Malware Analysis Report

2025-01-22 19:41

Sample ID 240601-d1ejgagc5w
Target 2024-06-01_d6b0bb02a0be1bdb6f5b13603a93e19c_cobalt-strike_cobaltstrike
SHA256 73c0ff2cba8d8d646ea9782acf4da254bbfa48aac60efcafc09d8da6a87a59d2
Tags
miner upx 0 xmrig cobaltstrike backdoor trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

73c0ff2cba8d8d646ea9782acf4da254bbfa48aac60efcafc09d8da6a87a59d2

Threat Level: Known bad

The file 2024-06-01_d6b0bb02a0be1bdb6f5b13603a93e19c_cobalt-strike_cobaltstrike was found to be: Known bad.

Malicious Activity Summary

miner upx 0 xmrig cobaltstrike backdoor trojan

XMRig Miner payload

Cobaltstrike family

UPX dump on OEP (original entry point)

Xmrig family

Detects Reflective DLL injection artifacts

xmrig

Cobalt Strike reflective loader

Cobaltstrike

Detects Reflective DLL injection artifacts

UPX dump on OEP (original entry point)

XMRig Miner payload

Loads dropped DLL

UPX packed file

Executes dropped EXE

Drops file in Windows directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-01 03:28

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike family

cobaltstrike

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Xmrig family

xmrig

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-01 03:28

Reported

2024-06-01 03:30

Platform

win7-20240221-en

Max time kernel

146s

Max time network

156s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-01_d6b0bb02a0be1bdb6f5b13603a93e19c_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A (21 identical rows)

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A (21 identical rows)

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A (55 identical rows)

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A (60 identical rows)

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_d6b0bb02a0be1bdb6f5b13603a93e19c_cobalt-strike_cobaltstrike.exe N/A (21 identical rows)

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A (55 identical rows)

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\WkVwaGl.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_d6b0bb02a0be1bdb6f5b13603a93e19c_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\inELLjQ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_d6b0bb02a0be1bdb6f5b13603a93e19c_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\vXbKGHn.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_d6b0bb02a0be1bdb6f5b13603a93e19c_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\wcUQtrO.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_d6b0bb02a0be1bdb6f5b13603a93e19c_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\AUGDyMP.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_d6b0bb02a0be1bdb6f5b13603a93e19c_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\SdrJQFE.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_d6b0bb02a0be1bdb6f5b13603a93e19c_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\LiAXgFs.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_d6b0bb02a0be1bdb6f5b13603a93e19c_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\nwZeEzz.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_d6b0bb02a0be1bdb6f5b13603a93e19c_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\qYbtAMl.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_d6b0bb02a0be1bdb6f5b13603a93e19c_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\FhFsAyq.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_d6b0bb02a0be1bdb6f5b13603a93e19c_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\PPxEWNK.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_d6b0bb02a0be1bdb6f5b13603a93e19c_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\dnWoPfp.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_d6b0bb02a0be1bdb6f5b13603a93e19c_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\jMmKOHk.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_d6b0bb02a0be1bdb6f5b13603a93e19c_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\KPXJxvU.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_d6b0bb02a0be1bdb6f5b13603a93e19c_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\CsVgYBd.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_d6b0bb02a0be1bdb6f5b13603a93e19c_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\FDBhfkT.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_d6b0bb02a0be1bdb6f5b13603a93e19c_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\UwXWWsJ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_d6b0bb02a0be1bdb6f5b13603a93e19c_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\zwMUrhp.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_d6b0bb02a0be1bdb6f5b13603a93e19c_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\BJLLOem.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_d6b0bb02a0be1bdb6f5b13603a93e19c_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\DTHtdzq.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_d6b0bb02a0be1bdb6f5b13603a93e19c_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\JxbCjjD.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_d6b0bb02a0be1bdb6f5b13603a93e19c_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_d6b0bb02a0be1bdb6f5b13603a93e19c_cobalt-strike_cobaltstrike.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_d6b0bb02a0be1bdb6f5b13603a93e19c_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 640 wrote to memory of 2088 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_d6b0bb02a0be1bdb6f5b13603a93e19c_cobalt-strike_cobaltstrike.exe C:\Windows\System\FDBhfkT.exe
PID 640 wrote to memory of 2088 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_d6b0bb02a0be1bdb6f5b13603a93e19c_cobalt-strike_cobaltstrike.exe C:\Windows\System\FDBhfkT.exe
PID 640 wrote to memory of 2088 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_d6b0bb02a0be1bdb6f5b13603a93e19c_cobalt-strike_cobaltstrike.exe C:\Windows\System\FDBhfkT.exe
PID 640 wrote to memory of 2884 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_d6b0bb02a0be1bdb6f5b13603a93e19c_cobalt-strike_cobaltstrike.exe C:\Windows\System\dnWoPfp.exe
PID 640 wrote to memory of 2884 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_d6b0bb02a0be1bdb6f5b13603a93e19c_cobalt-strike_cobaltstrike.exe C:\Windows\System\dnWoPfp.exe
PID 640 wrote to memory of 2884 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_d6b0bb02a0be1bdb6f5b13603a93e19c_cobalt-strike_cobaltstrike.exe C:\Windows\System\dnWoPfp.exe
PID 640 wrote to memory of 2496 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_d6b0bb02a0be1bdb6f5b13603a93e19c_cobalt-strike_cobaltstrike.exe C:\Windows\System\UwXWWsJ.exe
PID 640 wrote to memory of 2496 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_d6b0bb02a0be1bdb6f5b13603a93e19c_cobalt-strike_cobaltstrike.exe C:\Windows\System\UwXWWsJ.exe
PID 640 wrote to memory of 2496 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_d6b0bb02a0be1bdb6f5b13603a93e19c_cobalt-strike_cobaltstrike.exe C:\Windows\System\UwXWWsJ.exe
PID 640 wrote to memory of 2588 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_d6b0bb02a0be1bdb6f5b13603a93e19c_cobalt-strike_cobaltstrike.exe C:\Windows\System\WkVwaGl.exe
PID 640 wrote to memory of 2588 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_d6b0bb02a0be1bdb6f5b13603a93e19c_cobalt-strike_cobaltstrike.exe C:\Windows\System\WkVwaGl.exe
PID 640 wrote to memory of 2588 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_d6b0bb02a0be1bdb6f5b13603a93e19c_cobalt-strike_cobaltstrike.exe C:\Windows\System\WkVwaGl.exe
PID 640 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_d6b0bb02a0be1bdb6f5b13603a93e19c_cobalt-strike_cobaltstrike.exe C:\Windows\System\jMmKOHk.exe
PID 640 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_d6b0bb02a0be1bdb6f5b13603a93e19c_cobalt-strike_cobaltstrike.exe C:\Windows\System\jMmKOHk.exe
PID 640 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_d6b0bb02a0be1bdb6f5b13603a93e19c_cobalt-strike_cobaltstrike.exe C:\Windows\System\jMmKOHk.exe
PID 640 wrote to memory of 2612 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_d6b0bb02a0be1bdb6f5b13603a93e19c_cobalt-strike_cobaltstrike.exe C:\Windows\System\inELLjQ.exe
PID 640 wrote to memory of 2612 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_d6b0bb02a0be1bdb6f5b13603a93e19c_cobalt-strike_cobaltstrike.exe C:\Windows\System\inELLjQ.exe
PID 640 wrote to memory of 2612 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_d6b0bb02a0be1bdb6f5b13603a93e19c_cobalt-strike_cobaltstrike.exe C:\Windows\System\inELLjQ.exe
PID 640 wrote to memory of 2636 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_d6b0bb02a0be1bdb6f5b13603a93e19c_cobalt-strike_cobaltstrike.exe C:\Windows\System\SdrJQFE.exe
PID 640 wrote to memory of 2636 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_d6b0bb02a0be1bdb6f5b13603a93e19c_cobalt-strike_cobaltstrike.exe C:\Windows\System\SdrJQFE.exe
PID 640 wrote to memory of 2636 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_d6b0bb02a0be1bdb6f5b13603a93e19c_cobalt-strike_cobaltstrike.exe C:\Windows\System\SdrJQFE.exe
PID 640 wrote to memory of 2524 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_d6b0bb02a0be1bdb6f5b13603a93e19c_cobalt-strike_cobaltstrike.exe C:\Windows\System\vXbKGHn.exe
PID 640 wrote to memory of 2524 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_d6b0bb02a0be1bdb6f5b13603a93e19c_cobalt-strike_cobaltstrike.exe C:\Windows\System\vXbKGHn.exe
PID 640 wrote to memory of 2524 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_d6b0bb02a0be1bdb6f5b13603a93e19c_cobalt-strike_cobaltstrike.exe C:\Windows\System\vXbKGHn.exe
PID 640 wrote to memory of 2356 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_d6b0bb02a0be1bdb6f5b13603a93e19c_cobalt-strike_cobaltstrike.exe C:\Windows\System\LiAXgFs.exe
PID 640 wrote to memory of 2356 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_d6b0bb02a0be1bdb6f5b13603a93e19c_cobalt-strike_cobaltstrike.exe C:\Windows\System\LiAXgFs.exe
PID 640 wrote to memory of 2356 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_d6b0bb02a0be1bdb6f5b13603a93e19c_cobalt-strike_cobaltstrike.exe C:\Windows\System\LiAXgFs.exe
PID 640 wrote to memory of 2232 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_d6b0bb02a0be1bdb6f5b13603a93e19c_cobalt-strike_cobaltstrike.exe C:\Windows\System\wcUQtrO.exe
PID 640 wrote to memory of 2232 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_d6b0bb02a0be1bdb6f5b13603a93e19c_cobalt-strike_cobaltstrike.exe C:\Windows\System\wcUQtrO.exe
PID 640 wrote to memory of 2232 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_d6b0bb02a0be1bdb6f5b13603a93e19c_cobalt-strike_cobaltstrike.exe C:\Windows\System\wcUQtrO.exe
PID 640 wrote to memory of 1760 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_d6b0bb02a0be1bdb6f5b13603a93e19c_cobalt-strike_cobaltstrike.exe C:\Windows\System\zwMUrhp.exe
PID 640 wrote to memory of 1760 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_d6b0bb02a0be1bdb6f5b13603a93e19c_cobalt-strike_cobaltstrike.exe C:\Windows\System\zwMUrhp.exe
PID 640 wrote to memory of 1760 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_d6b0bb02a0be1bdb6f5b13603a93e19c_cobalt-strike_cobaltstrike.exe C:\Windows\System\zwMUrhp.exe
PID 640 wrote to memory of 2876 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_d6b0bb02a0be1bdb6f5b13603a93e19c_cobalt-strike_cobaltstrike.exe C:\Windows\System\BJLLOem.exe
PID 640 wrote to memory of 2876 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_d6b0bb02a0be1bdb6f5b13603a93e19c_cobalt-strike_cobaltstrike.exe C:\Windows\System\BJLLOem.exe
PID 640 wrote to memory of 2876 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_d6b0bb02a0be1bdb6f5b13603a93e19c_cobalt-strike_cobaltstrike.exe C:\Windows\System\BJLLOem.exe
PID 640 wrote to memory of 584 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_d6b0bb02a0be1bdb6f5b13603a93e19c_cobalt-strike_cobaltstrike.exe C:\Windows\System\DTHtdzq.exe
PID 640 wrote to memory of 584 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_d6b0bb02a0be1bdb6f5b13603a93e19c_cobalt-strike_cobaltstrike.exe C:\Windows\System\DTHtdzq.exe
PID 640 wrote to memory of 584 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_d6b0bb02a0be1bdb6f5b13603a93e19c_cobalt-strike_cobaltstrike.exe C:\Windows\System\DTHtdzq.exe
PID 640 wrote to memory of 372 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_d6b0bb02a0be1bdb6f5b13603a93e19c_cobalt-strike_cobaltstrike.exe C:\Windows\System\AUGDyMP.exe
PID 640 wrote to memory of 372 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_d6b0bb02a0be1bdb6f5b13603a93e19c_cobalt-strike_cobaltstrike.exe C:\Windows\System\AUGDyMP.exe
PID 640 wrote to memory of 372 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_d6b0bb02a0be1bdb6f5b13603a93e19c_cobalt-strike_cobaltstrike.exe C:\Windows\System\AUGDyMP.exe
PID 640 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_d6b0bb02a0be1bdb6f5b13603a93e19c_cobalt-strike_cobaltstrike.exe C:\Windows\System\nwZeEzz.exe
PID 640 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_d6b0bb02a0be1bdb6f5b13603a93e19c_cobalt-strike_cobaltstrike.exe C:\Windows\System\nwZeEzz.exe
PID 640 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_d6b0bb02a0be1bdb6f5b13603a93e19c_cobalt-strike_cobaltstrike.exe C:\Windows\System\nwZeEzz.exe
PID 640 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_d6b0bb02a0be1bdb6f5b13603a93e19c_cobalt-strike_cobaltstrike.exe C:\Windows\System\KPXJxvU.exe
PID 640 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_d6b0bb02a0be1bdb6f5b13603a93e19c_cobalt-strike_cobaltstrike.exe C:\Windows\System\KPXJxvU.exe
PID 640 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_d6b0bb02a0be1bdb6f5b13603a93e19c_cobalt-strike_cobaltstrike.exe C:\Windows\System\KPXJxvU.exe
PID 640 wrote to memory of 944 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_d6b0bb02a0be1bdb6f5b13603a93e19c_cobalt-strike_cobaltstrike.exe C:\Windows\System\qYbtAMl.exe
PID 640 wrote to memory of 944 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_d6b0bb02a0be1bdb6f5b13603a93e19c_cobalt-strike_cobaltstrike.exe C:\Windows\System\qYbtAMl.exe
PID 640 wrote to memory of 944 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_d6b0bb02a0be1bdb6f5b13603a93e19c_cobalt-strike_cobaltstrike.exe C:\Windows\System\qYbtAMl.exe
PID 640 wrote to memory of 1076 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_d6b0bb02a0be1bdb6f5b13603a93e19c_cobalt-strike_cobaltstrike.exe C:\Windows\System\CsVgYBd.exe
PID 640 wrote to memory of 1076 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_d6b0bb02a0be1bdb6f5b13603a93e19c_cobalt-strike_cobaltstrike.exe C:\Windows\System\CsVgYBd.exe
PID 640 wrote to memory of 1076 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_d6b0bb02a0be1bdb6f5b13603a93e19c_cobalt-strike_cobaltstrike.exe C:\Windows\System\CsVgYBd.exe
PID 640 wrote to memory of 1796 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_d6b0bb02a0be1bdb6f5b13603a93e19c_cobalt-strike_cobaltstrike.exe C:\Windows\System\FhFsAyq.exe
PID 640 wrote to memory of 1796 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_d6b0bb02a0be1bdb6f5b13603a93e19c_cobalt-strike_cobaltstrike.exe C:\Windows\System\FhFsAyq.exe
PID 640 wrote to memory of 1796 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_d6b0bb02a0be1bdb6f5b13603a93e19c_cobalt-strike_cobaltstrike.exe C:\Windows\System\FhFsAyq.exe
PID 640 wrote to memory of 1964 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_d6b0bb02a0be1bdb6f5b13603a93e19c_cobalt-strike_cobaltstrike.exe C:\Windows\System\JxbCjjD.exe
PID 640 wrote to memory of 1964 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_d6b0bb02a0be1bdb6f5b13603a93e19c_cobalt-strike_cobaltstrike.exe C:\Windows\System\JxbCjjD.exe
PID 640 wrote to memory of 1964 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_d6b0bb02a0be1bdb6f5b13603a93e19c_cobalt-strike_cobaltstrike.exe C:\Windows\System\JxbCjjD.exe
PID 640 wrote to memory of 2200 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_d6b0bb02a0be1bdb6f5b13603a93e19c_cobalt-strike_cobaltstrike.exe C:\Windows\System\PPxEWNK.exe
PID 640 wrote to memory of 2200 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_d6b0bb02a0be1bdb6f5b13603a93e19c_cobalt-strike_cobaltstrike.exe C:\Windows\System\PPxEWNK.exe
PID 640 wrote to memory of 2200 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_d6b0bb02a0be1bdb6f5b13603a93e19c_cobalt-strike_cobaltstrike.exe C:\Windows\System\PPxEWNK.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-01_d6b0bb02a0be1bdb6f5b13603a93e19c_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-01_d6b0bb02a0be1bdb6f5b13603a93e19c_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\FDBhfkT.exe

C:\Windows\System\FDBhfkT.exe

C:\Windows\System\dnWoPfp.exe

C:\Windows\System\dnWoPfp.exe

C:\Windows\System\UwXWWsJ.exe

C:\Windows\System\UwXWWsJ.exe

C:\Windows\System\WkVwaGl.exe

C:\Windows\System\WkVwaGl.exe

C:\Windows\System\jMmKOHk.exe

C:\Windows\System\jMmKOHk.exe

C:\Windows\System\inELLjQ.exe

C:\Windows\System\inELLjQ.exe

C:\Windows\System\SdrJQFE.exe

C:\Windows\System\SdrJQFE.exe

C:\Windows\System\vXbKGHn.exe

C:\Windows\System\vXbKGHn.exe

C:\Windows\System\LiAXgFs.exe

C:\Windows\System\LiAXgFs.exe

C:\Windows\System\wcUQtrO.exe

C:\Windows\System\wcUQtrO.exe

C:\Windows\System\zwMUrhp.exe

C:\Windows\System\zwMUrhp.exe

C:\Windows\System\BJLLOem.exe

C:\Windows\System\BJLLOem.exe

C:\Windows\System\DTHtdzq.exe

C:\Windows\System\DTHtdzq.exe

C:\Windows\System\AUGDyMP.exe

C:\Windows\System\AUGDyMP.exe

C:\Windows\System\nwZeEzz.exe

C:\Windows\System\nwZeEzz.exe

C:\Windows\System\KPXJxvU.exe

C:\Windows\System\KPXJxvU.exe

C:\Windows\System\qYbtAMl.exe

C:\Windows\System\qYbtAMl.exe

C:\Windows\System\CsVgYBd.exe

C:\Windows\System\CsVgYBd.exe

C:\Windows\System\FhFsAyq.exe

C:\Windows\System\FhFsAyq.exe

C:\Windows\System\JxbCjjD.exe

C:\Windows\System\JxbCjjD.exe

C:\Windows\System\PPxEWNK.exe

C:\Windows\System\PPxEWNK.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp

Files

memory/640-0-0x000000013F200000-0x000000013F554000-memory.dmp

memory/640-1-0x00000000000F0000-0x0000000000100000-memory.dmp

\Windows\system\FDBhfkT.exe

MD5 2e4f7ca272c332f76211663954e60227
SHA1 be77d0bdd41a4f8acb0370b3e729255af842785b
SHA256 2c4baeb752a4bc6702d5ecbff1247e8381d641e9c58c68311527997ee6a68073
SHA512 0dcaf7fcd63070584b591b519a6d719c883a9f2b2557f5c454056986cf132a65771eaeb31cbcc2a9c3a799748371065785a88a04f021efc368b395f1bb6ddd43

memory/640-6-0x000000013F570000-0x000000013F8C4000-memory.dmp

memory/2088-9-0x000000013F570000-0x000000013F8C4000-memory.dmp

C:\Windows\system\UwXWWsJ.exe

MD5 cd701b09557da359ce8f35551f6ef9e8
SHA1 49c2332dfae95d6aefacb0427af37847b59e2343
SHA256 27776d8873384c104f6d268b79fe5f14928c16a6791cee5350193b34653bc737
SHA512 e378ecbfbeedf972787074fcf5e07ba6c11fe30a8d99e50584250967a7c395cbbb235982f18ccec3777c2662fc450278e307b33622f569f8145dfa1928209951

C:\Windows\system\WkVwaGl.exe

MD5 7d988542faa4d6fe11c99f8308678121
SHA1 2a2e9e3f2bc4fa002a3a0a84c597b4ef24f80219
SHA256 978e5a598f29939671c0c96d82616ac954ef81203f7fa56b27b915314e05af4e
SHA512 fd12e92bf34602d5fbefb3d594d43da525086eb46de37b67b8a5109e4d37d4c2b2dd19a1fe36164d5d9f54b2d55666f2169cc9b4be26d711b35682188567a82e

memory/2496-27-0x000000013FE90000-0x00000001401E4000-memory.dmp

memory/2588-28-0x000000013FAA0000-0x000000013FDF4000-memory.dmp

C:\Windows\system\jMmKOHk.exe

MD5 c4dd6e0d953f53aed54a58c6662b74c2
SHA1 c6a9568747b5d3b9e3b4198f2f78b3ba2487ae3d
SHA256 c49fdce9fd9467f0935a81aa2c6c0db915084d97363f9c876c68f0299773f254
SHA512 9b98b5387edf3bca7ff0c09f3de0744e13700c26a88fa93f2f444815310471e9566009a2f38fd3723f860b2998f5a8c3b5eb8148446be3541becbf220dad5448

\Windows\system\inELLjQ.exe

MD5 eb6ad9369defa90f741e956aff49b541
SHA1 54e07fa345ddf4911124af690d9124f31650d904
SHA256 e688c2688ec94c8509fce1c33053fa021f60e7cc6ee166f6daf693174676535b
SHA512 01efaf7c1bfedc019c14f8405f80c0790ef11ae4073e47628bf05c9257c09a8f0fca18fc7da2cc9f0c65d14d9de39f3542f3a3d4f7e2d249bfc72d7db58127cd

C:\Windows\system\SdrJQFE.exe

MD5 01deb48e49d803d8d9f4f59e02f8bcdf
SHA1 e11ea1a340c1007a8e5f43f510fc88cb526d549b
SHA256 8d685dcb984e3d10e3d8709c0f4db15b06fc9060247a7d61dd4bc193874231c0
SHA512 b1b76f7293fcfb4c8c64ccb530fd563e7931e072a445428b1a5ac337ef42ed12a6a54bb92ed99ee0c324bc9c74ada76ae1814aa27321bb7d96c6f1b4182bb01a

\Windows\system\wcUQtrO.exe

MD5 16a2abdad12ea3576525c5fa468c4e92
SHA1 2cf16a2510edada866f4e26ca99a00e5f3ec3843
SHA256 144a46315dbf92e9fa480dfb7104982bc089997bd9911236aa21a1d6f4763bd5
SHA512 515e567c60bb9476536ad5718dbe77c9ed74a79d25586e79727f2503b5e5586741a5b410b9cde15e9f90e2df9851152fb0a19698e2353bdec536722e0379335a

memory/2712-56-0x000000013FCD0000-0x0000000140024000-memory.dmp

memory/640-65-0x000000013FD40000-0x0000000140094000-memory.dmp

memory/2524-68-0x000000013F3A0000-0x000000013F6F4000-memory.dmp

memory/640-69-0x000000013F6F0000-0x000000013FA44000-memory.dmp

memory/2232-70-0x000000013F6F0000-0x000000013FA44000-memory.dmp

memory/2612-73-0x000000013F350000-0x000000013F6A4000-memory.dmp

memory/640-76-0x0000000002480000-0x00000000027D4000-memory.dmp

memory/2356-78-0x000000013F810000-0x000000013FB64000-memory.dmp

memory/2876-82-0x000000013F1E0000-0x000000013F534000-memory.dmp

C:\Windows\system\AUGDyMP.exe

MD5 58d26233c99e0350fca6638cdbfa81af
SHA1 099d72a8cab39d1a82ab2dbc69dd6455a2aa73fc
SHA256 b3aad025cc583a4610180f1457c56ce88602f63212f5e66eb28b5bfe690a3a7c
SHA512 f6bef4aec93e6e776029ff62878391650cd3f18602e6bf8be67358faaae623603254c107462cce51ea135be52e4c51204c6a9cf603f2d28fdd5749a255aeeb06

memory/372-98-0x000000013FDD0000-0x0000000140124000-memory.dmp

C:\Windows\system\PPxEWNK.exe

MD5 a8c634d41f96144526b72a7750b10a74
SHA1 73f24e0a7e25b36a5b8dfe812c23a7d54574a2fa
SHA256 5ba2afac0ee407d0cce5ef27ff00b26823e00b99cfafd06bafa2c8c751e7f121
SHA512 8782eeb64e31bc4cf52b7a3716b1f98e1d2f9d074faef6dfa8d2bf1c9c6421c511f2aa388a906ed94367e55a42b3af4d593d6ddb6b2a18fb0875cf66cfa7ccab

C:\Windows\system\JxbCjjD.exe

MD5 42829c0390cda4b80ba6b7cb9f4a244b
SHA1 a9674fb5ece359e510e34bcec6436f7450cde524
SHA256 4ea096502c78cb02720db49498433d990868da735af97880fa2b8744e02e58b2
SHA512 1b39611d5a418f6c3f60bd7aa68deb096cba6652fee50fabef91f70418f4433b4010f70b84c776d6e952f96c4452e09344adb1caa9bce2fc09f190fe5de28f87

C:\Windows\system\FhFsAyq.exe

MD5 8f92708ce209058e559324d1168f2699
SHA1 0a86fe35f3f63ce470f8b2d0efd8bc61cdee5fc8
SHA256 7e07e7e54ed5bf89aca9742dfaba7624327bc6b17bc6ded842c044e1e993d340
SHA512 1337e6e657df2fe8712700bf0bd048703d680876353bcca3f9713cad55c3a48cbd6fc66235af5be47c057c63916361576f3db703103c98931c12cbec6ae06ece

C:\Windows\system\CsVgYBd.exe

MD5 ade000cb4555b43b1d29916e7f393120
SHA1 6d77d13fb88a9294207da2e15e9e87c4cc4830b3

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-01 03:28

Reported

2024-06-01 03:30

Platform

win10v2004-20240426-en

Max time kernel

139s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-01_d6b0bb02a0be1bdb6f5b13603a93e19c_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\sWIDQhx.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_d6b0bb02a0be1bdb6f5b13603a93e19c_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\mBKdDKj.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_d6b0bb02a0be1bdb6f5b13603a93e19c_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\NsohjJJ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_d6b0bb02a0be1bdb6f5b13603a93e19c_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\AopvIAc.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_d6b0bb02a0be1bdb6f5b13603a93e19c_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\VoaYzdn.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_d6b0bb02a0be1bdb6f5b13603a93e19c_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\FGJZrNz.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_d6b0bb02a0be1bdb6f5b13603a93e19c_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\PvwgHKh.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_d6b0bb02a0be1bdb6f5b13603a93e19c_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\PsGmgtx.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_d6b0bb02a0be1bdb6f5b13603a93e19c_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\LBZGzVs.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_d6b0bb02a0be1bdb6f5b13603a93e19c_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\JQkFiFv.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_d6b0bb02a0be1bdb6f5b13603a93e19c_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\elnytdm.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_d6b0bb02a0be1bdb6f5b13603a93e19c_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\SRZtESR.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_d6b0bb02a0be1bdb6f5b13603a93e19c_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\Odyquzb.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_d6b0bb02a0be1bdb6f5b13603a93e19c_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\QmmIzNT.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_d6b0bb02a0be1bdb6f5b13603a93e19c_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\lRLaRbC.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_d6b0bb02a0be1bdb6f5b13603a93e19c_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\FLMuWUS.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_d6b0bb02a0be1bdb6f5b13603a93e19c_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\BAwmNps.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_d6b0bb02a0be1bdb6f5b13603a93e19c_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\tdCCNCw.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_d6b0bb02a0be1bdb6f5b13603a93e19c_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\QmaTKip.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_d6b0bb02a0be1bdb6f5b13603a93e19c_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\zqkkaAC.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_d6b0bb02a0be1bdb6f5b13603a93e19c_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\bNwAJfI.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_d6b0bb02a0be1bdb6f5b13603a93e19c_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_d6b0bb02a0be1bdb6f5b13603a93e19c_cobalt-strike_cobaltstrike.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_d6b0bb02a0be1bdb6f5b13603a93e19c_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2240 wrote to memory of 880 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_d6b0bb02a0be1bdb6f5b13603a93e19c_cobalt-strike_cobaltstrike.exe C:\Windows\System\sWIDQhx.exe
PID 2240 wrote to memory of 880 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_d6b0bb02a0be1bdb6f5b13603a93e19c_cobalt-strike_cobaltstrike.exe C:\Windows\System\sWIDQhx.exe
PID 2240 wrote to memory of 688 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_d6b0bb02a0be1bdb6f5b13603a93e19c_cobalt-strike_cobaltstrike.exe C:\Windows\System\PvwgHKh.exe
PID 2240 wrote to memory of 688 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_d6b0bb02a0be1bdb6f5b13603a93e19c_cobalt-strike_cobaltstrike.exe C:\Windows\System\PvwgHKh.exe
PID 2240 wrote to memory of 4424 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_d6b0bb02a0be1bdb6f5b13603a93e19c_cobalt-strike_cobaltstrike.exe C:\Windows\System\tdCCNCw.exe
PID 2240 wrote to memory of 4424 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_d6b0bb02a0be1bdb6f5b13603a93e19c_cobalt-strike_cobaltstrike.exe C:\Windows\System\tdCCNCw.exe
PID 2240 wrote to memory of 1364 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_d6b0bb02a0be1bdb6f5b13603a93e19c_cobalt-strike_cobaltstrike.exe C:\Windows\System\Odyquzb.exe
PID 2240 wrote to memory of 1364 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_d6b0bb02a0be1bdb6f5b13603a93e19c_cobalt-strike_cobaltstrike.exe C:\Windows\System\Odyquzb.exe
PID 2240 wrote to memory of 3156 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_d6b0bb02a0be1bdb6f5b13603a93e19c_cobalt-strike_cobaltstrike.exe C:\Windows\System\PsGmgtx.exe
PID 2240 wrote to memory of 3156 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_d6b0bb02a0be1bdb6f5b13603a93e19c_cobalt-strike_cobaltstrike.exe C:\Windows\System\PsGmgtx.exe
PID 2240 wrote to memory of 3628 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_d6b0bb02a0be1bdb6f5b13603a93e19c_cobalt-strike_cobaltstrike.exe C:\Windows\System\QmmIzNT.exe
PID 2240 wrote to memory of 3628 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_d6b0bb02a0be1bdb6f5b13603a93e19c_cobalt-strike_cobaltstrike.exe C:\Windows\System\QmmIzNT.exe
PID 2240 wrote to memory of 1724 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_d6b0bb02a0be1bdb6f5b13603a93e19c_cobalt-strike_cobaltstrike.exe C:\Windows\System\mBKdDKj.exe
PID 2240 wrote to memory of 1724 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_d6b0bb02a0be1bdb6f5b13603a93e19c_cobalt-strike_cobaltstrike.exe C:\Windows\System\mBKdDKj.exe
PID 2240 wrote to memory of 2976 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_d6b0bb02a0be1bdb6f5b13603a93e19c_cobalt-strike_cobaltstrike.exe C:\Windows\System\QmaTKip.exe
PID 2240 wrote to memory of 2976 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_d6b0bb02a0be1bdb6f5b13603a93e19c_cobalt-strike_cobaltstrike.exe C:\Windows\System\QmaTKip.exe
PID 2240 wrote to memory of 808 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_d6b0bb02a0be1bdb6f5b13603a93e19c_cobalt-strike_cobaltstrike.exe C:\Windows\System\LBZGzVs.exe
PID 2240 wrote to memory of 808 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_d6b0bb02a0be1bdb6f5b13603a93e19c_cobalt-strike_cobaltstrike.exe C:\Windows\System\LBZGzVs.exe
PID 2240 wrote to memory of 1992 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_d6b0bb02a0be1bdb6f5b13603a93e19c_cobalt-strike_cobaltstrike.exe C:\Windows\System\lRLaRbC.exe
PID 2240 wrote to memory of 1992 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_d6b0bb02a0be1bdb6f5b13603a93e19c_cobalt-strike_cobaltstrike.exe C:\Windows\System\lRLaRbC.exe
PID 2240 wrote to memory of 2916 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_d6b0bb02a0be1bdb6f5b13603a93e19c_cobalt-strike_cobaltstrike.exe C:\Windows\System\NsohjJJ.exe
PID 2240 wrote to memory of 2916 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_d6b0bb02a0be1bdb6f5b13603a93e19c_cobalt-strike_cobaltstrike.exe C:\Windows\System\NsohjJJ.exe
PID 2240 wrote to memory of 3108 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_d6b0bb02a0be1bdb6f5b13603a93e19c_cobalt-strike_cobaltstrike.exe C:\Windows\System\JQkFiFv.exe
PID 2240 wrote to memory of 3108 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_d6b0bb02a0be1bdb6f5b13603a93e19c_cobalt-strike_cobaltstrike.exe C:\Windows\System\JQkFiFv.exe
PID 2240 wrote to memory of 4404 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_d6b0bb02a0be1bdb6f5b13603a93e19c_cobalt-strike_cobaltstrike.exe C:\Windows\System\elnytdm.exe
PID 2240 wrote to memory of 4404 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_d6b0bb02a0be1bdb6f5b13603a93e19c_cobalt-strike_cobaltstrike.exe C:\Windows\System\elnytdm.exe
PID 2240 wrote to memory of 3768 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_d6b0bb02a0be1bdb6f5b13603a93e19c_cobalt-strike_cobaltstrike.exe C:\Windows\System\zqkkaAC.exe
PID 2240 wrote to memory of 3768 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_d6b0bb02a0be1bdb6f5b13603a93e19c_cobalt-strike_cobaltstrike.exe C:\Windows\System\zqkkaAC.exe
PID 2240 wrote to memory of 1284 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_d6b0bb02a0be1bdb6f5b13603a93e19c_cobalt-strike_cobaltstrike.exe C:\Windows\System\AopvIAc.exe
PID 2240 wrote to memory of 1284 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_d6b0bb02a0be1bdb6f5b13603a93e19c_cobalt-strike_cobaltstrike.exe C:\Windows\System\AopvIAc.exe
PID 2240 wrote to memory of 828 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_d6b0bb02a0be1bdb6f5b13603a93e19c_cobalt-strike_cobaltstrike.exe C:\Windows\System\SRZtESR.exe
PID 2240 wrote to memory of 828 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_d6b0bb02a0be1bdb6f5b13603a93e19c_cobalt-strike_cobaltstrike.exe C:\Windows\System\SRZtESR.exe
PID 2240 wrote to memory of 228 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_d6b0bb02a0be1bdb6f5b13603a93e19c_cobalt-strike_cobaltstrike.exe C:\Windows\System\bNwAJfI.exe
PID 2240 wrote to memory of 228 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_d6b0bb02a0be1bdb6f5b13603a93e19c_cobalt-strike_cobaltstrike.exe C:\Windows\System\bNwAJfI.exe
PID 2240 wrote to memory of 1076 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_d6b0bb02a0be1bdb6f5b13603a93e19c_cobalt-strike_cobaltstrike.exe C:\Windows\System\FGJZrNz.exe
PID 2240 wrote to memory of 1076 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_d6b0bb02a0be1bdb6f5b13603a93e19c_cobalt-strike_cobaltstrike.exe C:\Windows\System\FGJZrNz.exe
PID 2240 wrote to memory of 3164 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_d6b0bb02a0be1bdb6f5b13603a93e19c_cobalt-strike_cobaltstrike.exe C:\Windows\System\FLMuWUS.exe
PID 2240 wrote to memory of 3164 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_d6b0bb02a0be1bdb6f5b13603a93e19c_cobalt-strike_cobaltstrike.exe C:\Windows\System\FLMuWUS.exe
PID 2240 wrote to memory of 2320 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_d6b0bb02a0be1bdb6f5b13603a93e19c_cobalt-strike_cobaltstrike.exe C:\Windows\System\BAwmNps.exe
PID 2240 wrote to memory of 2320 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_d6b0bb02a0be1bdb6f5b13603a93e19c_cobalt-strike_cobaltstrike.exe C:\Windows\System\BAwmNps.exe
PID 2240 wrote to memory of 884 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_d6b0bb02a0be1bdb6f5b13603a93e19c_cobalt-strike_cobaltstrike.exe C:\Windows\System\VoaYzdn.exe
PID 2240 wrote to memory of 884 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_d6b0bb02a0be1bdb6f5b13603a93e19c_cobalt-strike_cobaltstrike.exe C:\Windows\System\VoaYzdn.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-01_d6b0bb02a0be1bdb6f5b13603a93e19c_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-01_d6b0bb02a0be1bdb6f5b13603a93e19c_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\sWIDQhx.exe

C:\Windows\System\sWIDQhx.exe

C:\Windows\System\PvwgHKh.exe

C:\Windows\System\PvwgHKh.exe

C:\Windows\System\tdCCNCw.exe

C:\Windows\System\tdCCNCw.exe

C:\Windows\System\Odyquzb.exe

C:\Windows\System\Odyquzb.exe

C:\Windows\System\PsGmgtx.exe

C:\Windows\System\PsGmgtx.exe

C:\Windows\System\QmmIzNT.exe

C:\Windows\System\QmmIzNT.exe

C:\Windows\System\mBKdDKj.exe

C:\Windows\System\mBKdDKj.exe

C:\Windows\System\QmaTKip.exe

C:\Windows\System\QmaTKip.exe

C:\Windows\System\LBZGzVs.exe

C:\Windows\System\LBZGzVs.exe

C:\Windows\System\lRLaRbC.exe

C:\Windows\System\lRLaRbC.exe

C:\Windows\System\NsohjJJ.exe

C:\Windows\System\NsohjJJ.exe

C:\Windows\System\JQkFiFv.exe

C:\Windows\System\JQkFiFv.exe

C:\Windows\System\elnytdm.exe

C:\Windows\System\elnytdm.exe

C:\Windows\System\zqkkaAC.exe

C:\Windows\System\zqkkaAC.exe

C:\Windows\System\AopvIAc.exe

C:\Windows\System\AopvIAc.exe

C:\Windows\System\SRZtESR.exe

C:\Windows\System\SRZtESR.exe

C:\Windows\System\bNwAJfI.exe

C:\Windows\System\bNwAJfI.exe

C:\Windows\System\FGJZrNz.exe

C:\Windows\System\FGJZrNz.exe

C:\Windows\System\FLMuWUS.exe

C:\Windows\System\FLMuWUS.exe

C:\Windows\System\BAwmNps.exe

C:\Windows\System\BAwmNps.exe

C:\Windows\System\VoaYzdn.exe

C:\Windows\System\VoaYzdn.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp

Files
