Malware Analysis Report

2025-01-22 19:33

Sample ID 240601-s5v5cafh3x
Target 2024-06-01_9e36cf0081e9dd28f30a4dbcf3774d33_cobalt-strike_cobaltstrike
SHA256 fdce2eda06cba3d141cc12371c3cdc9129bb861ef58b07f9d393a4e690787116
Tags
cobaltstrike xmrig 0 backdoor miner trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

fdce2eda06cba3d141cc12371c3cdc9129bb861ef58b07f9d393a4e690787116

Threat Level: Known bad

The file 2024-06-01_9e36cf0081e9dd28f30a4dbcf3774d33_cobalt-strike_cobaltstrike was found to be: Known bad.

Malicious Activity Summary

cobaltstrike xmrig 0 backdoor miner trojan upx

UPX dump on OEP (original entry point)

Cobaltstrike

xmrig

Xmrig family

Cobalt Strike reflective loader

Detects Reflective DLL injection artifacts

XMRig Miner payload

Cobaltstrike family

Loads dropped DLL

Executes dropped EXE

UPX packed file

Drops file in Windows directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-01 15:43

Signatures

Cobalt Strike reflective loader

Cobaltstrike family

cobaltstrike

Detects Reflective DLL injection artifacts

UPX dump on OEP (original entry point)

XMRig Miner payload

miner

Xmrig family

xmrig

UPX packed file

upx

Unsigned PE

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-01 15:43

Reported

2024-06-01 15:45

Platform

win10v2004-20240508-en

Max time kernel

146s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-01_9e36cf0081e9dd28f30a4dbcf3774d33_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

UPX dump on OEP (original entry point)

XMRig Miner payload

miner

UPX packed file

upx

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\qOXpwic.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_9e36cf0081e9dd28f30a4dbcf3774d33_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\xYRiwyx.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_9e36cf0081e9dd28f30a4dbcf3774d33_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\AxNYslH.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_9e36cf0081e9dd28f30a4dbcf3774d33_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\shOZywh.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_9e36cf0081e9dd28f30a4dbcf3774d33_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ZbeOASX.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_9e36cf0081e9dd28f30a4dbcf3774d33_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\dbiHPvK.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_9e36cf0081e9dd28f30a4dbcf3774d33_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\DEAuyLa.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_9e36cf0081e9dd28f30a4dbcf3774d33_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\tuJtjaw.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_9e36cf0081e9dd28f30a4dbcf3774d33_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ugyxqcV.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_9e36cf0081e9dd28f30a4dbcf3774d33_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\yasJEoz.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_9e36cf0081e9dd28f30a4dbcf3774d33_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\onlvaeY.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_9e36cf0081e9dd28f30a4dbcf3774d33_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\NAOVlwZ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_9e36cf0081e9dd28f30a4dbcf3774d33_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\qkDdZFN.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_9e36cf0081e9dd28f30a4dbcf3774d33_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\BCXDqQs.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_9e36cf0081e9dd28f30a4dbcf3774d33_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\lhsUacM.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_9e36cf0081e9dd28f30a4dbcf3774d33_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\geUeyPB.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_9e36cf0081e9dd28f30a4dbcf3774d33_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\KtYqUtq.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_9e36cf0081e9dd28f30a4dbcf3774d33_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\kXmjQih.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_9e36cf0081e9dd28f30a4dbcf3774d33_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\EcPgtfC.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_9e36cf0081e9dd28f30a4dbcf3774d33_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\zJTvZmE.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_9e36cf0081e9dd28f30a4dbcf3774d33_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ZpXYIih.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_9e36cf0081e9dd28f30a4dbcf3774d33_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_9e36cf0081e9dd28f30a4dbcf3774d33_cobalt-strike_cobaltstrike.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_9e36cf0081e9dd28f30a4dbcf3774d33_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5072 wrote to memory of 636 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_9e36cf0081e9dd28f30a4dbcf3774d33_cobalt-strike_cobaltstrike.exe C:\Windows\System\qOXpwic.exe
PID 5072 wrote to memory of 636 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_9e36cf0081e9dd28f30a4dbcf3774d33_cobalt-strike_cobaltstrike.exe C:\Windows\System\qOXpwic.exe
PID 5072 wrote to memory of 1128 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_9e36cf0081e9dd28f30a4dbcf3774d33_cobalt-strike_cobaltstrike.exe C:\Windows\System\NAOVlwZ.exe
PID 5072 wrote to memory of 1128 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_9e36cf0081e9dd28f30a4dbcf3774d33_cobalt-strike_cobaltstrike.exe C:\Windows\System\NAOVlwZ.exe
PID 5072 wrote to memory of 4668 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_9e36cf0081e9dd28f30a4dbcf3774d33_cobalt-strike_cobaltstrike.exe C:\Windows\System\xYRiwyx.exe
PID 5072 wrote to memory of 4668 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_9e36cf0081e9dd28f30a4dbcf3774d33_cobalt-strike_cobaltstrike.exe C:\Windows\System\xYRiwyx.exe
PID 5072 wrote to memory of 2152 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_9e36cf0081e9dd28f30a4dbcf3774d33_cobalt-strike_cobaltstrike.exe C:\Windows\System\qkDdZFN.exe
PID 5072 wrote to memory of 2152 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_9e36cf0081e9dd28f30a4dbcf3774d33_cobalt-strike_cobaltstrike.exe C:\Windows\System\qkDdZFN.exe
PID 5072 wrote to memory of 2528 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_9e36cf0081e9dd28f30a4dbcf3774d33_cobalt-strike_cobaltstrike.exe C:\Windows\System\BCXDqQs.exe
PID 5072 wrote to memory of 2528 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_9e36cf0081e9dd28f30a4dbcf3774d33_cobalt-strike_cobaltstrike.exe C:\Windows\System\BCXDqQs.exe
PID 5072 wrote to memory of 4232 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_9e36cf0081e9dd28f30a4dbcf3774d33_cobalt-strike_cobaltstrike.exe C:\Windows\System\lhsUacM.exe
PID 5072 wrote to memory of 4232 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_9e36cf0081e9dd28f30a4dbcf3774d33_cobalt-strike_cobaltstrike.exe C:\Windows\System\lhsUacM.exe
PID 5072 wrote to memory of 32 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_9e36cf0081e9dd28f30a4dbcf3774d33_cobalt-strike_cobaltstrike.exe C:\Windows\System\geUeyPB.exe
PID 5072 wrote to memory of 32 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_9e36cf0081e9dd28f30a4dbcf3774d33_cobalt-strike_cobaltstrike.exe C:\Windows\System\geUeyPB.exe
PID 5072 wrote to memory of 548 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_9e36cf0081e9dd28f30a4dbcf3774d33_cobalt-strike_cobaltstrike.exe C:\Windows\System\AxNYslH.exe
PID 5072 wrote to memory of 548 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_9e36cf0081e9dd28f30a4dbcf3774d33_cobalt-strike_cobaltstrike.exe C:\Windows\System\AxNYslH.exe
PID 5072 wrote to memory of 4124 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_9e36cf0081e9dd28f30a4dbcf3774d33_cobalt-strike_cobaltstrike.exe C:\Windows\System\KtYqUtq.exe
PID 5072 wrote to memory of 4124 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_9e36cf0081e9dd28f30a4dbcf3774d33_cobalt-strike_cobaltstrike.exe C:\Windows\System\KtYqUtq.exe
PID 5072 wrote to memory of 2500 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_9e36cf0081e9dd28f30a4dbcf3774d33_cobalt-strike_cobaltstrike.exe C:\Windows\System\kXmjQih.exe
PID 5072 wrote to memory of 2500 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_9e36cf0081e9dd28f30a4dbcf3774d33_cobalt-strike_cobaltstrike.exe C:\Windows\System\kXmjQih.exe
PID 5072 wrote to memory of 1976 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_9e36cf0081e9dd28f30a4dbcf3774d33_cobalt-strike_cobaltstrike.exe C:\Windows\System\shOZywh.exe
PID 5072 wrote to memory of 1976 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_9e36cf0081e9dd28f30a4dbcf3774d33_cobalt-strike_cobaltstrike.exe C:\Windows\System\shOZywh.exe
PID 5072 wrote to memory of 704 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_9e36cf0081e9dd28f30a4dbcf3774d33_cobalt-strike_cobaltstrike.exe C:\Windows\System\tuJtjaw.exe
PID 5072 wrote to memory of 704 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_9e36cf0081e9dd28f30a4dbcf3774d33_cobalt-strike_cobaltstrike.exe C:\Windows\System\tuJtjaw.exe
PID 5072 wrote to memory of 3476 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_9e36cf0081e9dd28f30a4dbcf3774d33_cobalt-strike_cobaltstrike.exe C:\Windows\System\ugyxqcV.exe
PID 5072 wrote to memory of 3476 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_9e36cf0081e9dd28f30a4dbcf3774d33_cobalt-strike_cobaltstrike.exe C:\Windows\System\ugyxqcV.exe
PID 5072 wrote to memory of 1892 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_9e36cf0081e9dd28f30a4dbcf3774d33_cobalt-strike_cobaltstrike.exe C:\Windows\System\EcPgtfC.exe
PID 5072 wrote to memory of 1892 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_9e36cf0081e9dd28f30a4dbcf3774d33_cobalt-strike_cobaltstrike.exe C:\Windows\System\EcPgtfC.exe
PID 5072 wrote to memory of 2984 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_9e36cf0081e9dd28f30a4dbcf3774d33_cobalt-strike_cobaltstrike.exe C:\Windows\System\ZbeOASX.exe
PID 5072 wrote to memory of 2984 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_9e36cf0081e9dd28f30a4dbcf3774d33_cobalt-strike_cobaltstrike.exe C:\Windows\System\ZbeOASX.exe
PID 5072 wrote to memory of 1072 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_9e36cf0081e9dd28f30a4dbcf3774d33_cobalt-strike_cobaltstrike.exe C:\Windows\System\dbiHPvK.exe
PID 5072 wrote to memory of 1072 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_9e36cf0081e9dd28f30a4dbcf3774d33_cobalt-strike_cobaltstrike.exe C:\Windows\System\dbiHPvK.exe
PID 5072 wrote to memory of 4480 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_9e36cf0081e9dd28f30a4dbcf3774d33_cobalt-strike_cobaltstrike.exe C:\Windows\System\zJTvZmE.exe
PID 5072 wrote to memory of 4480 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_9e36cf0081e9dd28f30a4dbcf3774d33_cobalt-strike_cobaltstrike.exe C:\Windows\System\zJTvZmE.exe
PID 5072 wrote to memory of 3532 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_9e36cf0081e9dd28f30a4dbcf3774d33_cobalt-strike_cobaltstrike.exe C:\Windows\System\DEAuyLa.exe
PID 5072 wrote to memory of 3532 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_9e36cf0081e9dd28f30a4dbcf3774d33_cobalt-strike_cobaltstrike.exe C:\Windows\System\DEAuyLa.exe
PID 5072 wrote to memory of 3800 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_9e36cf0081e9dd28f30a4dbcf3774d33_cobalt-strike_cobaltstrike.exe C:\Windows\System\yasJEoz.exe
PID 5072 wrote to memory of 3800 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_9e36cf0081e9dd28f30a4dbcf3774d33_cobalt-strike_cobaltstrike.exe C:\Windows\System\yasJEoz.exe
PID 5072 wrote to memory of 1088 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_9e36cf0081e9dd28f30a4dbcf3774d33_cobalt-strike_cobaltstrike.exe C:\Windows\System\ZpXYIih.exe
PID 5072 wrote to memory of 1088 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_9e36cf0081e9dd28f30a4dbcf3774d33_cobalt-strike_cobaltstrike.exe C:\Windows\System\ZpXYIih.exe
PID 5072 wrote to memory of 1744 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_9e36cf0081e9dd28f30a4dbcf3774d33_cobalt-strike_cobaltstrike.exe C:\Windows\System\onlvaeY.exe
PID 5072 wrote to memory of 1744 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_9e36cf0081e9dd28f30a4dbcf3774d33_cobalt-strike_cobaltstrike.exe C:\Windows\System\onlvaeY.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-01_9e36cf0081e9dd28f30a4dbcf3774d33_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-01_9e36cf0081e9dd28f30a4dbcf3774d33_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\qOXpwic.exe

C:\Windows\System\qOXpwic.exe

C:\Windows\System\NAOVlwZ.exe

C:\Windows\System\NAOVlwZ.exe

C:\Windows\System\xYRiwyx.exe

C:\Windows\System\xYRiwyx.exe

C:\Windows\System\qkDdZFN.exe

C:\Windows\System\qkDdZFN.exe

C:\Windows\System\BCXDqQs.exe

C:\Windows\System\BCXDqQs.exe

C:\Windows\System\lhsUacM.exe

C:\Windows\System\lhsUacM.exe

C:\Windows\System\geUeyPB.exe

C:\Windows\System\geUeyPB.exe

C:\Windows\System\AxNYslH.exe

C:\Windows\System\AxNYslH.exe

C:\Windows\System\KtYqUtq.exe

C:\Windows\System\KtYqUtq.exe

C:\Windows\System\kXmjQih.exe

C:\Windows\System\kXmjQih.exe

C:\Windows\System\shOZywh.exe

C:\Windows\System\shOZywh.exe

C:\Windows\System\tuJtjaw.exe

C:\Windows\System\tuJtjaw.exe

C:\Windows\System\ugyxqcV.exe

C:\Windows\System\ugyxqcV.exe

C:\Windows\System\EcPgtfC.exe

C:\Windows\System\EcPgtfC.exe

C:\Windows\System\ZbeOASX.exe

C:\Windows\System\ZbeOASX.exe

C:\Windows\System\dbiHPvK.exe

C:\Windows\System\dbiHPvK.exe

C:\Windows\System\zJTvZmE.exe

C:\Windows\System\zJTvZmE.exe

C:\Windows\System\DEAuyLa.exe

C:\Windows\System\DEAuyLa.exe

C:\Windows\System\yasJEoz.exe

C:\Windows\System\yasJEoz.exe

C:\Windows\System\ZpXYIih.exe

C:\Windows\System\ZpXYIih.exe

C:\Windows\System\onlvaeY.exe

C:\Windows\System\onlvaeY.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 98.56.20.217.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 100.58.20.217.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 80.90.14.23.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp

Files

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-01 15:43

Reported

2024-06-01 15:45

Platform

win7-20240220-en

Max time kernel

138s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-01_9e36cf0081e9dd28f30a4dbcf3774d33_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

UPX dump on OEP (original entry point)

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_9e36cf0081e9dd28f30a4dbcf3774d33_cobalt-strike_cobaltstrike.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\KtYqUtq.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_9e36cf0081e9dd28f30a4dbcf3774d33_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ZbeOASX.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_9e36cf0081e9dd28f30a4dbcf3774d33_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\yasJEoz.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_9e36cf0081e9dd28f30a4dbcf3774d33_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\onlvaeY.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_9e36cf0081e9dd28f30a4dbcf3774d33_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\xYRiwyx.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_9e36cf0081e9dd28f30a4dbcf3774d33_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\qkDdZFN.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_9e36cf0081e9dd28f30a4dbcf3774d33_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\lhsUacM.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_9e36cf0081e9dd28f30a4dbcf3774d33_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\AxNYslH.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_9e36cf0081e9dd28f30a4dbcf3774d33_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\EcPgtfC.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_9e36cf0081e9dd28f30a4dbcf3774d33_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\qOXpwic.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_9e36cf0081e9dd28f30a4dbcf3774d33_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\geUeyPB.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_9e36cf0081e9dd28f30a4dbcf3774d33_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\tuJtjaw.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_9e36cf0081e9dd28f30a4dbcf3774d33_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ugyxqcV.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_9e36cf0081e9dd28f30a4dbcf3774d33_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ZpXYIih.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_9e36cf0081e9dd28f30a4dbcf3774d33_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\NAOVlwZ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_9e36cf0081e9dd28f30a4dbcf3774d33_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\BCXDqQs.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_9e36cf0081e9dd28f30a4dbcf3774d33_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\kXmjQih.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_9e36cf0081e9dd28f30a4dbcf3774d33_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\shOZywh.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_9e36cf0081e9dd28f30a4dbcf3774d33_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\dbiHPvK.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_9e36cf0081e9dd28f30a4dbcf3774d33_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\zJTvZmE.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_9e36cf0081e9dd28f30a4dbcf3774d33_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\DEAuyLa.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_9e36cf0081e9dd28f30a4dbcf3774d33_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_9e36cf0081e9dd28f30a4dbcf3774d33_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 840 wrote to memory of 1996 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_9e36cf0081e9dd28f30a4dbcf3774d33_cobalt-strike_cobaltstrike.exe C:\Windows\System\qOXpwic.exe
PID 840 wrote to memory of 1796 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_9e36cf0081e9dd28f30a4dbcf3774d33_cobalt-strike_cobaltstrike.exe C:\Windows\System\NAOVlwZ.exe
PID 840 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_9e36cf0081e9dd28f30a4dbcf3774d33_cobalt-strike_cobaltstrike.exe C:\Windows\System\xYRiwyx.exe
PID 840 wrote to memory of 2060 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_9e36cf0081e9dd28f30a4dbcf3774d33_cobalt-strike_cobaltstrike.exe C:\Windows\System\qkDdZFN.exe
PID 840 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_9e36cf0081e9dd28f30a4dbcf3774d33_cobalt-strike_cobaltstrike.exe C:\Windows\System\BCXDqQs.exe
PID 840 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_9e36cf0081e9dd28f30a4dbcf3774d33_cobalt-strike_cobaltstrike.exe C:\Windows\System\lhsUacM.exe
PID 840 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_9e36cf0081e9dd28f30a4dbcf3774d33_cobalt-strike_cobaltstrike.exe C:\Windows\System\geUeyPB.exe
PID 840 wrote to memory of 2736 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_9e36cf0081e9dd28f30a4dbcf3774d33_cobalt-strike_cobaltstrike.exe C:\Windows\System\AxNYslH.exe
PID 840 wrote to memory of 2552 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_9e36cf0081e9dd28f30a4dbcf3774d33_cobalt-strike_cobaltstrike.exe C:\Windows\System\KtYqUtq.exe
PID 840 wrote to memory of 2400 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_9e36cf0081e9dd28f30a4dbcf3774d33_cobalt-strike_cobaltstrike.exe C:\Windows\System\kXmjQih.exe
PID 840 wrote to memory of 808 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_9e36cf0081e9dd28f30a4dbcf3774d33_cobalt-strike_cobaltstrike.exe C:\Windows\System\shOZywh.exe
PID 840 wrote to memory of 2372 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_9e36cf0081e9dd28f30a4dbcf3774d33_cobalt-strike_cobaltstrike.exe C:\Windows\System\tuJtjaw.exe
PID 840 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_9e36cf0081e9dd28f30a4dbcf3774d33_cobalt-strike_cobaltstrike.exe C:\Windows\System\ugyxqcV.exe
PID 840 wrote to memory of 1920 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_9e36cf0081e9dd28f30a4dbcf3774d33_cobalt-strike_cobaltstrike.exe C:\Windows\System\EcPgtfC.exe
PID 840 wrote to memory of 1652 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_9e36cf0081e9dd28f30a4dbcf3774d33_cobalt-strike_cobaltstrike.exe C:\Windows\System\ZbeOASX.exe
PID 840 wrote to memory of 1944 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_9e36cf0081e9dd28f30a4dbcf3774d33_cobalt-strike_cobaltstrike.exe C:\Windows\System\dbiHPvK.exe
PID 840 wrote to memory of 1020 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_9e36cf0081e9dd28f30a4dbcf3774d33_cobalt-strike_cobaltstrike.exe C:\Windows\System\zJTvZmE.exe
PID 840 wrote to memory of 2308 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_9e36cf0081e9dd28f30a4dbcf3774d33_cobalt-strike_cobaltstrike.exe C:\Windows\System\DEAuyLa.exe
PID 840 wrote to memory of 2116 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_9e36cf0081e9dd28f30a4dbcf3774d33_cobalt-strike_cobaltstrike.exe C:\Windows\System\yasJEoz.exe
PID 840 wrote to memory of 1636 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_9e36cf0081e9dd28f30a4dbcf3774d33_cobalt-strike_cobaltstrike.exe C:\Windows\System\ZpXYIih.exe
PID 840 wrote to memory of 2296 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_9e36cf0081e9dd28f30a4dbcf3774d33_cobalt-strike_cobaltstrike.exe C:\Windows\System\onlvaeY.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-01_9e36cf0081e9dd28f30a4dbcf3774d33_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-01_9e36cf0081e9dd28f30a4dbcf3774d33_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\qOXpwic.exe

C:\Windows\System\NAOVlwZ.exe

C:\Windows\System\xYRiwyx.exe

C:\Windows\System\qkDdZFN.exe

C:\Windows\System\BCXDqQs.exe

C:\Windows\System\lhsUacM.exe

C:\Windows\System\geUeyPB.exe

C:\Windows\System\AxNYslH.exe

C:\Windows\System\KtYqUtq.exe

C:\Windows\System\kXmjQih.exe

C:\Windows\System\shOZywh.exe

C:\Windows\System\tuJtjaw.exe

C:\Windows\System\ugyxqcV.exe

C:\Windows\System\EcPgtfC.exe

C:\Windows\System\ZbeOASX.exe

C:\Windows\System\dbiHPvK.exe

C:\Windows\System\zJTvZmE.exe

C:\Windows\System\DEAuyLa.exe

C:\Windows\System\yasJEoz.exe

C:\Windows\System\ZpXYIih.exe

C:\Windows\System\onlvaeY.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 tcp

Files
