Malware Analysis Report

2025-03-15 08:11

Sample ID 240529-zzvd7aaf97
Target 2024-05-29_ed398ae47512513b1039c6c730bbfee4_cobalt-strike_cobaltstrike
SHA256 726914d628598886304ef351405730241e562ed8585971a69f30e528570d2f98
Tags
cobaltstrike xmrig 0 backdoor miner trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

726914d628598886304ef351405730241e562ed8585971a69f30e528570d2f98

Threat Level: Known bad

The file 2024-05-29_ed398ae47512513b1039c6c730bbfee4_cobalt-strike_cobaltstrike was found to be: Known bad.

Malicious Activity Summary

cobaltstrike xmrig 0 backdoor miner trojan upx

Xmrig family

UPX dump on OEP (original entry point)

Detects Reflective DLL injection artifacts

Cobaltstrike

xmrig

Cobalt Strike reflective loader

Cobaltstrike family

XMRig Miner payload

UPX dump on OEP (original entry point)

XMRig Miner payload

Detects Reflective DLL injection artifacts

Executes dropped EXE

UPX packed file

Loads dropped DLL

Drops file in Windows directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-05-29 21:09

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike family

cobaltstrike

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Xmrig family

xmrig

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-29 21:09

Reported

2024-05-29 21:12

Platform

win10v2004-20240508-en

Max time kernel

145s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-05-29_ed398ae47512513b1039c6c730bbfee4_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A (21 identical rows)

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A (21 identical rows)

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A (64 identical rows)

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A (46 identical rows)

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A (64 identical rows)

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\qKFKbsv.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_ed398ae47512513b1039c6c730bbfee4_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\pbIlHSw.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_ed398ae47512513b1039c6c730bbfee4_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\wwviOrR.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_ed398ae47512513b1039c6c730bbfee4_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\qHNmkXR.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_ed398ae47512513b1039c6c730bbfee4_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\SvjRilp.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_ed398ae47512513b1039c6c730bbfee4_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\uCZYxud.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_ed398ae47512513b1039c6c730bbfee4_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\UMnDPtM.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_ed398ae47512513b1039c6c730bbfee4_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\kzGlmhI.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_ed398ae47512513b1039c6c730bbfee4_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\QohzuvY.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_ed398ae47512513b1039c6c730bbfee4_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\PsnMUPe.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_ed398ae47512513b1039c6c730bbfee4_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\WJDKysA.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_ed398ae47512513b1039c6c730bbfee4_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\SfaDwso.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_ed398ae47512513b1039c6c730bbfee4_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\zAEeNvZ.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_ed398ae47512513b1039c6c730bbfee4_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\KTpODwa.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_ed398ae47512513b1039c6c730bbfee4_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\XphbLfu.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_ed398ae47512513b1039c6c730bbfee4_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\BuEphUR.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_ed398ae47512513b1039c6c730bbfee4_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ldMPqfl.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_ed398ae47512513b1039c6c730bbfee4_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\KdOBxVg.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_ed398ae47512513b1039c6c730bbfee4_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\likxodp.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_ed398ae47512513b1039c6c730bbfee4_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\LERbveN.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_ed398ae47512513b1039c6c730bbfee4_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\tGjZpYe.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_ed398ae47512513b1039c6c730bbfee4_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_ed398ae47512513b1039c6c730bbfee4_cobalt-strike_cobaltstrike.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_ed398ae47512513b1039c6c730bbfee4_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2792 wrote to memory of 536 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_ed398ae47512513b1039c6c730bbfee4_cobalt-strike_cobaltstrike.exe C:\Windows\System\SfaDwso.exe
PID 2792 wrote to memory of 536 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_ed398ae47512513b1039c6c730bbfee4_cobalt-strike_cobaltstrike.exe C:\Windows\System\SfaDwso.exe
PID 2792 wrote to memory of 5056 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_ed398ae47512513b1039c6c730bbfee4_cobalt-strike_cobaltstrike.exe C:\Windows\System\uCZYxud.exe
PID 2792 wrote to memory of 5056 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_ed398ae47512513b1039c6c730bbfee4_cobalt-strike_cobaltstrike.exe C:\Windows\System\uCZYxud.exe
PID 2792 wrote to memory of 2404 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_ed398ae47512513b1039c6c730bbfee4_cobalt-strike_cobaltstrike.exe C:\Windows\System\likxodp.exe
PID 2792 wrote to memory of 2404 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_ed398ae47512513b1039c6c730bbfee4_cobalt-strike_cobaltstrike.exe C:\Windows\System\likxodp.exe
PID 2792 wrote to memory of 948 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_ed398ae47512513b1039c6c730bbfee4_cobalt-strike_cobaltstrike.exe C:\Windows\System\zAEeNvZ.exe
PID 2792 wrote to memory of 948 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_ed398ae47512513b1039c6c730bbfee4_cobalt-strike_cobaltstrike.exe C:\Windows\System\zAEeNvZ.exe
PID 2792 wrote to memory of 2644 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_ed398ae47512513b1039c6c730bbfee4_cobalt-strike_cobaltstrike.exe C:\Windows\System\UMnDPtM.exe
PID 2792 wrote to memory of 2644 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_ed398ae47512513b1039c6c730bbfee4_cobalt-strike_cobaltstrike.exe C:\Windows\System\UMnDPtM.exe
PID 2792 wrote to memory of 1972 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_ed398ae47512513b1039c6c730bbfee4_cobalt-strike_cobaltstrike.exe C:\Windows\System\KTpODwa.exe
PID 2792 wrote to memory of 1972 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_ed398ae47512513b1039c6c730bbfee4_cobalt-strike_cobaltstrike.exe C:\Windows\System\KTpODwa.exe
PID 2792 wrote to memory of 4568 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_ed398ae47512513b1039c6c730bbfee4_cobalt-strike_cobaltstrike.exe C:\Windows\System\kzGlmhI.exe
PID 2792 wrote to memory of 4568 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_ed398ae47512513b1039c6c730bbfee4_cobalt-strike_cobaltstrike.exe C:\Windows\System\kzGlmhI.exe
PID 2792 wrote to memory of 4644 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_ed398ae47512513b1039c6c730bbfee4_cobalt-strike_cobaltstrike.exe C:\Windows\System\XphbLfu.exe
PID 2792 wrote to memory of 4644 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_ed398ae47512513b1039c6c730bbfee4_cobalt-strike_cobaltstrike.exe C:\Windows\System\XphbLfu.exe
PID 2792 wrote to memory of 3392 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_ed398ae47512513b1039c6c730bbfee4_cobalt-strike_cobaltstrike.exe C:\Windows\System\PsnMUPe.exe
PID 2792 wrote to memory of 3392 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_ed398ae47512513b1039c6c730bbfee4_cobalt-strike_cobaltstrike.exe C:\Windows\System\PsnMUPe.exe
PID 2792 wrote to memory of 540 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_ed398ae47512513b1039c6c730bbfee4_cobalt-strike_cobaltstrike.exe C:\Windows\System\LERbveN.exe
PID 2792 wrote to memory of 540 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_ed398ae47512513b1039c6c730bbfee4_cobalt-strike_cobaltstrike.exe C:\Windows\System\LERbveN.exe
PID 2792 wrote to memory of 1944 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_ed398ae47512513b1039c6c730bbfee4_cobalt-strike_cobaltstrike.exe C:\Windows\System\BuEphUR.exe
PID 2792 wrote to memory of 1944 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_ed398ae47512513b1039c6c730bbfee4_cobalt-strike_cobaltstrike.exe C:\Windows\System\BuEphUR.exe
PID 2792 wrote to memory of 1836 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_ed398ae47512513b1039c6c730bbfee4_cobalt-strike_cobaltstrike.exe C:\Windows\System\tGjZpYe.exe
PID 2792 wrote to memory of 1836 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_ed398ae47512513b1039c6c730bbfee4_cobalt-strike_cobaltstrike.exe C:\Windows\System\tGjZpYe.exe
PID 2792 wrote to memory of 5052 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_ed398ae47512513b1039c6c730bbfee4_cobalt-strike_cobaltstrike.exe C:\Windows\System\qKFKbsv.exe
PID 2792 wrote to memory of 5052 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_ed398ae47512513b1039c6c730bbfee4_cobalt-strike_cobaltstrike.exe C:\Windows\System\qKFKbsv.exe
PID 2792 wrote to memory of 1576 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_ed398ae47512513b1039c6c730bbfee4_cobalt-strike_cobaltstrike.exe C:\Windows\System\WJDKysA.exe
PID 2792 wrote to memory of 1576 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_ed398ae47512513b1039c6c730bbfee4_cobalt-strike_cobaltstrike.exe C:\Windows\System\WJDKysA.exe
PID 2792 wrote to memory of 4796 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_ed398ae47512513b1039c6c730bbfee4_cobalt-strike_cobaltstrike.exe C:\Windows\System\pbIlHSw.exe
PID 2792 wrote to memory of 4796 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_ed398ae47512513b1039c6c730bbfee4_cobalt-strike_cobaltstrike.exe C:\Windows\System\pbIlHSw.exe
PID 2792 wrote to memory of 1900 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_ed398ae47512513b1039c6c730bbfee4_cobalt-strike_cobaltstrike.exe C:\Windows\System\ldMPqfl.exe
PID 2792 wrote to memory of 1900 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_ed398ae47512513b1039c6c730bbfee4_cobalt-strike_cobaltstrike.exe C:\Windows\System\ldMPqfl.exe
PID 2792 wrote to memory of 4308 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_ed398ae47512513b1039c6c730bbfee4_cobalt-strike_cobaltstrike.exe C:\Windows\System\KdOBxVg.exe
PID 2792 wrote to memory of 4308 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_ed398ae47512513b1039c6c730bbfee4_cobalt-strike_cobaltstrike.exe C:\Windows\System\KdOBxVg.exe
PID 2792 wrote to memory of 1332 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_ed398ae47512513b1039c6c730bbfee4_cobalt-strike_cobaltstrike.exe C:\Windows\System\wwviOrR.exe
PID 2792 wrote to memory of 1332 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_ed398ae47512513b1039c6c730bbfee4_cobalt-strike_cobaltstrike.exe C:\Windows\System\wwviOrR.exe
PID 2792 wrote to memory of 2608 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_ed398ae47512513b1039c6c730bbfee4_cobalt-strike_cobaltstrike.exe C:\Windows\System\qHNmkXR.exe
PID 2792 wrote to memory of 2608 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_ed398ae47512513b1039c6c730bbfee4_cobalt-strike_cobaltstrike.exe C:\Windows\System\qHNmkXR.exe
PID 2792 wrote to memory of 3516 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_ed398ae47512513b1039c6c730bbfee4_cobalt-strike_cobaltstrike.exe C:\Windows\System\SvjRilp.exe
PID 2792 wrote to memory of 3516 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_ed398ae47512513b1039c6c730bbfee4_cobalt-strike_cobaltstrike.exe C:\Windows\System\SvjRilp.exe
PID 2792 wrote to memory of 3260 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_ed398ae47512513b1039c6c730bbfee4_cobalt-strike_cobaltstrike.exe C:\Windows\System\QohzuvY.exe
PID 2792 wrote to memory of 3260 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_ed398ae47512513b1039c6c730bbfee4_cobalt-strike_cobaltstrike.exe C:\Windows\System\QohzuvY.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-05-29_ed398ae47512513b1039c6c730bbfee4_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-05-29_ed398ae47512513b1039c6c730bbfee4_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\SfaDwso.exe

C:\Windows\System\SfaDwso.exe

C:\Windows\System\uCZYxud.exe

C:\Windows\System\uCZYxud.exe

C:\Windows\System\likxodp.exe

C:\Windows\System\likxodp.exe

C:\Windows\System\zAEeNvZ.exe

C:\Windows\System\zAEeNvZ.exe

C:\Windows\System\UMnDPtM.exe

C:\Windows\System\UMnDPtM.exe

C:\Windows\System\KTpODwa.exe

C:\Windows\System\KTpODwa.exe

C:\Windows\System\kzGlmhI.exe

C:\Windows\System\kzGlmhI.exe

C:\Windows\System\XphbLfu.exe

C:\Windows\System\XphbLfu.exe

C:\Windows\System\PsnMUPe.exe

C:\Windows\System\PsnMUPe.exe

C:\Windows\System\LERbveN.exe

C:\Windows\System\LERbveN.exe

C:\Windows\System\BuEphUR.exe

C:\Windows\System\BuEphUR.exe

C:\Windows\System\tGjZpYe.exe

C:\Windows\System\tGjZpYe.exe

C:\Windows\System\qKFKbsv.exe

C:\Windows\System\qKFKbsv.exe

C:\Windows\System\WJDKysA.exe

C:\Windows\System\WJDKysA.exe

C:\Windows\System\pbIlHSw.exe

C:\Windows\System\pbIlHSw.exe

C:\Windows\System\ldMPqfl.exe

C:\Windows\System\ldMPqfl.exe

C:\Windows\System\KdOBxVg.exe

C:\Windows\System\KdOBxVg.exe

C:\Windows\System\wwviOrR.exe

C:\Windows\System\wwviOrR.exe

C:\Windows\System\qHNmkXR.exe

C:\Windows\System\qHNmkXR.exe

C:\Windows\System\SvjRilp.exe

C:\Windows\System\SvjRilp.exe

C:\Windows\System\QohzuvY.exe

C:\Windows\System\QohzuvY.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 163.126.19.2.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 137.126.19.2.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp

Files

memory/2792-0-0x00007FF6104F0000-0x00007FF610841000-memory.dmp

memory/2792-1-0x00000121A2460000-0x00000121A2470000-memory.dmp

C:\Windows\System\SfaDwso.exe

MD5 884060902072fbc1414a5370e8b49083
SHA1 8a9455602c7d8270739757f4cd1297fd8a4cb1e8
SHA256 ee3ef25a168a9a19e946dcae225bfee88319ae83431fae9fc15fe65eb9295972
SHA512 80ed0d7dd429d08319649f9e48d6f722e09baee6c2aa1faa649568b050fccb4983caae3b719b96fa0b8366368f83c00feb7bb501d89aeb0fcbca94647a2f131f

C:\Windows\System\uCZYxud.exe

MD5 73603ab1d91811038c9d248e20cdd08e
SHA1 f34d172cb614ed75f827846429840d6ab140bd29
SHA256 e84bad6eca0ceb9ca4aed8d433bda3128ce2750b14404681d8a46af05826ffa7
SHA512 057d82be6b7b946aa2da8bdc5c81771fff48c34086bc0c8ecdeeb7e303d19bf5228405229b538b487431aeba8b05bf2c982abd7ab104786bbab287dbf66214cf

memory/536-7-0x00007FF7BAF30000-0x00007FF7BB281000-memory.dmp

C:\Windows\System\likxodp.exe

MD5 2558b9e156a46f8322636d7924766511
SHA1 8d8ef136c016db67067f5fc64a28b91234c15475
SHA256 78b635248d08f9b64085e8cb34406bd78e09aea57262416d76f546fae82a8e50
SHA512 575412b5538b05c963a0f9dc9584f5e6ab2059bc2f232dc5a8ed5b02fb441c31b4638d342574c35bf1f26e9ddc60b8f08ad20ea8d3c2fd954fe1d904c9a1b5b8

memory/5056-13-0x00007FF6C11F0000-0x00007FF6C1541000-memory.dmp

memory/2404-19-0x00007FF7D1250000-0x00007FF7D15A1000-memory.dmp

C:\Windows\System\zAEeNvZ.exe

MD5 3c8d92b5b5771624fb0b40bf85fe3b24
SHA1 df7c5db2b90bd2037e5670dcad3b855eab072d48
SHA256 da2f6818d92a8e218ef796c60c187a1db2d978bcfc4c450ced08e011a527de8a
SHA512 ac972232673bceb1e43c0f77349a7c14b70dc638f2ad2d1c60d317583e33d2a40aefa1b81022b4b45a4f0a2706c74cc123d2e0ded91e46095c079dfe95218500

memory/948-26-0x00007FF7AF4C0000-0x00007FF7AF811000-memory.dmp

C:\Windows\System\UMnDPtM.exe

MD5 83037d34043032c01dda75a7ff8bd9fb
SHA1 1b9747952ddc1cb15bf2a0ac9428b57dd5377c3b
SHA256 787be9cd074e3aea343c23d9fe8f388580caf757b0f7458b4ef20a0bd5af8a98
SHA512 c6eb962e12c166f07b6d7210351e5d15563cb989f1f011712a6fcd1aeac93fcbc6cb53d25b158522649a06e4ef6aa54c7a5feac06011a2b2d73e520b70ac3e06

C:\Windows\System\KTpODwa.exe

MD5 b9e0693c3cc296578a749e551bf0d430
SHA1 17c4ee8c18a84c8cd7fcb0d8aaf629fe37c669fb
SHA256 46532107dc098f33699ce858105d6ba78ea200fd3bfc0203731c36bd80c858ed
SHA512 0c45d299ce03f796037f6c1ddf25a959835d8c08787b4ea06f33b9e645948825c5ad674cd0f128cd1248779a19e394648213ae07d87f0b0f247f70c39b528c4a

C:\Windows\System\kzGlmhI.exe

MD5 ff79a2101fe37c57ad65da446fd25d6d
SHA1 2862b7829829db9fccb3898793c68204635cbc4a
SHA256 cc5a4b4372d32c9f45c23987efb16b754417d2fb50bda308888f165890234d8a
SHA512 949c06966ed7852fc8c54df5df80cacd84cdee8361c45327968a3e6d3c1327e9bb61b4aac586dcb086c721c1f6df6f665cc489c9365e3eb39337741c535d99bc

memory/4568-43-0x00007FF60A8E0000-0x00007FF60AC31000-memory.dmp

C:\Windows\System\XphbLfu.exe

MD5 2eb2003ab1da3ea86a578dc1fe32a935
SHA1 7e2674c4bcb453ce462cc6d34e05b4c67f1b9a59
SHA256 e0b9713e2804ccbc4cf0108265ce957a89fceaa35022f97b2d313f54694da3e4
SHA512 783ef81cb88de592037ab4b42f02085492d666457ddcc43b2a3f26db8426455a3782bab6208e5f91c4ae20f329ca36185cd963ab4f2dbe162e6c6d2143e812d1

C:\Windows\System\PsnMUPe.exe

MD5 83c203a88d34ea1bf96f2785fe084bc5
SHA1 f90a03bfe83b8d3611cba785b95eb5dec1e06893
SHA256 0f36799e93c76286b286a5d4f436b1a378a2124f2eddfc193a23ac25ed670039
SHA512 0c4350af500af87c9164b22e4e4a528da8414a98c1aa86e581b670677c5064c4bbfda236ddcc6d7d68561bff557008d408817f1742881434a0f110bd7ed79e2c

C:\Windows\System\LERbveN.exe

MD5 4212ad208e81f382ae29289e9697d1a9
SHA1 1fa64d2974b6c97e61fa7580b49c92046af73618
SHA256 3a97e561238f4ca827a6933bb35d0317b0b2da6861ba4cdc61074d3afccd4ea0
SHA512 3223a9f425bd1cb0255bce3066932e2d1bdddd37d85a2b02d21b74f504012dd8252ca252253293bddbf25bbdbbf51683c4396b36f163dbaca9aed4e975f9dccc

memory/2792-60-0x00007FF6104F0000-0x00007FF610841000-memory.dmp

C:\Windows\System\BuEphUR.exe

MD5 234b4230941665fe2fa6da0b83c6192d
SHA1 0594578766bdac733434348a23681dca15700975
SHA256 8eec60d6f3b326cf18c146c1b994bab8ed9930059b669499c368b393ef64ff87
SHA512 92940d8a06e21002b07acc1c9bdb584ad3c6e72536c69b12ad98f7d1635e89f3144725ecabeb9b2e4a6e34bfc72f3298737195dc57465b2de2b5bca934b59243

C:\Windows\System\tGjZpYe.exe

MD5 e957ee8906a56c67ee034e7cbe15c827
SHA1 3a207572763ccd99838fa735f7957f4bde32f6b4
SHA256 b12779c43eb91e041a0ae8f30b7037e09c3e7607118def37055bd0876bbff31a
SHA512 d36c0f25c3089604ec9b3b270f402281c0392c0ed843d2f703d33cd06e886c345d1c43f2bdb52d90a5608c3ad15062735eb6ee3f2821190bea374407af4f444a

memory/5056-72-0x00007FF6C11F0000-0x00007FF6C1541000-memory.dmp

memory/2404-81-0x00007FF7D1250000-0x00007FF7D15A1000-memory.dmp

C:\Windows\System\WJDKysA.exe

MD5 04cf3b282fda8843b92ebc68d39bc4bc
SHA1 ebd60b34663955b2ec4e493c3a2dde1eee35d249
SHA256 87f56d15c5fd1ade6cf7173cbb88616ccebe93b98c45e5676953c238e09b99ec
SHA512 d8a8c3bd92f1830d1c120c75d0f76746518595d778acd93ac7dab9e4dc9a951ca1831517bd81a5f09e473a5c2a20414520aa3d99f17c9be70f741fc68bf664f5

C:\Windows\System\pbIlHSw.exe

MD5 bffd3bc532f8fe45d2636930998cd854
SHA1 76d043a6a3e7c24ba8f03fb72dfbe9d54c21a3a4
SHA256 0aaa098791f8703a9af9be01f5c71fd820d3f3a98628e344b0b28f44260ed4af
SHA512 ee1dbbe023f9d31fa778ac6c04b13d912eda90e5ae60f6b77b6d231184353166f7c296e5a7d7404ccb73d5c261ca9235611127678174bd2c5fe04a49d1804d18

memory/4796-93-0x00007FF71C820000-0x00007FF71CB71000-memory.dmp

memory/1576-92-0x00007FF7ED240000-0x00007FF7ED591000-memory.dmp

C:\Windows\System\qKFKbsv.exe

MD5 f2f1dfd377c15f041e42ed926365d887
SHA1 df37e046cfd1150ab3231e3f98ff08b04361e58e
SHA256 a34950ec1736410f9486d31188c8c0f9e007ced677a97a0f548274396b2d4aeb
SHA512 b033c3b46a9d1145f2478d6f873b3078e290bc26af758127a6aaa632213ecbf30862ee7a4907314a6b7fcb5c0bccabe1014760da0b3d835dd2f7fc3ab2a6b841

memory/5052-84-0x00007FF6CDBA0000-0x00007FF6CDEF1000-memory.dmp

memory/1836-76-0x00007FF629690000-0x00007FF6299E1000-memory.dmp

memory/1944-71-0x00007FF721240000-0x00007FF721591000-memory.dmp

memory/536-68-0x00007FF7BAF30000-0x00007FF7BB281000-memory.dmp

memory/540-63-0x00007FF627EC0000-0x00007FF628211000-memory.dmp

memory/3392-59-0x00007FF6C9B30000-0x00007FF6C9E81000-memory.dmp

memory/4644-51-0x00007FF634450000-0x00007FF6347A1000-memory.dmp

memory/1972-38-0x00007FF6B3D50000-0x00007FF6B40A1000-memory.dmp

memory/2644-32-0x00007FF7DC670000-0x00007FF7DC9C1000-memory.dmp

C:\Windows\System\ldMPqfl.exe

MD5 55f4fe7dc17d288b771fda4b49fb7029
SHA1 469d295cd6ae194c68bd7bd217a4690ae13d9b39
SHA256 912e2b1bb1546f43d94c2c84464d114bd9b8c00806a6aa2094940d3426da9dd3
SHA512 4972d6010943fcf5e199eba2e61ba82edd77228b8c56e2364ead6df15fd8d119dc58f80e7f0c9fc1859dc90501347a5a52bb3eaca744608c1c04f94cfa94cb36

C:\Windows\System\KdOBxVg.exe

MD5 52091397340b0ab7753497d7f0dd542d
SHA1 9790fe317105be77fafaf4c1637e5acd56f0985b
SHA256 17b8bb34a2c05b5b1d14a36cd90eab1e4b2e07ebca85ad9a91d160c45028c1e1
SHA512 2bf9e75c810372e2980cf77b6c6325b7cb5abd237e2f473dba3d0d9f8406d19f61340c3ad63ce64bc5dea0727ddb8dd0ef7a535ece70a10c59505faa3d9442c2

C:\Windows\System\wwviOrR.exe

MD5 561ce1d441f52c720b8730fd8bdf15fe
SHA1 ee8e11311106501edba7605235792471c3852b1e
SHA256 d615fdee8895559d04a9703c8bab88be51e77df7184fd3dcc411bfa5ee0404d9
SHA512 f080d335914336edc71aebf4249f8bd044a270e020ebfa558dce95ae21a70ba2924c1e2e4c18f49f03666968634f8c7c679530c65e7c9db891078d28f984bf2d

C:\Windows\System\qHNmkXR.exe

MD5 59f39acbcaffc01c1a6fad3e684b6927
SHA1 b687743d7cfd826c9f6951c41b7e05e8221f1182
SHA256 be99d93de17d260f967ac721f68c63c9fb9db3306893513631a8edabcd2ea1d0
SHA512 d26ad9f0eab993f9907cba886a0b5d1f073445780ba2394a9d354eedff91f6a2ac71b00feb6a1831adceef8ea473bcfb283c0933bedd6200cd996f0966419ecc

C:\Windows\System\SvjRilp.exe

MD5 47ca8be4e5c27afe6697818c480e8bac
SHA1 11c8f69c2d1c20ae01eb3f51872c3ea5c030dddb
SHA256 53648548e316402d4ffddccb821cc45b1625ef806743dea4b2aa120e356f3b61
SHA512 ca5bcb89cb82f2409c01551e24ba72105b7347aff2a5e795cf0c9e19e3da3a9e9bfc163c96e0a7478c4ca714e87bddf2c751a207c0a96a6daff4721ab6330770

memory/2644-126-0x00007FF7DC670000-0x00007FF7DC9C1000-memory.dmp

memory/1332-129-0x00007FF6C68F0000-0x00007FF6C6C41000-memory.dmp

memory/2608-132-0x00007FF642380000-0x00007FF6426D1000-memory.dmp

C:\Windows\System\QohzuvY.exe

MD5 cadbfd6a01aa2701954623328b9c51d6
SHA1 999d20134554c58814460aeecdcabb305bf93b6d
SHA256 5f8afe9728f57ad9627dc999443b828ec84c502ffaa4d2bb333c34d9986aa085
SHA512 72a6db815f29dfe6c9b364e47eb78784daee9d47f0786dcd55d606f618ce950d8318aaee08e56fa32f2b327b658822cb2e3189c90a4438f1c85765bf7bcd53c4

memory/4308-128-0x00007FF72A690000-0x00007FF72A9E1000-memory.dmp

memory/1900-127-0x00007FF7414A0000-0x00007FF7417F1000-memory.dmp

memory/3516-135-0x00007FF7BAC30000-0x00007FF7BAF81000-memory.dmp

memory/4568-139-0x00007FF60A8E0000-0x00007FF60AC31000-memory.dmp

memory/1576-146-0x00007FF7ED240000-0x00007FF7ED591000-memory.dmp

memory/3260-148-0x00007FF711250000-0x00007FF7115A1000-memory.dmp

memory/5052-145-0x00007FF6CDBA0000-0x00007FF6CDEF1000-memory.dmp

memory/1836-144-0x00007FF629690000-0x00007FF6299E1000-memory.dmp

memory/1944-143-0x00007FF721240000-0x00007FF721591000-memory.dmp

memory/540-142-0x00007FF627EC0000-0x00007FF628211000-memory.dmp

memory/4644-140-0x00007FF634450000-0x00007FF6347A1000-memory.dmp

memory/4796-147-0x00007FF71C820000-0x00007FF71CB71000-memory.dmp

memory/2792-149-0x00007FF6104F0000-0x00007FF610841000-memory.dmp

memory/2792-171-0x00007FF6104F0000-0x00007FF610841000-memory.dmp

memory/536-194-0x00007FF7BAF30000-0x00007FF7BB281000-memory.dmp

memory/5056-196-0x00007FF6C11F0000-0x00007FF6C1541000-memory.dmp

memory/2404-208-0x00007FF7D1250000-0x00007FF7D15A1000-memory.dmp

memory/948-207-0x00007FF7AF4C0000-0x00007FF7AF811000-memory.dmp

memory/2644-211-0x00007FF7DC670000-0x00007FF7DC9C1000-memory.dmp

memory/1972-212-0x00007FF6B3D50000-0x00007FF6B40A1000-memory.dmp

memory/4568-214-0x00007FF60A8E0000-0x00007FF60AC31000-memory.dmp

memory/4644-216-0x00007FF634450000-0x00007FF6347A1000-memory.dmp

memory/3392-218-0x00007FF6C9B30000-0x00007FF6C9E81000-memory.dmp

memory/540-220-0x00007FF627EC0000-0x00007FF628211000-memory.dmp

memory/1944-222-0x00007FF721240000-0x00007FF721591000-memory.dmp

memory/1836-224-0x00007FF629690000-0x00007FF6299E1000-memory.dmp

memory/5052-226-0x00007FF6CDBA0000-0x00007FF6CDEF1000-memory.dmp

memory/1576-228-0x00007FF7ED240000-0x00007FF7ED591000-memory.dmp

memory/4796-230-0x00007FF71C820000-0x00007FF71CB71000-memory.dmp

memory/1900-232-0x00007FF7414A0000-0x00007FF7417F1000-memory.dmp

memory/4308-234-0x00007FF72A690000-0x00007FF72A9E1000-memory.dmp

memory/1332-236-0x00007FF6C68F0000-0x00007FF6C6C41000-memory.dmp

memory/3516-239-0x00007FF7BAC30000-0x00007FF7BAF81000-memory.dmp

memory/2608-240-0x00007FF642380000-0x00007FF6426D1000-memory.dmp

memory/3260-242-0x00007FF711250000-0x00007FF7115A1000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-29 21:09

Reported

2024-05-29 21:12

Platform

win7-20240508-en

Max time kernel

141s

Max time network

145s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-05-29_ed398ae47512513b1039c6c730bbfee4_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A (21 identical rows)

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A (21 identical rows)

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A (64 identical rows)

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_ed398ae47512513b1039c6c730bbfee4_cobalt-strike_cobaltstrike.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\nuUciwd.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_ed398ae47512513b1039c6c730bbfee4_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\apvnSwb.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_ed398ae47512513b1039c6c730bbfee4_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\nLqcKJZ.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_ed398ae47512513b1039c6c730bbfee4_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\tSbMTAQ.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_ed398ae47512513b1039c6c730bbfee4_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\nKWRkTY.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_ed398ae47512513b1039c6c730bbfee4_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\JtDWUFd.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_ed398ae47512513b1039c6c730bbfee4_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\rRKcMFX.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_ed398ae47512513b1039c6c730bbfee4_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\rAsWdkJ.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_ed398ae47512513b1039c6c730bbfee4_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\mWzleJq.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_ed398ae47512513b1039c6c730bbfee4_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\SUNDXIF.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_ed398ae47512513b1039c6c730bbfee4_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\CnoFHNp.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_ed398ae47512513b1039c6c730bbfee4_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\BOGbRfZ.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_ed398ae47512513b1039c6c730bbfee4_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\FLVaQZc.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_ed398ae47512513b1039c6c730bbfee4_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\CNOuPWa.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_ed398ae47512513b1039c6c730bbfee4_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\MjFImqY.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_ed398ae47512513b1039c6c730bbfee4_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\NiVgHNl.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_ed398ae47512513b1039c6c730bbfee4_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\SUuEYAj.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_ed398ae47512513b1039c6c730bbfee4_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\DFVYQvY.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_ed398ae47512513b1039c6c730bbfee4_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\igoyOUS.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_ed398ae47512513b1039c6c730bbfee4_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\BnFdVRx.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_ed398ae47512513b1039c6c730bbfee4_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\kzimpTo.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_ed398ae47512513b1039c6c730bbfee4_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_ed398ae47512513b1039c6c730bbfee4_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1260 wrote to memory of 1788 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_ed398ae47512513b1039c6c730bbfee4_cobalt-strike_cobaltstrike.exe C:\Windows\System\CNOuPWa.exe
PID 1260 wrote to memory of 2372 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_ed398ae47512513b1039c6c730bbfee4_cobalt-strike_cobaltstrike.exe C:\Windows\System\MjFImqY.exe
PID 1260 wrote to memory of 3040 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_ed398ae47512513b1039c6c730bbfee4_cobalt-strike_cobaltstrike.exe C:\Windows\System\igoyOUS.exe
PID 1260 wrote to memory of 2732 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_ed398ae47512513b1039c6c730bbfee4_cobalt-strike_cobaltstrike.exe C:\Windows\System\JtDWUFd.exe
PID 1260 wrote to memory of 2796 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_ed398ae47512513b1039c6c730bbfee4_cobalt-strike_cobaltstrike.exe C:\Windows\System\rRKcMFX.exe
PID 1260 wrote to memory of 2788 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_ed398ae47512513b1039c6c730bbfee4_cobalt-strike_cobaltstrike.exe C:\Windows\System\rAsWdkJ.exe
PID 1260 wrote to memory of 3044 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_ed398ae47512513b1039c6c730bbfee4_cobalt-strike_cobaltstrike.exe C:\Windows\System\nuUciwd.exe
PID 1260 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_ed398ae47512513b1039c6c730bbfee4_cobalt-strike_cobaltstrike.exe C:\Windows\System\apvnSwb.exe
PID 1260 wrote to memory of 2700 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_ed398ae47512513b1039c6c730bbfee4_cobalt-strike_cobaltstrike.exe C:\Windows\System\NiVgHNl.exe
PID 1260 wrote to memory of 2552 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_ed398ae47512513b1039c6c730bbfee4_cobalt-strike_cobaltstrike.exe C:\Windows\System\nLqcKJZ.exe
PID 1260 wrote to memory of 2968 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_ed398ae47512513b1039c6c730bbfee4_cobalt-strike_cobaltstrike.exe C:\Windows\System\mWzleJq.exe
PID 1260 wrote to memory of 2488 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_ed398ae47512513b1039c6c730bbfee4_cobalt-strike_cobaltstrike.exe C:\Windows\System\BnFdVRx.exe
PID 1260 wrote to memory of 1924 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_ed398ae47512513b1039c6c730bbfee4_cobalt-strike_cobaltstrike.exe C:\Windows\System\SUNDXIF.exe
PID 1260 wrote to memory of 2776 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_ed398ae47512513b1039c6c730bbfee4_cobalt-strike_cobaltstrike.exe C:\Windows\System\tSbMTAQ.exe
PID 1260 wrote to memory of 2844 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_ed398ae47512513b1039c6c730bbfee4_cobalt-strike_cobaltstrike.exe C:\Windows\System\CnoFHNp.exe
PID 1260 wrote to memory of 1792 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_ed398ae47512513b1039c6c730bbfee4_cobalt-strike_cobaltstrike.exe C:\Windows\System\kzimpTo.exe
PID 1260 wrote to memory of 1984 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_ed398ae47512513b1039c6c730bbfee4_cobalt-strike_cobaltstrike.exe C:\Windows\System\nKWRkTY.exe
PID 1260 wrote to memory of 1264 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_ed398ae47512513b1039c6c730bbfee4_cobalt-strike_cobaltstrike.exe C:\Windows\System\BOGbRfZ.exe
PID 1260 wrote to memory of 2428 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_ed398ae47512513b1039c6c730bbfee4_cobalt-strike_cobaltstrike.exe C:\Windows\System\FLVaQZc.exe
PID 1260 wrote to memory of 2840 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_ed398ae47512513b1039c6c730bbfee4_cobalt-strike_cobaltstrike.exe C:\Windows\System\DFVYQvY.exe
PID 1260 wrote to memory of 2188 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_ed398ae47512513b1039c6c730bbfee4_cobalt-strike_cobaltstrike.exe C:\Windows\System\SUuEYAj.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-05-29_ed398ae47512513b1039c6c730bbfee4_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-05-29_ed398ae47512513b1039c6c730bbfee4_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\CNOuPWa.exe

C:\Windows\System\MjFImqY.exe

C:\Windows\System\igoyOUS.exe

C:\Windows\System\JtDWUFd.exe

C:\Windows\System\rRKcMFX.exe

C:\Windows\System\rAsWdkJ.exe

C:\Windows\System\nuUciwd.exe

C:\Windows\System\apvnSwb.exe

C:\Windows\System\NiVgHNl.exe

C:\Windows\System\nLqcKJZ.exe

C:\Windows\System\mWzleJq.exe

C:\Windows\System\BnFdVRx.exe

C:\Windows\System\SUNDXIF.exe

C:\Windows\System\tSbMTAQ.exe

C:\Windows\System\CnoFHNp.exe

C:\Windows\System\kzimpTo.exe

C:\Windows\System\nKWRkTY.exe

C:\Windows\System\BOGbRfZ.exe

C:\Windows\System\FLVaQZc.exe

C:\Windows\System\DFVYQvY.exe

C:\Windows\System\SUuEYAj.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 tcp

Files

\Windows\system\CNOuPWa.exe

MD5 6b9e3bca061e97f018697a9a8b8ac8c6
SHA1 5c914e0dc3409ed2f6bf2fd72161a1a78aef45d2
SHA256 4986dcf3e39a0f3342b8453f23cbe898be93746c63e75b7ec88db1b9306ec5a4
SHA512 73e489d204a9452b32662c0d346c8d70ab9fdb8cf000b0b1e1817988adfe839689990717ee3c34cfd931f3580719eb61dedcf0e44994cdf2d92203dbe2fb2a30

C:\Windows\system\MjFImqY.exe

MD5 cc8e8207ecc409255de08cca354c5240
SHA1 fa88fce5c7511b171b961370572ae0890b320f19
SHA256 27e70a9c3ed17f0a0575dacf1a326c6c1915c530aa21ec829bb96265bac924c2
SHA512 83f7e818481c0ab4abe3b7c4fac80dd34e6d30f4fcf6b6be68500c68244c3a4ca4a875e0ebb22b9cd78870081072b689d2f72c286c29d99f38f7e2465dce77bf

C:\Windows\system\igoyOUS.exe

MD5 0c42f651c13e6c436f0a24bd97a8695f
SHA1 f4df28259e188588396705bc37261a7d4dbbb408
SHA256 e9ca123cee5ebfc2047101deecae5622870f3afe5cdc53c8c6ae71bb09ad19e9
SHA512 4f13f720d6be2cd635074a1fe92c3835d2d25b91d97fda81a3d60fd2b704ed8b1219ae8ca99b9a285e9e11967cf506a140847228c0ad0ea5980ac60796f70012

C:\Windows\system\JtDWUFd.exe

MD5 51e7c5f82a16e51453fd4f17535a1843
SHA1 a2bf584316a84e9d51185f2b93653d0ba8397220
SHA256 e2fc6a22fd818e9a9518dc140e75ce2db711a037197ce6544fb3ecf0cae3c226
SHA512 de14ac16c4a1858c3602ef4a5aad08d94cdb0f931e4fb8e1cc869a2c48d30f39f6a0b8afb8093dffcc399be9a634bac63767d430bebbb0fd2104b2f7d54d6a0f

C:\Windows\system\rRKcMFX.exe

MD5 707a804b407b9b18fc76c74c14a51327
SHA1 35217e90f205d21751fd1d9f95b52d15987dc1f2
SHA256 b671122a5d200f1bd726b902d2eaa9dfbeec7540bead01eed05e621a45db0aa2
SHA512 b72fa015515d0d5350c73889b32ea74a6aa99594277c59ae022ebc35dae0867fcce686a96e5ceae22d4e8ebcaa53d15958ee2ce729813255d460aa3d8d329e62

\Windows\system\rAsWdkJ.exe

MD5 970d7595b607acc4df01d939a6fa27a2
SHA1 2aea7687ae0c026bc53dc01fb29c40fc1bcd5409
SHA256 910c2e5e412e37788423355fe80df59b2f175e6e0f6c2d40ebf052ad656a97d7
SHA512 281a61f9ac4b6f6f45aeaf07cac16bc874ff8a5144b5415d91c07078eb669159b7f766e0ba374315de342ccb973ed83d2a84664e446ba71492977591493d5848

\Windows\system\nuUciwd.exe

MD5 c36d44dddfa03149fe1085a09084bdf9
SHA1 1a96afb7b532fd80d056d66a1c041d4d3e981453
SHA256 54a0d7177b8cdca4cbf5436060d589b7b3ee3a5ed6cb890ddb1c1d471bb01ac6
SHA512 4476d5c0d45475a4f9896774976d186a7bddbfdbc91aa8be2fc562536bab7afe2f620f22621c8b0d4538025bdaf78d4c5f645a3fdd1304dc5425a93039590785

\Windows\system\apvnSwb.exe

MD5 0d689616c7b3bac900380e636048dbae
SHA1 0bf0cce85713004f7903dd55f345749576ce4d9c
SHA256 aa3d9b07a3c248910f62c7a98f91c051850e7542318cef52b190f2887d71a5f5
SHA512 eead0e94d264cd028f211f4271a16ad9a8b6224130a9cca3eadde7a34c51aa55b2fa5519bf223a14a076c72ff7cfd7c4f3326d160c6ccecae6a8029dc1b3d454

\Windows\system\nLqcKJZ.exe

MD5 9036af00e2efb6f8bbab67e826f9a5a4
SHA1 0a8162fac365e4cbb0731939be995efee5afc41c
SHA256 8f6075c193c7b3904237c8c6e97c1ad46455518a8ffc925974c0695beb8a2853
SHA512 1739e9921e89cfc2068b4c488bae77a6882b1c04571ea330021c29a0656925184c16350bfd99a8f5ae4718bcf1686ec3798452e575ff53a6b09c6152fd84b43d

C:\Windows\system\BnFdVRx.exe

MD5 a37739597bea2489b37321984022375e
SHA1 9665eda95a0d914087650eb2b2c9b2ddfa81c608
SHA256 dec57f0bce78ca81b4e14370f19ae4b1147479300ebcd5773eebc1160b6c9592
SHA512 99cd3e6d6d7da653979481cc368ba27d407f4d4e0bec32c907010da2cc81c8c027ff53fd415cf5fc0d9cc149a77069fe2beaaedceb2c151d4426d8772367877e

\Windows\system\SUNDXIF.exe

MD5 555fbc6016baddc498d996d67bdefef0
SHA1 5dab086beab2f7c70e3c24043be17b29a9ce9a63
SHA256 caac5dabdf78c7fc27595f4b8c953bd1e3c9fbcd7833be57f2f9ca11136b3c89
SHA512 10ba4e0a31b6f0f98b2ec787e40d555aa88db48afb148ecdf82506688e45dd97281e27697af4276a98cfa2bf104001a26a43e15d31172519ae807ff7e7591366

\Windows\system\kzimpTo.exe

MD5 b7eeeb3b8ebd352d2693538f71b70f86
SHA1 7c30e9290ec3fd7430260e210352e4389e57a441
SHA256 aba7b4ead645b45de4880900349207521f7da56c9e91a818d4bd638405baaa2f
SHA512 c0bb55b121dc98914aff23d50eca51a1cdcececabf982d87ee8622da5451001d0b1b8b9d174d9119d6ea37b02307bfb1b5242b5ecc48c7bbf36641bbbb4c07da

\Windows\system\BOGbRfZ.exe

MD5 6dfa8a0973cf8f21ad24fd0bc7bec6ae
SHA1 b7aba4ff65407df812db559cfa401ec3ac824df6
SHA256 051a3abd76f1023ffeee8b0af7397846f872951d3ab9991a04a25ba424e52e87
SHA512 f6f848dea629f034aefe5266aa0c138c3962967b24460b37f80d394dedfda71da46f7e2524b5249ad55c783ccc8ed67211bf14ec76cc453218dcd742d3c2610c

C:\Windows\system\CnoFHNp.exe

MD5 e2497bdcf07d478a13a30061aed63f51
SHA1 677200aaf8263da09142a6c6a8dba141b9eff6f0
SHA256 2598a11136125e4f431ff12da3d22fb887e501220acb7e09c219f84339c90ce3
SHA512 04e80e04065e0668060c90ca022a6e18454983b8d8ae273fc58f2fea5ec5fd012843ea9c23b687720fe604ae825d1ac5097b1726982ef51bfd917e2b4ffbb636

C:\Windows\system\nKWRkTY.exe

MD5 257e5a38bbb79cd4d9fe3f34c96a7d96
SHA1 57a1182de965e6d590294bebd9a563df6d513e26
SHA256 821eb211c26692ec6765cf6a636b237a53e3f7dd08a627c763f03cf11d992d64
SHA512 f9a8911b03ec4007271eee86eaabded9083444f4a816c6c0e0dfd5cab5d68c2d01895dc3a74200cc6423ae2c0f3ee0d5c89c5a8c1ff9b0a08b1f0a8e6fb28733

\Windows\system\SUuEYAj.exe

MD5 09235b7d5e2d5524d8b37a8849914ea0
SHA1 f7e5f39a197ab089837d3eba1b46e196fc540a78
SHA256 7fd191f66d85edb824692e35355f5e17ff454a96d8342b3587555ddccb6d9ec1
SHA512 0b1538628b485ceb042519d845503b59fc02c62d8d8d466acf9a0ed1cfc046136b89e02ac6f5d3af5abe98d47bcad0581591a98ef38d70b3cb90fa3f9faedd55

\Windows\system\FLVaQZc.exe

MD5 409b05d7ba8fde49314318791b63e333
SHA1 ae4ff2b8d1cd9b3c7c383ed922cecf836c3ef48f
SHA256 a51c2436045caaf6577f282b681c4d8e8208af61c14ada2438d432590e7224ba
SHA512 62b93763be75c88edee36c4cd96238a66171dccc3df7915ee9b9195143daf1b5040531f27debc3f514c580a21ad97757602bdb3acca98e4bc746dc7fc66f355a

C:\Windows\system\DFVYQvY.exe

MD5 4876da39455f7939dda1147ce6ba2dad
SHA1 e575bab02c6d19a1c8acce26a2661ed19243c9bd
SHA256 87f9748f7fdd38bcdc68613ead2b83684431eaf2f5b3a53cca9ca04f5d89350d
SHA512 85227e9bb3a1db6526b9076903bcb13586244e1f621b51a46d7f93ac6c2aab683ae8fdd48db031cbdce69ad8386e04d730f225c8e474024bd559c3b396b0ab5b

C:\Windows\system\tSbMTAQ.exe

MD5 f1ffd1c96da67e79c4d94056a8a947c2
SHA1 c07f775c4f7bee2bddde83c8ce473aff6df94ead
SHA256 7dccb723fd22697449571bceed9588f5f9ed62ad6b66795d8c491bebd53e76f3
SHA512 f80689ee427c4dba76c6fdb71eaa11dd62e0d3f6822b42c140924bed947e8fe09a19f4465686c28b5e048fb42525b14a2be02ea082cea501f5fb320fecbaff66

C:\Windows\system\mWzleJq.exe

MD5 119fdbc426efbcdaeff6add7bf19ca8f
SHA1 b6ea8ac300e1a53a4b05e9ea1a74f24fc351228e
SHA256 0f795825f6125eef4418a84dec3a9be78d0f4889f9d53c1fac684a9b7a04a302
SHA512 763bcfeaad6aca0218c1f12b2af86fb86fb2547e5e64d57b3dcfa5ea039114256bbf76e133360cdb01d03efb1aa915f36acf4dcf60504c07380fe5fdcfda0d0e

C:\Windows\system\NiVgHNl.exe

MD5 6af730ef2db95367db94d1b7e99dfec3
SHA1 530e5534bc34afe4c01d4e96b2759da41e95cf3f
SHA256 ba1294d9889fcc6865edcf94f1a746aca0beab1c0b36ddc2d4a077d368b4d6a1
SHA512 f1cea73c3c3e759dace7b57a231fe802eb06b07a58f87c648862b97e5181903955ca52e381f22a8e3cd62fc2ce3b0fd174c90e0e9003a42dcf9f99d630d02b68
