Malware Analysis Report

2025-03-15 08:10

Sample ID 240529-zypsbahh3z
Target 2024-05-29_e50ceb4368be130239e15fc8cba107ee_cobalt-strike_cobaltstrike
SHA256 12bde61e9ca0a7cbd29b99924a31be0613fd98d044b1b0703cc01810a909d83d
Tags
cobaltstrike xmrig 0 backdoor miner trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

12bde61e9ca0a7cbd29b99924a31be0613fd98d044b1b0703cc01810a909d83d

Threat Level: Known bad

The file 2024-05-29_e50ceb4368be130239e15fc8cba107ee_cobalt-strike_cobaltstrike was found to be: Known bad.

Malicious Activity Summary

cobaltstrike xmrig 0 backdoor miner trojan upx

xmrig

XMRig Miner payload

Detects Reflective DLL injection artifacts

Xmrig family

Cobalt Strike reflective loader

Cobaltstrike family

UPX dump on OEP (original entry point)

Cobaltstrike

UPX packed file

Loads dropped DLL

Executes dropped EXE

Drops file in Windows directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-05-29 21:07

Signatures

Cobalt Strike reflective loader

Cobaltstrike family

cobaltstrike

Detects Reflective DLL injection artifacts

UPX dump on OEP (original entry point)

XMRig Miner payload

miner
Xmrig family

xmrig

UPX packed file

upx
Unsigned PE

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-29 21:07

Reported

2024-05-29 21:10

Platform

win10v2004-20240508-en

Max time kernel

148s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-05-29_e50ceb4368be130239e15fc8cba107ee_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

UPX dump on OEP (original entry point)

XMRig Miner payload

miner
UPX packed file

upx
Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\nATmHie.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_e50ceb4368be130239e15fc8cba107ee_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\NyOOUpe.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_e50ceb4368be130239e15fc8cba107ee_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\zyMuWGk.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_e50ceb4368be130239e15fc8cba107ee_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\BLWOWZr.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_e50ceb4368be130239e15fc8cba107ee_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\jYCuEAB.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_e50ceb4368be130239e15fc8cba107ee_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\SifaOgN.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_e50ceb4368be130239e15fc8cba107ee_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\hhJvzwR.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_e50ceb4368be130239e15fc8cba107ee_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\BkhgABM.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_e50ceb4368be130239e15fc8cba107ee_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\HDPlrpo.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_e50ceb4368be130239e15fc8cba107ee_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\VCkAmos.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_e50ceb4368be130239e15fc8cba107ee_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\knPzQxL.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_e50ceb4368be130239e15fc8cba107ee_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\SDDORAT.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_e50ceb4368be130239e15fc8cba107ee_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\TvjhXFi.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_e50ceb4368be130239e15fc8cba107ee_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\KjoZrLj.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_e50ceb4368be130239e15fc8cba107ee_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\SusteVJ.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_e50ceb4368be130239e15fc8cba107ee_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\bPJTrxg.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_e50ceb4368be130239e15fc8cba107ee_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\zNlcRNZ.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_e50ceb4368be130239e15fc8cba107ee_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\rgwHSMF.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_e50ceb4368be130239e15fc8cba107ee_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\QLAluEd.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_e50ceb4368be130239e15fc8cba107ee_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\XcjjfPW.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_e50ceb4368be130239e15fc8cba107ee_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\IGuWhqW.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_e50ceb4368be130239e15fc8cba107ee_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_e50ceb4368be130239e15fc8cba107ee_cobalt-strike_cobaltstrike.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_e50ceb4368be130239e15fc8cba107ee_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1192 wrote to memory of 732 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_e50ceb4368be130239e15fc8cba107ee_cobalt-strike_cobaltstrike.exe C:\Windows\System\hhJvzwR.exe
PID 1192 wrote to memory of 732 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_e50ceb4368be130239e15fc8cba107ee_cobalt-strike_cobaltstrike.exe C:\Windows\System\hhJvzwR.exe
PID 1192 wrote to memory of 2848 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_e50ceb4368be130239e15fc8cba107ee_cobalt-strike_cobaltstrike.exe C:\Windows\System\zNlcRNZ.exe
PID 1192 wrote to memory of 2848 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_e50ceb4368be130239e15fc8cba107ee_cobalt-strike_cobaltstrike.exe C:\Windows\System\zNlcRNZ.exe
PID 1192 wrote to memory of 3432 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_e50ceb4368be130239e15fc8cba107ee_cobalt-strike_cobaltstrike.exe C:\Windows\System\VCkAmos.exe
PID 1192 wrote to memory of 3432 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_e50ceb4368be130239e15fc8cba107ee_cobalt-strike_cobaltstrike.exe C:\Windows\System\VCkAmos.exe
PID 1192 wrote to memory of 3864 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_e50ceb4368be130239e15fc8cba107ee_cobalt-strike_cobaltstrike.exe C:\Windows\System\knPzQxL.exe
PID 1192 wrote to memory of 3864 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_e50ceb4368be130239e15fc8cba107ee_cobalt-strike_cobaltstrike.exe C:\Windows\System\knPzQxL.exe
PID 1192 wrote to memory of 1824 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_e50ceb4368be130239e15fc8cba107ee_cobalt-strike_cobaltstrike.exe C:\Windows\System\SDDORAT.exe
PID 1192 wrote to memory of 1824 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_e50ceb4368be130239e15fc8cba107ee_cobalt-strike_cobaltstrike.exe C:\Windows\System\SDDORAT.exe
PID 1192 wrote to memory of 1984 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_e50ceb4368be130239e15fc8cba107ee_cobalt-strike_cobaltstrike.exe C:\Windows\System\BkhgABM.exe
PID 1192 wrote to memory of 1984 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_e50ceb4368be130239e15fc8cba107ee_cobalt-strike_cobaltstrike.exe C:\Windows\System\BkhgABM.exe
PID 1192 wrote to memory of 2860 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_e50ceb4368be130239e15fc8cba107ee_cobalt-strike_cobaltstrike.exe C:\Windows\System\rgwHSMF.exe
PID 1192 wrote to memory of 2860 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_e50ceb4368be130239e15fc8cba107ee_cobalt-strike_cobaltstrike.exe C:\Windows\System\rgwHSMF.exe
PID 1192 wrote to memory of 4520 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_e50ceb4368be130239e15fc8cba107ee_cobalt-strike_cobaltstrike.exe C:\Windows\System\TvjhXFi.exe
PID 1192 wrote to memory of 4520 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_e50ceb4368be130239e15fc8cba107ee_cobalt-strike_cobaltstrike.exe C:\Windows\System\TvjhXFi.exe
PID 1192 wrote to memory of 3404 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_e50ceb4368be130239e15fc8cba107ee_cobalt-strike_cobaltstrike.exe C:\Windows\System\QLAluEd.exe
PID 1192 wrote to memory of 3404 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_e50ceb4368be130239e15fc8cba107ee_cobalt-strike_cobaltstrike.exe C:\Windows\System\QLAluEd.exe
PID 1192 wrote to memory of 3240 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_e50ceb4368be130239e15fc8cba107ee_cobalt-strike_cobaltstrike.exe C:\Windows\System\KjoZrLj.exe
PID 1192 wrote to memory of 3240 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_e50ceb4368be130239e15fc8cba107ee_cobalt-strike_cobaltstrike.exe C:\Windows\System\KjoZrLj.exe
PID 1192 wrote to memory of 1616 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_e50ceb4368be130239e15fc8cba107ee_cobalt-strike_cobaltstrike.exe C:\Windows\System\nATmHie.exe
PID 1192 wrote to memory of 1616 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_e50ceb4368be130239e15fc8cba107ee_cobalt-strike_cobaltstrike.exe C:\Windows\System\nATmHie.exe
PID 1192 wrote to memory of 2136 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_e50ceb4368be130239e15fc8cba107ee_cobalt-strike_cobaltstrike.exe C:\Windows\System\NyOOUpe.exe
PID 1192 wrote to memory of 2136 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_e50ceb4368be130239e15fc8cba107ee_cobalt-strike_cobaltstrike.exe C:\Windows\System\NyOOUpe.exe
PID 1192 wrote to memory of 3684 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_e50ceb4368be130239e15fc8cba107ee_cobalt-strike_cobaltstrike.exe C:\Windows\System\XcjjfPW.exe
PID 1192 wrote to memory of 3684 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_e50ceb4368be130239e15fc8cba107ee_cobalt-strike_cobaltstrike.exe C:\Windows\System\XcjjfPW.exe
PID 1192 wrote to memory of 548 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_e50ceb4368be130239e15fc8cba107ee_cobalt-strike_cobaltstrike.exe C:\Windows\System\SusteVJ.exe
PID 1192 wrote to memory of 548 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_e50ceb4368be130239e15fc8cba107ee_cobalt-strike_cobaltstrike.exe C:\Windows\System\SusteVJ.exe
PID 1192 wrote to memory of 3456 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_e50ceb4368be130239e15fc8cba107ee_cobalt-strike_cobaltstrike.exe C:\Windows\System\zyMuWGk.exe
PID 1192 wrote to memory of 3456 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_e50ceb4368be130239e15fc8cba107ee_cobalt-strike_cobaltstrike.exe C:\Windows\System\zyMuWGk.exe
PID 1192 wrote to memory of 3644 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_e50ceb4368be130239e15fc8cba107ee_cobalt-strike_cobaltstrike.exe C:\Windows\System\BLWOWZr.exe
PID 1192 wrote to memory of 3644 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_e50ceb4368be130239e15fc8cba107ee_cobalt-strike_cobaltstrike.exe C:\Windows\System\BLWOWZr.exe
PID 1192 wrote to memory of 3408 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_e50ceb4368be130239e15fc8cba107ee_cobalt-strike_cobaltstrike.exe C:\Windows\System\IGuWhqW.exe
PID 1192 wrote to memory of 3408 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_e50ceb4368be130239e15fc8cba107ee_cobalt-strike_cobaltstrike.exe C:\Windows\System\IGuWhqW.exe
PID 1192 wrote to memory of 552 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_e50ceb4368be130239e15fc8cba107ee_cobalt-strike_cobaltstrike.exe C:\Windows\System\jYCuEAB.exe
PID 1192 wrote to memory of 552 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_e50ceb4368be130239e15fc8cba107ee_cobalt-strike_cobaltstrike.exe C:\Windows\System\jYCuEAB.exe
PID 1192 wrote to memory of 4068 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_e50ceb4368be130239e15fc8cba107ee_cobalt-strike_cobaltstrike.exe C:\Windows\System\SifaOgN.exe
PID 1192 wrote to memory of 4068 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_e50ceb4368be130239e15fc8cba107ee_cobalt-strike_cobaltstrike.exe C:\Windows\System\SifaOgN.exe
PID 1192 wrote to memory of 4688 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_e50ceb4368be130239e15fc8cba107ee_cobalt-strike_cobaltstrike.exe C:\Windows\System\bPJTrxg.exe
PID 1192 wrote to memory of 4688 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_e50ceb4368be130239e15fc8cba107ee_cobalt-strike_cobaltstrike.exe C:\Windows\System\bPJTrxg.exe
PID 1192 wrote to memory of 2472 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_e50ceb4368be130239e15fc8cba107ee_cobalt-strike_cobaltstrike.exe C:\Windows\System\HDPlrpo.exe
PID 1192 wrote to memory of 2472 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_e50ceb4368be130239e15fc8cba107ee_cobalt-strike_cobaltstrike.exe C:\Windows\System\HDPlrpo.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-05-29_e50ceb4368be130239e15fc8cba107ee_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-05-29_e50ceb4368be130239e15fc8cba107ee_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\hhJvzwR.exe

C:\Windows\System\hhJvzwR.exe

C:\Windows\System\zNlcRNZ.exe

C:\Windows\System\zNlcRNZ.exe

C:\Windows\System\VCkAmos.exe

C:\Windows\System\VCkAmos.exe

C:\Windows\System\knPzQxL.exe

C:\Windows\System\knPzQxL.exe

C:\Windows\System\SDDORAT.exe

C:\Windows\System\SDDORAT.exe

C:\Windows\System\BkhgABM.exe

C:\Windows\System\BkhgABM.exe

C:\Windows\System\rgwHSMF.exe

C:\Windows\System\rgwHSMF.exe

C:\Windows\System\TvjhXFi.exe

C:\Windows\System\TvjhXFi.exe

C:\Windows\System\QLAluEd.exe

C:\Windows\System\QLAluEd.exe

C:\Windows\System\KjoZrLj.exe

C:\Windows\System\KjoZrLj.exe

C:\Windows\System\nATmHie.exe

C:\Windows\System\nATmHie.exe

C:\Windows\System\NyOOUpe.exe

C:\Windows\System\NyOOUpe.exe

C:\Windows\System\XcjjfPW.exe

C:\Windows\System\XcjjfPW.exe

C:\Windows\System\SusteVJ.exe

C:\Windows\System\SusteVJ.exe

C:\Windows\System\zyMuWGk.exe

C:\Windows\System\zyMuWGk.exe

C:\Windows\System\BLWOWZr.exe

C:\Windows\System\BLWOWZr.exe

C:\Windows\System\IGuWhqW.exe

C:\Windows\System\IGuWhqW.exe

C:\Windows\System\jYCuEAB.exe

C:\Windows\System\jYCuEAB.exe

C:\Windows\System\SifaOgN.exe

C:\Windows\System\SifaOgN.exe

C:\Windows\System\bPJTrxg.exe

C:\Windows\System\bPJTrxg.exe

C:\Windows\System\HDPlrpo.exe

C:\Windows\System\HDPlrpo.exe

Network

Files

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-29 21:07

Reported

2024-05-29 21:10

Platform

win7-20240508-en

Max time kernel

146s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-05-29_e50ceb4368be130239e15fc8cba107ee_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

UPX dump on OEP (original entry point)

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_e50ceb4368be130239e15fc8cba107ee_cobalt-strike_cobaltstrike.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\NyOOUpe.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_e50ceb4368be130239e15fc8cba107ee_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\SusteVJ.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_e50ceb4368be130239e15fc8cba107ee_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\BLWOWZr.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_e50ceb4368be130239e15fc8cba107ee_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\zNlcRNZ.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_e50ceb4368be130239e15fc8cba107ee_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\VCkAmos.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_e50ceb4368be130239e15fc8cba107ee_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\SDDORAT.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_e50ceb4368be130239e15fc8cba107ee_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\KjoZrLj.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_e50ceb4368be130239e15fc8cba107ee_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\rgwHSMF.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_e50ceb4368be130239e15fc8cba107ee_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\QLAluEd.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_e50ceb4368be130239e15fc8cba107ee_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\bPJTrxg.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_e50ceb4368be130239e15fc8cba107ee_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\HDPlrpo.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_e50ceb4368be130239e15fc8cba107ee_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\hhJvzwR.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_e50ceb4368be130239e15fc8cba107ee_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\knPzQxL.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_e50ceb4368be130239e15fc8cba107ee_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\jYCuEAB.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_e50ceb4368be130239e15fc8cba107ee_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\SifaOgN.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_e50ceb4368be130239e15fc8cba107ee_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\zyMuWGk.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_e50ceb4368be130239e15fc8cba107ee_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\IGuWhqW.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_e50ceb4368be130239e15fc8cba107ee_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\BkhgABM.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_e50ceb4368be130239e15fc8cba107ee_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\TvjhXFi.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_e50ceb4368be130239e15fc8cba107ee_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\nATmHie.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_e50ceb4368be130239e15fc8cba107ee_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\XcjjfPW.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_e50ceb4368be130239e15fc8cba107ee_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_e50ceb4368be130239e15fc8cba107ee_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2244 wrote to memory of 1708 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_e50ceb4368be130239e15fc8cba107ee_cobalt-strike_cobaltstrike.exe C:\Windows\System\hhJvzwR.exe
PID 2244 wrote to memory of 2064 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_e50ceb4368be130239e15fc8cba107ee_cobalt-strike_cobaltstrike.exe C:\Windows\System\zNlcRNZ.exe
PID 2244 wrote to memory of 2352 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_e50ceb4368be130239e15fc8cba107ee_cobalt-strike_cobaltstrike.exe C:\Windows\System\VCkAmos.exe
PID 2244 wrote to memory of 2004 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_e50ceb4368be130239e15fc8cba107ee_cobalt-strike_cobaltstrike.exe C:\Windows\System\knPzQxL.exe
PID 2244 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_e50ceb4368be130239e15fc8cba107ee_cobalt-strike_cobaltstrike.exe C:\Windows\System\SDDORAT.exe
PID 2244 wrote to memory of 2664 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_e50ceb4368be130239e15fc8cba107ee_cobalt-strike_cobaltstrike.exe C:\Windows\System\BkhgABM.exe
PID 2244 wrote to memory of 2784 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_e50ceb4368be130239e15fc8cba107ee_cobalt-strike_cobaltstrike.exe C:\Windows\System\rgwHSMF.exe
PID 2244 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_e50ceb4368be130239e15fc8cba107ee_cobalt-strike_cobaltstrike.exe C:\Windows\System\TvjhXFi.exe
PID 2244 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_e50ceb4368be130239e15fc8cba107ee_cobalt-strike_cobaltstrike.exe C:\Windows\System\QLAluEd.exe
PID 2244 wrote to memory of 2528 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_e50ceb4368be130239e15fc8cba107ee_cobalt-strike_cobaltstrike.exe C:\Windows\System\KjoZrLj.exe
PID 2244 wrote to memory of 1684 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_e50ceb4368be130239e15fc8cba107ee_cobalt-strike_cobaltstrike.exe C:\Windows\System\nATmHie.exe
PID 2244 wrote to memory of 2008 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_e50ceb4368be130239e15fc8cba107ee_cobalt-strike_cobaltstrike.exe C:\Windows\System\NyOOUpe.exe
PID 2244 wrote to memory of 2560 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_e50ceb4368be130239e15fc8cba107ee_cobalt-strike_cobaltstrike.exe C:\Windows\System\XcjjfPW.exe
PID 2244 wrote to memory of 1828 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_e50ceb4368be130239e15fc8cba107ee_cobalt-strike_cobaltstrike.exe C:\Windows\System\SusteVJ.exe
PID 2244 wrote to memory of 2176 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_e50ceb4368be130239e15fc8cba107ee_cobalt-strike_cobaltstrike.exe C:\Windows\System\zyMuWGk.exe
PID 2244 wrote to memory of 1640 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_e50ceb4368be130239e15fc8cba107ee_cobalt-strike_cobaltstrike.exe C:\Windows\System\BLWOWZr.exe
PID 2244 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_e50ceb4368be130239e15fc8cba107ee_cobalt-strike_cobaltstrike.exe C:\Windows\System\IGuWhqW.exe
PID 2244 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_e50ceb4368be130239e15fc8cba107ee_cobalt-strike_cobaltstrike.exe C:\Windows\System\jYCuEAB.exe
PID 2244 wrote to memory of 1976 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_e50ceb4368be130239e15fc8cba107ee_cobalt-strike_cobaltstrike.exe C:\Windows\System\SifaOgN.exe
PID 2244 wrote to memory of 2168 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_e50ceb4368be130239e15fc8cba107ee_cobalt-strike_cobaltstrike.exe C:\Windows\System\bPJTrxg.exe
PID 2244 wrote to memory of 2184 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_e50ceb4368be130239e15fc8cba107ee_cobalt-strike_cobaltstrike.exe C:\Windows\System\HDPlrpo.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-05-29_e50ceb4368be130239e15fc8cba107ee_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-05-29_e50ceb4368be130239e15fc8cba107ee_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\hhJvzwR.exe

C:\Windows\System\zNlcRNZ.exe

C:\Windows\System\VCkAmos.exe

C:\Windows\System\knPzQxL.exe

C:\Windows\System\SDDORAT.exe

C:\Windows\System\BkhgABM.exe

C:\Windows\System\rgwHSMF.exe

C:\Windows\System\TvjhXFi.exe

C:\Windows\System\QLAluEd.exe

C:\Windows\System\KjoZrLj.exe

C:\Windows\System\nATmHie.exe

C:\Windows\System\NyOOUpe.exe

C:\Windows\System\XcjjfPW.exe

C:\Windows\System\SusteVJ.exe

C:\Windows\System\zyMuWGk.exe

C:\Windows\System\BLWOWZr.exe

C:\Windows\System\IGuWhqW.exe

C:\Windows\System\jYCuEAB.exe

C:\Windows\System\SifaOgN.exe

C:\Windows\System\bPJTrxg.exe

C:\Windows\System\HDPlrpo.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 tcp

Files
