Malware Analysis Report

2025-01-06 17:55

Sample ID 240527-wst83acg21
Target 2024-05-27_b8fcda374af72ad2161f20e6ba7503d9_cobalt-strike_cobaltstrike
SHA256 55d03d48cd050dc88739c520514c649046b38b4573fc1dde9ec4a0d180a52ada
Tags
cobaltstrike xmrig 0 backdoor miner trojan upx
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
Analysis: static1 (Detonation Overview, Signatures)
Analysis: behavioral2 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral1 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)

Analysis Overview

score
10/10

SHA256

55d03d48cd050dc88739c520514c649046b38b4573fc1dde9ec4a0d180a52ada

Threat Level: Known bad

The file 2024-05-27_b8fcda374af72ad2161f20e6ba7503d9_cobalt-strike_cobaltstrike was found to be: Known bad.

Malicious Activity Summary

Tags: cobaltstrike xmrig 0 backdoor miner trojan upx

Cobaltstrike family
Cobalt Strike reflective loader
Detects Reflective DLL injection artifacts

Xmrig family
XMRig Miner payload

Other signatures
UPX packed file
UPX dump on OEP (original entry point)
Unsigned PE
Loads dropped DLL
Executes dropped EXE
Drops file in Windows directory
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-05-27 18:11

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike family

cobaltstrike

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Xmrig family

xmrig

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-27 18:11

Reported

2024-05-27 18:14

Platform

win10v2004-20240426-en

Max time kernel

140s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-05-27_b8fcda374af72ad2161f20e6ba7503d9_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
21 hits recorded; all four fields N/A (the sandbox logged the match but no per-hit detail).

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
21 hits recorded; all fields N/A.

UPX dump on OEP (original entry point)

Description Indicator Process Target
64 hits recorded; all fields N/A.

XMRig Miner payload

miner
Description Indicator Process Target
64 hits recorded; all fields N/A.

UPX packed file

upx
Description Indicator Process Target
64 hits recorded; all fields N/A.

Drops file in Windows directory

Description Indicator Process Target
All 21 rows: Description "File created", Indicator N/A, Target N/A, Process C:\Users\Admin\AppData\Local\Temp\2024-05-27_b8fcda374af72ad2161f20e6ba7503d9_cobalt-strike_cobaltstrike.exe. Files created, in the order logged:

C:\Windows\System\nwwPTHV.exe
C:\Windows\System\yAuAxVq.exe
C:\Windows\System\NpyRNKN.exe
C:\Windows\System\LKBqiuz.exe
C:\Windows\System\xMRhQCs.exe
C:\Windows\System\HaVOptC.exe
C:\Windows\System\FuFnSJa.exe
C:\Windows\System\AWtwYgB.exe
C:\Windows\System\AAVfAVv.exe
C:\Windows\System\HqGvonj.exe
C:\Windows\System\MUcVsFC.exe
C:\Windows\System\bEreGKp.exe
C:\Windows\System\eDnuyfI.exe
C:\Windows\System\URneELu.exe
C:\Windows\System\zwMUkrD.exe
C:\Windows\System\MOmSpLW.exe
C:\Windows\System\RMQxwuK.exe
C:\Windows\System\qqEdNBJ.exe
C:\Windows\System\nvAhfaW.exe
C:\Windows\System\eAkOuky.exe
C:\Windows\System\nlDPfHI.exe

Every name is seven mixed-case letters followed by .exe, written into C:\Windows\System\ (not System32). Creating files there needs an administrative token, which the sandbox user (Admin) has; on a least-privilege host this stage would be denied. The name pattern, not the individual names, is what to hunt for.

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_b8fcda374af72ad2161f20e6ba7503d9_cobalt-strike_cobaltstrike.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_b8fcda374af72ad2161f20e6ba7503d9_cobalt-strike_cobaltstrike.exe N/A

SeLockMemoryPrivilege ("Lock pages in memory") is the right XMRig enables so it can use large pages for its hashing memory. Ordinary user software almost never touches it, so a process enabling this privilege (Security event 4703 when Audit Token Right Adjusted is on) is a strong, low-noise miner signal. Here it is enabled by the original sample itself, not by one of the dropped copies.

Suspicious use of WriteProcessMemory

Description Indicator Process Target
Every row has Process = C:\Users\Admin\AppData\Local\Temp\2024-05-27_b8fcda374af72ad2161f20e6ba7503d9_cobalt-strike_cobaltstrike.exe (PID 2816) and Indicator = N/A. PID 2816 wrote to the memory of each child twice, in this order:

PID 4480  C:\Windows\System\eAkOuky.exe
PID 2812  C:\Windows\System\AWtwYgB.exe
PID 1164  C:\Windows\System\nlDPfHI.exe
PID 4844  C:\Windows\System\AAVfAVv.exe
PID 5068  C:\Windows\System\LKBqiuz.exe
PID 3200  C:\Windows\System\xMRhQCs.exe
PID 2232  C:\Windows\System\nwwPTHV.exe
PID 4024  C:\Windows\System\HaVOptC.exe
PID 3324  C:\Windows\System\FuFnSJa.exe
PID 1680  C:\Windows\System\URneELu.exe
PID 2716  C:\Windows\System\zwMUkrD.exe
PID 4280  C:\Windows\System\bEreGKp.exe
PID 396   C:\Windows\System\MOmSpLW.exe
PID 4836  C:\Windows\System\eDnuyfI.exe
PID 4404  C:\Windows\System\RMQxwuK.exe
PID 620   C:\Windows\System\yAuAxVq.exe
PID 2584  C:\Windows\System\HqGvonj.exe
PID 5104  C:\Windows\System\MUcVsFC.exe
PID 4740  C:\Windows\System\NpyRNKN.exe
PID 1064  C:\Windows\System\qqEdNBJ.exe
PID 2124  C:\Windows\System\nvAhfaW.exe

Two writes into a just-created child are also what an ordinary CreateProcess call produces when the parent fills in the new process's parameters, so this signature on its own does not prove injection; confirm that from the memory dumps listed under Files rather than from these rows.
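The three behaviours above (seven-letter .exe files dropped into C:\Windows\System\, each then executed by the dropper, and SeLockMemoryPrivilege enabled in the dropper's own token) make a compact hunting rule. The block below is an added example, not part of the sandbox output: it replays constructed event records modelled on the rows above through three rules and combines them into a verdict. The field layout (Sysmon event 11 for file create, event 1 for process create, Security event 4703 for a token right adjusted) is an assumption about how the telemetry would arrive, and the sqlservr.exe allowlist entry is illustrative; real allowlists are site-specific.

```python
"""Hunting rules for the drop-and-spawn behaviour recorded in this report.

Added example; the event records are CONSTRUCTED from the report's rows,
and the field layout (Sysmon EventID 11 = FileCreate, 1 = ProcessCreate,
Security EventID 4703 = token right adjusted) is an assumption, not a
format this page documents.
"""
import ntpath
import re
from collections import defaultdict

ORIGINAL = (r"C:\Users\Admin\AppData\Local\Temp"
            r"\2024-05-27_b8fcda374af72ad2161f20e6ba7503d9_cobalt-strike_cobaltstrike.exe")

TEMP_DIR_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
# Every dropped name in the report is seven mixed-case letters plus .exe.
RANDOM_NAME_RE = re.compile(r"^[A-Za-z]{7}\.exe$")
SYSTEM_DIR = "c:\\windows\\system\\"
# Assumption: site allowlist of programs that legitimately enable large pages.
LOCK_MEMORY_ALLOWLIST = {"sqlservr.exe"}

# Constructed events (values from the report, layout assumed; see docstring).
EVENTS = [
    {"id": 11, "pid": 2816, "image": ORIGINAL, "target": r"C:\Windows\System\eAkOuky.exe"},
    {"id": 11, "pid": 2816, "image": ORIGINAL, "target": r"C:\Windows\System\AWtwYgB.exe"},
    {"id": 1, "pid": 4480, "ppid": 2816, "image": r"C:\Windows\System\eAkOuky.exe"},
    {"id": 1, "pid": 2812, "ppid": 2816, "image": r"C:\Windows\System\AWtwYgB.exe"},
    {"id": 4703, "pid": 2816, "image": ORIGINAL, "enabled": ["SeLockMemoryPrivilege"]},
    # Benign noise the rules must ignore: a normal file under System32, and a
    # database engine that is expected to hold "Lock pages in memory".
    {"id": 11, "pid": 900, "image": r"C:\Windows\System32\msiexec.exe",
     "target": r"C:\Windows\System32\drivers\etc\hosts"},
    {"id": 4703, "pid": 1200, "image": r"C:\Program Files\MSSQL\Binn\sqlservr.exe",
     "enabled": ["SeLockMemoryPrivilege"]},
]

RULE_DROP = "temp_binary_drops_random_exe_into_windows_system"
RULE_EXEC = "executes_dropped_exe"
RULE_LOCK = "enables_SeLockMemoryPrivilege"


def analyze(events):
    """Return (rule, pid, path) findings.
    DROP: a binary running from the user's Temp folder creates a 7-letter .exe
          directly in the Windows System directory.
    EXEC: a process starts from a path its parent dropped earlier in the stream.
    LOCK: a non-allowlisted process enables SeLockMemoryPrivilege (XMRig does
          this to back its hashing memory with large pages)."""
    dropped_by = defaultdict(set)        # dropping pid -> lowercase dropped paths
    findings = []
    for ev in events:
        image = ev["image"]
        if ev["id"] == 11:
            target = ev["target"]
            if (target.lower().startswith(SYSTEM_DIR)
                    and RANDOM_NAME_RE.match(ntpath.basename(target))
                    and TEMP_DIR_RE.search(image)):
                dropped_by[ev["pid"]].add(target.lower())
                findings.append((RULE_DROP, ev["pid"], target))
        elif ev["id"] == 1:
            if image.lower() in dropped_by.get(ev.get("ppid"), ()):
                findings.append((RULE_EXEC, ev["pid"], image))
        elif ev["id"] == 4703:
            if ("SeLockMemoryPrivilege" in ev.get("enabled", [])
                    and ntpath.basename(image).lower() not in LOCK_MEMORY_ALLOWLIST):
                findings.append((RULE_LOCK, ev["pid"], image))
    return findings


def verdict(findings):
    """Escalate only when the whole chain is present, as it is in this report."""
    hit = {rule for rule, _, _ in findings}
    if {RULE_DROP, RULE_EXEC, RULE_LOCK} <= hit:
        return "dropper+miner chain"
    return "suspicious" if hit else "clean"


if __name__ == "__main__":
    for finding in analyze(EVENTS):
        print(*finding)
    print(verdict(analyze(EVENTS)))
```

The EXEC rule keys on the parent PID so that a dropped copy started by anything other than the dropper still shows up as a DROP hit but not as an EXEC hit; that keeps the verdict honest when only part of the chain is visible in a given log window.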

Processes

C:\Users\Admin\AppData\Local\Temp\2024-05-27_b8fcda374af72ad2161f20e6ba7503d9_cobalt-strike_cobaltstrike.exe (PID 2816)
  command line: "C:\Users\Admin\AppData\Local\Temp\2024-05-27_b8fcda374af72ad2161f20e6ba7503d9_cobalt-strike_cobaltstrike.exe"

Processes started from the dropped files (PIDs taken from the WriteProcessMemory rows above; each one's command line is its own path with no arguments):
  C:\Windows\System\eAkOuky.exe (PID 4480)
  C:\Windows\System\AWtwYgB.exe (PID 2812)
  C:\Windows\System\nlDPfHI.exe (PID 1164)
  C:\Windows\System\AAVfAVv.exe (PID 4844)
  C:\Windows\System\LKBqiuz.exe (PID 5068)
  C:\Windows\System\xMRhQCs.exe (PID 3200)
  C:\Windows\System\nwwPTHV.exe (PID 2232)
  C:\Windows\System\HaVOptC.exe (PID 4024)
  C:\Windows\System\FuFnSJa.exe (PID 3324)
  C:\Windows\System\URneELu.exe (PID 1680)
  C:\Windows\System\zwMUkrD.exe (PID 2716)
  C:\Windows\System\bEreGKp.exe (PID 4280)
  C:\Windows\System\MOmSpLW.exe (PID 396)
  C:\Windows\System\eDnuyfI.exe (PID 4836)
  C:\Windows\System\RMQxwuK.exe (PID 4404)
  C:\Windows\System\yAuAxVq.exe (PID 620)
  C:\Windows\System\HqGvonj.exe (PID 2584)
  C:\Windows\System\MUcVsFC.exe (PID 5104)
  C:\Windows\System\NpyRNKN.exe (PID 4740)
  C:\Windows\System\qqEdNBJ.exe (PID 1064)
  C:\Windows\System\nvAhfaW.exe (PID 2124)

Network

Country Destination Domain Proto
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 138.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
DE 3.120.209.58:8080 - tcp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 - udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
DE 3.120.209.58:8080 - tcp
DE 3.120.209.58:8080 - tcp
DE 3.120.209.58:8080 - tcp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
DE 3.120.209.58:8080 - tcp
DE 3.120.209.58:8080 - tcp

("-" marks a Domain field the report left blank.) The in-addr.arpa rows are reverse-DNS (PTR) lookups sent to the sandbox resolver 8.8.8.8; lookups of that kind are routinely generated by the OS image itself and should be checked against known Microsoft and CDN ranges before being listed as indicators. The only direct connection is to 3.120.209.58 on TCP port 8080, made six times within the 151 s network window, which makes it the endpoint to block and hunt for. The report records no request or beacon content for it.
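As an added example (not part of the report), the block below parses the Network rows exactly as the report prints them, reverses each in-addr.arpa name back to the IP that was looked up, and counts the direct connections, so the one endpoint worth blocking is separated from resolver noise. The rows are the report's; the parsing and classification are ours.

```python
"""Triage of the Network table above: split reverse-DNS (PTR) lookups from
direct connections and count repeated endpoints.

Added example; the rows are copied from the report, everything else is ours.
"""
import re
from collections import Counter

# Rows as printed in the report (Country, Destination, Domain, Proto); the
# Domain column is blank for the TCP rows and for one DNS row.
NETWORK_ROWS = """\
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 138.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
"""

# Domain is optional and, when present, must contain a dot so that a bare
# "udp"/"tcp" is never mistaken for a name.
ROW_RE = re.compile(
    r"^(?P<cc>[A-Z]{2}) (?P<dest>\S+)(?: (?P<domain>\S+\.\S+))? (?P<proto>tcp|udp)$"
)
PTR_SUFFIX = ".in-addr.arpa"


def parse_rows(text):
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            raise ValueError(f"unparsed row: {line!r}")
        rows.append(m.groupdict())          # "domain" is None when blank
    return rows


def ptr_to_ip(name):
    """Turn '241.150.49.20.in-addr.arpa' back into '20.49.150.241'."""
    if not name.lower().endswith(PTR_SUFFIX):
        return None
    labels = name[: -len(PTR_SUFFIX)].split(".")
    if len(labels) != 4 or not all(x.isdigit() and int(x) < 256 for x in labels):
        return None
    return ".".join(reversed(labels))


def triage(rows):
    """Separate DNS traffic from direct connections and count the latter."""
    ptr_targets, unnamed_dns, direct = [], 0, Counter()
    for r in rows:
        if r["dest"].endswith(":53") and r["proto"] == "udp":
            ip = ptr_to_ip(r["domain"]) if r["domain"] else None
            if ip:
                ptr_targets.append(ip)
            else:
                unnamed_dns += 1
        else:
            direct[f'{r["dest"]}/{r["proto"]}'] += 1
    return {"ptr_targets": ptr_targets, "unnamed_dns": unnamed_dns, "direct": direct}


if __name__ == "__main__":
    t = triage(parse_rows(NETWORK_ROWS))
    print("reverse-looked-up IPs:", ", ".join(t["ptr_targets"]))
    print("DNS rows with no name recorded:", t["unnamed_dns"])
    for endpoint, n in t["direct"].most_common():
        print(f"direct connection {endpoint}: {n} rows")
```

The reversed PTR targets are what you compare against your allowlist of OS and CDN ranges; the `direct` counter is the blocklist candidate list, here a single entry.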

Files

memory/2816-0-0x00007FF6A76F0000-0x00007FF6A7A44000-memory.dmp

memory/2816-1-0x00000265CCF20000-0x00000265CCF30000-memory.dmp

C:\Windows\System\eAkOuky.exe

MD5 0792c7c68cac01ceeb010d5f3a4b3fab
SHA1 f989693051623c0539f7c625e43e97bb14ec0226
SHA256 71bf069e766647aee39f1e272cd6f9b43d3616217e6b90445ec90987cae30730
SHA512 9b6c91e56c57d91ce0a23cf6029dc73be400bd193d269c0ce9ba77b0641957a40f8917267cb9cc9e583a72c4061533239aea9423a802736fe06c8a0fae47662f

memory/4480-8-0x00007FF6FC1B0000-0x00007FF6FC504000-memory.dmp

C:\Windows\System\AWtwYgB.exe

MD5 f70768c1efb0e9095346d8d5b12e47e2
SHA1 80cc446ae7118a9ebc4680a977ba12bcb4b3ca0d
SHA256 c612bac4438effafd40eddc25a6a04eaee6b3f8fb4e085df2fa19dea7956ed8a
SHA512 49fb731442c37bbdf5b02899875bf63da872c843689bd6b9ba97460a52f712d67fb4d08a8eed45c478845cdaeaa0e2aecf9c60423e7af7a42fea301cdea31e83

C:\Windows\System\nlDPfHI.exe

MD5 3045196588cd63bd11654b2be79420c8
SHA1 85d79ac27186d4f67507701d46652bea09168c4a
SHA256 fa6b9e9514fe3a34c713125ff6f2b525e232801db4010899e800fb1d56cfd752
SHA512 e48cffb3f15a1a2f32cc5a5ef8a0ff306eb0546f1504d22174c241822dba39cf5c71948b441284eceab8905a60daaae35a4adebeedc6e0223a24483e5fa92059

memory/1164-20-0x00007FF7D8380000-0x00007FF7D86D4000-memory.dmp

C:\Windows\System\AAVfAVv.exe

MD5 0ab87eee8b9916ead741341fce78ba73
SHA1 01bcb916a8f8c479a9bf7f1d41e5a4d4ecc0bdf0
SHA256 b59343b562ea21c236d618632f629e098d78a96b3f14a81a38106e610116cfb8
SHA512 75b3254666b0c62daec0982c82d8ad699a4f114a42af9891c3fb37771e439c8c7a1970e0573de1e340be00a322544726a7f7ef178bb078da9d094ada4cc324c7

memory/4844-25-0x00007FF74B220000-0x00007FF74B574000-memory.dmp

C:\Windows\System\LKBqiuz.exe

MD5 b07494cc89db25b13ab7e9a63b6ee6ff
SHA1 6b922f0de01f7a028e3d86852583de240a56a7fb
SHA256 d762c179a648009829ffc9ebbe9e9a2d0b8bef92656860b6a7db02618b1d4aba
SHA512 332cdbdc6fcbb0d966ab500100f7715929f0bb9f80e1e3e6a2aebc2e07ac42bca50062b9feebff7f000a75047b7c5fa87ed6f6065527e5c19c4f47b6617c23bd

memory/5068-33-0x00007FF628230000-0x00007FF628584000-memory.dmp

C:\Windows\System\nwwPTHV.exe

MD5 4bcbb136158e779eac6798f9713e6cde
SHA1 5d3068989e8d457d4065cb712ef020adddb79a31
SHA256 fe9f9285184312cf5f3a9bee928122006285ef40c74fbf26069a552e38bbdddf
SHA512 7955b07294e09274fe859371483a046ccd6eca058d4c69729ada6b439e5f003ee6dca7486b3b0218ed865b263c6757b6004cea6a03c1cecad714fcb60b272ee4

memory/3200-41-0x00007FF6277B0000-0x00007FF627B04000-memory.dmp

memory/2232-42-0x00007FF7B1A00000-0x00007FF7B1D54000-memory.dmp

C:\Windows\System\xMRhQCs.exe

MD5 660fd2ae070474a24737676342d32932
SHA1 4d26e61542f280094d79c7f6a1b1a16bfa4ba5d4
SHA256 2672815eee8375bb24aab6ed815e46db61cbb78c2128e60858f5c7f047c140d1
SHA512 aa9a9386141f121cb87eeeae0389042edc6f23b62902dcc8d4d6188468e656f7692c83c6386d5676b813a2129dfec91558493f2c86ee697dfdf2930580aa58e0

memory/2812-13-0x00007FF63A080000-0x00007FF63A3D4000-memory.dmp

C:\Windows\System\HaVOptC.exe

MD5 b33d0e6285d39bd685732c6e727ae216
SHA1 8eab1078170d0fe77d05c7440dfa1efec433171a
SHA256 3a2785c2ecfd57d546d0a6fdaa456dc70e79a5866f9f6c2176711488b49f9ed4
SHA512 acd2d526d479ba8d16b03318991f97b2fde74f48ecd52b80cdb85f137ff6e0844e6862046360e1fe58708021ae52aa81377765af5df1cf49118364090158f5a2

C:\Windows\System\FuFnSJa.exe

MD5 adf38dd5ced0b3255c6d1352d8e92928
SHA1 04a0d8a60911e873e7a5b4a015b1f329d432aa52
SHA256 7a90d699b8f513f3eb38d38498dc63249f0f47a3e5f152e58b55030bae73b715
SHA512 556c15e26b52c669a89e440d16ed6c9740c521595ead71fde46071f55f8c41f3cb8a19a054ddb37f76d72d3721a952399d155ca5e4b7a80f04de6816c4152caf

memory/4024-50-0x00007FF6A2990000-0x00007FF6A2CE4000-memory.dmp

memory/3324-56-0x00007FF73C440000-0x00007FF73C794000-memory.dmp

C:\Windows\System\URneELu.exe

MD5 64eaaa5dfde7a0826ef62bb8aa34dade
SHA1 652e0344e1fcb0457ba2a522c4ca757cd3331b6d
SHA256 569d81f57b46a7c1d9f0ef7af1b1ad10c7cfbb16b28a47bce9edd6b6f5359488
SHA512 30a6369f3f233c514a6c4d694adc47c7e9c3adec2290bda871d9df7ddddeabeae421aba4aaf2860092a12a6da65421f071a57c652cf6935430a4cc0d8a09a60c

C:\Windows\System\zwMUkrD.exe

MD5 c2742a3f6fee026fe51c340cab144264
SHA1 0a99e04f2a0a33022189fdcca92c7d5904aace75
SHA256 8a9cf878ba7ff80bada6624fbc39a25ab69a54522fd3832f56f17aa5f882fe6b
SHA512 ed537dcdd709acd161fe3ec0f9f158259c7538931ff4a92331549ab4b19f7115f095698cd24c844cbc4d477a2857e874361aaa4ffd99be8775e780a90f4da47a

C:\Windows\System\bEreGKp.exe

MD5 984a8cf637fc9f46a5be1646493a183b
SHA1 eff3045fcb5d0b4a9321004fdd3e94f3f336f5af
SHA256 0d4a824efda706db87b77805c320758f4772451fa0404efc091a4e3040c61068
SHA512 f10e98d33b97922d86b629662f92ca9b0747603db9cee26627e84885ca9797232c0f5349bf7b35b6812a24bc6e60bd825c6020365d2a762c823adc6158a78b7d

C:\Windows\System\MOmSpLW.exe

MD5 ac4dcc893c14516cc3ef012cd135db17
SHA1 039449f9eb420ed6bd1cfed9185ef1ead0c516aa
SHA256 91b2c5e6ad6954e7dfe185481c2e6a6e2f4c5850ecd38ff3ea784526ff8e72f8
SHA512 d4e940a2bcfce484a3f554ae61b4332519f2d8c624f944ddc307aa111f1efef5e60e97107e3c74a237098baeb8430732c8084cd1387cc4e659f71c7fba34ce1a

C:\Windows\System\HqGvonj.exe

MD5 2faf106a7781bcc286cba30ebec44c1c
SHA1 cf5a352da50c4e81ce1bade8d1108e85f5884db1
SHA256 179b6abaf8f66d39651ec0c0b5cf2b596081d11cad54de032997c1bcacfddb7a
SHA512 dabd3b53ec7be2dbf9bd9466bd356612b61a869c1017c09670b4a6525813465eae03e5f91005e5df8a055de921549c06c15e5d395a5c8d0894700d497189aaeb

C:\Windows\System\MUcVsFC.exe

MD5 9a5474c96c071c7ee44833767db9e5df
SHA1 a27276ccdf68403bdc1a31826f539c961599357b
SHA256 632e8d5c97ab67faa2a2f3e5f4465b63aa1d572f7c41dacd9fba986e88b76de7
SHA512 32a6bf80f501b0787f0dcb66b06517ecc6058b4788c18a57eb11f397ed3f8db9c0f54bca569254a4efdcde45f42b1df97b508298856943d693c2f58e9886bc76

C:\Windows\System\nvAhfaW.exe

MD5 926b9ef42bc5ed0f2fec5dd6cc3f31a9
SHA1 e18a9345c14cf085311b03de4c3588dd023b63f1
SHA256 c77abf3f191f0782730b65b156d2de24c5106d4979ffa95f1d10a8f8c565a3c5
SHA512 d15083d38d1f807c45fa8e194b952489b0dc805db09c00e3238e4704a95986ec29644755a0a31ae8c7d83b4b65f2916f39b683911250269bf434e8569c41a4f2

C:\Windows\System\qqEdNBJ.exe

MD5 64756dbbc530faf6a619f186accab27c
SHA1 cf85e33c4b25e4210368e746e08a1ca86039c14f
SHA256 1e350890d2bfb293be97f889fd5e9057d9c9cdeecb64d448ed110485e136297b
SHA512 24919cee0c7c90c371c1073990b8da62f1498b7d2b62fc90f5807ffb342031f1d2bf3e166ed9ba4ba313c903301ce1ad2afc307ebf44c4c82222a8896690a7a9

C:\Windows\System\NpyRNKN.exe

MD5 b3a9b01df1ada81ff93c1626f1d35d68
SHA1 45433a24dceb6e171558e553d2ccb5b9774a50a9
SHA256 e4a36798ceb00b27e240a388486f9538ff46c70866be5783694c29f408757e2b
SHA512 99f511f4cb5868df33b195a2dc641da36db2605dc85255d0e37a442cac7b471d332311191ddba7fb9e43e6c1ab7b0edcaa9ee0f6ab8dbf8d55b68b8a52768f4e

C:\Windows\System\yAuAxVq.exe

MD5 531a107221be1dc1134dcc9ac52e31d3
SHA1 291d11a94c323c08846e83e02f1cb3599f55e614
SHA256 c1ebee1c7ba54645d693d87534f25fb6026158419d8ed7f09c4e03d377344dab
SHA512 e3227d86e2c298872218e427f44101768b405c0eb666e3c6a4873af0122c115ed29ac518375c242169d62ee8e302ea489e2d861018cb483e5c59ec2e4248da73

C:\Windows\System\RMQxwuK.exe

MD5 f26da651101f7f276ca820a43b852ce1
SHA1 8e03fdaedf7fb487cae50a1be1b5f62fc93a3d4b
SHA256 5f35f2960e65f9d526441442b7c0ffd3ed52c2ffbd0317f7b09f43170fd629c1
SHA512 384ed8e88f23a656a08c677f42e2cb3fdc04980e291d40df6fc1c79f7f890442af69b29f95841294688ffc29b95e153e7053cba3452a771f27baa99f82f19f6b

C:\Windows\System\eDnuyfI.exe

MD5 5c4a29d457cb68fcec070129b78890ad
SHA1 f37cf2c1fd37dd8a96e1ee1411168e6b051687cd
SHA256 8a674397c23563e19c171f04e067ac77b04bb609a081776c96bb39ca5f7f8775
SHA512 3631c8307419465a50087e778168c69d461addcce56c26a7a37827372fad7e18d5e24f917e811047ccafea52e64b35b3561bd7d3c85583df53f0a4958d37d6b9

memory/2816-75-0x00007FF6A76F0000-0x00007FF6A7A44000-memory.dmp

C:\Windows\System\bEreGKp.exe

MD5 010981bc84eafb09f4e4436e0570e1da
SHA1 eeda0fa404ab7224557f9f91c5e5057e1e234961
SHA256 27c2fcf60f084aba973fdedd323e08590a3c4a6d9866f1db2346f15337a2660d
SHA512 4fb357a27bd4702de446c939b58b8620ed4286d7bafe4c7d60de3e19990c2c4f7d8129571a39e0d849a4f9ce8304e90d0413871cc635f357860a6c7aa3af4e05

memory/1680-64-0x00007FF657560000-0x00007FF6578B4000-memory.dmp

memory/4280-119-0x00007FF7D9140000-0x00007FF7D9494000-memory.dmp

memory/4404-121-0x00007FF72E980000-0x00007FF72ECD4000-memory.dmp

memory/2584-123-0x00007FF740F30000-0x00007FF741284000-memory.dmp

memory/620-122-0x00007FF76D370000-0x00007FF76D6C4000-memory.dmp

memory/396-120-0x00007FF78E900000-0x00007FF78EC54000-memory.dmp

memory/2716-118-0x00007FF6AC5E0000-0x00007FF6AC934000-memory.dmp

memory/5104-124-0x00007FF6996B0000-0x00007FF699A04000-memory.dmp

memory/4740-125-0x00007FF63E7F0000-0x00007FF63EB44000-memory.dmp

memory/1064-126-0x00007FF75AF80000-0x00007FF75B2D4000-memory.dmp

memory/4480-128-0x00007FF6FC1B0000-0x00007FF6FC504000-memory.dmp

memory/2124-127-0x00007FF6DC770000-0x00007FF6DCAC4000-memory.dmp

memory/4836-129-0x00007FF6CDCB0000-0x00007FF6CE004000-memory.dmp

memory/2812-130-0x00007FF63A080000-0x00007FF63A3D4000-memory.dmp

memory/1164-131-0x00007FF7D8380000-0x00007FF7D86D4000-memory.dmp

memory/4844-132-0x00007FF74B220000-0x00007FF74B574000-memory.dmp

memory/5068-133-0x00007FF628230000-0x00007FF628584000-memory.dmp

memory/3200-134-0x00007FF6277B0000-0x00007FF627B04000-memory.dmp

memory/2232-135-0x00007FF7B1A00000-0x00007FF7B1D54000-memory.dmp

memory/4480-136-0x00007FF6FC1B0000-0x00007FF6FC504000-memory.dmp

memory/2812-137-0x00007FF63A080000-0x00007FF63A3D4000-memory.dmp

memory/1164-138-0x00007FF7D8380000-0x00007FF7D86D4000-memory.dmp

memory/4844-139-0x00007FF74B220000-0x00007FF74B574000-memory.dmp

memory/5068-140-0x00007FF628230000-0x00007FF628584000-memory.dmp

memory/3200-141-0x00007FF6277B0000-0x00007FF627B04000-memory.dmp

memory/2232-142-0x00007FF7B1A00000-0x00007FF7B1D54000-memory.dmp

memory/4024-143-0x00007FF6A2990000-0x00007FF6A2CE4000-memory.dmp

memory/3324-144-0x00007FF73C440000-0x00007FF73C794000-memory.dmp

memory/1680-145-0x00007FF657560000-0x00007FF6578B4000-memory.dmp

memory/2716-146-0x00007FF6AC5E0000-0x00007FF6AC934000-memory.dmp

memory/4280-147-0x00007FF7D9140000-0x00007FF7D9494000-memory.dmp

memory/396-148-0x00007FF78E900000-0x00007FF78EC54000-memory.dmp

memory/4836-149-0x00007FF6CDCB0000-0x00007FF6CE004000-memory.dmp

memory/4404-150-0x00007FF72E980000-0x00007FF72ECD4000-memory.dmp

memory/620-151-0x00007FF76D370000-0x00007FF76D6C4000-memory.dmp

memory/2584-152-0x00007FF740F30000-0x00007FF741284000-memory.dmp

memory/5104-153-0x00007FF6996B0000-0x00007FF699A04000-memory.dmp

memory/4740-154-0x00007FF63E7F0000-0x00007FF63EB44000-memory.dmp

memory/1064-156-0x00007FF75AF80000-0x00007FF75B2D4000-memory.dmp

memory/2124-155-0x00007FF6DC770000-0x00007FF6DCAC4000-memory.dmp
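Two things in the Files list above are worth checking mechanically rather than by eye. Every dump for the parent and for each of the 21 children spans exactly 0x354000 bytes (only the second PID 2816 dump, 0x10000 bytes, is a separate small region), and the 22 dropped-file records carry 22 different SHA256 values, including two different hashes for the same path C:\Windows\System\bEreGKp.exe. Same image size with different bytes per copy means the file hashes are weak indicators for this sample; the path and name pattern and the in-memory content travel better. The block below is an added example (not part of the sandbox output) that parses a subset of the dump names and hash records copied from the list; the parsing and bookkeeping are ours.

```python
"""Two checks on the Files section above: the size of every dumped region,
and whether the dropped copies share a hash.

Added example; the dump names and hashes are a subset copied from the
report, the parsing and bookkeeping are ours.
"""
import re
from collections import Counter, defaultdict

# memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp, as printed above.
DUMP_RE = re.compile(
    r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$"
)

DUMPS = [
    "memory/2816-0-0x00007FF6A76F0000-0x00007FF6A7A44000-memory.dmp",
    "memory/2816-1-0x00000265CCF20000-0x00000265CCF30000-memory.dmp",
    "memory/4480-8-0x00007FF6FC1B0000-0x00007FF6FC504000-memory.dmp",
    "memory/1164-20-0x00007FF7D8380000-0x00007FF7D86D4000-memory.dmp",
    "memory/4844-25-0x00007FF74B220000-0x00007FF74B574000-memory.dmp",
    "memory/2816-75-0x00007FF6A76F0000-0x00007FF6A7A44000-memory.dmp",
    "memory/4480-128-0x00007FF6FC1B0000-0x00007FF6FC504000-memory.dmp",
]

# (path, SHA256) pairs; bEreGKp.exe appears twice with different hashes.
DROPPED = [
    (r"C:\Windows\System\eAkOuky.exe", "71bf069e766647aee39f1e272cd6f9b43d3616217e6b90445ec90987cae30730"),
    (r"C:\Windows\System\AWtwYgB.exe", "c612bac4438effafd40eddc25a6a04eaee6b3f8fb4e085df2fa19dea7956ed8a"),
    (r"C:\Windows\System\nlDPfHI.exe", "fa6b9e9514fe3a34c713125ff6f2b525e232801db4010899e800fb1d56cfd752"),
    (r"C:\Windows\System\bEreGKp.exe", "0d4a824efda706db87b77805c320758f4772451fa0404efc091a4e3040c61068"),
    (r"C:\Windows\System\bEreGKp.exe", "27c2fcf60f084aba973fdedd323e08590a3c4a6d9866f1db2346f15337a2660d"),
]


def parse_dump(name):
    m = DUMP_RE.match(name)
    if not m:
        raise ValueError(f"not a dump name: {name!r}")
    pid, seq, start, end = m.groups()
    start, end = int(start, 16), int(end, 16)
    return {"pid": int(pid), "seq": int(seq), "start": start, "size": end - start}


def region_sizes(names):
    """How many dumps of each size were taken (a region dumped twice counts twice)."""
    return Counter(parse_dump(n)["size"] for n in names)


def pids_with_region(names, size):
    """PIDs owning at least one dumped region of exactly `size` bytes, each once."""
    seen = {(d["pid"], d["start"]) for d in map(parse_dump, names) if d["size"] == size}
    return sorted({pid for pid, _ in seen})


def hash_report(dropped):
    """Count distinct hashes and list paths that were written with more than one."""
    by_path = defaultdict(set)
    for path, sha in dropped:
        by_path[path.lower()].add(sha.lower())
    return {
        "distinct_hashes": len({sha.lower() for _, sha in dropped}),
        "rewritten_paths": sorted(p for p, s in by_path.items() if len(s) > 1),
    }


if __name__ == "__main__":
    for size, n in sorted(region_sizes(DUMPS).items()):
        print(f"{n} dumps of 0x{size:X} bytes")
    print("PIDs with the 0x354000 image-sized region:", pids_with_region(DUMPS, 0x354000))
    print(hash_report(DROPPED))
```

Run against the full list, `pids_with_region(..., 0x354000)` returns the parent plus all 21 children, and `hash_report` returns 22 distinct hashes with bEreGKp.exe as the only rewritten path.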

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-27 18:11

Reported

2024-05-27 18:14

Platform

win7-20240221-en

Max time kernel

139s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-05-27_b8fcda374af72ad2161f20e6ba7503d9_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
(49 hits; the extracted report preserves no description, indicator, process or target for any of them)

XMRig Miner payload

miner
Description Indicator Process Target
(53 hits; the extracted report preserves no description, indicator, process or target for any of them)

Loads dropped DLL

Description Indicator Process Target
(21 load events, every one attributed to the sample process C:\Users\Admin\AppData\Local\Temp\2024-05-27_b8fcda374af72ad2161f20e6ba7503d9_cobalt-strike_cobaltstrike.exe with no indicator or target recorded; the count matches the 21 executables dropped below)

UPX packed file

upx
Description Indicator Process Target
(52 hits; the extracted report preserves no description, indicator, process or target for any of them)

Drops file in Windows directory

All 21 files are written by the sample into C:\Windows\System (the legacy 16-bit Windows directory, not System32) under 7-character mixed-case names; writing there needs an elevated token.

Description Indicator Process Target
File created C:\Windows\System\hraVomt.exe C:\Users\Admin\AppData\Local\Temp\2024-05-27_b8fcda374af72ad2161f20e6ba7503d9_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\KiITmwD.exe C:\Users\Admin\AppData\Local\Temp\2024-05-27_b8fcda374af72ad2161f20e6ba7503d9_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\kwrruvE.exe C:\Users\Admin\AppData\Local\Temp\2024-05-27_b8fcda374af72ad2161f20e6ba7503d9_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\wUNZGcP.exe C:\Users\Admin\AppData\Local\Temp\2024-05-27_b8fcda374af72ad2161f20e6ba7503d9_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\IAkIqhS.exe C:\Users\Admin\AppData\Local\Temp\2024-05-27_b8fcda374af72ad2161f20e6ba7503d9_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\HKqcDeg.exe C:\Users\Admin\AppData\Local\Temp\2024-05-27_b8fcda374af72ad2161f20e6ba7503d9_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\swsOrNB.exe C:\Users\Admin\AppData\Local\Temp\2024-05-27_b8fcda374af72ad2161f20e6ba7503d9_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\TEiCaTO.exe C:\Users\Admin\AppData\Local\Temp\2024-05-27_b8fcda374af72ad2161f20e6ba7503d9_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\UTTlyuL.exe C:\Users\Admin\AppData\Local\Temp\2024-05-27_b8fcda374af72ad2161f20e6ba7503d9_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\hvgEdyf.exe C:\Users\Admin\AppData\Local\Temp\2024-05-27_b8fcda374af72ad2161f20e6ba7503d9_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\KnbJsKR.exe C:\Users\Admin\AppData\Local\Temp\2024-05-27_b8fcda374af72ad2161f20e6ba7503d9_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\BGwanBV.exe C:\Users\Admin\AppData\Local\Temp\2024-05-27_b8fcda374af72ad2161f20e6ba7503d9_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\PQekvXV.exe C:\Users\Admin\AppData\Local\Temp\2024-05-27_b8fcda374af72ad2161f20e6ba7503d9_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\QDXITov.exe C:\Users\Admin\AppData\Local\Temp\2024-05-27_b8fcda374af72ad2161f20e6ba7503d9_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\iWGESqs.exe C:\Users\Admin\AppData\Local\Temp\2024-05-27_b8fcda374af72ad2161f20e6ba7503d9_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ONmcIDO.exe C:\Users\Admin\AppData\Local\Temp\2024-05-27_b8fcda374af72ad2161f20e6ba7503d9_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\lVgZfmj.exe C:\Users\Admin\AppData\Local\Temp\2024-05-27_b8fcda374af72ad2161f20e6ba7503d9_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\rUvgYBx.exe C:\Users\Admin\AppData\Local\Temp\2024-05-27_b8fcda374af72ad2161f20e6ba7503d9_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ASNwXTz.exe C:\Users\Admin\AppData\Local\Temp\2024-05-27_b8fcda374af72ad2161f20e6ba7503d9_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\AcYKSht.exe C:\Users\Admin\AppData\Local\Temp\2024-05-27_b8fcda374af72ad2161f20e6ba7503d9_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\YfaqlWC.exe C:\Users\Admin\AppData\Local\Temp\2024-05-27_b8fcda374af72ad2161f20e6ba7503d9_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_b8fcda374af72ad2161f20e6ba7503d9_cobalt-strike_cobaltstrike.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_b8fcda374af72ad2161f20e6ba7503d9_cobalt-strike_cobaltstrike.exe N/A

SeLockMemoryPrivilege is the privilege required to allocate large pages (VirtualAlloc with MEM_LARGE_PAGES). XMRig enables it on Windows to back its RandomX dataset with huge pages, so this token adjustment lines up with the XMRig Miner payload match rather than with the Cobalt Strike loader.

Suspicious use of WriteProcessMemory

Each target below originally appeared as three identical rows (three write events per target, 63 events in total); the table is collapsed to one row per target. PID 1712 is the sample process in every row.

Description Indicator Process Target
PID 1712 wrote to memory of 2836 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_b8fcda374af72ad2161f20e6ba7503d9_cobalt-strike_cobaltstrike.exe C:\Windows\System\lVgZfmj.exe
PID 1712 wrote to memory of 2616 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_b8fcda374af72ad2161f20e6ba7503d9_cobalt-strike_cobaltstrike.exe C:\Windows\System\hvgEdyf.exe
PID 1712 wrote to memory of 2864 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_b8fcda374af72ad2161f20e6ba7503d9_cobalt-strike_cobaltstrike.exe C:\Windows\System\wUNZGcP.exe
PID 1712 wrote to memory of 2684 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_b8fcda374af72ad2161f20e6ba7503d9_cobalt-strike_cobaltstrike.exe C:\Windows\System\IAkIqhS.exe
PID 1712 wrote to memory of 2724 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_b8fcda374af72ad2161f20e6ba7503d9_cobalt-strike_cobaltstrike.exe C:\Windows\System\rUvgYBx.exe
PID 1712 wrote to memory of 2664 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_b8fcda374af72ad2161f20e6ba7503d9_cobalt-strike_cobaltstrike.exe C:\Windows\System\KnbJsKR.exe
PID 1712 wrote to memory of 2028 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_b8fcda374af72ad2161f20e6ba7503d9_cobalt-strike_cobaltstrike.exe C:\Windows\System\HKqcDeg.exe
PID 1712 wrote to memory of 2588 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_b8fcda374af72ad2161f20e6ba7503d9_cobalt-strike_cobaltstrike.exe C:\Windows\System\swsOrNB.exe
PID 1712 wrote to memory of 2424 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_b8fcda374af72ad2161f20e6ba7503d9_cobalt-strike_cobaltstrike.exe C:\Windows\System\BGwanBV.exe
PID 1712 wrote to memory of 2496 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_b8fcda374af72ad2161f20e6ba7503d9_cobalt-strike_cobaltstrike.exe C:\Windows\System\ASNwXTz.exe
PID 1712 wrote to memory of 2472 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_b8fcda374af72ad2161f20e6ba7503d9_cobalt-strike_cobaltstrike.exe C:\Windows\System\AcYKSht.exe
PID 1712 wrote to memory of 1172 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_b8fcda374af72ad2161f20e6ba7503d9_cobalt-strike_cobaltstrike.exe C:\Windows\System\TEiCaTO.exe
PID 1712 wrote to memory of 1392 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_b8fcda374af72ad2161f20e6ba7503d9_cobalt-strike_cobaltstrike.exe C:\Windows\System\YfaqlWC.exe
PID 1712 wrote to memory of 1616 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_b8fcda374af72ad2161f20e6ba7503d9_cobalt-strike_cobaltstrike.exe C:\Windows\System\iWGESqs.exe
PID 1712 wrote to memory of 2408 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_b8fcda374af72ad2161f20e6ba7503d9_cobalt-strike_cobaltstrike.exe C:\Windows\System\PQekvXV.exe
PID 1712 wrote to memory of 2268 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_b8fcda374af72ad2161f20e6ba7503d9_cobalt-strike_cobaltstrike.exe C:\Windows\System\QDXITov.exe
PID 1712 wrote to memory of 2760 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_b8fcda374af72ad2161f20e6ba7503d9_cobalt-strike_cobaltstrike.exe C:\Windows\System\hraVomt.exe
PID 1712 wrote to memory of 2804 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_b8fcda374af72ad2161f20e6ba7503d9_cobalt-strike_cobaltstrike.exe C:\Windows\System\ONmcIDO.exe
PID 1712 wrote to memory of 2832 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_b8fcda374af72ad2161f20e6ba7503d9_cobalt-strike_cobaltstrike.exe C:\Windows\System\kwrruvE.exe
PID 1712 wrote to memory of 1028 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_b8fcda374af72ad2161f20e6ba7503d9_cobalt-strike_cobaltstrike.exe C:\Windows\System\UTTlyuL.exe
PID 1712 wrote to memory of 1848 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_b8fcda374af72ad2161f20e6ba7503d9_cobalt-strike_cobaltstrike.exe C:\Windows\System\KiITmwD.exe
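The three signature tables above (file drops into C:\Windows\System, cross-process writes from PID 1712 into each dropped executable, and the SeLockMemoryPrivilege request) describe one "drop, launch, write into child" pattern. The following Python is an added triage helper, not part of the sandbox report or of any vendor tooling: it parses rows in exactly the row format shown on this page, joins the drop events to the WriteProcessMemory events, and flags a writer that injects into several processes whose images it dropped itself. The sample rows are constructed from this report (the sample's long file name is shortened to the placeholder sample.exe; PIDs and dropped paths are the ones listed above), and the row format is assumed to be fixed as it appears here.

```python
import re
from collections import defaultdict

# Constructed sample: rows copied (abridged) from this report's behavioral1
# tables. The sample's long file name is shortened to sample.exe; PIDs and
# dropped-file paths are the ones the report lists. The report records three
# WriteProcessMemory events per target; two are reproduced for 2836 below, and
# IAkIqhS.exe is deliberately left out of the File created rows to show the join.
SAMPLE_EVENTS = r"""
File created C:\Windows\System\lVgZfmj.exe C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
File created C:\Windows\System\hvgEdyf.exe C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
File created C:\Windows\System\wUNZGcP.exe C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
PID 1712 wrote to memory of 2836 N/A C:\Users\Admin\AppData\Local\Temp\sample.exe C:\Windows\System\lVgZfmj.exe
PID 1712 wrote to memory of 2836 N/A C:\Users\Admin\AppData\Local\Temp\sample.exe C:\Windows\System\lVgZfmj.exe
PID 1712 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\sample.exe C:\Windows\System\hvgEdyf.exe
PID 1712 wrote to memory of 2864 N/A C:\Users\Admin\AppData\Local\Temp\sample.exe C:\Windows\System\wUNZGcP.exe
PID 1712 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\sample.exe C:\Windows\System\IAkIqhS.exe
"""

# Row layouts exactly as printed in the report (Description Indicator Process Target).
DROP_RE = re.compile(r"^File created (\S+) (\S+) \S+$")
WRITE_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) \S+ (\S+) (\S+)$")
PRIV_RE = re.compile(r"^Token: (\S+) \S+ (\S+) \S+$")


def parse_events(text):
    """Split signature rows into file drops, cross-process writes and privilege requests."""
    events = {"drops": [], "writes": [], "privs": []}
    for line in text.splitlines():
        line = line.strip()
        if m := DROP_RE.match(line):
            events["drops"].append({"path": m.group(1), "process": m.group(2)})
        elif m := WRITE_RE.match(line):
            events["writes"].append({"src_pid": int(m.group(1)), "dst_pid": int(m.group(2)),
                                     "process": m.group(3), "target": m.group(4)})
        elif m := PRIV_RE.match(line):
            events["privs"].append({"privilege": m.group(1), "process": m.group(2)})
    return events


def fan_out(events):
    """Writer PID -> set of (target PID, target image) it wrote into; repeated events collapse."""
    out = defaultdict(set)
    for w in events["writes"]:
        out[w["src_pid"]].add((w["dst_pid"], w["target"]))
    return dict(out)


def drop_and_inject_findings(events, min_children=3):
    """Flag writers that wrote into at least min_children processes whose image file they dropped."""
    dropped_by = defaultdict(set)
    for d in events["drops"]:
        dropped_by[d["process"].lower()].add(d["path"].lower())
    findings = []
    for pid, targets in fan_out(events).items():
        writer = next(w["process"] for w in events["writes"] if w["src_pid"] == pid)
        own_drops = dropped_by.get(writer.lower(), set())
        hits = sorted(img for (_, img) in targets if img.lower() in own_drops)
        if len(hits) >= min_children:
            findings.append({"pid": pid, "process": writer, "children": hits})
    return findings


def large_page_requesters(events):
    """Processes that adjusted their token for SeLockMemoryPrivilege (needed for large pages)."""
    return sorted({p["process"] for p in events["privs"] if p["privilege"] == "SeLockMemoryPrivilege"})


if __name__ == "__main__":
    ev = parse_events(SAMPLE_EVENTS)
    for f in drop_and_inject_findings(ev):
        print(f"PID {f['pid']} dropped and wrote into {len(f['children'])} processes: {f['children']}")
    print("large-page privilege requested by:", large_page_requesters(ev))
```

The join matters: a writer that touches processes it did not create (here IAkIqhS.exe is written into but not among the sample's drops) is counted separately, so the threshold only fires on the self-dropped children. Run over the full 21-target table from this page the finding lists all 21 images.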

Processes

PIDs are taken from the WriteProcessMemory events above; each dropped executable is listed with its own path as its full command line.

PID 1712  C:\Users\Admin\AppData\Local\Temp\2024-05-27_b8fcda374af72ad2161f20e6ba7503d9_cobalt-strike_cobaltstrike.exe
          command line: "C:\Users\Admin\AppData\Local\Temp\2024-05-27_b8fcda374af72ad2161f20e6ba7503d9_cobalt-strike_cobaltstrike.exe"
    PID 2836  C:\Windows\System\lVgZfmj.exe
    PID 2616  C:\Windows\System\hvgEdyf.exe
    PID 2864  C:\Windows\System\wUNZGcP.exe
    PID 2684  C:\Windows\System\IAkIqhS.exe
    PID 2724  C:\Windows\System\rUvgYBx.exe
    PID 2664  C:\Windows\System\KnbJsKR.exe
    PID 2028  C:\Windows\System\HKqcDeg.exe
    PID 2588  C:\Windows\System\swsOrNB.exe
    PID 2424  C:\Windows\System\BGwanBV.exe
    PID 2496  C:\Windows\System\ASNwXTz.exe
    PID 2472  C:\Windows\System\AcYKSht.exe
    PID 1172  C:\Windows\System\TEiCaTO.exe
    PID 1392  C:\Windows\System\YfaqlWC.exe
    PID 1616  C:\Windows\System\iWGESqs.exe
    PID 2408  C:\Windows\System\PQekvXV.exe
    PID 2268  C:\Windows\System\QDXITov.exe
    PID 2760  C:\Windows\System\hraVomt.exe
    PID 2804  C:\Windows\System\ONmcIDO.exe
    PID 2832  C:\Windows\System\kwrruvE.exe
    PID 1028  C:\Windows\System\UTTlyuL.exe
    PID 1848  C:\Windows\System\KiITmwD.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 (none) tcp

(6 identical connection records; this is the only network destination in the detonation and no domain was resolved for it)

Files

Notes on the entries below: hashes were recorded for 18 of the 21 executables dropped into C:\Windows\System (none for hraVomt.exe, hvgEdyf.exe or HKqcDeg.exe). Four names appear twice with different hashes, once under a drive-letter-less path and once under C:\: IAkIqhS.exe, KiITmwD.exe, UTTlyuL.exe and ONmcIDO.exe. The report does not say which copy ran, so both hash sets should be treated as indicators. Every memory dump except memory/1712-1 covers exactly 0x354000 bytes, and several of PID 1712's dumps span the same address range as a child's dump (for example 1712-8 and 2836-12 at 0x13F610000), consistent with the parent-to-child WriteProcessMemory events above.

memory/1712-0-0x000000013FB20000-0x000000013FE74000-memory.dmp

memory/1712-1-0x0000000000480000-0x0000000000490000-memory.dmp

C:\Windows\system\lVgZfmj.exe

MD5 f6cdfb3d88537b367792cbd894bd98ed
SHA1 3d3f99c94c72c456dffcf949bc5d30603a7e936c
SHA256 05dd3d926d8f7a6b3411e38a31ef4f8229eb7d780b830e3fca3bbab5124eef86
SHA512 0da483abd45f0fc31271e46184ea3a074b58fa3e0dc6bb0072318eee13b5c0ffc1280f1aa582bb4e78cf8a2c355408182d9725282b3a73e6e2dadc9f4f43faa3

C:\Windows\system\IAkIqhS.exe

MD5 984a8cf637fc9f46a5be1646493a183b
SHA1 eff3045fcb5d0b4a9321004fdd3e94f3f336f5af
SHA256 0d4a824efda706db87b77805c320758f4772451fa0404efc091a4e3040c61068
SHA512 f10e98d33b97922d86b629662f92ca9b0747603db9cee26627e84885ca9797232c0f5349bf7b35b6812a24bc6e60bd825c6020365d2a762c823adc6158a78b7d

memory/2684-28-0x000000013FA50000-0x000000013FDA4000-memory.dmp

memory/1712-29-0x00000000022A0000-0x00000000025F4000-memory.dmp

C:\Windows\system\KnbJsKR.exe

MD5 875adb05ca7978a782a422eae0e659d5
SHA1 62ff05ff43b62454b0d2de31a6d3e5ab5b20078e
SHA256 37dd63fa608e19033cbf1d6fe95b6c7cae69d9504fa48e33d41d5ec13ee264fc
SHA512 a52ebf1339c0fe55188b04cd82a747d77ad57139865b9b75fdf3b9fdf3c02e03688e0ddf137cf4743af68901034727d33ac639825cb8b6403a17b8673a4dfd6f

C:\Windows\system\swsOrNB.exe

MD5 d087d60bee972482ba414dde57d94064
SHA1 0e58102d75409e85387c950e86f4cc96da371515
SHA256 1ee51685b7af314df3c8f01c4b39b91c739a420b0c8968c9cd986b716fd08dc9
SHA512 500b3e00dc02005c17b03b8494021fddbab5916723a913433d6ef89aa2cf4e6e68fc4172636b2bd68c73de2d44f0d00b4e792d1f453e109ae727ef66e97b6e2b

C:\Windows\system\KiITmwD.exe

MD5 6fb6863d9548f3879b1ba1b64fc45a68
SHA1 0dc40616de903c417cc9a8b581f9078af09ea60a
SHA256 b26b72ca0ef6d18aef032253470a78a13f48dcd486b2eb6e1570c96324293e82
SHA512 cf09c13915872b96dcf1f62eac8174c1c1dfa4aabd64fb9272008df1f24e451a988f1edb48cb6ca8b7ef84d58508cf13cc3d0e709b84acf2687dd5617c6c3a61

\Windows\system\UTTlyuL.exe

MD5 1d51a6f9f8f706d40a78f27cac287065
SHA1 981c2096ede4558d1ebc91ef5d6ea849a5e05a26
SHA256 15b21f96ab3bc949c328ae89ca4b8971cb600187d8a414a03ad62deea81f4ef1
SHA512 f88e4c79c055461a937a826fa6bbc551f208f7399466fa47521581ae4db3bc5d256e1bf01ae134b570a11c9d09f89930e6add7d4c8135ba334d8b29af2c44c97

C:\Windows\system\UTTlyuL.exe

MD5 f6ff13f5b74581b4d693140d7ed15d42
SHA1 b5f72d745d10b4b9c5938885364efade2590a6ab
SHA256 0632369166c9bc5c9b434ffd89ec9c9f265e35db5f9f6e8b7957c45b2c7683c7
SHA512 39ddedcd48f0afefef8b6d9f4c6350246031d6adffaa23199754b30948665cbedbf8af674f3d181d1c85403f8709c1fd9ff92429b133ea7e8be126dcdcc115dd

memory/1712-99-0x00000000022A0000-0x00000000025F4000-memory.dmp

\Windows\system\ONmcIDO.exe

MD5 38e1b7b0b9aa649f5c14f03127a6d132
SHA1 3917ca36707cd2c4dba6b6926d34a14a7bb117b1
SHA256 ddb3f57945f3929208b2b32e9fb1bc992b84f62c9f6d825404b952bbb20eee72
SHA512 47f8cf2986d63387cdc2751aeb8271afa2f9ce56ab0a21337ea9677985ff041ab00a0daf7ea6b9731948111f864f618de503be2edb6c7c0b58599566140c22a0

C:\Windows\system\ONmcIDO.exe

MD5 a3e64e88a07b7e80502dfe1579d5d47b
SHA1 c1b22e9359a8042dd76aa237120934d7bc9224ef
SHA256 09f9d78b52041a781342402d5c596c3ea15577e11a90bea7dbf6b09a0ab8af29
SHA512 4f345d7911b229531b4dea096be7f6908f7ff86206d60722d0ce4952fd1b7ca4b74ad647ef1165c7c4f85972d89af1c752eeea38f8c629aaad23d945089333cf

memory/1712-78-0x000000013F030000-0x000000013F384000-memory.dmp

C:\Windows\system\QDXITov.exe

MD5 4d0cad39a14fefa3a36e7a39d8c35b44
SHA1 cb1f54abf2c4e73d9a1920ce0edcf56fa54b7a3c
SHA256 f3acd82830976bea178f2395f729a89691bb342cb7aab598203c377d531ec3af
SHA512 78160df1bbd3ba274124e4c2c1a406f76d100e9e65eeff7f72fe47b51a804384df4db4cbd67c58a9ede32bdb508c250fef39076c978a16f29a25c83aa27faf2c

\Windows\system\iWGESqs.exe

MD5 9d367348bc2b0a338371873ab92b5ce0
SHA1 7f656575ff1e475fc391f43341a8d5f4ac819b19
SHA256 54a48f3a9df4f2d2df5308f04d9bbc5bfb754b7f4236b7d31d49f71134f2b309
SHA512 8ea158cb453b86b762270e2cebce91cbe9a0e8b60ddc4e0fb3c531068e04df9f568fe69f34e169c5bdf6255c4c79c801e5f4b3c040f45ef12c24211a5d1dd454

\Windows\system\KiITmwD.exe

MD5 7d9f1099f6b47550fd37adb914ba896f
SHA1 73597804426883357ebb880f6c0164793f40ad60
SHA256 66cd4cd4af8f630e7f196e1d09756e078751dfa9bcc54e0d14fae0ccbe492285
SHA512 e8add13893f4c014a42f0f57f95da110b546828bbf0b90c6e45d275710a9847ff130353175caa02a22132a7aec183fbbcda6a7a954c359f2b63e3b3f4a4cba77

\Windows\system\kwrruvE.exe

MD5 aea466b9d11f003266238669d01140de
SHA1 03f26cf832ef53654251e13c14952fa7acda4591
SHA256 1cc51492361df0409c34002146ed0cbc18c78ed806e3e39994c74ac9a95fb2ce
SHA512 0dec6a7f832a055996449cf674d3e49feb4c26f31f74d35c218ec63a629f3439b4eca9937dd36dd05824bfc88d10046f8bb1ce5271284b8ef5b5197814c9c7bd

memory/2424-95-0x000000013F3B0000-0x000000013F704000-memory.dmp

memory/2028-82-0x000000013F160000-0x000000013F4B4000-memory.dmp

\Windows\system\PQekvXV.exe

MD5 74aaf47b8b79abc5b6aefbd53c40fc17
SHA1 7f73daf1eb53239eac1227fec61f04b311a3db3d
SHA256 7ffc7610319036669a6e39401e49cc6408a3fc3cd52ac5f59e888f0860a60c06
SHA512 ec48fe0260fd833bb13cfa9ff607ae52e1a30b4735746f7e17876cc971abe45895b17d54370d58e4151b373ec744fd420b680e66b51d37445f9704182b7787f6

\Windows\system\TEiCaTO.exe

MD5 e8aa03d37a73cd8b872c5e7991025b56
SHA1 87c6132a0e939eceee7dda5a16f08157866f7753
SHA256 ef11b636fa48a677d5e28d45df64d29790a2b31560b2909879b4fd5734d1d692
SHA512 b578c8110c70705115d8150545580acff01598970b964979ce15e6aaf00d4e36b41a360fb01d41f0790d9b625a3cf9fa992a50f207a931cfd35f346263215ad8

memory/1712-74-0x000000013F160000-0x000000013F4B4000-memory.dmp

\Windows\system\YfaqlWC.exe

MD5 37bb4a68c9b7852b67cbef8040f1a3d0
SHA1 84545600d16d7710d88f82db8e5c041b18c43e42
SHA256 2302e88ae0a54b7163f93a4e54e4ffdb91b7cef3d88634803f6a543259a6216d
SHA512 3619a978fc76c6cc24d18b230b104be1111d4ad43ac133bcfde882331c55b5a237430a955ecc517bdbe831a58e3cb7ca0ddf690a867102fca701b9ce07203f50

memory/2664-65-0x000000013F2B0000-0x000000013F604000-memory.dmp

C:\Windows\system\AcYKSht.exe

MD5 06ba3dda744dbe1471ef19e45d9b2e77
SHA1 7342e2c5a474faf8deea3e2473a126336791f28d
SHA256 8ed39dab3f47832a751492036af8301f4885862d29803cf620a1ceac220c4d43
SHA512 3311373b89420cf2f6eefe429e2d919c05463b5b856bcf4c931b6b8fe727cf4667ee320cb957d424a518c7d5059190a8c0058345de9006d90a139d0cf37de0ed

C:\Windows\system\ASNwXTz.exe

MD5 2b405c074ad1fde3f6aa9b2a77fd52bb
SHA1 cc979480a1a6e223d3859d1a83010ac7b4a5d9a7
SHA256 53da465f75c8bf713a60e5fa061be37f64eb73c888f1acde22ec4ea269649786
SHA512 47ee7a0c0f73230e78d657ab4d64818e65b74623fa13bc09b88c7cf31d5bef912b833cdab14d80ed93e27fcc9b7ed03dc7fb6b72ec8cf8620c51e60d92c9a365

C:\Windows\system\BGwanBV.exe

MD5 5fda5d3fca5acc1c9bb1f863a223af15
SHA1 54302c11e9fcd93af99cdbbb5995b393c3880be3
SHA256 8397e4df574c96ed0bf61ab8d7494e7b1191428d6a2f6ac4247c800378e43c36
SHA512 fa9d39686e35b3b54b882c3a6d6998cdaf01dcda64f3e011d1f907b7fdea0e2d335fee2d30d6c948e616772fcbde052d812cfc9f409ef2e0e9aa5cf25b8091af

memory/2724-35-0x000000013F560000-0x000000013F8B4000-memory.dmp

\Windows\system\rUvgYBx.exe

MD5 198264203bf80d452763737fda3171d1
SHA1 e8aedb403a9ff70d66d79bfd353e10ffafd671af
SHA256 84fa29facf1797205a948863e1063e652e34263872f2062c48883aeb4ed50c85
SHA512 d87b837857a56514bff46b09134591bcc80f597124d1c95345d2bece7c0639227c4a6492c3ade055c1db41519251db795db8cee7bebc8e50c2414631a8259e35

memory/2864-26-0x000000013F190000-0x000000013F4E4000-memory.dmp

memory/1712-21-0x000000013F170000-0x000000013F4C4000-memory.dmp

\Windows\system\IAkIqhS.exe

MD5 f6276feb65ff3a9e57e997fb7cdd9ed0
SHA1 a4284a49fd100dc060e25a3cadb7f792fb608b91
SHA256 cadaec1ba090c1a37fd0dcb191aa0b8f6b77d91b4395e860abf5b57c3d338ccb
SHA512 a1d77762facadc56d589c66c2be16c6e77e033854b882a46fe0fa6d182968c5280dacfdee104881c4c5021152a373b7144e69effe529e213a027330414792645

memory/2616-18-0x000000013F170000-0x000000013F4C4000-memory.dmp

C:\Windows\system\wUNZGcP.exe

MD5 735084bb3a85018fc8f80a621b4ed0de
SHA1 f1fe27ed98cd499b3967beec1f2c42dea8913b4d
SHA256 822a9a0f7461db5401647fe28394a2038422fffbca2ea477c5d945633efff057
SHA512 8746015022485b3bb0f8d904b89b9895ae84ebd713db45df75715ec7aa26ef7de71073bc1dbf09a44eb3b3b70dc844b7dd0ba122ce3e064593d510a6ac01cd86

memory/2836-12-0x000000013F610000-0x000000013F964000-memory.dmp

memory/1712-8-0x000000013F610000-0x000000013F964000-memory.dmp

memory/2588-121-0x000000013F030000-0x000000013F384000-memory.dmp

memory/2472-123-0x000000013F920000-0x000000013FC74000-memory.dmp

memory/2496-122-0x000000013F860000-0x000000013FBB4000-memory.dmp

memory/1392-124-0x000000013F220000-0x000000013F574000-memory.dmp

memory/1172-125-0x000000013F7B0000-0x000000013FB04000-memory.dmp

memory/1712-126-0x000000013F2B0000-0x000000013F604000-memory.dmp

memory/1712-127-0x00000000022A0000-0x00000000025F4000-memory.dmp

memory/1712-128-0x000000013F5E0000-0x000000013F934000-memory.dmp

memory/1712-129-0x000000013FF50000-0x00000001402A4000-memory.dmp

memory/1712-130-0x000000013FB20000-0x000000013FE74000-memory.dmp

memory/2616-131-0x000000013F170000-0x000000013F4C4000-memory.dmp

memory/2724-132-0x000000013F560000-0x000000013F8B4000-memory.dmp

memory/2836-133-0x000000013F610000-0x000000013F964000-memory.dmp

memory/2616-134-0x000000013F170000-0x000000013F4C4000-memory.dmp

memory/2864-135-0x000000013F190000-0x000000013F4E4000-memory.dmp

memory/2684-136-0x000000013FA50000-0x000000013FDA4000-memory.dmp

memory/2724-137-0x000000013F560000-0x000000013F8B4000-memory.dmp

memory/2664-138-0x000000013F2B0000-0x000000013F604000-memory.dmp

memory/2588-141-0x000000013F030000-0x000000013F384000-memory.dmp

memory/2496-142-0x000000013F860000-0x000000013FBB4000-memory.dmp

memory/2472-143-0x000000013F920000-0x000000013FC74000-memory.dmp

memory/2424-140-0x000000013F3B0000-0x000000013F704000-memory.dmp

memory/2028-139-0x000000013F160000-0x000000013F4B4000-memory.dmp

memory/1172-145-0x000000013F7B0000-0x000000013FB04000-memory.dmp

memory/1392-144-0x000000013F220000-0x000000013F574000-memory.dmp
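The Files list above mixes dropped-file hash blocks with memory-dump names, records some paths twice under different hashes, and leaves the reader to work out region sizes by hand. The following Python is an added helper, not part of the sandbox report: it parses entries in the layout shown on this page (a path line followed by "LABEL hex" hash lines, or a memory/PID-index-start-end-memory.dmp name), normalises paths so the drive-letter-less and C:\ forms compare equal, reports paths with more than one distinct SHA256, groups dumps by region size, and emits the SHA256 IOC set. The sample input is a constructed subset of this report's own entries (SHA1 and SHA512 lines omitted for brevity; paths, PIDs, addresses and hashes as listed above).

```python
import re
from collections import defaultdict

# Constructed sample: a subset of this report's Files entries (SHA1/SHA512
# lines omitted for brevity; paths, PIDs, addresses and hashes as listed).
SAMPLE_FILES = r"""
memory/1712-0-0x000000013FB20000-0x000000013FE74000-memory.dmp

memory/1712-1-0x0000000000480000-0x0000000000490000-memory.dmp

C:\Windows\system\lVgZfmj.exe

MD5 f6cdfb3d88537b367792cbd894bd98ed
SHA256 05dd3d926d8f7a6b3411e38a31ef4f8229eb7d780b830e3fca3bbab5124eef86

\Windows\system\UTTlyuL.exe

MD5 1d51a6f9f8f706d40a78f27cac287065
SHA256 15b21f96ab3bc949c328ae89ca4b8971cb600187d8a414a03ad62deea81f4ef1

C:\Windows\system\UTTlyuL.exe

MD5 f6ff13f5b74581b4d693140d7ed15d42
SHA256 0632369166c9bc5c9b434ffd89ec9c9f265e35db5f9f6e8b7957c45b2c7683c7

memory/2836-12-0x000000013F610000-0x000000013F964000-memory.dmp
"""

DUMP_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512) ([0-9a-fA-F]+)$")


def normalize_path(path):
    """Drop the drive letter and leading backslash and lowercase, so a path with and without its drive letter compares equal."""
    return re.sub(r"^[A-Za-z]:", "", path).lstrip("\\").lower()


def parse_files(text):
    """Return (dropped files with their hash dicts, memory dumps with sizes) from a Files listing."""
    files, dumps, current = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := DUMP_RE.match(line):
            start, end = int(m.group(3), 16), int(m.group(4), 16)
            dumps.append({"pid": int(m.group(1)), "index": int(m.group(2)),
                          "start": start, "end": end, "size": end - start})
            current = None
        elif m := HASH_RE.match(line):
            if current is None:
                raise ValueError(f"hash line without a preceding path: {line}")
            current["hashes"][m.group(1)] = m.group(2).lower()
        elif "\\" in line:
            current = {"path": line, "hashes": {}}
            files.append(current)
    return files, dumps


def conflicting_hashes(files):
    """Normalized path -> sorted distinct SHA256 values, only where more than one was recorded."""
    seen = defaultdict(set)
    for f in files:
        if "SHA256" in f["hashes"]:
            seen[normalize_path(f["path"])].add(f["hashes"]["SHA256"])
    return {p: sorted(h) for p, h in seen.items() if len(h) > 1}


def dumps_by_size(dumps):
    """Region size in bytes -> sorted PIDs that had a dump of exactly that size."""
    by_size = defaultdict(set)
    for d in dumps:
        by_size[d["size"]].add(d["pid"])
    return {s: sorted(p) for s, p in by_size.items()}


def sha256_iocs(files):
    """All distinct SHA256 values, both copies of a twice-recorded path included."""
    return sorted({f["hashes"]["SHA256"] for f in files if "SHA256" in f["hashes"]})


if __name__ == "__main__":
    files, dumps = parse_files(SAMPLE_FILES)
    for path, hashes in conflicting_hashes(files).items():
        print(f"{path}: {len(hashes)} different SHA256 values recorded")
    for size, pids in sorted(dumps_by_size(dumps).items()):
        print(f"dump size 0x{size:x}: PIDs {pids}")
    print(f"{len(sha256_iocs(files))} SHA256 indicators")
```

Pasting the full Files section from this page into SAMPLE_FILES reproduces the notes at the top of the section: four conflicting paths, one 0x10000-byte dump for PID 1712 and every other dump at 0x354000.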