Malware Analysis Report

2025-01-22 19:48

Sample ID 240601-swjd7afe7x
Target 2024-06-01_13c6aff69708e5a44d288fa7c7ee3b2f_cobalt-strike_cobaltstrike
SHA256 95cf25245f009a8c117398e0859834470d605b4af51330a40636e6fc6c1e5cbd
Tags
miner upx 0 xmrig cobaltstrike backdoor trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

95cf25245f009a8c117398e0859834470d605b4af51330a40636e6fc6c1e5cbd

Threat Level: Known bad

The file 2024-06-01_13c6aff69708e5a44d288fa7c7ee3b2f_cobalt-strike_cobaltstrike was found to be: Known bad.

Malicious Activity Summary

miner upx 0 xmrig cobaltstrike backdoor trojan

Cobalt Strike reflective loader

Detects Reflective DLL injection artifacts

XMRig Miner payload

UPX dump on OEP (original entry point)

Cobaltstrike family

xmrig

Cobaltstrike

Xmrig family

XMRig Miner payload

UPX dump on OEP (original entry point)

Detects Reflective DLL injection artifacts

Executes dropped EXE

Loads dropped DLL

UPX packed file

Drops file in Windows directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-01 15:28

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike family

cobaltstrike

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Xmrig family

xmrig

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-01 15:28

Reported

2024-06-01 15:31

Platform

win7-20240419-en

Max time kernel

139s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-01_13c6aff69708e5a44d288fa7c7ee3b2f_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A (21 identical rows; the sandbox recorded no description, indicator, process or target for any hit)

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A (21 identical rows; no details recorded for any hit)

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A (57 identical rows; no details recorded for any hit)

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A (62 identical rows; no details recorded for any hit)

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_13c6aff69708e5a44d288fa7c7ee3b2f_cobalt-strike_cobaltstrike.exe N/A (21 identical rows; every load is attributed to the submitted sample process)

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A (57 identical rows; no details recorded for any hit)

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\clHEfmY.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_13c6aff69708e5a44d288fa7c7ee3b2f_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\BlNvhJx.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_13c6aff69708e5a44d288fa7c7ee3b2f_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\xPCPzqk.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_13c6aff69708e5a44d288fa7c7ee3b2f_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\vltOpvD.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_13c6aff69708e5a44d288fa7c7ee3b2f_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\pKUyFzb.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_13c6aff69708e5a44d288fa7c7ee3b2f_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\zqhdbcT.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_13c6aff69708e5a44d288fa7c7ee3b2f_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\OfVpXLW.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_13c6aff69708e5a44d288fa7c7ee3b2f_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\tdGAEuu.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_13c6aff69708e5a44d288fa7c7ee3b2f_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\JCDCXtK.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_13c6aff69708e5a44d288fa7c7ee3b2f_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\kFKibAA.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_13c6aff69708e5a44d288fa7c7ee3b2f_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\noUxRol.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_13c6aff69708e5a44d288fa7c7ee3b2f_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\aInmIpq.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_13c6aff69708e5a44d288fa7c7ee3b2f_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\DEwYJML.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_13c6aff69708e5a44d288fa7c7ee3b2f_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\eGjncAV.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_13c6aff69708e5a44d288fa7c7ee3b2f_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ALmUNDC.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_13c6aff69708e5a44d288fa7c7ee3b2f_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\eUyqfEf.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_13c6aff69708e5a44d288fa7c7ee3b2f_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\FGrdlcs.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_13c6aff69708e5a44d288fa7c7ee3b2f_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\AAfEPjp.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_13c6aff69708e5a44d288fa7c7ee3b2f_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\lBMtPcq.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_13c6aff69708e5a44d288fa7c7ee3b2f_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\qXsXEHG.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_13c6aff69708e5a44d288fa7c7ee3b2f_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\IRRMABN.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_13c6aff69708e5a44d288fa7c7ee3b2f_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_13c6aff69708e5a44d288fa7c7ee3b2f_cobalt-strike_cobaltstrike.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_13c6aff69708e5a44d288fa7c7ee3b2f_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3000 wrote to memory of 1808 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_13c6aff69708e5a44d288fa7c7ee3b2f_cobalt-strike_cobaltstrike.exe C:\Windows\System\ALmUNDC.exe
PID 3000 wrote to memory of 1808 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_13c6aff69708e5a44d288fa7c7ee3b2f_cobalt-strike_cobaltstrike.exe C:\Windows\System\ALmUNDC.exe
PID 3000 wrote to memory of 1808 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_13c6aff69708e5a44d288fa7c7ee3b2f_cobalt-strike_cobaltstrike.exe C:\Windows\System\ALmUNDC.exe
PID 3000 wrote to memory of 2848 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_13c6aff69708e5a44d288fa7c7ee3b2f_cobalt-strike_cobaltstrike.exe C:\Windows\System\eUyqfEf.exe
PID 3000 wrote to memory of 2848 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_13c6aff69708e5a44d288fa7c7ee3b2f_cobalt-strike_cobaltstrike.exe C:\Windows\System\eUyqfEf.exe
PID 3000 wrote to memory of 2848 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_13c6aff69708e5a44d288fa7c7ee3b2f_cobalt-strike_cobaltstrike.exe C:\Windows\System\eUyqfEf.exe
PID 3000 wrote to memory of 2632 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_13c6aff69708e5a44d288fa7c7ee3b2f_cobalt-strike_cobaltstrike.exe C:\Windows\System\FGrdlcs.exe
PID 3000 wrote to memory of 2632 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_13c6aff69708e5a44d288fa7c7ee3b2f_cobalt-strike_cobaltstrike.exe C:\Windows\System\FGrdlcs.exe
PID 3000 wrote to memory of 2632 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_13c6aff69708e5a44d288fa7c7ee3b2f_cobalt-strike_cobaltstrike.exe C:\Windows\System\FGrdlcs.exe
PID 3000 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_13c6aff69708e5a44d288fa7c7ee3b2f_cobalt-strike_cobaltstrike.exe C:\Windows\System\kFKibAA.exe
PID 3000 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_13c6aff69708e5a44d288fa7c7ee3b2f_cobalt-strike_cobaltstrike.exe C:\Windows\System\kFKibAA.exe
PID 3000 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_13c6aff69708e5a44d288fa7c7ee3b2f_cobalt-strike_cobaltstrike.exe C:\Windows\System\kFKibAA.exe
PID 3000 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_13c6aff69708e5a44d288fa7c7ee3b2f_cobalt-strike_cobaltstrike.exe C:\Windows\System\DEwYJML.exe
PID 3000 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_13c6aff69708e5a44d288fa7c7ee3b2f_cobalt-strike_cobaltstrike.exe C:\Windows\System\DEwYJML.exe
PID 3000 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_13c6aff69708e5a44d288fa7c7ee3b2f_cobalt-strike_cobaltstrike.exe C:\Windows\System\DEwYJML.exe
PID 3000 wrote to memory of 1796 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_13c6aff69708e5a44d288fa7c7ee3b2f_cobalt-strike_cobaltstrike.exe C:\Windows\System\lBMtPcq.exe
PID 3000 wrote to memory of 1796 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_13c6aff69708e5a44d288fa7c7ee3b2f_cobalt-strike_cobaltstrike.exe C:\Windows\System\lBMtPcq.exe
PID 3000 wrote to memory of 1796 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_13c6aff69708e5a44d288fa7c7ee3b2f_cobalt-strike_cobaltstrike.exe C:\Windows\System\lBMtPcq.exe
PID 3000 wrote to memory of 2828 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_13c6aff69708e5a44d288fa7c7ee3b2f_cobalt-strike_cobaltstrike.exe C:\Windows\System\xPCPzqk.exe
PID 3000 wrote to memory of 2828 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_13c6aff69708e5a44d288fa7c7ee3b2f_cobalt-strike_cobaltstrike.exe C:\Windows\System\xPCPzqk.exe
PID 3000 wrote to memory of 2828 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_13c6aff69708e5a44d288fa7c7ee3b2f_cobalt-strike_cobaltstrike.exe C:\Windows\System\xPCPzqk.exe
PID 3000 wrote to memory of 1028 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_13c6aff69708e5a44d288fa7c7ee3b2f_cobalt-strike_cobaltstrike.exe C:\Windows\System\noUxRol.exe
PID 3000 wrote to memory of 1028 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_13c6aff69708e5a44d288fa7c7ee3b2f_cobalt-strike_cobaltstrike.exe C:\Windows\System\noUxRol.exe
PID 3000 wrote to memory of 1028 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_13c6aff69708e5a44d288fa7c7ee3b2f_cobalt-strike_cobaltstrike.exe C:\Windows\System\noUxRol.exe
PID 3000 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_13c6aff69708e5a44d288fa7c7ee3b2f_cobalt-strike_cobaltstrike.exe C:\Windows\System\aInmIpq.exe
PID 3000 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_13c6aff69708e5a44d288fa7c7ee3b2f_cobalt-strike_cobaltstrike.exe C:\Windows\System\aInmIpq.exe
PID 3000 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_13c6aff69708e5a44d288fa7c7ee3b2f_cobalt-strike_cobaltstrike.exe C:\Windows\System\aInmIpq.exe
PID 3000 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_13c6aff69708e5a44d288fa7c7ee3b2f_cobalt-strike_cobaltstrike.exe C:\Windows\System\qXsXEHG.exe
PID 3000 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_13c6aff69708e5a44d288fa7c7ee3b2f_cobalt-strike_cobaltstrike.exe C:\Windows\System\qXsXEHG.exe
PID 3000 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_13c6aff69708e5a44d288fa7c7ee3b2f_cobalt-strike_cobaltstrike.exe C:\Windows\System\qXsXEHG.exe
PID 3000 wrote to memory of 2540 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_13c6aff69708e5a44d288fa7c7ee3b2f_cobalt-strike_cobaltstrike.exe C:\Windows\System\zqhdbcT.exe
PID 3000 wrote to memory of 2540 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_13c6aff69708e5a44d288fa7c7ee3b2f_cobalt-strike_cobaltstrike.exe C:\Windows\System\zqhdbcT.exe
PID 3000 wrote to memory of 2540 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_13c6aff69708e5a44d288fa7c7ee3b2f_cobalt-strike_cobaltstrike.exe C:\Windows\System\zqhdbcT.exe
PID 3000 wrote to memory of 2864 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_13c6aff69708e5a44d288fa7c7ee3b2f_cobalt-strike_cobaltstrike.exe C:\Windows\System\IRRMABN.exe
PID 3000 wrote to memory of 2864 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_13c6aff69708e5a44d288fa7c7ee3b2f_cobalt-strike_cobaltstrike.exe C:\Windows\System\IRRMABN.exe
PID 3000 wrote to memory of 2864 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_13c6aff69708e5a44d288fa7c7ee3b2f_cobalt-strike_cobaltstrike.exe C:\Windows\System\IRRMABN.exe
PID 3000 wrote to memory of 2892 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_13c6aff69708e5a44d288fa7c7ee3b2f_cobalt-strike_cobaltstrike.exe C:\Windows\System\eGjncAV.exe
PID 3000 wrote to memory of 2892 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_13c6aff69708e5a44d288fa7c7ee3b2f_cobalt-strike_cobaltstrike.exe C:\Windows\System\eGjncAV.exe
PID 3000 wrote to memory of 2892 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_13c6aff69708e5a44d288fa7c7ee3b2f_cobalt-strike_cobaltstrike.exe C:\Windows\System\eGjncAV.exe
PID 3000 wrote to memory of 2784 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_13c6aff69708e5a44d288fa7c7ee3b2f_cobalt-strike_cobaltstrike.exe C:\Windows\System\OfVpXLW.exe
PID 3000 wrote to memory of 2784 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_13c6aff69708e5a44d288fa7c7ee3b2f_cobalt-strike_cobaltstrike.exe C:\Windows\System\OfVpXLW.exe
PID 3000 wrote to memory of 2784 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_13c6aff69708e5a44d288fa7c7ee3b2f_cobalt-strike_cobaltstrike.exe C:\Windows\System\OfVpXLW.exe
PID 3000 wrote to memory of 1608 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_13c6aff69708e5a44d288fa7c7ee3b2f_cobalt-strike_cobaltstrike.exe C:\Windows\System\AAfEPjp.exe
PID 3000 wrote to memory of 1608 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_13c6aff69708e5a44d288fa7c7ee3b2f_cobalt-strike_cobaltstrike.exe C:\Windows\System\AAfEPjp.exe
PID 3000 wrote to memory of 1608 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_13c6aff69708e5a44d288fa7c7ee3b2f_cobalt-strike_cobaltstrike.exe C:\Windows\System\AAfEPjp.exe
PID 3000 wrote to memory of 1848 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_13c6aff69708e5a44d288fa7c7ee3b2f_cobalt-strike_cobaltstrike.exe C:\Windows\System\tdGAEuu.exe
PID 3000 wrote to memory of 1848 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_13c6aff69708e5a44d288fa7c7ee3b2f_cobalt-strike_cobaltstrike.exe C:\Windows\System\tdGAEuu.exe
PID 3000 wrote to memory of 1848 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_13c6aff69708e5a44d288fa7c7ee3b2f_cobalt-strike_cobaltstrike.exe C:\Windows\System\tdGAEuu.exe
PID 3000 wrote to memory of 624 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_13c6aff69708e5a44d288fa7c7ee3b2f_cobalt-strike_cobaltstrike.exe C:\Windows\System\vltOpvD.exe
PID 3000 wrote to memory of 624 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_13c6aff69708e5a44d288fa7c7ee3b2f_cobalt-strike_cobaltstrike.exe C:\Windows\System\vltOpvD.exe
PID 3000 wrote to memory of 624 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_13c6aff69708e5a44d288fa7c7ee3b2f_cobalt-strike_cobaltstrike.exe C:\Windows\System\vltOpvD.exe
PID 3000 wrote to memory of 1624 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_13c6aff69708e5a44d288fa7c7ee3b2f_cobalt-strike_cobaltstrike.exe C:\Windows\System\pKUyFzb.exe
PID 3000 wrote to memory of 1624 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_13c6aff69708e5a44d288fa7c7ee3b2f_cobalt-strike_cobaltstrike.exe C:\Windows\System\pKUyFzb.exe
PID 3000 wrote to memory of 1624 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_13c6aff69708e5a44d288fa7c7ee3b2f_cobalt-strike_cobaltstrike.exe C:\Windows\System\pKUyFzb.exe
PID 3000 wrote to memory of 1392 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_13c6aff69708e5a44d288fa7c7ee3b2f_cobalt-strike_cobaltstrike.exe C:\Windows\System\clHEfmY.exe
PID 3000 wrote to memory of 1392 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_13c6aff69708e5a44d288fa7c7ee3b2f_cobalt-strike_cobaltstrike.exe C:\Windows\System\clHEfmY.exe
PID 3000 wrote to memory of 1392 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_13c6aff69708e5a44d288fa7c7ee3b2f_cobalt-strike_cobaltstrike.exe C:\Windows\System\clHEfmY.exe
PID 3000 wrote to memory of 2512 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_13c6aff69708e5a44d288fa7c7ee3b2f_cobalt-strike_cobaltstrike.exe C:\Windows\System\BlNvhJx.exe
PID 3000 wrote to memory of 2512 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_13c6aff69708e5a44d288fa7c7ee3b2f_cobalt-strike_cobaltstrike.exe C:\Windows\System\BlNvhJx.exe
PID 3000 wrote to memory of 2512 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_13c6aff69708e5a44d288fa7c7ee3b2f_cobalt-strike_cobaltstrike.exe C:\Windows\System\BlNvhJx.exe
PID 3000 wrote to memory of 2868 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_13c6aff69708e5a44d288fa7c7ee3b2f_cobalt-strike_cobaltstrike.exe C:\Windows\System\JCDCXtK.exe
PID 3000 wrote to memory of 2868 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_13c6aff69708e5a44d288fa7c7ee3b2f_cobalt-strike_cobaltstrike.exe C:\Windows\System\JCDCXtK.exe
PID 3000 wrote to memory of 2868 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_13c6aff69708e5a44d288fa7c7ee3b2f_cobalt-strike_cobaltstrike.exe C:\Windows\System\JCDCXtK.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-01_13c6aff69708e5a44d288fa7c7ee3b2f_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-01_13c6aff69708e5a44d288fa7c7ee3b2f_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\ALmUNDC.exe

C:\Windows\System\ALmUNDC.exe

C:\Windows\System\eUyqfEf.exe

C:\Windows\System\eUyqfEf.exe

C:\Windows\System\FGrdlcs.exe

C:\Windows\System\FGrdlcs.exe

C:\Windows\System\kFKibAA.exe

C:\Windows\System\kFKibAA.exe

C:\Windows\System\DEwYJML.exe

C:\Windows\System\DEwYJML.exe

C:\Windows\System\lBMtPcq.exe

C:\Windows\System\lBMtPcq.exe

C:\Windows\System\xPCPzqk.exe

C:\Windows\System\xPCPzqk.exe

C:\Windows\System\noUxRol.exe

C:\Windows\System\noUxRol.exe

C:\Windows\System\aInmIpq.exe

C:\Windows\System\aInmIpq.exe

C:\Windows\System\qXsXEHG.exe

C:\Windows\System\qXsXEHG.exe

C:\Windows\System\zqhdbcT.exe

C:\Windows\System\zqhdbcT.exe

C:\Windows\System\IRRMABN.exe

C:\Windows\System\IRRMABN.exe

C:\Windows\System\eGjncAV.exe

C:\Windows\System\eGjncAV.exe

C:\Windows\System\OfVpXLW.exe

C:\Windows\System\OfVpXLW.exe

C:\Windows\System\AAfEPjp.exe

C:\Windows\System\AAfEPjp.exe

C:\Windows\System\tdGAEuu.exe

C:\Windows\System\tdGAEuu.exe

C:\Windows\System\vltOpvD.exe

C:\Windows\System\vltOpvD.exe

C:\Windows\System\pKUyFzb.exe

C:\Windows\System\pKUyFzb.exe

C:\Windows\System\clHEfmY.exe

C:\Windows\System\clHEfmY.exe

C:\Windows\System\BlNvhJx.exe

C:\Windows\System\BlNvhJx.exe

C:\Windows\System\JCDCXtK.exe

C:\Windows\System\JCDCXtK.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 tcp (6 identical connection rows)

Files

memory/3000-0-0x000000013F450000-0x000000013F7A4000-memory.dmp

memory/3000-1-0x00000000001F0000-0x0000000000200000-memory.dmp

\Windows\system\ALmUNDC.exe

MD5 95d95f2d19afc4ba790e98f128f0985c
SHA1 dd6b1a2e4b539dfa3a02a2f230cec665f3bbee7e
SHA256 17c74957f46cd9774271c6bd5e4674acb7c5502727cdec92b5e02033959e5c20
SHA512 7dd934718a222bcce308ff498186d735818765553ebe65bdc2e9775620672bec064c3ff64e296fa88c552bf7b432e5480a483eb3787743f67401df5aecb9e07a

memory/1808-8-0x000000013FC80000-0x000000013FFD4000-memory.dmp

\Windows\system\eUyqfEf.exe

MD5 064c3a80abc23401eed863637c76f8aa
SHA1 8ea125f3e421cd0c49a3684b9204d2ffa7b0cc76
SHA256 0cca5f90ea762b8664f776d16f6c2a1db8fba1d8faebface940b471613468771
SHA512 01e0593059d1ad091f32bad40835a4894d27c24c8f7f840fab1a4b8a0cb7081e70e434b452696cd7105cea5eb2ce1df784823126b959bdcd55e704cde4233247

memory/2848-13-0x000000013F0C0000-0x000000013F414000-memory.dmp

C:\Windows\system\FGrdlcs.exe

MD5 e002619c4fa71fc3e07c771c38f5bf7b
SHA1 c34509641fc8f0320ae74c63281e841171d1f2b5
SHA256 b3cf566cdcafbab787f29d562804b7d0e940a8a6ba0b15b0b91d6801de37c603
SHA512 8cf65c9052c2182e22f5213a8c560cfab1a0993bac1f8b0ee03b320ae1ebaf49cea09ba4e9f97e8bb3fd45e6df99da6f750dfb341e02692b2fbdcd50e91b64d5

C:\Windows\system\kFKibAA.exe

MD5 18151fea587948ac50771b70d411d3b1
SHA1 26500eb9fb36608439bf62aea9135af3c2e8cca1
SHA256 aaa659ff5d26ae24ec75ec98e1dfda839e5c9888f07df6e53eb35f472729f000
SHA512 cb6ac3e2ad2d2a92f7bb48b1b81970a0ddc3d650dd4f0f917bb055276e9c95f408f7134229d3c1b8fb4a02955b2d00f214cf00966efb176153001ddfec33bf97

memory/2656-27-0x000000013F440000-0x000000013F794000-memory.dmp

memory/3000-25-0x0000000002220000-0x0000000002574000-memory.dmp

memory/2632-24-0x000000013F260000-0x000000013F5B4000-memory.dmp

memory/2744-34-0x000000013FF30000-0x0000000140284000-memory.dmp

memory/3000-33-0x000000013FF30000-0x0000000140284000-memory.dmp

C:\Windows\system\DEwYJML.exe

MD5 b5b9359861e45e2d2745efdad23f479b
SHA1 5346724a5a856b2dde3ccfefa2f679bae5bec5d9
SHA256 18f2d4e4cb2d617ad43c5853556576202bc14da93b45ce9a06598e89624ca89a
SHA512 5abdd4d5f21d407d1ec14a4167ed862cb1409798f41df2d082d594707c4d219f482b16db36ee360f7332e4302dee875aca896e3f98567ae49332f83959e90fff

memory/3000-19-0x0000000002220000-0x0000000002574000-memory.dmp

C:\Windows\system\lBMtPcq.exe

MD5 2f54ad6f70511e9c0625ba450d909896
SHA1 40ffb501d367454420381527f9a6ab7b3df5f93c
SHA256 b85f7e31f5edb4425e2bf601d75a1f299d83a9b4be64c67d262407583dec7a11
SHA512 14d1b41fcc78fac7326823e4d81edf19884def76d5d4b521223c07db9793f0ae184b90f34101c179cb6aef548f3710181bca642746abf5702b8d5b5c455b2389

memory/3000-41-0x000000013F450000-0x000000013F7A4000-memory.dmp

memory/1796-42-0x000000013F330000-0x000000013F684000-memory.dmp

memory/3000-36-0x0000000002220000-0x0000000002574000-memory.dmp

C:\Windows\system\noUxRol.exe

MD5 5c37f88f7613cb28055b73a8dd27aa3b
SHA1 14e2427cafb6ef53e114570776a71829a6a4501b
SHA256 4156fa849d27e50cbe640c34aa7b70d04732eb3d30e050777a7ae2c196074df3
SHA512 d08c9a829036ecdb47bf79e0148302aebe8840d0e8caa9bbb6b8855b642704a2282aa864cffc7307fc24693cef3701eb3a9f0844ed4c03597c01acb5ffc68dfd

memory/1808-54-0x000000013FC80000-0x000000013FFD4000-memory.dmp

memory/1028-58-0x000000013FE30000-0x0000000140184000-memory.dmp

memory/3000-55-0x000000013FE30000-0x0000000140184000-memory.dmp

memory/2828-48-0x000000013F390000-0x000000013F6E4000-memory.dmp

memory/3000-47-0x000000013FC80000-0x000000013FFD4000-memory.dmp

C:\Windows\system\xPCPzqk.exe

MD5 0d120a88e394547ef46b3a045b122d72
SHA1 a5cc0b47f349395aa54b8a59a7ffe5f17e42fa29
SHA256 a3d5612d22a4f163fac3ca88f27d2e1276d94f87076d7807d5b621e395f16556
SHA512 584cd22cc2537e63fb469a2e06d845197e2c4a9bc360006c9bbdbab0416a322201ab8f8fead6ea0a6ed23586ce67fb8695db1cd45b4c3a11d6b6c4bae6130e99

C:\Windows\system\aInmIpq.exe

MD5 67d25966e4dee8f0b23f9fd1235cd072
SHA1 aad3fa0c9b61b77d0fceaddbfde147473b1f4e41
SHA256 27b0c8790d67e64e16d1cc34d3f229060a50c3deb004e16e11c3e3d24853a2b9
SHA512 fe5cf8269e371fbe4a847209e6e671f7d62acce32cdd18d9668169611b4d7b4965f4a87fef8ddffc7ccb2e463231d07903d5ad0fcb63e6b55524bd7be6e97a67

memory/2604-66-0x000000013F2B0000-0x000000013F604000-memory.dmp

memory/3000-65-0x0000000002220000-0x0000000002574000-memory.dmp

memory/3000-64-0x000000013F0C0000-0x000000013F414000-memory.dmp

C:\Windows\system\qXsXEHG.exe

MD5 4963ea3ee6c33abfcb27b2eff794b829
SHA1 2328baef7a0555f6c20a15155b2c53ee76c33215
SHA256 d97106e5835f9af78b138546ce3b14db8c99ccbafeb4e12265875d9e78a89d5f
SHA512 ad41a3948de58355adb0397fe8913965aea6849c5853328b253d0d91749f33cf6be4090cb44a404454014de7dc6e7aa23c41d432a4538990a3ef41fdcd09c2cb

memory/3000-86-0x000000013F0D0000-0x000000013F424000-memory.dmp

\Windows\system\IRRMABN.exe

MD5 486bbee03b581f60a4b12eccaf73d234
SHA1 34e56df83e3b70bdf72490888af94c7e0510089c
SHA256 723b97e4511be5d9380658af91f6127a22168dc3dd9450311dad2780c3122b1c
SHA512 4bde8ddbed671dea900544c34e679f2f1f76e6a98ac3cc2d6544ab41ce2f0f6cc60c65a242e0abae24cd5ddf229b25e924aee1d7a42ec0b20b58382c5732d2aa

C:\Windows\system\eGjncAV.exe

MD5 345042ddc66a820ee21c83b50affc24f
SHA1 c6db7b5ecc97ada8a3637351dccd3eb83bb641ee
SHA256 2701a1c9a6a95a2c71dab0e6286f4d278d9aebd792a15463f25a1c31560adb38
SHA512 278f10234a4c3344eb6783d0cbb8ccf4605ad43e7278b96b843c3c177fdad0e8eac7a064b7eaff90b61a37999e80eb03c4c64bc7ff26e00a2187cfd694a1024f

memory/2576-87-0x000000013F0D0000-0x000000013F424000-memory.dmp

memory/2892-96-0x000000013FDB0000-0x0000000140104000-memory.dmp

memory/3000-94-0x000000013FDB0000-0x0000000140104000-memory.dmp

memory/3000-93-0x0000000002220000-0x0000000002574000-memory.dmp

memory/3000-92-0x000000013FCB0000-0x0000000140004000-memory.dmp

memory/2864-91-0x000000013F130000-0x000000013F484000-memory.dmp

memory/2540-90-0x000000013FCB0000-0x0000000140004000-memory.dmp

memory/2632-82-0x000000013F260000-0x000000013F5B4000-memory.dmp

memory/2848-76-0x000000013F0C0000-0x000000013F414000-memory.dmp

C:\Windows\system\zqhdbcT.exe

MD5 5c16e676126cdf700786c7abff281df8
SHA1 42bdebee4dbcae20b18cd8beffbb44a0410ae7c9
SHA256 2dadb131c5a3db0addf1d93260e2816fb2b4c8256bae88090676babbce66c68c
SHA512 016fe1f41af889e4bd80da72f081a16ab7e1897ee0315d4818637b639f69cc8c4a568b9e15400e0a2078215cea86175b15f2a49a808a996ee94a901f2893b03a

C:\Windows\system\OfVpXLW.exe

MD5 67468345c2e93cdd8dd479591af7d3a3
SHA1 eed61fe61649b27fa26bb0d1e1ff74c51b3e3f50
SHA256 cda2ea447a4f28f910deeb34a212fc3c36ff3e0ff753f410e7b0c392a534a519
SHA512 23a30fec8c5fe833ee987a2e1a6e361e9c7fc6f54417a1e34dbf52ed12d4d6c96b6cc1c910daa173a5fbdb9e122ab7b5fb151fe49533335df33a93857a1d7482

\Windows\system\BlNvhJx.exe

MD5 058310d529c1acc262c031dbc5e6197a
SHA1 9c183a91e457b25e7dd92579cf23f7d335e9ebe0
SHA256 2ea86784feb7d90fdd74998622c71e87275bb7d438c3e7797f04509f15db3704
SHA512 9857541f61d6d5aeaec4ba15e5763f542d424015352483d0a838ed9cc016fc6f1d5572ed99b94a8a99cc2a4c0173b5b618d0be6c109d4f1b8ccfd6a3e49aff20

\Windows\system\AAfEPjp.exe

MD5 b9d8b854ee7a17fab9e503be708cfa34
SHA1 0a2bb85a26b8e315393ef33b9b30acf78bdbe2ac
SHA256 0420b513f28d390110426f49f7a1cc8cc28d13a15cc71b04cea1b57ab930524b
SHA512 ce5f69544032cb18442fe2c76af39f74c53ccb4e743e2ebb26ed3cd481d1968d4dce311bcea5fd6afc5bf866d87b192822d4e38d8c7156ae89a4d69ea8587d17

\Windows\system\JCDCXtK.exe

MD5 8c3907c68809ac1dcb00d2b0c07f4d4b
SHA1 f8ae79ce75fa8094b9c4dc86536662e9c634f29d
SHA256 8f3305cfb0902f52b4cf9b27c1043f0bf42a90d9d5f773b24e3aed2ba9b34f2b
SHA512 9826c14dff997342f8f3d652f1619d76997a5a325758296d70517413c4c8c58151f1726d1facf7000203308ef2ed98fbd56d00beb38c1c89f045b1620dda1000

memory/3000-137-0x000000013FAD0000-0x000000013FE24000-memory.dmp

C:\Windows\system\clHEfmY.exe

MD5 f0abbc28a8f954787418846c115a5816
SHA1 ab7474ccfa28f38dcddba9d8e658c2fc2d94f426
SHA256 0f0403582a888029370146cb975dc2453792af3d420df76220909c55468df05e
SHA512 843e347e8d03e44779489f27ab48f60ae299a4b04f735f5b7974b30699b477974b4ab3a23a5b41111d11774f9acb39ed2020b0c76a2b5527594c4fe3058db580

C:\Windows\system\pKUyFzb.exe

MD5 b5857b4b45a310f5ed14380fc9360736
SHA1 62a19ea43254bcbf2e410045b92668dc4d1175e8
SHA256 83741f7ac89b7ff316c5ba0d6fceb44efc48a6f81c4ba9d9315105529f45976b
SHA512 8be5a7d92f8e759c2786a5a55fcbcb56719f5729d1c39939ba0acc609f8c645fbf63b78e30f6259a4f1ab6a8fbcfb8920303554b45b80fb2b35e1c83417803f0

C:\Windows\system\vltOpvD.exe

MD5 79b0af8e483c7eb61526acf3bb5e7721
SHA1 f5bc912b8f25790b94f6a8f7b70a7f4cb6b2a713
SHA256 ea5d809e7c7cb26865c0e8f04ca8c4b0c0a572354af52cd455056d751cbff7a8
SHA512 d3118d137972e0597b6545a3080a05b4e9c5087f2272b65de86a00f936ee1241f4fd053ee09ff52b0ae7975b07befb8a1e8b91cf5f607a744f741ebc475d9d9f

memory/3000-128-0x0000000002220000-0x0000000002574000-memory.dmp

memory/2656-123-0x000000013F440000-0x000000013F794000-memory.dmp

C:\Windows\system\tdGAEuu.exe

MD5 fa4352292e39e0f4edbfec83cfd31b2b
SHA1 aebed6021afe9bc36b2fec0e006e2ef37d1951be
SHA256 cc1aad1eb14b42a7ae60c48e128a2b366b68a973b46be23cc99d8badab3746aa
SHA512 26aa1d515cd9cf7b53ad6b0f1ec28e29a36a517d3da58b4f9b28f08c4ec9c3dd0fbe9261e190fa65eb8800d0b9af28aff2f50061c3eb3a78edc360686a9051c8

memory/3000-105-0x000000013FA10000-0x000000013FD64000-memory.dmp

memory/2744-141-0x000000013FF30000-0x0000000140284000-memory.dmp

memory/3000-140-0x000000013FF30000-0x0000000140284000-memory.dmp

memory/3000-142-0x0000000002220000-0x0000000002574000-memory.dmp

memory/2828-143-0x000000013F390000-0x000000013F6E4000-memory.dmp

memory/1028-144-0x000000013FE30000-0x0000000140184000-memory.dmp

memory/3000-145-0x000000013F0D0000-0x000000013F424000-memory.dmp

memory/2864-146-0x000000013F130000-0x000000013F484000-memory.dmp

memory/3000-147-0x000000013FCB0000-0x0000000140004000-memory.dmp

memory/3000-148-0x000000013FA10000-0x000000013FD64000-memory.dmp

memory/1808-149-0x000000013FC80000-0x000000013FFD4000-memory.dmp

memory/2848-150-0x000000013F0C0000-0x000000013F414000-memory.dmp

memory/2632-151-0x000000013F260000-0x000000013F5B4000-memory.dmp

memory/2656-152-0x000000013F440000-0x000000013F794000-memory.dmp

memory/1796-153-0x000000013F330000-0x000000013F684000-memory.dmp

memory/2828-154-0x000000013F390000-0x000000013F6E4000-memory.dmp

memory/2744-156-0x000000013FF30000-0x0000000140284000-memory.dmp

memory/1028-155-0x000000013FE30000-0x0000000140184000-memory.dmp

memory/2604-157-0x000000013F2B0000-0x000000013F604000-memory.dmp

memory/2576-158-0x000000013F0D0000-0x000000013F424000-memory.dmp

memory/2540-159-0x000000013FCB0000-0x0000000140004000-memory.dmp

memory/2892-160-0x000000013FDB0000-0x0000000140104000-memory.dmp

memory/2864-161-0x000000013F130000-0x000000013F484000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-01 15:28

Reported

2024-06-01 15:31

Platform

win10v2004-20240508-en

Max time kernel

143s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-01_13c6aff69708e5a44d288fa7c7ee3b2f_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A (21 hits recorded; the sandbox captured no description, indicator, process or target for any of them)

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A (21 hits recorded; the sandbox captured no description, indicator, process or target for any of them)

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A (64 hits recorded; the sandbox captured no description, indicator, process or target for any of them)

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A (64 hits recorded; the sandbox captured no description, indicator, process or target for any of them)

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A (64 hits recorded; the sandbox captured no description, indicator, process or target for any of them)

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\aInmIpq.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_13c6aff69708e5a44d288fa7c7ee3b2f_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\JCDCXtK.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_13c6aff69708e5a44d288fa7c7ee3b2f_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\lBMtPcq.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_13c6aff69708e5a44d288fa7c7ee3b2f_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\noUxRol.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_13c6aff69708e5a44d288fa7c7ee3b2f_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\qXsXEHG.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_13c6aff69708e5a44d288fa7c7ee3b2f_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\eGjncAV.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_13c6aff69708e5a44d288fa7c7ee3b2f_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\AAfEPjp.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_13c6aff69708e5a44d288fa7c7ee3b2f_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\FGrdlcs.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_13c6aff69708e5a44d288fa7c7ee3b2f_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\kFKibAA.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_13c6aff69708e5a44d288fa7c7ee3b2f_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\DEwYJML.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_13c6aff69708e5a44d288fa7c7ee3b2f_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\tdGAEuu.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_13c6aff69708e5a44d288fa7c7ee3b2f_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\IRRMABN.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_13c6aff69708e5a44d288fa7c7ee3b2f_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\clHEfmY.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_13c6aff69708e5a44d288fa7c7ee3b2f_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\zqhdbcT.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_13c6aff69708e5a44d288fa7c7ee3b2f_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\OfVpXLW.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_13c6aff69708e5a44d288fa7c7ee3b2f_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\vltOpvD.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_13c6aff69708e5a44d288fa7c7ee3b2f_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\pKUyFzb.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_13c6aff69708e5a44d288fa7c7ee3b2f_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\BlNvhJx.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_13c6aff69708e5a44d288fa7c7ee3b2f_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ALmUNDC.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_13c6aff69708e5a44d288fa7c7ee3b2f_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\eUyqfEf.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_13c6aff69708e5a44d288fa7c7ee3b2f_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\xPCPzqk.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_13c6aff69708e5a44d288fa7c7ee3b2f_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_13c6aff69708e5a44d288fa7c7ee3b2f_cobalt-strike_cobaltstrike.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_13c6aff69708e5a44d288fa7c7ee3b2f_cobalt-strike_cobaltstrike.exe N/A

SeLockMemoryPrivilege lets a process lock pages in physical memory and is what Windows requires for large-page allocations. XMRig enables it to back its RandomX dataset with large pages, so this token adjustment by the parent process is consistent with the XMRig signature above rather than with a Cobalt Strike beacon, which does not need it.

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 116 wrote to memory of 4392 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_13c6aff69708e5a44d288fa7c7ee3b2f_cobalt-strike_cobaltstrike.exe C:\Windows\System\ALmUNDC.exe
PID 116 wrote to memory of 4392 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_13c6aff69708e5a44d288fa7c7ee3b2f_cobalt-strike_cobaltstrike.exe C:\Windows\System\ALmUNDC.exe
PID 116 wrote to memory of 1660 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_13c6aff69708e5a44d288fa7c7ee3b2f_cobalt-strike_cobaltstrike.exe C:\Windows\System\eUyqfEf.exe
PID 116 wrote to memory of 1660 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_13c6aff69708e5a44d288fa7c7ee3b2f_cobalt-strike_cobaltstrike.exe C:\Windows\System\eUyqfEf.exe
PID 116 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_13c6aff69708e5a44d288fa7c7ee3b2f_cobalt-strike_cobaltstrike.exe C:\Windows\System\FGrdlcs.exe
PID 116 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_13c6aff69708e5a44d288fa7c7ee3b2f_cobalt-strike_cobaltstrike.exe C:\Windows\System\FGrdlcs.exe
PID 116 wrote to memory of 2004 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_13c6aff69708e5a44d288fa7c7ee3b2f_cobalt-strike_cobaltstrike.exe C:\Windows\System\kFKibAA.exe
PID 116 wrote to memory of 2004 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_13c6aff69708e5a44d288fa7c7ee3b2f_cobalt-strike_cobaltstrike.exe C:\Windows\System\kFKibAA.exe
PID 116 wrote to memory of 3124 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_13c6aff69708e5a44d288fa7c7ee3b2f_cobalt-strike_cobaltstrike.exe C:\Windows\System\DEwYJML.exe
PID 116 wrote to memory of 3124 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_13c6aff69708e5a44d288fa7c7ee3b2f_cobalt-strike_cobaltstrike.exe C:\Windows\System\DEwYJML.exe
PID 116 wrote to memory of 2508 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_13c6aff69708e5a44d288fa7c7ee3b2f_cobalt-strike_cobaltstrike.exe C:\Windows\System\lBMtPcq.exe
PID 116 wrote to memory of 2508 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_13c6aff69708e5a44d288fa7c7ee3b2f_cobalt-strike_cobaltstrike.exe C:\Windows\System\lBMtPcq.exe
PID 116 wrote to memory of 5020 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_13c6aff69708e5a44d288fa7c7ee3b2f_cobalt-strike_cobaltstrike.exe C:\Windows\System\xPCPzqk.exe
PID 116 wrote to memory of 5020 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_13c6aff69708e5a44d288fa7c7ee3b2f_cobalt-strike_cobaltstrike.exe C:\Windows\System\xPCPzqk.exe
PID 116 wrote to memory of 1288 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_13c6aff69708e5a44d288fa7c7ee3b2f_cobalt-strike_cobaltstrike.exe C:\Windows\System\noUxRol.exe
PID 116 wrote to memory of 1288 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_13c6aff69708e5a44d288fa7c7ee3b2f_cobalt-strike_cobaltstrike.exe C:\Windows\System\noUxRol.exe
PID 116 wrote to memory of 264 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_13c6aff69708e5a44d288fa7c7ee3b2f_cobalt-strike_cobaltstrike.exe C:\Windows\System\aInmIpq.exe
PID 116 wrote to memory of 264 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_13c6aff69708e5a44d288fa7c7ee3b2f_cobalt-strike_cobaltstrike.exe C:\Windows\System\aInmIpq.exe
PID 116 wrote to memory of 4092 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_13c6aff69708e5a44d288fa7c7ee3b2f_cobalt-strike_cobaltstrike.exe C:\Windows\System\qXsXEHG.exe
PID 116 wrote to memory of 4092 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_13c6aff69708e5a44d288fa7c7ee3b2f_cobalt-strike_cobaltstrike.exe C:\Windows\System\qXsXEHG.exe
PID 116 wrote to memory of 4416 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_13c6aff69708e5a44d288fa7c7ee3b2f_cobalt-strike_cobaltstrike.exe C:\Windows\System\zqhdbcT.exe
PID 116 wrote to memory of 4416 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_13c6aff69708e5a44d288fa7c7ee3b2f_cobalt-strike_cobaltstrike.exe C:\Windows\System\zqhdbcT.exe
PID 116 wrote to memory of 1784 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_13c6aff69708e5a44d288fa7c7ee3b2f_cobalt-strike_cobaltstrike.exe C:\Windows\System\IRRMABN.exe
PID 116 wrote to memory of 1784 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_13c6aff69708e5a44d288fa7c7ee3b2f_cobalt-strike_cobaltstrike.exe C:\Windows\System\IRRMABN.exe
PID 116 wrote to memory of 2212 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_13c6aff69708e5a44d288fa7c7ee3b2f_cobalt-strike_cobaltstrike.exe C:\Windows\System\eGjncAV.exe
PID 116 wrote to memory of 2212 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_13c6aff69708e5a44d288fa7c7ee3b2f_cobalt-strike_cobaltstrike.exe C:\Windows\System\eGjncAV.exe
PID 116 wrote to memory of 2992 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_13c6aff69708e5a44d288fa7c7ee3b2f_cobalt-strike_cobaltstrike.exe C:\Windows\System\OfVpXLW.exe
PID 116 wrote to memory of 2992 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_13c6aff69708e5a44d288fa7c7ee3b2f_cobalt-strike_cobaltstrike.exe C:\Windows\System\OfVpXLW.exe
PID 116 wrote to memory of 2372 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_13c6aff69708e5a44d288fa7c7ee3b2f_cobalt-strike_cobaltstrike.exe C:\Windows\System\AAfEPjp.exe
PID 116 wrote to memory of 2372 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_13c6aff69708e5a44d288fa7c7ee3b2f_cobalt-strike_cobaltstrike.exe C:\Windows\System\AAfEPjp.exe
PID 116 wrote to memory of 2308 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_13c6aff69708e5a44d288fa7c7ee3b2f_cobalt-strike_cobaltstrike.exe C:\Windows\System\tdGAEuu.exe
PID 116 wrote to memory of 2308 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_13c6aff69708e5a44d288fa7c7ee3b2f_cobalt-strike_cobaltstrike.exe C:\Windows\System\tdGAEuu.exe
PID 116 wrote to memory of 2412 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_13c6aff69708e5a44d288fa7c7ee3b2f_cobalt-strike_cobaltstrike.exe C:\Windows\System\vltOpvD.exe
PID 116 wrote to memory of 2412 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_13c6aff69708e5a44d288fa7c7ee3b2f_cobalt-strike_cobaltstrike.exe C:\Windows\System\vltOpvD.exe
PID 116 wrote to memory of 1696 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_13c6aff69708e5a44d288fa7c7ee3b2f_cobalt-strike_cobaltstrike.exe C:\Windows\System\pKUyFzb.exe
PID 116 wrote to memory of 1696 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_13c6aff69708e5a44d288fa7c7ee3b2f_cobalt-strike_cobaltstrike.exe C:\Windows\System\pKUyFzb.exe
PID 116 wrote to memory of 3464 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_13c6aff69708e5a44d288fa7c7ee3b2f_cobalt-strike_cobaltstrike.exe C:\Windows\System\clHEfmY.exe
PID 116 wrote to memory of 3464 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_13c6aff69708e5a44d288fa7c7ee3b2f_cobalt-strike_cobaltstrike.exe C:\Windows\System\clHEfmY.exe
PID 116 wrote to memory of 2296 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_13c6aff69708e5a44d288fa7c7ee3b2f_cobalt-strike_cobaltstrike.exe C:\Windows\System\BlNvhJx.exe
PID 116 wrote to memory of 2296 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_13c6aff69708e5a44d288fa7c7ee3b2f_cobalt-strike_cobaltstrike.exe C:\Windows\System\BlNvhJx.exe
PID 116 wrote to memory of 852 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_13c6aff69708e5a44d288fa7c7ee3b2f_cobalt-strike_cobaltstrike.exe C:\Windows\System\JCDCXtK.exe
PID 116 wrote to memory of 852 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_13c6aff69708e5a44d288fa7c7ee3b2f_cobalt-strike_cobaltstrike.exe C:\Windows\System\JCDCXtK.exe
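
The two tables above describe one chain: the parent in the user's Temp directory writes 21 seven-letter executables into C:\Windows\System, starts each one, and then writes into the new process (the sandbox logs two WriteProcessMemory calls per child). The following is an added example, not part of the sandbox report, that parses rows in the report's own format and correlates them into that chain. The rows are copied from the tables above (the first few of each, duplicates included); the svchost.exe row is a constructed negative control so the filter has something to reject.

```python
"""Correlate 'Drops file in Windows directory' rows with 'Suspicious use of
WriteProcessMemory' rows into a drop -> spawn -> write chain.
Added example; rows are copied from the report tables plus one constructed control."""
import re

PARENT = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\2024-06-01_13c6aff69708e5a44d288fa7c7ee3b2f_cobalt-strike_cobaltstrike.exe")

DROP_ROWS = [
    rf"File created C:\Windows\System\aInmIpq.exe {PARENT} N/A",
    rf"File created C:\Windows\System\JCDCXtK.exe {PARENT} N/A",
    rf"File created C:\Windows\System\ALmUNDC.exe {PARENT} N/A",
    rf"File created C:\Windows\System\eUyqfEf.exe {PARENT} N/A",
    # constructed control row: a system service writing into its own cache directory
    r"File created C:\Windows\SoftwareDistribution\Download\abc.cab C:\Windows\System32\svchost.exe N/A",
]
# The sandbox records two writes per child; the duplicates are kept to show the dedup.
WRITE_ROWS = [
    rf"PID 116 wrote to memory of 4392 N/A {PARENT} C:\Windows\System\ALmUNDC.exe",
    rf"PID 116 wrote to memory of 4392 N/A {PARENT} C:\Windows\System\ALmUNDC.exe",
    rf"PID 116 wrote to memory of 1660 N/A {PARENT} C:\Windows\System\eUyqfEf.exe",
    rf"PID 116 wrote to memory of 1660 N/A {PARENT} C:\Windows\System\eUyqfEf.exe",
]

DROP_RE = re.compile(r"^File created (?P<path>\S+) (?P<parent>\S+) \S+$")
WRITE_RE = re.compile(r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) \S+ "
                      r"(?P<parent>\S+) (?P<target>\S+)$")
RANDOM_NAME = re.compile(r"^[A-Za-z]{7}\.exe$")  # every one of the 21 dropped names fits


def in_user_temp(path):
    """True for anything under a user's AppData\\Local\\Temp."""
    return "\\appdata\\local\\temp\\" in path.lower()


def is_windows_system_random_exe(path):
    """True for a 7-letter .exe placed directly in Windows\\System (not System32)."""
    directory, _, name = path.rpartition("\\")
    return directory.lower() == r"c:\windows\system" and bool(RANDOM_NAME.match(name))


def suspicious_drops(rows):
    """Map dropped path -> dropping parent for rows that fit the report's pattern."""
    found = {}
    for row in rows:
        m = DROP_RE.match(row)
        if m and in_user_temp(m["parent"]) and is_windows_system_random_exe(m["path"]):
            found[m["path"]] = m["parent"]
    return found


def memory_writes(rows):
    """Map written-to image -> (writer image, writer PID, target PID), collapsing duplicates."""
    writes = {}
    for row in rows:
        m = WRITE_RE.match(row)
        if m:
            writes[m["target"]] = (m["parent"], int(m["src"]), int(m["dst"]))
    return writes


def drop_and_write_chain(drop_rows, write_rows):
    """Dropped executables that the same parent later wrote into as a running process."""
    drops = suspicious_drops(drop_rows)
    return {
        path: {"parent": writer, "parent_pid": src, "child_pid": dst}
        for path, (writer, src, dst) in memory_writes(write_rows).items()
        if drops.get(path) == writer
    }


if __name__ == "__main__":
    for path, hit in drop_and_write_chain(DROP_ROWS, WRITE_ROWS).items():
        print(f"PID {hit['parent_pid']} dropped and wrote into PID {hit['child_pid']}: {path}")
```

Fed the full tables, the same functions return all 21 dropped paths and 21 distinct child PIDs; aInmIpq.exe and JCDCXtK.exe appear in the drop map but not in the chain here only because their write rows are not in the excerpt. The `is_windows_system_random_exe` check is the one worth carrying into a hunt query: legitimate installers do not place seven-letter mixed-case executables directly in C:\Windows\System.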

Processes (each entry: image path, then the command line it was started with)

C:\Users\Admin\AppData\Local\Temp\2024-06-01_13c6aff69708e5a44d288fa7c7ee3b2f_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-01_13c6aff69708e5a44d288fa7c7ee3b2f_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\ALmUNDC.exe
C:\Windows\System\ALmUNDC.exe

C:\Windows\System\eUyqfEf.exe
C:\Windows\System\eUyqfEf.exe

C:\Windows\System\FGrdlcs.exe
C:\Windows\System\FGrdlcs.exe

C:\Windows\System\kFKibAA.exe
C:\Windows\System\kFKibAA.exe

C:\Windows\System\DEwYJML.exe
C:\Windows\System\DEwYJML.exe

C:\Windows\System\lBMtPcq.exe
C:\Windows\System\lBMtPcq.exe

C:\Windows\System\xPCPzqk.exe
C:\Windows\System\xPCPzqk.exe

C:\Windows\System\noUxRol.exe
C:\Windows\System\noUxRol.exe

C:\Windows\System\aInmIpq.exe
C:\Windows\System\aInmIpq.exe

C:\Windows\System\qXsXEHG.exe
C:\Windows\System\qXsXEHG.exe

C:\Windows\System\zqhdbcT.exe
C:\Windows\System\zqhdbcT.exe

C:\Windows\System\IRRMABN.exe
C:\Windows\System\IRRMABN.exe

C:\Windows\System\eGjncAV.exe
C:\Windows\System\eGjncAV.exe

C:\Windows\System\OfVpXLW.exe
C:\Windows\System\OfVpXLW.exe

C:\Windows\System\AAfEPjp.exe
C:\Windows\System\AAfEPjp.exe

C:\Windows\System\tdGAEuu.exe
C:\Windows\System\tdGAEuu.exe

C:\Windows\System\vltOpvD.exe
C:\Windows\System\vltOpvD.exe

C:\Windows\System\pKUyFzb.exe
C:\Windows\System\pKUyFzb.exe

C:\Windows\System\clHEfmY.exe
C:\Windows\System\clHEfmY.exe

C:\Windows\System\BlNvhJx.exe
C:\Windows\System\BlNvhJx.exe

C:\Windows\System\JCDCXtK.exe
C:\Windows\System\JCDCXtK.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
DE 3.120.209.58:8080 - tcp
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
DE 3.120.209.58:8080 - tcp
DE 3.120.209.58:8080 - tcp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
DE 3.120.209.58:8080 - tcp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
DE 3.120.209.58:8080 - tcp
DE 3.120.209.58:8080 - tcp

A "-" in the Domain column marks a connection made directly to an IP address with no DNS resolution recorded. 3.120.209.58:8080 (six TCP connections) is the only destination that is neither a query to 8.8.8.8 (the in-addr.arpa names are reverse PTR lookups) nor the tse1.mm.bing.net host, so it is the network indicator to pivot on for this sample. The report does not record what was exchanged on that connection.

Files

memory/116-0-0x00007FF736540000-0x00007FF736894000-memory.dmp

memory/116-1-0x000001805F030000-0x000001805F040000-memory.dmp

C:\Windows\System\ALmUNDC.exe

MD5 95d95f2d19afc4ba790e98f128f0985c
SHA1 dd6b1a2e4b539dfa3a02a2f230cec665f3bbee7e
SHA256 17c74957f46cd9774271c6bd5e4674acb7c5502727cdec92b5e02033959e5c20
SHA512 7dd934718a222bcce308ff498186d735818765553ebe65bdc2e9775620672bec064c3ff64e296fa88c552bf7b432e5480a483eb3787743f67401df5aecb9e07a

memory/4392-7-0x00007FF6FFAA0000-0x00007FF6FFDF4000-memory.dmp

C:\Windows\System\eUyqfEf.exe

MD5 064c3a80abc23401eed863637c76f8aa
SHA1 8ea125f3e421cd0c49a3684b9204d2ffa7b0cc76
SHA256 0cca5f90ea762b8664f776d16f6c2a1db8fba1d8faebface940b471613468771
SHA512 01e0593059d1ad091f32bad40835a4894d27c24c8f7f840fab1a4b8a0cb7081e70e434b452696cd7105cea5eb2ce1df784823126b959bdcd55e704cde4233247

C:\Windows\System\FGrdlcs.exe

MD5 e002619c4fa71fc3e07c771c38f5bf7b
SHA1 c34509641fc8f0320ae74c63281e841171d1f2b5
SHA256 b3cf566cdcafbab787f29d562804b7d0e940a8a6ba0b15b0b91d6801de37c603
SHA512 8cf65c9052c2182e22f5213a8c560cfab1a0993bac1f8b0ee03b320ae1ebaf49cea09ba4e9f97e8bb3fd45e6df99da6f750dfb341e02692b2fbdcd50e91b64d5

memory/2676-18-0x00007FF65A0F0000-0x00007FF65A444000-memory.dmp

memory/1660-17-0x00007FF7FC910000-0x00007FF7FCC64000-memory.dmp

C:\Windows\System\kFKibAA.exe

MD5 18151fea587948ac50771b70d411d3b1
SHA1 26500eb9fb36608439bf62aea9135af3c2e8cca1
SHA256 aaa659ff5d26ae24ec75ec98e1dfda839e5c9888f07df6e53eb35f472729f000
SHA512 cb6ac3e2ad2d2a92f7bb48b1b81970a0ddc3d650dd4f0f917bb055276e9c95f408f7134229d3c1b8fb4a02955b2d00f214cf00966efb176153001ddfec33bf97

memory/2004-26-0x00007FF7EB440000-0x00007FF7EB794000-memory.dmp

C:\Windows\System\DEwYJML.exe

MD5 b5b9359861e45e2d2745efdad23f479b
SHA1 5346724a5a856b2dde3ccfefa2f679bae5bec5d9
SHA256 18f2d4e4cb2d617ad43c5853556576202bc14da93b45ce9a06598e89624ca89a
SHA512 5abdd4d5f21d407d1ec14a4167ed862cb1409798f41df2d082d594707c4d219f482b16db36ee360f7332e4302dee875aca896e3f98567ae49332f83959e90fff

memory/3124-35-0x00007FF722170000-0x00007FF7224C4000-memory.dmp

C:\Windows\System\lBMtPcq.exe

MD5 2f54ad6f70511e9c0625ba450d909896
SHA1 40ffb501d367454420381527f9a6ab7b3df5f93c
SHA256 b85f7e31f5edb4425e2bf601d75a1f299d83a9b4be64c67d262407583dec7a11
SHA512 14d1b41fcc78fac7326823e4d81edf19884def76d5d4b521223c07db9793f0ae184b90f34101c179cb6aef548f3710181bca642746abf5702b8d5b5c455b2389

C:\Windows\System\noUxRol.exe

MD5 5c37f88f7613cb28055b73a8dd27aa3b
SHA1 14e2427cafb6ef53e114570776a71829a6a4501b
SHA256 4156fa849d27e50cbe640c34aa7b70d04732eb3d30e050777a7ae2c196074df3
SHA512 d08c9a829036ecdb47bf79e0148302aebe8840d0e8caa9bbb6b8855b642704a2282aa864cffc7307fc24693cef3701eb3a9f0844ed4c03597c01acb5ffc68dfd

C:\Windows\System\aInmIpq.exe

MD5 67d25966e4dee8f0b23f9fd1235cd072
SHA1 aad3fa0c9b61b77d0fceaddbfde147473b1f4e41
SHA256 27b0c8790d67e64e16d1cc34d3f229060a50c3deb004e16e11c3e3d24853a2b9
SHA512 fe5cf8269e371fbe4a847209e6e671f7d62acce32cdd18d9668169611b4d7b4965f4a87fef8ddffc7ccb2e463231d07903d5ad0fcb63e6b55524bd7be6e97a67

C:\Windows\System\qXsXEHG.exe

MD5 4963ea3ee6c33abfcb27b2eff794b829
SHA1 2328baef7a0555f6c20a15155b2c53ee76c33215
SHA256 d97106e5835f9af78b138546ce3b14db8c99ccbafeb4e12265875d9e78a89d5f
SHA512 ad41a3948de58355adb0397fe8913965aea6849c5853328b253d0d91749f33cf6be4090cb44a404454014de7dc6e7aa23c41d432a4538990a3ef41fdcd09c2cb

C:\Windows\System\zqhdbcT.exe

MD5 5c16e676126cdf700786c7abff281df8
SHA1 42bdebee4dbcae20b18cd8beffbb44a0410ae7c9
SHA256 2dadb131c5a3db0addf1d93260e2816fb2b4c8256bae88090676babbce66c68c
SHA512 016fe1f41af889e4bd80da72f081a16ab7e1897ee0315d4818637b639f69cc8c4a568b9e15400e0a2078215cea86175b15f2a49a808a996ee94a901f2893b03a

C:\Windows\System\OfVpXLW.exe

MD5 67468345c2e93cdd8dd479591af7d3a3
SHA1 eed61fe61649b27fa26bb0d1e1ff74c51b3e3f50
SHA256 cda2ea447a4f28f910deeb34a212fc3c36ff3e0ff753f410e7b0c392a534a519
SHA512 23a30fec8c5fe833ee987a2e1a6e361e9c7fc6f54417a1e34dbf52ed12d4d6c96b6cc1c910daa173a5fbdb9e122ab7b5fb151fe49533335df33a93857a1d7482

C:\Windows\System\AAfEPjp.exe

MD5 b9d8b854ee7a17fab9e503be708cfa34
SHA1 0a2bb85a26b8e315393ef33b9b30acf78bdbe2ac
SHA256 0420b513f28d390110426f49f7a1cc8cc28d13a15cc71b04cea1b57ab930524b
SHA512 ce5f69544032cb18442fe2c76af39f74c53ccb4e743e2ebb26ed3cd481d1968d4dce311bcea5fd6afc5bf866d87b192822d4e38d8c7156ae89a4d69ea8587d17

C:\Windows\System\vltOpvD.exe

MD5 79b0af8e483c7eb61526acf3bb5e7721
SHA1 f5bc912b8f25790b94f6a8f7b70a7f4cb6b2a713
SHA256 ea5d809e7c7cb26865c0e8f04ca8c4b0c0a572354af52cd455056d751cbff7a8
SHA512 d3118d137972e0597b6545a3080a05b4e9c5087f2272b65de86a00f936ee1241f4fd053ee09ff52b0ae7975b07befb8a1e8b91cf5f607a744f741ebc475d9d9f

C:\Windows\System\pKUyFzb.exe

MD5 b5857b4b45a310f5ed14380fc9360736
SHA1 62a19ea43254bcbf2e410045b92668dc4d1175e8
SHA256 83741f7ac89b7ff316c5ba0d6fceb44efc48a6f81c4ba9d9315105529f45976b
SHA512 8be5a7d92f8e759c2786a5a55fcbcb56719f5729d1c39939ba0acc609f8c645fbf63b78e30f6259a4f1ab6a8fbcfb8920303554b45b80fb2b35e1c83417803f0

C:\Windows\System\JCDCXtK.exe

MD5 8c3907c68809ac1dcb00d2b0c07f4d4b
SHA1 f8ae79ce75fa8094b9c4dc86536662e9c634f29d
SHA256 8f3305cfb0902f52b4cf9b27c1043f0bf42a90d9d5f773b24e3aed2ba9b34f2b
SHA512 9826c14dff997342f8f3d652f1619d76997a5a325758296d70517413c4c8c58151f1726d1facf7000203308ef2ed98fbd56d00beb38c1c89f045b1620dda1000

C:\Windows\System\BlNvhJx.exe

MD5 058310d529c1acc262c031dbc5e6197a
SHA1 9c183a91e457b25e7dd92579cf23f7d335e9ebe0
SHA256 2ea86784feb7d90fdd74998622c71e87275bb7d438c3e7797f04509f15db3704
SHA512 9857541f61d6d5aeaec4ba15e5763f542d424015352483d0a838ed9cc016fc6f1d5572ed99b94a8a99cc2a4c0173b5b618d0be6c109d4f1b8ccfd6a3e49aff20

C:\Windows\System\clHEfmY.exe

MD5 f0abbc28a8f954787418846c115a5816
SHA1 ab7474ccfa28f38dcddba9d8e658c2fc2d94f426
SHA256 0f0403582a888029370146cb975dc2453792af3d420df76220909c55468df05e
SHA512 843e347e8d03e44779489f27ab48f60ae299a4b04f735f5b7974b30699b477974b4ab3a23a5b41111d11774f9acb39ed2020b0c76a2b5527594c4fe3058db580

C:\Windows\System\tdGAEuu.exe

MD5 fa4352292e39e0f4edbfec83cfd31b2b
SHA1 aebed6021afe9bc36b2fec0e006e2ef37d1951be
SHA256 cc1aad1eb14b42a7ae60c48e128a2b366b68a973b46be23cc99d8badab3746aa
SHA512 26aa1d515cd9cf7b53ad6b0f1ec28e29a36a517d3da58b4f9b28f08c4ec9c3dd0fbe9261e190fa65eb8800d0b9af28aff2f50061c3eb3a78edc360686a9051c8

C:\Windows\System\eGjncAV.exe

MD5 345042ddc66a820ee21c83b50affc24f
SHA1 c6db7b5ecc97ada8a3637351dccd3eb83bb641ee
SHA256 2701a1c9a6a95a2c71dab0e6286f4d278d9aebd792a15463f25a1c31560adb38
SHA512 278f10234a4c3344eb6783d0cbb8ccf4605ad43e7278b96b843c3c177fdad0e8eac7a064b7eaff90b61a37999e80eb03c4c64bc7ff26e00a2187cfd694a1024f

C:\Windows\System\IRRMABN.exe

MD5 486bbee03b581f60a4b12eccaf73d234
SHA1 34e56df83e3b70bdf72490888af94c7e0510089c
SHA256 723b97e4511be5d9380658af91f6127a22168dc3dd9450311dad2780c3122b1c
SHA512 4bde8ddbed671dea900544c34e679f2f1f76e6a98ac3cc2d6544ab41ce2f0f6cc60c65a242e0abae24cd5ddf229b25e924aee1d7a42ec0b20b58382c5732d2aa

C:\Windows\System\xPCPzqk.exe

MD5 0d120a88e394547ef46b3a045b122d72
SHA1 a5cc0b47f349395aa54b8a59a7ffe5f17e42fa29
SHA256 a3d5612d22a4f163fac3ca88f27d2e1276d94f87076d7807d5b621e395f16556
SHA512 584cd22cc2537e63fb469a2e06d845197e2c4a9bc360006c9bbdbab0416a322201ab8f8fead6ea0a6ed23586ce67fb8695db1cd45b4c3a11d6b6c4bae6130e99

memory/2508-39-0x00007FF77D470000-0x00007FF77D7C4000-memory.dmp

memory/1288-114-0x00007FF784260000-0x00007FF7845B4000-memory.dmp

memory/264-115-0x00007FF6CBEF0000-0x00007FF6CC244000-memory.dmp

memory/4092-116-0x00007FF7219F0000-0x00007FF721D44000-memory.dmp

memory/5020-113-0x00007FF7B5440000-0x00007FF7B5794000-memory.dmp

memory/4416-117-0x00007FF6A5AD0000-0x00007FF6A5E24000-memory.dmp

memory/1784-118-0x00007FF67AC50000-0x00007FF67AFA4000-memory.dmp

memory/2992-120-0x00007FF703610000-0x00007FF703964000-memory.dmp

memory/2372-121-0x00007FF7AE6A0000-0x00007FF7AE9F4000-memory.dmp

memory/2308-122-0x00007FF7B8D40000-0x00007FF7B9094000-memory.dmp

memory/2412-123-0x00007FF7C9150000-0x00007FF7C94A4000-memory.dmp

memory/3464-125-0x00007FF77F150000-0x00007FF77F4A4000-memory.dmp

memory/1696-124-0x00007FF7C3BE0000-0x00007FF7C3F34000-memory.dmp

memory/2212-119-0x00007FF7BA9C0000-0x00007FF7BAD14000-memory.dmp

memory/2296-126-0x00007FF674300000-0x00007FF674654000-memory.dmp

memory/852-127-0x00007FF669EA0000-0x00007FF66A1F4000-memory.dmp

memory/116-128-0x00007FF736540000-0x00007FF736894000-memory.dmp

memory/4392-129-0x00007FF6FFAA0000-0x00007FF6FFDF4000-memory.dmp

memory/2676-130-0x00007FF65A0F0000-0x00007FF65A444000-memory.dmp

memory/2004-131-0x00007FF7EB440000-0x00007FF7EB794000-memory.dmp

memory/2508-132-0x00007FF77D470000-0x00007FF77D7C4000-memory.dmp

memory/4392-133-0x00007FF6FFAA0000-0x00007FF6FFDF4000-memory.dmp

memory/1660-134-0x00007FF7FC910000-0x00007FF7FCC64000-memory.dmp

memory/2676-135-0x00007FF65A0F0000-0x00007FF65A444000-memory.dmp

memory/2004-136-0x00007FF7EB440000-0x00007FF7EB794000-memory.dmp

memory/3124-137-0x00007FF722170000-0x00007FF7224C4000-memory.dmp

memory/2508-138-0x00007FF77D470000-0x00007FF77D7C4000-memory.dmp

memory/5020-139-0x00007FF7B5440000-0x00007FF7B5794000-memory.dmp

memory/264-141-0x00007FF6CBEF0000-0x00007FF6CC244000-memory.dmp

memory/1288-140-0x00007FF784260000-0x00007FF7845B4000-memory.dmp

memory/4416-142-0x00007FF6A5AD0000-0x00007FF6A5E24000-memory.dmp

memory/4092-143-0x00007FF7219F0000-0x00007FF721D44000-memory.dmp

memory/1784-144-0x00007FF67AC50000-0x00007FF67AFA4000-memory.dmp

memory/2212-145-0x00007FF7BA9C0000-0x00007FF7BAD14000-memory.dmp

memory/2372-146-0x00007FF7AE6A0000-0x00007FF7AE9F4000-memory.dmp

memory/2308-148-0x00007FF7B8D40000-0x00007FF7B9094000-memory.dmp

memory/2296-150-0x00007FF674300000-0x00007FF674654000-memory.dmp

memory/2412-153-0x00007FF7C9150000-0x00007FF7C94A4000-memory.dmp

memory/1696-152-0x00007FF7C3BE0000-0x00007FF7C3F34000-memory.dmp

memory/3464-151-0x00007FF77F150000-0x00007FF77F4A4000-memory.dmp

memory/2992-149-0x00007FF703610000-0x00007FF703964000-memory.dmp

memory/852-147-0x00007FF669EA0000-0x00007FF66A1F4000-memory.dmp
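
The Files lists in both behavioral runs contain the same two kinds of artifact: hash blocks for the dropped executables and names of memory dumps that encode the PID, a sequence number and the address range that was dumped. The following is an added example, not part of the sandbox report, that turns an excerpt of those lists into indicators: it merges hash blocks that refer to the same file under the two spellings the runs use (behavioral1 writes \Windows\system\IRRMABN.exe, behavioral2 writes C:\Windows\System\IRRMABN.exe), rejects malformed or conflicting digests, and computes the size of each dumped region. The excerpt is copied from the Files sections above; the only assumption is that the path spellings differ by drive letter and case alone.

```python
"""Extract file hashes and memory-dump regions from the report's Files lists.
Added example; the excerpt is copied from the Files sections and deliberately
contains IRRMABN.exe as both behavioral runs spell it."""
import re
from collections import Counter

REPORT_EXCERPT = r"""
memory/116-0-0x00007FF736540000-0x00007FF736894000-memory.dmp

memory/116-1-0x000001805F030000-0x000001805F040000-memory.dmp

C:\Windows\System\zqhdbcT.exe

MD5 5c16e676126cdf700786c7abff281df8
SHA1 42bdebee4dbcae20b18cd8beffbb44a0410ae7c9
SHA256 2dadb131c5a3db0addf1d93260e2816fb2b4c8256bae88090676babbce66c68c
SHA512 016fe1f41af889e4bd80da72f081a16ab7e1897ee0315d4818637b639f69cc8c4a568b9e15400e0a2078215cea86175b15f2a49a808a996ee94a901f2893b03a

\Windows\system\IRRMABN.exe

MD5 486bbee03b581f60a4b12eccaf73d234
SHA1 34e56df83e3b70bdf72490888af94c7e0510089c
SHA256 723b97e4511be5d9380658af91f6127a22168dc3dd9450311dad2780c3122b1c
SHA512 4bde8ddbed671dea900544c34e679f2f1f76e6a98ac3cc2d6544ab41ce2f0f6cc60c65a242e0abae24cd5ddf229b25e924aee1d7a42ec0b20b58382c5732d2aa

C:\Windows\System\IRRMABN.exe

MD5 486bbee03b581f60a4b12eccaf73d234
SHA1 34e56df83e3b70bdf72490888af94c7e0510089c
SHA256 723b97e4511be5d9380658af91f6127a22168dc3dd9450311dad2780c3122b1c
SHA512 4bde8ddbed671dea900544c34e679f2f1f76e6a98ac3cc2d6544ab41ce2f0f6cc60c65a242e0abae24cd5ddf229b25e924aee1d7a42ec0b20b58382c5732d2aa

memory/1784-118-0x00007FF67AC50000-0x00007FF67AFA4000-memory.dmp
"""

DIGEST_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512) ([0-9A-Fa-f]+)$")
PATH_RE = re.compile(r"^(?:[A-Za-z]:)?\\.+\.exe$")
DUMP_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$",
                     re.MULTILINE)


def normalize_path(path):
    """Drop the drive letter and case so both spellings of a dropped file share one key."""
    return re.sub(r"^[A-Za-z]:", "", path).lower()


def parse_file_hashes(text):
    """Return {normalized path: {algo: digest}}; reject wrong-length or conflicting digests."""
    files, current = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line:
            continue
        m = HASH_RE.match(line)
        if m and current is not None:
            algo, digest = m.group(1), m.group(2).lower()
            if len(digest) != DIGEST_LEN[algo]:
                raise ValueError(f"{algo} digest of wrong length for {current}")
            if files[current].get(algo, digest) != digest:
                raise ValueError(f"conflicting {algo} values for {current}")
            files[current][algo] = digest
        elif PATH_RE.match(line):
            current = normalize_path(line)
            files.setdefault(current, {})
        else:
            current = None  # a memory-dump line or anything else ends the hash block
    return files


def parse_memory_dumps(text):
    """One dict per dump: PID, sequence number, base address and size in bytes."""
    return [
        {"pid": int(m[1]), "seq": int(m[2]), "base": int(m[3], 16),
         "size": int(m[4], 16) - int(m[3], 16)}
        for m in DUMP_RE.finditer(text)
    ]


def region_size_histogram(dumps):
    """Dumps per region size; one dominant size across many PIDs means the same
    image was mapped under every dropped name."""
    return dict(Counter(d["size"] for d in dumps))


def unique_sha256(files):
    return sorted({h["SHA256"] for h in files.values() if "SHA256" in h})


if __name__ == "__main__":
    files = parse_file_hashes(REPORT_EXCERPT)
    print(f"{len(files)} distinct files, {len(unique_sha256(files))} distinct SHA256")
    for size, n in region_size_histogram(parse_memory_dumps(REPORT_EXCERPT)).items():
        print(f"{n} dump(s) of {size:#x} bytes")
```

Run over the complete Files lists of both runs, the same code yields one region size, 0x354000 bytes, for every dump except memory/116-1 (0x10000, the small heap region of the parent), and identical hashes for each filename in behavioral1 and behavioral2. The 21 per-file SHA256 values and the 0x354000-byte module footprint are therefore stable indicators for this sample, while the two spellings of the Windows directory are only a reporting artifact that a naive string match would miss.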