Malware Analysis Report

2025-01-22 19:42

Sample ID 240601-na1zwsbf94
Target 2024-06-01_5964ee1eb702629e2f24449fe68dd44e_cobalt-strike_cobaltstrike
SHA256 3f25f73a4c48f9825d762994fe8ecd3f4c803830a3cfbde063f3cbbef39a866f
Tags
cobaltstrike xmrig 0 backdoor miner trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

3f25f73a4c48f9825d762994fe8ecd3f4c803830a3cfbde063f3cbbef39a866f

Threat Level: Known bad

The file 2024-06-01_5964ee1eb702629e2f24449fe68dd44e_cobalt-strike_cobaltstrike was found to be: Known bad.

Malicious Activity Summary

cobaltstrike xmrig 0 backdoor miner trojan upx

xmrig

UPX dump on OEP (original entry point)

Cobalt Strike reflective loader

Xmrig family

Detects Reflective DLL injection artifacts

XMRig Miner payload

Cobaltstrike family

Cobaltstrike

UPX dump on OEP (original entry point)

Detects Reflective DLL injection artifacts

XMRig Miner payload

Loads dropped DLL

Executes dropped EXE

UPX packed file

Drops file in Windows directory

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-01 11:12

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike family

cobaltstrike

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Xmrig family

xmrig

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-01 11:12

Reported

2024-06-01 11:15

Platform

win10v2004-20240426-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-01_5964ee1eb702629e2f24449fe68dd44e_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
21 matches, all fields N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
21 matches, all fields N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
64 matches, all fields N/A

XMRig Miner payload

miner
Description Indicator Process Target
64 matches, all fields N/A

UPX packed file

upx
Description Indicator Process Target
64 matches, all fields N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\JZKgtPQ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_5964ee1eb702629e2f24449fe68dd44e_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\uxyLhAy.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_5964ee1eb702629e2f24449fe68dd44e_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\sdpYFct.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_5964ee1eb702629e2f24449fe68dd44e_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\fkDNByv.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_5964ee1eb702629e2f24449fe68dd44e_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\gXKslNa.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_5964ee1eb702629e2f24449fe68dd44e_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\FXZCOSx.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_5964ee1eb702629e2f24449fe68dd44e_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\khexOof.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_5964ee1eb702629e2f24449fe68dd44e_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\YtQSPkB.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_5964ee1eb702629e2f24449fe68dd44e_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\eIkmxjq.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_5964ee1eb702629e2f24449fe68dd44e_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\KHEDNGB.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_5964ee1eb702629e2f24449fe68dd44e_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\PXVwgMI.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_5964ee1eb702629e2f24449fe68dd44e_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\XgfxncT.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_5964ee1eb702629e2f24449fe68dd44e_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\UcynNQz.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_5964ee1eb702629e2f24449fe68dd44e_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\qYMAPAK.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_5964ee1eb702629e2f24449fe68dd44e_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\xgeBjpr.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_5964ee1eb702629e2f24449fe68dd44e_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\IgoyBHj.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_5964ee1eb702629e2f24449fe68dd44e_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\CoUyJVx.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_5964ee1eb702629e2f24449fe68dd44e_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\Znmjsve.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_5964ee1eb702629e2f24449fe68dd44e_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\xpxltbS.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_5964ee1eb702629e2f24449fe68dd44e_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\TBAFYFj.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_5964ee1eb702629e2f24449fe68dd44e_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\gssVMJC.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_5964ee1eb702629e2f24449fe68dd44e_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5964ee1eb702629e2f24449fe68dd44e_cobalt-strike_cobaltstrike.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5964ee1eb702629e2f24449fe68dd44e_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2860 wrote to memory of 1724 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5964ee1eb702629e2f24449fe68dd44e_cobalt-strike_cobaltstrike.exe C:\Windows\System\eIkmxjq.exe
PID 2860 wrote to memory of 1724 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5964ee1eb702629e2f24449fe68dd44e_cobalt-strike_cobaltstrike.exe C:\Windows\System\eIkmxjq.exe
PID 2860 wrote to memory of 4428 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5964ee1eb702629e2f24449fe68dd44e_cobalt-strike_cobaltstrike.exe C:\Windows\System\KHEDNGB.exe
PID 2860 wrote to memory of 4428 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5964ee1eb702629e2f24449fe68dd44e_cobalt-strike_cobaltstrike.exe C:\Windows\System\KHEDNGB.exe
PID 2860 wrote to memory of 4060 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5964ee1eb702629e2f24449fe68dd44e_cobalt-strike_cobaltstrike.exe C:\Windows\System\gXKslNa.exe
PID 2860 wrote to memory of 4060 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5964ee1eb702629e2f24449fe68dd44e_cobalt-strike_cobaltstrike.exe C:\Windows\System\gXKslNa.exe
PID 2860 wrote to memory of 1468 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5964ee1eb702629e2f24449fe68dd44e_cobalt-strike_cobaltstrike.exe C:\Windows\System\FXZCOSx.exe
PID 2860 wrote to memory of 1468 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5964ee1eb702629e2f24449fe68dd44e_cobalt-strike_cobaltstrike.exe C:\Windows\System\FXZCOSx.exe
PID 2860 wrote to memory of 3828 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5964ee1eb702629e2f24449fe68dd44e_cobalt-strike_cobaltstrike.exe C:\Windows\System\khexOof.exe
PID 2860 wrote to memory of 3828 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5964ee1eb702629e2f24449fe68dd44e_cobalt-strike_cobaltstrike.exe C:\Windows\System\khexOof.exe
PID 2860 wrote to memory of 2920 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5964ee1eb702629e2f24449fe68dd44e_cobalt-strike_cobaltstrike.exe C:\Windows\System\xgeBjpr.exe
PID 2860 wrote to memory of 2920 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5964ee1eb702629e2f24449fe68dd44e_cobalt-strike_cobaltstrike.exe C:\Windows\System\xgeBjpr.exe
PID 2860 wrote to memory of 3056 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5964ee1eb702629e2f24449fe68dd44e_cobalt-strike_cobaltstrike.exe C:\Windows\System\IgoyBHj.exe
PID 2860 wrote to memory of 3056 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5964ee1eb702629e2f24449fe68dd44e_cobalt-strike_cobaltstrike.exe C:\Windows\System\IgoyBHj.exe
PID 2860 wrote to memory of 3952 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5964ee1eb702629e2f24449fe68dd44e_cobalt-strike_cobaltstrike.exe C:\Windows\System\YtQSPkB.exe
PID 2860 wrote to memory of 3952 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5964ee1eb702629e2f24449fe68dd44e_cobalt-strike_cobaltstrike.exe C:\Windows\System\YtQSPkB.exe
PID 2860 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5964ee1eb702629e2f24449fe68dd44e_cobalt-strike_cobaltstrike.exe C:\Windows\System\CoUyJVx.exe
PID 2860 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5964ee1eb702629e2f24449fe68dd44e_cobalt-strike_cobaltstrike.exe C:\Windows\System\CoUyJVx.exe
PID 2860 wrote to memory of 2168 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5964ee1eb702629e2f24449fe68dd44e_cobalt-strike_cobaltstrike.exe C:\Windows\System\JZKgtPQ.exe
PID 2860 wrote to memory of 2168 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5964ee1eb702629e2f24449fe68dd44e_cobalt-strike_cobaltstrike.exe C:\Windows\System\JZKgtPQ.exe
PID 2860 wrote to memory of 3624 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5964ee1eb702629e2f24449fe68dd44e_cobalt-strike_cobaltstrike.exe C:\Windows\System\uxyLhAy.exe
PID 2860 wrote to memory of 3624 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5964ee1eb702629e2f24449fe68dd44e_cobalt-strike_cobaltstrike.exe C:\Windows\System\uxyLhAy.exe
PID 2860 wrote to memory of 2360 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5964ee1eb702629e2f24449fe68dd44e_cobalt-strike_cobaltstrike.exe C:\Windows\System\Znmjsve.exe
PID 2860 wrote to memory of 2360 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5964ee1eb702629e2f24449fe68dd44e_cobalt-strike_cobaltstrike.exe C:\Windows\System\Znmjsve.exe
PID 2860 wrote to memory of 4704 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5964ee1eb702629e2f24449fe68dd44e_cobalt-strike_cobaltstrike.exe C:\Windows\System\PXVwgMI.exe
PID 2860 wrote to memory of 4704 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5964ee1eb702629e2f24449fe68dd44e_cobalt-strike_cobaltstrike.exe C:\Windows\System\PXVwgMI.exe
PID 2860 wrote to memory of 4832 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5964ee1eb702629e2f24449fe68dd44e_cobalt-strike_cobaltstrike.exe C:\Windows\System\xpxltbS.exe
PID 2860 wrote to memory of 4832 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5964ee1eb702629e2f24449fe68dd44e_cobalt-strike_cobaltstrike.exe C:\Windows\System\xpxltbS.exe
PID 2860 wrote to memory of 1512 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5964ee1eb702629e2f24449fe68dd44e_cobalt-strike_cobaltstrike.exe C:\Windows\System\UcynNQz.exe
PID 2860 wrote to memory of 1512 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5964ee1eb702629e2f24449fe68dd44e_cobalt-strike_cobaltstrike.exe C:\Windows\System\UcynNQz.exe
PID 2860 wrote to memory of 372 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5964ee1eb702629e2f24449fe68dd44e_cobalt-strike_cobaltstrike.exe C:\Windows\System\sdpYFct.exe
PID 2860 wrote to memory of 372 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5964ee1eb702629e2f24449fe68dd44e_cobalt-strike_cobaltstrike.exe C:\Windows\System\sdpYFct.exe
PID 2860 wrote to memory of 3372 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5964ee1eb702629e2f24449fe68dd44e_cobalt-strike_cobaltstrike.exe C:\Windows\System\qYMAPAK.exe
PID 2860 wrote to memory of 3372 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5964ee1eb702629e2f24449fe68dd44e_cobalt-strike_cobaltstrike.exe C:\Windows\System\qYMAPAK.exe
PID 2860 wrote to memory of 2244 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5964ee1eb702629e2f24449fe68dd44e_cobalt-strike_cobaltstrike.exe C:\Windows\System\XgfxncT.exe
PID 2860 wrote to memory of 2244 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5964ee1eb702629e2f24449fe68dd44e_cobalt-strike_cobaltstrike.exe C:\Windows\System\XgfxncT.exe
PID 2860 wrote to memory of 4728 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5964ee1eb702629e2f24449fe68dd44e_cobalt-strike_cobaltstrike.exe C:\Windows\System\TBAFYFj.exe
PID 2860 wrote to memory of 4728 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5964ee1eb702629e2f24449fe68dd44e_cobalt-strike_cobaltstrike.exe C:\Windows\System\TBAFYFj.exe
PID 2860 wrote to memory of 2240 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5964ee1eb702629e2f24449fe68dd44e_cobalt-strike_cobaltstrike.exe C:\Windows\System\fkDNByv.exe
PID 2860 wrote to memory of 2240 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5964ee1eb702629e2f24449fe68dd44e_cobalt-strike_cobaltstrike.exe C:\Windows\System\fkDNByv.exe
PID 2860 wrote to memory of 744 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5964ee1eb702629e2f24449fe68dd44e_cobalt-strike_cobaltstrike.exe C:\Windows\System\gssVMJC.exe
PID 2860 wrote to memory of 744 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5964ee1eb702629e2f24449fe68dd44e_cobalt-strike_cobaltstrike.exe C:\Windows\System\gssVMJC.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-01_5964ee1eb702629e2f24449fe68dd44e_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-01_5964ee1eb702629e2f24449fe68dd44e_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\eIkmxjq.exe

C:\Windows\System\eIkmxjq.exe

C:\Windows\System\KHEDNGB.exe

C:\Windows\System\KHEDNGB.exe

C:\Windows\System\gXKslNa.exe

C:\Windows\System\gXKslNa.exe

C:\Windows\System\FXZCOSx.exe

C:\Windows\System\FXZCOSx.exe

C:\Windows\System\khexOof.exe

C:\Windows\System\khexOof.exe

C:\Windows\System\xgeBjpr.exe

C:\Windows\System\xgeBjpr.exe

C:\Windows\System\IgoyBHj.exe

C:\Windows\System\IgoyBHj.exe

C:\Windows\System\YtQSPkB.exe

C:\Windows\System\YtQSPkB.exe

C:\Windows\System\CoUyJVx.exe

C:\Windows\System\CoUyJVx.exe

C:\Windows\System\JZKgtPQ.exe

C:\Windows\System\JZKgtPQ.exe

C:\Windows\System\uxyLhAy.exe

C:\Windows\System\uxyLhAy.exe

C:\Windows\System\Znmjsve.exe

C:\Windows\System\Znmjsve.exe

C:\Windows\System\PXVwgMI.exe

C:\Windows\System\PXVwgMI.exe

C:\Windows\System\xpxltbS.exe

C:\Windows\System\xpxltbS.exe

C:\Windows\System\UcynNQz.exe

C:\Windows\System\UcynNQz.exe

C:\Windows\System\sdpYFct.exe

C:\Windows\System\sdpYFct.exe

C:\Windows\System\qYMAPAK.exe

C:\Windows\System\qYMAPAK.exe

C:\Windows\System\XgfxncT.exe

C:\Windows\System\XgfxncT.exe

C:\Windows\System\TBAFYFj.exe

C:\Windows\System\TBAFYFj.exe

C:\Windows\System\fkDNByv.exe

C:\Windows\System\fkDNByv.exe

C:\Windows\System\gssVMJC.exe

C:\Windows\System\gssVMJC.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 67.31.126.40.in-addr.arpa udp
DE 3.120.209.58:8080 N/A tcp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
DE 3.120.209.58:8080 N/A tcp
DE 3.120.209.58:8080 N/A tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 52.111.227.14:443 N/A tcp
DE 3.120.209.58:8080 N/A tcp
US 8.8.8.8:53 25.140.123.92.in-addr.arpa udp
DE 3.120.209.58:8080 N/A tcp
DE 3.120.209.58:8080 N/A tcp
US 8.8.8.8:53 77.239.69.13.in-addr.arpa udp

Files

memory/2860-0-0x00007FF656320000-0x00007FF656674000-memory.dmp

memory/2860-1-0x0000025A59FA0000-0x0000025A59FB0000-memory.dmp

C:\Windows\System\eIkmxjq.exe

MD5 c6df3ce96432920c90342581acee21ec
SHA1 05736d4114b634b52503ac1b5bc54a1c45b576cc
SHA256 bc95dd5c8e904e0d2a95fe984a9ab6d73b54f9733046372e6b9d4babc774b24b
SHA512 cda857e691587881796ea33f07bee120f95dcb145ad72a9ad6854069ca89078a05bd26dd9df99469891e866733055d2f0250b55910d2f8516b0bbfd22b0daf5d

memory/1724-8-0x00007FF7375B0000-0x00007FF737904000-memory.dmp

C:\Windows\System\gXKslNa.exe

MD5 c2aa23466f2a8af4f0cb06d12962a990
SHA1 94b34659eeec1c4aa433620a8533228aa0295046
SHA256 bf388145b7f1b6b23673958d997af3d05e7def84ab1d791e8ac31c544dfaccc6
SHA512 3cb2aa4805f2f7df208d91730c64190740e8f28d77b6a92506533f22d49bd020b65157341f39026a16cee0bd37378e5df222f5700b438187229b0d9e47fb4075

C:\Windows\System\KHEDNGB.exe

MD5 b6f4f7de9d58de7a4d887ecabc1d476d
SHA1 bede74d7c5b3b9468d585496dd8ed9781c5463d4
SHA256 e527e88a113aac0a7228ac62654729fcb4f8d884fe348adc2c7f6f0d1ebab845
SHA512 1ae8202c5a91669bc5dd68650d1e9de0156f77ae06551423724c3d2a739301129c99e1400dfe60e9b51fbb77e8f180bfdaf8285b548711730efc98bbf7a35df8

memory/4428-12-0x00007FF6A1960000-0x00007FF6A1CB4000-memory.dmp

C:\Windows\System\FXZCOSx.exe

MD5 86a02c02e962ad73ce47cd4b7e69edcf
SHA1 d6d311f8948dabdf9c56d8a0b2cf837a7c77e645
SHA256 76762c9d889e930eb6fb33db4d265a6f3c7712954cadadaecf3e4c3f9df6f3be
SHA512 99ff59f02160da33e26029e5cd0b350eb31880b3638e6d886929c1b40ba04e88bf809ee2bb98e28ccf9895b67d87c801124151e8a244cf64410fb29553940b4c

memory/4060-18-0x00007FF6300F0000-0x00007FF630444000-memory.dmp

memory/1468-29-0x00007FF76AB00000-0x00007FF76AE54000-memory.dmp

C:\Windows\System\xgeBjpr.exe

MD5 aabd5246a56605a3104b2a39520440a7
SHA1 7e8f7d90f2018516c966a22b3c9a73d2380c0314
SHA256 0bddb0ab7d9a6e1ae230d6c7bf6169661256108acfcaefc855568c687a2cd1ba
SHA512 14b44055ee47721e0c6feb6a4fb90679044206ded9ee76ad0f9740a528803668a0d987a57d9856089c1a08dce3014efea35314b7b0eb49abb161c994a5f568ac

C:\Windows\System\IgoyBHj.exe

MD5 88cf33c5c33cef7eb46326fcc5b5a86b
SHA1 e5988feb464da3fb12f2cd94ce3872ebf6d04980
SHA256 87f166dd7327cd0f8b72387afbe1f50040ef62580d78a5ecfa36b163ff79660b
SHA512 08a54cc44267281fb1544639361e6656487cf9c2c7a2a15f8a8abb80bce35466e410bc02d0baae2bda77ef63ac596c661cc3e5ad25f89d6c638f046010adc25a

memory/2920-38-0x00007FF79E140000-0x00007FF79E494000-memory.dmp

C:\Windows\System\khexOof.exe

MD5 803e6c77347161f32acc10368eb042c8
SHA1 d5476c1c6b74fab22536c90cbc487b2f3c2242f7
SHA256 1542f5af36ee9da3e0ff2e6312b5f33750f4494cc396e6dd691b62d37ace3c22
SHA512 69f5d93eba25b2c95d4152b9fd4dd78108ab542d7444aeccd6d0632c8e13ab5f235a4d1988da3976f945519ad4d97c83b8b6d23ebd930283f1b04efb94b78e66

memory/3828-32-0x00007FF797010000-0x00007FF797364000-memory.dmp

C:\Windows\System\YtQSPkB.exe

MD5 7a9d72b0a719c0e9a26603736fe609c4
SHA1 bf9383a0cb803d26ae323c94320e703182137fcb
SHA256 8ec517d8f8b280bef40459fdba2815e2f1df93b8ae65f6b14c66e81219bed783
SHA512 d26388a2d4577501756d606ec9710cb913a014b9f035ae1f0315f4132e25ec629c6a5ed4029d7d1337a86ba1332fb08f28cba60d138bcae21533109a0b760f0d

memory/3056-46-0x00007FF6A1D90000-0x00007FF6A20E4000-memory.dmp

memory/3952-52-0x00007FF7D15B0000-0x00007FF7D1904000-memory.dmp

C:\Windows\System\CoUyJVx.exe

MD5 4cd91475398a4f8c163917b665613ee7
SHA1 f122b058d95702737fb871a9dc19942e7a3e79e3
SHA256 42583780d393e857f4837a0c2bc51c878d35c800f708ab5e587ef787c0ba1c12
SHA512 ffe35f981f4bcaba5b5f61c1b3a3872610a049d9364a8345c0326bf0c5b08affb4e18ff7027c6d40d36ee6340282f30c3fe0af1f94b58fc4ba0d4b3b23359030

C:\Windows\System\JZKgtPQ.exe

MD5 ad8fbfde5b721279838a645daaea73ae
SHA1 dd9117b972228617c26d37d5f45cb258fdc36db6
SHA256 98937d236ec4e27da51b7b7718e6f7864df3a7445240826663351fa6f8a5e361
SHA512 e082d29c8a1030033633c15e36c8bbc1dcc33fc6edf310337c39e9aff705901d76b163c885806613580f40a7ddc05a48fffaf0c876b8b0d83a767395e5705924

memory/2708-56-0x00007FF7D3FB0000-0x00007FF7D4304000-memory.dmp

memory/2860-62-0x00007FF656320000-0x00007FF656674000-memory.dmp

memory/2168-65-0x00007FF6B1C60000-0x00007FF6B1FB4000-memory.dmp

C:\Windows\System\uxyLhAy.exe

MD5 87ae549097a6d4283cd4ec712f89472f
SHA1 9e6d5d57e9a87abd924c3b7a833378f5ef49fa25
SHA256 fc24999f0e4bf272d2f536d5f6ed3b00feba055a61730651553e04f8a4fa1380
SHA512 c03c152e245c643d2b159671b1ca84ea98319b67e18d8ba4935329d5042a4e91e5fd3615fde24a7910a7cd431409b5961265c65426aa6156577d7e17e18cd10b

C:\Windows\System\Znmjsve.exe

MD5 4f305ac1c5411d4043d51dcee06604c3
SHA1 6576f89d8bfc7f0692332de49b7956d965d47724
SHA256 71470032ba92c62e2235b2af392bfb1375b0cb94c8e0df172f648004f90a75a9
SHA512 60cc5cea0172632a94e9e1ac96201b423a0cf4d63067e41deafb0ac48b6d39a193477e522e4a917bc3449729f4f1620599ad1f28147ee62c053f1852a250f80f

memory/3624-70-0x00007FF6E0470000-0x00007FF6E07C4000-memory.dmp

memory/1724-69-0x00007FF7375B0000-0x00007FF737904000-memory.dmp

memory/2360-79-0x00007FF766020000-0x00007FF766374000-memory.dmp

C:\Windows\System\PXVwgMI.exe

MD5 0548aaab15c7dad1b27d48e68a5de9d1
SHA1 77636d9bb085ea59b1667d9fc8cfc535aac15fac
SHA256 4c03f9f4870c12a48da40138a55b889b3e0a121ce0bca6948a6ef66e221334f4
SHA512 14694c35fa58262aa86e8bb7f2b1ffabe30e25d892ae6fd07dc80d062a08d8164b2f3e446908e50f465d5e95b91ce8d333ab3090e725c79dd54810a31eec8af1

memory/4428-76-0x00007FF6A1960000-0x00007FF6A1CB4000-memory.dmp

memory/4832-93-0x00007FF7BD650000-0x00007FF7BD9A4000-memory.dmp

memory/3828-102-0x00007FF797010000-0x00007FF797364000-memory.dmp

memory/3372-106-0x00007FF7CF840000-0x00007FF7CFB94000-memory.dmp

C:\Windows\System\qYMAPAK.exe

MD5 b9eab6a14aa8c4b9a63c2fff8e4e9856
SHA1 6fdedbec213a43a19124969338ac5707f5453fed
SHA256 af610408aa18a1e97948a7ee605b5432ac0995bb95b7f27a12e74947a9a4977c
SHA512 b88770041e594a098eb3a4ef164f466711843940cf3eecb0ed21f4f244bcefba1778d3ca55677cc77d93be426f0f68e50572e0b3671a201257b933e6055db4ef

C:\Windows\System\sdpYFct.exe

MD5 d6c99769c44bbef77062c6a5d4994edf
SHA1 1d5518eff7f22594d1a9cdbea2d5575c23cfdcea
SHA256 69a0a50612e6805b46f7c79535d86b67937442d17d8afb820baf294134934bc2
SHA512 45b723de85925c06e26ab6da6c4e9430e7112a059495f890c9dcd0c1d450d158418877dbb554d8f6249dc6a62b49d7d715f7f333afcd7cd11bc5f57e3a5e6bbd

memory/2920-105-0x00007FF79E140000-0x00007FF79E494000-memory.dmp

memory/2244-117-0x00007FF752DF0000-0x00007FF753144000-memory.dmp

C:\Windows\System\gssVMJC.exe

MD5 a129efe608badf863044882920d73e52
SHA1 816e15f1174df5770e9b0a8cc9124155bfc2efd1
SHA256 d60479bacf4429fada985bb45763197cc0fccc64ac65f3188cd44d200efeb32d
SHA512 0a6c325a3ce6c0da2d686bed23406ddc321565bdb383a4de9035da4bca8f44196d4452137032329ff8062fedf23f43df8d1f74965a81fd481b2583ac01909be5

C:\Windows\System\fkDNByv.exe

MD5 291558a0407dd6aa5416cbb213eda16e
SHA1 5bf9d87a2162b1abb06ec39c5a01a43842f624bb
SHA256 46efd810ac25cae0505f340d120be9b2e38df7956a85f69685bbaec6202c5237
SHA512 6cd66f407573adf275a0a6916812c4eaff8c7b0f854216b19b62fc1c0f8b7cbb8beed480be09f1a432460fc9b5ede24cb39bf0007cdc3a7edfb6df7b5b3cc6f2

C:\Windows\System\TBAFYFj.exe

MD5 4a7f77520b349c3d82815193e6c419ce
SHA1 4ac10f24ee842254318e1184ba05418aadb6afa4
SHA256 23975415352b05ceb8b522cd02b00fa4fb715fe183765167979363b3bc405f1b
SHA512 d84bc6f5d8f1947296528b33adcd7d5cb6774fcd576d7548dd389af585f17e3fc717ce5c4b42f005826c8c4baa2e8fa78c9a290a0f601dd308011fb79470e96b

C:\Windows\System\XgfxncT.exe

MD5 5a1c2f6b55015d5419029d5fb0d54855
SHA1 8c5cb588e6ac3da0129d9becaa615486d1470f10
SHA256 c48a287b09273c4dd28db61d05979e74d51b6c00cc83b318f61dd74470a8c14b
SHA512 0cc46155071cc663adc211fc46d8cbddcf2ff58c2b88b0ff65cd3803975b7c6eabe9cb9aff3ee71e6aee389408c6d6e1439d4fb14f8e33857948c31463111a84

memory/4728-121-0x00007FF60DBE0000-0x00007FF60DF34000-memory.dmp

memory/372-103-0x00007FF790500000-0x00007FF790854000-memory.dmp

C:\Windows\System\UcynNQz.exe

MD5 17aed9b1a39770d79fd6217b28c07a77
SHA1 8eae64350eef847f068088a551626a76af0b2eaa
SHA256 4d1c2748bce0fe2b15cfb04bb686424c1fed3bea280b088957f5887b774887cf
SHA512 5fd4d0c80676b29f79c4a843a0b9b6e7ba2dbd834d820575838362894dfd333ff526690ca8cd33d382400423d1ce91239c2e588bc08f106a6ea50a83bd6b9a02

memory/1512-96-0x00007FF666340000-0x00007FF666694000-memory.dmp

C:\Windows\System\xpxltbS.exe

MD5 65c4469b314e9f3e368e6be86380452c
SHA1 3224ca883367356380507866c6de7ba995297318
SHA256 9148191fa8a93e0d65cdfeadd794b1a258550d03351891b2eeba81db280b8b16
SHA512 504fbfeb95e6797bf3c9edf5a7966fdf0a4fe624f8f69b929793042915e3e5d22f57a5b1b09c2b484c346900d7cb7b542e4f0c6cbad232f8d808832b5b8f95e4

memory/2240-132-0x00007FF7DD1A0000-0x00007FF7DD4F4000-memory.dmp

memory/4704-84-0x00007FF653BB0000-0x00007FF653F04000-memory.dmp

memory/4060-83-0x00007FF6300F0000-0x00007FF630444000-memory.dmp

memory/744-133-0x00007FF696330000-0x00007FF696684000-memory.dmp

memory/3624-134-0x00007FF6E0470000-0x00007FF6E07C4000-memory.dmp

memory/4704-135-0x00007FF653BB0000-0x00007FF653F04000-memory.dmp

memory/1512-136-0x00007FF666340000-0x00007FF666694000-memory.dmp

memory/372-137-0x00007FF790500000-0x00007FF790854000-memory.dmp

memory/3372-138-0x00007FF7CF840000-0x00007FF7CFB94000-memory.dmp

memory/2244-139-0x00007FF752DF0000-0x00007FF753144000-memory.dmp

memory/4728-140-0x00007FF60DBE0000-0x00007FF60DF34000-memory.dmp

memory/1724-141-0x00007FF7375B0000-0x00007FF737904000-memory.dmp

memory/4428-142-0x00007FF6A1960000-0x00007FF6A1CB4000-memory.dmp

memory/4060-143-0x00007FF6300F0000-0x00007FF630444000-memory.dmp

memory/1468-144-0x00007FF76AB00000-0x00007FF76AE54000-memory.dmp

memory/3828-145-0x00007FF797010000-0x00007FF797364000-memory.dmp

memory/3056-146-0x00007FF6A1D90000-0x00007FF6A20E4000-memory.dmp

memory/2920-147-0x00007FF79E140000-0x00007FF79E494000-memory.dmp

memory/3952-148-0x00007FF7D15B0000-0x00007FF7D1904000-memory.dmp

memory/2708-149-0x00007FF7D3FB0000-0x00007FF7D4304000-memory.dmp

memory/2168-150-0x00007FF6B1C60000-0x00007FF6B1FB4000-memory.dmp

memory/2360-151-0x00007FF766020000-0x00007FF766374000-memory.dmp

memory/3624-152-0x00007FF6E0470000-0x00007FF6E07C4000-memory.dmp

memory/4832-153-0x00007FF7BD650000-0x00007FF7BD9A4000-memory.dmp

memory/4704-154-0x00007FF653BB0000-0x00007FF653F04000-memory.dmp

memory/1512-155-0x00007FF666340000-0x00007FF666694000-memory.dmp

memory/372-156-0x00007FF790500000-0x00007FF790854000-memory.dmp

memory/3372-157-0x00007FF7CF840000-0x00007FF7CFB94000-memory.dmp

memory/2244-158-0x00007FF752DF0000-0x00007FF753144000-memory.dmp

memory/4728-160-0x00007FF60DBE0000-0x00007FF60DF34000-memory.dmp

memory/2240-159-0x00007FF7DD1A0000-0x00007FF7DD4F4000-memory.dmp

memory/744-161-0x00007FF696330000-0x00007FF696684000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-01 11:12

Reported

2024-06-01 11:15

Platform

win7-20240221-en

Max time kernel

145s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-01_5964ee1eb702629e2f24449fe68dd44e_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
21 matches, all fields N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
21 matches, all fields N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
50 matches, all fields N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A (52 hits, all fields N/A)

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5964ee1eb702629e2f24449fe68dd44e_cobalt-strike_cobaltstrike.exe N/A (21 hits, all from this process; no DLL path recorded)

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A (50 hits, all fields N/A)

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\dNWZLQR.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_5964ee1eb702629e2f24449fe68dd44e_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\RMFYHAv.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_5964ee1eb702629e2f24449fe68dd44e_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\gFIksDL.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_5964ee1eb702629e2f24449fe68dd44e_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ZzEhdAk.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_5964ee1eb702629e2f24449fe68dd44e_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\AJCNVcz.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_5964ee1eb702629e2f24449fe68dd44e_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\nfKhZFO.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_5964ee1eb702629e2f24449fe68dd44e_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\efgveUD.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_5964ee1eb702629e2f24449fe68dd44e_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\AlDAJfD.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_5964ee1eb702629e2f24449fe68dd44e_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\iwZnwka.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_5964ee1eb702629e2f24449fe68dd44e_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\XVTwTzt.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_5964ee1eb702629e2f24449fe68dd44e_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\jitrMRq.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_5964ee1eb702629e2f24449fe68dd44e_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\cXfOOHV.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_5964ee1eb702629e2f24449fe68dd44e_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\JpqaDVj.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_5964ee1eb702629e2f24449fe68dd44e_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\QOZysll.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_5964ee1eb702629e2f24449fe68dd44e_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\bMysjWt.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_5964ee1eb702629e2f24449fe68dd44e_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\oilJlUI.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_5964ee1eb702629e2f24449fe68dd44e_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\QxAriwK.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_5964ee1eb702629e2f24449fe68dd44e_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\PhPWjqI.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_5964ee1eb702629e2f24449fe68dd44e_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\LIlLTAU.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_5964ee1eb702629e2f24449fe68dd44e_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\gSNiadX.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_5964ee1eb702629e2f24449fe68dd44e_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\MQSRhlc.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_5964ee1eb702629e2f24449fe68dd44e_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5964ee1eb702629e2f24449fe68dd44e_cobalt-strike_cobaltstrike.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5964ee1eb702629e2f24449fe68dd44e_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1704 wrote to memory of 2032 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5964ee1eb702629e2f24449fe68dd44e_cobalt-strike_cobaltstrike.exe C:\Windows\System\gFIksDL.exe
PID 1704 wrote to memory of 2264 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5964ee1eb702629e2f24449fe68dd44e_cobalt-strike_cobaltstrike.exe C:\Windows\System\LIlLTAU.exe
PID 1704 wrote to memory of 2652 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5964ee1eb702629e2f24449fe68dd44e_cobalt-strike_cobaltstrike.exe C:\Windows\System\ZzEhdAk.exe
PID 1704 wrote to memory of 2528 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5964ee1eb702629e2f24449fe68dd44e_cobalt-strike_cobaltstrike.exe C:\Windows\System\nfKhZFO.exe
PID 1704 wrote to memory of 2584 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5964ee1eb702629e2f24449fe68dd44e_cobalt-strike_cobaltstrike.exe C:\Windows\System\gSNiadX.exe
PID 1704 wrote to memory of 2448 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5964ee1eb702629e2f24449fe68dd44e_cobalt-strike_cobaltstrike.exe C:\Windows\System\MQSRhlc.exe
PID 1704 wrote to memory of 2464 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5964ee1eb702629e2f24449fe68dd44e_cobalt-strike_cobaltstrike.exe C:\Windows\System\efgveUD.exe
PID 1704 wrote to memory of 2468 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5964ee1eb702629e2f24449fe68dd44e_cobalt-strike_cobaltstrike.exe C:\Windows\System\cXfOOHV.exe
PID 1704 wrote to memory of 2420 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5964ee1eb702629e2f24449fe68dd44e_cobalt-strike_cobaltstrike.exe C:\Windows\System\AlDAJfD.exe
PID 1704 wrote to memory of 2488 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5964ee1eb702629e2f24449fe68dd44e_cobalt-strike_cobaltstrike.exe C:\Windows\System\AJCNVcz.exe
PID 1704 wrote to memory of 2944 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5964ee1eb702629e2f24449fe68dd44e_cobalt-strike_cobaltstrike.exe C:\Windows\System\JpqaDVj.exe
PID 1704 wrote to memory of 436 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5964ee1eb702629e2f24449fe68dd44e_cobalt-strike_cobaltstrike.exe C:\Windows\System\QOZysll.exe
PID 1704 wrote to memory of 532 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5964ee1eb702629e2f24449fe68dd44e_cobalt-strike_cobaltstrike.exe C:\Windows\System\iwZnwka.exe
PID 1704 wrote to memory of 1600 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5964ee1eb702629e2f24449fe68dd44e_cobalt-strike_cobaltstrike.exe C:\Windows\System\dNWZLQR.exe
PID 1704 wrote to memory of 1956 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5964ee1eb702629e2f24449fe68dd44e_cobalt-strike_cobaltstrike.exe C:\Windows\System\RMFYHAv.exe
PID 1704 wrote to memory of 2768 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5964ee1eb702629e2f24449fe68dd44e_cobalt-strike_cobaltstrike.exe C:\Windows\System\bMysjWt.exe
PID 1704 wrote to memory of 2808 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5964ee1eb702629e2f24449fe68dd44e_cobalt-strike_cobaltstrike.exe C:\Windows\System\oilJlUI.exe
PID 1704 wrote to memory of 2820 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5964ee1eb702629e2f24449fe68dd44e_cobalt-strike_cobaltstrike.exe C:\Windows\System\XVTwTzt.exe
PID 1704 wrote to memory of 1052 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5964ee1eb702629e2f24449fe68dd44e_cobalt-strike_cobaltstrike.exe C:\Windows\System\jitrMRq.exe
PID 1704 wrote to memory of 1048 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5964ee1eb702629e2f24449fe68dd44e_cobalt-strike_cobaltstrike.exe C:\Windows\System\QxAriwK.exe
PID 1704 wrote to memory of 2012 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5964ee1eb702629e2f24449fe68dd44e_cobalt-strike_cobaltstrike.exe C:\Windows\System\PhPWjqI.exe
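
The three tables above describe one behaviour: the parent (PID 1704) drops executables with random seven-letter names into C:\Windows\System, starts each one and writes into it, and enables SeLockMemoryPrivilege, which is the privilege XMRig requests to use large pages. The following is an added example, not part of the sandbox report, of the detection logic a defender could run over process-creation telemetry to catch that fan-out and corroborate it with the privilege signal. The parent PID, the child PIDs and the dropped file names come from the tables; the timestamps, the two noise rows and the privilege-event format are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Image names the dropper uses: a drive, \Windows\System\ (not System32), seven
# ASCII letters, .exe. Case-insensitive because NTFS paths are.
RANDOM_SYSTEM_EXE = re.compile(r"^[a-z]:\\windows\\system\\[a-z]{7}\.exe$", re.IGNORECASE)

# Constructed process-creation events modelled on the behavioral1 tree in this
# report. Parent PID 1704, the child PIDs and the dropped file names are from
# the report; the timestamps and the two noise rows are assumptions.
SAMPLE_EVENTS = [
    {"ts": "2024-06-01T11:12:05", "ppid": 1704, "pid": 2032, "image": r"C:\Windows\System\gFIksDL.exe"},
    {"ts": "2024-06-01T11:12:06", "ppid": 1704, "pid": 2264, "image": r"C:\Windows\System\LIlLTAU.exe"},
    {"ts": "2024-06-01T11:12:06", "ppid": 1704, "pid": 2652, "image": r"C:\Windows\System\ZzEhdAk.exe"},
    {"ts": "2024-06-01T11:12:07", "ppid": 1704, "pid": 2528, "image": r"C:\Windows\System\nfKhZFO.exe"},
    {"ts": "2024-06-01T11:12:08", "ppid": 1704, "pid": 2584, "image": r"C:\Windows\System\gSNiadX.exe"},
    {"ts": "2024-06-01T11:12:09", "ppid": 1704, "pid": 2448, "image": r"C:\Windows\System\MQSRhlc.exe"},
    # noise: a real system binary under System32 started by the same parent
    {"ts": "2024-06-01T11:12:10", "ppid": 1704, "pid": 3000, "image": r"C:\Windows\System32\cmd.exe"},
    # noise: an unrelated parent starting a single oddly named file
    {"ts": "2024-06-01T11:13:00", "ppid": 900, "pid": 3100, "image": r"C:\Windows\System\QOZysll.exe"},
]

# Constructed privilege-adjustment events (assumes an EDR that records them).
# PID 1704 is from the report; PID 4321 is an assumption.
SAMPLE_PRIV_EVENTS = [
    {"pid": 1704, "privilege": "SeLockMemoryPrivilege"},
    {"pid": 4321, "privilege": "SeDebugPrivilege"},
]


def is_random_system_name(image):
    return RANDOM_SYSTEM_EXE.match(image) is not None


def find_dropper_fanout(events, threshold=5, window=timedelta(seconds=60)):
    r"""Return {parent_pid: [child images]} for parents that start at least
    `threshold` randomly named C:\Windows\System executables within `window`."""
    by_parent = defaultdict(list)
    for ev in events:
        if is_random_system_name(ev["image"]):
            by_parent[ev["ppid"]].append((datetime.fromisoformat(ev["ts"]), ev["image"]))
    hits = {}
    for ppid, spawns in by_parent.items():
        spawns.sort()
        start = 0
        for end in range(len(spawns)):          # sliding window over spawn times
            while spawns[end][0] - spawns[start][0] > window:
                start += 1
            if end - start + 1 >= threshold:
                hits[ppid] = [img for _, img in spawns]
                break
    return hits


def lock_memory_requesters(priv_events):
    """PIDs that enabled SeLockMemoryPrivilege (large pages, what XMRig asks for)."""
    return sorted({e["pid"] for e in priv_events if e["privilege"] == "SeLockMemoryPrivilege"})


def score(events, priv_events):
    """Combine both signals: a fan-out parent that also took SeLockMemoryPrivilege."""
    fanout = find_dropper_fanout(events)
    lockers = set(lock_memory_requesters(priv_events))
    return {ppid: ("fanout+lockmemory" if ppid in lockers else "fanout") for ppid in fanout}


if __name__ == "__main__":
    for ppid, verdict in score(SAMPLE_EVENTS, SAMPLE_PRIV_EVENTS).items():
        print(ppid, verdict, find_dropper_fanout(SAMPLE_EVENTS)[ppid])
```

The name pattern alone is weak (a seven-letter product binary under C:\Windows\System would match), which is why the rule keys on the fan-out count per parent within a short window and only treats SeLockMemoryPrivilege as corroboration; on hosts that legitimately use large pages (database servers, for instance) the privilege signal should be weighted down.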

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-01_5964ee1eb702629e2f24449fe68dd44e_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-01_5964ee1eb702629e2f24449fe68dd44e_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\gFIksDL.exe

C:\Windows\System\gFIksDL.exe

C:\Windows\System\LIlLTAU.exe

C:\Windows\System\LIlLTAU.exe

C:\Windows\System\ZzEhdAk.exe

C:\Windows\System\ZzEhdAk.exe

C:\Windows\System\nfKhZFO.exe

C:\Windows\System\nfKhZFO.exe

C:\Windows\System\gSNiadX.exe

C:\Windows\System\gSNiadX.exe

C:\Windows\System\MQSRhlc.exe

C:\Windows\System\MQSRhlc.exe

C:\Windows\System\efgveUD.exe

C:\Windows\System\efgveUD.exe

C:\Windows\System\cXfOOHV.exe

C:\Windows\System\cXfOOHV.exe

C:\Windows\System\AlDAJfD.exe

C:\Windows\System\AlDAJfD.exe

C:\Windows\System\AJCNVcz.exe

C:\Windows\System\AJCNVcz.exe

C:\Windows\System\JpqaDVj.exe

C:\Windows\System\JpqaDVj.exe

C:\Windows\System\QOZysll.exe

C:\Windows\System\QOZysll.exe

C:\Windows\System\iwZnwka.exe

C:\Windows\System\iwZnwka.exe

C:\Windows\System\dNWZLQR.exe

C:\Windows\System\dNWZLQR.exe

C:\Windows\System\RMFYHAv.exe

C:\Windows\System\RMFYHAv.exe

C:\Windows\System\bMysjWt.exe

C:\Windows\System\bMysjWt.exe

C:\Windows\System\oilJlUI.exe

C:\Windows\System\oilJlUI.exe

C:\Windows\System\XVTwTzt.exe

C:\Windows\System\XVTwTzt.exe

C:\Windows\System\jitrMRq.exe

C:\Windows\System\jitrMRq.exe

C:\Windows\System\QxAriwK.exe

C:\Windows\System\QxAriwK.exe

C:\Windows\System\PhPWjqI.exe

C:\Windows\System\PhPWjqI.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 tcp (6 connections)
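
The Network table above and the Files table that follows hold the indicators worth exporting: the single destination 3.120.209.58:8080 and the dropped executables with their hashes. Note that the sandbox recorded some dropped paths without a drive letter (\Windows\system\...) and others with one (C:\Windows\system\...), so an exact string match on the path misses part of the set. The following is an added example, not part of the report, that parses the report's own line layout into a deduplicated IOC set, normalizes the paths and rejects digests of the wrong length. The sample text embeds a few entries copied from this page; everything else is the example's own code.

```python
import re

# Constructed sample: a handful of lines copied from this report's Network and
# Files tables, kept in the report's own line layout.
SAMPLE_REPORT = r"""
Network

Country Destination Domain Proto
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp

Files

memory/1704-0-0x000000013FC10000-0x000000013FF64000-memory.dmp

\Windows\system\gFIksDL.exe

MD5 a5d177ba88b830aa38f33b936a2b2268
SHA1 16e773fb1918d761167e08f16c8be922e19deedc
SHA256 6fd9d3ec98412ebd5db399393a5c6c5b2a467ca5ed2999da576971381bd43adc
SHA512 273dd5f50ff2ac0f21d6b33b08b9169e5562170927c33196c15a8a9a90cbf2a010a9729f1ec6e0e9f6146f060f70b404a849d1278f42024a463a61a88a4e701e

C:\Windows\system\MQSRhlc.exe

MD5 13c48bdbec9bb28d68f618bdfae6e162
SHA1 93a1e761e3ea93ed3cc1958ea0cc61813b71c6ff
SHA256 a08dd86019a0cdb94602b4cbad0b3a9f10b13deadb6d2e7fd164bc4a951232dc
SHA512 72a56e9286c01aa2f37e1947844045e7a96b12ebcf5bccd6661028d8ff23f8c98d87bbf780fa13fed04c78bc4ed47d4d13431a301e03f90abcc477dc4084b869
"""

HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
NET_ROW = re.compile(r"^([A-Z]{2}|N/A)\s+(\d{1,3}(?:\.\d{1,3}){3}):(\d+)\s+(?:(\S+)\s+)?(tcp|udp)$")
PATH_LINE = re.compile(r"^(?:[A-Za-z]:)?\\\S+$")          # \Windows\... or C:\Windows\...
HASH_LINE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-fA-F]+)$")


def normalize_path(path):
    """Drop the drive letter and lower-case, so both spellings of a dropped
    file compare equal (NTFS is case-insensitive)."""
    return re.sub(r"^[A-Za-z]:", "", path).lower()


def extract_iocs(text):
    """Parse the report layout into {'files': [...], 'network': [...]}.
    Memory-dump entries are skipped; a digest of the wrong length raises."""
    files, network, seen_net, current = [], [], set(), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = NET_ROW.match(line)
        if m:
            key = (m.group(2), int(m.group(3)), m.group(5))
            if key not in seen_net:                    # the table repeats one row per connection
                seen_net.add(key)
                network.append({"ip": key[0], "port": key[1], "proto": key[2],
                                "country": m.group(1), "domain": m.group(4)})
            continue
        if PATH_LINE.match(line):
            current = {"path": normalize_path(line), "hashes": {}}
            files.append(current)
            continue
        m = HASH_LINE.match(line)
        if m and current is not None:
            algo, digest = m.group(1), m.group(2).lower()
            if len(digest) != HASH_LEN[algo]:
                raise ValueError(f"{algo} digest of length {len(digest)} for {current['path']}")
            current["hashes"][algo] = digest
    return {"files": files, "network": network}


def sha256_blocklist(iocs):
    """Sorted, deduplicated SHA-256 values suitable for a hash blocklist."""
    return sorted({f["hashes"]["SHA256"] for f in iocs["files"] if "SHA256" in f["hashes"]})


if __name__ == "__main__":
    iocs = extract_iocs(SAMPLE_REPORT)
    for f in iocs["files"]:
        print(f["path"], f["hashes"]["SHA256"])
    for n in iocs["network"]:
        print(f'{n["ip"]}:{n["port"]}/{n["proto"]}')
```

Feed the whole Files and Network sections of the report to extract_iocs to get every dropped file and the C2 endpoint in one pass; the length check matters because a truncated copy of a 128-character SHA-512 silently becomes a useless indicator.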

Files

memory/1704-0-0x000000013FC10000-0x000000013FF64000-memory.dmp

memory/1704-1-0x0000000000080000-0x0000000000090000-memory.dmp

\Windows\system\gFIksDL.exe

MD5 a5d177ba88b830aa38f33b936a2b2268
SHA1 16e773fb1918d761167e08f16c8be922e19deedc
SHA256 6fd9d3ec98412ebd5db399393a5c6c5b2a467ca5ed2999da576971381bd43adc
SHA512 273dd5f50ff2ac0f21d6b33b08b9169e5562170927c33196c15a8a9a90cbf2a010a9729f1ec6e0e9f6146f060f70b404a849d1278f42024a463a61a88a4e701e

\Windows\system\LIlLTAU.exe

MD5 85927ce66af07da8675b3152baf47c4d
SHA1 e1145b0cd257885d7471f55c4f06c85319b3af35
SHA256 c28a7a57c43002daa7f208cea7a6f956c12284c74c81c119ba331dfb9e52953d
SHA512 50eada528d19e70c2e802d386536f3e7b4d44aeb6b08680cc326d154bea093cb7f3a3bd4e220e958f1f239b90d10765e4653c7f2542a8a7a59f36651540b01a9

\Windows\system\nfKhZFO.exe

MD5 1f69550bbbc0fd815162003b54ccfeaa
SHA1 8255dc311f5224029c75cba11b5b62fae41b5ed3
SHA256 95a39d79b5408ac9d3e63d2a1362457b86e435ba63996fec5141aba4cd8f0b00
SHA512 9c7db8305738ac6bc563e3e0c83761615975539cddc09e6d57bd7bc23a4c6f0046102744d141d854f92b6f99c7cd0a3a0a9c5bee771f5d8c0a99e11c6cb14abe

memory/2264-23-0x000000013F9F0000-0x000000013FD44000-memory.dmp

memory/1704-25-0x0000000002410000-0x0000000002764000-memory.dmp

memory/1704-17-0x000000013F590000-0x000000013F8E4000-memory.dmp

memory/2652-26-0x000000013FA40000-0x000000013FD94000-memory.dmp

memory/2528-27-0x000000013FF60000-0x00000001402B4000-memory.dmp

C:\Windows\system\gSNiadX.exe

MD5 703619a00a6a7030c0788b330aa62ba6
SHA1 9c135489067277cf0f2981d481d050468e34d85d
SHA256 151606723dd707396d842cf999429b6c9ef38907020b2ae9ea002df4368f6034
SHA512 38c725237aba7add2d535d5e11cc858b07cadaf7af9514b29454e4ce9e6b518822af76ea4b03ab2a3456acfe75b7ce235fc47ed16de25370724d1e4b1cf9036b

memory/2584-38-0x000000013F300000-0x000000013F654000-memory.dmp

C:\Windows\system\MQSRhlc.exe

MD5 13c48bdbec9bb28d68f618bdfae6e162
SHA1 93a1e761e3ea93ed3cc1958ea0cc61813b71c6ff
SHA256 a08dd86019a0cdb94602b4cbad0b3a9f10b13deadb6d2e7fd164bc4a951232dc
SHA512 72a56e9286c01aa2f37e1947844045e7a96b12ebcf5bccd6661028d8ff23f8c98d87bbf780fa13fed04c78bc4ed47d4d13431a301e03f90abcc477dc4084b869

C:\Windows\system\QOZysll.exe

MD5 72df18a48fbf6afdc8626b50dfcaef30
SHA1 b0b992b2abc23b04fd0279fe44726b9e720462bf
SHA256 0687a25b78398e928e63f64ee20acb281f2bc6bcad3bbec015715520a42d63d2
SHA512 2eede05f208c0ca04ca181c84b86af39d2f690e45d6a6192225f2330767d34f7b7dd1ba821d883c5a0a90cba1a3e915566a70d4edc6a53de4ce8bd7467fca647

C:\Windows\system\dNWZLQR.exe

MD5 3845bedea022eda06b36564c0d4d2ce2
SHA1 944ee8e46a2f5d21e935a87058b8c0790f46a03d
SHA256 695dac841efe00c1e1bff31d85047c403d438770d50bb5a82ed69f05ed69ba2b
SHA512 c490bb97c69dc2b149f9400fda3e0bcef0de4276fa73970e64dd4028e3b228a8211d262d497a568b4598a45e5efcca8012261736659cd6417f86708ede607509

C:\Windows\system\jitrMRq.exe

MD5 ff62dd306a1bd0301a78a7023fa25163
SHA1 d5c720e8e8fba9699cc180be3b579ed3d71fb274
SHA256 724a6445e366a940162700f3f7732b79a83a5b9fc9f687df75ca06c66d64149c
SHA512 a2a8430dfc84d759c68eef8998060355503092de6bcbb7e5a131a875fea2c63b163fc7652ea6388e705771c247f7f2453e08634c325b14f8b99256e08fb8899e

\Windows\system\QxAriwK.exe

MD5 b26e20e0a43d9b25a40c053fdfa6544f
SHA1 9bdf1a0f4dc9fd4d3b23a9a5b6aa6a6dac7a4722
SHA256 4349ea039e42c48b2affaf511727b5e08068c3d396434424267c1cde7e6fca41
SHA512 257656adde2b4f28f0a9e124b0709982641c15a828a89f4129d02173ee85ef3f612d8a5b21410bcb8c37bf6510e4678ec84c2a577471f57543410bf23a7b263c

memory/2448-101-0x000000013F3A0000-0x000000013F6F4000-memory.dmp

\Windows\system\XVTwTzt.exe

MD5 56c16071d227591219c621c73057992f
SHA1 0b125cc64351ff533baa3976b8dabd5b4f9acb73
SHA256 9a1a995e66d286b3f0aa462fc61e9ac07d2167c443d954c87460b32e8129e80a
SHA512 faf1cf417b3428820175d22c77e762b28cd0c8451e451f857a7a716fce7121fe86cc48349a275889f8ff8cc9ee9f3f746e16118f969547274dec6567ceece665

memory/1704-92-0x0000000002410000-0x0000000002764000-memory.dmp

\Windows\system\bMysjWt.exe

MD5 45eeb6a1253f9db8a9b9e84956862bd8
SHA1 3484e0d59bccd82a0571180b9ab9d39ae4f16282
SHA256 96e3ac302c6f8aa7740694e33ef1d38cee6d959a513c4430378660bbfacc7200
SHA512 0096adc6b332bb1871393dcb15e8ef09bd16046063143d68b61fc9e012e5a5f65d2c029f84c0af7659e17d1669c4eb44dbb1cb8e117216aeec95e7031f887501

memory/532-79-0x000000013F240000-0x000000013F594000-memory.dmp

memory/1704-77-0x000000013F790000-0x000000013FAE4000-memory.dmp

memory/2420-67-0x000000013FBD0000-0x000000013FF24000-memory.dmp

memory/1704-54-0x0000000002410000-0x0000000002764000-memory.dmp

C:\Windows\system\AlDAJfD.exe

MD5 308c2da785288e2d7b63f6c2f6443307
SHA1 fd32e18ce58e72dd0bb90b850381abffd6db12e2
SHA256 cfeebe4351f09372b3a180a6c26e00415f59f1c22b5288efb4fb299a4bfed86f
SHA512 00ec30fa7eb532fd6208ed3ad142043d194fc9aa474763977f0f3e89743b115afb182674ed5c327366a5c2555a5d9f4c0af84e85ff98f9d1712d6266589633a0

C:\Windows\system\efgveUD.exe

MD5 1505ff001f7872e00a987b4fb67f3dc2
SHA1 ff2dd72e3a08164fa66a9260b36863a63df89fcb
SHA256 e518ae590b84b6985a73fd188540c2e3a78a4ed614ea4a4425051da79bf6b933
SHA512 f8f5dacc977192d8399c4ea5ca56e557517a7805abd7e75853f9f7911aabf137599797ec26338eb4e6dd4d1ff335257b5882da7ae5304e6e7183bbf5cfcf8a74

\Windows\system\AJCNVcz.exe

MD5 3503ecfa2572f368eb7b38cb854bd071
SHA1 db264c09a3ce4ff20e7ec011569572c5c605530a
SHA256 145381ea9d8033760e56709d3f1e7443f1f381962deb30a384aa13716ef3a603
SHA512 a130e208374ccf7f077c1db6df9028c854e1155bb6d7cf198bbde274cf215ae536150d0fcf9b66936ca8a61e3f77b038d0c716d2c16481fd727f82614b71ca5c

memory/1704-118-0x0000000002410000-0x0000000002764000-memory.dmp

memory/1704-117-0x000000013F4A0000-0x000000013F7F4000-memory.dmp

memory/2468-116-0x000000013F730000-0x000000013FA84000-memory.dmp

memory/1704-115-0x0000000002410000-0x0000000002764000-memory.dmp

memory/1956-114-0x000000013FCA0000-0x000000013FFF4000-memory.dmp

C:\Windows\system\PhPWjqI.exe

MD5 7ecbef52eabead9450d532cbde805c71
SHA1 523786acf228f1b157d0c1af038d89584c9e9be3
SHA256 14531445e20e5da02e24289fcddf08f47c62d232938b99f656f85bd4ccbe84ab
SHA512 fdd7a3b6d4425de843071b94382d8feef2552e75ede57749538cceb0890ad497457015d69ee403d5561ead9043f347d6b4827b4a59b49e84e85c6f2baf4f0495

memory/1704-106-0x000000013F1F0000-0x000000013F544000-memory.dmp

memory/1704-105-0x000000013F240000-0x000000013F594000-memory.dmp

C:\Windows\system\oilJlUI.exe

MD5 4d32222696effb95d6d21102b91864cd
SHA1 74f7437f3772162f9041eb09ee50985031c92d98
SHA256 d2ced64b106cc5563082146eb0b861ffea7ffe64e38057bb05a3bd08187d226e
SHA512 c8ef116c66aa035dbbedc9ee02ec50ffa085100be1299244d1f2281a025f7220b4d4eaaef15786a689dd896d44767ef5b0d97d994c4d50611fa077fd0aace159

memory/1704-94-0x000000013F630000-0x000000013F984000-memory.dmp

memory/1704-88-0x000000013F730000-0x000000013FA84000-memory.dmp

C:\Windows\system\RMFYHAv.exe

MD5 1034d610f4f433727d955cd0cd1491ad
SHA1 d707d5228d1263ab1cbcebaa0222494bf2c449e4
SHA256 f0f2e31749611ae794da6976e5bdb6ed525cffce067609439218a2accee66bfc
SHA512 eff4e8f8aed7b616b4f188ebcffe41aa12b0e7e4d773bfe2eb5037bc9b9404d0207d8ec0c551f35518c4893b8f8acafd239e6534105b2068b506edea417a636b

C:\Windows\system\cXfOOHV.exe

MD5 ab3468985890aec886680110a3b2fc2e
SHA1 b74f5e9a76baea9adde7e8c3e6da79e9b9f9b2be
SHA256 62a6d4f4e53724e3e89df2890becd9644071121f0a834e044512e97ad9a2e639
SHA512 78d03fd0cbdba91992f463dfabe3e8632e26f00c245fcdae9052b7f8e56f7168c95b0b4798d43f832a44293ad46861d6dc628a704c18bcb42ef7091244c3e460

memory/1704-81-0x000000013F060000-0x000000013F3B4000-memory.dmp

memory/2944-73-0x000000013F630000-0x000000013F984000-memory.dmp

C:\Windows\system\iwZnwka.exe

MD5 e6794ed851b267afd1712fdf7e729e0c
SHA1 325a996eb2050d8a5b44d4763d3116ebfd0db88d
SHA256 cab36c48b61951f1128b29c4561913846c125b5b6c69ced9ca6005f1bbb82e0a
SHA512 0a5eff8171e37ce988e2a3b426154b811537cdead261eb72b9e718c0526b34c074299e01f9b5be14a749fc7cea7728ad3e46b8249a0f2d64911389188cd7a530

memory/2464-59-0x000000013F060000-0x000000013F3B4000-memory.dmp

C:\Windows\system\JpqaDVj.exe

MD5 8567dbbd5676d3964a006e165efa825f
SHA1 959fc9ed48db4aa275e4c3ed1843134314d3e5ac
SHA256 14f07777deb44a3ce3ed2466e148dcf3f4ba1fb3a9a9d52257bce8adf930833e
SHA512 811574d76bc1e32f06dc4fa7fa009d177c8724639806739ee6df54100f1541dbe7194824b20294e3a6cd07e6916ffaae23bc70bbc64ec57c847c4f156470e38d

memory/1704-34-0x000000013F300000-0x000000013F654000-memory.dmp

memory/1704-29-0x0000000002410000-0x0000000002764000-memory.dmp

memory/2032-28-0x000000013F590000-0x000000013F8E4000-memory.dmp

memory/1704-134-0x000000013FC10000-0x000000013FF64000-memory.dmp

C:\Windows\system\ZzEhdAk.exe

MD5 faf0263a2de49d475683c100c8cbf0e4
SHA1 3878642ff67c6317c1758e6927e9b7454794cdee
SHA256 750651b12c51ea5812f226ac10f8758ee9859f0847934056d87e5e7c1f6d49aa
SHA512 848db99798bc0536217ac8e392ac46a9ffb1eebdf4df979ab5197f76a74a7817dde05560eab7e691d784f2bb94cc2401a2903114e9c50f795c1a87d2452bf97f

memory/2584-135-0x000000013F300000-0x000000013F654000-memory.dmp

memory/2464-136-0x000000013F060000-0x000000013F3B4000-memory.dmp

memory/2420-137-0x000000013FBD0000-0x000000013FF24000-memory.dmp

memory/2032-138-0x000000013F590000-0x000000013F8E4000-memory.dmp

memory/2264-139-0x000000013F9F0000-0x000000013FD44000-memory.dmp

memory/2652-140-0x000000013FA40000-0x000000013FD94000-memory.dmp

memory/2528-141-0x000000013FF60000-0x00000001402B4000-memory.dmp

memory/2584-142-0x000000013F300000-0x000000013F654000-memory.dmp

memory/2944-145-0x000000013F630000-0x000000013F984000-memory.dmp

memory/2420-144-0x000000013FBD0000-0x000000013FF24000-memory.dmp

memory/2464-143-0x000000013F060000-0x000000013F3B4000-memory.dmp

memory/2448-146-0x000000013F3A0000-0x000000013F6F4000-memory.dmp

memory/532-147-0x000000013F240000-0x000000013F594000-memory.dmp

memory/1956-148-0x000000013FCA0000-0x000000013FFF4000-memory.dmp

memory/2468-149-0x000000013F730000-0x000000013FA84000-memory.dmp