Malware Analysis Report

2024-10-16 03:07

Sample ID 240608-gsnzqahf2x
Target 2024-06-08_9c8fc86ced5edd49f6a9e464016f5743_cobalt-strike_cobaltstrike
SHA256 4dfd92a55eac8ea306b9c7927b6c5dc995e0ceafe794bc57d06073f4b5cc52c5
Tags
miner upx 0 xmrig cobaltstrike backdoor trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

4dfd92a55eac8ea306b9c7927b6c5dc995e0ceafe794bc57d06073f4b5cc52c5

Threat Level: Known bad

The file 2024-06-08_9c8fc86ced5edd49f6a9e464016f5743_cobalt-strike_cobaltstrike was found to be: Known bad.

Malicious Activity Summary

miner upx 0 xmrig cobaltstrike backdoor trojan

UPX dump on OEP (original entry point)

Cobalt Strike reflective loader

xmrig

XMRig Miner payload

Xmrig family

Cobaltstrike family

Detects Reflective DLL injection artifacts

Cobaltstrike

UPX packed file

Loads dropped DLL

Executes dropped EXE

Drops file in Windows directory

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-08 06:04

Signatures

Cobalt Strike reflective loader

Cobaltstrike family

cobaltstrike

Detects Reflective DLL injection artifacts

UPX dump on OEP (original entry point)

XMRig Miner payload

miner
Xmrig family

xmrig

UPX packed file

upx
Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-08 06:04

Reported

2024-06-08 06:06

Platform

win7-20231129-en

Max time kernel

136s

Max time network

145s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-08_9c8fc86ced5edd49f6a9e464016f5743_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader


Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts


UPX dump on OEP (original entry point)


XMRig Miner payload

miner

Loads dropped DLL

21 identical events recorded; collapsed to one row:
Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_9c8fc86ced5edd49f6a9e464016f5743_cobalt-strike_cobaltstrike.exe N/A

UPX packed file

upx

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\kDDATMa.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_9c8fc86ced5edd49f6a9e464016f5743_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\sRsrnYP.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_9c8fc86ced5edd49f6a9e464016f5743_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\DSvPgHE.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_9c8fc86ced5edd49f6a9e464016f5743_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\mfsqTiT.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_9c8fc86ced5edd49f6a9e464016f5743_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\jwLXAGy.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_9c8fc86ced5edd49f6a9e464016f5743_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\xNzeUrI.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_9c8fc86ced5edd49f6a9e464016f5743_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\bMWYaTm.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_9c8fc86ced5edd49f6a9e464016f5743_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\LRVfIDs.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_9c8fc86ced5edd49f6a9e464016f5743_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\NkDvgOW.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_9c8fc86ced5edd49f6a9e464016f5743_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\icWZrGh.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_9c8fc86ced5edd49f6a9e464016f5743_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\BlJlSfJ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_9c8fc86ced5edd49f6a9e464016f5743_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\GupLWpW.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_9c8fc86ced5edd49f6a9e464016f5743_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\SkqBvTB.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_9c8fc86ced5edd49f6a9e464016f5743_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\FchxZct.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_9c8fc86ced5edd49f6a9e464016f5743_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\kVOWQjr.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_9c8fc86ced5edd49f6a9e464016f5743_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\nEhtEFy.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_9c8fc86ced5edd49f6a9e464016f5743_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\kXgbDsm.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_9c8fc86ced5edd49f6a9e464016f5743_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ElMcmSa.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_9c8fc86ced5edd49f6a9e464016f5743_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\wCuNEVN.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_9c8fc86ced5edd49f6a9e464016f5743_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\spzJwKW.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_9c8fc86ced5edd49f6a9e464016f5743_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\PBkHohF.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_9c8fc86ced5edd49f6a9e464016f5743_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

2 identical events recorded; collapsed to one row:
Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_9c8fc86ced5edd49f6a9e464016f5743_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Each child process received three identical WriteProcessMemory events; collapsed to one row per target:
Description Indicator Process Target
PID 1372 wrote to memory of 2992 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_9c8fc86ced5edd49f6a9e464016f5743_cobalt-strike_cobaltstrike.exe C:\Windows\System\SkqBvTB.exe
PID 1372 wrote to memory of 3056 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_9c8fc86ced5edd49f6a9e464016f5743_cobalt-strike_cobaltstrike.exe C:\Windows\System\FchxZct.exe
PID 1372 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_9c8fc86ced5edd49f6a9e464016f5743_cobalt-strike_cobaltstrike.exe C:\Windows\System\spzJwKW.exe
PID 1372 wrote to memory of 2928 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_9c8fc86ced5edd49f6a9e464016f5743_cobalt-strike_cobaltstrike.exe C:\Windows\System\bMWYaTm.exe
PID 1372 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_9c8fc86ced5edd49f6a9e464016f5743_cobalt-strike_cobaltstrike.exe C:\Windows\System\sRsrnYP.exe
PID 1372 wrote to memory of 2612 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_9c8fc86ced5edd49f6a9e464016f5743_cobalt-strike_cobaltstrike.exe C:\Windows\System\PBkHohF.exe
PID 1372 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_9c8fc86ced5edd49f6a9e464016f5743_cobalt-strike_cobaltstrike.exe C:\Windows\System\nEhtEFy.exe
PID 1372 wrote to memory of 2736 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_9c8fc86ced5edd49f6a9e464016f5743_cobalt-strike_cobaltstrike.exe C:\Windows\System\jwLXAGy.exe
PID 1372 wrote to memory of 2592 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_9c8fc86ced5edd49f6a9e464016f5743_cobalt-strike_cobaltstrike.exe C:\Windows\System\DSvPgHE.exe
PID 1372 wrote to memory of 2516 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_9c8fc86ced5edd49f6a9e464016f5743_cobalt-strike_cobaltstrike.exe C:\Windows\System\xNzeUrI.exe
PID 1372 wrote to memory of 3024 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_9c8fc86ced5edd49f6a9e464016f5743_cobalt-strike_cobaltstrike.exe C:\Windows\System\kDDATMa.exe
PID 1372 wrote to memory of 2064 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_9c8fc86ced5edd49f6a9e464016f5743_cobalt-strike_cobaltstrike.exe C:\Windows\System\LRVfIDs.exe
PID 1372 wrote to memory of 3036 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_9c8fc86ced5edd49f6a9e464016f5743_cobalt-strike_cobaltstrike.exe C:\Windows\System\NkDvgOW.exe
PID 1372 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_9c8fc86ced5edd49f6a9e464016f5743_cobalt-strike_cobaltstrike.exe C:\Windows\System\icWZrGh.exe
PID 1372 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_9c8fc86ced5edd49f6a9e464016f5743_cobalt-strike_cobaltstrike.exe C:\Windows\System\BlJlSfJ.exe
PID 1372 wrote to memory of 2780 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_9c8fc86ced5edd49f6a9e464016f5743_cobalt-strike_cobaltstrike.exe C:\Windows\System\kXgbDsm.exe
PID 1372 wrote to memory of 2856 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_9c8fc86ced5edd49f6a9e464016f5743_cobalt-strike_cobaltstrike.exe C:\Windows\System\GupLWpW.exe
PID 1372 wrote to memory of 1172 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_9c8fc86ced5edd49f6a9e464016f5743_cobalt-strike_cobaltstrike.exe C:\Windows\System\ElMcmSa.exe
PID 1372 wrote to memory of 2544 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_9c8fc86ced5edd49f6a9e464016f5743_cobalt-strike_cobaltstrike.exe C:\Windows\System\wCuNEVN.exe
PID 1372 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_9c8fc86ced5edd49f6a9e464016f5743_cobalt-strike_cobaltstrike.exe C:\Windows\System\mfsqTiT.exe
PID 1372 wrote to memory of 1548 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_9c8fc86ced5edd49f6a9e464016f5743_cobalt-strike_cobaltstrike.exe C:\Windows\System\kVOWQjr.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-08_9c8fc86ced5edd49f6a9e464016f5743_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-08_9c8fc86ced5edd49f6a9e464016f5743_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\SkqBvTB.exe

C:\Windows\System\SkqBvTB.exe

C:\Windows\System\FchxZct.exe

C:\Windows\System\FchxZct.exe

C:\Windows\System\spzJwKW.exe

C:\Windows\System\spzJwKW.exe

C:\Windows\System\bMWYaTm.exe

C:\Windows\System\bMWYaTm.exe

C:\Windows\System\sRsrnYP.exe

C:\Windows\System\sRsrnYP.exe

C:\Windows\System\PBkHohF.exe

C:\Windows\System\PBkHohF.exe

C:\Windows\System\nEhtEFy.exe

C:\Windows\System\nEhtEFy.exe

C:\Windows\System\jwLXAGy.exe

C:\Windows\System\jwLXAGy.exe

C:\Windows\System\DSvPgHE.exe

C:\Windows\System\DSvPgHE.exe

C:\Windows\System\xNzeUrI.exe

C:\Windows\System\xNzeUrI.exe

C:\Windows\System\kDDATMa.exe

C:\Windows\System\kDDATMa.exe

C:\Windows\System\LRVfIDs.exe

C:\Windows\System\LRVfIDs.exe

C:\Windows\System\NkDvgOW.exe

C:\Windows\System\NkDvgOW.exe

C:\Windows\System\icWZrGh.exe

C:\Windows\System\icWZrGh.exe

C:\Windows\System\BlJlSfJ.exe

C:\Windows\System\BlJlSfJ.exe

C:\Windows\System\kXgbDsm.exe

C:\Windows\System\kXgbDsm.exe

C:\Windows\System\GupLWpW.exe

C:\Windows\System\GupLWpW.exe

C:\Windows\System\ElMcmSa.exe

C:\Windows\System\ElMcmSa.exe

C:\Windows\System\wCuNEVN.exe

C:\Windows\System\wCuNEVN.exe

C:\Windows\System\mfsqTiT.exe

C:\Windows\System\mfsqTiT.exe

C:\Windows\System\kVOWQjr.exe

C:\Windows\System\kVOWQjr.exe

Network

6 identical connections recorded; collapsed to one row:
Country Destination Domain Proto
DE 3.120.209.58:8080 tcp

Files


memory/1372-135-0x000000013FA10000-0x000000013FD64000-memory.dmp

memory/1372-136-0x00000000023E0000-0x0000000002734000-memory.dmp

memory/2592-137-0x000000013FBD0000-0x000000013FF24000-memory.dmp

memory/3024-138-0x000000013F7F0000-0x000000013FB44000-memory.dmp

memory/1372-139-0x000000013F8B0000-0x000000013FC04000-memory.dmp

memory/1372-140-0x000000013F090000-0x000000013F3E4000-memory.dmp

memory/2992-141-0x000000013F7E0000-0x000000013FB34000-memory.dmp

memory/2668-142-0x000000013F1D0000-0x000000013F524000-memory.dmp

memory/3056-143-0x000000013F940000-0x000000013FC94000-memory.dmp

memory/2928-144-0x000000013FBD0000-0x000000013FF24000-memory.dmp

memory/2656-145-0x000000013F330000-0x000000013F684000-memory.dmp

memory/2612-146-0x000000013FA10000-0x000000013FD64000-memory.dmp

memory/2572-147-0x000000013FDE0000-0x0000000140134000-memory.dmp

memory/2736-148-0x000000013F910000-0x000000013FC64000-memory.dmp

memory/2592-149-0x000000013FBD0000-0x000000013FF24000-memory.dmp

memory/2516-150-0x000000013FD40000-0x0000000140094000-memory.dmp

memory/2064-151-0x000000013F5A0000-0x000000013F8F4000-memory.dmp

memory/2680-153-0x000000013F2D0000-0x000000013F624000-memory.dmp

memory/3024-152-0x000000013F7F0000-0x000000013FB44000-memory.dmp

memory/3036-154-0x000000013F8B0000-0x000000013FC04000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-08 06:04

Reported

2024-06-08 06:06

Platform

win10v2004-20240508-en

Max time kernel

148s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-08_9c8fc86ced5edd49f6a9e464016f5743_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A
(21 hits recorded for this signature; the report supplies no description, indicator, process or target for any of them)

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A
(21 hits recorded for this signature; the report supplies no description, indicator, process or target for any of them)

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A
(64 hits recorded for this signature; the report supplies no description, indicator, process or target for any of them)

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
(64 hits recorded for this signature; the report supplies no description, indicator, process or target for any of them)

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
(64 hits recorded for this signature; the report supplies no description, indicator, process or target for any of them)

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\xNzeUrI.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_9c8fc86ced5edd49f6a9e464016f5743_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\LRVfIDs.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_9c8fc86ced5edd49f6a9e464016f5743_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\kXgbDsm.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_9c8fc86ced5edd49f6a9e464016f5743_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\wCuNEVN.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_9c8fc86ced5edd49f6a9e464016f5743_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\bMWYaTm.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_9c8fc86ced5edd49f6a9e464016f5743_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\PBkHohF.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_9c8fc86ced5edd49f6a9e464016f5743_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\BlJlSfJ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_9c8fc86ced5edd49f6a9e464016f5743_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ElMcmSa.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_9c8fc86ced5edd49f6a9e464016f5743_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\mfsqTiT.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_9c8fc86ced5edd49f6a9e464016f5743_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\spzJwKW.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_9c8fc86ced5edd49f6a9e464016f5743_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\nEhtEFy.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_9c8fc86ced5edd49f6a9e464016f5743_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\jwLXAGy.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_9c8fc86ced5edd49f6a9e464016f5743_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\DSvPgHE.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_9c8fc86ced5edd49f6a9e464016f5743_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\kDDATMa.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_9c8fc86ced5edd49f6a9e464016f5743_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\NkDvgOW.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_9c8fc86ced5edd49f6a9e464016f5743_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\GupLWpW.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_9c8fc86ced5edd49f6a9e464016f5743_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\FchxZct.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_9c8fc86ced5edd49f6a9e464016f5743_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\sRsrnYP.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_9c8fc86ced5edd49f6a9e464016f5743_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\kVOWQjr.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_9c8fc86ced5edd49f6a9e464016f5743_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\SkqBvTB.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_9c8fc86ced5edd49f6a9e464016f5743_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\icWZrGh.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_9c8fc86ced5edd49f6a9e464016f5743_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_9c8fc86ced5edd49f6a9e464016f5743_cobalt-strike_cobaltstrike.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_9c8fc86ced5edd49f6a9e464016f5743_cobalt-strike_cobaltstrike.exe N/A

SeLockMemoryPrivilege is the privilege required to allocate large pages. XMRig tries to enable it at start-up so that its RandomX dataset can be backed by large pages, so an unsigned, UPX-packed binary requesting this token is consistent with the "XMRig Miner payload" signature above. The privilege is not granted to any account by default, and the report records only the AdjustTokenPrivileges call, not whether it succeeded.

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4016 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_9c8fc86ced5edd49f6a9e464016f5743_cobalt-strike_cobaltstrike.exe C:\Windows\System\SkqBvTB.exe
PID 4016 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_9c8fc86ced5edd49f6a9e464016f5743_cobalt-strike_cobaltstrike.exe C:\Windows\System\SkqBvTB.exe
PID 4016 wrote to memory of 2800 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_9c8fc86ced5edd49f6a9e464016f5743_cobalt-strike_cobaltstrike.exe C:\Windows\System\FchxZct.exe
PID 4016 wrote to memory of 2800 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_9c8fc86ced5edd49f6a9e464016f5743_cobalt-strike_cobaltstrike.exe C:\Windows\System\FchxZct.exe
PID 4016 wrote to memory of 1076 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_9c8fc86ced5edd49f6a9e464016f5743_cobalt-strike_cobaltstrike.exe C:\Windows\System\spzJwKW.exe
PID 4016 wrote to memory of 1076 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_9c8fc86ced5edd49f6a9e464016f5743_cobalt-strike_cobaltstrike.exe C:\Windows\System\spzJwKW.exe
PID 4016 wrote to memory of 1080 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_9c8fc86ced5edd49f6a9e464016f5743_cobalt-strike_cobaltstrike.exe C:\Windows\System\bMWYaTm.exe
PID 4016 wrote to memory of 1080 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_9c8fc86ced5edd49f6a9e464016f5743_cobalt-strike_cobaltstrike.exe C:\Windows\System\bMWYaTm.exe
PID 4016 wrote to memory of 2888 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_9c8fc86ced5edd49f6a9e464016f5743_cobalt-strike_cobaltstrike.exe C:\Windows\System\sRsrnYP.exe
PID 4016 wrote to memory of 2888 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_9c8fc86ced5edd49f6a9e464016f5743_cobalt-strike_cobaltstrike.exe C:\Windows\System\sRsrnYP.exe
PID 4016 wrote to memory of 4064 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_9c8fc86ced5edd49f6a9e464016f5743_cobalt-strike_cobaltstrike.exe C:\Windows\System\PBkHohF.exe
PID 4016 wrote to memory of 4064 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_9c8fc86ced5edd49f6a9e464016f5743_cobalt-strike_cobaltstrike.exe C:\Windows\System\PBkHohF.exe
PID 4016 wrote to memory of 4516 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_9c8fc86ced5edd49f6a9e464016f5743_cobalt-strike_cobaltstrike.exe C:\Windows\System\nEhtEFy.exe
PID 4016 wrote to memory of 4516 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_9c8fc86ced5edd49f6a9e464016f5743_cobalt-strike_cobaltstrike.exe C:\Windows\System\nEhtEFy.exe
PID 4016 wrote to memory of 900 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_9c8fc86ced5edd49f6a9e464016f5743_cobalt-strike_cobaltstrike.exe C:\Windows\System\jwLXAGy.exe
PID 4016 wrote to memory of 900 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_9c8fc86ced5edd49f6a9e464016f5743_cobalt-strike_cobaltstrike.exe C:\Windows\System\jwLXAGy.exe
PID 4016 wrote to memory of 1312 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_9c8fc86ced5edd49f6a9e464016f5743_cobalt-strike_cobaltstrike.exe C:\Windows\System\DSvPgHE.exe
PID 4016 wrote to memory of 1312 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_9c8fc86ced5edd49f6a9e464016f5743_cobalt-strike_cobaltstrike.exe C:\Windows\System\DSvPgHE.exe
PID 4016 wrote to memory of 2264 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_9c8fc86ced5edd49f6a9e464016f5743_cobalt-strike_cobaltstrike.exe C:\Windows\System\xNzeUrI.exe
PID 4016 wrote to memory of 2264 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_9c8fc86ced5edd49f6a9e464016f5743_cobalt-strike_cobaltstrike.exe C:\Windows\System\xNzeUrI.exe
PID 4016 wrote to memory of 4040 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_9c8fc86ced5edd49f6a9e464016f5743_cobalt-strike_cobaltstrike.exe C:\Windows\System\kDDATMa.exe
PID 4016 wrote to memory of 4040 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_9c8fc86ced5edd49f6a9e464016f5743_cobalt-strike_cobaltstrike.exe C:\Windows\System\kDDATMa.exe
PID 4016 wrote to memory of 1364 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_9c8fc86ced5edd49f6a9e464016f5743_cobalt-strike_cobaltstrike.exe C:\Windows\System\LRVfIDs.exe
PID 4016 wrote to memory of 1364 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_9c8fc86ced5edd49f6a9e464016f5743_cobalt-strike_cobaltstrike.exe C:\Windows\System\LRVfIDs.exe
PID 4016 wrote to memory of 3328 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_9c8fc86ced5edd49f6a9e464016f5743_cobalt-strike_cobaltstrike.exe C:\Windows\System\NkDvgOW.exe
PID 4016 wrote to memory of 3328 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_9c8fc86ced5edd49f6a9e464016f5743_cobalt-strike_cobaltstrike.exe C:\Windows\System\NkDvgOW.exe
PID 4016 wrote to memory of 2400 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_9c8fc86ced5edd49f6a9e464016f5743_cobalt-strike_cobaltstrike.exe C:\Windows\System\icWZrGh.exe
PID 4016 wrote to memory of 2400 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_9c8fc86ced5edd49f6a9e464016f5743_cobalt-strike_cobaltstrike.exe C:\Windows\System\icWZrGh.exe
PID 4016 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_9c8fc86ced5edd49f6a9e464016f5743_cobalt-strike_cobaltstrike.exe C:\Windows\System\BlJlSfJ.exe
PID 4016 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_9c8fc86ced5edd49f6a9e464016f5743_cobalt-strike_cobaltstrike.exe C:\Windows\System\BlJlSfJ.exe
PID 4016 wrote to memory of 2500 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_9c8fc86ced5edd49f6a9e464016f5743_cobalt-strike_cobaltstrike.exe C:\Windows\System\kXgbDsm.exe
PID 4016 wrote to memory of 2500 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_9c8fc86ced5edd49f6a9e464016f5743_cobalt-strike_cobaltstrike.exe C:\Windows\System\kXgbDsm.exe
PID 4016 wrote to memory of 2084 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_9c8fc86ced5edd49f6a9e464016f5743_cobalt-strike_cobaltstrike.exe C:\Windows\System\GupLWpW.exe
PID 4016 wrote to memory of 2084 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_9c8fc86ced5edd49f6a9e464016f5743_cobalt-strike_cobaltstrike.exe C:\Windows\System\GupLWpW.exe
PID 4016 wrote to memory of 4740 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_9c8fc86ced5edd49f6a9e464016f5743_cobalt-strike_cobaltstrike.exe C:\Windows\System\ElMcmSa.exe
PID 4016 wrote to memory of 4740 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_9c8fc86ced5edd49f6a9e464016f5743_cobalt-strike_cobaltstrike.exe C:\Windows\System\ElMcmSa.exe
PID 4016 wrote to memory of 4904 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_9c8fc86ced5edd49f6a9e464016f5743_cobalt-strike_cobaltstrike.exe C:\Windows\System\wCuNEVN.exe
PID 4016 wrote to memory of 4904 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_9c8fc86ced5edd49f6a9e464016f5743_cobalt-strike_cobaltstrike.exe C:\Windows\System\wCuNEVN.exe
PID 4016 wrote to memory of 1260 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_9c8fc86ced5edd49f6a9e464016f5743_cobalt-strike_cobaltstrike.exe C:\Windows\System\mfsqTiT.exe
PID 4016 wrote to memory of 1260 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_9c8fc86ced5edd49f6a9e464016f5743_cobalt-strike_cobaltstrike.exe C:\Windows\System\mfsqTiT.exe
PID 4016 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_9c8fc86ced5edd49f6a9e464016f5743_cobalt-strike_cobaltstrike.exe C:\Windows\System\kVOWQjr.exe
PID 4016 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_9c8fc86ced5edd49f6a9e464016f5743_cobalt-strike_cobaltstrike.exe C:\Windows\System\kVOWQjr.exe

Processes

PID Written by PID Image Command line
4016 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_9c8fc86ced5edd49f6a9e464016f5743_cobalt-strike_cobaltstrike.exe "C:\Users\Admin\AppData\Local\Temp\2024-06-08_9c8fc86ced5edd49f6a9e464016f5743_cobalt-strike_cobaltstrike.exe"
2832 4016 C:\Windows\System\SkqBvTB.exe C:\Windows\System\SkqBvTB.exe
2800 4016 C:\Windows\System\FchxZct.exe C:\Windows\System\FchxZct.exe
1076 4016 C:\Windows\System\spzJwKW.exe C:\Windows\System\spzJwKW.exe
1080 4016 C:\Windows\System\bMWYaTm.exe C:\Windows\System\bMWYaTm.exe
2888 4016 C:\Windows\System\sRsrnYP.exe C:\Windows\System\sRsrnYP.exe
4064 4016 C:\Windows\System\PBkHohF.exe C:\Windows\System\PBkHohF.exe
4516 4016 C:\Windows\System\nEhtEFy.exe C:\Windows\System\nEhtEFy.exe
900 4016 C:\Windows\System\jwLXAGy.exe C:\Windows\System\jwLXAGy.exe
1312 4016 C:\Windows\System\DSvPgHE.exe C:\Windows\System\DSvPgHE.exe
2264 4016 C:\Windows\System\xNzeUrI.exe C:\Windows\System\xNzeUrI.exe
4040 4016 C:\Windows\System\kDDATMa.exe C:\Windows\System\kDDATMa.exe
1364 4016 C:\Windows\System\LRVfIDs.exe C:\Windows\System\LRVfIDs.exe
3328 4016 C:\Windows\System\NkDvgOW.exe C:\Windows\System\NkDvgOW.exe
2400 4016 C:\Windows\System\icWZrGh.exe C:\Windows\System\icWZrGh.exe
2804 4016 C:\Windows\System\BlJlSfJ.exe C:\Windows\System\BlJlSfJ.exe
2500 4016 C:\Windows\System\kXgbDsm.exe C:\Windows\System\kXgbDsm.exe
2084 4016 C:\Windows\System\GupLWpW.exe C:\Windows\System\GupLWpW.exe
4740 4016 C:\Windows\System\ElMcmSa.exe C:\Windows\System\ElMcmSa.exe
4904 4016 C:\Windows\System\wCuNEVN.exe C:\Windows\System\wCuNEVN.exe
1260 4016 C:\Windows\System\mfsqTiT.exe C:\Windows\System\mfsqTiT.exe
2808 4016 C:\Windows\System\kVOWQjr.exe C:\Windows\System\kVOWQjr.exe

The process list in this analysis records only image path and command line; the PID column is taken from the "Suspicious use of WriteProcessMemory" events and the memory-dump file names (memory/<PID>-...) in this same analysis. PID 4016 is the submitted sample, and it is the process that wrote to the memory of every one of the 21 dropped executables.

Network

Country Destination Domain Proto
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 249.197.17.2.in-addr.arpa udp
DE 3.120.209.58:8080 - tcp
US 8.8.8.8:53 133.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 57.15.31.184.in-addr.arpa udp
DE 3.120.209.58:8080 - tcp
DE 3.120.209.58:8080 - tcp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
DE 3.120.209.58:8080 - tcp
DE 3.120.209.58:8080 - tcp
DE 3.120.209.58:8080 - tcp
US 8.8.8.8:53 14.179.89.13.in-addr.arpa udp

Every UDP entry is a reverse (PTR) lookup sent to 8.8.8.8; the report records no forward domain resolutions. 3.120.209.58:8080 (DE) is the only direct connection, recorded six times, and the report does not tie it to a particular process or to either the miner or the Cobalt Strike component. ("-" marks the empty Domain column for raw TCP connections.)
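
When this kind of network table is ingested, the useful split is between the background reverse lookups and the direct connections that deserve a block or a hunt. The Python below is an added example by the editor, not part of the Triage report; it parses rows in the shape printed above (the embedded rows are constructed copies of entries on this page, and the Domain column is absent for raw TCP rows exactly as here), turns each in-addr.arpa query back into the address that was being resolved, and counts the distinct non-DNS endpoints. The row regex and function names are assumptions of this example.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample rows copied in shape from this report's Network table
# ("Country Destination Domain Proto"); the Domain column is missing on raw TCP rows.
NETWORK_ROWS = [
    "US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp",
    "US 8.8.8.8:53 249.197.17.2.in-addr.arpa udp",
    "DE 3.120.209.58:8080 tcp",
    "US 8.8.8.8:53 133.32.126.40.in-addr.arpa udp",
    "DE 3.120.209.58:8080 tcp",
    "DE 3.120.209.58:8080 tcp",
]

# Optional domain group: on a TCP row the regex backtracks so "tcp" is taken as the protocol.
ROW = re.compile(
    r"^(?P<cc>[A-Z]{2}) (?P<ip>[\d.]+):(?P<port>\d+)(?: (?P<domain>\S+))? (?P<proto>tcp|udp)$"
)
PTR_SUFFIX = ".in-addr.arpa"


def ptr_to_ip(name):
    """Reverse a PTR query name d.c.b.a.in-addr.arpa back to the IPv4 address a.b.c.d."""
    if not name.endswith(PTR_SUFFIX):
        return None
    octets = name[: -len(PTR_SUFFIX)].split(".")
    if len(octets) != 4:
        return None
    try:
        return str(ipaddress.IPv4Address(".".join(reversed(octets))))
    except ValueError:
        return None


def classify(rows):
    """Split the table into reverse-lookup targets and a Counter of direct connections.

    lookups:     [ip_being_resolved, ...] in table order
    connections: Counter keyed by (ip, port, proto, country)
    """
    lookups, connections = [], Counter()
    for row in rows:
        m = ROW.match(row)
        if not m:
            continue  # skip header or malformed lines
        if m["domain"] and m["port"] == "53" and m["proto"] == "udp":
            ip = ptr_to_ip(m["domain"])
            if ip:
                lookups.append(ip)
                continue
        connections[(m["ip"], int(m["port"]), m["proto"], m["cc"])] += 1
    return lookups, connections


def direct_endpoints(rows):
    """Distinct non-DNS endpoints with hit counts, most frequent first."""
    _, connections = classify(rows)
    return connections.most_common()


if __name__ == "__main__":
    resolved, _ = classify(NETWORK_ROWS)
    print("reverse lookups for:", resolved)
    print("direct endpoints:", direct_endpoints(NETWORK_ROWS))
```

The reversed PTR names are what to check against known cloud and telemetry ranges before treating them as sample activity; the endpoint counter is what goes into the blocklist.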

Files

memory/4016-0-0x00007FF7C07A0000-0x00007FF7C0AF4000-memory.dmp

memory/4016-1-0x00000299BAD60000-0x00000299BAD70000-memory.dmp

C:\Windows\System\SkqBvTB.exe

MD5 3b53248ba8c70e5d77f81f1db49d9a99
SHA1 aebf0b8f45b29d1103100807ac33351acb945165
SHA256 70bc8fbada8f0ee7291b59d0610f5fa5d61729ec9576e7dcffe46035d94b7083
SHA512 7f0cdd9dd2f1a8fc9487a4e827832c3c86e7ce76b05820e4a3bc0a7cfa10378064d2b0027412e540375d50c6fdbfe530e0ecad9dfd4e95b3120e164c9a5727a5

C:\Windows\System\spzJwKW.exe

MD5 33f5a01ff9d2d0a7c15ce3a09908cb5f
SHA1 fe352ba4dad3c751c0e46e0d508576132b074bde
SHA256 6f92e7b62ac0b75ba40a2824189a07479f74fdff0b0c17369302035a001addfc
SHA512 cc30f5cb8a2d6033b888bb039925fdcb73db838441128a7e6846b4329d9b0608fce5f1ce2169cd538d38da88b5e6f40968d7f0227519bdabb6193ad900a7c152

C:\Windows\System\FchxZct.exe

MD5 3c80dcc88cc1ba2276555f99f3e17134
SHA1 279a6a4da31c7fea94b1a5e127d1ed56047c9589
SHA256 909d3de24927b36fd03bc6a9ae63058f013170b78a5f51b21d361a0d025825ec
SHA512 7161318da75618902a68aaf63c89448077ee1f20ea71691c8911a52730b454627eb39ee6752c7d4ccb41808978bb573707b2e583693ea3e0730844fa04799bc3

C:\Windows\System\sRsrnYP.exe

MD5 b77a66d41ca8a668a5ed185e4e990917
SHA1 019210efbef1a351240e50296aa3fd30f8fae7f1
SHA256 7252d80400f91fdfb9eda1772231ebdba1b63b7458be06640d03729443a81bca
SHA512 4295ebca6d833f1317dbb1c7b77b247d0caed2f6b0883b1a172b0e5ed5d3c0c402661ff7057a0f3ea4bb5adcd1998866176eb78c8b52146fce390bc6d5f96383

C:\Windows\System\PBkHohF.exe

MD5 4e5ad1f07e4ecf6eff54cbf41dfdedd3
SHA1 cbe5a8fb0c7a104364c0b7f6903c65eee8613737
SHA256 d45b50891e988d120c74da28d4c6cc6a4a8bb7cc455ea11007a42f2743a212e0
SHA512 b1bf1efb9778e484669e6232534aeff73045114c6bfd2ef5dcea907b0f719ba6b9a33678779b23fafc35c40734f7f6e8e4a5f914ce9a82813d8258e16ba20317

C:\Windows\System\nEhtEFy.exe

MD5 d2bc4986b5900b2496fe583033fa1b61
SHA1 4ec7b284bb4b56f17dddf098c07b637a03fbf9b9
SHA256 c886018d965b6c293a42b2ac84445ac56a034cb575910b8c12fe9e7b71983d65
SHA512 2642b1138ab9c5310ecfdc90320ecd40800d4b38e3cbc3894f50d7ce9196b13e8c7bb6b54caba4375b545022284de5f7fbb466f3150c84c1e9f9399cc05b5323

memory/900-51-0x00007FF7EF8F0000-0x00007FF7EFC44000-memory.dmp

C:\Windows\System\DSvPgHE.exe

MD5 622c96c822566f074ec2625dea1d4e97
SHA1 97c08e2cefbcc85c393d307e8e8e8918f536bbea
SHA256 89b34158465eb40671cc6c53c11161f4f35d8c10febb225b787cbeae1cf2ca36
SHA512 4c765e0c4c3a70ddf8b8c7a9d75a6a64eafadb5ae4b5cfad2f0f1c6e8609b9e5264f299e869d76ca2e5a09c70bb08ea089377d0dfe07ba19da3317035d3c8433

C:\Windows\System\xNzeUrI.exe

MD5 bfba51f2fd3e4f8f2c1a47fe748d073f
SHA1 94992f8bf2b650dffcbf9c1bd4175f9bf1492b34
SHA256 a343e2fdf4a2757fbf6a14743377d0e52873679764a0720252a85c37fe0ec857
SHA512 218080a5136411bc3ddbabe7d3c7059cb1dcbef45f6789e72b407bc99f03e24087b34c75c9deb3058d8b3c524104cb57f5472cba6ee6417d4e7fbaa8199015df

memory/2264-60-0x00007FF623050000-0x00007FF6233A4000-memory.dmp

memory/1312-54-0x00007FF76A920000-0x00007FF76AC74000-memory.dmp

C:\Windows\System\jwLXAGy.exe

MD5 f48d42e39cde0ed5646565c975d15400
SHA1 528be1164902c0b405cf620b9b93e6ba921294b6
SHA256 d72000aa611688e33d81475b5fead0d833743d063e693b4dd14616205567d49a
SHA512 22c4fa9307b4ff653c81e942493940972153be7ddcafb41a4100e3ea0167999c62bab976022354505eb3695aa20d3945258e7653e42112cddea715b7cfd1ca4d

memory/4516-49-0x00007FF7E81F0000-0x00007FF7E8544000-memory.dmp

memory/4064-38-0x00007FF7FB730000-0x00007FF7FBA84000-memory.dmp

C:\Windows\System\bMWYaTm.exe

MD5 7fa25992288e4f5c38c68e3933d74561
SHA1 f4b960eb849248e2fdc2bea6cc0e86a8bc3bd2fc
SHA256 f9760f908a931843ce4a198889f795a3a30109e9e9424ce4fd0c013ff1d97ee0
SHA512 c27c03d2d6365d26185391993ffcb8428b750ed38af73eea83ac1023d8af0c4636fd1c8063d6858703aea134bcafde98f80bc9218c7617ad0c1fcb9c1194329d

memory/2888-27-0x00007FF64DA10000-0x00007FF64DD64000-memory.dmp

memory/1080-26-0x00007FF6B29F0000-0x00007FF6B2D44000-memory.dmp

memory/1076-23-0x00007FF6C93D0000-0x00007FF6C9724000-memory.dmp

memory/2800-21-0x00007FF6B6DF0000-0x00007FF6B7144000-memory.dmp

memory/2832-11-0x00007FF74A300000-0x00007FF74A654000-memory.dmp

C:\Windows\System\kDDATMa.exe

MD5 969d429537ed4e62fae32ed737a839b0
SHA1 00e3a23082f084936dc45b0d31584baa053e79b0
SHA256 eb794d94970d0afb70bd3d612813cbc1d3839a761f53649389b2a1847ccce853
SHA512 25d5cc33e0cc61e07a762a8601f9bea9816d3090a29af0d3b5cf371b49f34e3842113af02bcaf2c66ab0a3edc3eae418ca1d6a5efb505dac92d07ae17203510e

memory/4040-68-0x00007FF6150A0000-0x00007FF6153F4000-memory.dmp

C:\Windows\System\LRVfIDs.exe

MD5 79094faeee44e3092c1ce8051be98c81
SHA1 a84ebfcc5dfdb26da04f0dd68b368ae11d463291
SHA256 23195053fce27d7966060633582064f113534a5978886addda89327b49473565
SHA512 707f42636841f4ce43e3570b6e6265f962611f863deac2c8245cf37a8d3dac9ae6a6278bbb541fdf3a22f5966cba7454c617ea51df3a59fce3792233cc3efda4

C:\Windows\System\BlJlSfJ.exe

MD5 087441ee4e8a869c06f93b88c7504867
SHA1 6693c95c20ae7f71131abfdf229ba01ea33d344f
SHA256 020990ab014cbee0b8d40180f2c56f73c4f4cbf0235a477b7f965a977f64adb7
SHA512 f23423d6f02d995f85d4f38261d16765398cc87c8796f509e3c9edd6248ec2eff4e3c0f45b8317ace3f061ff543ec836eaf67be292569765336ba0928940b8ac

C:\Windows\System\NkDvgOW.exe

MD5 852376b91d06738a116d4acc676da2df
SHA1 21981bd518d4d4981f92c1c1dbd3a7883506589c
SHA256 d4ef1a4038bc7ae3bad99f6449542485bd9292e9404e82699277c2afca4aff39
SHA512 acac0578091e5bc5a4bebabbab8e6075bbc5e65ffdbd29e00fd0172383e8075f42aed3e58d8f1650ad95819965ecd725b21c6a01e823760562912b4cecffa9a0

C:\Windows\System\kXgbDsm.exe

MD5 9bedd372e3e63f88aaee31df21b4a15a
SHA1 30673c8afab952b32ade1b4974248102a3cec3a5
SHA256 194f4815c9cf46bd8967ed35e7d5c550a457210a0b30418627e40975da82f277
SHA512 9c4377d880d59c21ccd0a763c4ed9bb1c4ed5b19bde3351d23bf18f541a462e23d7665e82e3ce5ef0dbd21c54f85cc962120122c498d45b48d222fa9f66ae482

memory/4740-112-0x00007FF7A62A0000-0x00007FF7A65F4000-memory.dmp

memory/2500-118-0x00007FF662C20000-0x00007FF662F74000-memory.dmp

C:\Windows\System\kVOWQjr.exe

MD5 720480bede1f55d724b2a4a752190e2e
SHA1 5cba1bf30ebb3bd592a2a314d290c641fc6870e6
SHA256 f7a22a9e742b1cd5cf9d5f059daff36bf962317601f54afeddf22ec66e3047b1
SHA512 fb62701c55f5a1c254290bc8e0c4628b3545c1a1297a566448cb100532bf0a14a7602777e4eba5e8792a23f04b0267bab186e5322d9acdf72f0674823a55d428

memory/1260-130-0x00007FF737C20000-0x00007FF737F74000-memory.dmp

C:\Windows\System\mfsqTiT.exe

MD5 b5979aabb373ddcb320e8fb2b686f212
SHA1 b5d077deb052141c251bbf611cfbf4a9325bd978
SHA256 252e9f051861ac6da0de291954a743d52c68e9873ee48c5e188cc5697e5dfabb
SHA512 9cfe89af89b991a2a25bb640977bb81c1850e6bc78469cb9ccdec62f24a211f9abcb1406f07cbad50ceb2e027b77e7e63b23761d0f9a8b4d294579796adf513a

memory/2888-129-0x00007FF64DA10000-0x00007FF64DD64000-memory.dmp

memory/2808-128-0x00007FF6E5EF0000-0x00007FF6E6244000-memory.dmp

memory/4904-125-0x00007FF60E680000-0x00007FF60E9D4000-memory.dmp

memory/2804-124-0x00007FF762F90000-0x00007FF7632E4000-memory.dmp

C:\Windows\System\ElMcmSa.exe

MD5 d0e8738baf71d1d89326d9ad54094127
SHA1 696793693aaaf1f6eac01a24408cda676230fb2e
SHA256 8d2c8d3ca0f226d73be8d08e3b75199e50d5eab6396f1149c1e65d9d6f6b3be9
SHA512 456afff01590badfc1cfd853a33911a85447eee6be2848b7d27457f7a6c932580c5d7922261bf0e0a73428b97b6d456a2fe002ab18a90601b82fd56f17f9ca74

C:\Windows\System\wCuNEVN.exe

MD5 35dfc89b9df80b180107e5efd3c95991
SHA1 30af2369691dfca28199ea623be9efb59027e0ca
SHA256 8b59cf3dfb198fd377608ef81e9a7a1d3996949a90b287dc2b51d1fb30ade3f8
SHA512 478e0dffbd1377e8c59427f782b1eca9f9c7a3d3d5b1c05b949bd428eedcd4b9a4551483d6443789db167c1891d782041fa7ec440591cb2f9f84c8ec80e0b3de

C:\Windows\System\GupLWpW.exe

MD5 17ee2d62482477147e0134c9d41e7c5b
SHA1 56fb257132e9caf0e07ac64a315517f37cae4fb3
SHA256 ecf57e75f4db9b7ad3180a67e3ceb6aee35ef66e571470ca77ba937b38bf7fea
SHA512 59cb0a658323a67891eb698efd68d5580bf16610f944aae26fed7cea0f1ceaee13847d41143fa2be888e765ce05b1eb00a0de03864f3ba99163fa2f51cf2e71e

memory/1080-102-0x00007FF6B29F0000-0x00007FF6B2D44000-memory.dmp

C:\Windows\System\icWZrGh.exe

MD5 73f1015adb8fc89e0cc6aadb0d15b57d
SHA1 dd5d5d642353ff7cced16bb0d518a657fac70bf3
SHA256 f26238445aa10a530048ffd0a90bc0e5fc0c09bc6b9899fe176c8b8eafc00504
SHA512 ad384529042c8f6d851568b3db0a4070fddcabbf2378962173730473176f25bc9619b571b84206dcb6a008fa7f5778b7f2e2c3d832a115e123c808ddcf776198

memory/2084-103-0x00007FF791560000-0x00007FF7918B4000-memory.dmp

memory/2400-92-0x00007FF6B48A0000-0x00007FF6B4BF4000-memory.dmp

memory/1076-91-0x00007FF6C93D0000-0x00007FF6C9724000-memory.dmp

memory/3328-85-0x00007FF66B540000-0x00007FF66B894000-memory.dmp

memory/2800-84-0x00007FF6B6DF0000-0x00007FF6B7144000-memory.dmp

memory/1364-78-0x00007FF7BFFD0000-0x00007FF7C0324000-memory.dmp

memory/4016-74-0x00007FF7C07A0000-0x00007FF7C0AF4000-memory.dmp

memory/4064-133-0x00007FF7FB730000-0x00007FF7FBA84000-memory.dmp

memory/900-134-0x00007FF7EF8F0000-0x00007FF7EFC44000-memory.dmp

memory/1312-135-0x00007FF76A920000-0x00007FF76AC74000-memory.dmp

memory/2264-136-0x00007FF623050000-0x00007FF6233A4000-memory.dmp

memory/4040-137-0x00007FF6150A0000-0x00007FF6153F4000-memory.dmp

memory/1364-138-0x00007FF7BFFD0000-0x00007FF7C0324000-memory.dmp

memory/3328-139-0x00007FF66B540000-0x00007FF66B894000-memory.dmp

memory/4740-140-0x00007FF7A62A0000-0x00007FF7A65F4000-memory.dmp

memory/2400-141-0x00007FF6B48A0000-0x00007FF6B4BF4000-memory.dmp

memory/2084-142-0x00007FF791560000-0x00007FF7918B4000-memory.dmp

memory/1260-143-0x00007FF737C20000-0x00007FF737F74000-memory.dmp

memory/2832-144-0x00007FF74A300000-0x00007FF74A654000-memory.dmp

memory/2800-145-0x00007FF6B6DF0000-0x00007FF6B7144000-memory.dmp

memory/1076-146-0x00007FF6C93D0000-0x00007FF6C9724000-memory.dmp

memory/1080-147-0x00007FF6B29F0000-0x00007FF6B2D44000-memory.dmp

memory/2888-148-0x00007FF64DA10000-0x00007FF64DD64000-memory.dmp

memory/1312-149-0x00007FF76A920000-0x00007FF76AC74000-memory.dmp

memory/4516-152-0x00007FF7E81F0000-0x00007FF7E8544000-memory.dmp

memory/4064-151-0x00007FF7FB730000-0x00007FF7FBA84000-memory.dmp

memory/900-150-0x00007FF7EF8F0000-0x00007FF7EFC44000-memory.dmp

memory/2264-153-0x00007FF623050000-0x00007FF6233A4000-memory.dmp

memory/4040-154-0x00007FF6150A0000-0x00007FF6153F4000-memory.dmp

memory/1364-155-0x00007FF7BFFD0000-0x00007FF7C0324000-memory.dmp

memory/2400-156-0x00007FF6B48A0000-0x00007FF6B4BF4000-memory.dmp

memory/3328-157-0x00007FF66B540000-0x00007FF66B894000-memory.dmp

memory/2804-159-0x00007FF762F90000-0x00007FF7632E4000-memory.dmp

memory/2500-160-0x00007FF662C20000-0x00007FF662F74000-memory.dmp

memory/4740-162-0x00007FF7A62A0000-0x00007FF7A65F4000-memory.dmp

memory/2808-163-0x00007FF6E5EF0000-0x00007FF6E6244000-memory.dmp

memory/4904-161-0x00007FF60E680000-0x00007FF60E9D4000-memory.dmp

memory/2084-158-0x00007FF791560000-0x00007FF7918B4000-memory.dmp

memory/1260-164-0x00007FF737C20000-0x00007FF737F74000-memory.dmp
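
The Files section above mixes two kinds of entry: memory dumps named memory/<PID>-<seq>-0x<start>-0x<end>-memory.dmp, and dropped files each followed by four digest lines. The Python below is an added example by the editor, not part of the Triage report; it parses a block of text in that shape (the embedded text is a constructed copy of a few entries from this page), collapses repeated dumps of the same region, validates digest lengths, and computes region sizes. Run over the full section it shows that every dumped image region of the dropped executables, and the sample's own image at 0x00007FF7C07A0000, is 0x354000 bytes. The regexes, function names and the 0x354000 default are this example's own.

```python
import re
from collections import defaultdict

# Constructed sample text copied in shape from this report's Files section.
FILES_TEXT = """
memory/4016-0-0x00007FF7C07A0000-0x00007FF7C0AF4000-memory.dmp

memory/4016-1-0x00000299BAD60000-0x00000299BAD70000-memory.dmp

C:\\Windows\\System\\kDDATMa.exe

MD5 969d429537ed4e62fae32ed737a839b0
SHA1 00e3a23082f084936dc45b0d31584baa053e79b0
SHA256 eb794d94970d0afb70bd3d612813cbc1d3839a761f53649389b2a1847ccce853
SHA512 25d5cc33e0cc61e07a762a8601f9bea9816d3090a29af0d3b5cf371b49f34e3842113af02bcaf2c66ab0a3edc3eae418ca1d6a5efb505dac92d07ae17203510e

memory/4040-68-0x00007FF6150A0000-0x00007FF6153F4000-memory.dmp

memory/4040-137-0x00007FF6150A0000-0x00007FF6153F4000-memory.dmp
"""

DUMP = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
HASH = re.compile(r"^(MD5|SHA1|SHA256|SHA512) ([0-9a-f]+)$")
HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}


def parse_files(text):
    """Return (dumps, files).

    dumps: {pid: sorted [(start, end)]}, with repeated dumps of one region collapsed
    files: {path: {algo: digest}}; a digest of the wrong length raises (copy error)
    """
    dumps, files, current = defaultdict(set), {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = DUMP.match(line)
        if m:
            dumps[int(m.group(1))].add((int(m.group(3), 16), int(m.group(4), 16)))
            continue
        m = HASH.match(line)
        if m and current:
            algo, digest = m.groups()
            if len(digest) != HASH_LEN[algo]:
                raise ValueError(f"{algo} for {current} has length {len(digest)}")
            files[current][algo] = digest
            continue
        current = line                     # any other line is a file path heading
        files.setdefault(current, {})
    return {pid: sorted(regions) for pid, regions in dumps.items()}, files


def region_sizes(dumps):
    """Size in bytes of each distinct dumped region, keyed by PID."""
    return {pid: [end - start for start, end in regions] for pid, regions in dumps.items()}


def image_regions(dumps, expected=0x354000):
    """PIDs that hold a dumped region of the given size (0x354000 for every image in this report)."""
    return sorted(pid for pid, sizes in region_sizes(dumps).items() if expected in sizes)


def missing_digests(files):
    """Paths whose entry lacks one of the four digests, e.g. a truncated copy of the section."""
    return sorted(path for path, digests in files.items() if set(digests) != set(HASH_LEN))


if __name__ == "__main__":
    d, f = parse_files(FILES_TEXT)
    print("region sizes:", {pid: [hex(s) for s in sizes] for pid, sizes in region_sizes(d).items()})
    print("image-sized regions in PIDs:", image_regions(d))
    print("incomplete hash entries:", missing_digests(f))
```

Keeping the region sizes alongside the SHA256 values is what lets two detonations of the same sample be compared: the hashes of the drops here match those listed under behavioral1 name for name, while the PIDs and load addresses differ between the two runs.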