Malware Analysis Report

2024-10-24 18:16

Sample ID 240606-rvlmgsgd56
Target 2024-06-06_957bf82f65b2acb17162d3c4b09dd156_cobalt-strike_cobaltstrike
SHA256 3e368ff3e96eb93578430d1c8fcb6320c3fa8088577b494827648de625c78a15
Tags
miner upx 0 xmrig cobaltstrike backdoor trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

3e368ff3e96eb93578430d1c8fcb6320c3fa8088577b494827648de625c78a15

Threat Level: Known bad

The file 2024-06-06_957bf82f65b2acb17162d3c4b09dd156_cobalt-strike_cobaltstrike was found to be: Known bad.

Malicious Activity Summary

miner upx 0 xmrig cobaltstrike backdoor trojan

Cobaltstrike family

xmrig

Cobalt Strike reflective loader

Detects Reflective DLL injection artifacts

UPX dump on OEP (original entry point)

Cobaltstrike

XMRig Miner payload

Xmrig family

UPX packed file

Executes dropped EXE

Loads dropped DLL

Drops file in Windows directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-06 14:30

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike family

cobaltstrike

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Xmrig family

xmrig

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-06 14:30

Reported

2024-06-06 14:33

Platform

win7-20240221-en

Max time kernel

138s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-06_957bf82f65b2acb17162d3c4b09dd156_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A (21 identical rows)

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A (21 identical rows)

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A (52 identical rows)

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A (59 identical rows)

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_957bf82f65b2acb17162d3c4b09dd156_cobalt-strike_cobaltstrike.exe N/A (21 identical rows)

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A (52 identical rows)

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\bLPatrj.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_957bf82f65b2acb17162d3c4b09dd156_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\BHCjaVH.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_957bf82f65b2acb17162d3c4b09dd156_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\mgbccqq.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_957bf82f65b2acb17162d3c4b09dd156_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\Rstiyqx.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_957bf82f65b2acb17162d3c4b09dd156_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\tyjRIwu.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_957bf82f65b2acb17162d3c4b09dd156_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\EYjFFXB.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_957bf82f65b2acb17162d3c4b09dd156_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\IkCflYo.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_957bf82f65b2acb17162d3c4b09dd156_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\alDTIJD.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_957bf82f65b2acb17162d3c4b09dd156_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\cgVcpwe.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_957bf82f65b2acb17162d3c4b09dd156_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\BBFRDHC.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_957bf82f65b2acb17162d3c4b09dd156_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\KQgiXDT.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_957bf82f65b2acb17162d3c4b09dd156_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\tjfpqAs.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_957bf82f65b2acb17162d3c4b09dd156_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\vOTkTgZ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_957bf82f65b2acb17162d3c4b09dd156_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\cuyUwJq.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_957bf82f65b2acb17162d3c4b09dd156_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\mpxHDYa.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_957bf82f65b2acb17162d3c4b09dd156_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\FWJESZa.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_957bf82f65b2acb17162d3c4b09dd156_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ItbkGfr.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_957bf82f65b2acb17162d3c4b09dd156_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\tQBXCAE.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_957bf82f65b2acb17162d3c4b09dd156_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\GRgXyxC.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_957bf82f65b2acb17162d3c4b09dd156_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\AxsZdZI.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_957bf82f65b2acb17162d3c4b09dd156_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\SmxUJTR.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_957bf82f65b2acb17162d3c4b09dd156_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_957bf82f65b2acb17162d3c4b09dd156_cobalt-strike_cobaltstrike.exe N/A (2 identical rows)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1692 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_957bf82f65b2acb17162d3c4b09dd156_cobalt-strike_cobaltstrike.exe C:\Windows\System\BHCjaVH.exe (3 identical rows)
PID 1692 wrote to memory of 2784 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_957bf82f65b2acb17162d3c4b09dd156_cobalt-strike_cobaltstrike.exe C:\Windows\System\tjfpqAs.exe (3 identical rows)
PID 1692 wrote to memory of 2144 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_957bf82f65b2acb17162d3c4b09dd156_cobalt-strike_cobaltstrike.exe C:\Windows\System\mgbccqq.exe (3 identical rows)
PID 1692 wrote to memory of 2460 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_957bf82f65b2acb17162d3c4b09dd156_cobalt-strike_cobaltstrike.exe C:\Windows\System\Rstiyqx.exe (3 identical rows)
PID 1692 wrote to memory of 2540 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_957bf82f65b2acb17162d3c4b09dd156_cobalt-strike_cobaltstrike.exe C:\Windows\System\tyjRIwu.exe (3 identical rows)
PID 1692 wrote to memory of 2524 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_957bf82f65b2acb17162d3c4b09dd156_cobalt-strike_cobaltstrike.exe C:\Windows\System\EYjFFXB.exe (3 identical rows)
PID 1692 wrote to memory of 2440 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_957bf82f65b2acb17162d3c4b09dd156_cobalt-strike_cobaltstrike.exe C:\Windows\System\mpxHDYa.exe (3 identical rows)
PID 1692 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_957bf82f65b2acb17162d3c4b09dd156_cobalt-strike_cobaltstrike.exe C:\Windows\System\FWJESZa.exe (3 identical rows)
PID 1692 wrote to memory of 2448 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_957bf82f65b2acb17162d3c4b09dd156_cobalt-strike_cobaltstrike.exe C:\Windows\System\vOTkTgZ.exe (3 identical rows)
PID 1692 wrote to memory of 2468 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_957bf82f65b2acb17162d3c4b09dd156_cobalt-strike_cobaltstrike.exe C:\Windows\System\BBFRDHC.exe (3 identical rows)
PID 1692 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_957bf82f65b2acb17162d3c4b09dd156_cobalt-strike_cobaltstrike.exe C:\Windows\System\IkCflYo.exe (3 identical rows)
PID 1692 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_957bf82f65b2acb17162d3c4b09dd156_cobalt-strike_cobaltstrike.exe C:\Windows\System\cuyUwJq.exe (3 identical rows)
PID 1692 wrote to memory of 2996 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_957bf82f65b2acb17162d3c4b09dd156_cobalt-strike_cobaltstrike.exe C:\Windows\System\ItbkGfr.exe (3 identical rows)
PID 1692 wrote to memory of 556 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_957bf82f65b2acb17162d3c4b09dd156_cobalt-strike_cobaltstrike.exe C:\Windows\System\alDTIJD.exe (3 identical rows)
PID 1692 wrote to memory of 816 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_957bf82f65b2acb17162d3c4b09dd156_cobalt-strike_cobaltstrike.exe C:\Windows\System\tQBXCAE.exe (3 identical rows)
PID 1692 wrote to memory of 564 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_957bf82f65b2acb17162d3c4b09dd156_cobalt-strike_cobaltstrike.exe C:\Windows\System\GRgXyxC.exe (3 identical rows)
PID 1692 wrote to memory of 1904 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_957bf82f65b2acb17162d3c4b09dd156_cobalt-strike_cobaltstrike.exe C:\Windows\System\bLPatrj.exe (3 identical rows)
PID 1692 wrote to memory of 652 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_957bf82f65b2acb17162d3c4b09dd156_cobalt-strike_cobaltstrike.exe C:\Windows\System\cgVcpwe.exe (3 identical rows)
PID 1692 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_957bf82f65b2acb17162d3c4b09dd156_cobalt-strike_cobaltstrike.exe C:\Windows\System\KQgiXDT.exe (3 identical rows)
PID 1692 wrote to memory of 2792 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_957bf82f65b2acb17162d3c4b09dd156_cobalt-strike_cobaltstrike.exe C:\Windows\System\AxsZdZI.exe (3 identical rows)
PID 1692 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_957bf82f65b2acb17162d3c4b09dd156_cobalt-strike_cobaltstrike.exe C:\Windows\System\SmxUJTR.exe (3 identical rows)

Processes

Process Command line
C:\Users\Admin\AppData\Local\Temp\2024-06-06_957bf82f65b2acb17162d3c4b09dd156_cobalt-strike_cobaltstrike.exe "C:\Users\Admin\AppData\Local\Temp\2024-06-06_957bf82f65b2acb17162d3c4b09dd156_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\BHCjaVH.exe C:\Windows\System\BHCjaVH.exe
C:\Windows\System\tjfpqAs.exe C:\Windows\System\tjfpqAs.exe
C:\Windows\System\mgbccqq.exe C:\Windows\System\mgbccqq.exe
C:\Windows\System\Rstiyqx.exe C:\Windows\System\Rstiyqx.exe
C:\Windows\System\tyjRIwu.exe C:\Windows\System\tyjRIwu.exe
C:\Windows\System\EYjFFXB.exe C:\Windows\System\EYjFFXB.exe
C:\Windows\System\mpxHDYa.exe C:\Windows\System\mpxHDYa.exe
C:\Windows\System\FWJESZa.exe C:\Windows\System\FWJESZa.exe
C:\Windows\System\vOTkTgZ.exe C:\Windows\System\vOTkTgZ.exe
C:\Windows\System\BBFRDHC.exe C:\Windows\System\BBFRDHC.exe
C:\Windows\System\IkCflYo.exe C:\Windows\System\IkCflYo.exe
C:\Windows\System\cuyUwJq.exe C:\Windows\System\cuyUwJq.exe
C:\Windows\System\ItbkGfr.exe C:\Windows\System\ItbkGfr.exe
C:\Windows\System\alDTIJD.exe C:\Windows\System\alDTIJD.exe
C:\Windows\System\tQBXCAE.exe C:\Windows\System\tQBXCAE.exe
C:\Windows\System\GRgXyxC.exe C:\Windows\System\GRgXyxC.exe
C:\Windows\System\bLPatrj.exe C:\Windows\System\bLPatrj.exe
C:\Windows\System\cgVcpwe.exe C:\Windows\System\cgVcpwe.exe
C:\Windows\System\KQgiXDT.exe C:\Windows\System\KQgiXDT.exe
C:\Windows\System\AxsZdZI.exe C:\Windows\System\AxsZdZI.exe
C:\Windows\System\SmxUJTR.exe C:\Windows\System\SmxUJTR.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 N/A tcp (6 identical rows)

Files

memory/1692-0-0x000000013F250000-0x000000013F5A4000-memory.dmp

memory/1692-1-0x0000000000190000-0x00000000001A0000-memory.dmp

C:\Windows\system\BHCjaVH.exe

MD5 0917ba49b21219ba280aa056ade32ef8
SHA1 14e656c6619adccf65a6b1b041b586b7895bb73e
SHA256 cdbcafbfb60abc3d86277494b8c3634046f01b74c739bd65ce495a3812f879b2
SHA512 352574114d2b9a435f08030c250ac05b439b8ee5e1e9b1ca98aa49a322c129f06223e01ec3de5e3779463b94da48f3092ab53b720027387fab30f5a6428109ba

C:\Windows\system\tjfpqAs.exe

MD5 ee941557df3ce6ceebf1c7114f663a72
SHA1 8552c83041ba1467fee03c53578681b15ea2723e
SHA256 376f22e287e220ff46fb0961fb0fc8ec07380c4c6db5c3bf32a9c0a5c93e633d
SHA512 f71f609b517f9d39a01b6ff4859bac2e914cadd7db9dd182c30296fa17f5dc35385c1df2eac6fcb15b739e8d3263894f5babd9949fbc947e1952a047512db732

C:\Windows\system\mgbccqq.exe

MD5 d64a7d64b7c42e75d9ab75f040304498
SHA1 7893d070e854d5645edbf342a53efe007a088ba8
SHA256 372cb93bdaf27631a3d127e5fb30c58a516f9ed75a345eca5b02a64a4cde6065
SHA512 4e85dcd25fe54e06152728bb58b47d70ec7a817356e6d63ef0107eba1571b0cd9253631867ee4a820744c4adb937f758a0f36fd3d2847ed05395cd41a1f9005a

\Windows\system\Rstiyqx.exe

MD5 2920ead5ef63e300aa80af029ac579b4
SHA1 b8ce5aeb01753328e4998a40462b844a6b784493
SHA256 568999708a15f74cedc6ac4d519a79096c39d9bc7e933a09dea051c04d341732
SHA512 b7b574ae82b0addda31a84a267e17e952d19ef11f95e75f83c8db6cef1ba5b411bfb82619e41a89ca6724e13548734816314b3f34ca2ad9b4f0ba561eac4fe41

C:\Windows\system\tyjRIwu.exe

MD5 be059e47d333b7f78ba1ff824b7ec9cb
SHA1 c2e42caf56eb8ec4bbccfe3b6efb176af9bd8457
SHA256 ede5ffc777e2e79f905856c72bf27890bf98f64809c46edb27996aca66cea1fa
SHA512 e3fd0bac49729bf6cc602c9c3d5a8949cce8cf1e7afa43fc59168fce6af5628fc8d002346d704ab4dc1a41a447c44b0fa0ccb3943298ea6fd08321826515e98b

C:\Windows\system\mpxHDYa.exe

MD5 c10e5c16efc15178ed97d4bb2a39d99c
SHA1 225f7ed74eaa154e2bcbe4ecc2a138fa3644138f
SHA256 72dca3017fce89f6be7478b3e5f5456afd1b5c18b40590680c404b4d0d88d28e
SHA512 5bd5401ce603b6db79da6262edaaca5c5bf2827b9cff7c0d9a7eafb2862ff43d99bdd33bb9b2ed4c9fb66c0882c08fd8f286c007f0a776ad33717ec9fe76df7b

C:\Windows\system\FWJESZa.exe

MD5 41773d419968bee8345cd4aafa51f0ab
SHA1 a7d9f3a751d8ca24da4b734bf7066a6e2d553af5
SHA256 42ebc6895128b97db509008952ff621411c684d321bd9636ef89bffdd34a373f
SHA512 62a0ed8d53afeeb2940f84c9296744d92f130d11d388c0bba83b5a95babe4c6a0b0cbc734445a93b730a2c39ef98ea07d4235141181f6d697e74c58fd55ca9f0

memory/2468-118-0x000000013F840000-0x000000013FB94000-memory.dmp

C:\Windows\system\cgVcpwe.exe

MD5 1db5ceeda4bbaa42bf4f2613ac955c32
SHA1 833d1adf03b2110556e76d775e78960366f47aaa
SHA256 def0020a27bbd1f29511c82d58f93ae041c1103824f0bbeb98bce2fe07583d33
SHA512 c60916df98dcd62110817fc396ca851dd0e9324bdce5e07087811335e6829e2f108e7c65b6cc7aca3c008d5e38dd16cd9003853511d104010f3a582bb55bd925

\Windows\system\AxsZdZI.exe

MD5 7a4e34dc32e86b37800983294c7ba17a
SHA1 5482f4138cc16869012d546ad1b4be0fc040c217
SHA256 20a7aba8ceca471b02a6b6385f81a5aab0f38c614eafbfee37304e1e47c5bac3
SHA512 b328121cf333c6bd27878cb20afc2d0fa22f207bfa15244bc2850956b0c32e3adb037a9906909738f2ff4d12e4354177beb1dbb11000af1d09b31768eed5f7a9

C:\Windows\system\BBFRDHC.exe

MD5 99cfe365a3d64a035139c025943142d8
SHA1 a23d50491b473af3e5afb79b80fa5fab50efaf0d
SHA256 42c7953080c019a2cdb77a1cfe8a4f8b472865e3d4244a52f4dcf993b139e481
SHA512 e30accad7e454d1a067b92ef3aee1c37cea26916d72d89907e05c4fc0138510b5de2d0d27e7adec6ff55d4ae3d1ad15d49ac37fc94434a020ddee23416021f34

\Windows\system\GRgXyxC.exe

MD5 5f506ed223e8444211ffc3c7aa0f47d1
SHA1 304b7347494b982ccb9efa6e202b0921457c8ae2
SHA256 bfd30658d0396ca351814fb07bbafdd3feefe4f31aa4da9e65dcb5c38ad42d16
SHA512 86ee7a11d84845d5eb661766b4144cd2b80b7cb71d0ba342cfcb4806810b37aa0e8c181dbc45d5066526fa969ff0ec5b4ae1ba0052ffce3e99a9b1cbbdfc8f07

\Windows\system\alDTIJD.exe

MD5 5e798ac0b209c975cedf9993b0217707
SHA1 8dbcd0dbecc8736ce049af55235dc5c4116f8a51
SHA256 eaf170c56a56ffb6d866b7027f3ba2e132b38a3be13ec1107a441d98661b6b06
SHA512 4b772b81b53537042d828b4e77c87987a9c1418e1a2aeae3aa6e21a3b33e42db3df0629675ef2b7bd3a7092d04f3798c9d1df3cbd8997636e4b08be5fefbbf52

C:\Windows\system\IkCflYo.exe

MD5 d39b27d70a35cd6f5401cf4a4947b209
SHA1 7ad9853d74f702f6f8b738c42f5964f646532401
SHA256 e9f560cfb432ae1238329df86fd956231d7b49ff09a6174a6fcdba3298b52b90
SHA512 b179458f1d560712e5ca5aa7f6e9d797225ea39f0d1602dabffef205761041fc9962d5a1baf23e6baea3ca686734a9f7b8538738085e534defaacb718ef3d24e

\Windows\system\cuyUwJq.exe

MD5 bc80f29969fcac10d8bebdc5277c31b5
SHA1 f87cc909ec491bba2b6fd0e27d6f5346edbfaebd
SHA256 afc76091f893aded2e61f09cd337d8d9db9759d447a5ff8f56a68dd57e82e737
SHA512 a8091ad9eefdbac6a71c61392aca5019ef1a26482ffade3897d94960cff78c45528759f7d5fd141f59a2e72ee85d1cdead653c504165f8e2837def17eb9d2fd3

memory/2704-119-0x000000013F390000-0x000000013F6E4000-memory.dmp

memory/1692-117-0x000000013F6F0000-0x000000013FA44000-memory.dmp

memory/816-116-0x000000013FC60000-0x000000013FFB4000-memory.dmp

memory/1692-115-0x000000013FC60000-0x000000013FFB4000-memory.dmp

memory/1692-114-0x00000000023A0000-0x00000000026F4000-memory.dmp

memory/2996-113-0x000000013F420000-0x000000013F774000-memory.dmp

memory/1692-112-0x00000000023A0000-0x00000000026F4000-memory.dmp

memory/2604-111-0x000000013F8D0000-0x000000013FC24000-memory.dmp

memory/1692-110-0x000000013FE60000-0x00000001401B4000-memory.dmp

memory/1692-109-0x000000013F8D0000-0x000000013FC24000-memory.dmp

memory/1692-108-0x000000013F840000-0x000000013FB94000-memory.dmp

memory/2448-107-0x000000013F310000-0x000000013F664000-memory.dmp

memory/1692-106-0x00000000023A0000-0x00000000026F4000-memory.dmp

memory/2576-105-0x000000013F0D0000-0x000000013F424000-memory.dmp

memory/1692-104-0x00000000023A0000-0x00000000026F4000-memory.dmp

memory/2440-103-0x000000013FAB0000-0x000000013FE04000-memory.dmp

memory/1692-102-0x000000013FAB0000-0x000000013FE04000-memory.dmp

memory/2524-101-0x000000013F450000-0x000000013F7A4000-memory.dmp

memory/1692-100-0x00000000023A0000-0x00000000026F4000-memory.dmp

memory/2540-99-0x000000013FDD0000-0x0000000140124000-memory.dmp

memory/1692-98-0x000000013FDD0000-0x0000000140124000-memory.dmp

memory/2460-97-0x000000013F1A0000-0x000000013F4F4000-memory.dmp

memory/1692-96-0x00000000023A0000-0x00000000026F4000-memory.dmp

memory/2144-95-0x000000013FEA0000-0x00000001401F4000-memory.dmp

memory/1692-94-0x000000013FEA0000-0x00000001401F4000-memory.dmp

C:\Windows\system\SmxUJTR.exe

MD5 11058c2ce6ec0ef88bb88b0d76df64ea
SHA1 c88712ae26ea2265be5afa8b11575eb3e75170cb
SHA256 abef12f4d87250e4dcaeab1c5ff9d995680a95fcf56f7b0af18524c208d57047
SHA512 261e86d4e87a8b33b32faededc46874d5795bd9000c132e096c126a5e9c377982ce2a9a30bc9445e2b4c351618648b01e11fde1d99b7ca5e0437ff36662d202e

C:\Windows\system\KQgiXDT.exe

MD5 08554496a32f211b3fdbeaab117b0313
SHA1 74191895e9f3029a1e3a0dc5b51121b7b8019b00
SHA256 aff800f24b107524b50a8c0cc4c28d8efb20fbd68d902d3f219b377ba4a00fff
SHA512 33706e80b8831773b36f604db868648602b0597686f36fdab118d069d5ccedca4654c818afb1dc5d8e44c576ae02f71ac515ae88213f546ce3c0750d3bd6041d

C:\Windows\system\bLPatrj.exe

MD5 313d35fbeb284bf86bac438f81c628d4
SHA1 5dca6160bd7053294676f9ad65ca2828f3377bcd
SHA256 9fd83cb09076d2efbd499a9b827535495010294a101337b3fbb1d8ea35c3edf9
SHA512 9a0aba025019c600fdf935c3f5409ae43e8a09cf538681680fc0b3f49a1360ad3f640458c3942f63e7f42a081732aa9598fa5a026bae54dc17777246ca22917d

C:\Windows\system\tQBXCAE.exe

MD5 9b734ea0d448dfc2df02c88b481a83b9
SHA1 b71ff3bd548abd5bc0f59721a13fdb187e8332b7
SHA256 3a5c4375380d4635d4faa0ff368c764bb7f85f8c5611a5c633b2a1b72b74d7e1
SHA512 8fcb65fe35efafe5310b6aa9b907c99a52b0f136311533177200cc97fd161358f7d73d29e38c2bfbd3bc4ef8443e3fb42864ee4d289fabff52ea7dfbe7d7ccb2

C:\Windows\system\ItbkGfr.exe

MD5 604f1b891a2456d3470bce79b0db40a4
SHA1 242d38a40a8236362608c75e5635da947a56989a
SHA256 4616af2651d9812bea50723358acc155e5a3a323dd92028cbe66acd1c2d0e009
SHA512 3b3b4b4735eec6e8ae169aed3c09e400009096407aa1abffb91d117ffe1b943222fa44178192cd5f97ed05ed5a50afc6614911388f4595f5223805b8cac0b261

C:\Windows\system\vOTkTgZ.exe

MD5 62ef0941444eef27eac5dc7f319bb681
SHA1 3f71567701bee32ea458958b31b077da3ab37420
SHA256 ea094f80c8c10019b6a00e491e35c3c18a736a4d1a864575ce4b569ba9d77129
SHA512 d32e231e8b1fd956b62ce79edfbe30f7c49a742e15867b8fe5dc789afe0d8102aabafd07bb5dbb4dac847cfa735df5b32bd1a8cb27100b30f4e5eea7a824cc20

C:\Windows\system\EYjFFXB.exe

MD5 93408af1daea67f3cfc6a1840c716151
SHA1 7f3da42a346c881f6eef29383bc49761ad9f7488
SHA256 38626beca2ae2cb27fb56e1b5245f28f1dfef863696b2c3453ef44672091b9f6
SHA512 b50d8638d82a095316d1b07663675515c236a4e4c7d38440e88d2197e59436bd051a116aa3dfef45a70f2bb2f9108ff451f5c238f2f7eebba7259c1b3ff9e38e

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-06 14:30

Reported

2024-06-06 14:33

Platform

win10v2004-20240426-en

Max time kernel

137s

Max time network

145s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-06_957bf82f65b2acb17162d3c4b09dd156_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\CttRTDF.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_957bf82f65b2acb17162d3c4b09dd156_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\JSNjkuT.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_957bf82f65b2acb17162d3c4b09dd156_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\rKltete.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_957bf82f65b2acb17162d3c4b09dd156_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\sayhkHR.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_957bf82f65b2acb17162d3c4b09dd156_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\tFqnlDZ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_957bf82f65b2acb17162d3c4b09dd156_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\jkIunKh.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_957bf82f65b2acb17162d3c4b09dd156_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\pNAoEIC.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_957bf82f65b2acb17162d3c4b09dd156_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\xnvpPiR.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_957bf82f65b2acb17162d3c4b09dd156_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ccLFwSj.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_957bf82f65b2acb17162d3c4b09dd156_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ubnwrrM.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_957bf82f65b2acb17162d3c4b09dd156_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\kFhUtvL.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_957bf82f65b2acb17162d3c4b09dd156_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ltKRQvE.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_957bf82f65b2acb17162d3c4b09dd156_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\BNneqTE.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_957bf82f65b2acb17162d3c4b09dd156_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\droVJZE.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_957bf82f65b2acb17162d3c4b09dd156_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\PkvwvkB.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_957bf82f65b2acb17162d3c4b09dd156_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\IqFKbLG.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_957bf82f65b2acb17162d3c4b09dd156_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\pRkqSWT.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_957bf82f65b2acb17162d3c4b09dd156_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\xoDnIQR.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_957bf82f65b2acb17162d3c4b09dd156_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\fhXLUDC.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_957bf82f65b2acb17162d3c4b09dd156_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\pUWtyOZ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_957bf82f65b2acb17162d3c4b09dd156_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\dBpJXft.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_957bf82f65b2acb17162d3c4b09dd156_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_957bf82f65b2acb17162d3c4b09dd156_cobalt-strike_cobaltstrike.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_957bf82f65b2acb17162d3c4b09dd156_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4492 wrote to memory of 1280 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_957bf82f65b2acb17162d3c4b09dd156_cobalt-strike_cobaltstrike.exe C:\Windows\System\rKltete.exe
PID 4492 wrote to memory of 1280 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_957bf82f65b2acb17162d3c4b09dd156_cobalt-strike_cobaltstrike.exe C:\Windows\System\rKltete.exe
PID 4492 wrote to memory of 4200 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_957bf82f65b2acb17162d3c4b09dd156_cobalt-strike_cobaltstrike.exe C:\Windows\System\sayhkHR.exe
PID 4492 wrote to memory of 4200 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_957bf82f65b2acb17162d3c4b09dd156_cobalt-strike_cobaltstrike.exe C:\Windows\System\sayhkHR.exe
PID 4492 wrote to memory of 4652 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_957bf82f65b2acb17162d3c4b09dd156_cobalt-strike_cobaltstrike.exe C:\Windows\System\tFqnlDZ.exe
PID 4492 wrote to memory of 4652 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_957bf82f65b2acb17162d3c4b09dd156_cobalt-strike_cobaltstrike.exe C:\Windows\System\tFqnlDZ.exe
PID 4492 wrote to memory of 3880 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_957bf82f65b2acb17162d3c4b09dd156_cobalt-strike_cobaltstrike.exe C:\Windows\System\jkIunKh.exe
PID 4492 wrote to memory of 3880 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_957bf82f65b2acb17162d3c4b09dd156_cobalt-strike_cobaltstrike.exe C:\Windows\System\jkIunKh.exe
PID 4492 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_957bf82f65b2acb17162d3c4b09dd156_cobalt-strike_cobaltstrike.exe C:\Windows\System\pNAoEIC.exe
PID 4492 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_957bf82f65b2acb17162d3c4b09dd156_cobalt-strike_cobaltstrike.exe C:\Windows\System\pNAoEIC.exe
PID 4492 wrote to memory of 4180 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_957bf82f65b2acb17162d3c4b09dd156_cobalt-strike_cobaltstrike.exe C:\Windows\System\xnvpPiR.exe
PID 4492 wrote to memory of 4180 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_957bf82f65b2acb17162d3c4b09dd156_cobalt-strike_cobaltstrike.exe C:\Windows\System\xnvpPiR.exe
PID 4492 wrote to memory of 4332 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_957bf82f65b2acb17162d3c4b09dd156_cobalt-strike_cobaltstrike.exe C:\Windows\System\IqFKbLG.exe
PID 4492 wrote to memory of 4332 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_957bf82f65b2acb17162d3c4b09dd156_cobalt-strike_cobaltstrike.exe C:\Windows\System\IqFKbLG.exe
PID 4492 wrote to memory of 1196 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_957bf82f65b2acb17162d3c4b09dd156_cobalt-strike_cobaltstrike.exe C:\Windows\System\CttRTDF.exe
PID 4492 wrote to memory of 1196 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_957bf82f65b2acb17162d3c4b09dd156_cobalt-strike_cobaltstrike.exe C:\Windows\System\CttRTDF.exe
PID 4492 wrote to memory of 1908 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_957bf82f65b2acb17162d3c4b09dd156_cobalt-strike_cobaltstrike.exe C:\Windows\System\pRkqSWT.exe
PID 4492 wrote to memory of 1908 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_957bf82f65b2acb17162d3c4b09dd156_cobalt-strike_cobaltstrike.exe C:\Windows\System\pRkqSWT.exe
PID 4492 wrote to memory of 4420 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_957bf82f65b2acb17162d3c4b09dd156_cobalt-strike_cobaltstrike.exe C:\Windows\System\JSNjkuT.exe
PID 4492 wrote to memory of 4420 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_957bf82f65b2acb17162d3c4b09dd156_cobalt-strike_cobaltstrike.exe C:\Windows\System\JSNjkuT.exe
PID 4492 wrote to memory of 4988 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_957bf82f65b2acb17162d3c4b09dd156_cobalt-strike_cobaltstrike.exe C:\Windows\System\ltKRQvE.exe
PID 4492 wrote to memory of 4988 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_957bf82f65b2acb17162d3c4b09dd156_cobalt-strike_cobaltstrike.exe C:\Windows\System\ltKRQvE.exe
PID 4492 wrote to memory of 1620 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_957bf82f65b2acb17162d3c4b09dd156_cobalt-strike_cobaltstrike.exe C:\Windows\System\ccLFwSj.exe
PID 4492 wrote to memory of 1620 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_957bf82f65b2acb17162d3c4b09dd156_cobalt-strike_cobaltstrike.exe C:\Windows\System\ccLFwSj.exe
PID 4492 wrote to memory of 1696 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_957bf82f65b2acb17162d3c4b09dd156_cobalt-strike_cobaltstrike.exe C:\Windows\System\pUWtyOZ.exe
PID 4492 wrote to memory of 1696 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_957bf82f65b2acb17162d3c4b09dd156_cobalt-strike_cobaltstrike.exe C:\Windows\System\pUWtyOZ.exe
PID 4492 wrote to memory of 1452 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_957bf82f65b2acb17162d3c4b09dd156_cobalt-strike_cobaltstrike.exe C:\Windows\System\BNneqTE.exe
PID 4492 wrote to memory of 1452 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_957bf82f65b2acb17162d3c4b09dd156_cobalt-strike_cobaltstrike.exe C:\Windows\System\BNneqTE.exe
PID 4492 wrote to memory of 4164 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_957bf82f65b2acb17162d3c4b09dd156_cobalt-strike_cobaltstrike.exe C:\Windows\System\xoDnIQR.exe
PID 4492 wrote to memory of 4164 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_957bf82f65b2acb17162d3c4b09dd156_cobalt-strike_cobaltstrike.exe C:\Windows\System\xoDnIQR.exe
PID 4492 wrote to memory of 4020 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_957bf82f65b2acb17162d3c4b09dd156_cobalt-strike_cobaltstrike.exe C:\Windows\System\fhXLUDC.exe
PID 4492 wrote to memory of 4020 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_957bf82f65b2acb17162d3c4b09dd156_cobalt-strike_cobaltstrike.exe C:\Windows\System\fhXLUDC.exe
PID 4492 wrote to memory of 1360 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_957bf82f65b2acb17162d3c4b09dd156_cobalt-strike_cobaltstrike.exe C:\Windows\System\dBpJXft.exe
PID 4492 wrote to memory of 1360 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_957bf82f65b2acb17162d3c4b09dd156_cobalt-strike_cobaltstrike.exe C:\Windows\System\dBpJXft.exe
PID 4492 wrote to memory of 4124 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_957bf82f65b2acb17162d3c4b09dd156_cobalt-strike_cobaltstrike.exe C:\Windows\System\droVJZE.exe
PID 4492 wrote to memory of 4124 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_957bf82f65b2acb17162d3c4b09dd156_cobalt-strike_cobaltstrike.exe C:\Windows\System\droVJZE.exe
PID 4492 wrote to memory of 2028 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_957bf82f65b2acb17162d3c4b09dd156_cobalt-strike_cobaltstrike.exe C:\Windows\System\ubnwrrM.exe
PID 4492 wrote to memory of 2028 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_957bf82f65b2acb17162d3c4b09dd156_cobalt-strike_cobaltstrike.exe C:\Windows\System\ubnwrrM.exe
PID 4492 wrote to memory of 3864 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_957bf82f65b2acb17162d3c4b09dd156_cobalt-strike_cobaltstrike.exe C:\Windows\System\PkvwvkB.exe
PID 4492 wrote to memory of 3864 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_957bf82f65b2acb17162d3c4b09dd156_cobalt-strike_cobaltstrike.exe C:\Windows\System\PkvwvkB.exe
PID 4492 wrote to memory of 2444 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_957bf82f65b2acb17162d3c4b09dd156_cobalt-strike_cobaltstrike.exe C:\Windows\System\kFhUtvL.exe
PID 4492 wrote to memory of 2444 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_957bf82f65b2acb17162d3c4b09dd156_cobalt-strike_cobaltstrike.exe C:\Windows\System\kFhUtvL.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-06_957bf82f65b2acb17162d3c4b09dd156_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-06_957bf82f65b2acb17162d3c4b09dd156_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\rKltete.exe

C:\Windows\System\rKltete.exe

C:\Windows\System\sayhkHR.exe

C:\Windows\System\sayhkHR.exe

C:\Windows\System\tFqnlDZ.exe

C:\Windows\System\tFqnlDZ.exe

C:\Windows\System\jkIunKh.exe

C:\Windows\System\jkIunKh.exe

C:\Windows\System\pNAoEIC.exe

C:\Windows\System\pNAoEIC.exe

C:\Windows\System\xnvpPiR.exe

C:\Windows\System\xnvpPiR.exe

C:\Windows\System\IqFKbLG.exe

C:\Windows\System\IqFKbLG.exe

C:\Windows\System\CttRTDF.exe

C:\Windows\System\CttRTDF.exe

C:\Windows\System\pRkqSWT.exe

C:\Windows\System\pRkqSWT.exe

C:\Windows\System\JSNjkuT.exe

C:\Windows\System\JSNjkuT.exe

C:\Windows\System\ltKRQvE.exe

C:\Windows\System\ltKRQvE.exe

C:\Windows\System\ccLFwSj.exe

C:\Windows\System\ccLFwSj.exe

C:\Windows\System\pUWtyOZ.exe

C:\Windows\System\pUWtyOZ.exe

C:\Windows\System\BNneqTE.exe

C:\Windows\System\BNneqTE.exe

C:\Windows\System\xoDnIQR.exe

C:\Windows\System\xoDnIQR.exe

C:\Windows\System\fhXLUDC.exe

C:\Windows\System\fhXLUDC.exe

C:\Windows\System\dBpJXft.exe

C:\Windows\System\dBpJXft.exe

C:\Windows\System\droVJZE.exe

C:\Windows\System\droVJZE.exe

C:\Windows\System\ubnwrrM.exe

C:\Windows\System\ubnwrrM.exe

C:\Windows\System\PkvwvkB.exe

C:\Windows\System\PkvwvkB.exe

C:\Windows\System\kFhUtvL.exe

C:\Windows\System\kFhUtvL.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 144.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
DE 3.120.209.58:8080 N/A tcp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
DE 3.120.209.58:8080 N/A tcp
DE 3.120.209.58:8080 N/A tcp
US 8.8.8.8:53 100.58.20.217.in-addr.arpa udp
DE 3.120.209.58:8080 N/A tcp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
DE 3.120.209.58:8080 N/A tcp
DE 3.120.209.58:8080 N/A tcp

Files

C:\Windows\System\rKltete.exe

MD5 47a338578379579e94cbcca9c2e0d0af
SHA1 ab2ad4b82c9a37e41f82bc12dad54c1b0028cf43
SHA256 74293dce66a23c2e10cf04cebc962d70a6cfb7d1b0f1216d4226b958dff4bc2d
SHA512 649a011be0f4c837cb5a283a0bd5a457f18bce60068bc2338bf59fd0116839b449347edd5271dc83b2c0c84a84ed129d7a0a42085a10551533728ee45c294bc9

C:\Windows\System\sayhkHR.exe

MD5 c54f703e8c34e11dffcf7bd3a88fb23b
SHA1 dde78ddb69571f7e194122920bc01e9890534e57
SHA256 33da098a4a70249f7b4cd2a71ecd813f76b615cb0b87fde63cca96352b813d36
SHA512 7d963f54ab840553d3ce7a7783901f1fffc40d4495f2bf128a731ed5544419192719aa3d758439b1acbddd85b5ce17df31b19c00cd94b8292b9377d92d127230

C:\Windows\System\tFqnlDZ.exe

MD5 9dd7c577d12ff69814910a7d41f8e449
SHA1 3e37ac7abec610d72ac7d1d75d8e0096ed568cc6
SHA256 cb68fab9c55dce1b7ef521f675b80f9aa7c90cbae82d6e10a30829b1b79fa526
SHA512 a528212e589c0d07a3d215979755779ad4d29e9d78b1af0fa693b7f1600690718bda277e620e6b91af2baa31762d3b7e456f3751b7f9be7741e2208ae94ce3ab

C:\Windows\System\jkIunKh.exe

MD5 b0b49edc433b768502e2b37eb3cd7577
SHA1 17c053c1dfc81d74ea2cee52d089c4a77fdc56ca
SHA256 ef5c30557342fcfa13fae23b98687657d31eccdb8f5b6802f111131e7760d377
SHA512 818fdbda0b16f4b286a1a533b4df1b9a4f4588adb6e04fa8e6d58224f0c12f8ef8f2c3b399e01837f9e446116641427b8b83dc294e3151bd06a0840872bc4672

C:\Windows\System\pNAoEIC.exe

MD5 e40459ab5b674a4694708aded5b31bfd
SHA1 0ce2f7be5cfdf46b36eba7ab340d69767e16bd31
SHA256 548b1179b7c572ef7ca0d7e893785a7ec401a52661ea7c5ccb95e1a278fba0f8
SHA512 a694e0d3f413c3dae2c0ee5d41bd331fd282ab4a11982d83e3d9dc257225f4fc6edd3ccb35246f2af15705ec1848f1e69d10f3ac9afd7a014526c067fa2ae2ce

C:\Windows\System\xnvpPiR.exe

MD5 cb32c9a3100111686250cdd6da189a87
SHA1 55a67acb56983f1e28e0d5ded88a34d1f0906dd9
SHA256 b3e4c0a32d3da3ba47a716add644ba635a7657844c516c84eaad84dcb227bef8
SHA512 57522cf8dcbef4f566b05e9a107ed81c9e9e9adf0892b0b3b8830cd5bcde38a430d55328135e6c8b84e4bc10f9678e1ce79cdb70409356763a2a4bd14ad06eef

C:\Windows\System\IqFKbLG.exe

MD5 9f61eba254e253e98b6afd345a484c35
SHA1 0a41967502e8ed516f493cf098d00ee76e53dc52
SHA256 715bda86f6e6b74a4d438e22056598049f2ed64dacad7ba91299b6922f35b9cf
SHA512 d0d525d67454a67ad579a207fe916ca5e120dbe1597fa4c8b1edb1bb2b14d7dfa094a293bdc9e756ef5e742bab8bf64561646b87b7eae546f86ac9b4c8a39a87

C:\Windows\System\CttRTDF.exe

MD5 35ce8c41e6f67f820cf31b3e5d9b0ea5
SHA1 6ba2ccf6c13a17fe2b6dd5c3ca1750928b9f8fe7
SHA256 4c640e04dd89974163e981a2230270daac17926ce36b90b5c17067629fb47ede
SHA512 ff380e825a9de2905fed74a8f488f3f1b2364cb96608a1a98ab22c49c2b45e692fa45ffe1ffadbd173dbd45c55d67941ca9ad465091387d017a08ee13156e369

C:\Windows\System\pRkqSWT.exe

MD5 cbf15f59ffdc85b89713820566300fbb
SHA1 66505a3aedd75e1414c958ed5029f43fbe667587
SHA256 b3356a73d1edf37f2ce9c267d3cc59a3c535c7ea4eb82e4d4e734c97d86a2054
SHA512 3dab3e10e318551140c7ce920cd42dd881dc047e6b811163e0ed69191b1231cd783d5f22bdc0e2d147d00f92a1fb1a9983efa3d115a2d8c642cffd0a9de323ff

C:\Windows\System\JSNjkuT.exe

MD5 ad78a8823b67f4bd7478956e58988f9f
SHA1 96d5623e1f5773a272ca8b49afd13c40507a5343
SHA256 d7b18b53cc6ea26886d525dbd0bd96913dd33d0b68417ea0687d82f9d54c8b72
SHA512 b3e41d07b4edb30ab6d8a0a3710a9afee78428571d703598bf5eace5c115ff40f40738c7d3934e69cbdb1d83e1d56e3db64dd544a7f740d6a17bf768eab88243

C:\Windows\System\ccLFwSj.exe

MD5 1b3ada09b5f140b0a0fe272a37385f94
SHA1 9d3aee1034e82849984c0a5141298fb520e2ab8b
SHA256 65fbc44e1f1e11fb8a178be9800fafcbdf61ba9b5d1b12bd17de8b315634af37
SHA512 6d9fc8337a2b291960426986ba86e9338db729406b79d656e5908a15b41f496e237be25d9a453c12de6bebbac7ce662b10bc407e4dade0a9929c5cce7f1be835

C:\Windows\System\ltKRQvE.exe

MD5 7b5731d1ad2853417e8af9179c8ea581
SHA1 f30521882ad86cffcacec8060a95c1477c3db873
SHA256 750f96cc2c493315f734b992c67d7285d03e93f3009bada4e3205abd12bc4a97
SHA512 33b909ba4185dc23959eaf02600c2446fef4d1994c62038ec62834c5f1337987faf67a7052a06bfd7cffb23bb23dfe141aa27165ddda7b9824e4457b32f9fabb

C:\Windows\System\pUWtyOZ.exe

MD5 be770b048b6960c13d35b2dbce9b58f6
SHA1 df42b480d9bf8997a38ea4b5ef68048fcf909ebc
SHA256 96dc230508667d27567eda136d2af946aee579cc02fb3949f96ac1daee2fe2c5
SHA512 068b06c16302b3df5795551d2c03acdf822fd5ee3488ce3fdd025c33172e0886c1709a801ca340f74066037b480a3495fa999049164d02116d494d15b01419f8

C:\Windows\System\BNneqTE.exe

MD5 ce0fb0af943df76e93758da63348f49c
SHA1 4366bc205fd77e0a11a0de12d950ebd7be9eb228
SHA256 da57a99a2b2b84118cd1136ebc33232e7c4ccdf9e33e480f501f2bb530985097
SHA512 c3511d5d7d8097c68d21ae88659b9af1b2d16d086e16187b51d624547ee836bf5c6de0ea396d7183b3f1d03b84fa39870b49f1601eb0f7ffb6c3883957079c00

C:\Windows\System\xoDnIQR.exe

MD5 5d23cd642acd5aaf7b0a5fb71e06d297
SHA1 7a8efb4beb97c6255f102a8e86cb07a342cd02c2
SHA256 6a578df76ab7be6edc3b8b97782170dc7f817532a615cd788ab23c86240620a6
SHA512 21c6b1a065b3200892a8ec6be0587c9869b43d61cec06b8bc2ee0910c24df931836dbc59ea779f3e01d8dddfb0062c275470bd43e29fe511d320fe859e9ae58a

C:\Windows\System\fhXLUDC.exe

MD5 dcaec5743b7d702540a33425e0d4a4fb
SHA1 dbee39835fe9c8f133aa268a842ed9df698090a1
SHA256 5196784d13b7cc63ffb0a681b5134e6dcb33c493bc48fbb893ade21f6356cdab
SHA512 f1fbb2151e4f0384749fc1a4aa5ed519775e156aa227c3b92741a1ef25c10f3c8509cbcc61e351929455bb985e70cce2ab112f1418f3a152a93022e28bfcf1c2

C:\Windows\System\dBpJXft.exe

MD5 fa6109772dee9c65913715e33041969b
SHA1 d1cf9e38a55f1dcd94bcc9597230d73dd69573fd
SHA256 7fccaae6137acc43f1f5491e31cdad25fdb35465c88873cfaa1fcdac1ef40050
SHA512 db85d5351c0a933967909395c20f733a82bb7b79e0e54669ee6272788bd6ee34087a2a86a59996451e88eac373738020950229933f957a99fa2aa4ca897d3fe9

C:\Windows\System\droVJZE.exe

MD5 e946bf5b35025a526595a46e310f9798
SHA1 8bd0d6910f6eef926eadcb0abf31b3137922d125
SHA256 a06e8e51da3888cda1084a0746bcb7565c38ec5da777e95f82150a844a6a1ef4
SHA512 c5ce05e28d06ab60cb0df50ebc7d64f4e19163660af7db91395d3ebee102c430ff8df301c915bce8a602512dfda16d3c020a3aecaf44ae9cb81adf87e921954d

C:\Windows\System\ubnwrrM.exe

MD5 f35b6ef561ffdb6086146c2f25888869
SHA1 4efe7c7d1efb0c159a1c86d8cec6329446a3cdf3
SHA256 cf1ade4e3c34f1ea05c93472785a0bbf8e98e1df96fcc05f1a954e34791cb676
SHA512 18e37bc6905346e9da22ec3bf16a77397a520c07c1d582933480b39e9e7a721965f150b8a88f7cf1c1a0b000dab0ee0c047f2bb8998fb866b9730fdef3a38d6c

C:\Windows\System\PkvwvkB.exe

MD5 47e5116cb60499ce0bceba30a9d80b51
SHA1 1e277d9e9335cd09af3562b23f13a68c4271af2c
SHA256 1b43c3a9e29da2e3f1c7dd76ceef708b5285b0ce386820c11561519010b8b436
SHA512 aed04f6cc4e3ec44c1d227d42ff471d02769db7063de8db2754f3a911ed96d7f4c0ddaefa5bce8c58d69b4657b4d67b49c898e6126d85e63089b0d466fd828c3

C:\Windows\System\kFhUtvL.exe

MD5 93dea7fa1c3a32eead1b17728086f3e2
SHA1 68d40816a8577e9f20d50280346c7c265d3dd334
SHA256 73d68a519381bb320a75551a550314b9cb99a6ccaed7e7142fc12b75b4ae6e8c
SHA512 eab157bc5ed41ad3f1113e5c0b7458135f87fd9fc01f76297c341b92d058e1711690b8d978ae862a2997d797fd9c540b4138dc8fc2c459622e8a0c0660482298
