Malware Analysis Report

2025-01-22 19:48

Sample ID 240601-s7fsfage73
Target 2024-06-01_2f62a0cbd6a2e34d702fd98d5f39c2e3_cobalt-strike_cobaltstrike
SHA256 901c6ac0a6c491a212fc65f2b0d46c9c9889c4b60fad044bdb581d6d7bb94a02
Tags
miner upx 0 xmrig cobaltstrike backdoor trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

901c6ac0a6c491a212fc65f2b0d46c9c9889c4b60fad044bdb581d6d7bb94a02

Threat Level: Known bad

The file 2024-06-01_2f62a0cbd6a2e34d702fd98d5f39c2e3_cobalt-strike_cobaltstrike was found to be: Known bad.

Malicious Activity Summary

miner upx 0 xmrig cobaltstrike backdoor trojan

xmrig

Cobaltstrike

Detects Reflective DLL injection artifacts

XMRig Miner payload

Cobalt Strike reflective loader

UPX dump on OEP (original entry point)

Xmrig family

Cobaltstrike family

UPX packed file

Executes dropped EXE

Loads dropped DLL

Drops file in Windows directory

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-01 15:45

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike family

cobaltstrike

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Xmrig family

xmrig

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-01 15:45

Reported

2024-06-01 15:48

Platform

win7-20240221-en

Max time kernel

149s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-01_2f62a0cbd6a2e34d702fd98d5f39c2e3_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A
(21 matches in the original table; the report records no description, indicator, process or target for any of them)

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A
(21 matches in the original table; the report records no description, indicator, process or target for any of them)

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A
(56 matches in the original table; the report records no description, indicator, process or target for any of them)

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
(58 matches in the original table; the report records no description, indicator, process or target for any of them)

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_2f62a0cbd6a2e34d702fd98d5f39c2e3_cobalt-strike_cobaltstrike.exe N/A
(21 identical rows in the original table; no indicator or target recorded)

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
(56 matches in the original table; the report records no description, indicator, process or target for any of them)

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\wGsnATT.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_2f62a0cbd6a2e34d702fd98d5f39c2e3_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\dTpskZN.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_2f62a0cbd6a2e34d702fd98d5f39c2e3_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ITzkBuF.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_2f62a0cbd6a2e34d702fd98d5f39c2e3_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ekDwZVE.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_2f62a0cbd6a2e34d702fd98d5f39c2e3_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\vDzQnNE.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_2f62a0cbd6a2e34d702fd98d5f39c2e3_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\EytSYpV.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_2f62a0cbd6a2e34d702fd98d5f39c2e3_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\FEXpPGa.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_2f62a0cbd6a2e34d702fd98d5f39c2e3_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\JUTPhdj.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_2f62a0cbd6a2e34d702fd98d5f39c2e3_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ZXMfZpu.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_2f62a0cbd6a2e34d702fd98d5f39c2e3_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\AbKeNWG.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_2f62a0cbd6a2e34d702fd98d5f39c2e3_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\DpZpLjk.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_2f62a0cbd6a2e34d702fd98d5f39c2e3_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\UziJOyJ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_2f62a0cbd6a2e34d702fd98d5f39c2e3_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\WzOamGD.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_2f62a0cbd6a2e34d702fd98d5f39c2e3_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\BzTZTPz.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_2f62a0cbd6a2e34d702fd98d5f39c2e3_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\yHlKGdh.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_2f62a0cbd6a2e34d702fd98d5f39c2e3_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\amqItfy.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_2f62a0cbd6a2e34d702fd98d5f39c2e3_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\exouqCV.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_2f62a0cbd6a2e34d702fd98d5f39c2e3_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\JlrTebm.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_2f62a0cbd6a2e34d702fd98d5f39c2e3_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\CXchmCe.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_2f62a0cbd6a2e34d702fd98d5f39c2e3_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\dvOqknK.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_2f62a0cbd6a2e34d702fd98d5f39c2e3_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\KeQinmw.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_2f62a0cbd6a2e34d702fd98d5f39c2e3_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_2f62a0cbd6a2e34d702fd98d5f39c2e3_cobalt-strike_cobaltstrike.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_2f62a0cbd6a2e34d702fd98d5f39c2e3_cobalt-strike_cobaltstrike.exe N/A

SeLockMemoryPrivilege ("Lock pages in memory") is the user right XMRig enables so that it can back its RandomX dataset with large pages; an unsigned executable running from %TEMP% requesting it is a strong miner indicator. The same privilege is legitimately requested by software such as SQL Server when large-page support is configured, so a detection on it needs a process allowlist rather than a blanket alert.

Suspicious use of WriteProcessMemory

Description Indicator Process Target
(each of the 21 rows below appeared three times in the original table, i.e. three memory writes were recorded per child; the duplicates are collapsed here)
PID 2180 wrote to memory of 324 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_2f62a0cbd6a2e34d702fd98d5f39c2e3_cobalt-strike_cobaltstrike.exe C:\Windows\System\dTpskZN.exe
PID 2180 wrote to memory of 2956 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_2f62a0cbd6a2e34d702fd98d5f39c2e3_cobalt-strike_cobaltstrike.exe C:\Windows\System\ZXMfZpu.exe
PID 2180 wrote to memory of 284 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_2f62a0cbd6a2e34d702fd98d5f39c2e3_cobalt-strike_cobaltstrike.exe C:\Windows\System\JlrTebm.exe
PID 2180 wrote to memory of 2876 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_2f62a0cbd6a2e34d702fd98d5f39c2e3_cobalt-strike_cobaltstrike.exe C:\Windows\System\yHlKGdh.exe
PID 2180 wrote to memory of 2860 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_2f62a0cbd6a2e34d702fd98d5f39c2e3_cobalt-strike_cobaltstrike.exe C:\Windows\System\ITzkBuF.exe
PID 2180 wrote to memory of 3012 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_2f62a0cbd6a2e34d702fd98d5f39c2e3_cobalt-strike_cobaltstrike.exe C:\Windows\System\ekDwZVE.exe
PID 2180 wrote to memory of 588 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_2f62a0cbd6a2e34d702fd98d5f39c2e3_cobalt-strike_cobaltstrike.exe C:\Windows\System\AbKeNWG.exe
PID 2180 wrote to memory of 900 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_2f62a0cbd6a2e34d702fd98d5f39c2e3_cobalt-strike_cobaltstrike.exe C:\Windows\System\vDzQnNE.exe
PID 2180 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_2f62a0cbd6a2e34d702fd98d5f39c2e3_cobalt-strike_cobaltstrike.exe C:\Windows\System\amqItfy.exe
PID 2180 wrote to memory of 2992 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_2f62a0cbd6a2e34d702fd98d5f39c2e3_cobalt-strike_cobaltstrike.exe C:\Windows\System\CXchmCe.exe
PID 2180 wrote to memory of 2640 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_2f62a0cbd6a2e34d702fd98d5f39c2e3_cobalt-strike_cobaltstrike.exe C:\Windows\System\EytSYpV.exe
PID 2180 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_2f62a0cbd6a2e34d702fd98d5f39c2e3_cobalt-strike_cobaltstrike.exe C:\Windows\System\DpZpLjk.exe
PID 2180 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_2f62a0cbd6a2e34d702fd98d5f39c2e3_cobalt-strike_cobaltstrike.exe C:\Windows\System\FEXpPGa.exe
PID 2180 wrote to memory of 2532 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_2f62a0cbd6a2e34d702fd98d5f39c2e3_cobalt-strike_cobaltstrike.exe C:\Windows\System\JUTPhdj.exe
PID 2180 wrote to memory of 2688 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_2f62a0cbd6a2e34d702fd98d5f39c2e3_cobalt-strike_cobaltstrike.exe C:\Windows\System\exouqCV.exe
PID 2180 wrote to memory of 2760 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_2f62a0cbd6a2e34d702fd98d5f39c2e3_cobalt-strike_cobaltstrike.exe C:\Windows\System\UziJOyJ.exe
PID 2180 wrote to memory of 2460 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_2f62a0cbd6a2e34d702fd98d5f39c2e3_cobalt-strike_cobaltstrike.exe C:\Windows\System\wGsnATT.exe
PID 2180 wrote to memory of 2424 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_2f62a0cbd6a2e34d702fd98d5f39c2e3_cobalt-strike_cobaltstrike.exe C:\Windows\System\WzOamGD.exe
PID 2180 wrote to memory of 2480 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_2f62a0cbd6a2e34d702fd98d5f39c2e3_cobalt-strike_cobaltstrike.exe C:\Windows\System\dvOqknK.exe
PID 2180 wrote to memory of 2836 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_2f62a0cbd6a2e34d702fd98d5f39c2e3_cobalt-strike_cobaltstrike.exe C:\Windows\System\KeQinmw.exe
PID 2180 wrote to memory of 2128 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_2f62a0cbd6a2e34d702fd98d5f39c2e3_cobalt-strike_cobaltstrike.exe C:\Windows\System\BzTZTPz.exe
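The drop, spawn, privilege and network signatures above describe one host-side pattern: a binary in %TEMP% writes a burst of seven-letter .exe files into C:\Windows\System, starts them, enables SeLockMemoryPrivilege and talks to 3.120.209.58:8080. The detector below is an added example and not part of the sandbox or this report; it runs those four checks over constructed Sysmon-style events (EventID 1, 3, 11) and Windows Security 4703 privilege-adjust events modelled on the behavioural run, with two benign events mixed in to show that the allowlist and the System32 path do not fire. The event field names, the 60-second/3-file threshold and the sqlservr.exe allowlist entry are assumptions to be tuned per estate.

```python
"""Host-side detection for the drop-and-spawn pattern in this report.

Added example, not part of the report. Four checks over Sysmon-style events
(EventID 1 process create, 3 network connect, 11 file create) and Windows
Security 4703 (user right adjusted) events.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Submitted sample's path as it appears in the report.
SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\2024-06-01_2f62a0cbd6a2e34d702fd98d5f39c2e3_cobalt-strike_cobaltstrike.exe")

# Naming pattern of every file the sample dropped: seven letters, .exe, in C:\Windows\System.
DROPPED_NAME = re.compile(r"^c:\\windows\\system\\[a-z]{7}\.exe$", re.I)
TEMP_DIR = re.compile(r"^c:\\users\\[^\\]+\\appdata\\local\\temp\\", re.I)
DROP_THRESHOLD, DROP_WINDOW = 3, timedelta(seconds=60)      # assumption: tune per estate
KNOWN_C2 = {("3.120.209.58", 8080)}                          # from this report's Network table
# Assumption: images legitimately allowed to hold "Lock pages in memory".
LARGE_PAGE_ALLOWLIST = {r"c:\program files\microsoft sql server\mssql\binn\sqlservr.exe"}

# Constructed events modelled on the behavioural run, plus two benign ones (sqlservr, msiexec).
EVENTS = [
    {"t": "2024-06-01T15:46:00", "EventID": 11, "Image": SAMPLE, "TargetFilename": r"C:\Windows\System\wGsnATT.exe"},
    {"t": "2024-06-01T15:46:01", "EventID": 11, "Image": SAMPLE, "TargetFilename": r"C:\Windows\System\dTpskZN.exe"},
    {"t": "2024-06-01T15:46:02", "EventID": 11, "Image": SAMPLE, "TargetFilename": r"C:\Windows\System\ITzkBuF.exe"},
    {"t": "2024-06-01T15:46:03", "EventID": 1, "Image": r"C:\Windows\System\dTpskZN.exe", "ParentImage": SAMPLE,
     "ProcessId": 324, "ParentProcessId": 2180},
    {"t": "2024-06-01T15:46:04", "EventID": 4703, "ProcessName": SAMPLE, "EnabledPrivilegeList": "SeLockMemoryPrivilege"},
    {"t": "2024-06-01T15:46:05", "EventID": 4703, "EnabledPrivilegeList": "SeLockMemoryPrivilege",
     "ProcessName": r"C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe"},
    {"t": "2024-06-01T15:46:06", "EventID": 11, "Image": r"C:\Windows\System32\msiexec.exe",
     "TargetFilename": r"C:\Windows\System32\setup.tmp"},
    {"t": "2024-06-01T15:46:07", "EventID": 3, "Image": SAMPLE, "DestinationIp": "3.120.209.58", "DestinationPort": 8080},
]


def detect(events):
    """Return (rule, subject) pairs in timestamp order."""
    alerts = []
    recent_drops = defaultdict(list)            # dropping image -> drop timestamps inside the window
    for e in sorted(events, key=lambda ev: ev["t"]):
        ts = datetime.fromisoformat(e["t"])
        eid = e["EventID"]
        if eid == 11 and DROPPED_NAME.match(e["TargetFilename"]):
            hits = [t for t in recent_drops[e["Image"]] if ts - t <= DROP_WINDOW] + [ts]
            recent_drops[e["Image"]] = hits
            if len(hits) == DROP_THRESHOLD:     # fire as the threshold is crossed, not on every later drop
                alerts.append(("mass_drop_windows_system", e["Image"]))
        elif eid == 1 and DROPPED_NAME.match(e["Image"]) and TEMP_DIR.match(e["ParentImage"]):
            alerts.append(("temp_parent_spawns_windows_system_exe", e["Image"]))
        elif (eid == 4703 and "SeLockMemoryPrivilege" in e["EnabledPrivilegeList"].split()
              and e["ProcessName"].lower() not in LARGE_PAGE_ALLOWLIST):
            alerts.append(("lock_memory_privilege_unexpected_process", e["ProcessName"]))
        elif eid == 3 and (e["DestinationIp"], e["DestinationPort"]) in KNOWN_C2:
            alerts.append(("known_c2_endpoint", f'{e["DestinationIp"]}:{e["DestinationPort"]}'))
    return alerts


if __name__ == "__main__":
    for rule, subject in detect(EVENTS):
        print(f"{rule:45s} {subject}")
```

The privilege check is deliberately allowlist-based: on a host where nothing is expected to hold "Lock pages in memory" the allowlist can be empty, while a database server needs its service binary listed or the rule will page on every restart.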

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-01_2f62a0cbd6a2e34d702fd98d5f39c2e3_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-01_2f62a0cbd6a2e34d702fd98d5f39c2e3_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\dTpskZN.exe

C:\Windows\System\dTpskZN.exe

C:\Windows\System\ZXMfZpu.exe

C:\Windows\System\ZXMfZpu.exe

C:\Windows\System\JlrTebm.exe

C:\Windows\System\JlrTebm.exe

C:\Windows\System\yHlKGdh.exe

C:\Windows\System\yHlKGdh.exe

C:\Windows\System\ITzkBuF.exe

C:\Windows\System\ITzkBuF.exe

C:\Windows\System\ekDwZVE.exe

C:\Windows\System\ekDwZVE.exe

C:\Windows\System\AbKeNWG.exe

C:\Windows\System\AbKeNWG.exe

C:\Windows\System\vDzQnNE.exe

C:\Windows\System\vDzQnNE.exe

C:\Windows\System\amqItfy.exe

C:\Windows\System\amqItfy.exe

C:\Windows\System\CXchmCe.exe

C:\Windows\System\CXchmCe.exe

C:\Windows\System\EytSYpV.exe

C:\Windows\System\EytSYpV.exe

C:\Windows\System\DpZpLjk.exe

C:\Windows\System\DpZpLjk.exe

C:\Windows\System\FEXpPGa.exe

C:\Windows\System\FEXpPGa.exe

C:\Windows\System\JUTPhdj.exe

C:\Windows\System\JUTPhdj.exe

C:\Windows\System\exouqCV.exe

C:\Windows\System\exouqCV.exe

C:\Windows\System\UziJOyJ.exe

C:\Windows\System\UziJOyJ.exe

C:\Windows\System\wGsnATT.exe

C:\Windows\System\wGsnATT.exe

C:\Windows\System\WzOamGD.exe

C:\Windows\System\WzOamGD.exe

C:\Windows\System\dvOqknK.exe

C:\Windows\System\dvOqknK.exe

C:\Windows\System\KeQinmw.exe

C:\Windows\System\KeQinmw.exe

C:\Windows\System\BzTZTPz.exe

C:\Windows\System\BzTZTPz.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 tcp
(6 connections to this endpoint recorded during the run; no domain resolved)

Files

memory/2180-114-0x0000000002370000-0x00000000026C4000-memory.dmp

\Windows\system\KeQinmw.exe

MD5 9bd07cc9963f1d3b1662affa62f12464
SHA1 26de346589f72a9169df5fb17e038e68d6b24ee7
SHA256 89cc97b16320f785394ef5de4c6c9c4b06b640cb23a1a28c153b8add57f325cb
SHA512 2fb0cbed06707b334cdcc821ff72e86a1241388a142843619d49a5fd9480a438a1ece7c6c5c86564ed06212ac0064de4c8a3f83af394d6e5b3b2c40c7dab64bc

\Windows\system\WzOamGD.exe

MD5 8a3a7eac656e7177b270113d7d692f98
SHA1 ec58106c7690c4e3325f42f379a7b867623f74a8
SHA256 fc622b04c05820dac7cf772a210af030752eda2506d65903bc0fca19b74ce360
SHA512 ac6115ff100163bc791d747aeefdb025a026f3780e2397962c9f37796236491952189c853d1110ddc65bded13f352f17ed0a01e1510e709d54095318e87b063c

memory/2992-95-0x000000013F9A0000-0x000000013FCF4000-memory.dmp

memory/2180-94-0x0000000002370000-0x00000000026C4000-memory.dmp

\Windows\system\UziJOyJ.exe

MD5 cb1f1b052ad8263172da46dac27d9d2f
SHA1 b4ecbe6e6c85c2ff8f363f4cf7af5e009e00ac50
SHA256 b0709f2f228cbba5b450c55547daad3b55f36a2aba4b737bd493f860f5a3c1fb
SHA512 01226ef9262f0ad5705f2f4406e78703ba1f4e265a95fe7343d89bd7952fe9e4efb9f56ead3647165e39fbc61b5d6354a0e6b370706553cac55358120ae4c280

memory/2180-84-0x000000013F9A0000-0x000000013FCF4000-memory.dmp

memory/2180-135-0x000000013F470000-0x000000013F7C4000-memory.dmp

\Windows\system\JUTPhdj.exe

MD5 4b99ed879e5b7e2b721ce99c015ba243
SHA1 3a136a160b9d6b5108e13528861470aaaf08a8cc
SHA256 983c73b71c988200f239ac173aa11c2ab3ef22722f36ce0718ef926fb4a52e87
SHA512 2de3bb3d013179ce4aaafe310dead9b464577d6817113bfba53ee1f35b88779ed3662cc9ab5f5a34177f8f310a0ca85ede34486e98130dc82f7c85307c068f5d

C:\Windows\system\CXchmCe.exe

MD5 be53e99e19e66d39d3c36f41aa3fec60
SHA1 302425bc50b4e87dae4d8c7406b781638dfcec7b
SHA256 51325830205c2ee0edbce89ef2d57d84dc90d9180d5b30270c20d9bbc587af71
SHA512 a16f4216f9898bef4f12dc7a5afa957ec495575bbf316f9acc6f7861c52c92a5f04d9ee627398f997ca7430c9b4bbb7d4a1cefcb667545821ddc64e32b7712a3

\Windows\system\DpZpLjk.exe

MD5 8c23816eb9b303e305b9552626838883
SHA1 dbaa4e9a0eed60c87c007fcc98bc77a63d2282f5
SHA256 a5a365948750a5991dbbfee8c66a4a5c938f66386b82120730604d3550ec9e8d
SHA512 018330433fd957de02602947765d85992abdeac8c29ff54023643f048b3bf1eba1e3542798185ade7c09b226be34cc6d974e8340e4ec31d6803981e070d909b4

memory/588-62-0x000000013F3C0000-0x000000013F714000-memory.dmp

memory/2180-121-0x0000000002370000-0x00000000026C4000-memory.dmp

memory/2688-120-0x000000013FAF0000-0x000000013FE44000-memory.dmp

memory/2180-51-0x0000000002370000-0x00000000026C4000-memory.dmp

memory/324-136-0x000000013FDB0000-0x0000000140104000-memory.dmp

\Windows\system\vDzQnNE.exe

MD5 c62d1d62d1f0af8cdba6ac8db785dcd3
SHA1 02e041565c734da50a6635b8a91ad004a70e96df
SHA256 5b6fdc09008ec4305717aac1d4a8ae2d30c99b1a2624ab5c73b88e2492aeeef3
SHA512 8b4e27dc1db6b0c0a1758856231bd9b197e4890398a8cabd0ef52fe4c21e8b5710c144f7c557527fa3d783d15979f1b10cfeade32f3abbc0064979bee9160b0e

memory/2180-119-0x000000013FAF0000-0x000000013FE44000-memory.dmp

memory/2180-118-0x000000013F830000-0x000000013FB84000-memory.dmp

C:\Windows\system\BzTZTPz.exe

MD5 af23d849611468cffac4b073fa876298
SHA1 e1fb6b2c12c206a95386f6546974ebcaeec0b157
SHA256 a8bc4c9e997836b2da649a8f6912412fda54c0cf10bb127f879f2050b1a96482
SHA512 844faa7f4a5872c09ff9cb05914db9338d88559e0fa993bcf3a6b3bb0a88ea7f9b2de4711bc874b53a87c53f7d559427a9889a690e3d0f21d4d77a330a21c554

memory/2180-110-0x000000013FDF0000-0x0000000140144000-memory.dmp

C:\Windows\system\dvOqknK.exe

MD5 0734ec3e4b2b7e970c132ec475734c14
SHA1 99348a6d85b832b7cde7cd39510cffbad9976950
SHA256 c6be7df3679765c2cddf03fb102dbdd9179c58bb5955a846360ea713420ffb13
SHA512 2b589cb51b25f4e14315d2df33565fb36ca9299e13b6c251c55fda934ee97006401399ec61a8e4e84413206befb06d9b16a399f7f0288dc7d39112f51f74c9d6

memory/2520-102-0x000000013F370000-0x000000013F6C4000-memory.dmp

C:\Windows\system\wGsnATT.exe

MD5 793906678ea48968fc7bcb0a49285aad
SHA1 1ce3bdc039fb880757a3156e3237995d7e430e33
SHA256 f0031a36c4b2a00b39fba7710db387ad82b67ce1c4a919b8efdc9f8b00e68eb0
SHA512 1195ba5b2377749d5ed05c9a3f433c680e5108eae2f432e2fcece6c0e2fb14f5d76a115d50f64e258ab6e986f0dccb14d9e85f8956132025929dcd4f1e354bae

memory/2180-99-0x0000000002370000-0x00000000026C4000-memory.dmp

memory/900-90-0x000000013F640000-0x000000013F994000-memory.dmp

C:\Windows\system\exouqCV.exe

MD5 cea930affc3e29a27cd156d77909ca9d
SHA1 1692b073ba12015effecd9b4271dbfdb4b5b56fe
SHA256 227e3785d1868463194ea1cf6e1a282aaf7ca79f714c947b0cb771e0e82dfdbc
SHA512 b80c46dad9346ba8e1484225bbee43292437eb72b49bd0e4a1b3d1fa256bcbcc2e2aaa75b54db35fdcba308664e14302766916f60242cfc0bb5bf90e721d7d4e

memory/2640-88-0x000000013F140000-0x000000013F494000-memory.dmp


Analysis: behavioral2

Detonation Overview

Submitted

2024-06-01 15:45

Reported

2024-06-01 15:48

Platform

win10v2004-20240426-en

Max time kernel

142s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-01_2f62a0cbd6a2e34d702fd98d5f39c2e3_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\amNBlCa.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_2f62a0cbd6a2e34d702fd98d5f39c2e3_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\DOdGfBt.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_2f62a0cbd6a2e34d702fd98d5f39c2e3_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\gFmwepo.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_2f62a0cbd6a2e34d702fd98d5f39c2e3_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\vljErqr.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_2f62a0cbd6a2e34d702fd98d5f39c2e3_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\atIoMRj.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_2f62a0cbd6a2e34d702fd98d5f39c2e3_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\QzzzlBn.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_2f62a0cbd6a2e34d702fd98d5f39c2e3_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ssCpgNK.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_2f62a0cbd6a2e34d702fd98d5f39c2e3_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\UTZILws.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_2f62a0cbd6a2e34d702fd98d5f39c2e3_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\qFTCLMb.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_2f62a0cbd6a2e34d702fd98d5f39c2e3_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ZDsaepx.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_2f62a0cbd6a2e34d702fd98d5f39c2e3_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\FoTfXGF.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_2f62a0cbd6a2e34d702fd98d5f39c2e3_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\cwNUqLi.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_2f62a0cbd6a2e34d702fd98d5f39c2e3_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\gCqlNFw.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_2f62a0cbd6a2e34d702fd98d5f39c2e3_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\fZEEnnl.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_2f62a0cbd6a2e34d702fd98d5f39c2e3_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\qyNCVox.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_2f62a0cbd6a2e34d702fd98d5f39c2e3_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\LbtFzXG.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_2f62a0cbd6a2e34d702fd98d5f39c2e3_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\jOOduUl.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_2f62a0cbd6a2e34d702fd98d5f39c2e3_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\arUESyV.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_2f62a0cbd6a2e34d702fd98d5f39c2e3_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\qwLRlyB.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_2f62a0cbd6a2e34d702fd98d5f39c2e3_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\zvzdvAo.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_2f62a0cbd6a2e34d702fd98d5f39c2e3_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\gONlbyN.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_2f62a0cbd6a2e34d702fd98d5f39c2e3_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_2f62a0cbd6a2e34d702fd98d5f39c2e3_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2348 wrote to memory of 264 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_2f62a0cbd6a2e34d702fd98d5f39c2e3_cobalt-strike_cobaltstrike.exe C:\Windows\System\arUESyV.exe
PID 2348 wrote to memory of 4920 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_2f62a0cbd6a2e34d702fd98d5f39c2e3_cobalt-strike_cobaltstrike.exe C:\Windows\System\FoTfXGF.exe
PID 2348 wrote to memory of 4624 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_2f62a0cbd6a2e34d702fd98d5f39c2e3_cobalt-strike_cobaltstrike.exe C:\Windows\System\atIoMRj.exe
PID 2348 wrote to memory of 1472 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_2f62a0cbd6a2e34d702fd98d5f39c2e3_cobalt-strike_cobaltstrike.exe C:\Windows\System\QzzzlBn.exe
PID 2348 wrote to memory of 3416 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_2f62a0cbd6a2e34d702fd98d5f39c2e3_cobalt-strike_cobaltstrike.exe C:\Windows\System\ssCpgNK.exe
PID 2348 wrote to memory of 4528 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_2f62a0cbd6a2e34d702fd98d5f39c2e3_cobalt-strike_cobaltstrike.exe C:\Windows\System\UTZILws.exe
PID 2348 wrote to memory of 3388 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_2f62a0cbd6a2e34d702fd98d5f39c2e3_cobalt-strike_cobaltstrike.exe C:\Windows\System\qyNCVox.exe
PID 2348 wrote to memory of 932 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_2f62a0cbd6a2e34d702fd98d5f39c2e3_cobalt-strike_cobaltstrike.exe C:\Windows\System\cwNUqLi.exe
PID 2348 wrote to memory of 4544 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_2f62a0cbd6a2e34d702fd98d5f39c2e3_cobalt-strike_cobaltstrike.exe C:\Windows\System\gCqlNFw.exe
PID 2348 wrote to memory of 3936 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_2f62a0cbd6a2e34d702fd98d5f39c2e3_cobalt-strike_cobaltstrike.exe C:\Windows\System\qwLRlyB.exe
PID 2348 wrote to memory of 4852 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_2f62a0cbd6a2e34d702fd98d5f39c2e3_cobalt-strike_cobaltstrike.exe C:\Windows\System\amNBlCa.exe
PID 2348 wrote to memory of 4340 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_2f62a0cbd6a2e34d702fd98d5f39c2e3_cobalt-strike_cobaltstrike.exe C:\Windows\System\DOdGfBt.exe
PID 2348 wrote to memory of 3964 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_2f62a0cbd6a2e34d702fd98d5f39c2e3_cobalt-strike_cobaltstrike.exe C:\Windows\System\zvzdvAo.exe
PID 2348 wrote to memory of 5024 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_2f62a0cbd6a2e34d702fd98d5f39c2e3_cobalt-strike_cobaltstrike.exe C:\Windows\System\gONlbyN.exe
PID 2348 wrote to memory of 4792 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_2f62a0cbd6a2e34d702fd98d5f39c2e3_cobalt-strike_cobaltstrike.exe C:\Windows\System\fZEEnnl.exe
PID 2348 wrote to memory of 1560 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_2f62a0cbd6a2e34d702fd98d5f39c2e3_cobalt-strike_cobaltstrike.exe C:\Windows\System\LbtFzXG.exe
PID 2348 wrote to memory of 4080 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_2f62a0cbd6a2e34d702fd98d5f39c2e3_cobalt-strike_cobaltstrike.exe C:\Windows\System\gFmwepo.exe
PID 2348 wrote to memory of 4628 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_2f62a0cbd6a2e34d702fd98d5f39c2e3_cobalt-strike_cobaltstrike.exe C:\Windows\System\ZDsaepx.exe
PID 2348 wrote to memory of 5020 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_2f62a0cbd6a2e34d702fd98d5f39c2e3_cobalt-strike_cobaltstrike.exe C:\Windows\System\jOOduUl.exe
PID 2348 wrote to memory of 4556 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_2f62a0cbd6a2e34d702fd98d5f39c2e3_cobalt-strike_cobaltstrike.exe C:\Windows\System\vljErqr.exe
PID 2348 wrote to memory of 4168 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_2f62a0cbd6a2e34d702fd98d5f39c2e3_cobalt-strike_cobaltstrike.exe C:\Windows\System\qFTCLMb.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-01_2f62a0cbd6a2e34d702fd98d5f39c2e3_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-01_2f62a0cbd6a2e34d702fd98d5f39c2e3_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\arUESyV.exe

C:\Windows\System\arUESyV.exe

C:\Windows\System\FoTfXGF.exe

C:\Windows\System\FoTfXGF.exe

C:\Windows\System\atIoMRj.exe

C:\Windows\System\atIoMRj.exe

C:\Windows\System\QzzzlBn.exe

C:\Windows\System\QzzzlBn.exe

C:\Windows\System\ssCpgNK.exe

C:\Windows\System\ssCpgNK.exe

C:\Windows\System\UTZILws.exe

C:\Windows\System\UTZILws.exe

C:\Windows\System\qyNCVox.exe

C:\Windows\System\qyNCVox.exe

C:\Windows\System\cwNUqLi.exe

C:\Windows\System\cwNUqLi.exe

C:\Windows\System\gCqlNFw.exe

C:\Windows\System\gCqlNFw.exe

C:\Windows\System\qwLRlyB.exe

C:\Windows\System\qwLRlyB.exe

C:\Windows\System\amNBlCa.exe

C:\Windows\System\amNBlCa.exe

C:\Windows\System\DOdGfBt.exe

C:\Windows\System\DOdGfBt.exe

C:\Windows\System\zvzdvAo.exe

C:\Windows\System\zvzdvAo.exe

C:\Windows\System\gONlbyN.exe

C:\Windows\System\gONlbyN.exe

C:\Windows\System\fZEEnnl.exe

C:\Windows\System\fZEEnnl.exe

C:\Windows\System\LbtFzXG.exe

C:\Windows\System\LbtFzXG.exe

C:\Windows\System\gFmwepo.exe

C:\Windows\System\gFmwepo.exe

C:\Windows\System\ZDsaepx.exe

C:\Windows\System\ZDsaepx.exe

C:\Windows\System\jOOduUl.exe

C:\Windows\System\jOOduUl.exe

C:\Windows\System\vljErqr.exe

C:\Windows\System\vljErqr.exe

C:\Windows\System\qFTCLMb.exe

C:\Windows\System\qFTCLMb.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 80.90.14.23.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 98.58.20.217.in-addr.arpa udp
US 8.8.8.8:53 145.83.221.88.in-addr.arpa udp

Files
