Malware Analysis Report

2025-01-22 19:46

Sample ID 240601-r5njtseh7v
Target 2024-06-01_e36a16f737e7910ae80f38ad6338b45f_cobalt-strike_cobaltstrike
SHA256 4d0fe077997c8d1c5babdf821a0a6a231d5616ae0c7a600960575f2dae940f30
Tags
cobaltstrike xmrig 0 backdoor miner trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

4d0fe077997c8d1c5babdf821a0a6a231d5616ae0c7a600960575f2dae940f30

Threat Level: Known bad

The file 2024-06-01_e36a16f737e7910ae80f38ad6338b45f_cobalt-strike_cobaltstrike was found to be: Known bad.

Malicious Activity Summary

cobaltstrike xmrig 0 backdoor miner trojan upx

xmrig

UPX dump on OEP (original entry point)

XMRig Miner payload

Detects Reflective DLL injection artifacts

Cobalt Strike reflective loader

Cobaltstrike family

Xmrig family

Cobaltstrike

XMRig Miner payload

Detects Reflective DLL injection artifacts

UPX dump on OEP (original entry point)

Loads dropped DLL

Executes dropped EXE

UPX packed file

Drops file in Windows directory

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-01 14:46

Signatures

Cobalt Strike reflective loader

Cobaltstrike family

cobaltstrike

Detects Reflective DLL injection artifacts

UPX dump on OEP (original entry point)

XMRig Miner payload

miner

Xmrig family

xmrig

UPX packed file

upx

Unsigned PE

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-01 14:46

Reported

2024-06-01 14:49

Platform

win10v2004-20240508-en

Max time kernel

146s

Max time network

157s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-01_e36a16f737e7910ae80f38ad6338b45f_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

UPX dump on OEP (original entry point)

XMRig Miner payload

miner

UPX packed file

upx

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\YyNsFuS.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_e36a16f737e7910ae80f38ad6338b45f_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\pRYdzJU.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_e36a16f737e7910ae80f38ad6338b45f_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\KeIylgm.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_e36a16f737e7910ae80f38ad6338b45f_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\POsRmvq.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_e36a16f737e7910ae80f38ad6338b45f_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\gaYClVa.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_e36a16f737e7910ae80f38ad6338b45f_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\dgKmKYs.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_e36a16f737e7910ae80f38ad6338b45f_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\WcpOSdX.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_e36a16f737e7910ae80f38ad6338b45f_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\GQxGCAQ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_e36a16f737e7910ae80f38ad6338b45f_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\jQGsgBy.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_e36a16f737e7910ae80f38ad6338b45f_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\szlgMxj.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_e36a16f737e7910ae80f38ad6338b45f_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\WOdNksf.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_e36a16f737e7910ae80f38ad6338b45f_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\hLdQWto.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_e36a16f737e7910ae80f38ad6338b45f_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\UmKNpKA.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_e36a16f737e7910ae80f38ad6338b45f_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\DkBPadJ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_e36a16f737e7910ae80f38ad6338b45f_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\DJUqaSs.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_e36a16f737e7910ae80f38ad6338b45f_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\rjjPMGs.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_e36a16f737e7910ae80f38ad6338b45f_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ipKhOxz.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_e36a16f737e7910ae80f38ad6338b45f_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\blFAiRZ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_e36a16f737e7910ae80f38ad6338b45f_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\svHkTaV.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_e36a16f737e7910ae80f38ad6338b45f_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\hvKvGyd.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_e36a16f737e7910ae80f38ad6338b45f_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\QzbTEwD.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_e36a16f737e7910ae80f38ad6338b45f_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_e36a16f737e7910ae80f38ad6338b45f_cobalt-strike_cobaltstrike.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_e36a16f737e7910ae80f38ad6338b45f_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4100 wrote to memory of 4312 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_e36a16f737e7910ae80f38ad6338b45f_cobalt-strike_cobaltstrike.exe C:\Windows\System\GQxGCAQ.exe
PID 4100 wrote to memory of 4312 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_e36a16f737e7910ae80f38ad6338b45f_cobalt-strike_cobaltstrike.exe C:\Windows\System\GQxGCAQ.exe
PID 4100 wrote to memory of 5112 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_e36a16f737e7910ae80f38ad6338b45f_cobalt-strike_cobaltstrike.exe C:\Windows\System\ipKhOxz.exe
PID 4100 wrote to memory of 5112 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_e36a16f737e7910ae80f38ad6338b45f_cobalt-strike_cobaltstrike.exe C:\Windows\System\ipKhOxz.exe
PID 4100 wrote to memory of 4368 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_e36a16f737e7910ae80f38ad6338b45f_cobalt-strike_cobaltstrike.exe C:\Windows\System\jQGsgBy.exe
PID 4100 wrote to memory of 4368 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_e36a16f737e7910ae80f38ad6338b45f_cobalt-strike_cobaltstrike.exe C:\Windows\System\jQGsgBy.exe
PID 4100 wrote to memory of 3188 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_e36a16f737e7910ae80f38ad6338b45f_cobalt-strike_cobaltstrike.exe C:\Windows\System\blFAiRZ.exe
PID 4100 wrote to memory of 3188 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_e36a16f737e7910ae80f38ad6338b45f_cobalt-strike_cobaltstrike.exe C:\Windows\System\blFAiRZ.exe
PID 4100 wrote to memory of 2968 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_e36a16f737e7910ae80f38ad6338b45f_cobalt-strike_cobaltstrike.exe C:\Windows\System\svHkTaV.exe
PID 4100 wrote to memory of 2968 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_e36a16f737e7910ae80f38ad6338b45f_cobalt-strike_cobaltstrike.exe C:\Windows\System\svHkTaV.exe
PID 4100 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_e36a16f737e7910ae80f38ad6338b45f_cobalt-strike_cobaltstrike.exe C:\Windows\System\pRYdzJU.exe
PID 4100 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_e36a16f737e7910ae80f38ad6338b45f_cobalt-strike_cobaltstrike.exe C:\Windows\System\pRYdzJU.exe
PID 4100 wrote to memory of 1688 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_e36a16f737e7910ae80f38ad6338b45f_cobalt-strike_cobaltstrike.exe C:\Windows\System\KeIylgm.exe
PID 4100 wrote to memory of 1688 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_e36a16f737e7910ae80f38ad6338b45f_cobalt-strike_cobaltstrike.exe C:\Windows\System\KeIylgm.exe
PID 4100 wrote to memory of 2184 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_e36a16f737e7910ae80f38ad6338b45f_cobalt-strike_cobaltstrike.exe C:\Windows\System\UmKNpKA.exe
PID 4100 wrote to memory of 2184 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_e36a16f737e7910ae80f38ad6338b45f_cobalt-strike_cobaltstrike.exe C:\Windows\System\UmKNpKA.exe
PID 4100 wrote to memory of 3756 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_e36a16f737e7910ae80f38ad6338b45f_cobalt-strike_cobaltstrike.exe C:\Windows\System\POsRmvq.exe
PID 4100 wrote to memory of 3756 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_e36a16f737e7910ae80f38ad6338b45f_cobalt-strike_cobaltstrike.exe C:\Windows\System\POsRmvq.exe
PID 4100 wrote to memory of 948 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_e36a16f737e7910ae80f38ad6338b45f_cobalt-strike_cobaltstrike.exe C:\Windows\System\szlgMxj.exe
PID 4100 wrote to memory of 948 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_e36a16f737e7910ae80f38ad6338b45f_cobalt-strike_cobaltstrike.exe C:\Windows\System\szlgMxj.exe
PID 4100 wrote to memory of 4524 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_e36a16f737e7910ae80f38ad6338b45f_cobalt-strike_cobaltstrike.exe C:\Windows\System\gaYClVa.exe
PID 4100 wrote to memory of 4524 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_e36a16f737e7910ae80f38ad6338b45f_cobalt-strike_cobaltstrike.exe C:\Windows\System\gaYClVa.exe
PID 4100 wrote to memory of 4624 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_e36a16f737e7910ae80f38ad6338b45f_cobalt-strike_cobaltstrike.exe C:\Windows\System\hvKvGyd.exe
PID 4100 wrote to memory of 4624 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_e36a16f737e7910ae80f38ad6338b45f_cobalt-strike_cobaltstrike.exe C:\Windows\System\hvKvGyd.exe
PID 4100 wrote to memory of 2020 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_e36a16f737e7910ae80f38ad6338b45f_cobalt-strike_cobaltstrike.exe C:\Windows\System\WOdNksf.exe
PID 4100 wrote to memory of 2020 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_e36a16f737e7910ae80f38ad6338b45f_cobalt-strike_cobaltstrike.exe C:\Windows\System\WOdNksf.exe
PID 4100 wrote to memory of 4940 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_e36a16f737e7910ae80f38ad6338b45f_cobalt-strike_cobaltstrike.exe C:\Windows\System\DkBPadJ.exe
PID 4100 wrote to memory of 4940 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_e36a16f737e7910ae80f38ad6338b45f_cobalt-strike_cobaltstrike.exe C:\Windows\System\DkBPadJ.exe
PID 4100 wrote to memory of 1556 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_e36a16f737e7910ae80f38ad6338b45f_cobalt-strike_cobaltstrike.exe C:\Windows\System\dgKmKYs.exe
PID 4100 wrote to memory of 1556 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_e36a16f737e7910ae80f38ad6338b45f_cobalt-strike_cobaltstrike.exe C:\Windows\System\dgKmKYs.exe
PID 4100 wrote to memory of 4972 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_e36a16f737e7910ae80f38ad6338b45f_cobalt-strike_cobaltstrike.exe C:\Windows\System\hLdQWto.exe
PID 4100 wrote to memory of 4972 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_e36a16f737e7910ae80f38ad6338b45f_cobalt-strike_cobaltstrike.exe C:\Windows\System\hLdQWto.exe
PID 4100 wrote to memory of 1724 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_e36a16f737e7910ae80f38ad6338b45f_cobalt-strike_cobaltstrike.exe C:\Windows\System\DJUqaSs.exe
PID 4100 wrote to memory of 1724 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_e36a16f737e7910ae80f38ad6338b45f_cobalt-strike_cobaltstrike.exe C:\Windows\System\DJUqaSs.exe
PID 4100 wrote to memory of 2984 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_e36a16f737e7910ae80f38ad6338b45f_cobalt-strike_cobaltstrike.exe C:\Windows\System\YyNsFuS.exe
PID 4100 wrote to memory of 2984 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_e36a16f737e7910ae80f38ad6338b45f_cobalt-strike_cobaltstrike.exe C:\Windows\System\YyNsFuS.exe
PID 4100 wrote to memory of 3516 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_e36a16f737e7910ae80f38ad6338b45f_cobalt-strike_cobaltstrike.exe C:\Windows\System\QzbTEwD.exe
PID 4100 wrote to memory of 3516 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_e36a16f737e7910ae80f38ad6338b45f_cobalt-strike_cobaltstrike.exe C:\Windows\System\QzbTEwD.exe
PID 4100 wrote to memory of 3576 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_e36a16f737e7910ae80f38ad6338b45f_cobalt-strike_cobaltstrike.exe C:\Windows\System\rjjPMGs.exe
PID 4100 wrote to memory of 3576 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_e36a16f737e7910ae80f38ad6338b45f_cobalt-strike_cobaltstrike.exe C:\Windows\System\rjjPMGs.exe
PID 4100 wrote to memory of 3792 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_e36a16f737e7910ae80f38ad6338b45f_cobalt-strike_cobaltstrike.exe C:\Windows\System\WcpOSdX.exe
PID 4100 wrote to memory of 3792 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_e36a16f737e7910ae80f38ad6338b45f_cobalt-strike_cobaltstrike.exe C:\Windows\System\WcpOSdX.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-01_e36a16f737e7910ae80f38ad6338b45f_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-01_e36a16f737e7910ae80f38ad6338b45f_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\GQxGCAQ.exe

C:\Windows\System\GQxGCAQ.exe

C:\Windows\System\ipKhOxz.exe

C:\Windows\System\ipKhOxz.exe

C:\Windows\System\jQGsgBy.exe

C:\Windows\System\jQGsgBy.exe

C:\Windows\System\blFAiRZ.exe

C:\Windows\System\blFAiRZ.exe

C:\Windows\System\svHkTaV.exe

C:\Windows\System\svHkTaV.exe

C:\Windows\System\pRYdzJU.exe

C:\Windows\System\pRYdzJU.exe

C:\Windows\System\KeIylgm.exe

C:\Windows\System\KeIylgm.exe

C:\Windows\System\UmKNpKA.exe

C:\Windows\System\UmKNpKA.exe

C:\Windows\System\POsRmvq.exe

C:\Windows\System\POsRmvq.exe

C:\Windows\System\szlgMxj.exe

C:\Windows\System\szlgMxj.exe

C:\Windows\System\gaYClVa.exe

C:\Windows\System\gaYClVa.exe

C:\Windows\System\hvKvGyd.exe

C:\Windows\System\hvKvGyd.exe

C:\Windows\System\WOdNksf.exe

C:\Windows\System\WOdNksf.exe

C:\Windows\System\DkBPadJ.exe

C:\Windows\System\DkBPadJ.exe

C:\Windows\System\dgKmKYs.exe

C:\Windows\System\dgKmKYs.exe

C:\Windows\System\hLdQWto.exe

C:\Windows\System\hLdQWto.exe

C:\Windows\System\DJUqaSs.exe

C:\Windows\System\DJUqaSs.exe

C:\Windows\System\YyNsFuS.exe

C:\Windows\System\YyNsFuS.exe

C:\Windows\System\QzbTEwD.exe

C:\Windows\System\QzbTEwD.exe

C:\Windows\System\rjjPMGs.exe

C:\Windows\System\rjjPMGs.exe

C:\Windows\System\WcpOSdX.exe

C:\Windows\System\WcpOSdX.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 25.24.18.2.in-addr.arpa udp
US 8.8.8.8:53 4.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp

Files

C:\Windows\System\GQxGCAQ.exe

MD5 7e369b8d2b8185867d2156b239ecccea
SHA1 034625d1e2c572f0496b70468aa27d546402d3ef
SHA256 98e5ea3e7435d5c7134e8242268d595d0f8b713a13d7cc855bca754d90f7b1b5
SHA512 a7e053f0095c1b8672656c315cd410cf70b52f1faab43035b77f0d07b51feab15b0e07105f1cab096d9be462d030d2274656f2f6832b4988abf29cc6ab278826

C:\Windows\System\jQGsgBy.exe

MD5 eea506da6f4f58df8527234cacd615fc
SHA1 a23adb1558e49d0c368521968d5a33bc35684bf5
SHA256 0ee6e393a6ac1a18c180e68354c8be7f58d602506e7763d5067f8bca28f2a3e2
SHA512 88ffea7bf47c9a3ada0f39e42671c609729db2346831cfc0a20fa39f61d89ec2703678413bf9e70b7d519c121c0695bb9a950cb38194a2f9bc8eeca9f36e9a56

C:\Windows\System\ipKhOxz.exe

MD5 811b745be83ac839a8c1a8bfd9f159bf
SHA1 4f3d7380131507ecbdee55b964b1bb4bb233783d
SHA256 54723f0c1f774acbf83801411ffa9ea69c3c7abea82d0ea5178901aababe3960
SHA512 47df4673e648b6179d4bc8c054f65562ccc1e2a499cd9d9f7ebbb671233c97764dab1a3da413d69dfc1474121c7088bc7eb27a7fbead2c49a9bcd30e7e3d899d

C:\Windows\System\blFAiRZ.exe

MD5 acfecbf1d1d6845174abc28621395f60
SHA1 63613144944596d542b8ee0f338a656d384ac827
SHA256 74bd59c17a7bbf2f6be26b7f64eb6291a9946521d84aa0af1c7c457d7b546312
SHA512 71bc991a0a4e61689bb797a98a25ccc5f6d7f7e81ad88ff90edb2bb1cc6b2853cc13de8b73742d2ff9bf96892530d0c6ce97292600a5a67ba8a4010115479a61

C:\Windows\System\svHkTaV.exe

MD5 eb27a21fa5255aedde82e81f9d14d279
SHA1 39da2c219aec47f0d83b97b368afa1968026baf5
SHA256 617c24c24f0aed96a86fa72d817f9f6b6c36a4a39a790d214932a5d580b12137
SHA512 183f16b7e5c427754c26b1f3b0f54bcd98afbee16d0850df0d6bb894e681b0bc440e2c4e9898cc14c3a23f9552b646f611b9463098ac9539120f0a2e00e321dc

C:\Windows\System\pRYdzJU.exe

MD5 b7c8fa84a6af8cb6b25a939c6f2d7eb8
SHA1 c0c2bf5469c3650903d0b13223e6fe47045644ce
SHA256 bbdd094df340a42e74453bb200a96c692ce05bf0c41b2ab99a59289607ab1d0e
SHA512 2d59e19d94f7b393bf5b6f6bcd35c6543b668488f63b0578d8bd7d3f21b8bc4d9791278b6f117030c869484076ed09eb4b40c42744d5f9eeeeb3400c1b33613d

C:\Windows\System\KeIylgm.exe

MD5 92e81316b77e9221209540c6b24db5ff
SHA1 9e9882acd9dd4975ee3b276740aada37c7b9751d
SHA256 42176d74b6d7d954133c1800c9842a7ed18e3821375e9b7a2aa86e4e769a27c5
SHA512 0b93eb1c52f1a3a16e300200ed4b591449e06b6c5febc13f1363a1bd86b59c5ffdd116d6264015586acbec3dbfa361b4fb7aa0436308784bdd6e8ebaaa48157b

C:\Windows\System\UmKNpKA.exe

MD5 aefe43f865ff46d8ab43d4b91cec7b31
SHA1 d641d54db834e6b565dd81a6182b181e3f2e7968
SHA256 5bc63052f848cdad60a03926aef9750612aff860249c5abbafb5e956912eaf4b
SHA512 d43da00eda33889cd210f765efc5dc83236e8621d596a96206bdcab6f7fb5f0742e7994c6527359fc247cbd8aab4fc0910c5b804f05704b2ca406913cdffb2f8

C:\Windows\System\POsRmvq.exe

MD5 797d32724958453e2e6befc90bf7e9c9
SHA1 427711899251755f7a9f32982696cc1d5f5614d7
SHA256 ff4f0c29ccea0f34e3c54ee7b5a4508c14a950c7949a5c68a162165d2773739d
SHA512 6616e9bc8dd93c5b069e5c6c048846914ce47b8ed7292813c0afce8f25b3353bfc697880c959444b00d7414ba6c28c8419b99d77853d1672dcc0b60cd2381f05

C:\Windows\System\szlgMxj.exe

MD5 3e654088c1ebcbf56c647e36df16d995
SHA1 db3cc12d567aa286583c6197bc29277c7148aa32
SHA256 758d6990112c066298e667391e14532a3b2827c2771bff4565011fc19260d9e5
SHA512 fe9854e28a9ca6d809eae016b34f178242e7954c2167cc36c93bfc86dc698a634f5e17c12c13c604538f91737f2ff4485425fcc9548f768dc8f07e306bdcef84

C:\Windows\System\gaYClVa.exe

MD5 e831516941392a1b53c9a6725ec8911a
SHA1 a5fa05144be10fcf109c1f4f86409ac57da2a9fc
SHA256 24189a728eea80376de5f2c6f7bf0ce873aadfd38754722513c31cd78cf21877
SHA512 8c9547b208a563396cc48260a97b1fdd26b97f506a09d261e17e742f5f70896f8919a8983bf9ca1434fdf8a3ae6ec8112f0f89d76718f93f91f077897661fdf6

C:\Windows\System\hvKvGyd.exe

MD5 7d7f7b7073949ea16c0add0b02657b22
SHA1 2ac1e7c5d7f1cbc4d9f5b87ec80604aae216366d
SHA256 407c2242f6b968eddfb6fa1a0156d3c46b31a972711cee5e94713df30c95ed11
SHA512 b10f5072c2f24265e5ada721f05d39f7b51ecd17fa93c86147365151f4666c6c8a4ccf8717735f5c19e3c32a165efadbe789ca52dd630d840c2b633390bd3b3c

C:\Windows\System\WOdNksf.exe

MD5 224191d2e3ca5f159a226484a7d1f1ba
SHA1 6b7d76feae259c586cfd8cf0fb2cee9202a8b91e
SHA256 cff9e73679ed46e198ac517eb60c57553af84f9679de80813aec3e8b5d219ea9
SHA512 8da8e3ae2f9e655a4917d8f5529ede983d580761fc593f62989083aec21c146b2ce6ebab277001e17721663c5b651ed51e6571d42c9a8f784d7510068e921f33

C:\Windows\System\DkBPadJ.exe

MD5 d022b56b891454d663b5223e4b18442a
SHA1 843ac87a5236af7169a42f3a2fad8b97f0464d98
SHA256 d26a84eee28142bf02cbb4ae798c82cd94abc575484ccc827028b35588de77ba
SHA512 8e3ee8a3e3a513c0774be4c3245c7b9decab1d2052b27cf46da45cb81b76f2246964150033043046dda4fcd5808107fa158ebb5313c88ccde898df29e47cba5c

C:\Windows\System\dgKmKYs.exe

MD5 e947d0853edbf6f033d525f42ea90e40
SHA1 aa77ee75ba08501118148d90ab4b80a0474f0690
SHA256 d8bb7fa33891c8a3609160bb9ee5d447ef23146765ca1fe730a77da083de0998
SHA512 e5101bb8570b62972cafd228c9cb812c81764ea476fd213b7e5ae3f9d25216a174d29846552f1cd58ff50fde60650bf0d86d7e689c4c3fceadc8e9c74bf06a75

C:\Windows\System\hLdQWto.exe

MD5 3f80b823954e33aebd639208a12b90cc
SHA1 c821ad72b79b9c0564663d31e9ac300f90e749e5
SHA256 c8320af00c3406811797c2596fd4a70967366b0395d7287dae37106528424aa8
SHA512 2751ac00f72b87b35a3d4e58b072100bc77e26ee41a5c01c2c62209e15ab729871d2a2db63608c961d238dbc6417a0c4473bd3bc747ac8b4cd8415fa7a1298a6

C:\Windows\System\DJUqaSs.exe

MD5 55cf32d2586d23e59674814e1a4ff930
SHA1 b037a6b9f436f1736aa0b22fd1b7a8b5824374ec
SHA256 288a39850e11141cdece3fcd90970b79751908ef423999eb46c0ca42d69c7118
SHA512 d72e9a4120bd10a0854fa5889a043f67211a2469548fed69a4886f312e8fc11ced37d8b6d4eb75d6c1f928bc4eac82ff224ed6672f10aa828738e3fd0c634ec8

C:\Windows\System\YyNsFuS.exe

MD5 94964f8705957ece09cbbe5c7c61dcff
SHA1 0bbed891e4ce22397081c5f6a0cd47f0f04325ce
SHA256 8ca172ef14700cf83ae5f274674b77c379de88e8f15d53327ee71a3a4726e767
SHA512 bb37f3305655894b1901885426bf7e69b4049e99feb0732a1ad3645b83548a02ddef2554787787eb56192922daa502e8bfb53f93cf59ff9a61983d47344da20e

C:\Windows\System\rjjPMGs.exe

MD5 6d617771e903315567441789465faa8a
SHA1 bfdaa6689079a7402103f7beeb66921411b669fc
SHA256 e85d8992b9a00d393306909bff4fd7b9ec55cf3ccf4c4980d253003ebe2ac38c
SHA512 c7b13d54035d798b4a0a1da3f3f6897b0b780d1ac3306e03d96cca34b1485e7ed15c9f14f550fdad099939b42c315c068c7129102154b5235167a509b1eada97

C:\Windows\System\QzbTEwD.exe

MD5 ec7732169381578be83657bda8c1e851
SHA1 e9a696009e58dc8fcbfb1a697b1d51eab63a3fc2
SHA256 24bf40c5abbd8222f050b6be1b310eac2bcaa32d4ff610045501f06cdfc4492e
SHA512 9e2206a901ab96105210e3703222858393bd935305ca64658e49f9fc4eed103326a5c7c95bdb3403115ae9e638f83be76708dfa27de9f4e0fa761153f119f411

C:\Windows\System\WcpOSdX.exe

MD5 d6c48139dff072dc9fa8a5c6d4e7bcae
SHA1 cbcf8955509cefbd2e24abffd99ac9928c5feaef
SHA256 475c4677eb1b3e47367094aefd451efdefe5c4608b364e506cf67a9b9483f786
SHA512 93d08c54c71ac2f5f69c59f3d13f5e8de15a96e209707705388d2b5188e6151b1124472d157105450f4ff9b3c8327ad5f2f2cdf9ba4241b546a69f3913173712

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-01 14:46

Reported

2024-06-01 14:49

Platform

win7-20240508-en

Max time kernel

145s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-01_e36a16f737e7910ae80f38ad6338b45f_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

UPX dump on OEP (original entry point)

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_e36a16f737e7910ae80f38ad6338b45f_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_e36a16f737e7910ae80f38ad6338b45f_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_e36a16f737e7910ae80f38ad6338b45f_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_e36a16f737e7910ae80f38ad6338b45f_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_e36a16f737e7910ae80f38ad6338b45f_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_e36a16f737e7910ae80f38ad6338b45f_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_e36a16f737e7910ae80f38ad6338b45f_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_e36a16f737e7910ae80f38ad6338b45f_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_e36a16f737e7910ae80f38ad6338b45f_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_e36a16f737e7910ae80f38ad6338b45f_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_e36a16f737e7910ae80f38ad6338b45f_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_e36a16f737e7910ae80f38ad6338b45f_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_e36a16f737e7910ae80f38ad6338b45f_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_e36a16f737e7910ae80f38ad6338b45f_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_e36a16f737e7910ae80f38ad6338b45f_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_e36a16f737e7910ae80f38ad6338b45f_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_e36a16f737e7910ae80f38ad6338b45f_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_e36a16f737e7910ae80f38ad6338b45f_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_e36a16f737e7910ae80f38ad6338b45f_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_e36a16f737e7910ae80f38ad6338b45f_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_e36a16f737e7910ae80f38ad6338b45f_cobalt-strike_cobaltstrike.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\tLkVpYx.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_e36a16f737e7910ae80f38ad6338b45f_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\JsizMJs.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_e36a16f737e7910ae80f38ad6338b45f_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\pcoaSif.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_e36a16f737e7910ae80f38ad6338b45f_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\VjOIbbp.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_e36a16f737e7910ae80f38ad6338b45f_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\bPVekkP.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_e36a16f737e7910ae80f38ad6338b45f_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\jlofsdR.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_e36a16f737e7910ae80f38ad6338b45f_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\TwDSyaY.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_e36a16f737e7910ae80f38ad6338b45f_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\RfSLppm.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_e36a16f737e7910ae80f38ad6338b45f_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\qoQgNJZ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_e36a16f737e7910ae80f38ad6338b45f_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\IwqiuNP.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_e36a16f737e7910ae80f38ad6338b45f_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\xYyPsYS.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_e36a16f737e7910ae80f38ad6338b45f_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\CVmZoMt.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_e36a16f737e7910ae80f38ad6338b45f_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\bikTaYq.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_e36a16f737e7910ae80f38ad6338b45f_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\YXAJIcK.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_e36a16f737e7910ae80f38ad6338b45f_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\OdWfzNt.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_e36a16f737e7910ae80f38ad6338b45f_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\lQtZuPi.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_e36a16f737e7910ae80f38ad6338b45f_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\hFcIIUp.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_e36a16f737e7910ae80f38ad6338b45f_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\lQEbjyJ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_e36a16f737e7910ae80f38ad6338b45f_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\XdskhYU.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_e36a16f737e7910ae80f38ad6338b45f_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\cWwOrXG.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_e36a16f737e7910ae80f38ad6338b45f_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\BvULLqZ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_e36a16f737e7910ae80f38ad6338b45f_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_e36a16f737e7910ae80f38ad6338b45f_cobalt-strike_cobaltstrike.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_e36a16f737e7910ae80f38ad6338b45f_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2424 wrote to memory of 2416 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_e36a16f737e7910ae80f38ad6338b45f_cobalt-strike_cobaltstrike.exe C:\Windows\System\jlofsdR.exe
PID 2424 wrote to memory of 2416 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_e36a16f737e7910ae80f38ad6338b45f_cobalt-strike_cobaltstrike.exe C:\Windows\System\jlofsdR.exe
PID 2424 wrote to memory of 2416 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_e36a16f737e7910ae80f38ad6338b45f_cobalt-strike_cobaltstrike.exe C:\Windows\System\jlofsdR.exe
PID 2424 wrote to memory of 2920 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_e36a16f737e7910ae80f38ad6338b45f_cobalt-strike_cobaltstrike.exe C:\Windows\System\TwDSyaY.exe
PID 2424 wrote to memory of 2920 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_e36a16f737e7910ae80f38ad6338b45f_cobalt-strike_cobaltstrike.exe C:\Windows\System\TwDSyaY.exe
PID 2424 wrote to memory of 2920 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_e36a16f737e7910ae80f38ad6338b45f_cobalt-strike_cobaltstrike.exe C:\Windows\System\TwDSyaY.exe
PID 2424 wrote to memory of 2280 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_e36a16f737e7910ae80f38ad6338b45f_cobalt-strike_cobaltstrike.exe C:\Windows\System\XdskhYU.exe
PID 2424 wrote to memory of 2280 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_e36a16f737e7910ae80f38ad6338b45f_cobalt-strike_cobaltstrike.exe C:\Windows\System\XdskhYU.exe
PID 2424 wrote to memory of 2280 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_e36a16f737e7910ae80f38ad6338b45f_cobalt-strike_cobaltstrike.exe C:\Windows\System\XdskhYU.exe
PID 2424 wrote to memory of 2076 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_e36a16f737e7910ae80f38ad6338b45f_cobalt-strike_cobaltstrike.exe C:\Windows\System\cWwOrXG.exe
PID 2424 wrote to memory of 2076 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_e36a16f737e7910ae80f38ad6338b45f_cobalt-strike_cobaltstrike.exe C:\Windows\System\cWwOrXG.exe
PID 2424 wrote to memory of 2076 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_e36a16f737e7910ae80f38ad6338b45f_cobalt-strike_cobaltstrike.exe C:\Windows\System\cWwOrXG.exe
PID 2424 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_e36a16f737e7910ae80f38ad6338b45f_cobalt-strike_cobaltstrike.exe C:\Windows\System\bikTaYq.exe
PID 2424 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_e36a16f737e7910ae80f38ad6338b45f_cobalt-strike_cobaltstrike.exe C:\Windows\System\bikTaYq.exe
PID 2424 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_e36a16f737e7910ae80f38ad6338b45f_cobalt-strike_cobaltstrike.exe C:\Windows\System\bikTaYq.exe
PID 2424 wrote to memory of 2624 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_e36a16f737e7910ae80f38ad6338b45f_cobalt-strike_cobaltstrike.exe C:\Windows\System\RfSLppm.exe
PID 2424 wrote to memory of 2624 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_e36a16f737e7910ae80f38ad6338b45f_cobalt-strike_cobaltstrike.exe C:\Windows\System\RfSLppm.exe
PID 2424 wrote to memory of 2624 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_e36a16f737e7910ae80f38ad6338b45f_cobalt-strike_cobaltstrike.exe C:\Windows\System\RfSLppm.exe
PID 2424 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_e36a16f737e7910ae80f38ad6338b45f_cobalt-strike_cobaltstrike.exe C:\Windows\System\tLkVpYx.exe
PID 2424 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_e36a16f737e7910ae80f38ad6338b45f_cobalt-strike_cobaltstrike.exe C:\Windows\System\tLkVpYx.exe
PID 2424 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_e36a16f737e7910ae80f38ad6338b45f_cobalt-strike_cobaltstrike.exe C:\Windows\System\tLkVpYx.exe
PID 2424 wrote to memory of 2856 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_e36a16f737e7910ae80f38ad6338b45f_cobalt-strike_cobaltstrike.exe C:\Windows\System\lQtZuPi.exe
PID 2424 wrote to memory of 2856 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_e36a16f737e7910ae80f38ad6338b45f_cobalt-strike_cobaltstrike.exe C:\Windows\System\lQtZuPi.exe
PID 2424 wrote to memory of 2856 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_e36a16f737e7910ae80f38ad6338b45f_cobalt-strike_cobaltstrike.exe C:\Windows\System\lQtZuPi.exe
PID 2424 wrote to memory of 2660 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_e36a16f737e7910ae80f38ad6338b45f_cobalt-strike_cobaltstrike.exe C:\Windows\System\JsizMJs.exe
PID 2424 wrote to memory of 2660 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_e36a16f737e7910ae80f38ad6338b45f_cobalt-strike_cobaltstrike.exe C:\Windows\System\JsizMJs.exe
PID 2424 wrote to memory of 2660 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_e36a16f737e7910ae80f38ad6338b45f_cobalt-strike_cobaltstrike.exe C:\Windows\System\JsizMJs.exe
PID 2424 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_e36a16f737e7910ae80f38ad6338b45f_cobalt-strike_cobaltstrike.exe C:\Windows\System\hFcIIUp.exe
PID 2424 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_e36a16f737e7910ae80f38ad6338b45f_cobalt-strike_cobaltstrike.exe C:\Windows\System\hFcIIUp.exe
PID 2424 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_e36a16f737e7910ae80f38ad6338b45f_cobalt-strike_cobaltstrike.exe C:\Windows\System\hFcIIUp.exe
PID 2424 wrote to memory of 1668 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_e36a16f737e7910ae80f38ad6338b45f_cobalt-strike_cobaltstrike.exe C:\Windows\System\YXAJIcK.exe
PID 2424 wrote to memory of 1668 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_e36a16f737e7910ae80f38ad6338b45f_cobalt-strike_cobaltstrike.exe C:\Windows\System\YXAJIcK.exe
PID 2424 wrote to memory of 1668 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_e36a16f737e7910ae80f38ad6338b45f_cobalt-strike_cobaltstrike.exe C:\Windows\System\YXAJIcK.exe
PID 2424 wrote to memory of 3032 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_e36a16f737e7910ae80f38ad6338b45f_cobalt-strike_cobaltstrike.exe C:\Windows\System\pcoaSif.exe
PID 2424 wrote to memory of 3032 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_e36a16f737e7910ae80f38ad6338b45f_cobalt-strike_cobaltstrike.exe C:\Windows\System\pcoaSif.exe
PID 2424 wrote to memory of 3032 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_e36a16f737e7910ae80f38ad6338b45f_cobalt-strike_cobaltstrike.exe C:\Windows\System\pcoaSif.exe
PID 2424 wrote to memory of 1824 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_e36a16f737e7910ae80f38ad6338b45f_cobalt-strike_cobaltstrike.exe C:\Windows\System\lQEbjyJ.exe
PID 2424 wrote to memory of 1824 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_e36a16f737e7910ae80f38ad6338b45f_cobalt-strike_cobaltstrike.exe C:\Windows\System\lQEbjyJ.exe
PID 2424 wrote to memory of 1824 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_e36a16f737e7910ae80f38ad6338b45f_cobalt-strike_cobaltstrike.exe C:\Windows\System\lQEbjyJ.exe
PID 2424 wrote to memory of 2584 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_e36a16f737e7910ae80f38ad6338b45f_cobalt-strike_cobaltstrike.exe C:\Windows\System\VjOIbbp.exe
PID 2424 wrote to memory of 2584 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_e36a16f737e7910ae80f38ad6338b45f_cobalt-strike_cobaltstrike.exe C:\Windows\System\VjOIbbp.exe
PID 2424 wrote to memory of 2584 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_e36a16f737e7910ae80f38ad6338b45f_cobalt-strike_cobaltstrike.exe C:\Windows\System\VjOIbbp.exe
PID 2424 wrote to memory of 2852 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_e36a16f737e7910ae80f38ad6338b45f_cobalt-strike_cobaltstrike.exe C:\Windows\System\BvULLqZ.exe
PID 2424 wrote to memory of 2852 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_e36a16f737e7910ae80f38ad6338b45f_cobalt-strike_cobaltstrike.exe C:\Windows\System\BvULLqZ.exe
PID 2424 wrote to memory of 2852 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_e36a16f737e7910ae80f38ad6338b45f_cobalt-strike_cobaltstrike.exe C:\Windows\System\BvULLqZ.exe
PID 2424 wrote to memory of 2896 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_e36a16f737e7910ae80f38ad6338b45f_cobalt-strike_cobaltstrike.exe C:\Windows\System\OdWfzNt.exe
PID 2424 wrote to memory of 2896 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_e36a16f737e7910ae80f38ad6338b45f_cobalt-strike_cobaltstrike.exe C:\Windows\System\OdWfzNt.exe
PID 2424 wrote to memory of 2896 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_e36a16f737e7910ae80f38ad6338b45f_cobalt-strike_cobaltstrike.exe C:\Windows\System\OdWfzNt.exe
PID 2424 wrote to memory of 2908 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_e36a16f737e7910ae80f38ad6338b45f_cobalt-strike_cobaltstrike.exe C:\Windows\System\qoQgNJZ.exe
PID 2424 wrote to memory of 2908 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_e36a16f737e7910ae80f38ad6338b45f_cobalt-strike_cobaltstrike.exe C:\Windows\System\qoQgNJZ.exe
PID 2424 wrote to memory of 2908 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_e36a16f737e7910ae80f38ad6338b45f_cobalt-strike_cobaltstrike.exe C:\Windows\System\qoQgNJZ.exe
PID 2424 wrote to memory of 2212 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_e36a16f737e7910ae80f38ad6338b45f_cobalt-strike_cobaltstrike.exe C:\Windows\System\bPVekkP.exe
PID 2424 wrote to memory of 2212 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_e36a16f737e7910ae80f38ad6338b45f_cobalt-strike_cobaltstrike.exe C:\Windows\System\bPVekkP.exe
PID 2424 wrote to memory of 2212 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_e36a16f737e7910ae80f38ad6338b45f_cobalt-strike_cobaltstrike.exe C:\Windows\System\bPVekkP.exe
PID 2424 wrote to memory of 900 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_e36a16f737e7910ae80f38ad6338b45f_cobalt-strike_cobaltstrike.exe C:\Windows\System\IwqiuNP.exe
PID 2424 wrote to memory of 900 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_e36a16f737e7910ae80f38ad6338b45f_cobalt-strike_cobaltstrike.exe C:\Windows\System\IwqiuNP.exe
PID 2424 wrote to memory of 900 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_e36a16f737e7910ae80f38ad6338b45f_cobalt-strike_cobaltstrike.exe C:\Windows\System\IwqiuNP.exe
PID 2424 wrote to memory of 1552 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_e36a16f737e7910ae80f38ad6338b45f_cobalt-strike_cobaltstrike.exe C:\Windows\System\xYyPsYS.exe
PID 2424 wrote to memory of 1552 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_e36a16f737e7910ae80f38ad6338b45f_cobalt-strike_cobaltstrike.exe C:\Windows\System\xYyPsYS.exe
PID 2424 wrote to memory of 1552 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_e36a16f737e7910ae80f38ad6338b45f_cobalt-strike_cobaltstrike.exe C:\Windows\System\xYyPsYS.exe
PID 2424 wrote to memory of 2776 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_e36a16f737e7910ae80f38ad6338b45f_cobalt-strike_cobaltstrike.exe C:\Windows\System\CVmZoMt.exe
PID 2424 wrote to memory of 2776 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_e36a16f737e7910ae80f38ad6338b45f_cobalt-strike_cobaltstrike.exe C:\Windows\System\CVmZoMt.exe
PID 2424 wrote to memory of 2776 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_e36a16f737e7910ae80f38ad6338b45f_cobalt-strike_cobaltstrike.exe C:\Windows\System\CVmZoMt.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-01_e36a16f737e7910ae80f38ad6338b45f_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-01_e36a16f737e7910ae80f38ad6338b45f_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\jlofsdR.exe

C:\Windows\System\jlofsdR.exe

C:\Windows\System\TwDSyaY.exe

C:\Windows\System\TwDSyaY.exe

C:\Windows\System\XdskhYU.exe

C:\Windows\System\XdskhYU.exe

C:\Windows\System\cWwOrXG.exe

C:\Windows\System\cWwOrXG.exe

C:\Windows\System\bikTaYq.exe

C:\Windows\System\bikTaYq.exe

C:\Windows\System\RfSLppm.exe

C:\Windows\System\RfSLppm.exe

C:\Windows\System\tLkVpYx.exe

C:\Windows\System\tLkVpYx.exe

C:\Windows\System\lQtZuPi.exe

C:\Windows\System\lQtZuPi.exe

C:\Windows\System\JsizMJs.exe

C:\Windows\System\JsizMJs.exe

C:\Windows\System\hFcIIUp.exe

C:\Windows\System\hFcIIUp.exe

C:\Windows\System\YXAJIcK.exe

C:\Windows\System\YXAJIcK.exe

C:\Windows\System\pcoaSif.exe

C:\Windows\System\pcoaSif.exe

C:\Windows\System\lQEbjyJ.exe

C:\Windows\System\lQEbjyJ.exe

C:\Windows\System\VjOIbbp.exe

C:\Windows\System\VjOIbbp.exe

C:\Windows\System\BvULLqZ.exe

C:\Windows\System\BvULLqZ.exe

C:\Windows\System\OdWfzNt.exe

C:\Windows\System\OdWfzNt.exe

C:\Windows\System\qoQgNJZ.exe

C:\Windows\System\qoQgNJZ.exe

C:\Windows\System\bPVekkP.exe

C:\Windows\System\bPVekkP.exe

C:\Windows\System\IwqiuNP.exe

C:\Windows\System\IwqiuNP.exe

C:\Windows\System\xYyPsYS.exe

C:\Windows\System\xYyPsYS.exe

C:\Windows\System\CVmZoMt.exe

C:\Windows\System\CVmZoMt.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp

Files

memory/2424-0-0x000000013FAA0000-0x000000013FDF4000-memory.dmp

memory/2424-1-0x0000000000100000-0x0000000000110000-memory.dmp

C:\Windows\system\jlofsdR.exe

MD5 55c2f0c4a4c640ac66ec9d04155e90e6
SHA1 82b2d1e266ebfa8ec25278cb55ed2e35502f9989
SHA256 bd473291536239da1a98014fcde8b2e4e0a7b76871908edf6810ec32ba7aa68e
SHA512 84c334ef1a97febda4dfc0e915aa7c83c3f4821f900304ba58b58de275d951856e2f11686228deb9509cee5489abc6163094bd382f3a36039538876baf3fd4d8

memory/2424-8-0x0000000002380000-0x00000000026D4000-memory.dmp

C:\Windows\system\TwDSyaY.exe

MD5 54fb96af44dc060a1e5d026b423977c3
SHA1 4d0e6e2c06c898951639bd5c95b2205c1019c1f6
SHA256 21241c28bc13212b30931330ccd89f6e48cb7975cf16f0f383fb621e06dd5d95
SHA512 9c1236c88004e79bb7497d75dc748c8a90d0bedcd6e55e1c2f7a71b60f7029be2bd408d79cd9602d5bf359762ff4cec6bb19007de1b1b4acd9523ab07775c3e9

memory/2424-16-0x0000000002380000-0x00000000026D4000-memory.dmp

memory/2920-14-0x000000013FD50000-0x00000001400A4000-memory.dmp

C:\Windows\system\XdskhYU.exe

MD5 6ea8e2e756b922501740a9e2bf65bbd0
SHA1 d9fd9f4e497c99c25a800298d0eb310af9788979
SHA256 50dad08aee5b02b35b7e8d92471e82ca90b006590fe6546675e199cc240619a5
SHA512 9ac47455eafd4a8ce7082f8d508603db6ced5507fa13f6c9e1bfbb036be6d52705b2967ae4a172d955356d75ad58821463d5db5dab69bb6f4165b197f6e75661

memory/2280-22-0x000000013FF10000-0x0000000140264000-memory.dmp

memory/2424-21-0x000000013FF10000-0x0000000140264000-memory.dmp

C:\Windows\system\cWwOrXG.exe

MD5 18a362da92522d809e0248fe70271cbb
SHA1 b1c69cc9fb93742d7d7b7ddb65257d5b908cdb73
SHA256 61f2b307bc8e87dad2c135dad207989e6e064f1d0b259878263d37503c7dc41c
SHA512 48acdc8f3388f4c27bee1b683d9a011e0a582087872aafad17ed2f64fa539d67d1e93463882e27c35ee3440d947832290b33e55ea36b5d4b1c2c862d407bef6b

C:\Windows\system\bikTaYq.exe

MD5 3add9ac68d5b16be757a19669a6bfba7
SHA1 11cfded4c42b1cb0099326361a5cde4c91d096aa
SHA256 ef76032d12d90178e83a285d21a4c0bb9ecf30d2f88899ca28227a4149790f25
SHA512 f676a7fe8e8350a62d297d943ddd29c793e07222ad680498af865438b34b39f3224a98f7ca792fb2b9d82fa14f998cdd963ddb0218f8e9fa07aaac97a45914b6

\Windows\system\RfSLppm.exe

MD5 d17f37b013089c1de1c587d605017855
SHA1 4a266715cbc94e3f15e93ddbac1b71825a237afe
SHA256 cab08e07ef6fc1aef49f41dc08cebe5f7f55c37dc021cfc5fa8a4cce58e442a9
SHA512 1fa2fd9e80f3743432dc83e156282913a56b3b4d0c57678578ef4a2855c08ac76badbf22b34fe2b676d392f42f8f27251ddbe567e8994c44881a9b4d123d0a45

C:\Windows\system\tLkVpYx.exe

MD5 a6df9915b29b542fb940e62282b409d9
SHA1 c513677242181f34cc30f5ea3b7575f9fc55bd76
SHA256 3f10c230cd8eedc71abc21be4c531a6c6efd86c9171f1e1c671ce85906554a41
SHA512 9c379ce7737051e5b832fbd88252f2e704b388fd4f79bc46df51944fa273b7391db9990bcd5f779c4f358f081bc4dbb31fac14b19ea628ba712b19316dc5dad1

C:\Windows\system\lQtZuPi.exe

MD5 11c4fc8eda943b4f7dfb235c697b011b
SHA1 8b970d06900ec4cb8224315d1b99609aebc52900
SHA256 da754ffb56077604bad69516e206cf3e868f51af518aec7575c8b8bbb269a956
SHA512 c4328f8b3ec275f42d61ea51bace2243e1e3329e2c731e4b4fcf5df1a3a507ed5f571f204dffa02e288ea6846dab265923a370072ad457f087f9de4eb113db6e

memory/2856-58-0x000000013F730000-0x000000013FA84000-memory.dmp

memory/2492-85-0x000000013F930000-0x000000013FC84000-memory.dmp

memory/1824-92-0x000000013FEA0000-0x00000001401F4000-memory.dmp

memory/2584-98-0x000000013F980000-0x000000013FCD4000-memory.dmp

C:\Windows\system\OdWfzNt.exe

MD5 69a7df3f3b25688c86dcb266aa5a4760
SHA1 e0423761a1ed29ba9fbe30766aa1ee550061b079
SHA256 2d49311725d31b7cad23a668f810854a1a6a802aeffdcdbeccb019f10590cf2e
SHA512 75b69322cc53f3da0c363d83d6562058a6dc74a74269aac4923450fed6b11484d4412511a003a5bc8e5f7490fb4d1b11623398a872b1d513476445699575c74a

\Windows\system\xYyPsYS.exe

MD5 b1c25544cecaba42ab6833b1515824b9
SHA1 6787bc60e57be4384b9047d0d7513fb2326ea005
SHA256 a202d14ecf2652ab2a5dbd8339b1efc4b42bcb81041bb2f0eb9be5e2dce4777b
SHA512 2dcaee2e58ca3092ac700970b7b54da9a2bef22469dd666befc16d6225e593f2845a52e167ddaeea3b01d52c77701235ac9a15e0525149e84038dac57a06a9e3

C:\Windows\system\CVmZoMt.exe

MD5 17552b65d25a524ed3bfa27ca6f706c9
SHA1 ef52e2462c3455407a07287211574043df557495
SHA256 7353228881cb14bcf40fe9f37e2f686c6d737c34c90b982cc02888a8da8298ed
SHA512 fd5f1bfd2e8226b5eb2cd7ecd801c9f705ea858c1db24d226d9c21fd76a95d33e52537222ad7c873fe7623d167b82b5db1eab5a64122914e5b856a4c2ae1482f

C:\Windows\system\IwqiuNP.exe

MD5 6105cadde08cd464dda42562a693fb8e
SHA1 557b7ff33bf62a4da74cd21eb89afff07777a88a
SHA256 9c29f25cdee5438957162fdba7443455f1b261a47107a5f61745b1afc42db28e
SHA512 4be8af52fd02856ca3a3969bec041e28a822c3b07fe6693b244f2ec1a07869a66e6e37ed45315224f44b11dfab48bf5b46efb4ff8d0f352144ef5bbe2788d88c

C:\Windows\system\bPVekkP.exe

MD5 0431492a86285d06802a7c37af511eda
SHA1 9a219473ea25732623b2e2e0954738cee2ed8889
SHA256 37bcf328e8add634946d2abf7da2558306293110c3e5a3c8facccbd86bc4ce54
SHA512 82d34892007f5d51f786edaa1ece897cf17c575a0025046f05853833040bfdbdca297ea70d22eff5e43808b4d9c3dcce165956ad56d3b0be27f16183743af225

C:\Windows\system\qoQgNJZ.exe

MD5 a966b0578cd40195043149aa113799ef
SHA1 b3c627893beeb95b65176a0644c85842ec40b800
SHA256 fb8b7b9a50d7dab1e116f13148a967e42dffa5db4093bc3b9f3e227da2731e34
SHA512 3068a08d79200f088224b863ac505b0f6428fa7ca6710e54ee54fcd8201a125469fc10808955c81210441f8c1707c485f1ec222b7b3b3301dcfcab43bc45d9bf

C:\Windows\system\BvULLqZ.exe

MD5 ac93f1a8f0a8c04a0a84479cf2b535fa
SHA1 ed0cdb54ab445199a35747712384948f6d13339e
SHA256 1012a80c4a0550ed6e15c85595e8595836375f7391cdba2dc63e296e0e590b09
SHA512 23fd254cb2f723924530be0fccaece414447daf9a5490214ed1e03519718a1a43513eeaba46c2af7151bc3192486c3fa733a64a377a269dd0e93622f28823b41

memory/2424-97-0x0000000002380000-0x00000000026D4000-memory.dmp

C:\Windows\system\VjOIbbp.exe

MD5 b53637b41f3fa2fa30669d0e694532d7
SHA1 5a1ff2d6404060dd2b0dc4ce4bde0bfb7ce2f180
SHA256 3cb31021c24aa6ec8f1b99022598d762ece1c560721d08b55ab6bff4c292b1a0
SHA512 35fa75a2eab615cf0974ce4997263f82b16458295dcc6ab22b64e8ca46474e58a3e74710d373e6041433686e96759b15ec79fb1e288ec85fa579b9cf1df072be

memory/2424-91-0x000000013FEA0000-0x00000001401F4000-memory.dmp

C:\Windows\system\lQEbjyJ.exe

MD5 4b60485c228d79c887176fdc048d1616
SHA1 85474a9cbfd5541e8a5c593f9ee94a14de7d1f16
SHA256 c35ed620b2ea88dc031f890a613dd6a8caa76a8b51d9b9c786411aa3d26d3963
SHA512 31b7367f0f9913e2ff066e55faeb1f69cd0d6dbd3e72a3c779b31faf873d711ceda439b07f450b1581a7ae8d654be4e785d8eba24036fc269a48b1d4d9bff5db

memory/3032-86-0x000000013F6A0000-0x000000013F9F4000-memory.dmp

C:\Windows\system\pcoaSif.exe

MD5 916dcaf6409d704fae1bfbb740388c75
SHA1 281069f17eb0ccaad01419ce53631e75b57fe761
SHA256 96d7094d5391f5d80be86dc653a59d57c2f738f3dec58d4c0b356bad939d211f
SHA512 80948c0ca64da893cc386600b8ee10447184eb8075a0a407bfc7a42431ac69cfa7e77662541f16c0e8c10213a3c623614de68a6b7c0d29a22288c48de9f424f8

C:\Windows\system\hFcIIUp.exe

MD5 81891d73c2980f15348806ca34e509f8
SHA1 e9413e8a00adc5356fd731387209d808270eea73
SHA256 62bd6b7bfdf2d7651fcda7cf99e1ba5561a892251a860e1e3ef46a80cd46f55a
SHA512 e81dfbdda1ace927a915a6b2abfc34a0be01ddc44d14eba84e672ed297c3354bdf344ed787cecbf4e2f73b2e1391c6c87d9bdc00fa62dfe50f2ff0ff243b714f

memory/2424-82-0x000000013F6A0000-0x000000013F9F4000-memory.dmp

memory/2280-81-0x000000013FF10000-0x0000000140264000-memory.dmp

memory/1668-80-0x000000013FC20000-0x000000013FF74000-memory.dmp

memory/2660-68-0x000000013FBE0000-0x000000013FF34000-memory.dmp

memory/2424-57-0x000000013F730000-0x000000013FA84000-memory.dmp

memory/2424-76-0x0000000002380000-0x00000000026D4000-memory.dmp

memory/2424-75-0x0000000002380000-0x00000000026D4000-memory.dmp

C:\Windows\system\YXAJIcK.exe

MD5 bb9c5aec55906a529e1c9717f5581390
SHA1 b60cadc9c35825b83a2d26d2766ef7fb20e21380
SHA256 7a77c211f477e39a332c9a6b32e4394529a6a130ac96aab2b2d125ab5d4cec70
SHA512 f8724a9aaec8c56750f5931c8c9ad22359a9fb16e683e3ac350eacac72414400c8e553c3f9a26c939ec2ffb08e4144558440424805098860c00ac939af01375c

memory/2920-73-0x000000013FD50000-0x00000001400A4000-memory.dmp

memory/2424-72-0x0000000002380000-0x00000000026D4000-memory.dmp

memory/2424-64-0x000000013FAA0000-0x000000013FDF4000-memory.dmp

C:\Windows\system\JsizMJs.exe

MD5 3fc8f5e214a1916fda6aaa4469a9f628
SHA1 fe565e69c2d54465824d6091a740f429b805793b
SHA256 7ef10bf763b1b4093a5b2d966d1c9327bd70fe862c0378c14e68c69ab71df8db
SHA512 365436e9f36e7a897bcf67e47d319584f53f4881cdc629fed4197351719ec1852507645dcf59e55aaa68928bb7b5bd81ef17a86cd8c90ff962d6f5cf7919a808

memory/2808-51-0x000000013F630000-0x000000013F984000-memory.dmp

memory/2424-50-0x000000013F630000-0x000000013F984000-memory.dmp

memory/2624-44-0x000000013F850000-0x000000013FBA4000-memory.dmp

memory/2424-43-0x0000000002380000-0x00000000026D4000-memory.dmp

memory/2712-37-0x000000013F740000-0x000000013FA94000-memory.dmp

memory/2424-36-0x000000013F740000-0x000000013FA94000-memory.dmp

memory/2076-30-0x000000013FEF0000-0x0000000140244000-memory.dmp

memory/2424-26-0x000000013FEF0000-0x0000000140244000-memory.dmp

memory/2416-12-0x000000013FB90000-0x000000013FEE4000-memory.dmp

memory/1668-139-0x000000013FC20000-0x000000013FF74000-memory.dmp

memory/2424-138-0x0000000002380000-0x00000000026D4000-memory.dmp

memory/2424-140-0x000000013F6A0000-0x000000013F9F4000-memory.dmp

memory/2492-141-0x000000013F930000-0x000000013FC84000-memory.dmp

memory/3032-142-0x000000013F6A0000-0x000000013F9F4000-memory.dmp

memory/2424-143-0x000000013FEA0000-0x00000001401F4000-memory.dmp

memory/1824-144-0x000000013FEA0000-0x00000001401F4000-memory.dmp

memory/2424-145-0x0000000002380000-0x00000000026D4000-memory.dmp

memory/2584-146-0x000000013F980000-0x000000013FCD4000-memory.dmp

memory/2424-147-0x000000013F0B0000-0x000000013F404000-memory.dmp

memory/2416-148-0x000000013FB90000-0x000000013FEE4000-memory.dmp

memory/2920-149-0x000000013FD50000-0x00000001400A4000-memory.dmp

memory/2076-150-0x000000013FEF0000-0x0000000140244000-memory.dmp

memory/2280-151-0x000000013FF10000-0x0000000140264000-memory.dmp

memory/2712-152-0x000000013F740000-0x000000013FA94000-memory.dmp

memory/2624-153-0x000000013F850000-0x000000013FBA4000-memory.dmp

memory/2808-154-0x000000013F630000-0x000000013F984000-memory.dmp

memory/2856-155-0x000000013F730000-0x000000013FA84000-memory.dmp

memory/2660-156-0x000000013FBE0000-0x000000013FF34000-memory.dmp

memory/1668-158-0x000000013FC20000-0x000000013FF74000-memory.dmp

memory/1824-157-0x000000013FEA0000-0x00000001401F4000-memory.dmp

memory/3032-160-0x000000013F6A0000-0x000000013F9F4000-memory.dmp

memory/2492-159-0x000000013F930000-0x000000013FC84000-memory.dmp

memory/2584-161-0x000000013F980000-0x000000013FCD4000-memory.dmp