Malware Analysis Report

2025-03-15 08:11

Sample ID 240529-xxbsysee9v
Target 2024-05-29_8ea5a5df1b891761afd3492604045726_cobalt-strike_cobaltstrike
SHA256 a31e6f960916f228578c969131c3e6b02c3ef93319df8f9d056bc00d3feec737
Tags
upx 0 miner cobaltstrike xmrig backdoor trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

a31e6f960916f228578c969131c3e6b02c3ef93319df8f9d056bc00d3feec737

Threat Level: Known bad

The file 2024-05-29_8ea5a5df1b891761afd3492604045726_cobalt-strike_cobaltstrike was found to be: Known bad.

Malicious Activity Summary

upx 0 miner cobaltstrike xmrig backdoor trojan

xmrig

Cobaltstrike

Cobalt Strike reflective loader

UPX dump on OEP (original entry point)

Xmrig family

XMRig Miner payload

Cobaltstrike family

Detects Reflective DLL injection artifacts

XMRig Miner payload

Detects Reflective DLL injection artifacts

UPX dump on OEP (original entry point)

Executes dropped EXE

UPX packed file

Loads dropped DLL

Drops file in Windows directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-05-29 19:13

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike family

cobaltstrike

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Xmrig family

xmrig

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-29 19:13

Reported

2024-05-29 19:16

Platform

win7-20240419-en

Max time kernel

144s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-05-29_8ea5a5df1b891761afd3492604045726_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_8ea5a5df1b891761afd3492604045726_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_8ea5a5df1b891761afd3492604045726_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_8ea5a5df1b891761afd3492604045726_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_8ea5a5df1b891761afd3492604045726_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_8ea5a5df1b891761afd3492604045726_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_8ea5a5df1b891761afd3492604045726_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_8ea5a5df1b891761afd3492604045726_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_8ea5a5df1b891761afd3492604045726_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_8ea5a5df1b891761afd3492604045726_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_8ea5a5df1b891761afd3492604045726_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_8ea5a5df1b891761afd3492604045726_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_8ea5a5df1b891761afd3492604045726_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_8ea5a5df1b891761afd3492604045726_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_8ea5a5df1b891761afd3492604045726_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_8ea5a5df1b891761afd3492604045726_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_8ea5a5df1b891761afd3492604045726_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_8ea5a5df1b891761afd3492604045726_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_8ea5a5df1b891761afd3492604045726_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_8ea5a5df1b891761afd3492604045726_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_8ea5a5df1b891761afd3492604045726_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_8ea5a5df1b891761afd3492604045726_cobalt-strike_cobaltstrike.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\dbBnTYb.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_8ea5a5df1b891761afd3492604045726_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\CwvXqCB.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_8ea5a5df1b891761afd3492604045726_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\AZJWuML.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_8ea5a5df1b891761afd3492604045726_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\pKNYenw.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_8ea5a5df1b891761afd3492604045726_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\fOyrXMf.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_8ea5a5df1b891761afd3492604045726_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\LIaAMTu.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_8ea5a5df1b891761afd3492604045726_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\oBHYyHG.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_8ea5a5df1b891761afd3492604045726_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ueidQnl.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_8ea5a5df1b891761afd3492604045726_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ZYlYTcg.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_8ea5a5df1b891761afd3492604045726_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\aRlgFON.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_8ea5a5df1b891761afd3492604045726_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\zeFBNHw.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_8ea5a5df1b891761afd3492604045726_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\qaDnzMp.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_8ea5a5df1b891761afd3492604045726_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\VKVPcSZ.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_8ea5a5df1b891761afd3492604045726_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\cEtqLun.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_8ea5a5df1b891761afd3492604045726_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\BvWdihE.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_8ea5a5df1b891761afd3492604045726_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ZxwTWuW.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_8ea5a5df1b891761afd3492604045726_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\YsPSorj.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_8ea5a5df1b891761afd3492604045726_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\yxapqKY.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_8ea5a5df1b891761afd3492604045726_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\oHFPZMH.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_8ea5a5df1b891761afd3492604045726_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\kZRiRVi.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_8ea5a5df1b891761afd3492604045726_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\mFzUZsO.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_8ea5a5df1b891761afd3492604045726_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_8ea5a5df1b891761afd3492604045726_cobalt-strike_cobaltstrike.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_8ea5a5df1b891761afd3492604045726_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2976 wrote to memory of 1656 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_8ea5a5df1b891761afd3492604045726_cobalt-strike_cobaltstrike.exe C:\Windows\System\BvWdihE.exe
PID 2976 wrote to memory of 1656 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_8ea5a5df1b891761afd3492604045726_cobalt-strike_cobaltstrike.exe C:\Windows\System\BvWdihE.exe
PID 2976 wrote to memory of 1656 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_8ea5a5df1b891761afd3492604045726_cobalt-strike_cobaltstrike.exe C:\Windows\System\BvWdihE.exe
PID 2976 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_8ea5a5df1b891761afd3492604045726_cobalt-strike_cobaltstrike.exe C:\Windows\System\ueidQnl.exe
PID 2976 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_8ea5a5df1b891761afd3492604045726_cobalt-strike_cobaltstrike.exe C:\Windows\System\ueidQnl.exe
PID 2976 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_8ea5a5df1b891761afd3492604045726_cobalt-strike_cobaltstrike.exe C:\Windows\System\ueidQnl.exe
PID 2976 wrote to memory of 2648 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_8ea5a5df1b891761afd3492604045726_cobalt-strike_cobaltstrike.exe C:\Windows\System\ZxwTWuW.exe
PID 2976 wrote to memory of 2648 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_8ea5a5df1b891761afd3492604045726_cobalt-strike_cobaltstrike.exe C:\Windows\System\ZxwTWuW.exe
PID 2976 wrote to memory of 2648 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_8ea5a5df1b891761afd3492604045726_cobalt-strike_cobaltstrike.exe C:\Windows\System\ZxwTWuW.exe
PID 2976 wrote to memory of 2740 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_8ea5a5df1b891761afd3492604045726_cobalt-strike_cobaltstrike.exe C:\Windows\System\YsPSorj.exe
PID 2976 wrote to memory of 2740 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_8ea5a5df1b891761afd3492604045726_cobalt-strike_cobaltstrike.exe C:\Windows\System\YsPSorj.exe
PID 2976 wrote to memory of 2740 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_8ea5a5df1b891761afd3492604045726_cobalt-strike_cobaltstrike.exe C:\Windows\System\YsPSorj.exe
PID 2976 wrote to memory of 2664 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_8ea5a5df1b891761afd3492604045726_cobalt-strike_cobaltstrike.exe C:\Windows\System\fOyrXMf.exe
PID 2976 wrote to memory of 2664 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_8ea5a5df1b891761afd3492604045726_cobalt-strike_cobaltstrike.exe C:\Windows\System\fOyrXMf.exe
PID 2976 wrote to memory of 2664 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_8ea5a5df1b891761afd3492604045726_cobalt-strike_cobaltstrike.exe C:\Windows\System\fOyrXMf.exe
PID 2976 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_8ea5a5df1b891761afd3492604045726_cobalt-strike_cobaltstrike.exe C:\Windows\System\ZYlYTcg.exe
PID 2976 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_8ea5a5df1b891761afd3492604045726_cobalt-strike_cobaltstrike.exe C:\Windows\System\ZYlYTcg.exe
PID 2976 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_8ea5a5df1b891761afd3492604045726_cobalt-strike_cobaltstrike.exe C:\Windows\System\ZYlYTcg.exe
PID 2976 wrote to memory of 2784 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_8ea5a5df1b891761afd3492604045726_cobalt-strike_cobaltstrike.exe C:\Windows\System\aRlgFON.exe
PID 2976 wrote to memory of 2784 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_8ea5a5df1b891761afd3492604045726_cobalt-strike_cobaltstrike.exe C:\Windows\System\aRlgFON.exe
PID 2976 wrote to memory of 2784 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_8ea5a5df1b891761afd3492604045726_cobalt-strike_cobaltstrike.exe C:\Windows\System\aRlgFON.exe
PID 2976 wrote to memory of 2552 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_8ea5a5df1b891761afd3492604045726_cobalt-strike_cobaltstrike.exe C:\Windows\System\LIaAMTu.exe
PID 2976 wrote to memory of 2552 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_8ea5a5df1b891761afd3492604045726_cobalt-strike_cobaltstrike.exe C:\Windows\System\LIaAMTu.exe
PID 2976 wrote to memory of 2552 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_8ea5a5df1b891761afd3492604045726_cobalt-strike_cobaltstrike.exe C:\Windows\System\LIaAMTu.exe
PID 2976 wrote to memory of 2540 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_8ea5a5df1b891761afd3492604045726_cobalt-strike_cobaltstrike.exe C:\Windows\System\dbBnTYb.exe
PID 2976 wrote to memory of 2540 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_8ea5a5df1b891761afd3492604045726_cobalt-strike_cobaltstrike.exe C:\Windows\System\dbBnTYb.exe
PID 2976 wrote to memory of 2540 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_8ea5a5df1b891761afd3492604045726_cobalt-strike_cobaltstrike.exe C:\Windows\System\dbBnTYb.exe
PID 2976 wrote to memory of 1252 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_8ea5a5df1b891761afd3492604045726_cobalt-strike_cobaltstrike.exe C:\Windows\System\yxapqKY.exe
PID 2976 wrote to memory of 1252 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_8ea5a5df1b891761afd3492604045726_cobalt-strike_cobaltstrike.exe C:\Windows\System\yxapqKY.exe
PID 2976 wrote to memory of 1252 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_8ea5a5df1b891761afd3492604045726_cobalt-strike_cobaltstrike.exe C:\Windows\System\yxapqKY.exe
PID 2976 wrote to memory of 2780 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_8ea5a5df1b891761afd3492604045726_cobalt-strike_cobaltstrike.exe C:\Windows\System\oHFPZMH.exe
PID 2976 wrote to memory of 2780 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_8ea5a5df1b891761afd3492604045726_cobalt-strike_cobaltstrike.exe C:\Windows\System\oHFPZMH.exe
PID 2976 wrote to memory of 2780 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_8ea5a5df1b891761afd3492604045726_cobalt-strike_cobaltstrike.exe C:\Windows\System\oHFPZMH.exe
PID 2976 wrote to memory of 2864 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_8ea5a5df1b891761afd3492604045726_cobalt-strike_cobaltstrike.exe C:\Windows\System\zeFBNHw.exe
PID 2976 wrote to memory of 2864 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_8ea5a5df1b891761afd3492604045726_cobalt-strike_cobaltstrike.exe C:\Windows\System\zeFBNHw.exe
PID 2976 wrote to memory of 2864 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_8ea5a5df1b891761afd3492604045726_cobalt-strike_cobaltstrike.exe C:\Windows\System\zeFBNHw.exe
PID 2976 wrote to memory of 2620 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_8ea5a5df1b891761afd3492604045726_cobalt-strike_cobaltstrike.exe C:\Windows\System\qaDnzMp.exe
PID 2976 wrote to memory of 2620 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_8ea5a5df1b891761afd3492604045726_cobalt-strike_cobaltstrike.exe C:\Windows\System\qaDnzMp.exe
PID 2976 wrote to memory of 2620 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_8ea5a5df1b891761afd3492604045726_cobalt-strike_cobaltstrike.exe C:\Windows\System\qaDnzMp.exe
PID 2976 wrote to memory of 792 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_8ea5a5df1b891761afd3492604045726_cobalt-strike_cobaltstrike.exe C:\Windows\System\VKVPcSZ.exe
PID 2976 wrote to memory of 792 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_8ea5a5df1b891761afd3492604045726_cobalt-strike_cobaltstrike.exe C:\Windows\System\VKVPcSZ.exe
PID 2976 wrote to memory of 792 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_8ea5a5df1b891761afd3492604045726_cobalt-strike_cobaltstrike.exe C:\Windows\System\VKVPcSZ.exe
PID 2976 wrote to memory of 1276 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_8ea5a5df1b891761afd3492604045726_cobalt-strike_cobaltstrike.exe C:\Windows\System\CwvXqCB.exe
PID 2976 wrote to memory of 1276 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_8ea5a5df1b891761afd3492604045726_cobalt-strike_cobaltstrike.exe C:\Windows\System\CwvXqCB.exe
PID 2976 wrote to memory of 1276 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_8ea5a5df1b891761afd3492604045726_cobalt-strike_cobaltstrike.exe C:\Windows\System\CwvXqCB.exe
PID 2976 wrote to memory of 788 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_8ea5a5df1b891761afd3492604045726_cobalt-strike_cobaltstrike.exe C:\Windows\System\AZJWuML.exe
PID 2976 wrote to memory of 788 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_8ea5a5df1b891761afd3492604045726_cobalt-strike_cobaltstrike.exe C:\Windows\System\AZJWuML.exe
PID 2976 wrote to memory of 788 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_8ea5a5df1b891761afd3492604045726_cobalt-strike_cobaltstrike.exe C:\Windows\System\AZJWuML.exe
PID 2976 wrote to memory of 1844 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_8ea5a5df1b891761afd3492604045726_cobalt-strike_cobaltstrike.exe C:\Windows\System\cEtqLun.exe
PID 2976 wrote to memory of 1844 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_8ea5a5df1b891761afd3492604045726_cobalt-strike_cobaltstrike.exe C:\Windows\System\cEtqLun.exe
PID 2976 wrote to memory of 1844 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_8ea5a5df1b891761afd3492604045726_cobalt-strike_cobaltstrike.exe C:\Windows\System\cEtqLun.exe
PID 2976 wrote to memory of 760 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_8ea5a5df1b891761afd3492604045726_cobalt-strike_cobaltstrike.exe C:\Windows\System\pKNYenw.exe
PID 2976 wrote to memory of 760 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_8ea5a5df1b891761afd3492604045726_cobalt-strike_cobaltstrike.exe C:\Windows\System\pKNYenw.exe
PID 2976 wrote to memory of 760 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_8ea5a5df1b891761afd3492604045726_cobalt-strike_cobaltstrike.exe C:\Windows\System\pKNYenw.exe
PID 2976 wrote to memory of 1604 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_8ea5a5df1b891761afd3492604045726_cobalt-strike_cobaltstrike.exe C:\Windows\System\oBHYyHG.exe
PID 2976 wrote to memory of 1604 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_8ea5a5df1b891761afd3492604045726_cobalt-strike_cobaltstrike.exe C:\Windows\System\oBHYyHG.exe
PID 2976 wrote to memory of 1604 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_8ea5a5df1b891761afd3492604045726_cobalt-strike_cobaltstrike.exe C:\Windows\System\oBHYyHG.exe
PID 2976 wrote to memory of 1416 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_8ea5a5df1b891761afd3492604045726_cobalt-strike_cobaltstrike.exe C:\Windows\System\kZRiRVi.exe
PID 2976 wrote to memory of 1416 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_8ea5a5df1b891761afd3492604045726_cobalt-strike_cobaltstrike.exe C:\Windows\System\kZRiRVi.exe
PID 2976 wrote to memory of 1416 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_8ea5a5df1b891761afd3492604045726_cobalt-strike_cobaltstrike.exe C:\Windows\System\kZRiRVi.exe
PID 2976 wrote to memory of 756 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_8ea5a5df1b891761afd3492604045726_cobalt-strike_cobaltstrike.exe C:\Windows\System\mFzUZsO.exe
PID 2976 wrote to memory of 756 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_8ea5a5df1b891761afd3492604045726_cobalt-strike_cobaltstrike.exe C:\Windows\System\mFzUZsO.exe
PID 2976 wrote to memory of 756 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_8ea5a5df1b891761afd3492604045726_cobalt-strike_cobaltstrike.exe C:\Windows\System\mFzUZsO.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-05-29_8ea5a5df1b891761afd3492604045726_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-05-29_8ea5a5df1b891761afd3492604045726_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\BvWdihE.exe

C:\Windows\System\BvWdihE.exe

C:\Windows\System\ueidQnl.exe

C:\Windows\System\ueidQnl.exe

C:\Windows\System\ZxwTWuW.exe

C:\Windows\System\ZxwTWuW.exe

C:\Windows\System\YsPSorj.exe

C:\Windows\System\YsPSorj.exe

C:\Windows\System\fOyrXMf.exe

C:\Windows\System\fOyrXMf.exe

C:\Windows\System\ZYlYTcg.exe

C:\Windows\System\ZYlYTcg.exe

C:\Windows\System\aRlgFON.exe

C:\Windows\System\aRlgFON.exe

C:\Windows\System\LIaAMTu.exe

C:\Windows\System\LIaAMTu.exe

C:\Windows\System\dbBnTYb.exe

C:\Windows\System\dbBnTYb.exe

C:\Windows\System\yxapqKY.exe

C:\Windows\System\yxapqKY.exe

C:\Windows\System\oHFPZMH.exe

C:\Windows\System\oHFPZMH.exe

C:\Windows\System\zeFBNHw.exe

C:\Windows\System\zeFBNHw.exe

C:\Windows\System\qaDnzMp.exe

C:\Windows\System\qaDnzMp.exe

C:\Windows\System\VKVPcSZ.exe

C:\Windows\System\VKVPcSZ.exe

C:\Windows\System\CwvXqCB.exe

C:\Windows\System\CwvXqCB.exe

C:\Windows\System\AZJWuML.exe

C:\Windows\System\AZJWuML.exe

C:\Windows\System\cEtqLun.exe

C:\Windows\System\cEtqLun.exe

C:\Windows\System\pKNYenw.exe

C:\Windows\System\pKNYenw.exe

C:\Windows\System\oBHYyHG.exe

C:\Windows\System\oBHYyHG.exe

C:\Windows\System\kZRiRVi.exe

C:\Windows\System\kZRiRVi.exe

C:\Windows\System\mFzUZsO.exe

C:\Windows\System\mFzUZsO.exe

Network

Country  Destination         Domain  Proto
DE       3.120.209.58:8080   N/A     tcp
DE       3.120.209.58:8080   N/A     tcp
DE       3.120.209.58:8080   N/A     tcp
DE       3.120.209.58:8080   N/A     tcp
DE       3.120.209.58:8080   N/A     tcp
DE       3.120.209.58:8080   N/A     tcp

Files

memory/2976-0-0x000000013FF20000-0x0000000140271000-memory.dmp

memory/2976-1-0x00000000000F0000-0x0000000000100000-memory.dmp

\Windows\system\BvWdihE.exe

MD5 26b5b9871e359895c99b2436e17de504
SHA1 336788a19b16d5dfd877325465dead1399a7b6d5
SHA256 d352d73fbe736ad85bb154c5cde59352ff77696ee96a937109c870375cc0545f
SHA512 f9f7b2cf99ad116d43e628fc33120a278357722b31ab3c91471bbef5838e3b277916f0489665ff0c8db7d06ef93fb19d904d4b1c63add45d21bc5178190f9ecb

memory/1656-8-0x000000013F680000-0x000000013F9D1000-memory.dmp

C:\Windows\system\ueidQnl.exe

MD5 b4aa0be30467a948c19b252179e77f0c
SHA1 fb841e74d3acceccc36078fdd4c2bcfee5ebbdb4
SHA256 aec672678b979839cb5f2de9901cb889d3b6500f8112159ae4f7f548f91a17ed
SHA512 144d913409cc7f4498a74a6ab14097bd04e2f04c458e7089ec3114a188ca1b24aa32921bee89a93cbf7086f6d03489f416dbe07fa9bc6bd74986a5ff1e3c84be

memory/2976-14-0x000000013F100000-0x000000013F451000-memory.dmp

C:\Windows\system\ZxwTWuW.exe

MD5 ec97579da2cead9678de7182839652f1
SHA1 47aa75257311f67245a232d51590d0fa529e16d2
SHA256 eeff442a114e96650dcf3bbe638c1932fb80e8093bb0c451aa111fde45ad82bb
SHA512 c247e7b1024699191372c61278e09d55bd24b3d3aac1ae5369a3fa485310ba419f90e2c1e9b174297e2572c10b1b0a9015c21c9b856a94c598aa880f9887223f

memory/2648-21-0x000000013F0E0000-0x000000013F431000-memory.dmp

C:\Windows\system\YsPSorj.exe

MD5 2f5583617c1445d828569ab67a10fcd8
SHA1 fedddfb07d6b39930d826a56569bd41fd6f57cbc
SHA256 da7955a7dd7aa090749ce74dedd3d55ce52c4c3a5b15da4c364b67030778573c
SHA512 4a16e48b3940ad6183110dacf581406d1eed80538e769406c858ca2240dc045337340365590a5dc1554a6f677ddec101444fb7b4cc48cbcf673674787b95fc7c

memory/2740-28-0x000000013F0F0000-0x000000013F441000-memory.dmp

memory/2976-26-0x000000013F0F0000-0x000000013F441000-memory.dmp

memory/2976-20-0x000000013F0E0000-0x000000013F431000-memory.dmp

memory/2808-15-0x000000013F100000-0x000000013F451000-memory.dmp

C:\Windows\system\ZYlYTcg.exe

MD5 656b12c62169556f5575ee65cb2b4f81
SHA1 2060f7dd9f0622ee4156ef673767bb81b1762acd
SHA256 c3361b61c55ffa695e1df0734e50e08a07859b07b6f53b2358dee50383000a31
SHA512 193acbc0c61c7f9f20f5c7466dac8646118dfed7a36d425b2b192593acd7bbf38bbaa9dfe7fddddd20862fb0e5cc0d676a659700a33602868398f088e7ace6e4

C:\Windows\system\dbBnTYb.exe

MD5 c1a10250220a2c70132b2498f047a4ab
SHA1 9b870f29e08cd29f863b13e79857591d4ff8b1bf
SHA256 6d3c1ae532cb8fe73630b6b650bd8298dd24f88a9bd0c3cc89d5cc859484a942
SHA512 d3a71530e800b854b30677279bdb860e9bcb422c84c8ef63cd6d38dfb8338c3081750d5af3802346921bda881ae6de094d616531385f901384756d9ebe8c4102

C:\Windows\system\LIaAMTu.exe

MD5 2c44afb24f357e48a97b6043c3705041
SHA1 3beeeaa0c4571c2713d991ecf1270b6a9633fdf2
SHA256 0244265bf71cec90192a849ef895802bc9ed9a2b19f52877c19d2fda811a7eb5
SHA512 6bc7182ff5ff7707000dfda055cd2cd9c45de0ffb9c318afbabbde8c94cb813a25f5cd1108392d10b9318d7e6b636dc0af933925022f6c36a4c791cd0ddc613d

C:\Windows\system\aRlgFON.exe

MD5 a70447b68f7bf20766c7bda329901761
SHA1 16a4f6a3b6bf91f3abe9e9fb0b8194257b60ddc9
SHA256 cb765b3ac5458640e4e73b097eacec8e9d06aa66e1d7db4445b14d0e360322b1
SHA512 6f592af70da0b6c184da38b1d7b7effe573796944f844285583fc847c57a3dbe224a68d44f6ab3c7fc2f32b66eea7acd7735ea618c41ea915e20da4e934f599a

memory/2540-64-0x000000013F030000-0x000000013F381000-memory.dmp

memory/2976-63-0x000000013F030000-0x000000013F381000-memory.dmp

memory/2552-62-0x000000013F0E0000-0x000000013F431000-memory.dmp

memory/2976-61-0x000000013F0E0000-0x000000013F431000-memory.dmp

memory/2784-60-0x000000013F730000-0x000000013FA81000-memory.dmp

memory/2976-58-0x000000013F730000-0x000000013FA81000-memory.dmp

memory/2804-57-0x000000013F360000-0x000000013F6B1000-memory.dmp

memory/2976-56-0x000000013F360000-0x000000013F6B1000-memory.dmp

memory/2664-54-0x000000013F920000-0x000000013FC71000-memory.dmp

memory/2976-53-0x000000013F920000-0x000000013FC71000-memory.dmp

C:\Windows\system\fOyrXMf.exe

MD5 c13879cde72f8855f80e590d4a94064f
SHA1 3b3f2be21a78932147b1d4625f6d73caa89b56dd
SHA256 a9ad9b3f800591e829aa804c86d737c3daca3ec39ff7c9719b6b868b078269b9
SHA512 41e1deb13766487d81b983fbc638137f781f2b4dea18bd646639c8ff06fd647c9604c59caf25bcf6aaf503a1bc6d35e6519f470fa2b231faa71e8da54f0a1d78

C:\Windows\system\yxapqKY.exe

MD5 99cbe63b53593238bae1d3ba63ba1101
SHA1 2c00402fe790c50cb96ada02727c8947cf56d511
SHA256 cab619bfbe35c31070f305e1c5c9922f3e53031e34f672ceb088b98c36af6d11
SHA512 7c08a3e621633e260bf5db0c5103062f49ea0839ccbe60b6477f2f9a47c3aba42a4a4dee6e4ee7496a5ff2c97e83fd1d3374a402e3f9c7d1d5be723cc2cdbf0a

\Windows\system\VKVPcSZ.exe

MD5 980a8ffd27ee9fbd06b56a1779fe727d
SHA1 bc3e44b761e0651284b0ae114014772299f85264
SHA256 58d702923b32586f3b9a2e247fbdf002b618279334b8ebeac193011553571299
SHA512 0cf87b8dd063793f0add035238a26c332d090ac33873529da560aa0bc011909082e3cf655a582a3b2e9102bae15b230ebf25b30c16939b1781239ccf4a2257b4

C:\Windows\system\AZJWuML.exe

MD5 e621b7e600f5c30a500af0f1fca67ef4
SHA1 b180e9f438baa6e04de8e7246ebdeadd86f0a596
SHA256 8ea275fb5f9facdb6da582d1620ea91cb23e0a4a32541d1cd6244015ecd53c90
SHA512 c5da3b0108aed70c425d79370e63ed0965acaaf211ff94de10df8fcb747039908c5c70cec5f57411cec6c1fa3ca71e175712eb090e8cb64a69fd5639a9727129

C:\Windows\system\oBHYyHG.exe

MD5 30f9d2d29153dd48f66c6b163daeb99c
SHA1 53a22911b487a7204d12e01d101763f438813562
SHA256 14b65af129b7bf5e855027713e1eab6eba03355008a2a528181d38d61a1db86c
SHA512 09bbe46f1acb77895642e14bfa02fd61991b1820748ce87b92691b7cf5a628d07ae29f741c0763b0f939ea92a51e8c5fa152a98d83fdb0b12a1ec3f92fe0903f

\Windows\system\mFzUZsO.exe

MD5 044fbe1835b9c469dad695f51e16d9d7
SHA1 38957319f790d17ab12408ffa6fe567e29e8d93a
SHA256 b59c1413ef4ec4748207a2792f29ffff4912527d4c0792bb5b84bce32503a57a
SHA512 c7e3681a81e977f349a9265f6bd22e3e8cfa7687cd4758cd7f0f3b34df31e99756ae4341badf8c0b327ca3725194bc3880316ba454296f2e1a034820b8555ccf

C:\Windows\system\kZRiRVi.exe

MD5 2811415cfea8454a0cbd8e6bdab27ecb
SHA1 d65b396facc61ba8212fa84bf0bb6094bc2a6dcc
SHA256 3e7ad48afac69b2e4eaee0f3d133dac580818a092f9f71a479b13e8d29b0aaa0
SHA512 777cd1ce13aa6927192dfda74912dda5350caa473fc6905516c2838816429a4582586ae040a3649036ca75aa26a992eac1d7462a01d8bc99bcff0e22fd60136f

C:\Windows\system\cEtqLun.exe

MD5 2ab409dc6abc71ec74ca53ece846cd96
SHA1 b2d89209aa2051c15be965063225fd859518ba61
SHA256 c4f0b477325d316ee4233f64bd54e8870c6d8cab549f4d14ca9c042122e5ddec
SHA512 180fc9d5871f0d236a433fa420d061d2d174a9d32f35b6bd457952fdcc19a9fc507f6504caae3ab88f43b91469d12c1dc2e6f4940a864381c43aef3736a879e3

C:\Windows\system\pKNYenw.exe

MD5 ad1a0b0e00c35c6b8da0b5c7056ba2fe
SHA1 c29fc9b71c72728f839c8c6fac29da8d133214c0
SHA256 f340346b7e05f8053453e59f3b4e907db6b49d4b005522715cc35d60ca347322
SHA512 3f77591afa121617da8a7130cb92bf310a06f0f6b2b64acb0a1d4817eb653fdc71ae194d7b519fe290e078637f81aa15e5a10ef99725a5f5f87740b548478930

C:\Windows\system\CwvXqCB.exe

MD5 9fd06a9b35154695fdfff3ceb7d2212a
SHA1 29b569de5069b841ae50ce2cbb038a8314df59c1
SHA256 be8537418cf7fda915a7bf149c4da34bb23753c6070699444b4128489e13a4e9
SHA512 1d6e2d106ca44db5345d515e026058cc053e6591ef49cf400819ba68af36f189dadaa1ca5b5021fc89109649e8608470c7ac6d20e0468c4eb65128ce6a48f04f

C:\Windows\system\qaDnzMp.exe

MD5 45489847445a233cf5b91ea2c752fe12
SHA1 71eff237865f16f211e4dd7a4e2c9a4bccf70af8
SHA256 128a97534a1251957e86547901a83fba87dac0d2f12f54bc469203adfe3e8788
SHA512 c3988c19f625361a93dbfce71f5baa144f4976d87be34b6072658f130aa02ebb07fc55533913809cae913b5e1201d45c14cdae79dcf73bcac1c6172f82c4b0c9

C:\Windows\system\zeFBNHw.exe

MD5 bc6a156cb64e80344aa55e581f7d03e1
SHA1 830f7f16329226dad20c3d83b7806de533ef34f6
SHA256 c8066300a7d7188445a17ad31156c2b3404428c349a8de816def0aa424cb66dc
SHA512 4e7b7bf53093a626fbd53b9dfe4fbb60cb3672b865943a187cf3824395ccb2c523d13d4f06471c1c0969bf5f20f3c539a412aab7719e8a0136d936010ce98ae3

C:\Windows\system\oHFPZMH.exe

MD5 c35c4a8fedf878a9545deb65e1530b9c
SHA1 93b5bdf5f73b80a5ff3429b3533dce55d2aef182
SHA256 c5dd22165d4ab980912a53b7c9d21048b95611ccf964093ee5c68e05bf7265d2
SHA512 884b973cff10ac32cdc5a2ac9bc4b4f465fb3ef5b646dddf131d9767a25f10a058de8f42dc313655819b489cd6fe239f57b5d95e03ccf6435066e6f74311326e

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-29 19:13

Reported

2024-05-29 19:16

Platform

win10v2004-20240426-en

Max time kernel

141s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-05-29_8ea5a5df1b891761afd3492604045726_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\dPLwJVQ.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_8ea5a5df1b891761afd3492604045726_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\KXjxzPB.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_8ea5a5df1b891761afd3492604045726_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\JxpjJoG.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_8ea5a5df1b891761afd3492604045726_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\sFzZhQS.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_8ea5a5df1b891761afd3492604045726_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\IpXynEh.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_8ea5a5df1b891761afd3492604045726_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\cpQMhBs.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_8ea5a5df1b891761afd3492604045726_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\sdgVuJl.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_8ea5a5df1b891761afd3492604045726_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\EfyIBAx.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_8ea5a5df1b891761afd3492604045726_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\zEAstpe.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_8ea5a5df1b891761afd3492604045726_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\rKzMNSn.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_8ea5a5df1b891761afd3492604045726_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\xyHjZDf.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_8ea5a5df1b891761afd3492604045726_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\xiTyTSj.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_8ea5a5df1b891761afd3492604045726_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\yXauqxo.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_8ea5a5df1b891761afd3492604045726_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\HNcdTWa.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_8ea5a5df1b891761afd3492604045726_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\GstcBTc.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_8ea5a5df1b891761afd3492604045726_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\vpvmsuh.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_8ea5a5df1b891761afd3492604045726_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\kCiQxEX.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_8ea5a5df1b891761afd3492604045726_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\XDtKHxd.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_8ea5a5df1b891761afd3492604045726_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\KTlgMHC.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_8ea5a5df1b891761afd3492604045726_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\mGsYmEJ.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_8ea5a5df1b891761afd3492604045726_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ZaHlpaY.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_8ea5a5df1b891761afd3492604045726_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_8ea5a5df1b891761afd3492604045726_cobalt-strike_cobaltstrike.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_8ea5a5df1b891761afd3492604045726_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3968 wrote to memory of 4744 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_8ea5a5df1b891761afd3492604045726_cobalt-strike_cobaltstrike.exe C:\Windows\System\EfyIBAx.exe
PID 3968 wrote to memory of 4744 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_8ea5a5df1b891761afd3492604045726_cobalt-strike_cobaltstrike.exe C:\Windows\System\EfyIBAx.exe
PID 3968 wrote to memory of 4552 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_8ea5a5df1b891761afd3492604045726_cobalt-strike_cobaltstrike.exe C:\Windows\System\HNcdTWa.exe
PID 3968 wrote to memory of 4552 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_8ea5a5df1b891761afd3492604045726_cobalt-strike_cobaltstrike.exe C:\Windows\System\HNcdTWa.exe
PID 3968 wrote to memory of 1636 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_8ea5a5df1b891761afd3492604045726_cobalt-strike_cobaltstrike.exe C:\Windows\System\IpXynEh.exe
PID 3968 wrote to memory of 1636 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_8ea5a5df1b891761afd3492604045726_cobalt-strike_cobaltstrike.exe C:\Windows\System\IpXynEh.exe
PID 3968 wrote to memory of 3340 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_8ea5a5df1b891761afd3492604045726_cobalt-strike_cobaltstrike.exe C:\Windows\System\GstcBTc.exe
PID 3968 wrote to memory of 3340 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_8ea5a5df1b891761afd3492604045726_cobalt-strike_cobaltstrike.exe C:\Windows\System\GstcBTc.exe
PID 3968 wrote to memory of 716 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_8ea5a5df1b891761afd3492604045726_cobalt-strike_cobaltstrike.exe C:\Windows\System\vpvmsuh.exe
PID 3968 wrote to memory of 716 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_8ea5a5df1b891761afd3492604045726_cobalt-strike_cobaltstrike.exe C:\Windows\System\vpvmsuh.exe
PID 3968 wrote to memory of 2176 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_8ea5a5df1b891761afd3492604045726_cobalt-strike_cobaltstrike.exe C:\Windows\System\cpQMhBs.exe
PID 3968 wrote to memory of 2176 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_8ea5a5df1b891761afd3492604045726_cobalt-strike_cobaltstrike.exe C:\Windows\System\cpQMhBs.exe
PID 3968 wrote to memory of 2500 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_8ea5a5df1b891761afd3492604045726_cobalt-strike_cobaltstrike.exe C:\Windows\System\kCiQxEX.exe
PID 3968 wrote to memory of 2500 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_8ea5a5df1b891761afd3492604045726_cobalt-strike_cobaltstrike.exe C:\Windows\System\kCiQxEX.exe
PID 3968 wrote to memory of 4356 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_8ea5a5df1b891761afd3492604045726_cobalt-strike_cobaltstrike.exe C:\Windows\System\dPLwJVQ.exe
PID 3968 wrote to memory of 4356 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_8ea5a5df1b891761afd3492604045726_cobalt-strike_cobaltstrike.exe C:\Windows\System\dPLwJVQ.exe
PID 3968 wrote to memory of 1148 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_8ea5a5df1b891761afd3492604045726_cobalt-strike_cobaltstrike.exe C:\Windows\System\XDtKHxd.exe
PID 3968 wrote to memory of 1148 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_8ea5a5df1b891761afd3492604045726_cobalt-strike_cobaltstrike.exe C:\Windows\System\XDtKHxd.exe
PID 3968 wrote to memory of 400 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_8ea5a5df1b891761afd3492604045726_cobalt-strike_cobaltstrike.exe C:\Windows\System\KXjxzPB.exe
PID 3968 wrote to memory of 400 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_8ea5a5df1b891761afd3492604045726_cobalt-strike_cobaltstrike.exe C:\Windows\System\KXjxzPB.exe
PID 3968 wrote to memory of 2096 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_8ea5a5df1b891761afd3492604045726_cobalt-strike_cobaltstrike.exe C:\Windows\System\KTlgMHC.exe
PID 3968 wrote to memory of 2096 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_8ea5a5df1b891761afd3492604045726_cobalt-strike_cobaltstrike.exe C:\Windows\System\KTlgMHC.exe
PID 3968 wrote to memory of 1616 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_8ea5a5df1b891761afd3492604045726_cobalt-strike_cobaltstrike.exe C:\Windows\System\zEAstpe.exe
PID 3968 wrote to memory of 1616 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_8ea5a5df1b891761afd3492604045726_cobalt-strike_cobaltstrike.exe C:\Windows\System\zEAstpe.exe
PID 3968 wrote to memory of 4808 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_8ea5a5df1b891761afd3492604045726_cobalt-strike_cobaltstrike.exe C:\Windows\System\xiTyTSj.exe
PID 3968 wrote to memory of 4808 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_8ea5a5df1b891761afd3492604045726_cobalt-strike_cobaltstrike.exe C:\Windows\System\xiTyTSj.exe
PID 3968 wrote to memory of 2448 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_8ea5a5df1b891761afd3492604045726_cobalt-strike_cobaltstrike.exe C:\Windows\System\yXauqxo.exe
PID 3968 wrote to memory of 2448 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_8ea5a5df1b891761afd3492604045726_cobalt-strike_cobaltstrike.exe C:\Windows\System\yXauqxo.exe
PID 3968 wrote to memory of 1360 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_8ea5a5df1b891761afd3492604045726_cobalt-strike_cobaltstrike.exe C:\Windows\System\sdgVuJl.exe
PID 3968 wrote to memory of 1360 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_8ea5a5df1b891761afd3492604045726_cobalt-strike_cobaltstrike.exe C:\Windows\System\sdgVuJl.exe
PID 3968 wrote to memory of 5104 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_8ea5a5df1b891761afd3492604045726_cobalt-strike_cobaltstrike.exe C:\Windows\System\JxpjJoG.exe
PID 3968 wrote to memory of 5104 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_8ea5a5df1b891761afd3492604045726_cobalt-strike_cobaltstrike.exe C:\Windows\System\JxpjJoG.exe
PID 3968 wrote to memory of 4296 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_8ea5a5df1b891761afd3492604045726_cobalt-strike_cobaltstrike.exe C:\Windows\System\sFzZhQS.exe
PID 3968 wrote to memory of 4296 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_8ea5a5df1b891761afd3492604045726_cobalt-strike_cobaltstrike.exe C:\Windows\System\sFzZhQS.exe
PID 3968 wrote to memory of 2436 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_8ea5a5df1b891761afd3492604045726_cobalt-strike_cobaltstrike.exe C:\Windows\System\mGsYmEJ.exe
PID 3968 wrote to memory of 2436 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_8ea5a5df1b891761afd3492604045726_cobalt-strike_cobaltstrike.exe C:\Windows\System\mGsYmEJ.exe
PID 3968 wrote to memory of 1624 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_8ea5a5df1b891761afd3492604045726_cobalt-strike_cobaltstrike.exe C:\Windows\System\ZaHlpaY.exe
PID 3968 wrote to memory of 1624 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_8ea5a5df1b891761afd3492604045726_cobalt-strike_cobaltstrike.exe C:\Windows\System\ZaHlpaY.exe
PID 3968 wrote to memory of 2488 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_8ea5a5df1b891761afd3492604045726_cobalt-strike_cobaltstrike.exe C:\Windows\System\rKzMNSn.exe
PID 3968 wrote to memory of 2488 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_8ea5a5df1b891761afd3492604045726_cobalt-strike_cobaltstrike.exe C:\Windows\System\rKzMNSn.exe
PID 3968 wrote to memory of 224 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_8ea5a5df1b891761afd3492604045726_cobalt-strike_cobaltstrike.exe C:\Windows\System\xyHjZDf.exe
PID 3968 wrote to memory of 224 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_8ea5a5df1b891761afd3492604045726_cobalt-strike_cobaltstrike.exe C:\Windows\System\xyHjZDf.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-05-29_8ea5a5df1b891761afd3492604045726_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-05-29_8ea5a5df1b891761afd3492604045726_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\EfyIBAx.exe

C:\Windows\System\EfyIBAx.exe

C:\Windows\System\HNcdTWa.exe

C:\Windows\System\HNcdTWa.exe

C:\Windows\System\IpXynEh.exe

C:\Windows\System\IpXynEh.exe

C:\Windows\System\GstcBTc.exe

C:\Windows\System\GstcBTc.exe

C:\Windows\System\vpvmsuh.exe

C:\Windows\System\vpvmsuh.exe

C:\Windows\System\cpQMhBs.exe

C:\Windows\System\cpQMhBs.exe

C:\Windows\System\kCiQxEX.exe

C:\Windows\System\kCiQxEX.exe

C:\Windows\System\dPLwJVQ.exe

C:\Windows\System\dPLwJVQ.exe

C:\Windows\System\XDtKHxd.exe

C:\Windows\System\XDtKHxd.exe

C:\Windows\System\KXjxzPB.exe

C:\Windows\System\KXjxzPB.exe

C:\Windows\System\KTlgMHC.exe

C:\Windows\System\KTlgMHC.exe

C:\Windows\System\zEAstpe.exe

C:\Windows\System\zEAstpe.exe

C:\Windows\System\xiTyTSj.exe

C:\Windows\System\xiTyTSj.exe

C:\Windows\System\yXauqxo.exe

C:\Windows\System\yXauqxo.exe

C:\Windows\System\sdgVuJl.exe

C:\Windows\System\sdgVuJl.exe

C:\Windows\System\JxpjJoG.exe

C:\Windows\System\JxpjJoG.exe

C:\Windows\System\sFzZhQS.exe

C:\Windows\System\sFzZhQS.exe

C:\Windows\System\mGsYmEJ.exe

C:\Windows\System\mGsYmEJ.exe

C:\Windows\System\ZaHlpaY.exe

C:\Windows\System\ZaHlpaY.exe

C:\Windows\System\rKzMNSn.exe

C:\Windows\System\rKzMNSn.exe

C:\Windows\System\xyHjZDf.exe

C:\Windows\System\xyHjZDf.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 151.133.100.95.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 163.126.19.2.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp

Files

C:\Windows\System\EfyIBAx.exe

MD5 48573d70f3a5ffa08b133989a82c75f6
SHA1 61e9b45dbf7b87cb13534766afc7fa5b94d21321
SHA256 6f6a785131dbe0f1f23a925804cd5f333472e0d16929fb3247d362e989592ead
SHA512 d69a124c8c0c3c396381544639c4b9484dd6e5e92dd0d7eb32da5b3d42ceb4a35c805fab89f1113486be50f0225ad1a45800ad2d50700873e259142174cf7e6f

C:\Windows\System\HNcdTWa.exe

MD5 354cf1fe2e182266fb11951799f65e14
SHA1 43f67f90223d708139ab17a6c0df549bd82f6257
SHA256 d990c8fe93bb75cc2c9f7b1ff424d7653e281b052616c7422df8f702ce83aff8
SHA512 9880622b50bf60fe30dd2ba04d8d548f068aa6f755eea807d821107fb069928cb058d6d40f725988cc8568899193855d62d649eb9375444fd02f54af56bf9c1c

C:\Windows\System\IpXynEh.exe

MD5 29082e1fc238a298e49046a4fcb86dd5
SHA1 8bc6c0122de1a8147594608499550068dd25a27a
SHA256 f844b0e9274a7fd9fc5bc0f2ed0d7e9e73a51e5c30394e29fceafb9121a33af7
SHA512 830a5f5ee3c3bdbb9607ec1d6eff54626df0cb3e02d6f5a0deb90225936d5a3919e64783fcbf3d367446de1a3c979886450198104d7b70d50ebd85cc8a555f03

C:\Windows\System\GstcBTc.exe

MD5 c6405e50eedd4d146f2e87622ee24e5e
SHA1 049ba33ce77eff12e08b5ffe35f632f5f14fe3b5
SHA256 5b9e0fd8a96b4eb73988439eecfaffc944ae055077945d0a00a14489ab9fca24
SHA512 6017cc445b8b21e7be91bc2395a78c028925f5f4bd11814f013b17e79bc6a31d103fa9d9b18be7b6da8ef137ea3f8cd6877f9bd3babedd92cdcdc18f9e290aca

C:\Windows\System\vpvmsuh.exe

MD5 9bf1674b0a9d87b73cd4e4b9a9d2d601
SHA1 64d401cd2759c7bdeb04f5f68dc72ba14c3fcb81
SHA256 3ee673f2b3df1ab3e4eb15f3572d52a7204c41e0860b39b68c11bf7e84caa193
SHA512 c72854f6b75b93a63cba965a019e99150ecf8451623faa2da7160d3a42961e90100fdc01533fb824601cd568add57ede5cd4ca48a9a47d5534a46bc2cc299c01

C:\Windows\System\cpQMhBs.exe

MD5 089df0051435fa7bf3a0df639a1312b9
SHA1 6763df5bf161fdd94740faf786789233b362e053
SHA256 02742d6ed106cb88c291b62f544ef0dff93031f33ed18db651adbeac72123600
SHA512 c62c7c4baa3b7b5f926738f75dec1829c96781790d7036f6f809bacaf6b7a11aa1b9f9226117387d178fd85683bfa3f69ae578fc7d8ac7d7aa43e75bcabcd5c7

C:\Windows\System\kCiQxEX.exe

MD5 0095fd13162ff2a9e2c9a8c5fde54521
SHA1 242fafe4427b422e5a7346ba3a22fca9bd497589
SHA256 6b5befb509d4b6124e85565524c8d27aaef429faab95b848adb78863b8a0f91e
SHA512 6583edf64ef6bddadb3c10dcb2f5b99f0e1626c06a257c9e618076c2c82306669e107aee3a0885cbd5688248c1a6f5ff74ca9c8234e288368286342ab4523ad9

C:\Windows\System\xiTyTSj.exe

MD5 a81aaecec24dd6f789b2810427488303
SHA1 3385d6bb57bcf48901dc38007a85c5035a4e1207
SHA256 b8090c5ae310ec100149b8ba15dd775bd2430314d6ec0c2d1a568b5db7b60084
SHA512 cf704e47518fda321fc8c860369a78685784c5d9afeb305d3095c31ea80c51da1348f02ba031bfe99a28194624e1ab5d7337e45289ccaac650d49803a2fdcdc3

C:\Windows\System\yXauqxo.exe

MD5 c1c82a237edfb43fca15ca9d46e4f447
SHA1 924430a5356de1a834407eefb2cefd67d247f9b0
SHA256 f15cee2ef8c94b16b4d2cbcc67eb6d17c8605e4aeb8bc01efd0ac1a649699b72
SHA512 18efd3f4f27fbe4d3a65c61f9b208f4ca2e702fccbaed8c187fd7990a556ff8145cc55b38aa34dc8a6fe7abe9fae91456946d0145986eabfe97f585be3b20dfd

C:\Windows\System\JxpjJoG.exe

MD5 4b41db534805d6427691cd503ca25257
SHA1 2d3ffd562d5a0b12c738ce85bdeb3b93537f7387
SHA256 62173e412a5cf5abb1ad6136518a04e4522a694fa27193766690f8d933353cef
SHA512 7565baa91bc2e014279aa3d3b765c6864ab821da9dba629510c51289860af73432d077bb600882618d4e2781c521c559076fad792053db5a9d6b2d2e3d736db4

C:\Windows\System\mGsYmEJ.exe

MD5 663dc9130aed7d5f0ec3ff638fcf88df
SHA1 0560ca5dd399eddd38566b70e228c0c4d30a4cc2
SHA256 45eca7f98589ddaba885402143a3a0bfb83f97bfde8afad1a773e7a0aaa5899c
SHA512 c6b48c90637508c74a39dc8ceac796687874c099ac02c73fe61e4a6defe3a61305566c6f81385b53565aec62ab163450d0900392eedae4fcf4215172eeb38b95

C:\Windows\System\rKzMNSn.exe

MD5 46cc25a61b4ee3051539bc13f251a492
SHA1 7678ca6c2d24b50f95641e07f1b18593f2ca4072
SHA256 88d4e0cfee1568310d35599c8329ecbd4fe20df45cdd50defca35a80d42f7272
SHA512 8cd0283062f7308eff47b361dbc277d2751e1fafb6f7f295ff485291d68d5509f0e1d1c93a8b3d1b3091b2be2b943da15d2bf7bf84b10a2f41e5f8847e07de6f

C:\Windows\System\xyHjZDf.exe

MD5 745403f0e0218b44a640930d96d2050a
SHA1 250f72aee2b17b0130917f110479a2a972de2502
SHA256 4ba2a99f3437fbf8fd0e45313eaa41887f18a1ae19f1e0d1dcb9347b7c20c274
SHA512 a43ea1bc76b843b3f27d630930efd5fffc9a2395c7861f565f44f5185d7ebc0e2c11a341291eec39e111578ced1321638806287f7424d0f638764fca26df720e

C:\Windows\System\ZaHlpaY.exe

MD5 4bf021db857b3eb08713c593ddb30d6d
SHA1 e9711c142d32015865a263a9645fb3a60e0554d0
SHA256 6ced2260d06f84fe74dd657846d0b10ff8b9648d31632a1012adbe368b3ea761
SHA512 3f5a8b542851c1f79f5a6066d593a7a399a3175b0e193b842ea9b80cc36729e0cdaeeb00aea5039de7e800a546536a4d3c2cdef670d0623a796ef47c86f61f4d

C:\Windows\System\sFzZhQS.exe

MD5 0d8e336d30dd5cb88a56683fed71a9c2
SHA1 534adeed634e0c6d8ab41346c9a346608786f671
SHA256 8c710019cbc0f6ee48c7a4d14e7962f4254041bd8906d520f56c04f9d723ff47
SHA512 7bf6dd6cab6c0a138d55b5fa2c92b437170467a4125637be7bfe44c50992db22543f6c0a5abfa692fe81afe243f1d57a67f244c1ae220c556a08a7ef032bf171

C:\Windows\System\sdgVuJl.exe

MD5 56345fc73ed4c798afdadd44663e5455
SHA1 f8f337dfc521bdf4d8ca7516b07904bef60e53af
SHA256 6eee89480e8c56c4f258d79ae958f58b70c9d26d4a99fe30fd28d378e2059ca0
SHA512 a95d4466f209574990e887d5076cb74f0c5eea8b75eaa97366f1d834f9fdb62131c4460617dbb992b00bafab5b0bcd2b89ef776c69a41b0827ad75df776ca990

C:\Windows\System\zEAstpe.exe

MD5 cc63e2363d654dfb3a4703c3e6a273d3
SHA1 de7eef1120489a593ee9d39feebd510ed1ff110b
SHA256 037c6ebd317f12af91897bee489922492e38b5b0690435fae8fb808c3f7d2c05
SHA512 09ba6d713b56336d2d925850d59a56a585e8453eb5a4f58825862fbae2fbaac6f515079db14b83a7313452bc422a6ded039a4c53b1ff15a0e28ac5fbfdd54298

C:\Windows\System\KTlgMHC.exe

MD5 cbcfeb2417d3edfe97d978c81480dbb6
SHA1 efa8b4ee560117ccb390e0bdbba402e8f400d73f
SHA256 62c79046a7a7d753b2701e625b6d61c95b22c6e088896069063922203263a932
SHA512 f26a1bd91e315d3add6fa60339c67f800b4388265b8cee4aa1a88c78fc34494dadcd3485e52c198881ed30e44b97423f5fdbcafc504907618099b6005cd6b7c2

C:\Windows\System\KXjxzPB.exe

MD5 6068364602d9ba621572f92918bb21d8
SHA1 7f8f45ce31e904ab826b4f3cc52173838fa710a5
SHA256 46c2448adaf081051e9ce4b6394f841bec0b1f2cff77bbf7c9fc78746915f8a6
SHA512 3e1931043eda482c98efe55aaf0fa55dec60f0245dd19242d3b9d37257a1fb70b6b43cd93b4282a83ae8ad45137f101b9dd782452fd7a73f0fb8fa7a879f1d4a

C:\Windows\System\XDtKHxd.exe

MD5 e8a2f18bf65b04d574aa6cf9d0fca142
SHA1 31fa975a4bd60ab9cd9623f4a8a9f6330bb7215d
SHA256 d0f6ae35f952c700bb4eeb72631b1e5083baa79952cbd14f87b1b6177ffc3e35
SHA512 950e40074a784bd81c119a1c3c36fff0c9f31a9933fd7771cb28cf2d7d0199f981f20d674a187bd1aa27a3a41cf6ce7e745c83f3b5b16fa7cdcb10c4fde338ad

C:\Windows\System\dPLwJVQ.exe

MD5 2328caeaabbccecdb9e682bc40ea7491
SHA1 3a25968a5eba555b9d5c1d4ec7a0a61cf34f0d6f
SHA256 28d2445edde920a23bf7eb6e725d3398716d463fe7821534cfbcc2c5f47e008e
SHA512 2f0d82e20d9fac620b6ba3d2893cf2bc6599794d7a244596272645df0e5fdacf388f406b958e349e0fc6b6d06cfaca5b78cc9b2ec2256906aa1da6d518da95f1
