e8c7d960148ba915ee954da9d0636f14c91a0cc12556cf2b982

memory/4792-75-0x00007FF756B20000-0x00007FF756E74000-memory.dmp

memory/2236-69-0x00007FF60C6F0000-0x00007FF60CA44000-memory.dmp

C:\Windows\System\sduagDc.exe

MD5 6bf00e20dd0e9dfb143b618ebe110ecf
SHA1 f03794ed28d5cc24603e553de5ae398005694860
SHA256 a7fcb5e150112d6c30bece0d9eab065491948dd6c8f164eb5fd6cc11dcf64c85
SHA512 70e08c58d2f28a3edace63ae26d298471d1dc9a762f7749046561a6b85c3cb0b11871058c304d4de327613047b9a11b3f5944e4b3830441a8be965b5959e64c3

C:\Windows\System\migTdPn.exe

MD5 50189b91c5dc8f2422421b3daf0de381
SHA1 75c110d4fb74fafdef43825598c772b0672b86e3
SHA256 83acf065be083efff06654d64497d25e51b26371abb4d6fd4ef61672b914ee6a
SHA512 6f23c5a74065ffd19c968dc3177a166e9b220c5af426fde62b5033ae0c6219cc698412722352cbfa61d3c12194b8673a93dfb8edb9c91eff9d7ab5264d867923

memory/3272-51-0x00007FF737310000-0x00007FF737664000-memory.dmp

memory/4684-48-0x00007FF64AB90000-0x00007FF64AEE4000-memory.dmp

memory/1968-46-0x00007FF753C10000-0x00007FF753F64000-memory.dmp

C:\Windows\System\uCdGnqh.exe

MD5 dd6d7330b9237e0b8c74574a5a9a2d64
SHA1 d0709ce2192fb9b3fcff083910bacf0130b9474f
SHA256 ef24defb15798a2f2bd5bca3d1a7ed7c719a457bea9968e8acaa0d2706047356
SHA512 88779d64eb2fa933c60bb343b0b5215eb5ea715db263ea007191a8954345defd1312d5c93d8467a6953b99eb360c2429e61c9bc784f055014e030f034a0cf30d

memory/2376-35-0x00007FF6BDCE0000-0x00007FF6BE034000-memory.dmp

memory/3232-26-0x00007FF738AD0000-0x00007FF738E24000-memory.dmp

memory/2576-23-0x00007FF7692A0000-0x00007FF7695F4000-memory.dmp

memory/3324-15-0x00007FF6ED360000-0x00007FF6ED6B4000-memory.dmp

C:\Windows\System\LJrQkjP.exe

MD5 f830b06e839d5125f3763045192ddf09
SHA1 e594b0b7f0c620f6fc41a5514a263719b726b13d
SHA256 214e4169b13545467c6c82c7cd2d814ab5a58ec4da322917ac926a33a1b6b360
SHA512 c9ca609b04db5c6e02d7c3dc018d2ad53e51276f9bf0f5245633ad52592b2e5fa45182406f3d54e3ac88958fb32c502ef1b06cc44a3341d364da30507ffe20b5

C:\Windows\System\oyBAOLX.exe

MD5 4320c78dd59b557ea4ff24e68b2b0167
SHA1 932a6637b03c158fc5e0a5c62bd0b52f7ee11981
SHA256 9698cb3f82b8e66beccfc2d22bb85875b160b010e7bc495d88a9a1609e02f50b
SHA512 ff791e15a013b1470c97c56d234925e0fdb10cb88b90d049c2ce584d1ba95cddfd41337d044810e5001ee293ccfa01aee31c76617c420f9071a777e25e0f6403

C:\Windows\System\sJLPEwK.exe

MD5 5d32f6a8545db3df7a37df0d3f1a16c4
SHA1 b2eda805b2f89499afdbb974cd034e0e2497b335
SHA256 46ca1902ba8ce1e9c4757762416dec1841de4d892e6480c361f445d844e755a8
SHA512 b18652193d64d79b3b8fa30a00d6b22dba3c0250f07baac049155055b190e6fb8a92bdd04596470d9fde8d0af3b5f9365f8c6cd43a66eec3a89cafe86f1b8418

memory/2600-112-0x00007FF70E6E0000-0x00007FF70EA34000-memory.dmp

C:\Windows\System\YQnSjvy.exe

MD5 58aab2ca284dab165cbd528a2a8debd3
SHA1 8e0568949ccf775d3319a8568d6f1758b6773721
SHA256 f29b59d2c62f3aeb5c01bc1d16d449bbcc62359bf0533fa6ddcfefa7795bf5e5
SHA512 65501573c41521ac8587d1199d7fe50e72b88b47f06d40f9b73c3d2f4218ccd4597f463d4b154c04b2db7223537d3b50862a0c550957cce7e0271fb5a7e376ad

C:\Windows\System\Aawpdxe.exe

MD5 572c66fa45805a73896e72b693b5a7a8
SHA1 333f8bf6e71c7e8e9923c5033664e5cfa85bbc04
SHA256 d0e056a57278918147fe67ed48d28cc0868681d0655b93ffcaf79276a952d101
SHA512 1a53d8f0761f18b9ba0e6bf4d8d17784cdd9571cef1dff3264fa11cef8185a371f7d66eacdcfe59e73b1828f9da8769114718e41fdacaad8df7c09e4874299f1

C:\Windows\System\uAoqoDi.exe

MD5 b99c7556630e688f12c8f7f737e3f730
SHA1 df3585ebb245cec5c1d680f33fc26e0c52372dff
SHA256 8be43e6a01bb39f2845704c9ec0c442ac38926d5e09d0a64e3574cc1893be021
SHA512 dfc807b609bba7ab1540eeee91f7799459ad1c4c946d7de8cc3fe828730a87efa13c35daf375bf01884c35cc0a58e78f350bf3ddef56ee9ee5b8414767179565

memory/2960-128-0x00007FF789910000-0x00007FF789C64000-memory.dmp

memory/3324-127-0x00007FF6ED360000-0x00007FF6ED6B4000-memory.dmp

memory/2988-125-0x00007FF614670000-0x00007FF6149C4000-memory.dmp

memory/4368-123-0x00007FF69FF00000-0x00007FF6A0254000-memory.dmp

memory/3868-120-0x00007FF78B280000-0x00007FF78B5D4000-memory.dmp

memory/4256-118-0x00007FF632460000-0x00007FF6327B4000-memory.dmp

memory/680-117-0x00007FF6EA390000-0x00007FF6EA6E4000-memory.dmp

memory/3880-100-0x00007FF627720000-0x00007FF627A74000-memory.dmp

memory/3232-131-0x00007FF738AD0000-0x00007FF738E24000-memory.dmp

memory/2376-132-0x00007FF6BDCE0000-0x00007FF6BE034000-memory.dmp

memory/1968-133-0x00007FF753C10000-0x00007FF753F64000-memory.dmp

memory/3272-134-0x00007FF737310000-0x00007FF737664000-memory.dmp

memory/4684-135-0x00007FF64AB90000-0x00007FF64AEE4000-memory.dmp

memory/4792-136-0x00007FF756B20000-0x00007FF756E74000-memory.dmp

memory/432-137-0x00007FF738AD0000-0x00007FF738E24000-memory.dmp

memory/3928-138-0x00007FF672490000-0x00007FF6727E4000-memory.dmp

memory/2960-139-0x00007FF789910000-0x00007FF789C64000-memory.dmp

memory/4256-140-0x00007FF632460000-0x00007FF6327B4000-memory.dmp

memory/2576-141-0x00007FF7692A0000-0x00007FF7695F4000-memory.dmp

memory/3324-142-0x00007FF6ED360000-0x00007FF6ED6B4000-memory.dmp

memory/3232-143-0x00007FF738AD0000-0x00007FF738E24000-memory.dmp

memory/1968-144-0x00007FF753C10000-0x00007FF753F64000-memory.dmp

memory/2376-145-0x00007FF6BDCE0000-0x00007FF6BE034000-memory.dmp

memory/2236-146-0x00007FF60C6F0000-0x00007FF60CA44000-memory.dmp

memory/3272-147-0x00007FF737310000-0x00007FF737664000-memory.dmp

memory/4684-148-0x00007FF64AB90000-0x00007FF64AEE4000-memory.dmp

memory/2364-149-0x00007FF727B40000-0x00007FF727E94000-memory.dmp

memory/4792-150-0x00007FF756B20000-0x00007FF756E74000-memory.dmp

memory/432-151-0x00007FF738AD0000-0x00007FF738E24000-memory.dmp

memory/3928-152-0x00007FF672490000-0x00007FF6727E4000-memory.dmp

memory/5012-154-0x00007FF665D60000-0x00007FF6660B4000-memory.dmp

memory/4064-153-0x00007FF7A2320000-0x00007FF7A2674000-memory.dmp

memory/3880-155-0x00007FF627720000-0x00007FF627A74000-memory.dmp

memory/2600-156-0x00007FF70E6E0000-0x00007FF70EA34000-memory.dmp

memory/4368-158-0x00007FF69FF00000-0x00007FF6A0254000-memory.dmp

memory/3868-157-0x00007FF78B280000-0x00007FF78B5D4000-memory.dmp

memory/2960-159-0x00007FF789910000-0x00007FF789C64000-memory.dmp

memory/2988-160-0x00007FF614670000-0x00007FF6149C4000-memory.dmp