Malware Analysis Report

2025-01-22 19:40

Sample ID 240601-dn4mtsfg61
Target 2024-06-01_4faf6212a719ac648309e9ba3c83a1b6_cobalt-strike_cobaltstrike
SHA256 cd34b8e00cb45d08dc75220bd1662e5d3ea507767e299be0e2a5f1372f13835a
Tags
cobaltstrike xmrig 0 backdoor miner trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

cd34b8e00cb45d08dc75220bd1662e5d3ea507767e299be0e2a5f1372f13835a

Threat Level: Known bad

The file 2024-06-01_4faf6212a719ac648309e9ba3c83a1b6_cobalt-strike_cobaltstrike was found to be: Known bad.

Malicious Activity Summary

cobaltstrike xmrig 0 backdoor miner trojan upx

xmrig

UPX dump on OEP (original entry point)

Detects Reflective DLL injection artifacts

Cobalt Strike reflective loader

Cobaltstrike

XMRig Miner payload

Cobaltstrike family

Xmrig family

Loads dropped DLL

UPX packed file

Executes dropped EXE

Drops file in Windows directory

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-01 03:10

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike family

cobaltstrike

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Xmrig family

xmrig

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-01 03:10

Reported

2024-06-01 03:12

Platform

win10v2004-20240426-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-01_4faf6212a719ac648309e9ba3c83a1b6_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
21 matches; description, indicator, process and target all N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
21 matches; description, indicator, process and target all N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
64 matches; description, indicator, process and target all N/A

XMRig Miner payload

miner
Description Indicator Process Target
64 matches; description, indicator, process and target all N/A

UPX packed file

upx
Description Indicator Process Target
64 matches; description, indicator, process and target all N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\gPvoOtE.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_4faf6212a719ac648309e9ba3c83a1b6_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\vvCbclK.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_4faf6212a719ac648309e9ba3c83a1b6_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\qRDWWeX.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_4faf6212a719ac648309e9ba3c83a1b6_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\NsatQWA.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_4faf6212a719ac648309e9ba3c83a1b6_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ceMJisU.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_4faf6212a719ac648309e9ba3c83a1b6_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\dRTJSFl.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_4faf6212a719ac648309e9ba3c83a1b6_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\OzMWeof.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_4faf6212a719ac648309e9ba3c83a1b6_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\BnjdsRe.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_4faf6212a719ac648309e9ba3c83a1b6_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\gEwOPZC.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_4faf6212a719ac648309e9ba3c83a1b6_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\tGcyBse.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_4faf6212a719ac648309e9ba3c83a1b6_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\hSozHdm.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_4faf6212a719ac648309e9ba3c83a1b6_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\pChntBH.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_4faf6212a719ac648309e9ba3c83a1b6_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\zLwjeqD.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_4faf6212a719ac648309e9ba3c83a1b6_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\PGOZoVV.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_4faf6212a719ac648309e9ba3c83a1b6_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\AlNImhh.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_4faf6212a719ac648309e9ba3c83a1b6_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\QRPxZAK.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_4faf6212a719ac648309e9ba3c83a1b6_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\OWtJYXw.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_4faf6212a719ac648309e9ba3c83a1b6_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\qZCBKrp.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_4faf6212a719ac648309e9ba3c83a1b6_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\WrqGOZO.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_4faf6212a719ac648309e9ba3c83a1b6_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\JCTchQi.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_4faf6212a719ac648309e9ba3c83a1b6_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\Prfefkt.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_4faf6212a719ac648309e9ba3c83a1b6_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_4faf6212a719ac648309e9ba3c83a1b6_cobalt-strike_cobaltstrike.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_4faf6212a719ac648309e9ba3c83a1b6_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 220 wrote to memory of 4408 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_4faf6212a719ac648309e9ba3c83a1b6_cobalt-strike_cobaltstrike.exe C:\Windows\System\BnjdsRe.exe
PID 220 wrote to memory of 4408 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_4faf6212a719ac648309e9ba3c83a1b6_cobalt-strike_cobaltstrike.exe C:\Windows\System\BnjdsRe.exe
PID 220 wrote to memory of 2028 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_4faf6212a719ac648309e9ba3c83a1b6_cobalt-strike_cobaltstrike.exe C:\Windows\System\AlNImhh.exe
PID 220 wrote to memory of 2028 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_4faf6212a719ac648309e9ba3c83a1b6_cobalt-strike_cobaltstrike.exe C:\Windows\System\AlNImhh.exe
PID 220 wrote to memory of 4228 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_4faf6212a719ac648309e9ba3c83a1b6_cobalt-strike_cobaltstrike.exe C:\Windows\System\gPvoOtE.exe
PID 220 wrote to memory of 4228 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_4faf6212a719ac648309e9ba3c83a1b6_cobalt-strike_cobaltstrike.exe C:\Windows\System\gPvoOtE.exe
PID 220 wrote to memory of 4124 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_4faf6212a719ac648309e9ba3c83a1b6_cobalt-strike_cobaltstrike.exe C:\Windows\System\gEwOPZC.exe
PID 220 wrote to memory of 4124 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_4faf6212a719ac648309e9ba3c83a1b6_cobalt-strike_cobaltstrike.exe C:\Windows\System\gEwOPZC.exe
PID 220 wrote to memory of 684 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_4faf6212a719ac648309e9ba3c83a1b6_cobalt-strike_cobaltstrike.exe C:\Windows\System\OWtJYXw.exe
PID 220 wrote to memory of 684 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_4faf6212a719ac648309e9ba3c83a1b6_cobalt-strike_cobaltstrike.exe C:\Windows\System\OWtJYXw.exe
PID 220 wrote to memory of 4788 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_4faf6212a719ac648309e9ba3c83a1b6_cobalt-strike_cobaltstrike.exe C:\Windows\System\vvCbclK.exe
PID 220 wrote to memory of 4788 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_4faf6212a719ac648309e9ba3c83a1b6_cobalt-strike_cobaltstrike.exe C:\Windows\System\vvCbclK.exe
PID 220 wrote to memory of 3904 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_4faf6212a719ac648309e9ba3c83a1b6_cobalt-strike_cobaltstrike.exe C:\Windows\System\Prfefkt.exe
PID 220 wrote to memory of 3904 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_4faf6212a719ac648309e9ba3c83a1b6_cobalt-strike_cobaltstrike.exe C:\Windows\System\Prfefkt.exe
PID 220 wrote to memory of 5068 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_4faf6212a719ac648309e9ba3c83a1b6_cobalt-strike_cobaltstrike.exe C:\Windows\System\qRDWWeX.exe
PID 220 wrote to memory of 5068 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_4faf6212a719ac648309e9ba3c83a1b6_cobalt-strike_cobaltstrike.exe C:\Windows\System\qRDWWeX.exe
PID 220 wrote to memory of 1044 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_4faf6212a719ac648309e9ba3c83a1b6_cobalt-strike_cobaltstrike.exe C:\Windows\System\tGcyBse.exe
PID 220 wrote to memory of 1044 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_4faf6212a719ac648309e9ba3c83a1b6_cobalt-strike_cobaltstrike.exe C:\Windows\System\tGcyBse.exe
PID 220 wrote to memory of 4624 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_4faf6212a719ac648309e9ba3c83a1b6_cobalt-strike_cobaltstrike.exe C:\Windows\System\hSozHdm.exe
PID 220 wrote to memory of 4624 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_4faf6212a719ac648309e9ba3c83a1b6_cobalt-strike_cobaltstrike.exe C:\Windows\System\hSozHdm.exe
PID 220 wrote to memory of 4108 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_4faf6212a719ac648309e9ba3c83a1b6_cobalt-strike_cobaltstrike.exe C:\Windows\System\qZCBKrp.exe
PID 220 wrote to memory of 4108 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_4faf6212a719ac648309e9ba3c83a1b6_cobalt-strike_cobaltstrike.exe C:\Windows\System\qZCBKrp.exe
PID 220 wrote to memory of 4060 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_4faf6212a719ac648309e9ba3c83a1b6_cobalt-strike_cobaltstrike.exe C:\Windows\System\NsatQWA.exe
PID 220 wrote to memory of 4060 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_4faf6212a719ac648309e9ba3c83a1b6_cobalt-strike_cobaltstrike.exe C:\Windows\System\NsatQWA.exe
PID 220 wrote to memory of 2924 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_4faf6212a719ac648309e9ba3c83a1b6_cobalt-strike_cobaltstrike.exe C:\Windows\System\ceMJisU.exe
PID 220 wrote to memory of 2924 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_4faf6212a719ac648309e9ba3c83a1b6_cobalt-strike_cobaltstrike.exe C:\Windows\System\ceMJisU.exe
PID 220 wrote to memory of 1632 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_4faf6212a719ac648309e9ba3c83a1b6_cobalt-strike_cobaltstrike.exe C:\Windows\System\QRPxZAK.exe
PID 220 wrote to memory of 1632 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_4faf6212a719ac648309e9ba3c83a1b6_cobalt-strike_cobaltstrike.exe C:\Windows\System\QRPxZAK.exe
PID 220 wrote to memory of 2984 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_4faf6212a719ac648309e9ba3c83a1b6_cobalt-strike_cobaltstrike.exe C:\Windows\System\dRTJSFl.exe
PID 220 wrote to memory of 2984 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_4faf6212a719ac648309e9ba3c83a1b6_cobalt-strike_cobaltstrike.exe C:\Windows\System\dRTJSFl.exe
PID 220 wrote to memory of 4656 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_4faf6212a719ac648309e9ba3c83a1b6_cobalt-strike_cobaltstrike.exe C:\Windows\System\pChntBH.exe
PID 220 wrote to memory of 4656 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_4faf6212a719ac648309e9ba3c83a1b6_cobalt-strike_cobaltstrike.exe C:\Windows\System\pChntBH.exe
PID 220 wrote to memory of 2500 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_4faf6212a719ac648309e9ba3c83a1b6_cobalt-strike_cobaltstrike.exe C:\Windows\System\WrqGOZO.exe
PID 220 wrote to memory of 2500 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_4faf6212a719ac648309e9ba3c83a1b6_cobalt-strike_cobaltstrike.exe C:\Windows\System\WrqGOZO.exe
PID 220 wrote to memory of 2008 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_4faf6212a719ac648309e9ba3c83a1b6_cobalt-strike_cobaltstrike.exe C:\Windows\System\JCTchQi.exe
PID 220 wrote to memory of 2008 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_4faf6212a719ac648309e9ba3c83a1b6_cobalt-strike_cobaltstrike.exe C:\Windows\System\JCTchQi.exe
PID 220 wrote to memory of 4644 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_4faf6212a719ac648309e9ba3c83a1b6_cobalt-strike_cobaltstrike.exe C:\Windows\System\zLwjeqD.exe
PID 220 wrote to memory of 4644 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_4faf6212a719ac648309e9ba3c83a1b6_cobalt-strike_cobaltstrike.exe C:\Windows\System\zLwjeqD.exe
PID 220 wrote to memory of 3504 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_4faf6212a719ac648309e9ba3c83a1b6_cobalt-strike_cobaltstrike.exe C:\Windows\System\PGOZoVV.exe
PID 220 wrote to memory of 3504 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_4faf6212a719ac648309e9ba3c83a1b6_cobalt-strike_cobaltstrike.exe C:\Windows\System\PGOZoVV.exe
PID 220 wrote to memory of 700 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_4faf6212a719ac648309e9ba3c83a1b6_cobalt-strike_cobaltstrike.exe C:\Windows\System\OzMWeof.exe
PID 220 wrote to memory of 700 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_4faf6212a719ac648309e9ba3c83a1b6_cobalt-strike_cobaltstrike.exe C:\Windows\System\OzMWeof.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-01_4faf6212a719ac648309e9ba3c83a1b6_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-01_4faf6212a719ac648309e9ba3c83a1b6_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\BnjdsRe.exe

C:\Windows\System\BnjdsRe.exe

C:\Windows\System\AlNImhh.exe

C:\Windows\System\AlNImhh.exe

C:\Windows\System\gPvoOtE.exe

C:\Windows\System\gPvoOtE.exe

C:\Windows\System\gEwOPZC.exe

C:\Windows\System\gEwOPZC.exe

C:\Windows\System\OWtJYXw.exe

C:\Windows\System\OWtJYXw.exe

C:\Windows\System\vvCbclK.exe

C:\Windows\System\vvCbclK.exe

C:\Windows\System\Prfefkt.exe

C:\Windows\System\Prfefkt.exe

C:\Windows\System\qRDWWeX.exe

C:\Windows\System\qRDWWeX.exe

C:\Windows\System\tGcyBse.exe

C:\Windows\System\tGcyBse.exe

C:\Windows\System\hSozHdm.exe

C:\Windows\System\hSozHdm.exe

C:\Windows\System\qZCBKrp.exe

C:\Windows\System\qZCBKrp.exe

C:\Windows\System\NsatQWA.exe

C:\Windows\System\NsatQWA.exe

C:\Windows\System\ceMJisU.exe

C:\Windows\System\ceMJisU.exe

C:\Windows\System\QRPxZAK.exe

C:\Windows\System\QRPxZAK.exe

C:\Windows\System\dRTJSFl.exe

C:\Windows\System\dRTJSFl.exe

C:\Windows\System\pChntBH.exe

C:\Windows\System\pChntBH.exe

C:\Windows\System\WrqGOZO.exe

C:\Windows\System\WrqGOZO.exe

C:\Windows\System\JCTchQi.exe

C:\Windows\System\JCTchQi.exe

C:\Windows\System\zLwjeqD.exe

C:\Windows\System\zLwjeqD.exe

C:\Windows\System\PGOZoVV.exe

C:\Windows\System\PGOZoVV.exe

C:\Windows\System\OzMWeof.exe

C:\Windows\System\OzMWeof.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp
DE 3.120.209.58:8080 N/A tcp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
DE 3.120.209.58:8080 N/A tcp
DE 3.120.209.58:8080 N/A tcp
US 8.8.8.8:53 91.90.14.23.in-addr.arpa udp
DE 3.120.209.58:8080 N/A tcp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
DE 3.120.209.58:8080 N/A tcp
DE 3.120.209.58:8080 N/A tcp
US 8.8.8.8:53 16.173.189.20.in-addr.arpa udp

Files

memory/220-0-0x00007FF6DF2C0000-0x00007FF6DF614000-memory.dmp

memory/220-1-0x000002D01D170000-0x000002D01D180000-memory.dmp

memory/4408-8-0x00007FF72D110000-0x00007FF72D464000-memory.dmp

C:\Windows\System\gPvoOtE.exe

MD5 7f9c01dc5b554e8c3fb580379a0f0632
SHA1 b65fd8fa9fa0105fa8585e7ae583ad877f211d19
SHA256 cf623629bfecc4346bd935b2f367bdc59cb923a53fe16a4d79dbb3f0d6a59931
SHA512 a210e4594ea56c8d4a6e67c17ef4a1af64459f3bb87b69c9adfd0b10aae5210158ea9447248227bdd4329ced257a5f00e69c851b28abfc97da7e8e7e4a83f537

memory/4228-18-0x00007FF62F910000-0x00007FF62FC64000-memory.dmp

memory/2028-14-0x00007FF729E80000-0x00007FF72A1D4000-memory.dmp

C:\Windows\System\AlNImhh.exe

MD5 65c23169b2b4ffc9902f118d80a8ff93
SHA1 d8bc2f0f09c031751b63af4ceb3162294ae54197
SHA256 1d78914277aa6969fe4398b3f103428024de871eb84673e9ac7743ac621097c5
SHA512 c78380b835eb4ecef4f6987883dffac42f013ad22b994fbcd55fe9128c84305eb74ad9379c05c23a996f7ff925321fd7bb18949af26ed2d5b28f5b90407dab11

C:\Windows\System\BnjdsRe.exe

MD5 fdc78aa1f5403a26053e959f6096a193
SHA1 ccbf42422a23cf4016c7a11163bd7283286f6d92
SHA256 71c22e3dd868d8f2c2b69b304d51c42d35a405da58b8835714ccd28a36b29643
SHA512 792ea9d367a650c125de92febc0fd5e2af4c12b705bf9acfd5281ff29240da5255fa6bdacfc422a183dc8c1318170acec87a70ce0b4b529593c538ddd701baf0

C:\Windows\System\gEwOPZC.exe

MD5 1a06892bd220daff48a94daed8c14b9c
SHA1 ce1736d7553679b54274243dfc0f036e3315e175
SHA256 a691be5fdfce684d57f5cc112fe1ea38f0a9ce4523d4c88df8abda28fd9d7f4b
SHA512 586ab168ccf1647abf69b2bd908899f55fe9cc6cb55540b53fb7c4aa53026075052e5f47e13964b04a6e009d137b27c0ca843a996b8401ceeb6ff29f3888f3b2

memory/4124-26-0x00007FF736A20000-0x00007FF736D74000-memory.dmp

C:\Windows\System\OWtJYXw.exe

MD5 886e94560734670d61c22bb889c763a3
SHA1 163f60c6c980570bb6ec04853192795205277d2a
SHA256 a24f8cfbbc4d7ac30a93dc2ed495dcd370938c4ce2315382c16f073577badf0f
SHA512 bedd646aadab24e996ce9832000b0c4f91186d1628005a1d488b5cb13d67251ce310a03ab3f59424a47a85726d97894e24aaf65c35124e122bcb5b03d04d0f97

memory/4788-38-0x00007FF6593D0000-0x00007FF659724000-memory.dmp

C:\Windows\System\vvCbclK.exe

MD5 28e8e9a266668989683c90d98c290695
SHA1 779001dba62c705ea96520409fc798b48dc0a753
SHA256 70f73d8fcb789278199cae53bd448bd68ff93bd319ab7257ce9219e0aa5fcc20
SHA512 d3d9fbfdab38084ba3b79478d64855ac5b2a22ca4b6e77496a32767247063a833d188879d464717538f1dddbedc0dd49ca742db7205e7230d971f451e13095df

C:\Windows\System\Prfefkt.exe

MD5 05f99cd8feb91768b1d53a968f17f17d
SHA1 916938d5eebb7c60beddd3be3c1fb30a3ff0ce53
SHA256 f58186c8173f4c70225be6245c24908b01ab591ba8130b40e6c7c3897b8d74a5
SHA512 49db844c3b917ca5edde0ba681c2b979e771118f8ba58218b43c88ccd2b9f4ee1c999600ca5172b78612e2a950d3e92a5f5361895a1e0f78001981a93d3f4189

C:\Windows\System\qRDWWeX.exe

MD5 0e030cf73bbe0fd792a321c2aa7212bc
SHA1 2c0813d5684913d0414774fd19a5ec18d5414d35
SHA256 47fb3fb340643257bb7c80570177d3ef94fb5504735629e47eb3fb2e913a6343
SHA512 1fa36202797a3f4bbe4205c23de3b6e9a3808d636b5a59ad07322cc9303b7633c3235bf5eeace95d19ac5f71da8de82bdda61f1d34f9a72ea7361e3d99d484a8

memory/5068-48-0x00007FF73C820000-0x00007FF73CB74000-memory.dmp

memory/3904-43-0x00007FF645FF0000-0x00007FF646344000-memory.dmp

memory/684-33-0x00007FF753B20000-0x00007FF753E74000-memory.dmp

memory/1044-57-0x00007FF748830000-0x00007FF748B84000-memory.dmp

C:\Windows\System\hSozHdm.exe

MD5 d8ad53448b733219c4ad2fb55e357a87
SHA1 fe716acfee84473de546ea4a558689add86b6491
SHA256 7ae2a7614da2edc7157f2ae8c7d07001950b5dc86de944a12301abf9fb8a48da
SHA512 f30ea7f8785721a056cff8cbec975a912c89ad640b5e4dfe38f8c107014bf56d68b4bcbece59af0e24f16b5b955c9f51cae9d34ce80cfa40f1184ad43639ec73

C:\Windows\System\tGcyBse.exe

MD5 540d05df016b0ee4f005638f029ad12b
SHA1 7c12246174748f6daa091376be92955a8213e490
SHA256 bc0ba02544910a4fb5c0b78395f350320a56412c7b5059c8afad0e6b8fcd18af
SHA512 cd7a21d33d478f7b40d2cd606e003857daa001caadd6dd494a6f054387e56b1ca00622e3799a30c6cc2f3ebbf79284aa166dcac4e8115a162ca7dc017982f8e4

C:\Windows\System\qZCBKrp.exe

MD5 ce0c16f9ec84d26511c6d2912396f228
SHA1 97e71346221071ee879aa86b30eb21af054fc593
SHA256 a8d5af4b0cd88d1fb3af423a86f16157ae15138d5822234b28fa6174a4b46424
SHA512 8d6cd1d4e70ae00cfd4e9c4b7275adfec4e0dc649cade97b6550ef3f9353915a361978886a141893e80d49c57c6b6ab4a20f187dcf66310fc69dee755960f496

memory/4108-70-0x00007FF788220000-0x00007FF788574000-memory.dmp

C:\Windows\System\NsatQWA.exe

MD5 2b260b2746db5c3ac9f10fd976599f8d
SHA1 703a0dc8ef80433b49c82da0ca7eae0ed6beb259
SHA256 ef3d56e6e9c36c90d25b76a9a540f1932f0df514fe573e082378eb23dcc6bdad
SHA512 9d98f7fc1da6bd9a63eb3c0dbab515e63d2e1080509cc4a53f2eb0cc4aa170e0fc807aee48bc0a917be4ea0d8aa5ff0d45b59a46d09d171ff22ae8935e40bddc

memory/4060-76-0x00007FF7E5ED0000-0x00007FF7E6224000-memory.dmp

memory/4408-67-0x00007FF72D110000-0x00007FF72D464000-memory.dmp

memory/4624-63-0x00007FF7DCED0000-0x00007FF7DD224000-memory.dmp

memory/220-61-0x00007FF6DF2C0000-0x00007FF6DF614000-memory.dmp

C:\Windows\System\QRPxZAK.exe

MD5 cb528f98a76bb462a9797f14fd2aaa81
SHA1 5462c4a94289be39bedb5befbb82b82f53b5ca10
SHA256 7a57aa679a048f1c5c15080f9ff62184bd9cc425242b03c22f978bc248c83cea
SHA512 e75697019dc755d85dc33de8963c52bc59f887fd68b24b1400bd93a50abbd9a65653e5c8527e28c32c6652d4438f65810c7f6fb7e76e256c011ae4235a8aaccb

C:\Windows\System\pChntBH.exe

MD5 0510bf5e4180f00b8beaf26c1ab9188f
SHA1 fc209056ed2b97317d5efe7003106fd44c3ef8c3
SHA256 c18735c08c1366f469fdebabc0c5867c63cc939149a1607137d4a0e44615c9f1
SHA512 5e3b29352477b82041375a422527d75cf385f7f3c44b49994d40b211846f0db3a1a90f1117a67fb47fe781a006e008aea054dd3f55caa6495d30c4ff4dd08c5c

memory/2008-111-0x00007FF6A0520000-0x00007FF6A0874000-memory.dmp

memory/4656-110-0x00007FF68AD80000-0x00007FF68B0D4000-memory.dmp

memory/4788-109-0x00007FF6593D0000-0x00007FF659724000-memory.dmp

memory/2500-108-0x00007FF715FE0000-0x00007FF716334000-memory.dmp

C:\Windows\System\JCTchQi.exe

MD5 63bd4735384cb1e318fffca82852449a
SHA1 03b387bb99c87aca117ec85f332d09eb0373034c
SHA256 62f34eb4b6e20ab1c8d8958838207d5156b863639026f9c9dc34ed1859a3649c
SHA512 7e55da18b501e7c404986d72ecf3880cb9885a6890bb98adf13e6499b0314c66e1c12e021bea16a6a3e57b44c68fed6eb4b44d25ee4e0c6a17e4116c95364f2e

memory/2984-102-0x00007FF7A6A60000-0x00007FF7A6DB4000-memory.dmp

memory/684-97-0x00007FF753B20000-0x00007FF753E74000-memory.dmp

C:\Windows\System\WrqGOZO.exe

MD5 59a41fec87d9705fd6c85c76f892dacb
SHA1 211a4f6fc89ac675ca49f65e2fdc71a54a272f3c
SHA256 0bd724d51e09bb59033cf89b9f926ebb06553b88c7b78dd726640482892288f3
SHA512 68b7b8db5b5ac5bbfca50b95247262adc574785b74415f05b028aa9aed5e0a00277af5b85d9cd1e8a65807f371fc6e33706fa689201a5f38976fe5430547f988

C:\Windows\System\dRTJSFl.exe

MD5 b522893dc31aa653a237e4c2db56f6cb
SHA1 57adda40a7c46f56dec15babff057c19d98ccd2a
SHA256 3ac2232f07db04d0cbb90ef15d19254111caaff72f4748c019cf59f98b457c2d
SHA512 f1bffe005aea86b0556abae0e73e8bab14246ed4ab5677dc2b814c3fb964aa862d9fc4440427c95d3b89926347c9d2a315f9def1d47a6731c5472f4343b87a85

memory/1632-91-0x00007FF618570000-0x00007FF6188C4000-memory.dmp

memory/2924-83-0x00007FF79C0C0000-0x00007FF79C414000-memory.dmp

memory/4228-82-0x00007FF62F910000-0x00007FF62FC64000-memory.dmp

C:\Windows\System\ceMJisU.exe

MD5 01a37e5a422dfec88ab7431e11bc2e2d
SHA1 27f0846ea2cc66b514834acef6ab8ed6c8b94436
SHA256 0f1361316deff8deab38d92bb3608536da8d104a479b97da5e333e65bee2c250
SHA512 f9dff287a49f7f24071c3a56d15bacd1d120084a692056a0e08cd4442dd6e7f89a8423a8907c7d9c26178855269b5c4a43edbc331661297c030540c39db2cffc

C:\Windows\System\PGOZoVV.exe

MD5 76f79506e4202d3fa4a9bb67c6bf9db2
SHA1 cced7cc66c03a45e924c1738e09e2c47b30fdcaf
SHA256 d62660ca4703e31e72a4f287152e81c66b4c4f92146143847bbd2899b774cc2b
SHA512 ff287cb514ff1f96752b9a618634bdee6d36004077636216465b9261b8186fb5622a0e6fcbc7f251bd058c1f5d7668063f306350e66f132cd120c7d3a1d9f658

C:\Windows\System\OzMWeof.exe

MD5 389c422864475e3bfbc81868556796fc
SHA1 d8e4ca52ff59c2900349bc380c20946ffe2b9cc1
SHA256 43db9693aaba4830216e0781b7f375fa2db5c5302cc58121fc582ed384228165
SHA512 c7a874d0182a4d0791097ce16761ca03bee0cbd2bce60c08ec5ddf6f70faeef84fb2a990945195ec52110ea8300c71a34f12f6d88a2f7390a7a184a04abbdbfb

memory/5068-129-0x00007FF73C820000-0x00007FF73CB74000-memory.dmp

memory/3904-119-0x00007FF645FF0000-0x00007FF646344000-memory.dmp

C:\Windows\System\zLwjeqD.exe

MD5 8483979184c04b7469fd3f088323bd93
SHA1 8c3d5de8c537935584bd359fb6544dd4738d988a
SHA256 70dc64d516f7d7d150e85b13264ebbd393fc0520bc5b8bf7d4aa589e4abf1a08
SHA512 07877f0ff5daa4315e6a9497d731e6ab1ed444211347eaa2c547ec4bad4946d68bb234d7d902f7f5650b38e954d602fb545ea308b0a1eb91f05183bb237b6cf4

memory/4644-122-0x00007FF64FB90000-0x00007FF64FEE4000-memory.dmp

memory/3504-133-0x00007FF774480000-0x00007FF7747D4000-memory.dmp

memory/1044-135-0x00007FF748830000-0x00007FF748B84000-memory.dmp

memory/700-134-0x00007FF7423D0000-0x00007FF742724000-memory.dmp

memory/4624-136-0x00007FF7DCED0000-0x00007FF7DD224000-memory.dmp

memory/4108-137-0x00007FF788220000-0x00007FF788574000-memory.dmp

memory/2500-138-0x00007FF715FE0000-0x00007FF716334000-memory.dmp

memory/2008-139-0x00007FF6A0520000-0x00007FF6A0874000-memory.dmp

memory/4644-140-0x00007FF64FB90000-0x00007FF64FEE4000-memory.dmp

memory/4408-141-0x00007FF72D110000-0x00007FF72D464000-memory.dmp

memory/2028-142-0x00007FF729E80000-0x00007FF72A1D4000-memory.dmp

memory/4228-143-0x00007FF62F910000-0x00007FF62FC64000-memory.dmp

memory/4124-144-0x00007FF736A20000-0x00007FF736D74000-memory.dmp

memory/4788-146-0x00007FF6593D0000-0x00007FF659724000-memory.dmp

memory/684-145-0x00007FF753B20000-0x00007FF753E74000-memory.dmp

memory/3904-147-0x00007FF645FF0000-0x00007FF646344000-memory.dmp

memory/5068-148-0x00007FF73C820000-0x00007FF73CB74000-memory.dmp

memory/1044-149-0x00007FF748830000-0x00007FF748B84000-memory.dmp

memory/4624-150-0x00007FF7DCED0000-0x00007FF7DD224000-memory.dmp

memory/4108-151-0x00007FF788220000-0x00007FF788574000-memory.dmp

memory/4060-152-0x00007FF7E5ED0000-0x00007FF7E6224000-memory.dmp

memory/2924-153-0x00007FF79C0C0000-0x00007FF79C414000-memory.dmp

memory/1632-154-0x00007FF618570000-0x00007FF6188C4000-memory.dmp

memory/2984-155-0x00007FF7A6A60000-0x00007FF7A6DB4000-memory.dmp

memory/4656-156-0x00007FF68AD80000-0x00007FF68B0D4000-memory.dmp

memory/2008-157-0x00007FF6A0520000-0x00007FF6A0874000-memory.dmp

memory/2500-158-0x00007FF715FE0000-0x00007FF716334000-memory.dmp

memory/4644-159-0x00007FF64FB90000-0x00007FF64FEE4000-memory.dmp

memory/3504-160-0x00007FF774480000-0x00007FF7747D4000-memory.dmp

memory/700-161-0x00007FF7423D0000-0x00007FF742724000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-01 03:10

Reported

2024-06-01 03:12

Platform

win7-20240221-en

Max time kernel

138s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-01_4faf6212a719ac648309e9ba3c83a1b6_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
21 matches; description, indicator, process and target all N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
21 matches; description, indicator, process and target all N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
55 matches; description, indicator, process and target all N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_4faf6212a719ac648309e9ba3c83a1b6_cobalt-strike_cobaltstrike.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\XKSaZUC.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_4faf6212a719ac648309e9ba3c83a1b6_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\LFWcPEu.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_4faf6212a719ac648309e9ba3c83a1b6_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\MGodZsc.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_4faf6212a719ac648309e9ba3c83a1b6_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\OdwWnYd.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_4faf6212a719ac648309e9ba3c83a1b6_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\teYnOEx.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_4faf6212a719ac648309e9ba3c83a1b6_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\NZeDknR.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_4faf6212a719ac648309e9ba3c83a1b6_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\nMKSTVw.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_4faf6212a719ac648309e9ba3c83a1b6_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\etqLXzB.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_4faf6212a719ac648309e9ba3c83a1b6_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\FqkXkDb.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_4faf6212a719ac648309e9ba3c83a1b6_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\yKHxaym.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_4faf6212a719ac648309e9ba3c83a1b6_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\qWkjVac.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_4faf6212a719ac648309e9ba3c83a1b6_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\VrXqyZJ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_4faf6212a719ac648309e9ba3c83a1b6_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\DGEzedP.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_4faf6212a719ac648309e9ba3c83a1b6_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\VWwxOea.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_4faf6212a719ac648309e9ba3c83a1b6_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\geBjeaM.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_4faf6212a719ac648309e9ba3c83a1b6_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\AWhvAZY.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_4faf6212a719ac648309e9ba3c83a1b6_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\gCUIkGk.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_4faf6212a719ac648309e9ba3c83a1b6_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\xYLJxjB.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_4faf6212a719ac648309e9ba3c83a1b6_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\GESEuxR.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_4faf6212a719ac648309e9ba3c83a1b6_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\yvwOCqB.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_4faf6212a719ac648309e9ba3c83a1b6_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\FOiCnDr.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_4faf6212a719ac648309e9ba3c83a1b6_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_4faf6212a719ac648309e9ba3c83a1b6_cobalt-strike_cobaltstrike.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_4faf6212a719ac648309e9ba3c83a1b6_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2080 wrote to memory of 2636 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_4faf6212a719ac648309e9ba3c83a1b6_cobalt-strike_cobaltstrike.exe C:\Windows\System\yKHxaym.exe
PID 2080 wrote to memory of 3064 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_4faf6212a719ac648309e9ba3c83a1b6_cobalt-strike_cobaltstrike.exe C:\Windows\System\gCUIkGk.exe
PID 2080 wrote to memory of 2580 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_4faf6212a719ac648309e9ba3c83a1b6_cobalt-strike_cobaltstrike.exe C:\Windows\System\xYLJxjB.exe
PID 2080 wrote to memory of 2736 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_4faf6212a719ac648309e9ba3c83a1b6_cobalt-strike_cobaltstrike.exe C:\Windows\System\GESEuxR.exe
PID 2080 wrote to memory of 2584 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_4faf6212a719ac648309e9ba3c83a1b6_cobalt-strike_cobaltstrike.exe C:\Windows\System\yvwOCqB.exe
PID 2080 wrote to memory of 2484 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_4faf6212a719ac648309e9ba3c83a1b6_cobalt-strike_cobaltstrike.exe C:\Windows\System\teYnOEx.exe
PID 2080 wrote to memory of 2844 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_4faf6212a719ac648309e9ba3c83a1b6_cobalt-strike_cobaltstrike.exe C:\Windows\System\FOiCnDr.exe
PID 2080 wrote to memory of 1624 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_4faf6212a719ac648309e9ba3c83a1b6_cobalt-strike_cobaltstrike.exe C:\Windows\System\XKSaZUC.exe
PID 2080 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_4faf6212a719ac648309e9ba3c83a1b6_cobalt-strike_cobaltstrike.exe C:\Windows\System\qWkjVac.exe
PID 2080 wrote to memory of 2524 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_4faf6212a719ac648309e9ba3c83a1b6_cobalt-strike_cobaltstrike.exe C:\Windows\System\VrXqyZJ.exe
PID 2080 wrote to memory of 3020 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_4faf6212a719ac648309e9ba3c83a1b6_cobalt-strike_cobaltstrike.exe C:\Windows\System\LFWcPEu.exe
PID 2080 wrote to memory of 2272 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_4faf6212a719ac648309e9ba3c83a1b6_cobalt-strike_cobaltstrike.exe C:\Windows\System\NZeDknR.exe
PID 2080 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_4faf6212a719ac648309e9ba3c83a1b6_cobalt-strike_cobaltstrike.exe C:\Windows\System\VWwxOea.exe
PID 2080 wrote to memory of 1532 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_4faf6212a719ac648309e9ba3c83a1b6_cobalt-strike_cobaltstrike.exe C:\Windows\System\nMKSTVw.exe
PID 2080 wrote to memory of 1620 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_4faf6212a719ac648309e9ba3c83a1b6_cobalt-strike_cobaltstrike.exe C:\Windows\System\etqLXzB.exe
PID 2080 wrote to memory of 1880 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_4faf6212a719ac648309e9ba3c83a1b6_cobalt-strike_cobaltstrike.exe C:\Windows\System\geBjeaM.exe
PID 2080 wrote to memory of 1124 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_4faf6212a719ac648309e9ba3c83a1b6_cobalt-strike_cobaltstrike.exe C:\Windows\System\FqkXkDb.exe
PID 2080 wrote to memory of 2512 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_4faf6212a719ac648309e9ba3c83a1b6_cobalt-strike_cobaltstrike.exe C:\Windows\System\MGodZsc.exe
PID 2080 wrote to memory of 1476 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_4faf6212a719ac648309e9ba3c83a1b6_cobalt-strike_cobaltstrike.exe C:\Windows\System\OdwWnYd.exe
PID 2080 wrote to memory of 2412 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_4faf6212a719ac648309e9ba3c83a1b6_cobalt-strike_cobaltstrike.exe C:\Windows\System\AWhvAZY.exe
PID 2080 wrote to memory of 1148 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_4faf6212a719ac648309e9ba3c83a1b6_cobalt-strike_cobaltstrike.exe C:\Windows\System\DGEzedP.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-01_4faf6212a719ac648309e9ba3c83a1b6_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-01_4faf6212a719ac648309e9ba3c83a1b6_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\yKHxaym.exe

C:\Windows\System\gCUIkGk.exe

C:\Windows\System\xYLJxjB.exe

C:\Windows\System\GESEuxR.exe

C:\Windows\System\yvwOCqB.exe

C:\Windows\System\teYnOEx.exe

C:\Windows\System\FOiCnDr.exe

C:\Windows\System\XKSaZUC.exe

C:\Windows\System\qWkjVac.exe

C:\Windows\System\VrXqyZJ.exe

C:\Windows\System\LFWcPEu.exe

C:\Windows\System\NZeDknR.exe

C:\Windows\System\VWwxOea.exe

C:\Windows\System\nMKSTVw.exe

C:\Windows\System\etqLXzB.exe

C:\Windows\System\geBjeaM.exe

C:\Windows\System\FqkXkDb.exe

C:\Windows\System\MGodZsc.exe

C:\Windows\System\OdwWnYd.exe

C:\Windows\System\AWhvAZY.exe

C:\Windows\System\DGEzedP.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 tcp

Files
