Malware Analysis Report

2025-01-22 19:40

Sample ID 240601-hzlzdaec78
Target 2024-06-01_171657f688380e181e93a1a8ad9057b6_cobalt-strike_cobaltstrike
SHA256 d66066b015540d58cd29c7a0fd45de79a910fa030ce2f5306db180aed421ecaf
Tags
cobaltstrike xmrig 0 backdoor miner trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

d66066b015540d58cd29c7a0fd45de79a910fa030ce2f5306db180aed421ecaf

Threat Level: Known bad

The file 2024-06-01_171657f688380e181e93a1a8ad9057b6_cobalt-strike_cobaltstrike was found to be: Known bad.

Malicious Activity Summary

cobaltstrike xmrig 0 backdoor miner trojan upx

Cobaltstrike family

XMRig Miner payload

UPX dump on OEP (original entry point)

xmrig

Detects Reflective DLL injection artifacts

Cobalt Strike reflective loader

Cobaltstrike

Xmrig family

UPX dump on OEP (original entry point)

XMRig Miner payload

Detects Reflective DLL injection artifacts

UPX packed file

Executes dropped EXE

Loads dropped DLL

Drops file in Windows directory

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-01 07:10

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike family

cobaltstrike

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Xmrig family

xmrig

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-01 07:10

Reported

2024-06-01 07:13

Platform

win10v2004-20240508-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-01_171657f688380e181e93a1a8ad9057b6_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

UPX dump on OEP (original entry point)

XMRig Miner payload

miner

UPX packed file

upx

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\VxHrIBq.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_171657f688380e181e93a1a8ad9057b6_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ruykizz.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_171657f688380e181e93a1a8ad9057b6_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\gPieZXo.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_171657f688380e181e93a1a8ad9057b6_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\IySehsC.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_171657f688380e181e93a1a8ad9057b6_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\kSPXtBD.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_171657f688380e181e93a1a8ad9057b6_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\AEfrqRg.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_171657f688380e181e93a1a8ad9057b6_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\eOPJhjW.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_171657f688380e181e93a1a8ad9057b6_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\iMdBUIB.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_171657f688380e181e93a1a8ad9057b6_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\PPuVgYE.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_171657f688380e181e93a1a8ad9057b6_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\sOcVNkP.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_171657f688380e181e93a1a8ad9057b6_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ZgIrgkq.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_171657f688380e181e93a1a8ad9057b6_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\NuzbXZs.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_171657f688380e181e93a1a8ad9057b6_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\zHdZObn.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_171657f688380e181e93a1a8ad9057b6_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\FBcCPxK.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_171657f688380e181e93a1a8ad9057b6_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\taDxAxQ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_171657f688380e181e93a1a8ad9057b6_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\GdxxlEs.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_171657f688380e181e93a1a8ad9057b6_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\xSksBod.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_171657f688380e181e93a1a8ad9057b6_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\qfrnDHo.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_171657f688380e181e93a1a8ad9057b6_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\IwMeUqM.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_171657f688380e181e93a1a8ad9057b6_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\BdoYMuH.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_171657f688380e181e93a1a8ad9057b6_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\CYpfQJD.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_171657f688380e181e93a1a8ad9057b6_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_171657f688380e181e93a1a8ad9057b6_cobalt-strike_cobaltstrike.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_171657f688380e181e93a1a8ad9057b6_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4188 wrote to memory of 3496 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_171657f688380e181e93a1a8ad9057b6_cobalt-strike_cobaltstrike.exe C:\Windows\System\NuzbXZs.exe
PID 4188 wrote to memory of 3496 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_171657f688380e181e93a1a8ad9057b6_cobalt-strike_cobaltstrike.exe C:\Windows\System\NuzbXZs.exe
PID 4188 wrote to memory of 704 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_171657f688380e181e93a1a8ad9057b6_cobalt-strike_cobaltstrike.exe C:\Windows\System\AEfrqRg.exe
PID 4188 wrote to memory of 704 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_171657f688380e181e93a1a8ad9057b6_cobalt-strike_cobaltstrike.exe C:\Windows\System\AEfrqRg.exe
PID 4188 wrote to memory of 1184 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_171657f688380e181e93a1a8ad9057b6_cobalt-strike_cobaltstrike.exe C:\Windows\System\eOPJhjW.exe
PID 4188 wrote to memory of 1184 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_171657f688380e181e93a1a8ad9057b6_cobalt-strike_cobaltstrike.exe C:\Windows\System\eOPJhjW.exe
PID 4188 wrote to memory of 1056 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_171657f688380e181e93a1a8ad9057b6_cobalt-strike_cobaltstrike.exe C:\Windows\System\iMdBUIB.exe
PID 4188 wrote to memory of 1056 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_171657f688380e181e93a1a8ad9057b6_cobalt-strike_cobaltstrike.exe C:\Windows\System\iMdBUIB.exe
PID 4188 wrote to memory of 1620 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_171657f688380e181e93a1a8ad9057b6_cobalt-strike_cobaltstrike.exe C:\Windows\System\qfrnDHo.exe
PID 4188 wrote to memory of 1620 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_171657f688380e181e93a1a8ad9057b6_cobalt-strike_cobaltstrike.exe C:\Windows\System\qfrnDHo.exe
PID 4188 wrote to memory of 3256 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_171657f688380e181e93a1a8ad9057b6_cobalt-strike_cobaltstrike.exe C:\Windows\System\PPuVgYE.exe
PID 4188 wrote to memory of 3256 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_171657f688380e181e93a1a8ad9057b6_cobalt-strike_cobaltstrike.exe C:\Windows\System\PPuVgYE.exe
PID 4188 wrote to memory of 4996 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_171657f688380e181e93a1a8ad9057b6_cobalt-strike_cobaltstrike.exe C:\Windows\System\gPieZXo.exe
PID 4188 wrote to memory of 4996 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_171657f688380e181e93a1a8ad9057b6_cobalt-strike_cobaltstrike.exe C:\Windows\System\gPieZXo.exe
PID 4188 wrote to memory of 872 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_171657f688380e181e93a1a8ad9057b6_cobalt-strike_cobaltstrike.exe C:\Windows\System\zHdZObn.exe
PID 4188 wrote to memory of 872 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_171657f688380e181e93a1a8ad9057b6_cobalt-strike_cobaltstrike.exe C:\Windows\System\zHdZObn.exe
PID 4188 wrote to memory of 3172 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_171657f688380e181e93a1a8ad9057b6_cobalt-strike_cobaltstrike.exe C:\Windows\System\FBcCPxK.exe
PID 4188 wrote to memory of 3172 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_171657f688380e181e93a1a8ad9057b6_cobalt-strike_cobaltstrike.exe C:\Windows\System\FBcCPxK.exe
PID 4188 wrote to memory of 1544 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_171657f688380e181e93a1a8ad9057b6_cobalt-strike_cobaltstrike.exe C:\Windows\System\taDxAxQ.exe
PID 4188 wrote to memory of 1544 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_171657f688380e181e93a1a8ad9057b6_cobalt-strike_cobaltstrike.exe C:\Windows\System\taDxAxQ.exe
PID 4188 wrote to memory of 3488 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_171657f688380e181e93a1a8ad9057b6_cobalt-strike_cobaltstrike.exe C:\Windows\System\IwMeUqM.exe
PID 4188 wrote to memory of 3488 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_171657f688380e181e93a1a8ad9057b6_cobalt-strike_cobaltstrike.exe C:\Windows\System\IwMeUqM.exe
PID 4188 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_171657f688380e181e93a1a8ad9057b6_cobalt-strike_cobaltstrike.exe C:\Windows\System\IySehsC.exe
PID 4188 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_171657f688380e181e93a1a8ad9057b6_cobalt-strike_cobaltstrike.exe C:\Windows\System\IySehsC.exe
PID 4188 wrote to memory of 1584 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_171657f688380e181e93a1a8ad9057b6_cobalt-strike_cobaltstrike.exe C:\Windows\System\BdoYMuH.exe
PID 4188 wrote to memory of 1584 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_171657f688380e181e93a1a8ad9057b6_cobalt-strike_cobaltstrike.exe C:\Windows\System\BdoYMuH.exe
PID 4188 wrote to memory of 4800 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_171657f688380e181e93a1a8ad9057b6_cobalt-strike_cobaltstrike.exe C:\Windows\System\VxHrIBq.exe
PID 4188 wrote to memory of 4800 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_171657f688380e181e93a1a8ad9057b6_cobalt-strike_cobaltstrike.exe C:\Windows\System\VxHrIBq.exe
PID 4188 wrote to memory of 1820 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_171657f688380e181e93a1a8ad9057b6_cobalt-strike_cobaltstrike.exe C:\Windows\System\sOcVNkP.exe
PID 4188 wrote to memory of 1820 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_171657f688380e181e93a1a8ad9057b6_cobalt-strike_cobaltstrike.exe C:\Windows\System\sOcVNkP.exe
PID 4188 wrote to memory of 1084 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_171657f688380e181e93a1a8ad9057b6_cobalt-strike_cobaltstrike.exe C:\Windows\System\CYpfQJD.exe
PID 4188 wrote to memory of 1084 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_171657f688380e181e93a1a8ad9057b6_cobalt-strike_cobaltstrike.exe C:\Windows\System\CYpfQJD.exe
PID 4188 wrote to memory of 2884 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_171657f688380e181e93a1a8ad9057b6_cobalt-strike_cobaltstrike.exe C:\Windows\System\GdxxlEs.exe
PID 4188 wrote to memory of 2884 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_171657f688380e181e93a1a8ad9057b6_cobalt-strike_cobaltstrike.exe C:\Windows\System\GdxxlEs.exe
PID 4188 wrote to memory of 4040 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_171657f688380e181e93a1a8ad9057b6_cobalt-strike_cobaltstrike.exe C:\Windows\System\xSksBod.exe
PID 4188 wrote to memory of 4040 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_171657f688380e181e93a1a8ad9057b6_cobalt-strike_cobaltstrike.exe C:\Windows\System\xSksBod.exe
PID 4188 wrote to memory of 884 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_171657f688380e181e93a1a8ad9057b6_cobalt-strike_cobaltstrike.exe C:\Windows\System\kSPXtBD.exe
PID 4188 wrote to memory of 884 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_171657f688380e181e93a1a8ad9057b6_cobalt-strike_cobaltstrike.exe C:\Windows\System\kSPXtBD.exe
PID 4188 wrote to memory of 4020 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_171657f688380e181e93a1a8ad9057b6_cobalt-strike_cobaltstrike.exe C:\Windows\System\ruykizz.exe
PID 4188 wrote to memory of 4020 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_171657f688380e181e93a1a8ad9057b6_cobalt-strike_cobaltstrike.exe C:\Windows\System\ruykizz.exe
PID 4188 wrote to memory of 5012 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_171657f688380e181e93a1a8ad9057b6_cobalt-strike_cobaltstrike.exe C:\Windows\System\ZgIrgkq.exe
PID 4188 wrote to memory of 5012 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_171657f688380e181e93a1a8ad9057b6_cobalt-strike_cobaltstrike.exe C:\Windows\System\ZgIrgkq.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-01_171657f688380e181e93a1a8ad9057b6_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-01_171657f688380e181e93a1a8ad9057b6_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\NuzbXZs.exe

C:\Windows\System\NuzbXZs.exe

C:\Windows\System\AEfrqRg.exe

C:\Windows\System\AEfrqRg.exe

C:\Windows\System\eOPJhjW.exe

C:\Windows\System\eOPJhjW.exe

C:\Windows\System\iMdBUIB.exe

C:\Windows\System\iMdBUIB.exe

C:\Windows\System\qfrnDHo.exe

C:\Windows\System\qfrnDHo.exe

C:\Windows\System\PPuVgYE.exe

C:\Windows\System\PPuVgYE.exe

C:\Windows\System\gPieZXo.exe

C:\Windows\System\gPieZXo.exe

C:\Windows\System\zHdZObn.exe

C:\Windows\System\zHdZObn.exe

C:\Windows\System\FBcCPxK.exe

C:\Windows\System\FBcCPxK.exe

C:\Windows\System\taDxAxQ.exe

C:\Windows\System\taDxAxQ.exe

C:\Windows\System\IwMeUqM.exe

C:\Windows\System\IwMeUqM.exe

C:\Windows\System\IySehsC.exe

C:\Windows\System\IySehsC.exe

C:\Windows\System\BdoYMuH.exe

C:\Windows\System\BdoYMuH.exe

C:\Windows\System\VxHrIBq.exe

C:\Windows\System\VxHrIBq.exe

C:\Windows\System\sOcVNkP.exe

C:\Windows\System\sOcVNkP.exe

C:\Windows\System\CYpfQJD.exe

C:\Windows\System\CYpfQJD.exe

C:\Windows\System\GdxxlEs.exe

C:\Windows\System\GdxxlEs.exe

C:\Windows\System\xSksBod.exe

C:\Windows\System\xSksBod.exe

C:\Windows\System\kSPXtBD.exe

C:\Windows\System\kSPXtBD.exe

C:\Windows\System\ruykizz.exe

C:\Windows\System\ruykizz.exe

C:\Windows\System\ZgIrgkq.exe

C:\Windows\System\ZgIrgkq.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 25.24.18.2.in-addr.arpa udp
US 8.8.8.8:53 67.31.126.40.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 16.24.18.2.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 175.117.168.52.in-addr.arpa udp

Files

memory/4188-0-0x00007FF686560000-0x00007FF6868B4000-memory.dmp

memory/4188-1-0x0000017DF88B0000-0x0000017DF88C0000-memory.dmp

C:\Windows\System\NuzbXZs.exe

MD5 6dee589603a188f849419a9cb305e68c
SHA1 7afbf7beb89afedee216419bd391d54bed00800d
SHA256 4fdfcc0914b18c783f54ac49c76f128810e2be591f0ea411f0fb871e29309d7c
SHA512 bea0bc7c3bca0a8ad1102d7a8a7d9712d675cc63a8e729ad96b4be8738efb58119ee21a93ab05bf18fa37d1c032391d94033bee7033b7a7c8442b307d575e69e

memory/3496-7-0x00007FF7BD2A0000-0x00007FF7BD5F4000-memory.dmp

C:\Windows\System\eOPJhjW.exe

MD5 a3ea85434f0ee7674207b97e76cf3775
SHA1 a1483aa83bbe7dbe7aec18fea4ecd611e2f772b0
SHA256 8bee33a6e061a8e9e5d3325e4f92479b1a032427e0c304df4c07ceeeedb032bc
SHA512 b99fa98a112a94831215269c37daffffb5abda14f80662f118cd1cb12385578c8d6420f95e61d1e109b66e129386eeea194c2952e63f9d95060ff3e0a0541b2a

memory/704-14-0x00007FF7B1CC0000-0x00007FF7B2014000-memory.dmp

C:\Windows\System\AEfrqRg.exe

MD5 dde70bd27b4d64e0148727fbe400e6ee
SHA1 0701e77083b354501d0780fde1364e2d10777b8e
SHA256 ce1c5390d99482d5982a98c632348658c08497596cba6d9c41d93c7269f6b258
SHA512 b40be983c573bc9c54a06dffb8835daacee74f58d031fa1819e6bead134725225f74155065953110e3a0a3232cf2cac54644f194ad3cd978ca19377b49d4d420

memory/1184-20-0x00007FF6AF9F0000-0x00007FF6AFD44000-memory.dmp

C:\Windows\System\iMdBUIB.exe

MD5 ac9aaf6b576717a5b4e7e91e33dff8c9
SHA1 0f6ba2f04fe93375c42a9714ce2f2d1c4efe34b5
SHA256 d69319ffd2de69c4ea5716870feab63bff692e8785fe78eab79907b16fa7027c
SHA512 15fc4865c63d046ad0886a2d9d866c9274e2d2477a907a0a16f2f75901d8d1b4940ae369b82af4973bc5afe81dae55097b32ce01d50d05dd37ab1311fe6556fa

memory/1056-28-0x00007FF73B090000-0x00007FF73B3E4000-memory.dmp

C:\Windows\System\qfrnDHo.exe

MD5 2796ead894ffbde5f3f4ad6f8989a530
SHA1 32057434b1804f7031dcd106ee549ed98869c1cb
SHA256 3a0473f05fed080b2ebfa260f6c0613a534f976d41d7620051b1334430eaa327
SHA512 6aff3b5512958260b46188761ee052f7caa459588ba70587f5ed14e941ca6be42c990cc944097c76a0937f2096c89d34d96a79bab1b5990746ade4e6c4de6051

C:\Windows\System\PPuVgYE.exe

MD5 21f47f9d1941000e2132f19a9d81f461
SHA1 637e9b30f624c612b89f3728591d569ff4961e7c
SHA256 42e51a7f828e384858edcaf90d381b26323efa8c040c736239434b93474555aa
SHA512 17703b74dffe876eac83b981eea77de3f2ab58ad9e37b34638f1b4917bbce77f60efc7a37fdf4117bae6392fb436252e33724cda405fcdd0cd3a02037ec1a913

memory/3256-36-0x00007FF62FB40000-0x00007FF62FE94000-memory.dmp

memory/1620-32-0x00007FF6630A0000-0x00007FF6633F4000-memory.dmp

C:\Windows\System\gPieZXo.exe

MD5 4b365f3502c7511a2a892147e216e0ea
SHA1 e3c9881ab2953522166a2b31ed1034f5bf674163
SHA256 7726ac1039bc40657045246554bfd81908dd9a6066eaa09e9e3cd02c5f4d89fd
SHA512 e8de649b0dfbdb9ac8a2fa62e0165c76c20f751e24adf363d7310702042f3fb17dde2fa6f303a60e329e30ed14edd2a71cee9296f854cfd7ea8ea08082e2435a

C:\Windows\System\zHdZObn.exe

MD5 13ebecd255bc678761024ac4a7a67e9c
SHA1 0bf1eca8d93d96d1fa326ce5df1baca68cddf32a
SHA256 673d9691ba54f495bd00ff56ce939128ed3d03c442709b72cef6d86c6d8ce655
SHA512 e1407e650ad2da05f5158ec02e9460ee896f0544079679eb38e2596b040e9c71a5dd120277c88fffbc8d1474ede53de4ebadd61e0928ad0db3c257e2d97e1dac

memory/4996-44-0x00007FF6A94D0000-0x00007FF6A9824000-memory.dmp

C:\Windows\System\FBcCPxK.exe

MD5 e8bcff000fb6d796fbdc7943b69cb8f2
SHA1 29bbfa52ba14aa874defeafc3cd722fcad93ed2a
SHA256 e276716287b86af80b2ca77baf44c87d19d4217a310466a59c466c47dbdc3fe2
SHA512 1b80c4c1bc9f22758939a78f12791d8dc6716e69efa6c35fcc286c32a8601f4bef53894df5a5df8181e824deb1db6c57a0e2056c0e01f3ed7d00666e765c9f0a

memory/3172-59-0x00007FF6ECC10000-0x00007FF6ECF64000-memory.dmp

C:\Windows\System\taDxAxQ.exe

MD5 3ce5fcb34801c8ce3dd83cb3566c9947
SHA1 cf06088f24b65d0861eecfd276c4112ac817f347
SHA256 1ebc3eb95f8299dec44cb531d4e0e0a0e1e189afb15324b5ffa61fd8a5eadaae
SHA512 efc2c0a34d7e9ca4707f555361f8bb8f595c9b759a31018758fbe86863047744d8774a17a9b81242b86644aa03b1f2811868c5f630e65e26747571dedda0d159

memory/1544-60-0x00007FF68B770000-0x00007FF68BAC4000-memory.dmp

memory/872-57-0x00007FF7F7DF0000-0x00007FF7F8144000-memory.dmp

C:\Windows\System\IwMeUqM.exe

MD5 778587e887020145f461a096772e161b
SHA1 b187da06c1949a44f41d300db4ffdeb364f0a55c
SHA256 8f2412e6da84a740674d4d118597b6d9e5a9ab69c7127f9f3e814e24f36ae37c
SHA512 786b4ab4e1a75525e7316907b9b3ba87ef1243130081a322209d481924b76472a3ae640f223da32edb889bf616f05f98d23f1566010ac4edc638e4a789c734c9

memory/3488-67-0x00007FF684DD0000-0x00007FF685124000-memory.dmp

C:\Windows\System\IySehsC.exe

MD5 efbc9dffac468d1bef42f49be97b6cd4
SHA1 16082337d6fb9eb22fdf647de8f0e2d17c63fb6d
SHA256 1bf4f05434bb3e52ff070f9aa8f0b93d049f50640069827c64c219d039d15afe
SHA512 01598f20f85769c512a0ba507774788ea9018ccb4787b03b8a66bac7af982945ecffa9bc41dec9a0ca84ec696b475548bab7a82d9a3b57088a56ca48fee43298

memory/4188-66-0x00007FF686560000-0x00007FF6868B4000-memory.dmp

memory/2712-77-0x00007FF7017D0000-0x00007FF701B24000-memory.dmp

C:\Windows\System\BdoYMuH.exe

MD5 d8d3f577bc07963afb5261a52c70baaf
SHA1 ea72cd2aaf3e48a23e6ab33efc1f4762473af0ed
SHA256 4a157eac5bbd9fc94a6c6272b255b8ff10728492cbb900b0f16ba81fde74cdac
SHA512 7a2e296ab69926d3eaa0cefbd9dc0de041553e29f5a71cf53ac3987d9ac92c83b2f4215e7a6f9875c74ea1e2d0b3c54ebd2e6557129048ac1aaa93852e84e10a

memory/3496-75-0x00007FF7BD2A0000-0x00007FF7BD5F4000-memory.dmp

C:\Windows\System\VxHrIBq.exe

MD5 f97d4bfb3f029b468a47ceb2195e01b6
SHA1 edd7e793360bdeea54042059fc394746ee270119
SHA256 ac9b17b328b2e4fb6c15ca4f92c01ed182c87d9110f51cc0a38b53f15e0fbec7
SHA512 833b70725159bc77d7e1fb7b2c0f7d39a473df2cf3992df43f64c1a757579516599a279c5b85baa146030f0c46f2df5b84d9cf6f0e6f07c7487a1e00e19a5506

memory/1584-82-0x00007FF644A50000-0x00007FF644DA4000-memory.dmp

C:\Windows\System\sOcVNkP.exe

MD5 d38110df71cce51fa4a018fe9089f5c5
SHA1 54df4a1e413ea5055af75a1d714e032ca2e0f978
SHA256 771cb7fd06a2d1776492da351b97a7838bbd79b2a4d9ec12064a879608afd64c
SHA512 e07f2e76e4cb1d54c65244693a54c9f4fc0d10f5ec725c1ec5edef314fcff656bb6b220f7abefb6b6a064d219cf7b8114236b094071741b67ec59339294ee011

memory/4800-86-0x00007FF7B2330000-0x00007FF7B2684000-memory.dmp

memory/1056-94-0x00007FF73B090000-0x00007FF73B3E4000-memory.dmp

memory/1820-95-0x00007FF6617C0000-0x00007FF661B14000-memory.dmp

C:\Windows\System\CYpfQJD.exe

MD5 b4dc529791113ca3a7f17dfd751b40db
SHA1 2bf4a48578e653244021a5bf9bec8ecb78e8e95f
SHA256 cc120951c755537b4253c5fcb93de2f6a23e738374576937c43b8b5b58f009b0
SHA512 052f0c3cd6b0ee9fed8eb356562139663ed68c3b42c9d67735b81a3609682727ee3d6cfd9072fe47a6c82489071f4fa76920056f9409b9a5fd993faf3742b646

memory/1084-101-0x00007FF70C400000-0x00007FF70C754000-memory.dmp

C:\Windows\System\GdxxlEs.exe

MD5 a06cb1100020704c34f3c095400dc258
SHA1 5daedc44b5621f0d910550714c50d05d91b473f1
SHA256 53526ca3627d74578a3710fe0f8c2192610db4d65680ea47c8298c7b9a8c5a2f
SHA512 f8c86f633d31273f32ae24bf103e360243c7edce0dcb37c8654c21a523fafc89ec6b0fb1288511675cdbf14218371e2055f9ddf826aec612352d9543f8b3201d

memory/2884-107-0x00007FF664B70000-0x00007FF664EC4000-memory.dmp

C:\Windows\System\xSksBod.exe

MD5 82e6fe5b47c0496173e447fe67b405a7
SHA1 2536c730fb2d0bb9a72d32adea12ba4d8ad0b0b2
SHA256 90c3bf30321e10018bcae916cca49d8dc4af2587ffaa919a5269ade22e6e23f0
SHA512 a88baf3731ebc859c10e36524bf1838820cf23091d85c13b85a84eb09c08f115def5f39f7ac0f270f42bd3545530295f102759f53d6ae247978d51238109434e

memory/3256-106-0x00007FF62FB40000-0x00007FF62FE94000-memory.dmp

memory/4040-114-0x00007FF7ADBC0000-0x00007FF7ADF14000-memory.dmp

C:\Windows\System\kSPXtBD.exe

MD5 f7b7c6ee3bc0ec0d86bfaf8e3c7adab1
SHA1 f8e229b3b55559d5cce337ec1ca46b8fa0ea5146
SHA256 7c8a67e9cd8cc55cce9dbd6888f70a5942d36a9e41acf78dae27d4f1387aa6be
SHA512 7d590dc10b27e3653c961bd81b83c4c2b8266ace0e4285d0350dc88976b096874e8cf06cc33eeb4f498c77c9b37958f90ad0fb41b81a3ceb81bbed25f3e477e7

C:\Windows\System\ruykizz.exe

MD5 da3298ca1e81916aef01ca9957376fee
SHA1 33413c577c444eb6433d73866872e3787920536c
SHA256 93cb7785987ecef822e2b3466b883970a5e3c0c57f31521281e9414298312eb4
SHA512 2e9a3a18cc075c82d356f04e589f6ec094359886ef00bef2a04d9a35db75d55e3a110d9d02fdefed6c1553fbf6790e775c3a20ea41a722ba3eee680e22042c22

memory/884-122-0x00007FF60C3D0000-0x00007FF60C724000-memory.dmp

memory/4020-127-0x00007FF64ED10000-0x00007FF64F064000-memory.dmp

memory/1544-125-0x00007FF68B770000-0x00007FF68BAC4000-memory.dmp

C:\Windows\System\ZgIrgkq.exe

MD5 db4cc54d40e951a2828b32883bab48f8
SHA1 0ee3098e142ab21e01f1f709ba5991330df48716
SHA256 f2ff4ce75c484f5b863c09e6a148ca63106c3d7f25029931e504118354ee0311
SHA512 72bc98624500dcfc4b2963625abdc10ee3ca83acabb6fc9e1a9e18db6fb3ac705c913ae4a595e7f555da1a49559514607d5a73f81065231b7cb9a69d17f15d77

memory/3488-132-0x00007FF684DD0000-0x00007FF685124000-memory.dmp

memory/5012-133-0x00007FF671B20000-0x00007FF671E74000-memory.dmp

memory/4800-134-0x00007FF7B2330000-0x00007FF7B2684000-memory.dmp

memory/2884-135-0x00007FF664B70000-0x00007FF664EC4000-memory.dmp

memory/884-136-0x00007FF60C3D0000-0x00007FF60C724000-memory.dmp

memory/4020-137-0x00007FF64ED10000-0x00007FF64F064000-memory.dmp

memory/3496-138-0x00007FF7BD2A0000-0x00007FF7BD5F4000-memory.dmp

memory/704-139-0x00007FF7B1CC0000-0x00007FF7B2014000-memory.dmp

memory/1184-140-0x00007FF6AF9F0000-0x00007FF6AFD44000-memory.dmp

memory/1056-141-0x00007FF73B090000-0x00007FF73B3E4000-memory.dmp

memory/1620-142-0x00007FF6630A0000-0x00007FF6633F4000-memory.dmp

memory/3256-143-0x00007FF62FB40000-0x00007FF62FE94000-memory.dmp

memory/4996-144-0x00007FF6A94D0000-0x00007FF6A9824000-memory.dmp

memory/872-145-0x00007FF7F7DF0000-0x00007FF7F8144000-memory.dmp

memory/3172-146-0x00007FF6ECC10000-0x00007FF6ECF64000-memory.dmp

memory/1544-147-0x00007FF68B770000-0x00007FF68BAC4000-memory.dmp

memory/3488-148-0x00007FF684DD0000-0x00007FF685124000-memory.dmp

memory/2712-149-0x00007FF7017D0000-0x00007FF701B24000-memory.dmp

memory/1584-150-0x00007FF644A50000-0x00007FF644DA4000-memory.dmp

memory/4800-151-0x00007FF7B2330000-0x00007FF7B2684000-memory.dmp

memory/1820-152-0x00007FF6617C0000-0x00007FF661B14000-memory.dmp

memory/1084-153-0x00007FF70C400000-0x00007FF70C754000-memory.dmp

memory/2884-154-0x00007FF664B70000-0x00007FF664EC4000-memory.dmp

memory/4040-155-0x00007FF7ADBC0000-0x00007FF7ADF14000-memory.dmp

memory/884-156-0x00007FF60C3D0000-0x00007FF60C724000-memory.dmp

memory/4020-157-0x00007FF64ED10000-0x00007FF64F064000-memory.dmp

memory/5012-158-0x00007FF671B20000-0x00007FF671E74000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-01 07:10

Reported

2024-06-01 07:13

Platform

win7-20240220-en

Max time kernel

137s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-01_171657f688380e181e93a1a8ad9057b6_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

UPX dump on OEP (original entry point)

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_171657f688380e181e93a1a8ad9057b6_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_171657f688380e181e93a1a8ad9057b6_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_171657f688380e181e93a1a8ad9057b6_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_171657f688380e181e93a1a8ad9057b6_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_171657f688380e181e93a1a8ad9057b6_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_171657f688380e181e93a1a8ad9057b6_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_171657f688380e181e93a1a8ad9057b6_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_171657f688380e181e93a1a8ad9057b6_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_171657f688380e181e93a1a8ad9057b6_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_171657f688380e181e93a1a8ad9057b6_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_171657f688380e181e93a1a8ad9057b6_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_171657f688380e181e93a1a8ad9057b6_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_171657f688380e181e93a1a8ad9057b6_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_171657f688380e181e93a1a8ad9057b6_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_171657f688380e181e93a1a8ad9057b6_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_171657f688380e181e93a1a8ad9057b6_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_171657f688380e181e93a1a8ad9057b6_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_171657f688380e181e93a1a8ad9057b6_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_171657f688380e181e93a1a8ad9057b6_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_171657f688380e181e93a1a8ad9057b6_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_171657f688380e181e93a1a8ad9057b6_cobalt-strike_cobaltstrike.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\NuzbXZs.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_171657f688380e181e93a1a8ad9057b6_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\AEfrqRg.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_171657f688380e181e93a1a8ad9057b6_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\FBcCPxK.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_171657f688380e181e93a1a8ad9057b6_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\GdxxlEs.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_171657f688380e181e93a1a8ad9057b6_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\kSPXtBD.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_171657f688380e181e93a1a8ad9057b6_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\CYpfQJD.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_171657f688380e181e93a1a8ad9057b6_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\xSksBod.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_171657f688380e181e93a1a8ad9057b6_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ruykizz.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_171657f688380e181e93a1a8ad9057b6_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\eOPJhjW.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_171657f688380e181e93a1a8ad9057b6_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\qfrnDHo.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_171657f688380e181e93a1a8ad9057b6_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\gPieZXo.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_171657f688380e181e93a1a8ad9057b6_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\taDxAxQ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_171657f688380e181e93a1a8ad9057b6_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\IwMeUqM.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_171657f688380e181e93a1a8ad9057b6_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\sOcVNkP.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_171657f688380e181e93a1a8ad9057b6_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\iMdBUIB.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_171657f688380e181e93a1a8ad9057b6_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\PPuVgYE.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_171657f688380e181e93a1a8ad9057b6_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\zHdZObn.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_171657f688380e181e93a1a8ad9057b6_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\IySehsC.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_171657f688380e181e93a1a8ad9057b6_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\VxHrIBq.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_171657f688380e181e93a1a8ad9057b6_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\BdoYMuH.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_171657f688380e181e93a1a8ad9057b6_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ZgIrgkq.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_171657f688380e181e93a1a8ad9057b6_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_171657f688380e181e93a1a8ad9057b6_cobalt-strike_cobaltstrike.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_171657f688380e181e93a1a8ad9057b6_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2204 wrote to memory of 3048 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_171657f688380e181e93a1a8ad9057b6_cobalt-strike_cobaltstrike.exe C:\Windows\System\NuzbXZs.exe
PID 2204 wrote to memory of 3048 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_171657f688380e181e93a1a8ad9057b6_cobalt-strike_cobaltstrike.exe C:\Windows\System\NuzbXZs.exe
PID 2204 wrote to memory of 3048 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_171657f688380e181e93a1a8ad9057b6_cobalt-strike_cobaltstrike.exe C:\Windows\System\NuzbXZs.exe
PID 2204 wrote to memory of 2524 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_171657f688380e181e93a1a8ad9057b6_cobalt-strike_cobaltstrike.exe C:\Windows\System\AEfrqRg.exe
PID 2204 wrote to memory of 2524 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_171657f688380e181e93a1a8ad9057b6_cobalt-strike_cobaltstrike.exe C:\Windows\System\AEfrqRg.exe
PID 2204 wrote to memory of 2524 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_171657f688380e181e93a1a8ad9057b6_cobalt-strike_cobaltstrike.exe C:\Windows\System\AEfrqRg.exe
PID 2204 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_171657f688380e181e93a1a8ad9057b6_cobalt-strike_cobaltstrike.exe C:\Windows\System\eOPJhjW.exe
PID 2204 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_171657f688380e181e93a1a8ad9057b6_cobalt-strike_cobaltstrike.exe C:\Windows\System\eOPJhjW.exe
PID 2204 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_171657f688380e181e93a1a8ad9057b6_cobalt-strike_cobaltstrike.exe C:\Windows\System\eOPJhjW.exe
PID 2204 wrote to memory of 2560 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_171657f688380e181e93a1a8ad9057b6_cobalt-strike_cobaltstrike.exe C:\Windows\System\iMdBUIB.exe
PID 2204 wrote to memory of 2560 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_171657f688380e181e93a1a8ad9057b6_cobalt-strike_cobaltstrike.exe C:\Windows\System\iMdBUIB.exe
PID 2204 wrote to memory of 2560 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_171657f688380e181e93a1a8ad9057b6_cobalt-strike_cobaltstrike.exe C:\Windows\System\iMdBUIB.exe
PID 2204 wrote to memory of 2688 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_171657f688380e181e93a1a8ad9057b6_cobalt-strike_cobaltstrike.exe C:\Windows\System\qfrnDHo.exe
PID 2204 wrote to memory of 2688 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_171657f688380e181e93a1a8ad9057b6_cobalt-strike_cobaltstrike.exe C:\Windows\System\qfrnDHo.exe
PID 2204 wrote to memory of 2688 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_171657f688380e181e93a1a8ad9057b6_cobalt-strike_cobaltstrike.exe C:\Windows\System\qfrnDHo.exe
PID 2204 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_171657f688380e181e93a1a8ad9057b6_cobalt-strike_cobaltstrike.exe C:\Windows\System\PPuVgYE.exe
PID 2204 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_171657f688380e181e93a1a8ad9057b6_cobalt-strike_cobaltstrike.exe C:\Windows\System\PPuVgYE.exe
PID 2204 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_171657f688380e181e93a1a8ad9057b6_cobalt-strike_cobaltstrike.exe C:\Windows\System\PPuVgYE.exe
PID 2204 wrote to memory of 2460 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_171657f688380e181e93a1a8ad9057b6_cobalt-strike_cobaltstrike.exe C:\Windows\System\gPieZXo.exe
PID 2204 wrote to memory of 2460 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_171657f688380e181e93a1a8ad9057b6_cobalt-strike_cobaltstrike.exe C:\Windows\System\gPieZXo.exe
PID 2204 wrote to memory of 2460 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_171657f688380e181e93a1a8ad9057b6_cobalt-strike_cobaltstrike.exe C:\Windows\System\gPieZXo.exe
PID 2204 wrote to memory of 2584 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_171657f688380e181e93a1a8ad9057b6_cobalt-strike_cobaltstrike.exe C:\Windows\System\zHdZObn.exe
PID 2204 wrote to memory of 2584 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_171657f688380e181e93a1a8ad9057b6_cobalt-strike_cobaltstrike.exe C:\Windows\System\zHdZObn.exe
PID 2204 wrote to memory of 2584 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_171657f688380e181e93a1a8ad9057b6_cobalt-strike_cobaltstrike.exe C:\Windows\System\zHdZObn.exe
PID 2204 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_171657f688380e181e93a1a8ad9057b6_cobalt-strike_cobaltstrike.exe C:\Windows\System\FBcCPxK.exe
PID 2204 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_171657f688380e181e93a1a8ad9057b6_cobalt-strike_cobaltstrike.exe C:\Windows\System\FBcCPxK.exe
PID 2204 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_171657f688380e181e93a1a8ad9057b6_cobalt-strike_cobaltstrike.exe C:\Windows\System\FBcCPxK.exe
PID 2204 wrote to memory of 1656 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_171657f688380e181e93a1a8ad9057b6_cobalt-strike_cobaltstrike.exe C:\Windows\System\taDxAxQ.exe
PID 2204 wrote to memory of 1656 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_171657f688380e181e93a1a8ad9057b6_cobalt-strike_cobaltstrike.exe C:\Windows\System\taDxAxQ.exe
PID 2204 wrote to memory of 1656 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_171657f688380e181e93a1a8ad9057b6_cobalt-strike_cobaltstrike.exe C:\Windows\System\taDxAxQ.exe
PID 2204 wrote to memory of 1196 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_171657f688380e181e93a1a8ad9057b6_cobalt-strike_cobaltstrike.exe C:\Windows\System\IwMeUqM.exe
PID 2204 wrote to memory of 1196 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_171657f688380e181e93a1a8ad9057b6_cobalt-strike_cobaltstrike.exe C:\Windows\System\IwMeUqM.exe
PID 2204 wrote to memory of 1196 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_171657f688380e181e93a1a8ad9057b6_cobalt-strike_cobaltstrike.exe C:\Windows\System\IwMeUqM.exe
PID 2204 wrote to memory of 1044 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_171657f688380e181e93a1a8ad9057b6_cobalt-strike_cobaltstrike.exe C:\Windows\System\IySehsC.exe
PID 2204 wrote to memory of 1044 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_171657f688380e181e93a1a8ad9057b6_cobalt-strike_cobaltstrike.exe C:\Windows\System\IySehsC.exe
PID 2204 wrote to memory of 1044 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_171657f688380e181e93a1a8ad9057b6_cobalt-strike_cobaltstrike.exe C:\Windows\System\IySehsC.exe
PID 2204 wrote to memory of 1632 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_171657f688380e181e93a1a8ad9057b6_cobalt-strike_cobaltstrike.exe C:\Windows\System\BdoYMuH.exe
PID 2204 wrote to memory of 1632 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_171657f688380e181e93a1a8ad9057b6_cobalt-strike_cobaltstrike.exe C:\Windows\System\BdoYMuH.exe
PID 2204 wrote to memory of 1632 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_171657f688380e181e93a1a8ad9057b6_cobalt-strike_cobaltstrike.exe C:\Windows\System\BdoYMuH.exe
PID 2204 wrote to memory of 1776 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_171657f688380e181e93a1a8ad9057b6_cobalt-strike_cobaltstrike.exe C:\Windows\System\VxHrIBq.exe
PID 2204 wrote to memory of 1776 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_171657f688380e181e93a1a8ad9057b6_cobalt-strike_cobaltstrike.exe C:\Windows\System\VxHrIBq.exe
PID 2204 wrote to memory of 1776 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_171657f688380e181e93a1a8ad9057b6_cobalt-strike_cobaltstrike.exe C:\Windows\System\VxHrIBq.exe
PID 2204 wrote to memory of 1232 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_171657f688380e181e93a1a8ad9057b6_cobalt-strike_cobaltstrike.exe C:\Windows\System\sOcVNkP.exe
PID 2204 wrote to memory of 1232 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_171657f688380e181e93a1a8ad9057b6_cobalt-strike_cobaltstrike.exe C:\Windows\System\sOcVNkP.exe
PID 2204 wrote to memory of 1232 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_171657f688380e181e93a1a8ad9057b6_cobalt-strike_cobaltstrike.exe C:\Windows\System\sOcVNkP.exe
PID 2204 wrote to memory of 2388 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_171657f688380e181e93a1a8ad9057b6_cobalt-strike_cobaltstrike.exe C:\Windows\System\CYpfQJD.exe
PID 2204 wrote to memory of 2388 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_171657f688380e181e93a1a8ad9057b6_cobalt-strike_cobaltstrike.exe C:\Windows\System\CYpfQJD.exe
PID 2204 wrote to memory of 2388 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_171657f688380e181e93a1a8ad9057b6_cobalt-strike_cobaltstrike.exe C:\Windows\System\CYpfQJD.exe
PID 2204 wrote to memory of 1512 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_171657f688380e181e93a1a8ad9057b6_cobalt-strike_cobaltstrike.exe C:\Windows\System\GdxxlEs.exe
PID 2204 wrote to memory of 1512 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_171657f688380e181e93a1a8ad9057b6_cobalt-strike_cobaltstrike.exe C:\Windows\System\GdxxlEs.exe
PID 2204 wrote to memory of 1512 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_171657f688380e181e93a1a8ad9057b6_cobalt-strike_cobaltstrike.exe C:\Windows\System\GdxxlEs.exe
PID 2204 wrote to memory of 1588 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_171657f688380e181e93a1a8ad9057b6_cobalt-strike_cobaltstrike.exe C:\Windows\System\xSksBod.exe
PID 2204 wrote to memory of 1588 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_171657f688380e181e93a1a8ad9057b6_cobalt-strike_cobaltstrike.exe C:\Windows\System\xSksBod.exe
PID 2204 wrote to memory of 1588 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_171657f688380e181e93a1a8ad9057b6_cobalt-strike_cobaltstrike.exe C:\Windows\System\xSksBod.exe
PID 2204 wrote to memory of 1756 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_171657f688380e181e93a1a8ad9057b6_cobalt-strike_cobaltstrike.exe C:\Windows\System\kSPXtBD.exe
PID 2204 wrote to memory of 1756 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_171657f688380e181e93a1a8ad9057b6_cobalt-strike_cobaltstrike.exe C:\Windows\System\kSPXtBD.exe
PID 2204 wrote to memory of 1756 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_171657f688380e181e93a1a8ad9057b6_cobalt-strike_cobaltstrike.exe C:\Windows\System\kSPXtBD.exe
PID 2204 wrote to memory of 2040 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_171657f688380e181e93a1a8ad9057b6_cobalt-strike_cobaltstrike.exe C:\Windows\System\ruykizz.exe
PID 2204 wrote to memory of 2040 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_171657f688380e181e93a1a8ad9057b6_cobalt-strike_cobaltstrike.exe C:\Windows\System\ruykizz.exe
PID 2204 wrote to memory of 2040 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_171657f688380e181e93a1a8ad9057b6_cobalt-strike_cobaltstrike.exe C:\Windows\System\ruykizz.exe
PID 2204 wrote to memory of 848 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_171657f688380e181e93a1a8ad9057b6_cobalt-strike_cobaltstrike.exe C:\Windows\System\ZgIrgkq.exe
PID 2204 wrote to memory of 848 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_171657f688380e181e93a1a8ad9057b6_cobalt-strike_cobaltstrike.exe C:\Windows\System\ZgIrgkq.exe
PID 2204 wrote to memory of 848 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_171657f688380e181e93a1a8ad9057b6_cobalt-strike_cobaltstrike.exe C:\Windows\System\ZgIrgkq.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-01_171657f688380e181e93a1a8ad9057b6_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-01_171657f688380e181e93a1a8ad9057b6_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\NuzbXZs.exe

C:\Windows\System\NuzbXZs.exe

C:\Windows\System\AEfrqRg.exe

C:\Windows\System\AEfrqRg.exe

C:\Windows\System\eOPJhjW.exe

C:\Windows\System\eOPJhjW.exe

C:\Windows\System\iMdBUIB.exe

C:\Windows\System\iMdBUIB.exe

C:\Windows\System\qfrnDHo.exe

C:\Windows\System\qfrnDHo.exe

C:\Windows\System\PPuVgYE.exe

C:\Windows\System\PPuVgYE.exe

C:\Windows\System\gPieZXo.exe

C:\Windows\System\gPieZXo.exe

C:\Windows\System\zHdZObn.exe

C:\Windows\System\zHdZObn.exe

C:\Windows\System\FBcCPxK.exe

C:\Windows\System\FBcCPxK.exe

C:\Windows\System\taDxAxQ.exe

C:\Windows\System\taDxAxQ.exe

C:\Windows\System\IwMeUqM.exe

C:\Windows\System\IwMeUqM.exe

C:\Windows\System\IySehsC.exe

C:\Windows\System\IySehsC.exe

C:\Windows\System\BdoYMuH.exe

C:\Windows\System\BdoYMuH.exe

C:\Windows\System\VxHrIBq.exe

C:\Windows\System\VxHrIBq.exe

C:\Windows\System\sOcVNkP.exe

C:\Windows\System\sOcVNkP.exe

C:\Windows\System\CYpfQJD.exe

C:\Windows\System\CYpfQJD.exe

C:\Windows\System\GdxxlEs.exe

C:\Windows\System\GdxxlEs.exe

C:\Windows\System\xSksBod.exe

C:\Windows\System\xSksBod.exe

C:\Windows\System\kSPXtBD.exe

C:\Windows\System\kSPXtBD.exe

C:\Windows\System\ruykizz.exe

C:\Windows\System\ruykizz.exe

C:\Windows\System\ZgIrgkq.exe

C:\Windows\System\ZgIrgkq.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 N/A tcp
DE 3.120.209.58:8080 N/A tcp
DE 3.120.209.58:8080 N/A tcp
DE 3.120.209.58:8080 N/A tcp
DE 3.120.209.58:8080 N/A tcp
DE 3.120.209.58:8080 N/A tcp

Files

memory/2204-0-0x000000013F960000-0x000000013FCB4000-memory.dmp

memory/2204-1-0x00000000000F0000-0x0000000000100000-memory.dmp

\Windows\system\NuzbXZs.exe

MD5 6dee589603a188f849419a9cb305e68c
SHA1 7afbf7beb89afedee216419bd391d54bed00800d
SHA256 4fdfcc0914b18c783f54ac49c76f128810e2be591f0ea411f0fb871e29309d7c
SHA512 bea0bc7c3bca0a8ad1102d7a8a7d9712d675cc63a8e729ad96b4be8738efb58119ee21a93ab05bf18fa37d1c032391d94033bee7033b7a7c8442b307d575e69e

memory/3048-9-0x000000013FB40000-0x000000013FE94000-memory.dmp

memory/2204-7-0x0000000002230000-0x0000000002584000-memory.dmp

\Windows\system\AEfrqRg.exe

MD5 dde70bd27b4d64e0148727fbe400e6ee
SHA1 0701e77083b354501d0780fde1364e2d10777b8e
SHA256 ce1c5390d99482d5982a98c632348658c08497596cba6d9c41d93c7269f6b258
SHA512 b40be983c573bc9c54a06dffb8835daacee74f58d031fa1819e6bead134725225f74155065953110e3a0a3232cf2cac54644f194ad3cd978ca19377b49d4d420

memory/2204-13-0x0000000002230000-0x0000000002584000-memory.dmp

memory/2524-15-0x000000013FBD0000-0x000000013FF24000-memory.dmp

memory/2204-20-0x000000013F270000-0x000000013F5C4000-memory.dmp

C:\Windows\system\eOPJhjW.exe

MD5 a3ea85434f0ee7674207b97e76cf3775
SHA1 a1483aa83bbe7dbe7aec18fea4ecd611e2f772b0
SHA256 8bee33a6e061a8e9e5d3325e4f92479b1a032427e0c304df4c07ceeeedb032bc
SHA512 b99fa98a112a94831215269c37daffffb5abda14f80662f118cd1cb12385578c8d6420f95e61d1e109b66e129386eeea194c2952e63f9d95060ff3e0a0541b2a

memory/2668-22-0x000000013F270000-0x000000013F5C4000-memory.dmp

C:\Windows\system\iMdBUIB.exe

MD5 ac9aaf6b576717a5b4e7e91e33dff8c9
SHA1 0f6ba2f04fe93375c42a9714ce2f2d1c4efe34b5
SHA256 d69319ffd2de69c4ea5716870feab63bff692e8785fe78eab79907b16fa7027c
SHA512 15fc4865c63d046ad0886a2d9d866c9274e2d2477a907a0a16f2f75901d8d1b4940ae369b82af4973bc5afe81dae55097b32ce01d50d05dd37ab1311fe6556fa

memory/2204-33-0x000000013FD30000-0x0000000140084000-memory.dmp

C:\Windows\system\qfrnDHo.exe

MD5 2796ead894ffbde5f3f4ad6f8989a530
SHA1 32057434b1804f7031dcd106ee549ed98869c1cb
SHA256 3a0473f05fed080b2ebfa260f6c0613a534f976d41d7620051b1334430eaa327
SHA512 6aff3b5512958260b46188761ee052f7caa459588ba70587f5ed14e941ca6be42c990cc944097c76a0937f2096c89d34d96a79bab1b5990746ade4e6c4de6051

memory/2688-39-0x000000013F8B0000-0x000000013FC04000-memory.dmp

memory/2204-43-0x000000013F390000-0x000000013F6E4000-memory.dmp

memory/2656-44-0x000000013F390000-0x000000013F6E4000-memory.dmp

memory/2204-41-0x0000000002230000-0x0000000002584000-memory.dmp

C:\Windows\system\PPuVgYE.exe

MD5 21f47f9d1941000e2132f19a9d81f461
SHA1 637e9b30f624c612b89f3728591d569ff4961e7c
SHA256 42e51a7f828e384858edcaf90d381b26323efa8c040c736239434b93474555aa
SHA512 17703b74dffe876eac83b981eea77de3f2ab58ad9e37b34638f1b4917bbce77f60efc7a37fdf4117bae6392fb436252e33724cda405fcdd0cd3a02037ec1a913

memory/2560-37-0x000000013FD30000-0x0000000140084000-memory.dmp

memory/2204-48-0x000000013F960000-0x000000013FCB4000-memory.dmp

\Windows\system\gPieZXo.exe

MD5 4b365f3502c7511a2a892147e216e0ea
SHA1 e3c9881ab2953522166a2b31ed1034f5bf674163
SHA256 7726ac1039bc40657045246554bfd81908dd9a6066eaa09e9e3cd02c5f4d89fd
SHA512 e8de649b0dfbdb9ac8a2fa62e0165c76c20f751e24adf363d7310702042f3fb17dde2fa6f303a60e329e30ed14edd2a71cee9296f854cfd7ea8ea08082e2435a

memory/2460-52-0x000000013F700000-0x000000013FA54000-memory.dmp

memory/3048-51-0x000000013FB40000-0x000000013FE94000-memory.dmp

\Windows\system\zHdZObn.exe

MD5 13ebecd255bc678761024ac4a7a67e9c
SHA1 0bf1eca8d93d96d1fa326ce5df1baca68cddf32a
SHA256 673d9691ba54f495bd00ff56ce939128ed3d03c442709b72cef6d86c6d8ce655
SHA512 e1407e650ad2da05f5158ec02e9460ee896f0544079679eb38e2596b040e9c71a5dd120277c88fffbc8d1474ede53de4ebadd61e0928ad0db3c257e2d97e1dac

memory/2584-59-0x000000013FF00000-0x0000000140254000-memory.dmp

memory/2204-56-0x000000013FF00000-0x0000000140254000-memory.dmp

memory/2524-65-0x000000013FBD0000-0x000000013FF24000-memory.dmp

C:\Windows\system\FBcCPxK.exe

MD5 e8bcff000fb6d796fbdc7943b69cb8f2
SHA1 29bbfa52ba14aa874defeafc3cd722fcad93ed2a
SHA256 e276716287b86af80b2ca77baf44c87d19d4217a310466a59c466c47dbdc3fe2
SHA512 1b80c4c1bc9f22758939a78f12791d8dc6716e69efa6c35fcc286c32a8601f4bef53894df5a5df8181e824deb1db6c57a0e2056c0e01f3ed7d00666e765c9f0a

memory/2832-67-0x000000013F5B0000-0x000000013F904000-memory.dmp

memory/2204-66-0x000000013F5B0000-0x000000013F904000-memory.dmp

memory/2204-73-0x000000013F410000-0x000000013F764000-memory.dmp

C:\Windows\system\taDxAxQ.exe

MD5 3ce5fcb34801c8ce3dd83cb3566c9947
SHA1 cf06088f24b65d0861eecfd276c4112ac817f347
SHA256 1ebc3eb95f8299dec44cb531d4e0e0a0e1e189afb15324b5ffa61fd8a5eadaae
SHA512 efc2c0a34d7e9ca4707f555361f8bb8f595c9b759a31018758fbe86863047744d8774a17a9b81242b86644aa03b1f2811868c5f630e65e26747571dedda0d159

memory/1656-74-0x000000013F410000-0x000000013F764000-memory.dmp

C:\Windows\system\IwMeUqM.exe

MD5 778587e887020145f461a096772e161b
SHA1 b187da06c1949a44f41d300db4ffdeb364f0a55c
SHA256 8f2412e6da84a740674d4d118597b6d9e5a9ab69c7127f9f3e814e24f36ae37c
SHA512 786b4ab4e1a75525e7316907b9b3ba87ef1243130081a322209d481924b76472a3ae640f223da32edb889bf616f05f98d23f1566010ac4edc638e4a789c734c9

memory/1196-81-0x000000013F240000-0x000000013F594000-memory.dmp

memory/2204-80-0x000000013F240000-0x000000013F594000-memory.dmp

C:\Windows\system\IySehsC.exe

MD5 efbc9dffac468d1bef42f49be97b6cd4
SHA1 16082337d6fb9eb22fdf647de8f0e2d17c63fb6d
SHA256 1bf4f05434bb3e52ff070f9aa8f0b93d049f50640069827c64c219d039d15afe
SHA512 01598f20f85769c512a0ba507774788ea9018ccb4787b03b8a66bac7af982945ecffa9bc41dec9a0ca84ec696b475548bab7a82d9a3b57088a56ca48fee43298

memory/1044-88-0x000000013F390000-0x000000013F6E4000-memory.dmp

memory/2204-87-0x000000013F390000-0x000000013F6E4000-memory.dmp

C:\Windows\system\BdoYMuH.exe

MD5 d8d3f577bc07963afb5261a52c70baaf
SHA1 ea72cd2aaf3e48a23e6ab33efc1f4762473af0ed
SHA256 4a157eac5bbd9fc94a6c6272b255b8ff10728492cbb900b0f16ba81fde74cdac
SHA512 7a2e296ab69926d3eaa0cefbd9dc0de041553e29f5a71cf53ac3987d9ac92c83b2f4215e7a6f9875c74ea1e2d0b3c54ebd2e6557129048ac1aaa93852e84e10a

memory/2204-97-0x0000000002230000-0x0000000002584000-memory.dmp

C:\Windows\system\CYpfQJD.exe

MD5 b4dc529791113ca3a7f17dfd751b40db
SHA1 2bf4a48578e653244021a5bf9bec8ecb78e8e95f
SHA256 cc120951c755537b4253c5fcb93de2f6a23e738374576937c43b8b5b58f009b0
SHA512 052f0c3cd6b0ee9fed8eb356562139663ed68c3b42c9d67735b81a3609682727ee3d6cfd9072fe47a6c82489071f4fa76920056f9409b9a5fd993faf3742b646

\Windows\system\ruykizz.exe

MD5 da3298ca1e81916aef01ca9957376fee
SHA1 33413c577c444eb6433d73866872e3787920536c
SHA256 93cb7785987ecef822e2b3466b883970a5e3c0c57f31521281e9414298312eb4
SHA512 2e9a3a18cc075c82d356f04e589f6ec094359886ef00bef2a04d9a35db75d55e3a110d9d02fdefed6c1553fbf6790e775c3a20ea41a722ba3eee680e22042c22

\Windows\system\ZgIrgkq.exe

MD5 db4cc54d40e951a2828b32883bab48f8
SHA1 0ee3098e142ab21e01f1f709ba5991330df48716
SHA256 f2ff4ce75c484f5b863c09e6a148ca63106c3d7f25029931e504118354ee0311
SHA512 72bc98624500dcfc4b2963625abdc10ee3ca83acabb6fc9e1a9e18db6fb3ac705c913ae4a595e7f555da1a49559514607d5a73f81065231b7cb9a69d17f15d77

C:\Windows\system\kSPXtBD.exe

MD5 f7b7c6ee3bc0ec0d86bfaf8e3c7adab1
SHA1 f8e229b3b55559d5cce337ec1ca46b8fa0ea5146
SHA256 7c8a67e9cd8cc55cce9dbd6888f70a5942d36a9e41acf78dae27d4f1387aa6be
SHA512 7d590dc10b27e3653c961bd81b83c4c2b8266ace0e4285d0350dc88976b096874e8cf06cc33eeb4f498c77c9b37958f90ad0fb41b81a3ceb81bbed25f3e477e7

C:\Windows\system\xSksBod.exe

MD5 82e6fe5b47c0496173e447fe67b405a7
SHA1 2536c730fb2d0bb9a72d32adea12ba4d8ad0b0b2
SHA256 90c3bf30321e10018bcae916cca49d8dc4af2587ffaa919a5269ade22e6e23f0
SHA512 a88baf3731ebc859c10e36524bf1838820cf23091d85c13b85a84eb09c08f115def5f39f7ac0f270f42bd3545530295f102759f53d6ae247978d51238109434e

C:\Windows\system\GdxxlEs.exe

MD5 a06cb1100020704c34f3c095400dc258
SHA1 5daedc44b5621f0d910550714c50d05d91b473f1
SHA256 53526ca3627d74578a3710fe0f8c2192610db4d65680ea47c8298c7b9a8c5a2f
SHA512 f8c86f633d31273f32ae24bf103e360243c7edce0dcb37c8654c21a523fafc89ec6b0fb1288511675cdbf14218371e2055f9ddf826aec612352d9543f8b3201d

C:\Windows\system\sOcVNkP.exe

MD5 d38110df71cce51fa4a018fe9089f5c5
SHA1 54df4a1e413ea5055af75a1d714e032ca2e0f978
SHA256 771cb7fd06a2d1776492da351b97a7838bbd79b2a4d9ec12064a879608afd64c
SHA512 e07f2e76e4cb1d54c65244693a54c9f4fc0d10f5ec725c1ec5edef314fcff656bb6b220f7abefb6b6a064d219cf7b8114236b094071741b67ec59339294ee011

memory/2204-106-0x000000013F4C0000-0x000000013F814000-memory.dmp

memory/2204-105-0x000000013F280000-0x000000013F5D4000-memory.dmp

memory/1776-103-0x000000013F280000-0x000000013F5D4000-memory.dmp

memory/1632-100-0x000000013F940000-0x000000013FC94000-memory.dmp

C:\Windows\system\VxHrIBq.exe

MD5 f97d4bfb3f029b468a47ceb2195e01b6
SHA1 edd7e793360bdeea54042059fc394746ee270119
SHA256 ac9b17b328b2e4fb6c15ca4f92c01ed182c87d9110f51cc0a38b53f15e0fbec7
SHA512 833b70725159bc77d7e1fb7b2c0f7d39a473df2cf3992df43f64c1a757579516599a279c5b85baa146030f0c46f2df5b84d9cf6f0e6f07c7487a1e00e19a5506

memory/2204-138-0x000000013FF00000-0x0000000140254000-memory.dmp

memory/2204-139-0x000000013F5B0000-0x000000013F904000-memory.dmp

memory/2204-140-0x000000013F240000-0x000000013F594000-memory.dmp

memory/2204-141-0x000000013F390000-0x000000013F6E4000-memory.dmp

memory/2204-142-0x0000000002230000-0x0000000002584000-memory.dmp

memory/1776-143-0x000000013F280000-0x000000013F5D4000-memory.dmp

memory/2204-144-0x000000013F280000-0x000000013F5D4000-memory.dmp

memory/3048-145-0x000000013FB40000-0x000000013FE94000-memory.dmp

memory/2668-146-0x000000013F270000-0x000000013F5C4000-memory.dmp

memory/2524-147-0x000000013FBD0000-0x000000013FF24000-memory.dmp

memory/2560-148-0x000000013FD30000-0x0000000140084000-memory.dmp

memory/2688-149-0x000000013F8B0000-0x000000013FC04000-memory.dmp

memory/2656-150-0x000000013F390000-0x000000013F6E4000-memory.dmp

memory/2460-151-0x000000013F700000-0x000000013FA54000-memory.dmp

memory/2584-152-0x000000013FF00000-0x0000000140254000-memory.dmp

memory/2832-153-0x000000013F5B0000-0x000000013F904000-memory.dmp

memory/1656-154-0x000000013F410000-0x000000013F764000-memory.dmp

memory/1196-155-0x000000013F240000-0x000000013F594000-memory.dmp

memory/1044-156-0x000000013F390000-0x000000013F6E4000-memory.dmp

memory/1632-157-0x000000013F940000-0x000000013FC94000-memory.dmp

memory/1776-158-0x000000013F280000-0x000000013F5D4000-memory.dmp