Malware Analysis Report

2025-04-19 15:33

Sample ID 240522-zyk45agg76
Target 2024-05-22_f2c627fcf93b5cd2947ebd011606decc_cobalt-strike_cobaltstrike
SHA256 48e8c297df9937dcd80f215209ac5dfefca278643bf9138174bb25c21e252980
Tags: cobaltstrike xmrig 0 backdoor miner trojan upx
Score: 10/10

Analysis Overview

Score: 10/10

SHA256

48e8c297df9937dcd80f215209ac5dfefca278643bf9138174bb25c21e252980

Threat Level: Known bad

The file 2024-05-22_f2c627fcf93b5cd2947ebd011606decc_cobalt-strike_cobaltstrike was found to be: Known bad.

Malicious Activity Summary

cobaltstrike xmrig 0 backdoor miner trojan upx

Detects Reflective DLL injection artifacts

xmrig

XMRig Miner payload

UPX dump on OEP (original entry point)

Cobaltstrike

Xmrig family

Cobaltstrike family

Cobalt Strike reflective loader

UPX packed file

Loads dropped DLL

Executes dropped EXE

Drops file in Windows directory

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-05-22 21:07

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike family

cobaltstrike

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Xmrig family

xmrig

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-22 21:07

Reported

2024-05-22 21:10

Platform

win10v2004-20240508-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-05-22_f2c627fcf93b5cd2947ebd011606decc_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\JdYRDLb.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_f2c627fcf93b5cd2947ebd011606decc_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\dAryjjI.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_f2c627fcf93b5cd2947ebd011606decc_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\QZnpINS.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_f2c627fcf93b5cd2947ebd011606decc_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\wjuFGOR.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_f2c627fcf93b5cd2947ebd011606decc_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\WAIifaW.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_f2c627fcf93b5cd2947ebd011606decc_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\vBzIJEs.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_f2c627fcf93b5cd2947ebd011606decc_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\sXMrzDx.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_f2c627fcf93b5cd2947ebd011606decc_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\JxEsDcZ.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_f2c627fcf93b5cd2947ebd011606decc_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\bXPzJGC.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_f2c627fcf93b5cd2947ebd011606decc_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\FNAkBoU.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_f2c627fcf93b5cd2947ebd011606decc_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\thduBvM.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_f2c627fcf93b5cd2947ebd011606decc_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\DcFDwvM.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_f2c627fcf93b5cd2947ebd011606decc_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\sGRRqdF.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_f2c627fcf93b5cd2947ebd011606decc_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\KXdypXO.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_f2c627fcf93b5cd2947ebd011606decc_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\BtthDZl.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_f2c627fcf93b5cd2947ebd011606decc_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\xFLLWrQ.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_f2c627fcf93b5cd2947ebd011606decc_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ifyplgn.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_f2c627fcf93b5cd2947ebd011606decc_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ZBtGKbL.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_f2c627fcf93b5cd2947ebd011606decc_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\KxrXlHg.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_f2c627fcf93b5cd2947ebd011606decc_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\sWtOKlN.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_f2c627fcf93b5cd2947ebd011606decc_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\YpuPeqj.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_f2c627fcf93b5cd2947ebd011606decc_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_f2c627fcf93b5cd2947ebd011606decc_cobalt-strike_cobaltstrike.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_f2c627fcf93b5cd2947ebd011606decc_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4492 wrote to memory of 344 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_f2c627fcf93b5cd2947ebd011606decc_cobalt-strike_cobaltstrike.exe C:\Windows\System\vBzIJEs.exe
PID 4492 wrote to memory of 344 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_f2c627fcf93b5cd2947ebd011606decc_cobalt-strike_cobaltstrike.exe C:\Windows\System\vBzIJEs.exe
PID 4492 wrote to memory of 3472 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_f2c627fcf93b5cd2947ebd011606decc_cobalt-strike_cobaltstrike.exe C:\Windows\System\DcFDwvM.exe
PID 4492 wrote to memory of 3472 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_f2c627fcf93b5cd2947ebd011606decc_cobalt-strike_cobaltstrike.exe C:\Windows\System\DcFDwvM.exe
PID 4492 wrote to memory of 632 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_f2c627fcf93b5cd2947ebd011606decc_cobalt-strike_cobaltstrike.exe C:\Windows\System\sXMrzDx.exe
PID 4492 wrote to memory of 632 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_f2c627fcf93b5cd2947ebd011606decc_cobalt-strike_cobaltstrike.exe C:\Windows\System\sXMrzDx.exe
PID 4492 wrote to memory of 1648 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_f2c627fcf93b5cd2947ebd011606decc_cobalt-strike_cobaltstrike.exe C:\Windows\System\sGRRqdF.exe
PID 4492 wrote to memory of 1648 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_f2c627fcf93b5cd2947ebd011606decc_cobalt-strike_cobaltstrike.exe C:\Windows\System\sGRRqdF.exe
PID 4492 wrote to memory of 1584 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_f2c627fcf93b5cd2947ebd011606decc_cobalt-strike_cobaltstrike.exe C:\Windows\System\sWtOKlN.exe
PID 4492 wrote to memory of 1584 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_f2c627fcf93b5cd2947ebd011606decc_cobalt-strike_cobaltstrike.exe C:\Windows\System\sWtOKlN.exe
PID 4492 wrote to memory of 1904 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_f2c627fcf93b5cd2947ebd011606decc_cobalt-strike_cobaltstrike.exe C:\Windows\System\xFLLWrQ.exe
PID 4492 wrote to memory of 1904 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_f2c627fcf93b5cd2947ebd011606decc_cobalt-strike_cobaltstrike.exe C:\Windows\System\xFLLWrQ.exe
PID 4492 wrote to memory of 4540 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_f2c627fcf93b5cd2947ebd011606decc_cobalt-strike_cobaltstrike.exe C:\Windows\System\JxEsDcZ.exe
PID 4492 wrote to memory of 4540 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_f2c627fcf93b5cd2947ebd011606decc_cobalt-strike_cobaltstrike.exe C:\Windows\System\JxEsDcZ.exe
PID 4492 wrote to memory of 2172 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_f2c627fcf93b5cd2947ebd011606decc_cobalt-strike_cobaltstrike.exe C:\Windows\System\YpuPeqj.exe
PID 4492 wrote to memory of 2172 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_f2c627fcf93b5cd2947ebd011606decc_cobalt-strike_cobaltstrike.exe C:\Windows\System\YpuPeqj.exe
PID 4492 wrote to memory of 4968 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_f2c627fcf93b5cd2947ebd011606decc_cobalt-strike_cobaltstrike.exe C:\Windows\System\bXPzJGC.exe
PID 4492 wrote to memory of 4968 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_f2c627fcf93b5cd2947ebd011606decc_cobalt-strike_cobaltstrike.exe C:\Windows\System\bXPzJGC.exe
PID 4492 wrote to memory of 1992 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_f2c627fcf93b5cd2947ebd011606decc_cobalt-strike_cobaltstrike.exe C:\Windows\System\ZBtGKbL.exe
PID 4492 wrote to memory of 1992 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_f2c627fcf93b5cd2947ebd011606decc_cobalt-strike_cobaltstrike.exe C:\Windows\System\ZBtGKbL.exe
PID 4492 wrote to memory of 3216 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_f2c627fcf93b5cd2947ebd011606decc_cobalt-strike_cobaltstrike.exe C:\Windows\System\ifyplgn.exe
PID 4492 wrote to memory of 3216 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_f2c627fcf93b5cd2947ebd011606decc_cobalt-strike_cobaltstrike.exe C:\Windows\System\ifyplgn.exe
PID 4492 wrote to memory of 4176 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_f2c627fcf93b5cd2947ebd011606decc_cobalt-strike_cobaltstrike.exe C:\Windows\System\JdYRDLb.exe
PID 4492 wrote to memory of 4176 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_f2c627fcf93b5cd2947ebd011606decc_cobalt-strike_cobaltstrike.exe C:\Windows\System\JdYRDLb.exe
PID 4492 wrote to memory of 3464 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_f2c627fcf93b5cd2947ebd011606decc_cobalt-strike_cobaltstrike.exe C:\Windows\System\dAryjjI.exe
PID 4492 wrote to memory of 3464 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_f2c627fcf93b5cd2947ebd011606decc_cobalt-strike_cobaltstrike.exe C:\Windows\System\dAryjjI.exe
PID 4492 wrote to memory of 4812 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_f2c627fcf93b5cd2947ebd011606decc_cobalt-strike_cobaltstrike.exe C:\Windows\System\FNAkBoU.exe
PID 4492 wrote to memory of 4812 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_f2c627fcf93b5cd2947ebd011606decc_cobalt-strike_cobaltstrike.exe C:\Windows\System\FNAkBoU.exe
PID 4492 wrote to memory of 1204 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_f2c627fcf93b5cd2947ebd011606decc_cobalt-strike_cobaltstrike.exe C:\Windows\System\thduBvM.exe
PID 4492 wrote to memory of 1204 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_f2c627fcf93b5cd2947ebd011606decc_cobalt-strike_cobaltstrike.exe C:\Windows\System\thduBvM.exe
PID 4492 wrote to memory of 1272 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_f2c627fcf93b5cd2947ebd011606decc_cobalt-strike_cobaltstrike.exe C:\Windows\System\KXdypXO.exe
PID 4492 wrote to memory of 1272 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_f2c627fcf93b5cd2947ebd011606decc_cobalt-strike_cobaltstrike.exe C:\Windows\System\KXdypXO.exe
PID 4492 wrote to memory of 4440 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_f2c627fcf93b5cd2947ebd011606decc_cobalt-strike_cobaltstrike.exe C:\Windows\System\QZnpINS.exe
PID 4492 wrote to memory of 4440 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_f2c627fcf93b5cd2947ebd011606decc_cobalt-strike_cobaltstrike.exe C:\Windows\System\QZnpINS.exe
PID 4492 wrote to memory of 2816 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_f2c627fcf93b5cd2947ebd011606decc_cobalt-strike_cobaltstrike.exe C:\Windows\System\wjuFGOR.exe
PID 4492 wrote to memory of 2816 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_f2c627fcf93b5cd2947ebd011606decc_cobalt-strike_cobaltstrike.exe C:\Windows\System\wjuFGOR.exe
PID 4492 wrote to memory of 3600 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_f2c627fcf93b5cd2947ebd011606decc_cobalt-strike_cobaltstrike.exe C:\Windows\System\WAIifaW.exe
PID 4492 wrote to memory of 3600 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_f2c627fcf93b5cd2947ebd011606decc_cobalt-strike_cobaltstrike.exe C:\Windows\System\WAIifaW.exe
PID 4492 wrote to memory of 4584 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_f2c627fcf93b5cd2947ebd011606decc_cobalt-strike_cobaltstrike.exe C:\Windows\System\KxrXlHg.exe
PID 4492 wrote to memory of 4584 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_f2c627fcf93b5cd2947ebd011606decc_cobalt-strike_cobaltstrike.exe C:\Windows\System\KxrXlHg.exe
PID 4492 wrote to memory of 4880 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_f2c627fcf93b5cd2947ebd011606decc_cobalt-strike_cobaltstrike.exe C:\Windows\System\BtthDZl.exe
PID 4492 wrote to memory of 4880 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_f2c627fcf93b5cd2947ebd011606decc_cobalt-strike_cobaltstrike.exe C:\Windows\System\BtthDZl.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-05-22_f2c627fcf93b5cd2947ebd011606decc_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-05-22_f2c627fcf93b5cd2947ebd011606decc_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\vBzIJEs.exe

C:\Windows\System\vBzIJEs.exe

C:\Windows\System\DcFDwvM.exe

C:\Windows\System\DcFDwvM.exe

C:\Windows\System\sXMrzDx.exe

C:\Windows\System\sXMrzDx.exe

C:\Windows\System\sGRRqdF.exe

C:\Windows\System\sGRRqdF.exe

C:\Windows\System\sWtOKlN.exe

C:\Windows\System\sWtOKlN.exe

C:\Windows\System\xFLLWrQ.exe

C:\Windows\System\xFLLWrQ.exe

C:\Windows\System\JxEsDcZ.exe

C:\Windows\System\JxEsDcZ.exe

C:\Windows\System\YpuPeqj.exe

C:\Windows\System\YpuPeqj.exe

C:\Windows\System\bXPzJGC.exe

C:\Windows\System\bXPzJGC.exe

C:\Windows\System\ZBtGKbL.exe

C:\Windows\System\ZBtGKbL.exe

C:\Windows\System\ifyplgn.exe

C:\Windows\System\ifyplgn.exe

C:\Windows\System\JdYRDLb.exe

C:\Windows\System\JdYRDLb.exe

C:\Windows\System\dAryjjI.exe

C:\Windows\System\dAryjjI.exe

C:\Windows\System\FNAkBoU.exe

C:\Windows\System\FNAkBoU.exe

C:\Windows\System\thduBvM.exe

C:\Windows\System\thduBvM.exe

C:\Windows\System\KXdypXO.exe

C:\Windows\System\KXdypXO.exe

C:\Windows\System\QZnpINS.exe

C:\Windows\System\QZnpINS.exe

C:\Windows\System\wjuFGOR.exe

C:\Windows\System\wjuFGOR.exe

C:\Windows\System\WAIifaW.exe

C:\Windows\System\WAIifaW.exe

C:\Windows\System\KxrXlHg.exe

C:\Windows\System\KxrXlHg.exe

C:\Windows\System\BtthDZl.exe

C:\Windows\System\BtthDZl.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 240.197.17.2.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.146:443 www.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
NL 23.62.61.146:443 www.bing.com tcp
US 8.8.8.8:53 146.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp

Files

memory/4492-0-0x00007FF7FBBB0000-0x00007FF7FBF01000-memory.dmp

memory/4492-1-0x0000022CF86F0000-0x0000022CF8700000-memory.dmp

C:\Windows\System\vBzIJEs.exe

MD5 37de40c33a526bf042c9e166c04861ad
SHA1 707916a778e3d4550c58cba1b1987d0c70ecdd7c
SHA256 20954428ad3b4c39285ac299ab0065ee1f5fe82903c4ec11b8aead656515f7e8
SHA512 122c939812924e09e28fcd452ae28f7fe610d1dde8adb9d1346bde33d77102bda8d0989be47e7dedf540582b46e0bbff9b22d4b8e1be82a7c7cb3e484cd59086

C:\Windows\System\sXMrzDx.exe

MD5 036d814de366482c221294b653ae3e48
SHA1 82e32d1f1447dd5dabb48caa124ca6cae6774268
SHA256 850bb2f083e368a06f35faf68cd54d969bf13d34f02ccb24cdbefce6aabbbbae
SHA512 fae1fe3855c328fb2e7de0d4761d41f645c0f0b81b9a4ebf5cfca1edb6cbec64652aa9e31bd6743818f930f5e0571ba7d7979f1f97964da6f6daa8008ff541bb

C:\Windows\System\DcFDwvM.exe

MD5 fe11f24ff6638b8cb98b1441a2ae5512
SHA1 3b122ea9f2f8ff3a664c2f2e7b4e47b12ae12f6f
SHA256 ad39b3a2d653b7aa5788fb871e574f29bc4c2583716e5efa2e21263bce3ee529
SHA512 7742e4f5c5c149c6d0390187ad342a8bde03739d2d16dba143e971e4a23f263ce5af55e8f4575e57305b06ef6c8263b22ae400106bdbee81a7faae6fb5131804

memory/344-16-0x00007FF64B3B0000-0x00007FF64B701000-memory.dmp

C:\Windows\System\xFLLWrQ.exe

MD5 fbe66136ca75d84b7a34809b074e6e98
SHA1 b1341373c2966f2570ff28b04fac044196e0183e
SHA256 1427917ea62521c8a0e0f8eb7b92a63ab1e827d4094f43ec3006c02d81ab48e0
SHA512 a84f1a7134ebb631a839d439ab49d5255eb3d14f8d9181f4c4a0d007189fd36ed1123650e4358a2a6be9ad5e468d6fd6985ecaa6ffb2fa926628f61720628914

memory/1584-40-0x00007FF7714F0000-0x00007FF771841000-memory.dmp

C:\Windows\System\bXPzJGC.exe

MD5 cf6f0e130dcf5bc254d5f3c6ee43b18f
SHA1 50836acb1824e6392178f93f518dd56ef2a2e6fc
SHA256 a9a8f9eb3cea9778dcb6c6a4c8b43b2383b004c0ea32e4f86c51ff8c7d0d116f
SHA512 a3b5d08eb610f91b4f78d5f34e6310e32d4e60864f28ad192acd9e60fc2e7b9dd2bde3bc8a2aca7813fb1689a54ebd2b318591a5b13b63b605ceced159f84bfc

memory/4968-52-0x00007FF69B770000-0x00007FF69BAC1000-memory.dmp

C:\Windows\System\YpuPeqj.exe

MD5 837fceb8824ec7941819e46e718e1db9
SHA1 169a8d443e10812407beae622a5d0649de540024
SHA256 3a901687bad87f98ac145d4a55cc7fc8770598afed24ba5b66aa65ca3a95ab88
SHA512 e46a47ae3a6a2e7d8c129202fc6e4e0f444421142deb0de960476a8cbcdcdcca591bf557b482fc22ede73842174f4d2e53b89b5427736a8cd12e45ef7829d7cd

C:\Windows\System\JxEsDcZ.exe

MD5 12368338021b36a7fbbd8601c81baf03
SHA1 3aa4cbb763b65cd86f5e8385c58ab4e0b179be25
SHA256 f69b804bded3e181a49ea610f9b7545db5337244be5338da0b6458f1b448e466
SHA512 cb3afc71d956c231eebd2abac1bb9f94e8058dbd969e8e0acd3f2314c292ce0bc59490034ed8c89f0d8f95759241e1d6ba116ceada3e7decb3d36ad58018394b

memory/4540-49-0x00007FF6B5520000-0x00007FF6B5871000-memory.dmp

memory/2172-47-0x00007FF67AEF0000-0x00007FF67B241000-memory.dmp

memory/1904-37-0x00007FF7873C0000-0x00007FF787711000-memory.dmp

memory/1648-33-0x00007FF65FE60000-0x00007FF6601B1000-memory.dmp

C:\Windows\System\sWtOKlN.exe

MD5 3a5315dbe59ab609e32a5e810c19c820
SHA1 da571281875870d1b4ba20f099b816f82caf6035
SHA256 98ac9fabed96db63368bb9e97cfee067a0a04e112015d2a05779ea23663d5e8a
SHA512 b52932f737e089e17ed775c3f8b2aea2ffe9a208d5693a1e319cc39563c1058c1216347cf8c6b5dd408478281f0e131dc3d4a59bb3c18b5d99d714c6880a8b36

C:\Windows\System\sGRRqdF.exe

MD5 d4bc94489f05d7f8254102538a96db32
SHA1 64f91a5b0463d036c1d497ebc6d98f9cc8e03e90
SHA256 f34233f9dd5fa507d71de57ca4aa1a10916d5aff05e2e65d079d7dcc30a6f613
SHA512 162998a004971fbf1809f2da577a773b288109885430e17a3330b1cf6dd044d89c03775622e6c2ca3918f7ea14990cab06893b449916969132f93f39214e9b15

memory/3472-27-0x00007FF6B0540000-0x00007FF6B0891000-memory.dmp

memory/632-22-0x00007FF609810000-0x00007FF609B61000-memory.dmp

C:\Windows\System\ZBtGKbL.exe

MD5 b69c8e30718512130f2b412793952827
SHA1 16e2a65c169a2c918197ab37d70b0a9e83a35a5a
SHA256 9dda8090f534ffea8238f450e05f2d5c90b9f4692d893d72dcaba5c7c8f83ae2
SHA512 cd26504279316f1c35ae7d74a73a2f8e9f790e1f6246d9039b09409ca9293073ad44decb47fb5d8cccf0cd00aeeea6c86acc4589031d016c49e906a78d28507c

memory/1992-63-0x00007FF6D7610000-0x00007FF6D7961000-memory.dmp

C:\Windows\System\ifyplgn.exe

MD5 65eac8ba0bf5c059efcfd85e3a1c838a
SHA1 0eade84e5c36c6dafb5758815df1f48625fb838f
SHA256 2f2a95c715cc1d63d0d166e1503f523f8612f6282e5f0d94c793a26eff433378
SHA512 c5520e0b0b981c636efc8fa7eda76764983974ca61206e2f5ef46ba8476489f7c8830fc7f2bb61b31c72e9855efbae5cfefc5ff995a7d943c26081542e6cbdf1

C:\Windows\System\JdYRDLb.exe

MD5 2066da0f8f2b442ce72bd34aca34b548
SHA1 c5352e28610d38bf473087cfc0b1c32ffa006c65
SHA256 4fc4ade2ca9897639532a0b2b4e33c122ad5540024363e5a5e1f65e2afeec81d
SHA512 79ccce38bf301c3a5e72253d23f0b27c78ba40168143cb1221b0b6685c6316c5f23c2f5163cf464eb4481f1621905df3035206a9e963b3cfca67c93c018e652e

C:\Windows\System\dAryjjI.exe

MD5 6224debff468484d49308de1cba3e50e
SHA1 ec99fb1dc5d3d55c27eca9961390c0a41aea5cd5
SHA256 9ddfa3cf8746e1062732b5a2d69bfb109201619a936b9ac201e9269d6d1b5b08
SHA512 1b1c239eb7ee63ff03860e78fad79bbd7564ec12e4f6b04d345bc8e19eb4cc7e80bd289cba611aac9cdbbb57619cb3e91b4d90a2fa736def114d608c53ba193c

C:\Windows\System\FNAkBoU.exe

MD5 c1abdf1624a6700724e4bd300c820e2a
SHA1 6646e19c5944d0e44e2302851e6f2643fddddb48
SHA256 27a5f82755760324bb8e633493802f58785ada3b802d8a3270ef3b54b166d41d
SHA512 bb79e59f9a172c57dc898d8d965abb3c35e2ec06f2edecbbcaf963b201f0666caa3892d6baa4aaaa1b29ae72dabd53b92b5013d21f9e2ffab3e57ac8a10f6e89

C:\Windows\System\thduBvM.exe

MD5 2762902c205bd65db600a060f34dada1
SHA1 28e0bdc35d44371379795215ff6b86947af2e58e
SHA256 7d45877664c3e3cf8fee158cafbec3ef3dfcb2b9d96558756eec66b7d2340778
SHA512 451c2d96f418d91876d7922f9a48263becd5b6fc62bd8f0f6513982045568113614561f5c43d8fb4796a58415efa01a9bff66a06956556301a0db5ae751e4e6f

C:\Windows\System\wjuFGOR.exe

MD5 a078d6c5ce44bc9cae9e4bd757e7f546
SHA1 4f78030af7ee5addd7d5ad1328f7ba2f2da6e219
SHA256 90a437d8e61b6b9d01df38ad09eba7ceaa383de6b70cfb86d3ec9d88273ed380
SHA512 99ef15f0a60d94cbfb488b23ff35bd85463b7bfb5aad8c2c86363487bcbea020b8bb40772f080998e3c46836015e83509f88315d010c686264145a71594db34f

C:\Windows\System\KXdypXO.exe

MD5 ccfdab6800e2064d0003ceaf779ab1b7
SHA1 e5cbf0f484dfed50d626b585b69121c686bf7f32
SHA256 e06dff0ff4916906e440030e24382f3bec714fecb1eebfd63bb1843a73b1dfc1
SHA512 5cd4bc2fdd155f637754cb621beaf564419f32b2315bf6fc232d69662d55e80e063aaa6ae92ae0b6e7d3c496f8fdcbc0c2dbafd283104d45cc8622d737c16fbc

C:\Windows\System\WAIifaW.exe

MD5 47ffcc635e02104e189642ba7022f247
SHA1 24b7339874b6cbc31fec1098ee01f6157f471865
SHA256 b7a54a1a0845eb730840afc6712e619d186b816c7003aaa58a84c35dd0e3ca83
SHA512 4c30c3635fa9f2bcfb41f89ae49689168017e467223a9100b4497bbd606fc2fd49401f05457799c9e161915cce40d7fa8e154870b4dfeb15a11244e6450129c1

C:\Windows\System\KxrXlHg.exe

MD5 e05c24daa3c46db53a454d717ccf8b0a
SHA1 a7c702fab3c20acc67dc325782c49675c13e4550
SHA256 b0d342b558cd93f94718acacb6d2c654382d6dcdeff6bb40a698026ab00f8244
SHA512 4c3bab0ec20b7fe7700d0bd7a137b1628144f3b38ef1651eb7819e39ba6f4c1ad361ca1c179f5a6550c1b92de722a97fb39985a5878e84bed63bf3ad7db0279c

C:\Windows\System\BtthDZl.exe

MD5 94584123f2744a12babf48dba44f2323
SHA1 caa88409e8c1113f06a3b2db0d1554b8b3535c17
SHA256 d716616a00298c7b336d0059a49c624b391ce31d8da84ff71141e55cc46e22cf
SHA512 c6a70e4741555aeb40ad1c22d7abcf2151d8bb7f65c96cac51b0f4145c155d3d1b10a407b98c51f2a5526d6652d970fd2c594da3436bc9a3d69c34e0b59b305f

memory/4440-114-0x00007FF6CC420000-0x00007FF6CC771000-memory.dmp

memory/1272-106-0x00007FF7EC1F0000-0x00007FF7EC541000-memory.dmp

memory/1204-104-0x00007FF7A94D0000-0x00007FF7A9821000-memory.dmp

C:\Windows\System\QZnpINS.exe

MD5 336498fbee5713368a34e7ffc54420b2
SHA1 83235518c7bfd24cc89c69b9c25820dc8335fd11
SHA256 8fba17215ffb2803758654ff447804d12d82b78b30a2c63d0726210214361d2d
SHA512 8f198db5b1df394ed7288d0248eb5ac9655b42b29aa0dd6e70d62da5a8b46a5c014ce2061b70d16b4f5e515b35c494011efd74df55d26c2c4d6b25875eef0534

memory/632-95-0x00007FF609810000-0x00007FF609B61000-memory.dmp

memory/4492-90-0x00007FF7FBBB0000-0x00007FF7FBF01000-memory.dmp

memory/4812-89-0x00007FF63C600000-0x00007FF63C951000-memory.dmp

memory/3464-76-0x00007FF74C1E0000-0x00007FF74C531000-memory.dmp

memory/4176-75-0x00007FF657CB0000-0x00007FF658001000-memory.dmp

memory/3216-71-0x00007FF7D04D0000-0x00007FF7D0821000-memory.dmp

memory/3600-126-0x00007FF65EC80000-0x00007FF65EFD1000-memory.dmp

memory/4492-127-0x00007FF7FBBB0000-0x00007FF7FBF01000-memory.dmp

memory/2172-135-0x00007FF67AEF0000-0x00007FF67B241000-memory.dmp

memory/4968-136-0x00007FF69B770000-0x00007FF69BAC1000-memory.dmp

memory/4540-134-0x00007FF6B5520000-0x00007FF6B5871000-memory.dmp

memory/4880-138-0x00007FF79C5B0000-0x00007FF79C901000-memory.dmp

memory/1904-133-0x00007FF7873C0000-0x00007FF787711000-memory.dmp

memory/2816-139-0x00007FF77EC90000-0x00007FF77EFE1000-memory.dmp

memory/4584-140-0x00007FF659BE0000-0x00007FF659F31000-memory.dmp

memory/4176-142-0x00007FF657CB0000-0x00007FF658001000-memory.dmp

memory/3216-141-0x00007FF7D04D0000-0x00007FF7D0821000-memory.dmp

memory/4812-144-0x00007FF63C600000-0x00007FF63C951000-memory.dmp

memory/1272-146-0x00007FF7EC1F0000-0x00007FF7EC541000-memory.dmp

memory/3600-149-0x00007FF65EC80000-0x00007FF65EFD1000-memory.dmp

memory/1204-145-0x00007FF7A94D0000-0x00007FF7A9821000-memory.dmp

memory/3464-143-0x00007FF74C1E0000-0x00007FF74C531000-memory.dmp

memory/4492-152-0x00007FF7FBBB0000-0x00007FF7FBF01000-memory.dmp

memory/344-209-0x00007FF64B3B0000-0x00007FF64B701000-memory.dmp

memory/3472-210-0x00007FF6B0540000-0x00007FF6B0891000-memory.dmp

memory/632-213-0x00007FF609810000-0x00007FF609B61000-memory.dmp

memory/1648-214-0x00007FF65FE60000-0x00007FF6601B1000-memory.dmp

memory/1584-216-0x00007FF7714F0000-0x00007FF771841000-memory.dmp

memory/4968-219-0x00007FF69B770000-0x00007FF69BAC1000-memory.dmp

memory/4540-224-0x00007FF6B5520000-0x00007FF6B5871000-memory.dmp

memory/2172-223-0x00007FF67AEF0000-0x00007FF67B241000-memory.dmp

memory/1904-220-0x00007FF7873C0000-0x00007FF787711000-memory.dmp

memory/1992-227-0x00007FF6D7610000-0x00007FF6D7961000-memory.dmp

memory/3216-229-0x00007FF7D04D0000-0x00007FF7D0821000-memory.dmp

memory/4176-231-0x00007FF657CB0000-0x00007FF658001000-memory.dmp

memory/3464-233-0x00007FF74C1E0000-0x00007FF74C531000-memory.dmp

memory/4812-235-0x00007FF63C600000-0x00007FF63C951000-memory.dmp

memory/4440-237-0x00007FF6CC420000-0x00007FF6CC771000-memory.dmp

memory/1204-239-0x00007FF7A94D0000-0x00007FF7A9821000-memory.dmp

memory/2816-246-0x00007FF77EC90000-0x00007FF77EFE1000-memory.dmp

memory/4584-249-0x00007FF659BE0000-0x00007FF659F31000-memory.dmp

memory/1272-247-0x00007FF7EC1F0000-0x00007FF7EC541000-memory.dmp

memory/3600-243-0x00007FF65EC80000-0x00007FF65EFD1000-memory.dmp

memory/4880-242-0x00007FF79C5B0000-0x00007FF79C901000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-22 21:07

Reported

2024-05-22 21:10

Platform

win7-20240221-en

Max time kernel

141s

Max time network

146s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-05-22_f2c627fcf93b5cd2947ebd011606decc_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_f2c627fcf93b5cd2947ebd011606decc_cobalt-strike_cobaltstrike.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\DcFDwvM.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_f2c627fcf93b5cd2947ebd011606decc_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ifyplgn.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_f2c627fcf93b5cd2947ebd011606decc_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\JdYRDLb.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_f2c627fcf93b5cd2947ebd011606decc_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\vBzIJEs.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_f2c627fcf93b5cd2947ebd011606decc_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\sXMrzDx.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_f2c627fcf93b5cd2947ebd011606decc_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ZBtGKbL.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_f2c627fcf93b5cd2947ebd011606decc_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\KXdypXO.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_f2c627fcf93b5cd2947ebd011606decc_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\QZnpINS.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_f2c627fcf93b5cd2947ebd011606decc_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\KxrXlHg.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_f2c627fcf93b5cd2947ebd011606decc_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\sGRRqdF.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_f2c627fcf93b5cd2947ebd011606decc_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\xFLLWrQ.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_f2c627fcf93b5cd2947ebd011606decc_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\YpuPeqj.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_f2c627fcf93b5cd2947ebd011606decc_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\dAryjjI.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_f2c627fcf93b5cd2947ebd011606decc_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\wjuFGOR.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_f2c627fcf93b5cd2947ebd011606decc_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\BtthDZl.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_f2c627fcf93b5cd2947ebd011606decc_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\sWtOKlN.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_f2c627fcf93b5cd2947ebd011606decc_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\JxEsDcZ.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_f2c627fcf93b5cd2947ebd011606decc_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\bXPzJGC.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_f2c627fcf93b5cd2947ebd011606decc_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\FNAkBoU.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_f2c627fcf93b5cd2947ebd011606decc_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\thduBvM.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_f2c627fcf93b5cd2947ebd011606decc_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\WAIifaW.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_f2c627fcf93b5cd2947ebd011606decc_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_f2c627fcf93b5cd2947ebd011606decc_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2864 wrote to memory of 792 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_f2c627fcf93b5cd2947ebd011606decc_cobalt-strike_cobaltstrike.exe C:\Windows\System\vBzIJEs.exe
PID 2864 wrote to memory of 2264 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_f2c627fcf93b5cd2947ebd011606decc_cobalt-strike_cobaltstrike.exe C:\Windows\System\DcFDwvM.exe
PID 2864 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_f2c627fcf93b5cd2947ebd011606decc_cobalt-strike_cobaltstrike.exe C:\Windows\System\sXMrzDx.exe
PID 2864 wrote to memory of 2196 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_f2c627fcf93b5cd2947ebd011606decc_cobalt-strike_cobaltstrike.exe C:\Windows\System\sGRRqdF.exe
PID 2864 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_f2c627fcf93b5cd2947ebd011606decc_cobalt-strike_cobaltstrike.exe C:\Windows\System\sWtOKlN.exe
PID 2864 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_f2c627fcf93b5cd2947ebd011606decc_cobalt-strike_cobaltstrike.exe C:\Windows\System\xFLLWrQ.exe
PID 2864 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_f2c627fcf93b5cd2947ebd011606decc_cobalt-strike_cobaltstrike.exe C:\Windows\System\JxEsDcZ.exe
PID 2864 wrote to memory of 2436 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_f2c627fcf93b5cd2947ebd011606decc_cobalt-strike_cobaltstrike.exe C:\Windows\System\YpuPeqj.exe
PID 2864 wrote to memory of 2456 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_f2c627fcf93b5cd2947ebd011606decc_cobalt-strike_cobaltstrike.exe C:\Windows\System\bXPzJGC.exe
PID 2864 wrote to memory of 2516 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_f2c627fcf93b5cd2947ebd011606decc_cobalt-strike_cobaltstrike.exe C:\Windows\System\ZBtGKbL.exe
PID 2864 wrote to memory of 2976 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_f2c627fcf93b5cd2947ebd011606decc_cobalt-strike_cobaltstrike.exe C:\Windows\System\ifyplgn.exe
PID 2864 wrote to memory of 1720 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_f2c627fcf93b5cd2947ebd011606decc_cobalt-strike_cobaltstrike.exe C:\Windows\System\JdYRDLb.exe
PID 2864 wrote to memory of 1520 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_f2c627fcf93b5cd2947ebd011606decc_cobalt-strike_cobaltstrike.exe C:\Windows\System\dAryjjI.exe
PID 2864 wrote to memory of 3000 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_f2c627fcf93b5cd2947ebd011606decc_cobalt-strike_cobaltstrike.exe C:\Windows\System\FNAkBoU.exe
PID 2864 wrote to memory of 2972 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_f2c627fcf93b5cd2947ebd011606decc_cobalt-strike_cobaltstrike.exe C:\Windows\System\thduBvM.exe
PID 2864 wrote to memory of 3020 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_f2c627fcf93b5cd2947ebd011606decc_cobalt-strike_cobaltstrike.exe C:\Windows\System\KXdypXO.exe
PID 2864 wrote to memory of 2096 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_f2c627fcf93b5cd2947ebd011606decc_cobalt-strike_cobaltstrike.exe C:\Windows\System\QZnpINS.exe
PID 2864 wrote to memory of 1976 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_f2c627fcf93b5cd2947ebd011606decc_cobalt-strike_cobaltstrike.exe C:\Windows\System\wjuFGOR.exe
PID 2864 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_f2c627fcf93b5cd2947ebd011606decc_cobalt-strike_cobaltstrike.exe C:\Windows\System\WAIifaW.exe
PID 2864 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_f2c627fcf93b5cd2947ebd011606decc_cobalt-strike_cobaltstrike.exe C:\Windows\System\KxrXlHg.exe
PID 2864 wrote to memory of 1748 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_f2c627fcf93b5cd2947ebd011606decc_cobalt-strike_cobaltstrike.exe C:\Windows\System\BtthDZl.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-05-22_f2c627fcf93b5cd2947ebd011606decc_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-05-22_f2c627fcf93b5cd2947ebd011606decc_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\vBzIJEs.exe

C:\Windows\System\vBzIJEs.exe

C:\Windows\System\DcFDwvM.exe

C:\Windows\System\DcFDwvM.exe

C:\Windows\System\sXMrzDx.exe

C:\Windows\System\sXMrzDx.exe

C:\Windows\System\sGRRqdF.exe

C:\Windows\System\sGRRqdF.exe

C:\Windows\System\sWtOKlN.exe

C:\Windows\System\sWtOKlN.exe

C:\Windows\System\xFLLWrQ.exe

C:\Windows\System\xFLLWrQ.exe

C:\Windows\System\JxEsDcZ.exe

C:\Windows\System\JxEsDcZ.exe

C:\Windows\System\YpuPeqj.exe

C:\Windows\System\YpuPeqj.exe

C:\Windows\System\bXPzJGC.exe

C:\Windows\System\bXPzJGC.exe

C:\Windows\System\ZBtGKbL.exe

C:\Windows\System\ZBtGKbL.exe

C:\Windows\System\ifyplgn.exe

C:\Windows\System\ifyplgn.exe

C:\Windows\System\JdYRDLb.exe

C:\Windows\System\JdYRDLb.exe

C:\Windows\System\dAryjjI.exe

C:\Windows\System\dAryjjI.exe

C:\Windows\System\FNAkBoU.exe

C:\Windows\System\FNAkBoU.exe

C:\Windows\System\thduBvM.exe

C:\Windows\System\thduBvM.exe

C:\Windows\System\KXdypXO.exe

C:\Windows\System\KXdypXO.exe

C:\Windows\System\QZnpINS.exe

C:\Windows\System\QZnpINS.exe

C:\Windows\System\wjuFGOR.exe

C:\Windows\System\wjuFGOR.exe

C:\Windows\System\WAIifaW.exe

C:\Windows\System\WAIifaW.exe

C:\Windows\System\KxrXlHg.exe

C:\Windows\System\KxrXlHg.exe

C:\Windows\System\BtthDZl.exe

C:\Windows\System\BtthDZl.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 tcp

Files
