Malware Analysis Report

2025-03-15 08:11

Sample ID 240529-zj8xmsab42
Target 2024-05-29_1d8f35be68791c0bac8fadb309353e63_cobalt-strike_cobaltstrike
SHA256 1aa8b57da2a6a4bbdd6dcaaf1f3eb358046bcb27da475e4a1dac513ae096c078
Tags
upx 0 miner cobaltstrike xmrig backdoor trojan
score
10/10

Analysis Overview

score
10/10

SHA256

1aa8b57da2a6a4bbdd6dcaaf1f3eb358046bcb27da475e4a1dac513ae096c078

Threat Level: Known bad

The file 2024-05-29_1d8f35be68791c0bac8fadb309353e63_cobalt-strike_cobaltstrike was found to be: Known bad.

Malicious Activity Summary

Cobalt Strike reflective loader

XMRig Miner payload

Xmrig family

Cobaltstrike

xmrig

Detects Reflective DLL injection artifacts

UPX dump on OEP (original entry point)

Cobaltstrike family

Executes dropped EXE

Loads dropped DLL

UPX packed file

Drops file in Windows directory

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-05-29 20:46

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike family

cobaltstrike

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Xmrig family

xmrig

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-29 20:45

Reported

2024-05-29 20:48

Platform

win7-20240221-en

Max time kernel

141s

Max time network

146s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-05-29_1d8f35be68791c0bac8fadb309353e63_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A
(21 matches, all without recorded details)

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A
(21 matches, all without recorded details)

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A
(64 matches, all without recorded details)

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
(45 matches, all without recorded details)

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_1d8f35be68791c0bac8fadb309353e63_cobalt-strike_cobaltstrike.exe N/A
(21 identical matches for this process; no indicator or target recorded)

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
(64 matches, all without recorded details)

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\kTqVaZP.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_1d8f35be68791c0bac8fadb309353e63_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\rkFgYLg.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_1d8f35be68791c0bac8fadb309353e63_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ulwFruR.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_1d8f35be68791c0bac8fadb309353e63_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\RbCAmnD.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_1d8f35be68791c0bac8fadb309353e63_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\bbslQCI.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_1d8f35be68791c0bac8fadb309353e63_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\GrhYwwZ.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_1d8f35be68791c0bac8fadb309353e63_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\PEFsJCB.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_1d8f35be68791c0bac8fadb309353e63_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\jWEysbB.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_1d8f35be68791c0bac8fadb309353e63_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\qGqPKDw.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_1d8f35be68791c0bac8fadb309353e63_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\FRvSJQt.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_1d8f35be68791c0bac8fadb309353e63_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\fPlKHhT.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_1d8f35be68791c0bac8fadb309353e63_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\hEzHtQP.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_1d8f35be68791c0bac8fadb309353e63_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ieUQYdq.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_1d8f35be68791c0bac8fadb309353e63_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\LcAeCIS.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_1d8f35be68791c0bac8fadb309353e63_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\GerMiTp.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_1d8f35be68791c0bac8fadb309353e63_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\PWBQaiY.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_1d8f35be68791c0bac8fadb309353e63_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ckAgqrE.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_1d8f35be68791c0bac8fadb309353e63_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\buaTQQS.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_1d8f35be68791c0bac8fadb309353e63_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\orzWCnv.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_1d8f35be68791c0bac8fadb309353e63_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\kXFEGdd.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_1d8f35be68791c0bac8fadb309353e63_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\depYSMP.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_1d8f35be68791c0bac8fadb309353e63_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_1d8f35be68791c0bac8fadb309353e63_cobalt-strike_cobaltstrike.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_1d8f35be68791c0bac8fadb309353e63_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2104 wrote to memory of 1280 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_1d8f35be68791c0bac8fadb309353e63_cobalt-strike_cobaltstrike.exe C:\Windows\System\depYSMP.exe
PID 2104 wrote to memory of 1280 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_1d8f35be68791c0bac8fadb309353e63_cobalt-strike_cobaltstrike.exe C:\Windows\System\depYSMP.exe
PID 2104 wrote to memory of 1280 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_1d8f35be68791c0bac8fadb309353e63_cobalt-strike_cobaltstrike.exe C:\Windows\System\depYSMP.exe
PID 2104 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_1d8f35be68791c0bac8fadb309353e63_cobalt-strike_cobaltstrike.exe C:\Windows\System\PWBQaiY.exe
PID 2104 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_1d8f35be68791c0bac8fadb309353e63_cobalt-strike_cobaltstrike.exe C:\Windows\System\PWBQaiY.exe
PID 2104 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_1d8f35be68791c0bac8fadb309353e63_cobalt-strike_cobaltstrike.exe C:\Windows\System\PWBQaiY.exe
PID 2104 wrote to memory of 2072 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_1d8f35be68791c0bac8fadb309353e63_cobalt-strike_cobaltstrike.exe C:\Windows\System\FRvSJQt.exe
PID 2104 wrote to memory of 2072 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_1d8f35be68791c0bac8fadb309353e63_cobalt-strike_cobaltstrike.exe C:\Windows\System\FRvSJQt.exe
PID 2104 wrote to memory of 2072 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_1d8f35be68791c0bac8fadb309353e63_cobalt-strike_cobaltstrike.exe C:\Windows\System\FRvSJQt.exe
PID 2104 wrote to memory of 2568 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_1d8f35be68791c0bac8fadb309353e63_cobalt-strike_cobaltstrike.exe C:\Windows\System\bbslQCI.exe
PID 2104 wrote to memory of 2568 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_1d8f35be68791c0bac8fadb309353e63_cobalt-strike_cobaltstrike.exe C:\Windows\System\bbslQCI.exe
PID 2104 wrote to memory of 2568 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_1d8f35be68791c0bac8fadb309353e63_cobalt-strike_cobaltstrike.exe C:\Windows\System\bbslQCI.exe
PID 2104 wrote to memory of 2852 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_1d8f35be68791c0bac8fadb309353e63_cobalt-strike_cobaltstrike.exe C:\Windows\System\RbCAmnD.exe
PID 2104 wrote to memory of 2852 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_1d8f35be68791c0bac8fadb309353e63_cobalt-strike_cobaltstrike.exe C:\Windows\System\RbCAmnD.exe
PID 2104 wrote to memory of 2852 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_1d8f35be68791c0bac8fadb309353e63_cobalt-strike_cobaltstrike.exe C:\Windows\System\RbCAmnD.exe
PID 2104 wrote to memory of 2728 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_1d8f35be68791c0bac8fadb309353e63_cobalt-strike_cobaltstrike.exe C:\Windows\System\kTqVaZP.exe
PID 2104 wrote to memory of 2728 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_1d8f35be68791c0bac8fadb309353e63_cobalt-strike_cobaltstrike.exe C:\Windows\System\kTqVaZP.exe
PID 2104 wrote to memory of 2728 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_1d8f35be68791c0bac8fadb309353e63_cobalt-strike_cobaltstrike.exe C:\Windows\System\kTqVaZP.exe
PID 2104 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_1d8f35be68791c0bac8fadb309353e63_cobalt-strike_cobaltstrike.exe C:\Windows\System\GrhYwwZ.exe
PID 2104 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_1d8f35be68791c0bac8fadb309353e63_cobalt-strike_cobaltstrike.exe C:\Windows\System\GrhYwwZ.exe
PID 2104 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_1d8f35be68791c0bac8fadb309353e63_cobalt-strike_cobaltstrike.exe C:\Windows\System\GrhYwwZ.exe
PID 2104 wrote to memory of 1860 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_1d8f35be68791c0bac8fadb309353e63_cobalt-strike_cobaltstrike.exe C:\Windows\System\GerMiTp.exe
PID 2104 wrote to memory of 1860 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_1d8f35be68791c0bac8fadb309353e63_cobalt-strike_cobaltstrike.exe C:\Windows\System\GerMiTp.exe
PID 2104 wrote to memory of 1860 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_1d8f35be68791c0bac8fadb309353e63_cobalt-strike_cobaltstrike.exe C:\Windows\System\GerMiTp.exe
PID 2104 wrote to memory of 2432 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_1d8f35be68791c0bac8fadb309353e63_cobalt-strike_cobaltstrike.exe C:\Windows\System\PEFsJCB.exe
PID 2104 wrote to memory of 2432 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_1d8f35be68791c0bac8fadb309353e63_cobalt-strike_cobaltstrike.exe C:\Windows\System\PEFsJCB.exe
PID 2104 wrote to memory of 2432 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_1d8f35be68791c0bac8fadb309353e63_cobalt-strike_cobaltstrike.exe C:\Windows\System\PEFsJCB.exe
PID 2104 wrote to memory of 1032 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_1d8f35be68791c0bac8fadb309353e63_cobalt-strike_cobaltstrike.exe C:\Windows\System\rkFgYLg.exe
PID 2104 wrote to memory of 1032 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_1d8f35be68791c0bac8fadb309353e63_cobalt-strike_cobaltstrike.exe C:\Windows\System\rkFgYLg.exe
PID 2104 wrote to memory of 1032 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_1d8f35be68791c0bac8fadb309353e63_cobalt-strike_cobaltstrike.exe C:\Windows\System\rkFgYLg.exe
PID 2104 wrote to memory of 2060 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_1d8f35be68791c0bac8fadb309353e63_cobalt-strike_cobaltstrike.exe C:\Windows\System\jWEysbB.exe
PID 2104 wrote to memory of 2060 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_1d8f35be68791c0bac8fadb309353e63_cobalt-strike_cobaltstrike.exe C:\Windows\System\jWEysbB.exe
PID 2104 wrote to memory of 2060 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_1d8f35be68791c0bac8fadb309353e63_cobalt-strike_cobaltstrike.exe C:\Windows\System\jWEysbB.exe
PID 2104 wrote to memory of 808 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_1d8f35be68791c0bac8fadb309353e63_cobalt-strike_cobaltstrike.exe C:\Windows\System\fPlKHhT.exe
PID 2104 wrote to memory of 808 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_1d8f35be68791c0bac8fadb309353e63_cobalt-strike_cobaltstrike.exe C:\Windows\System\fPlKHhT.exe
PID 2104 wrote to memory of 808 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_1d8f35be68791c0bac8fadb309353e63_cobalt-strike_cobaltstrike.exe C:\Windows\System\fPlKHhT.exe
PID 2104 wrote to memory of 2932 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_1d8f35be68791c0bac8fadb309353e63_cobalt-strike_cobaltstrike.exe C:\Windows\System\ckAgqrE.exe
PID 2104 wrote to memory of 2932 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_1d8f35be68791c0bac8fadb309353e63_cobalt-strike_cobaltstrike.exe C:\Windows\System\ckAgqrE.exe
PID 2104 wrote to memory of 2932 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_1d8f35be68791c0bac8fadb309353e63_cobalt-strike_cobaltstrike.exe C:\Windows\System\ckAgqrE.exe
PID 2104 wrote to memory of 2984 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_1d8f35be68791c0bac8fadb309353e63_cobalt-strike_cobaltstrike.exe C:\Windows\System\buaTQQS.exe
PID 2104 wrote to memory of 2984 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_1d8f35be68791c0bac8fadb309353e63_cobalt-strike_cobaltstrike.exe C:\Windows\System\buaTQQS.exe
PID 2104 wrote to memory of 2984 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_1d8f35be68791c0bac8fadb309353e63_cobalt-strike_cobaltstrike.exe C:\Windows\System\buaTQQS.exe
PID 2104 wrote to memory of 2380 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_1d8f35be68791c0bac8fadb309353e63_cobalt-strike_cobaltstrike.exe C:\Windows\System\hEzHtQP.exe
PID 2104 wrote to memory of 2380 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_1d8f35be68791c0bac8fadb309353e63_cobalt-strike_cobaltstrike.exe C:\Windows\System\hEzHtQP.exe
PID 2104 wrote to memory of 2380 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_1d8f35be68791c0bac8fadb309353e63_cobalt-strike_cobaltstrike.exe C:\Windows\System\hEzHtQP.exe
PID 2104 wrote to memory of 2424 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_1d8f35be68791c0bac8fadb309353e63_cobalt-strike_cobaltstrike.exe C:\Windows\System\qGqPKDw.exe
PID 2104 wrote to memory of 2424 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_1d8f35be68791c0bac8fadb309353e63_cobalt-strike_cobaltstrike.exe C:\Windows\System\qGqPKDw.exe
PID 2104 wrote to memory of 2424 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_1d8f35be68791c0bac8fadb309353e63_cobalt-strike_cobaltstrike.exe C:\Windows\System\qGqPKDw.exe
PID 2104 wrote to memory of 1916 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_1d8f35be68791c0bac8fadb309353e63_cobalt-strike_cobaltstrike.exe C:\Windows\System\orzWCnv.exe
PID 2104 wrote to memory of 1916 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_1d8f35be68791c0bac8fadb309353e63_cobalt-strike_cobaltstrike.exe C:\Windows\System\orzWCnv.exe
PID 2104 wrote to memory of 1916 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_1d8f35be68791c0bac8fadb309353e63_cobalt-strike_cobaltstrike.exe C:\Windows\System\orzWCnv.exe
PID 2104 wrote to memory of 272 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_1d8f35be68791c0bac8fadb309353e63_cobalt-strike_cobaltstrike.exe C:\Windows\System\kXFEGdd.exe
PID 2104 wrote to memory of 272 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_1d8f35be68791c0bac8fadb309353e63_cobalt-strike_cobaltstrike.exe C:\Windows\System\kXFEGdd.exe
PID 2104 wrote to memory of 272 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_1d8f35be68791c0bac8fadb309353e63_cobalt-strike_cobaltstrike.exe C:\Windows\System\kXFEGdd.exe
PID 2104 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_1d8f35be68791c0bac8fadb309353e63_cobalt-strike_cobaltstrike.exe C:\Windows\System\ieUQYdq.exe
PID 2104 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_1d8f35be68791c0bac8fadb309353e63_cobalt-strike_cobaltstrike.exe C:\Windows\System\ieUQYdq.exe
PID 2104 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_1d8f35be68791c0bac8fadb309353e63_cobalt-strike_cobaltstrike.exe C:\Windows\System\ieUQYdq.exe
PID 2104 wrote to memory of 2768 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_1d8f35be68791c0bac8fadb309353e63_cobalt-strike_cobaltstrike.exe C:\Windows\System\ulwFruR.exe
PID 2104 wrote to memory of 2768 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_1d8f35be68791c0bac8fadb309353e63_cobalt-strike_cobaltstrike.exe C:\Windows\System\ulwFruR.exe
PID 2104 wrote to memory of 2768 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_1d8f35be68791c0bac8fadb309353e63_cobalt-strike_cobaltstrike.exe C:\Windows\System\ulwFruR.exe
PID 2104 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_1d8f35be68791c0bac8fadb309353e63_cobalt-strike_cobaltstrike.exe C:\Windows\System\LcAeCIS.exe
PID 2104 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_1d8f35be68791c0bac8fadb309353e63_cobalt-strike_cobaltstrike.exe C:\Windows\System\LcAeCIS.exe
PID 2104 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_1d8f35be68791c0bac8fadb309353e63_cobalt-strike_cobaltstrike.exe C:\Windows\System\LcAeCIS.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-05-29_1d8f35be68791c0bac8fadb309353e63_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-05-29_1d8f35be68791c0bac8fadb309353e63_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\depYSMP.exe

C:\Windows\System\depYSMP.exe

C:\Windows\System\PWBQaiY.exe

C:\Windows\System\PWBQaiY.exe

C:\Windows\System\FRvSJQt.exe

C:\Windows\System\FRvSJQt.exe

C:\Windows\System\bbslQCI.exe

C:\Windows\System\bbslQCI.exe

C:\Windows\System\RbCAmnD.exe

C:\Windows\System\RbCAmnD.exe

C:\Windows\System\kTqVaZP.exe

C:\Windows\System\kTqVaZP.exe

C:\Windows\System\GrhYwwZ.exe

C:\Windows\System\GrhYwwZ.exe

C:\Windows\System\GerMiTp.exe

C:\Windows\System\GerMiTp.exe

C:\Windows\System\PEFsJCB.exe

C:\Windows\System\PEFsJCB.exe

C:\Windows\System\rkFgYLg.exe

C:\Windows\System\rkFgYLg.exe

C:\Windows\System\jWEysbB.exe

C:\Windows\System\jWEysbB.exe

C:\Windows\System\fPlKHhT.exe

C:\Windows\System\fPlKHhT.exe

C:\Windows\System\ckAgqrE.exe

C:\Windows\System\ckAgqrE.exe

C:\Windows\System\buaTQQS.exe

C:\Windows\System\buaTQQS.exe

C:\Windows\System\hEzHtQP.exe

C:\Windows\System\hEzHtQP.exe

C:\Windows\System\qGqPKDw.exe

C:\Windows\System\qGqPKDw.exe

C:\Windows\System\orzWCnv.exe

C:\Windows\System\orzWCnv.exe

C:\Windows\System\kXFEGdd.exe

C:\Windows\System\kXFEGdd.exe

C:\Windows\System\ieUQYdq.exe

C:\Windows\System\ieUQYdq.exe

C:\Windows\System\ulwFruR.exe

C:\Windows\System\ulwFruR.exe

C:\Windows\System\LcAeCIS.exe

C:\Windows\System\LcAeCIS.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 N/A tcp
(6 identical connections)

Files

memory/2104-0-0x000000013F140000-0x000000013F491000-memory.dmp

memory/2104-1-0x00000000003F0000-0x0000000000400000-memory.dmp

\Windows\system\depYSMP.exe

MD5 3b52287b629aa21ce36cb88bc2fb847d
SHA1 3ea1a9488225432231372575b24acf37b8cbcb78
SHA256 6c66db6dd23e2b56ad916962873a1c0be167315f787cc94634bb13ceb489c37a
SHA512 b8c406a23e40747bd8d75fd79acf8ddab7553f4b381cb845364c80018e59494b3bd40dd300d3792619e6199100c773a4ab5510c1cc54961b27ac915b0644490f

memory/1280-8-0x000000013FD20000-0x0000000140071000-memory.dmp

memory/2104-6-0x000000013FD20000-0x0000000140071000-memory.dmp

\Windows\system\FRvSJQt.exe

MD5 4364237905b73aa08e3c6de5ef6ec0ba
SHA1 88f31a49f7413e6b7cb19343f344a0f0c0df158f
SHA256 1263f774474586beba557437875ff5d9b28513f105d3af8707e1d7d7e67bff21
SHA512 79f85fadd38fc6fe402ed7ac76f25b6f31783a90d02e975bf6c2a8728c92fa11e974961f043f24c1aa22fa2a8325d9f268dc2debdd26344de551ad8dba325eb2

\Windows\system\PWBQaiY.exe

MD5 188956f89a1d76464b5cd3580c939054
SHA1 745963b23d9b7eb26cf15613098f45b7b7577880
SHA256 95a64aad484dad60069638691743539f20c9f8b85fa54e86d5e39ddb47e40e73
SHA512 d557c48406169ac91e986fa1725cbc2ca766cbc7f183a36d521c478f1a44561c92d10eb770def435652d19932ff1e57c1b5e2011b2fbfb4526352b53561d2549

C:\Windows\system\bbslQCI.exe

MD5 13112d0319c85a71320b4ae7d48150bf
SHA1 04ba9bda68d6297a069bed9eda7d2c1f4c40b7d6
SHA256 3a8049a02be678405e4a08298d895845829c541d839dfa7b2c5f51bc63c6235c
SHA512 8da36d6fd6ddf58be74503ca3629227d35577f4759a06c5b1ed74fdc83e77c4e175aa59aca71f5f178b23ddb043c203b99aaa79dc09078a313794f1f29f2c4ba

memory/2104-17-0x000000013FF20000-0x0000000140271000-memory.dmp

memory/2072-26-0x000000013FB90000-0x000000013FEE1000-memory.dmp

memory/2568-28-0x000000013F8D0000-0x000000013FC21000-memory.dmp

memory/2756-18-0x000000013FF20000-0x0000000140271000-memory.dmp

memory/2104-24-0x000000013F8D0000-0x000000013FC21000-memory.dmp

\Windows\system\kTqVaZP.exe

MD5 8652ecb9c1d960be0bd33787b5ec011b
SHA1 812122a3674cc4db289cd3560fa58dabc7554103
SHA256 11df86af99703a335b965d47fd6d681afbefd3960f053ba6fca89d5cd515d3c7
SHA512 b239c133a120532010f28cffac5c9f42eb0911382080092941019a66ff9b8b7f3952dc91119f4a9c6fc658907c9301c6beda1deb352d3e178b75f91e53c94173

memory/2728-41-0x000000013F630000-0x000000013F981000-memory.dmp

memory/2104-38-0x000000013F140000-0x000000013F491000-memory.dmp

memory/2616-50-0x000000013FEF0000-0x0000000140241000-memory.dmp

memory/1280-49-0x000000013FD20000-0x0000000140071000-memory.dmp

C:\Windows\system\GrhYwwZ.exe

MD5 1ae89a05497fad62aa5aa9365a3021e1
SHA1 c79cbdbe03ee734d78f39c14ad7eb8275965d0b0
SHA256 79d9e26cdc65133446f1602f2d9d865e3e11937a8ec4847f4213977a24f47d85
SHA512 784c09fca7de6017c98be6b1f428230576da4a7e079018d095d664c6813ddab46002d07210cf9aeb984357ea19c7608f36cf043792e65911fa8631df175afd95

memory/2104-35-0x0000000002140000-0x0000000002491000-memory.dmp

C:\Windows\system\RbCAmnD.exe

MD5 1ca7929025cd40819ad40592b1f460c5
SHA1 40e6a4062ff98f0d935c4bfe65df91b18cc77e39
SHA256 be7c4ca3fa2d8ddf31cc21a1c9de446aea0c70b0de44143febb04f737db193be
SHA512 5fc23b90c4b8961e44dd4419263c660d081e2442ab154b77a4d11d8b4969fdb7967ba38c83c1aa4d93ab166add7e9ecd3d9253bf6bed9e4c1b922ce7c7902a43

memory/2104-22-0x000000013FB90000-0x000000013FEE1000-memory.dmp

memory/1860-57-0x000000013F5F0000-0x000000013F941000-memory.dmp

C:\Windows\system\rkFgYLg.exe

MD5 bd187dd3596d90df131b57e21beac632
SHA1 ae1e0f8303185396d0e3b04a2f9423a659869902
SHA256 8a7680e40b02123817f3fc8a7d6ce7a0313894425c2656155a7d6a6041621f77
SHA512 03ab50952685251f8936e6ac35a774a7db50b82cad13ba6c6ed4478a013ba7a4f6eb26b81725dc8a39d540602652f597e1875508eabc3b50182f3be84726a3e9

memory/1032-72-0x000000013F520000-0x000000013F871000-memory.dmp

memory/2432-65-0x000000013FFB0000-0x0000000140301000-memory.dmp

memory/2984-97-0x000000013FD40000-0x0000000140091000-memory.dmp

C:\Windows\system\qGqPKDw.exe

MD5 dad1c3db718030dc5935c828008f5bd4
SHA1 63f9c229e049b2bbdd61683fba0162efb7f21106
SHA256 e89508042238c361f9a677047bdc0ce28bf4cf622fd5dc9a25001345cc77739a
SHA512 86ef616da809cc3de4a137874e4fe4e14cd86131dea75753bd47df8a8c25b57ddef77534538ee480ddc287a8690ef559755429c41b1dbf5a15bc86f965587e2f

C:\Windows\system\hEzHtQP.exe

MD5 5d7e1f13279bdde705f235d9b8bf567d
SHA1 6e29cec5a7352109adad934fadc3e83eb61d9a38
SHA256 12d7bfdaf54d275d3b579c545ed57eb6c06ca1ed336a25cc46542cec2e5acd59
SHA512 7070a17950385e5d35e280b92b14885b725d66c95933ce7bb16d01bbeccf9b41d84cba8b615c0b08b2d8386af702e42a4bb5b96c6f9d08583e65d4749a573427

\Windows\system\LcAeCIS.exe

MD5 c937e2fdf61c35c4e54e3743671a55b5
SHA1 2b9d7960531907d07d720e83cf7ed43167b572b7
SHA256 884bf5d8327645d4ee34ad06f55b0fe2bd71fc3cb96f7ea70eb6ac6c82f06b1c
SHA512 7d1cfef6884672cfec858e0e3f957379b02b731052c9e9af3ff6df9160efdf80f263f5c346d5a3690d3df1f5819e90141f6511096ed87f21bc558491e54180d9

C:\Windows\system\ieUQYdq.exe

MD5 08db4fa1bd6b9e3a12476b1ebc11dd94
SHA1 5442cbc34c237a1e47563014c0425937523d470a
SHA256 88e56f88b064c77c20402a5c87e8c0b54ec785babecd9c17e5d043d3d9f8a246
SHA512 ad5e30af5653e296c5a16eb67a254bc2b26be7256bd7b3980e73ec7a25366bddc620f66068488f81107f7c07dc745fa8fa2c215cb41b9f0ff6e30b578b762e4c

C:\Windows\system\orzWCnv.exe

MD5 aef84ebf123a8340b123e3b44ffb165a
SHA1 c5023500bc50c55a7b8e90bd728bd5e6f5be2721
SHA256 9f41320259d67e217655df88d0dd612624b4376191ee035d709e938f07503c5d
SHA512 286237049fad0d26b02f2e644a4bf8bdaa9a54b7423629a2123a29abfd9df4be702351d982016f2ed52bb52b0d088429f7b6f2de660a659e300b493d757dd2b4

C:\Windows\system\ulwFruR.exe

MD5 2fc4b824a78de1a09ee18e42dbc3db88
SHA1 9d6772109dfe61ea3a5f765d77517133511f1755
SHA256 efdd3ecf615b930eab0a5b96fac9c6779791a7933dc2f76a0ce28bc3f529b902
SHA512 bd2dafbb22aa02d444c7370b94b6b47133fa5ddd21824d1d4fdf8cedfd2c13a32074a43d1ccb081e9082e295c409b179c9604a3c6babe82ced30dd5916cbece9

C:\Windows\system\ckAgqrE.exe

MD5 19fc917b0d2c52911de9afc1cc5f5630
SHA1 4b8ddc5ff92d1b69f100b40a0d5071c022f65fbb
SHA256 b3fd6dde2eaf17da3f61598cae653e4f4436ef5976c3884e64037e81d8e95594
SHA512 030c5e8684fc8a4fb2e0536dc4d57bb1e06c885f450e5e5dbc314355d2428bb49acae340fb9f3f280a5d5afc5647850a63dd308ebb8e97ce25adba9594f6f7f3

memory/2104-101-0x000000013FDD0000-0x0000000140121000-memory.dmp

memory/2104-100-0x000000013F5F0000-0x000000013F941000-memory.dmp

C:\Windows\system\kXFEGdd.exe

MD5 cac275d058eeb0b91fa6a4035e608a3a
SHA1 c88c717aa6da6c0fe4501d27d1b067318569c19a
SHA256 c8d9eafc2c0d2c53e9b2ff677289d945422d24e01b2d046e352c39cef4f4c0c4
SHA512 79543d49a3e87dcb345942ea9685f6739416ebeeaf6f56f6bb72c8c58d14f536fc69bacbe8ba02bc1c57447fc54187815dbb100e508b22632f5b9bb156055142

C:\Windows\system\jWEysbB.exe

MD5 ee0e921e93d43e1f4c843fc7e4625f11
SHA1 c3964c1fa725ab2f3f21f0ae810368f1b2f40e58
SHA256 88d0e0365401f108aa7137eaf7ee8821cd76e420e4901fd76badede23a7f6df9
SHA512 b5e5b741dd032da707a36888b032664940f95a4308dc2918b6b6dd645369355496d8c5b69ff1c700ed25f110e2d8beda8605c8eacb3b77c54b95b03351e21960

C:\Windows\system\buaTQQS.exe

MD5 595a608e5ea6bb0972f0e29d9ac9c352
SHA1 7b8afaf97637d92f092d5235b4e9d27e9a3ce34f
SHA256 80a105faeae66160f67b4bd6075a60cb5f3bb6934f88e8009b0c560fe38c6d5e
SHA512 62483820705d3ba9c9db43cbe5e79e51c01e669abaf9ba6e157f7af188fe199f5b3c2878c880c5e913c6e2e158783d8930689d1ad25c1bc1714b31e409e50bff

C:\Windows\system\PEFsJCB.exe

MD5 eb7c73e00a45af36031d32dd05ffe3eb
SHA1 d48ae138adf8048f4d1d78a8a4d71c410644fbf0
SHA256 cf80da28fed88e2654e4d5c3411f8993cc9ec5d413640010dfa342321a97387a
SHA512 bed98203cebb74b0ffa931780f5171ed162368bba66b290768b2a6d4488c751f4d6a670d18606c350fcfb76f73afc2d0ea9742ea6fdc76274e63710ca9aa8082

C:\Windows\system\fPlKHhT.exe

MD5 8f00d419472e8ebc85a027952120fc00
SHA1 13b0aec0c74ba1da98084ded82475996e24fc5b1
SHA256 09a883114024e5a266dde6279bd8023810f308651a25968f814906d3d476797e
SHA512 2c398e719802ccfc0daeeba387db95d9f7a849203fe4d77eee1cab86614408f53bbbedf1b5e616d92c8f059c51940690aa47e28e8a876127a3da6f8f4e54a97d

C:\Windows\system\GerMiTp.exe

MD5 ff101100430cf6a588c6135bd67caf30
SHA1 c22ec489a742a793c3ade28be724db9207c26dc4
SHA256 738744c9f825c84d3ce58cf64d11cb8e28653dc6760d44112186a67a0826327e
SHA512 d15b65cd36d0a8d1f852b107486d7d0ed8da82f9d8b6bbaf3ce312ac0b0e8764e25b9232d387071f953e9725cf87952cc022af6a0128fc76bb5268dc4ee691df

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-29 20:45

Reported

2024-05-29 20:48

Platform

win10v2004-20240426-en

Max time kernel

142s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-05-29_1d8f35be68791c0bac8fadb309353e63_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

UPX dump on OEP (original entry point)

XMRig Miner payload

miner
UPX packed file

upx
Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\PWBQaiY.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_1d8f35be68791c0bac8fadb309353e63_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\kTqVaZP.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_1d8f35be68791c0bac8fadb309353e63_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\GerMiTp.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_1d8f35be68791c0bac8fadb309353e63_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\jWEysbB.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_1d8f35be68791c0bac8fadb309353e63_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\kXFEGdd.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_1d8f35be68791c0bac8fadb309353e63_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\qGqPKDw.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_1d8f35be68791c0bac8fadb309353e63_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ulwFruR.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_1d8f35be68791c0bac8fadb309353e63_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\depYSMP.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_1d8f35be68791c0bac8fadb309353e63_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\RbCAmnD.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_1d8f35be68791c0bac8fadb309353e63_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\PEFsJCB.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_1d8f35be68791c0bac8fadb309353e63_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\rkFgYLg.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_1d8f35be68791c0bac8fadb309353e63_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ckAgqrE.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_1d8f35be68791c0bac8fadb309353e63_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\hEzHtQP.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_1d8f35be68791c0bac8fadb309353e63_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\LcAeCIS.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_1d8f35be68791c0bac8fadb309353e63_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\GrhYwwZ.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_1d8f35be68791c0bac8fadb309353e63_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\fPlKHhT.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_1d8f35be68791c0bac8fadb309353e63_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ieUQYdq.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_1d8f35be68791c0bac8fadb309353e63_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\FRvSJQt.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_1d8f35be68791c0bac8fadb309353e63_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\bbslQCI.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_1d8f35be68791c0bac8fadb309353e63_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\buaTQQS.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_1d8f35be68791c0bac8fadb309353e63_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\orzWCnv.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_1d8f35be68791c0bac8fadb309353e63_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_1d8f35be68791c0bac8fadb309353e63_cobalt-strike_cobaltstrike.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_1d8f35be68791c0bac8fadb309353e63_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1112 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_1d8f35be68791c0bac8fadb309353e63_cobalt-strike_cobaltstrike.exe C:\Windows\System\depYSMP.exe
PID 1112 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_1d8f35be68791c0bac8fadb309353e63_cobalt-strike_cobaltstrike.exe C:\Windows\System\depYSMP.exe
PID 1112 wrote to memory of 4504 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_1d8f35be68791c0bac8fadb309353e63_cobalt-strike_cobaltstrike.exe C:\Windows\System\PWBQaiY.exe
PID 1112 wrote to memory of 4504 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_1d8f35be68791c0bac8fadb309353e63_cobalt-strike_cobaltstrike.exe C:\Windows\System\PWBQaiY.exe
PID 1112 wrote to memory of 2912 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_1d8f35be68791c0bac8fadb309353e63_cobalt-strike_cobaltstrike.exe C:\Windows\System\FRvSJQt.exe
PID 1112 wrote to memory of 2912 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_1d8f35be68791c0bac8fadb309353e63_cobalt-strike_cobaltstrike.exe C:\Windows\System\FRvSJQt.exe
PID 1112 wrote to memory of 4728 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_1d8f35be68791c0bac8fadb309353e63_cobalt-strike_cobaltstrike.exe C:\Windows\System\bbslQCI.exe
PID 1112 wrote to memory of 4728 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_1d8f35be68791c0bac8fadb309353e63_cobalt-strike_cobaltstrike.exe C:\Windows\System\bbslQCI.exe
PID 1112 wrote to memory of 3092 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_1d8f35be68791c0bac8fadb309353e63_cobalt-strike_cobaltstrike.exe C:\Windows\System\RbCAmnD.exe
PID 1112 wrote to memory of 3092 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_1d8f35be68791c0bac8fadb309353e63_cobalt-strike_cobaltstrike.exe C:\Windows\System\RbCAmnD.exe
PID 1112 wrote to memory of 1120 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_1d8f35be68791c0bac8fadb309353e63_cobalt-strike_cobaltstrike.exe C:\Windows\System\kTqVaZP.exe
PID 1112 wrote to memory of 1120 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_1d8f35be68791c0bac8fadb309353e63_cobalt-strike_cobaltstrike.exe C:\Windows\System\kTqVaZP.exe
PID 1112 wrote to memory of 2072 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_1d8f35be68791c0bac8fadb309353e63_cobalt-strike_cobaltstrike.exe C:\Windows\System\GrhYwwZ.exe
PID 1112 wrote to memory of 2072 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_1d8f35be68791c0bac8fadb309353e63_cobalt-strike_cobaltstrike.exe C:\Windows\System\GrhYwwZ.exe
PID 1112 wrote to memory of 1848 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_1d8f35be68791c0bac8fadb309353e63_cobalt-strike_cobaltstrike.exe C:\Windows\System\GerMiTp.exe
PID 1112 wrote to memory of 1848 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_1d8f35be68791c0bac8fadb309353e63_cobalt-strike_cobaltstrike.exe C:\Windows\System\GerMiTp.exe
PID 1112 wrote to memory of 1900 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_1d8f35be68791c0bac8fadb309353e63_cobalt-strike_cobaltstrike.exe C:\Windows\System\PEFsJCB.exe
PID 1112 wrote to memory of 1900 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_1d8f35be68791c0bac8fadb309353e63_cobalt-strike_cobaltstrike.exe C:\Windows\System\PEFsJCB.exe
PID 1112 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_1d8f35be68791c0bac8fadb309353e63_cobalt-strike_cobaltstrike.exe C:\Windows\System\rkFgYLg.exe
PID 1112 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_1d8f35be68791c0bac8fadb309353e63_cobalt-strike_cobaltstrike.exe C:\Windows\System\rkFgYLg.exe
PID 1112 wrote to memory of 4684 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_1d8f35be68791c0bac8fadb309353e63_cobalt-strike_cobaltstrike.exe C:\Windows\System\jWEysbB.exe
PID 1112 wrote to memory of 4684 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_1d8f35be68791c0bac8fadb309353e63_cobalt-strike_cobaltstrike.exe C:\Windows\System\jWEysbB.exe
PID 1112 wrote to memory of 2032 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_1d8f35be68791c0bac8fadb309353e63_cobalt-strike_cobaltstrike.exe C:\Windows\System\fPlKHhT.exe
PID 1112 wrote to memory of 2032 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_1d8f35be68791c0bac8fadb309353e63_cobalt-strike_cobaltstrike.exe C:\Windows\System\fPlKHhT.exe
PID 1112 wrote to memory of 2620 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_1d8f35be68791c0bac8fadb309353e63_cobalt-strike_cobaltstrike.exe C:\Windows\System\ckAgqrE.exe
PID 1112 wrote to memory of 2620 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_1d8f35be68791c0bac8fadb309353e63_cobalt-strike_cobaltstrike.exe C:\Windows\System\ckAgqrE.exe
PID 1112 wrote to memory of 1564 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_1d8f35be68791c0bac8fadb309353e63_cobalt-strike_cobaltstrike.exe C:\Windows\System\buaTQQS.exe
PID 1112 wrote to memory of 1564 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_1d8f35be68791c0bac8fadb309353e63_cobalt-strike_cobaltstrike.exe C:\Windows\System\buaTQQS.exe
PID 1112 wrote to memory of 3160 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_1d8f35be68791c0bac8fadb309353e63_cobalt-strike_cobaltstrike.exe C:\Windows\System\hEzHtQP.exe
PID 1112 wrote to memory of 3160 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_1d8f35be68791c0bac8fadb309353e63_cobalt-strike_cobaltstrike.exe C:\Windows\System\hEzHtQP.exe
PID 1112 wrote to memory of 2012 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_1d8f35be68791c0bac8fadb309353e63_cobalt-strike_cobaltstrike.exe C:\Windows\System\qGqPKDw.exe
PID 1112 wrote to memory of 2012 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_1d8f35be68791c0bac8fadb309353e63_cobalt-strike_cobaltstrike.exe C:\Windows\System\qGqPKDw.exe
PID 1112 wrote to memory of 2968 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_1d8f35be68791c0bac8fadb309353e63_cobalt-strike_cobaltstrike.exe C:\Windows\System\orzWCnv.exe
PID 1112 wrote to memory of 2968 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_1d8f35be68791c0bac8fadb309353e63_cobalt-strike_cobaltstrike.exe C:\Windows\System\orzWCnv.exe
PID 1112 wrote to memory of 2660 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_1d8f35be68791c0bac8fadb309353e63_cobalt-strike_cobaltstrike.exe C:\Windows\System\kXFEGdd.exe
PID 1112 wrote to memory of 2660 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_1d8f35be68791c0bac8fadb309353e63_cobalt-strike_cobaltstrike.exe C:\Windows\System\kXFEGdd.exe
PID 1112 wrote to memory of 2928 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_1d8f35be68791c0bac8fadb309353e63_cobalt-strike_cobaltstrike.exe C:\Windows\System\ieUQYdq.exe
PID 1112 wrote to memory of 2928 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_1d8f35be68791c0bac8fadb309353e63_cobalt-strike_cobaltstrike.exe C:\Windows\System\ieUQYdq.exe
PID 1112 wrote to memory of 764 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_1d8f35be68791c0bac8fadb309353e63_cobalt-strike_cobaltstrike.exe C:\Windows\System\ulwFruR.exe
PID 1112 wrote to memory of 764 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_1d8f35be68791c0bac8fadb309353e63_cobalt-strike_cobaltstrike.exe C:\Windows\System\ulwFruR.exe
PID 1112 wrote to memory of 2412 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_1d8f35be68791c0bac8fadb309353e63_cobalt-strike_cobaltstrike.exe C:\Windows\System\LcAeCIS.exe
PID 1112 wrote to memory of 2412 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_1d8f35be68791c0bac8fadb309353e63_cobalt-strike_cobaltstrike.exe C:\Windows\System\LcAeCIS.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-05-29_1d8f35be68791c0bac8fadb309353e63_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-05-29_1d8f35be68791c0bac8fadb309353e63_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\depYSMP.exe

C:\Windows\System\depYSMP.exe

C:\Windows\System\PWBQaiY.exe

C:\Windows\System\PWBQaiY.exe

C:\Windows\System\FRvSJQt.exe

C:\Windows\System\FRvSJQt.exe

C:\Windows\System\bbslQCI.exe

C:\Windows\System\bbslQCI.exe

C:\Windows\System\RbCAmnD.exe

C:\Windows\System\RbCAmnD.exe

C:\Windows\System\kTqVaZP.exe

C:\Windows\System\kTqVaZP.exe

C:\Windows\System\GrhYwwZ.exe

C:\Windows\System\GrhYwwZ.exe

C:\Windows\System\GerMiTp.exe

C:\Windows\System\GerMiTp.exe

C:\Windows\System\PEFsJCB.exe

C:\Windows\System\PEFsJCB.exe

C:\Windows\System\rkFgYLg.exe

C:\Windows\System\rkFgYLg.exe

C:\Windows\System\jWEysbB.exe

C:\Windows\System\jWEysbB.exe

C:\Windows\System\fPlKHhT.exe

C:\Windows\System\fPlKHhT.exe

C:\Windows\System\ckAgqrE.exe

C:\Windows\System\ckAgqrE.exe

C:\Windows\System\buaTQQS.exe

C:\Windows\System\buaTQQS.exe

C:\Windows\System\hEzHtQP.exe

C:\Windows\System\hEzHtQP.exe

C:\Windows\System\qGqPKDw.exe

C:\Windows\System\qGqPKDw.exe

C:\Windows\System\orzWCnv.exe

C:\Windows\System\orzWCnv.exe

C:\Windows\System\kXFEGdd.exe

C:\Windows\System\kXFEGdd.exe

C:\Windows\System\ieUQYdq.exe

C:\Windows\System\ieUQYdq.exe

C:\Windows\System\ulwFruR.exe

C:\Windows\System\ulwFruR.exe

C:\Windows\System\LcAeCIS.exe

C:\Windows\System\LcAeCIS.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 43.43.201.23.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp

Files

C:\Windows\System\depYSMP.exe

MD5 3b52287b629aa21ce36cb88bc2fb847d
SHA1 3ea1a9488225432231372575b24acf37b8cbcb78
SHA256 6c66db6dd23e2b56ad916962873a1c0be167315f787cc94634bb13ceb489c37a
SHA512 b8c406a23e40747bd8d75fd79acf8ddab7553f4b381cb845364c80018e59494b3bd40dd300d3792619e6199100c773a4ab5510c1cc54961b27ac915b0644490f

C:\Windows\System\FRvSJQt.exe

MD5 4364237905b73aa08e3c6de5ef6ec0ba
SHA1 88f31a49f7413e6b7cb19343f344a0f0c0df158f
SHA256 1263f774474586beba557437875ff5d9b28513f105d3af8707e1d7d7e67bff21
SHA512 79f85fadd38fc6fe402ed7ac76f25b6f31783a90d02e975bf6c2a8728c92fa11e974961f043f24c1aa22fa2a8325d9f268dc2debdd26344de551ad8dba325eb2

C:\Windows\System\bbslQCI.exe

MD5 13112d0319c85a71320b4ae7d48150bf
SHA1 04ba9bda68d6297a069bed9eda7d2c1f4c40b7d6
SHA256 3a8049a02be678405e4a08298d895845829c541d839dfa7b2c5f51bc63c6235c
SHA512 8da36d6fd6ddf58be74503ca3629227d35577f4759a06c5b1ed74fdc83e77c4e175aa59aca71f5f178b23ddb043c203b99aaa79dc09078a313794f1f29f2c4ba

C:\Windows\System\GrhYwwZ.exe

MD5 1ae89a05497fad62aa5aa9365a3021e1
SHA1 c79cbdbe03ee734d78f39c14ad7eb8275965d0b0
SHA256 79d9e26cdc65133446f1602f2d9d865e3e11937a8ec4847f4213977a24f47d85
SHA512 784c09fca7de6017c98be6b1f428230576da4a7e079018d095d664c6813ddab46002d07210cf9aeb984357ea19c7608f36cf043792e65911fa8631df175afd95

C:\Windows\System\GerMiTp.exe

MD5 ff101100430cf6a588c6135bd67caf30
SHA1 c22ec489a742a793c3ade28be724db9207c26dc4
SHA256 738744c9f825c84d3ce58cf64d11cb8e28653dc6760d44112186a67a0826327e
SHA512 d15b65cd36d0a8d1f852b107486d7d0ed8da82f9d8b6bbaf3ce312ac0b0e8764e25b9232d387071f953e9725cf87952cc022af6a0128fc76bb5268dc4ee691df

C:\Windows\System\PEFsJCB.exe

MD5 eb7c73e00a45af36031d32dd05ffe3eb
SHA1 d48ae138adf8048f4d1d78a8a4d71c410644fbf0
SHA256 cf80da28fed88e2654e4d5c3411f8993cc9ec5d413640010dfa342321a97387a
SHA512 bed98203cebb74b0ffa931780f5171ed162368bba66b290768b2a6d4488c751f4d6a670d18606c350fcfb76f73afc2d0ea9742ea6fdc76274e63710ca9aa8082

C:\Windows\System\jWEysbB.exe

MD5 ee0e921e93d43e1f4c843fc7e4625f11
SHA1 c3964c1fa725ab2f3f21f0ae810368f1b2f40e58
SHA256 88d0e0365401f108aa7137eaf7ee8821cd76e420e4901fd76badede23a7f6df9
SHA512 b5e5b741dd032da707a36888b032664940f95a4308dc2918b6b6dd645369355496d8c5b69ff1c700ed25f110e2d8beda8605c8eacb3b77c54b95b03351e21960

C:\Windows\System\fPlKHhT.exe

MD5 8f00d419472e8ebc85a027952120fc00
SHA1 13b0aec0c74ba1da98084ded82475996e24fc5b1
SHA256 09a883114024e5a266dde6279bd8023810f308651a25968f814906d3d476797e
SHA512 2c398e719802ccfc0daeeba387db95d9f7a849203fe4d77eee1cab86614408f53bbbedf1b5e616d92c8f059c51940690aa47e28e8a876127a3da6f8f4e54a97d

C:\Windows\System\qGqPKDw.exe

MD5 dad1c3db718030dc5935c828008f5bd4
SHA1 63f9c229e049b2bbdd61683fba0162efb7f21106
SHA256 e89508042238c361f9a677047bdc0ce28bf4cf622fd5dc9a25001345cc77739a
SHA512 86ef616da809cc3de4a137874e4fe4e14cd86131dea75753bd47df8a8c25b57ddef77534538ee480ddc287a8690ef559755429c41b1dbf5a15bc86f965587e2f

C:\Windows\System\orzWCnv.exe

MD5 aef84ebf123a8340b123e3b44ffb165a
SHA1 c5023500bc50c55a7b8e90bd728bd5e6f5be2721
SHA256 9f41320259d67e217655df88d0dd612624b4376191ee035d709e938f07503c5d
SHA512 286237049fad0d26b02f2e644a4bf8bdaa9a54b7423629a2123a29abfd9df4be702351d982016f2ed52bb52b0d088429f7b6f2de660a659e300b493d757dd2b4

C:\Windows\System\ieUQYdq.exe

MD5 08db4fa1bd6b9e3a12476b1ebc11dd94
SHA1 5442cbc34c237a1e47563014c0425937523d470a
SHA256 88e56f88b064c77c20402a5c87e8c0b54ec785babecd9c17e5d043d3d9f8a246
SHA512 ad5e30af5653e296c5a16eb67a254bc2b26be7256bd7b3980e73ec7a25366bddc620f66068488f81107f7c07dc745fa8fa2c215cb41b9f0ff6e30b578b762e4c

C:\Windows\System\LcAeCIS.exe

MD5 c937e2fdf61c35c4e54e3743671a55b5
SHA1 2b9d7960531907d07d720e83cf7ed43167b572b7
SHA256 884bf5d8327645d4ee34ad06f55b0fe2bd71fc3cb96f7ea70eb6ac6c82f06b1c
SHA512 7d1cfef6884672cfec858e0e3f957379b02b731052c9e9af3ff6df9160efdf80f263f5c346d5a3690d3df1f5819e90141f6511096ed87f21bc558491e54180d9

C:\Windows\System\ulwFruR.exe

MD5 2fc4b824a78de1a09ee18e42dbc3db88
SHA1 9d6772109dfe61ea3a5f765d77517133511f1755
SHA256 efdd3ecf615b930eab0a5b96fac9c6779791a7933dc2f76a0ce28bc3f529b902
SHA512 bd2dafbb22aa02d444c7370b94b6b47133fa5ddd21824d1d4fdf8cedfd2c13a32074a43d1ccb081e9082e295c409b179c9604a3c6babe82ced30dd5916cbece9

C:\Windows\System\kXFEGdd.exe

MD5 cac275d058eeb0b91fa6a4035e608a3a
SHA1 c88c717aa6da6c0fe4501d27d1b067318569c19a
SHA256 c8d9eafc2c0d2c53e9b2ff677289d945422d24e01b2d046e352c39cef4f4c0c4
SHA512 79543d49a3e87dcb345942ea9685f6739416ebeeaf6f56f6bb72c8c58d14f536fc69bacbe8ba02bc1c57447fc54187815dbb100e508b22632f5b9bb156055142

C:\Windows\System\buaTQQS.exe

MD5 595a608e5ea6bb0972f0e29d9ac9c352
SHA1 7b8afaf97637d92f092d5235b4e9d27e9a3ce34f
SHA256 80a105faeae66160f67b4bd6075a60cb5f3bb6934f88e8009b0c560fe38c6d5e
SHA512 62483820705d3ba9c9db43cbe5e79e51c01e669abaf9ba6e157f7af188fe199f5b3c2878c880c5e913c6e2e158783d8930689d1ad25c1bc1714b31e409e50bff

C:\Windows\System\hEzHtQP.exe

MD5 5d7e1f13279bdde705f235d9b8bf567d
SHA1 6e29cec5a7352109adad934fadc3e83eb61d9a38
SHA256 12d7bfdaf54d275d3b579c545ed57eb6c06ca1ed336a25cc46542cec2e5acd59
SHA512 7070a17950385e5d35e280b92b14885b725d66c95933ce7bb16d01bbeccf9b41d84cba8b615c0b08b2d8386af702e42a4bb5b96c6f9d08583e65d4749a573427

C:\Windows\System\ckAgqrE.exe

MD5 19fc917b0d2c52911de9afc1cc5f5630
SHA1 4b8ddc5ff92d1b69f100b40a0d5071c022f65fbb
SHA256 b3fd6dde2eaf17da3f61598cae653e4f4436ef5976c3884e64037e81d8e95594
SHA512 030c5e8684fc8a4fb2e0536dc4d57bb1e06c885f450e5e5dbc314355d2428bb49acae340fb9f3f280a5d5afc5647850a63dd308ebb8e97ce25adba9594f6f7f3

C:\Windows\System\rkFgYLg.exe

MD5 bd187dd3596d90df131b57e21beac632
SHA1 ae1e0f8303185396d0e3b04a2f9423a659869902
SHA256 8a7680e40b02123817f3fc8a7d6ce7a0313894425c2656155a7d6a6041621f77
SHA512 03ab50952685251f8936e6ac35a774a7db50b82cad13ba6c6ed4478a013ba7a4f6eb26b81725dc8a39d540602652f597e1875508eabc3b50182f3be84726a3e9

C:\Windows\System\kTqVaZP.exe

MD5 8652ecb9c1d960be0bd33787b5ec011b
SHA1 812122a3674cc4db289cd3560fa58dabc7554103
SHA256 11df86af99703a335b965d47fd6d681afbefd3960f053ba6fca89d5cd515d3c7
SHA512 b239c133a120532010f28cffac5c9f42eb0911382080092941019a66ff9b8b7f3952dc91119f4a9c6fc658907c9301c6beda1deb352d3e178b75f91e53c94173

C:\Windows\System\RbCAmnD.exe

MD5 1ca7929025cd40819ad40592b1f460c5
SHA1 40e6a4062ff98f0d935c4bfe65df91b18cc77e39
SHA256 be7c4ca3fa2d8ddf31cc21a1c9de446aea0c70b0de44143febb04f737db193be
SHA512 5fc23b90c4b8961e44dd4419263c660d081e2442ab154b77a4d11d8b4969fdb7967ba38c83c1aa4d93ab166add7e9ecd3d9253bf6bed9e4c1b922ce7c7902a43

C:\Windows\System\PWBQaiY.exe

MD5 188956f89a1d76464b5cd3580c939054
SHA1 745963b23d9b7eb26cf15613098f45b7b7577880
SHA256 95a64aad484dad60069638691743539f20c9f8b85fa54e86d5e39ddb47e40e73
SHA512 d557c48406169ac91e986fa1725cbc2ca766cbc7f183a36d521c478f1a44561c92d10eb770def435652d19932ff1e57c1b5e2011b2fbfb4526352b53561d2549
