Malware Analysis Report

2025-01-22 19:34

Sample ID 240601-vn4fhaaa84
Target 2024-06-01_dcb4230a34199612d912db956abdd48d_cobalt-strike_cobaltstrike
SHA256 a09fca934447ed0d9adfb3dce7c09b977eea76b545693e59c8147cc02fdcf5bc
Tags
cobaltstrike xmrig 0 backdoor miner trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

a09fca934447ed0d9adfb3dce7c09b977eea76b545693e59c8147cc02fdcf5bc

Threat Level: Known bad

The file 2024-06-01_dcb4230a34199612d912db956abdd48d_cobalt-strike_cobaltstrike was found to be: Known bad.

Malicious Activity Summary

cobaltstrike xmrig 0 backdoor miner trojan upx

Cobaltstrike family

Xmrig family

Cobalt Strike reflective loader

xmrig

Cobaltstrike

UPX dump on OEP (original entry point)

Detects Reflective DLL injection artifacts

XMRig Miner payload

Executes dropped EXE

UPX packed file

Loads dropped DLL

Drops file in Windows directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-01 17:09

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike family

cobaltstrike

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Xmrig family

xmrig

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
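The static pass flags the sample as UPX packed, and the behavioural runs below dump the image at its original entry point once the UPX stub has finished unpacking. The cheapest static check for the packer is the PE section table: stock UPX names its sections UPX0/UPX1 (plus .rsrc), the first section has no raw data but a large virtual size (the decompression target), and both UPX sections are mapped writable and executable. The added example below is not part of this report and is not the sandbox's own detector; it builds two tiny constructed PE32+ header images (one with the UPX layout, one with an ordinary .text/.data layout), parses their section headers and reports those three indicators. build_pe, pe_sections and upx_indicators are names chosen for this example.

```python
import struct

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000
SECTION_FMT = "<8sIIIIIIHHI"  # IMAGE_SECTION_HEADER, 40 bytes


def build_pe(sections):
    """Build a minimal, header-only PE32+ image (not loadable) with the given
    section table. sections: list of (name, virtual_size, raw_size, characteristics).
    Constructed for this example; it is not derived from the analysed sample."""
    e_lfanew = 0x80
    dos = (b"MZ" + b"\x00" * 58 + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\x00")
    opt_size = 240  # standard PE32+ optional header size
    coff = struct.pack("<HHIIIHH", 0x8664, len(sections), 0, 0, 0, opt_size, 0x22)
    opt = struct.pack("<H", 0x20B).ljust(opt_size, b"\x00")  # PE32+ magic, rest zeroed
    table, va = b"", 0x1000
    raw_ptr = e_lfanew + 4 + len(coff) + opt_size + 40 * len(sections)
    for name, vsize, rsize, chars in sections:
        table += struct.pack(SECTION_FMT, name.encode().ljust(8, b"\x00"), vsize, va,
                             rsize, raw_ptr if rsize else 0, 0, 0, 0, 0, chars)
        va += (vsize + 0xFFF) & ~0xFFF
        raw_ptr += rsize
    return dos + b"PE\x00\x00" + coff + opt + table


def pe_sections(data):
    """Walk DOS header -> PE signature -> COFF header -> section table."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("missing PE signature")
    nsec = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    base = e_lfanew + 24 + opt_size  # signature (4) + COFF header (20) + optional header
    out = []
    for i in range(nsec):
        (name, vsize, _va, rsize, _rptr, _rel, _lin, _nrel, _nlin,
         chars) = struct.unpack_from(SECTION_FMT, data, base + 40 * i)
        out.append({"name": name.rstrip(b"\x00").decode("latin-1"),
                    "vsize": vsize, "rsize": rsize, "chars": chars})
    return out


def upx_indicators(data):
    """Three independent hints of a stock UPX layout; any one alone is weak."""
    secs = pe_sections(data)
    wx = [s["name"] for s in secs
          if s["chars"] & IMAGE_SCN_MEM_WRITE and s["chars"] & IMAGE_SCN_MEM_EXECUTE]
    return {
        "upx_section_names": any(s["name"].upper().startswith("UPX") for s in secs),
        "empty_first_section": bool(secs) and secs[0]["rsize"] == 0 and secs[0]["vsize"] > 0,
        "writable_executable": wx,
    }


# Constructed samples: the UPX-style layout and a conventional one.
UPX_PE = build_pe([("UPX0", 0x30000, 0, 0xE0000080),
                   ("UPX1", 0x10000, 0x10000, 0xE0000040),
                   (".rsrc", 0x1000, 0x1000, 0xC0000040)])
CLEAN_PE = build_pe([(".text", 0x2000, 0x2000, 0x60000020),
                     (".data", 0x1000, 0x1000, 0xC0000040)])

if __name__ == "__main__":
    for label, pe in (("upx-like", UPX_PE), ("clean", CLEAN_PE)):
        print(label, upx_indicators(pe))
```

Section names are trivially renamed by anyone who edits the UPX stub, and a repacked stub can also give UPX0 raw data, which is why the in-memory "UPX dump on OEP" signature in the behavioural runs is the more reliable of the two: it fires on the unpacked image regardless of what the on-disk headers say.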

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-01 17:09

Reported

2024-06-01 17:11

Platform

win10v2004-20240508-en

Max time kernel

146s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-01_dcb4230a34199612d912db956abdd48d_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
(21 matching rows; the indicator, process and target fields were not captured in this extract)

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
(21 matching rows; the indicator, process and target fields were not captured in this extract)

UPX dump on OEP (original entry point)

Description Indicator Process Target
(64 matching rows; the indicator, process and target fields were not captured in this extract)

XMRig Miner payload

miner
Description Indicator Process Target
(64 matching rows; the indicator, process and target fields were not captured in this extract)

UPX packed file

upx
Description Indicator Process Target
(64 matching rows; the indicator, process and target fields were not captured in this extract)

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\kswGPrY.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_dcb4230a34199612d912db956abdd48d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\EwmWNpc.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_dcb4230a34199612d912db956abdd48d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\SHBpDsT.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_dcb4230a34199612d912db956abdd48d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\xtEsFQk.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_dcb4230a34199612d912db956abdd48d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ODSlFrK.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_dcb4230a34199612d912db956abdd48d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\yarXqBo.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_dcb4230a34199612d912db956abdd48d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ReNIctR.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_dcb4230a34199612d912db956abdd48d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\IvhpLsv.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_dcb4230a34199612d912db956abdd48d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\EkEAEat.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_dcb4230a34199612d912db956abdd48d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\HFpVRTm.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_dcb4230a34199612d912db956abdd48d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\FnvzmZW.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_dcb4230a34199612d912db956abdd48d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\HXDZKRa.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_dcb4230a34199612d912db956abdd48d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\RfTeOaB.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_dcb4230a34199612d912db956abdd48d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\BpdIlWS.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_dcb4230a34199612d912db956abdd48d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\jiLeNRV.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_dcb4230a34199612d912db956abdd48d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\rNJttqv.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_dcb4230a34199612d912db956abdd48d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\SgSyKvL.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_dcb4230a34199612d912db956abdd48d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\RnKMBxP.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_dcb4230a34199612d912db956abdd48d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\HuPKthf.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_dcb4230a34199612d912db956abdd48d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ZQHyMPR.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_dcb4230a34199612d912db956abdd48d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\pHGdVcQ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_dcb4230a34199612d912db956abdd48d_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_dcb4230a34199612d912db956abdd48d_cobalt-strike_cobaltstrike.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_dcb4230a34199612d912db956abdd48d_cobalt-strike_cobaltstrike.exe N/A

SeLockMemoryPrivilege is the privilege required to allocate large pages (MEM_LARGE_PAGES). XMRig requests it at start-up so that its RandomX dataset can sit in huge pages, so this token adjustment lines up with the XMRig Miner payload signature rather than with the Cobalt Strike loader. It is also a cheap thing to alert on: few legitimate desktop applications ever enable this privilege.

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5104 wrote to memory of 2292 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_dcb4230a34199612d912db956abdd48d_cobalt-strike_cobaltstrike.exe C:\Windows\System\BpdIlWS.exe
PID 5104 wrote to memory of 2292 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_dcb4230a34199612d912db956abdd48d_cobalt-strike_cobaltstrike.exe C:\Windows\System\BpdIlWS.exe
PID 5104 wrote to memory of 3184 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_dcb4230a34199612d912db956abdd48d_cobalt-strike_cobaltstrike.exe C:\Windows\System\SHBpDsT.exe
PID 5104 wrote to memory of 3184 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_dcb4230a34199612d912db956abdd48d_cobalt-strike_cobaltstrike.exe C:\Windows\System\SHBpDsT.exe
PID 5104 wrote to memory of 1636 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_dcb4230a34199612d912db956abdd48d_cobalt-strike_cobaltstrike.exe C:\Windows\System\jiLeNRV.exe
PID 5104 wrote to memory of 1636 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_dcb4230a34199612d912db956abdd48d_cobalt-strike_cobaltstrike.exe C:\Windows\System\jiLeNRV.exe
PID 5104 wrote to memory of 4876 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_dcb4230a34199612d912db956abdd48d_cobalt-strike_cobaltstrike.exe C:\Windows\System\IvhpLsv.exe
PID 5104 wrote to memory of 4876 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_dcb4230a34199612d912db956abdd48d_cobalt-strike_cobaltstrike.exe C:\Windows\System\IvhpLsv.exe
PID 5104 wrote to memory of 3956 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_dcb4230a34199612d912db956abdd48d_cobalt-strike_cobaltstrike.exe C:\Windows\System\yarXqBo.exe
PID 5104 wrote to memory of 3956 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_dcb4230a34199612d912db956abdd48d_cobalt-strike_cobaltstrike.exe C:\Windows\System\yarXqBo.exe
PID 5104 wrote to memory of 3856 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_dcb4230a34199612d912db956abdd48d_cobalt-strike_cobaltstrike.exe C:\Windows\System\ReNIctR.exe
PID 5104 wrote to memory of 3856 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_dcb4230a34199612d912db956abdd48d_cobalt-strike_cobaltstrike.exe C:\Windows\System\ReNIctR.exe
PID 5104 wrote to memory of 2088 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_dcb4230a34199612d912db956abdd48d_cobalt-strike_cobaltstrike.exe C:\Windows\System\EkEAEat.exe
PID 5104 wrote to memory of 2088 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_dcb4230a34199612d912db956abdd48d_cobalt-strike_cobaltstrike.exe C:\Windows\System\EkEAEat.exe
PID 5104 wrote to memory of 1404 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_dcb4230a34199612d912db956abdd48d_cobalt-strike_cobaltstrike.exe C:\Windows\System\xtEsFQk.exe
PID 5104 wrote to memory of 1404 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_dcb4230a34199612d912db956abdd48d_cobalt-strike_cobaltstrike.exe C:\Windows\System\xtEsFQk.exe
PID 5104 wrote to memory of 2384 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_dcb4230a34199612d912db956abdd48d_cobalt-strike_cobaltstrike.exe C:\Windows\System\HFpVRTm.exe
PID 5104 wrote to memory of 2384 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_dcb4230a34199612d912db956abdd48d_cobalt-strike_cobaltstrike.exe C:\Windows\System\HFpVRTm.exe
PID 5104 wrote to memory of 2388 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_dcb4230a34199612d912db956abdd48d_cobalt-strike_cobaltstrike.exe C:\Windows\System\ZQHyMPR.exe
PID 5104 wrote to memory of 2388 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_dcb4230a34199612d912db956abdd48d_cobalt-strike_cobaltstrike.exe C:\Windows\System\ZQHyMPR.exe
PID 5104 wrote to memory of 3260 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_dcb4230a34199612d912db956abdd48d_cobalt-strike_cobaltstrike.exe C:\Windows\System\pHGdVcQ.exe
PID 5104 wrote to memory of 3260 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_dcb4230a34199612d912db956abdd48d_cobalt-strike_cobaltstrike.exe C:\Windows\System\pHGdVcQ.exe
PID 5104 wrote to memory of 4508 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_dcb4230a34199612d912db956abdd48d_cobalt-strike_cobaltstrike.exe C:\Windows\System\FnvzmZW.exe
PID 5104 wrote to memory of 4508 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_dcb4230a34199612d912db956abdd48d_cobalt-strike_cobaltstrike.exe C:\Windows\System\FnvzmZW.exe
PID 5104 wrote to memory of 3888 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_dcb4230a34199612d912db956abdd48d_cobalt-strike_cobaltstrike.exe C:\Windows\System\HXDZKRa.exe
PID 5104 wrote to memory of 3888 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_dcb4230a34199612d912db956abdd48d_cobalt-strike_cobaltstrike.exe C:\Windows\System\HXDZKRa.exe
PID 5104 wrote to memory of 4140 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_dcb4230a34199612d912db956abdd48d_cobalt-strike_cobaltstrike.exe C:\Windows\System\kswGPrY.exe
PID 5104 wrote to memory of 4140 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_dcb4230a34199612d912db956abdd48d_cobalt-strike_cobaltstrike.exe C:\Windows\System\kswGPrY.exe
PID 5104 wrote to memory of 1380 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_dcb4230a34199612d912db956abdd48d_cobalt-strike_cobaltstrike.exe C:\Windows\System\SgSyKvL.exe
PID 5104 wrote to memory of 1380 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_dcb4230a34199612d912db956abdd48d_cobalt-strike_cobaltstrike.exe C:\Windows\System\SgSyKvL.exe
PID 5104 wrote to memory of 2072 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_dcb4230a34199612d912db956abdd48d_cobalt-strike_cobaltstrike.exe C:\Windows\System\RnKMBxP.exe
PID 5104 wrote to memory of 2072 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_dcb4230a34199612d912db956abdd48d_cobalt-strike_cobaltstrike.exe C:\Windows\System\RnKMBxP.exe
PID 5104 wrote to memory of 4816 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_dcb4230a34199612d912db956abdd48d_cobalt-strike_cobaltstrike.exe C:\Windows\System\HuPKthf.exe
PID 5104 wrote to memory of 4816 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_dcb4230a34199612d912db956abdd48d_cobalt-strike_cobaltstrike.exe C:\Windows\System\HuPKthf.exe
PID 5104 wrote to memory of 4176 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_dcb4230a34199612d912db956abdd48d_cobalt-strike_cobaltstrike.exe C:\Windows\System\RfTeOaB.exe
PID 5104 wrote to memory of 4176 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_dcb4230a34199612d912db956abdd48d_cobalt-strike_cobaltstrike.exe C:\Windows\System\RfTeOaB.exe
PID 5104 wrote to memory of 4708 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_dcb4230a34199612d912db956abdd48d_cobalt-strike_cobaltstrike.exe C:\Windows\System\ODSlFrK.exe
PID 5104 wrote to memory of 4708 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_dcb4230a34199612d912db956abdd48d_cobalt-strike_cobaltstrike.exe C:\Windows\System\ODSlFrK.exe
PID 5104 wrote to memory of 4064 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_dcb4230a34199612d912db956abdd48d_cobalt-strike_cobaltstrike.exe C:\Windows\System\rNJttqv.exe
PID 5104 wrote to memory of 4064 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_dcb4230a34199612d912db956abdd48d_cobalt-strike_cobaltstrike.exe C:\Windows\System\rNJttqv.exe
PID 5104 wrote to memory of 1220 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_dcb4230a34199612d912db956abdd48d_cobalt-strike_cobaltstrike.exe C:\Windows\System\EwmWNpc.exe
PID 5104 wrote to memory of 1220 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_dcb4230a34199612d912db956abdd48d_cobalt-strike_cobaltstrike.exe C:\Windows\System\EwmWNpc.exe
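Read together, the "Drops file in Windows directory" and "Suspicious use of WriteProcessMemory" tables describe the dropper's fan-out: PID 5104, running from the user's Temp directory, writes 21 executables with random seven-letter names into C:\Windows\System and then starts each one as a direct child (the paired WriteProcessMemory rows are the parent setting up each child at creation time). The added example below is not part of the sandbox report and is not any vendor's rule; it expresses that chain as a detection over Sysmon-style FileCreate (event 11) and ProcessCreate (event 1) records. The records are constructed for the example from the paths and PIDs in this report, with two invented benign rows to show what the rule ignores; the field names follow Sysmon's, and min_drops is an assumed tuning threshold.

```python
import re
from collections import defaultdict

# Path of the dropper as it ran in the win10 detonation (from this report).
DROPPER = (r"C:\Users\Admin\AppData\Local\Temp"
           r"\2024-06-01_dcb4230a34199612d912db956abdd48d_cobalt-strike_cobaltstrike.exe")

# Constructed Sysmon-style records. Not real telemetry: PIDs and paths of the
# malicious rows come from the report, the benign rows are invented for contrast.
EVENTS = [
    {"EventID": 11, "ProcessId": 5104, "Image": DROPPER,
     "TargetFilename": r"C:\Windows\System\BpdIlWS.exe"},
    {"EventID": 11, "ProcessId": 5104, "Image": DROPPER,
     "TargetFilename": r"C:\Windows\System\kswGPrY.exe"},
    {"EventID": 1, "ProcessId": 2292, "ParentProcessId": 5104,
     "Image": r"C:\Windows\System\BpdIlWS.exe", "ParentImage": DROPPER},
    {"EventID": 1, "ProcessId": 4140, "ParentProcessId": 5104,
     "Image": r"C:\Windows\System\kswGPrY.exe", "ParentImage": DROPPER},
    # Benign noise: a seven-letter name, but written by a System32 process, not from Temp.
    {"EventID": 11, "ProcessId": 900, "Image": r"C:\Windows\System32\msiexec.exe",
     "TargetFilename": r"C:\Windows\System\updater.exe"},
    {"EventID": 1, "ProcessId": 1234, "ParentProcessId": 700,
     "Image": r"C:\Windows\System32\notepad.exe", "ParentImage": r"C:\Windows\explorer.exe"},
]

RANDOM_SYSTEM_EXE = re.compile(r"^C:\\Windows\\System\\[A-Za-z]{7}\.exe$", re.IGNORECASE)
USER_TEMP_IMAGE = re.compile(r"^C:\\Users\\[^\\]+\\AppData\\Local\\Temp\\", re.IGNORECASE)


def detect_dropper_chains(events, min_drops=2):
    """Return {dropper_pid: {...}} for processes that run from a user's Temp
    directory, create at least min_drops random-named EXEs under C:\\Windows\\System
    and then start at least one of them as a direct child."""
    dropped = defaultdict(set)
    dropper_image = {}
    for ev in events:
        if (ev["EventID"] == 11 and RANDOM_SYSTEM_EXE.match(ev["TargetFilename"])
                and USER_TEMP_IMAGE.match(ev["Image"])):
            dropped[ev["ProcessId"]].add(ev["TargetFilename"].lower())
            dropper_image[ev["ProcessId"]] = ev["Image"]

    hits = {}
    for ev in events:
        if ev["EventID"] != 1:
            continue
        ppid = ev.get("ParentProcessId")
        if ppid in dropped and ev["Image"].lower() in dropped[ppid]:
            hit = hits.setdefault(ppid, {"image": dropper_image[ppid],
                                         "dropped": sorted(dropped[ppid]),
                                         "executed": []})
            hit["executed"].append((ev["ProcessId"], ev["Image"]))
    return {pid: h for pid, h in hits.items() if len(h["dropped"]) >= min_drops}


if __name__ == "__main__":
    for pid, hit in detect_dropper_chains(EVENTS).items():
        print(f"dropper PID {pid}: {len(hit['dropped'])} files dropped, "
              f"{len(hit['executed'])} executed")
```

The three conditions are deliberately joined: on a modern Windows install C:\Windows\System is nearly empty, so a single write there is already odd, but requiring the writer to come from a user Temp path and then to execute what it wrote keeps installers and servicing tasks out of the alert. In production the PID join must also respect PID reuse (add the ProcessGuid or a start-time check).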

Processes

PIDs are taken from the WriteProcessMemory rows and the memory dump names in this run; all 21 children are started directly by 5104 with no arguments.

PID   Image path  Command line
5104  C:\Users\Admin\AppData\Local\Temp\2024-06-01_dcb4230a34199612d912db956abdd48d_cobalt-strike_cobaltstrike.exe  "C:\Users\Admin\AppData\Local\Temp\2024-06-01_dcb4230a34199612d912db956abdd48d_cobalt-strike_cobaltstrike.exe"
2292  C:\Windows\System\BpdIlWS.exe  C:\Windows\System\BpdIlWS.exe
3184  C:\Windows\System\SHBpDsT.exe  C:\Windows\System\SHBpDsT.exe
1636  C:\Windows\System\jiLeNRV.exe  C:\Windows\System\jiLeNRV.exe
4876  C:\Windows\System\IvhpLsv.exe  C:\Windows\System\IvhpLsv.exe
3956  C:\Windows\System\yarXqBo.exe  C:\Windows\System\yarXqBo.exe
3856  C:\Windows\System\ReNIctR.exe  C:\Windows\System\ReNIctR.exe
2088  C:\Windows\System\EkEAEat.exe  C:\Windows\System\EkEAEat.exe
1404  C:\Windows\System\xtEsFQk.exe  C:\Windows\System\xtEsFQk.exe
2384  C:\Windows\System\HFpVRTm.exe  C:\Windows\System\HFpVRTm.exe
2388  C:\Windows\System\ZQHyMPR.exe  C:\Windows\System\ZQHyMPR.exe
3260  C:\Windows\System\pHGdVcQ.exe  C:\Windows\System\pHGdVcQ.exe
4508  C:\Windows\System\FnvzmZW.exe  C:\Windows\System\FnvzmZW.exe
3888  C:\Windows\System\HXDZKRa.exe  C:\Windows\System\HXDZKRa.exe
4140  C:\Windows\System\kswGPrY.exe  C:\Windows\System\kswGPrY.exe
1380  C:\Windows\System\SgSyKvL.exe  C:\Windows\System\SgSyKvL.exe
2072  C:\Windows\System\RnKMBxP.exe  C:\Windows\System\RnKMBxP.exe
4816  C:\Windows\System\HuPKthf.exe  C:\Windows\System\HuPKthf.exe
4176  C:\Windows\System\RfTeOaB.exe  C:\Windows\System\RfTeOaB.exe
4708  C:\Windows\System\ODSlFrK.exe  C:\Windows\System\ODSlFrK.exe
4064  C:\Windows\System\rNJttqv.exe  C:\Windows\System\rNJttqv.exe
1220  C:\Windows\System\EwmWNpc.exe  C:\Windows\System\EwmWNpc.exe

Network

Country  Destination          Domain                          Proto
US       8.8.8.8:53           149.220.183.52.in-addr.arpa     udp
US       8.8.8.8:53           172.210.232.199.in-addr.arpa    udp
US       8.8.8.8:53           74.32.126.40.in-addr.arpa       udp
US       8.8.8.8:53           55.36.223.20.in-addr.arpa       udp
DE       3.120.209.58:8080    -                               tcp
US       8.8.8.8:53           154.239.44.20.in-addr.arpa      udp
US       8.8.8.8:53           26.165.165.52.in-addr.arpa      udp
US       8.8.8.8:53           206.23.85.13.in-addr.arpa       udp
US       8.8.8.8:53           134.71.91.104.in-addr.arpa      udp
DE       3.120.209.58:8080    -                               tcp
DE       3.120.209.58:8080    -                               tcp
DE       3.120.209.58:8080    -                               tcp
US       8.8.8.8:53           22.236.111.52.in-addr.arpa      udp
US       8.8.8.8:53           tse1.mm.bing.net                udp
US       204.79.197.200:443   tse1.mm.bing.net                tcp
US       204.79.197.200:443   tse1.mm.bing.net                tcp
US       8.8.8.8:53           43.58.199.20.in-addr.arpa       udp
US       8.8.8.8:53           200.197.79.204.in-addr.arpa     udp
DE       3.120.209.58:8080    -                               tcp
DE       3.120.209.58:8080    -                               tcp

None of these connections is attributed to a process in the report. The in-addr.arpa rows are PTR lookups of Microsoft and CDN address space and, together with the tse1.mm.bing.net traffic (204.79.197.200 is Microsoft), read as the Windows 10 sandbox's own background activity. The six TCP connections to 3.120.209.58:8080, made with no hostname and no preceding DNS query, are the only destination the OS does not explain; the report records neither payload nor protocol for them, so treat the address as an unconfirmed lead rather than a confirmed C2 server.

Files

memory/5104-0-0x00007FF6789F0000-0x00007FF678D44000-memory.dmp

memory/5104-1-0x000001342B110000-0x000001342B120000-memory.dmp

C:\Windows\System\BpdIlWS.exe

MD5 8f6a7ac86f06960154e48f5e177c6a55
SHA1 ff95d64bafe9f38d40dd6254bc2a8ab59883279e
SHA256 58daee94056043ca2759d85580fe82d242117a773706d1f1df3d6bdfc02666b9
SHA512 3e1678f629490944ef6e83714a72f5f8dd4f81d5adcab68c9c0954da9716c94894340f5a2737ab51d1537943d73b38f76152e8287550d31a61d14f09a63839d3

memory/2292-7-0x00007FF7627F0000-0x00007FF762B44000-memory.dmp

C:\Windows\System\SHBpDsT.exe

MD5 200db842ac6216b0ea2c9f16211837f6
SHA1 fdd5837fb2c55d3dfde87b5d2d0323177c88366a
SHA256 168ae97a3eaafbd9b9749d2ae05046ad53f398f5488baaf081694d80b7291dcc
SHA512 815a7bf6e3fb01f64f1c3c03e04e914f95d4b53b5a81821f6bf1ef8fa03facdc6a74b287c5d3d2cb61ce95860f924c290a8205717c16be517126b60b39ceb604

C:\Windows\System\jiLeNRV.exe

MD5 bf79a61b266fd196acd20a1afbb2afa1
SHA1 caeb716a4e95b4249da0b84fe894a8878f9c4a20
SHA256 e6af57f514dae907ff55d60ce468f231db8f82dbb341153de56e0554c899b7b9
SHA512 d37c0417098759069796fe608331c1b290312fa8fec86f83fee35db521eb9ac1f6ee524467a38f92db2654b57fcb6082f6fdceceee02af67e147f35ab5b6e62a

memory/3184-14-0x00007FF619910000-0x00007FF619C64000-memory.dmp

C:\Windows\System\IvhpLsv.exe

MD5 97dc7505412aa64e7f3e6b8414684019
SHA1 fb6dd04517084ecdcd605b92a00763c8a1566385
SHA256 5903f02897682c1fe4e5dd7c1ba782b36f578e681e669c6adda34f0a0fd966ed
SHA512 992e86916c02e596e8c7edfb397e9d7b392e2a4871af19b4f079203caf32a1e35e97b537ac38700d9dd3e9de17b25cfcfc256f173c00b4022453595302874f9a

memory/1636-25-0x00007FF76A7D0000-0x00007FF76AB24000-memory.dmp

memory/4876-26-0x00007FF671010000-0x00007FF671364000-memory.dmp

C:\Windows\System\yarXqBo.exe

MD5 9e4695cdde22e061ef21d1056429b2b5
SHA1 08587a4ca569f2209e3538addd485b59e903ef00
SHA256 59d2dc18960da61f805fb6793652502468cdd4395c92429f211cc9b5353c4401
SHA512 9f2580341355e1ee5cac2eae48f21c84f7a3996d41c19d3d2386c4959b3ca0097c28c12a603e85c94ee5d24bec4168a0eff2424bf10c95227e25d034e6cb4455

memory/3956-30-0x00007FF68FC90000-0x00007FF68FFE4000-memory.dmp

C:\Windows\System\ReNIctR.exe

MD5 569b269c61dd5da7560b7ce0b7619c92
SHA1 e1536de90aa4c34f1b2a309643e4aaae01cf6d4f
SHA256 84c7af10794d04b24719aaa3f80e6d38423ae6a8234fd786ffd65a41be34d457
SHA512 40bb7dfe1f80b1811f6be1e69cfdb3edf2d729249fde5f46be2227b0694039887449cac40197af76ff02d3f1e6a4663caa33971ebad4e33b3537c3d0b3f426ef

memory/3856-38-0x00007FF6D9ED0000-0x00007FF6DA224000-memory.dmp

C:\Windows\System\EkEAEat.exe

MD5 1a10f2315f69600d8eaabda22fd403a3
SHA1 1bad39087fb571f74f913fd70d811052dfc469ef
SHA256 86a4128057140310c4f710834070818ec31c9414ccee15dd731d24e00678daeb
SHA512 1db4ace24984ee0ecb9fd5c3e754b8b71b47a7a21f173eab01e00280bcd0b6a0d872be71eabda7e142227b577bcf4216a9de0a3c436a3b5a82931c58f655cfb8

memory/2088-42-0x00007FF6E9FB0000-0x00007FF6EA304000-memory.dmp

C:\Windows\System\xtEsFQk.exe

MD5 475cbb6ba3cd5257258607e06ad2ceba
SHA1 6ad0da43aaa7fa8cb91230b220ae011c8097ca8a
SHA256 9d383803842536c9b219c133ba8610d08881106db416b008a19a7794a8010a4e
SHA512 24ecf7180506da0f2cc3a7c7e72d7c29fd0950c967cd4246684cc48e8eae7a1418cc697b0e0a9565cb4c788686540fefd0c39f34d4d6a79a940fc6c7514b9b82

C:\Windows\System\HFpVRTm.exe

MD5 0aa701792f597b6c1c10575f3e6c740b
SHA1 ec5ebe0c8e369f903aa64b721c5a3d2df4eeccaa
SHA256 2720ed4582c534e796c8cc62c15c7b05fc320bfecb76aa10f21c046d7ccb354d
SHA512 e3e36faa0f3d87c0d6e98e280725b02f8d9502e2a74f3a2265a1b77e735b25d31164bf7c88107bbf3103fe1a16601ece6bf456f2a683c7e11e9b2df230b92878

memory/2384-54-0x00007FF7BDCE0000-0x00007FF7BE034000-memory.dmp

memory/1404-50-0x00007FF614170000-0x00007FF6144C4000-memory.dmp

C:\Windows\System\ZQHyMPR.exe

MD5 37688faa72d84feb57ec28b5e1d7bd7e
SHA1 b102a0b4562a67d45e4f3ba74ac7ab9974aaa47b
SHA256 318809eaa84f7caec5499ae2c4bcf32387b8b6d4e96e3e753d6885fdeb0f0271
SHA512 0b380381bf33edbff6f4e85ea0af8d7c9084077f01bf06a383e48cf1ab6be1ec0f427231c916fd95f2a539dfda1909171b6e6727ac8a0c973ea76c3ac9bd9a8f

memory/4508-72-0x00007FF71FDE0000-0x00007FF720134000-memory.dmp

C:\Windows\System\HXDZKRa.exe

MD5 2bf0204f23edfd3b3685d4db3094c064
SHA1 2fd9df8f030cfa98a914bfebd8d04e23899fa27e
SHA256 8df38f2fe389cac88fe21eaaed054f3763c9c7e019425a93f804e89db60f900b
SHA512 5cd3bfd632a17cc6a47a806abaafd8f551b3f9c24f9661441aab2f26eb911d30d570ef29a5f7a5991371c98953c1ff98300edbc178908071b54612972cd91b8f

C:\Windows\System\pHGdVcQ.exe

MD5 c20760546402bdf70870324055792388
SHA1 d8972859a01e3f9071740ec79739b5f6d899bb45
SHA256 b27edb74f6fdc2ddaf0ab349e73f29c6d972d5aac7e64c119a5328c9c5d1ab4b
SHA512 d1ea25aa72dfd92173c8ce3fcb914ea1caa07929c2f2bec2cc87c42860bd5884537ddd56baa84d0f7f213728909b9e143de9fe90de5db69dde38395ca8354867

memory/3888-82-0x00007FF6F2840000-0x00007FF6F2B94000-memory.dmp

C:\Windows\System\SgSyKvL.exe

MD5 10bcfb675a578a936d7937f7c6ee542d
SHA1 75dafeff18bfd69d3638ffd33d9335f7d66bbadf
SHA256 e8632a3c1053ff507f90318c632f7d1a9e2f94a04b48f78cdcfed29c94f6bd54
SHA512 249f19884720602902815864d290d05854d1f7d93aa52e9eb0fac7a059a23253059c6ef9a8bb4c56a1b0a30db0282b19ec205e335c9d29971202682eed2ddf7d

C:\Windows\System\RnKMBxP.exe

MD5 42b02aaf49ccbe7fb97dfdadc37365ba
SHA1 1c016e35145a85b553ccff634445dc18b30451b8
SHA256 aed6990d278c3eae86f2ed7be84710b14e0c71d77e43c825e8ce35b3282b6c3d
SHA512 8f956a45f0d9e90c5fac66504fd803f363ab389b52900a2155ccd2529bded78cc5755f7fe444aa6a1cd46826bde3f9d8b9154850477701ddcade4c60647f23f7

memory/3956-99-0x00007FF68FC90000-0x00007FF68FFE4000-memory.dmp

memory/1380-98-0x00007FF6DC0C0000-0x00007FF6DC414000-memory.dmp

C:\Windows\System\kswGPrY.exe

MD5 7a7cf50bd1706482030d6086903cad41
SHA1 fd1b9000aa352ea70836d97c7b1a9277f35ebabc
SHA256 2ee543f9b069a02b44a672f32d063dae443ae77d1382f6ecf9d1016a85e349e3
SHA512 772cb2b8a360a97ca5a05599b028b9ac6ada4577013ce9aa77614171a0c3243be0dfe7392aeda9b5c89ae30f4bae6254448848d3cb38b3f6a27a18a89b99f2bc

memory/2072-93-0x00007FF77C4F0000-0x00007FF77C844000-memory.dmp

memory/4140-91-0x00007FF770910000-0x00007FF770C64000-memory.dmp

memory/3184-86-0x00007FF619910000-0x00007FF619C64000-memory.dmp

C:\Windows\System\FnvzmZW.exe

MD5 885ac89e9baa687282ba1eb8fa598fc8
SHA1 a39be646a6f4ae69936e2c77588573ec21427df1
SHA256 0e72bf4d5d32063cc70b6e542608bbeb2256eaebd88239ad5dbe5dd65866d815
SHA512 b0066d2f531d4a1753f8828d7d16a14cf107f28d2aaa883f888f56b1640487a328f126eec335b1d47b3f6435c43b89cfb7110f927d1acd87f729d0aaf2699611

memory/3260-77-0x00007FF624F30000-0x00007FF625284000-memory.dmp

memory/2292-74-0x00007FF7627F0000-0x00007FF762B44000-memory.dmp

memory/2388-69-0x00007FF74FAF0000-0x00007FF74FE44000-memory.dmp

memory/5104-64-0x00007FF6789F0000-0x00007FF678D44000-memory.dmp

C:\Windows\System\HuPKthf.exe

MD5 d469877ab18e136e55e3c87d997a33bc
SHA1 9a640c4dc2ee351d43b67d563bfb4ea97b25b105
SHA256 cf1f5eff33e71565a581b2194ebffd6603a852048ea8e9ad6237ff83a4c54b7c
SHA512 91916822636c79c6f29e36f04b53aef14ca590f1156bb303eb1ec7b8498e2613ceb2affce65813aac0c04a2d998bd9f436a507983bdd927f07f2fa089703f68b

memory/4816-110-0x00007FF7DD9E0000-0x00007FF7DDD34000-memory.dmp

C:\Windows\System\RfTeOaB.exe

MD5 de36c2cacff944ca0d243afd78b4582a
SHA1 e9eda7c4dc09b72bae36f514a12f97c671ccd678
SHA256 eba5963aa5be215d7750e2634c74c2468aa2397430d445559c3773733a0b4e28
SHA512 52e900963e19de1ba9d97a0566a59a01c4e86d436d4168e29db621d71c9fe00fb9fdc3ccf3a46510ec1edaa83ebe6739df320de14a0977c066ccb2bfd7f9f6ce

memory/4176-113-0x00007FF7FD8F0000-0x00007FF7FDC44000-memory.dmp

memory/2088-112-0x00007FF6E9FB0000-0x00007FF6EA304000-memory.dmp

C:\Windows\System\ODSlFrK.exe

MD5 c30e52a6e5fa0eb40548dbd42d97e4eb
SHA1 83678a65cbb44fa7b1cd77179c50af7530457f67
SHA256 5dfbc738d1a2e486147a45f5f30357bda342720d071a979f1e6f3d1f9fbbb809
SHA512 8d8c84169b05e7f093d9457abdc04a69a2acc3761aebe6149fb9c1357746afb250fac10e37ff286f3c690be9319f891a5e08ed8ff1a0612735e98a0ac7bd4ca0

memory/2384-125-0x00007FF7BDCE0000-0x00007FF7BE034000-memory.dmp

C:\Windows\System\rNJttqv.exe

MD5 7a4cc78b65f18106a0605a0b6880fe9b
SHA1 2dd6c0e25ae638ffc83c730c3c41790997b2605c
SHA256 6615cbf5148c1e5a0f81da604d1428d23aa74bdf15f48449079da585916b644d
SHA512 246bf7d6630b0c6b900021d33867d1a2d6b237dc2dcc2fb14d9e264985c1dc4df87f643ece25f632efb61dab1ce940870bbbbc924d6febbdafb1a52051d16e5f

memory/4064-126-0x00007FF7A8FC0000-0x00007FF7A9314000-memory.dmp

memory/4708-119-0x00007FF603AB0000-0x00007FF603E04000-memory.dmp

C:\Windows\System\EwmWNpc.exe

MD5 3078c2f366ee72ffd1546f85bcb0d083
SHA1 eb729bbd5ff3ab9d8acbf246255915be9ad1170b
SHA256 ebf903e5b63cbf7d503363de5b9446f535ea73065cba1bc3a10f6b2aa59c0451
SHA512 a61516c7d20753eeb61c01daf299cf4f0154ebba4cec3d602cefac0605d211bbc6e909f41384663ed8afd64c0f3bf47c689021751cc97aa873e72935ec7ac722

memory/1220-134-0x00007FF6DAE10000-0x00007FF6DB164000-memory.dmp

memory/4508-133-0x00007FF71FDE0000-0x00007FF720134000-memory.dmp

memory/3260-135-0x00007FF624F30000-0x00007FF625284000-memory.dmp

memory/3888-136-0x00007FF6F2840000-0x00007FF6F2B94000-memory.dmp

memory/4140-137-0x00007FF770910000-0x00007FF770C64000-memory.dmp

memory/2072-138-0x00007FF77C4F0000-0x00007FF77C844000-memory.dmp

memory/1380-139-0x00007FF6DC0C0000-0x00007FF6DC414000-memory.dmp

memory/4176-140-0x00007FF7FD8F0000-0x00007FF7FDC44000-memory.dmp

memory/4708-141-0x00007FF603AB0000-0x00007FF603E04000-memory.dmp

memory/4064-142-0x00007FF7A8FC0000-0x00007FF7A9314000-memory.dmp

memory/2292-143-0x00007FF7627F0000-0x00007FF762B44000-memory.dmp

memory/3184-144-0x00007FF619910000-0x00007FF619C64000-memory.dmp

memory/1636-145-0x00007FF76A7D0000-0x00007FF76AB24000-memory.dmp

memory/4876-146-0x00007FF671010000-0x00007FF671364000-memory.dmp

memory/3956-147-0x00007FF68FC90000-0x00007FF68FFE4000-memory.dmp

memory/3856-148-0x00007FF6D9ED0000-0x00007FF6DA224000-memory.dmp

memory/2088-149-0x00007FF6E9FB0000-0x00007FF6EA304000-memory.dmp

memory/1404-150-0x00007FF614170000-0x00007FF6144C4000-memory.dmp

memory/2384-151-0x00007FF7BDCE0000-0x00007FF7BE034000-memory.dmp

memory/2388-152-0x00007FF74FAF0000-0x00007FF74FE44000-memory.dmp

memory/3260-153-0x00007FF624F30000-0x00007FF625284000-memory.dmp

memory/3888-154-0x00007FF6F2840000-0x00007FF6F2B94000-memory.dmp

memory/4508-155-0x00007FF71FDE0000-0x00007FF720134000-memory.dmp

memory/1380-156-0x00007FF6DC0C0000-0x00007FF6DC414000-memory.dmp

memory/2072-158-0x00007FF77C4F0000-0x00007FF77C844000-memory.dmp

memory/4140-157-0x00007FF770910000-0x00007FF770C64000-memory.dmp

memory/4816-159-0x00007FF7DD9E0000-0x00007FF7DDD34000-memory.dmp

memory/4176-160-0x00007FF7FD8F0000-0x00007FF7FDC44000-memory.dmp

memory/4708-161-0x00007FF603AB0000-0x00007FF603E04000-memory.dmp

memory/4064-162-0x00007FF7A8FC0000-0x00007FF7A9314000-memory.dmp

memory/1220-163-0x00007FF6DAE10000-0x00007FF6DB164000-memory.dmp
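Two things stand out in the Files listing. Every one of the 21 dropped executables carries a different hash set, so the on-disk hashes are a weak pivot. Yet every image-region dump, for the parent and for all 21 children, spans exactly 0x354000 bytes (for example 0x00007FF6789F0000 to 0x00007FF678D44000 for PID 5104); the only other dump is a 0x10000-byte heap region in PID 5104. The same-size mapping says the children are the same program with per-file variation on disk, which makes the mapped image size the stronger pivot. The added example below is not part of the report; it parses an excerpt of this Files listing (copied from the lines above) into dropped-file hashes and dump regions and checks both observations. parse_files_section, size_histogram and hash_reuse are names chosen for this example.

```python
import re
from collections import Counter

# Excerpt of the Files listing above, copied as it appears in the report: a dropped
# file's path is followed by its hashes; dumps are named <pid>-<n>-<start>-<end>.
FILES_EXCERPT = r"""
memory/5104-0-0x00007FF6789F0000-0x00007FF678D44000-memory.dmp

memory/5104-1-0x000001342B110000-0x000001342B120000-memory.dmp

C:\Windows\System\BpdIlWS.exe

MD5 8f6a7ac86f06960154e48f5e177c6a55
SHA1 ff95d64bafe9f38d40dd6254bc2a8ab59883279e
SHA256 58daee94056043ca2759d85580fe82d242117a773706d1f1df3d6bdfc02666b9

memory/2292-7-0x00007FF7627F0000-0x00007FF762B44000-memory.dmp

C:\Windows\System\SHBpDsT.exe

MD5 200db842ac6216b0ea2c9f16211837f6
SHA1 fdd5837fb2c55d3dfde87b5d2d0323177c88366a
SHA256 168ae97a3eaafbd9b9749d2ae05046ad53f398f5488baaf081694d80b7291dcc

memory/3184-14-0x00007FF619910000-0x00007FF619C64000-memory.dmp
"""

DUMP_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
PATH_RE = re.compile(r"^[A-Za-z]:\\.+\.exe$")
HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-f]+)$")


def parse_files_section(text):
    """Split a Triage-style Files listing into (files, dumps): files maps each
    dropped path to its hashes, dumps is a list of {pid, index, start, size}."""
    files, dumps, current = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = DUMP_RE.match(line)
        if m:
            start, end = int(m[3], 16), int(m[4], 16)
            dumps.append({"pid": int(m[1]), "index": int(m[2]),
                          "start": start, "size": end - start})
            current = None  # hashes never follow a dump line
            continue
        if PATH_RE.match(line):
            current = line
            files[current] = {}
            continue
        m = HASH_RE.match(line)
        if m and current is not None:
            files[current][m[1]] = m[2]
    return files, dumps


def size_histogram(dumps):
    """How many dumps share each region size; one dominant size across parent
    and children is the pivot worth keeping."""
    return dict(Counter(d["size"] for d in dumps))


def hash_reuse(files, algo="SHA256"):
    """Map hash -> paths for any hash that appears on more than one dropped file."""
    by_hash = {}
    for path, hashes in files.items():
        if algo in hashes:
            by_hash.setdefault(hashes[algo], []).append(path)
    return {h: paths for h, paths in by_hash.items() if len(paths) > 1}


if __name__ == "__main__":
    files, dumps = parse_files_section(FILES_EXCERPT)
    print(f"{len(files)} dropped files, {len(dumps)} dumps")
    print("region sizes:", {hex(k): v for k, v in size_histogram(dumps).items()})
    print("reused SHA256:", hash_reuse(files) or "none")
```

Run against the full listing the histogram collapses to one 0x354000 bucket of 22 image dumps plus the single 0x10000 heap region, and hash_reuse stays empty. That is the shape to expect from a dropper that rewrites each copy (different bytes on disk, identical image once mapped), so a hunt should key on the mapped size and the C:\Windows\System seven-letter naming, not on the per-file hashes.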

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-01 17:09

Reported

2024-06-01 17:11

Platform

win7-20240419-en

Max time kernel

144s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-01_dcb4230a34199612d912db956abdd48d_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

XMRig Miner payload

miner

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_dcb4230a34199612d912db956abdd48d_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_dcb4230a34199612d912db956abdd48d_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_dcb4230a34199612d912db956abdd48d_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_dcb4230a34199612d912db956abdd48d_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_dcb4230a34199612d912db956abdd48d_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_dcb4230a34199612d912db956abdd48d_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_dcb4230a34199612d912db956abdd48d_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_dcb4230a34199612d912db956abdd48d_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_dcb4230a34199612d912db956abdd48d_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_dcb4230a34199612d912db956abdd48d_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_dcb4230a34199612d912db956abdd48d_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_dcb4230a34199612d912db956abdd48d_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_dcb4230a34199612d912db956abdd48d_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_dcb4230a34199612d912db956abdd48d_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_dcb4230a34199612d912db956abdd48d_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_dcb4230a34199612d912db956abdd48d_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_dcb4230a34199612d912db956abdd48d_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_dcb4230a34199612d912db956abdd48d_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_dcb4230a34199612d912db956abdd48d_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_dcb4230a34199612d912db956abdd48d_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_dcb4230a34199612d912db956abdd48d_cobalt-strike_cobaltstrike.exe N/A

UPX packed file

upx

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\yEBdTvZ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_dcb4230a34199612d912db956abdd48d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\AqkzwGR.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_dcb4230a34199612d912db956abdd48d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\FNAIGrf.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_dcb4230a34199612d912db956abdd48d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\deaYOZt.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_dcb4230a34199612d912db956abdd48d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\cVbPxtq.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_dcb4230a34199612d912db956abdd48d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\BOnFqMo.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_dcb4230a34199612d912db956abdd48d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\IfqbJUJ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_dcb4230a34199612d912db956abdd48d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\TIhBHok.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_dcb4230a34199612d912db956abdd48d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\GQHpBJe.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_dcb4230a34199612d912db956abdd48d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\inveqQK.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_dcb4230a34199612d912db956abdd48d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\hzucUUt.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_dcb4230a34199612d912db956abdd48d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\FUxGlBk.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_dcb4230a34199612d912db956abdd48d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\NqqpDLo.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_dcb4230a34199612d912db956abdd48d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\UiofGBv.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_dcb4230a34199612d912db956abdd48d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\emTwIOH.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_dcb4230a34199612d912db956abdd48d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\qtJbXMs.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_dcb4230a34199612d912db956abdd48d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\sCfHGeL.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_dcb4230a34199612d912db956abdd48d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\PNjUGME.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_dcb4230a34199612d912db956abdd48d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\uHHXMkk.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_dcb4230a34199612d912db956abdd48d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\TnaNihV.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_dcb4230a34199612d912db956abdd48d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\IHWIuOM.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_dcb4230a34199612d912db956abdd48d_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_dcb4230a34199612d912db956abdd48d_cobalt-strike_cobaltstrike.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_dcb4230a34199612d912db956abdd48d_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2392 wrote to memory of 2916 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_dcb4230a34199612d912db956abdd48d_cobalt-strike_cobaltstrike.exe C:\Windows\System\yEBdTvZ.exe
PID 2392 wrote to memory of 2916 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_dcb4230a34199612d912db956abdd48d_cobalt-strike_cobaltstrike.exe C:\Windows\System\yEBdTvZ.exe
PID 2392 wrote to memory of 2916 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_dcb4230a34199612d912db956abdd48d_cobalt-strike_cobaltstrike.exe C:\Windows\System\yEBdTvZ.exe
PID 2392 wrote to memory of 2224 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_dcb4230a34199612d912db956abdd48d_cobalt-strike_cobaltstrike.exe C:\Windows\System\GQHpBJe.exe
PID 2392 wrote to memory of 2224 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_dcb4230a34199612d912db956abdd48d_cobalt-strike_cobaltstrike.exe C:\Windows\System\GQHpBJe.exe
PID 2392 wrote to memory of 2224 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_dcb4230a34199612d912db956abdd48d_cobalt-strike_cobaltstrike.exe C:\Windows\System\GQHpBJe.exe
PID 2392 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_dcb4230a34199612d912db956abdd48d_cobalt-strike_cobaltstrike.exe C:\Windows\System\AqkzwGR.exe
PID 2392 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_dcb4230a34199612d912db956abdd48d_cobalt-strike_cobaltstrike.exe C:\Windows\System\AqkzwGR.exe
PID 2392 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_dcb4230a34199612d912db956abdd48d_cobalt-strike_cobaltstrike.exe C:\Windows\System\AqkzwGR.exe
PID 2392 wrote to memory of 2440 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_dcb4230a34199612d912db956abdd48d_cobalt-strike_cobaltstrike.exe C:\Windows\System\inveqQK.exe
PID 2392 wrote to memory of 2440 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_dcb4230a34199612d912db956abdd48d_cobalt-strike_cobaltstrike.exe C:\Windows\System\inveqQK.exe
PID 2392 wrote to memory of 2440 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_dcb4230a34199612d912db956abdd48d_cobalt-strike_cobaltstrike.exe C:\Windows\System\inveqQK.exe
PID 2392 wrote to memory of 2700 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_dcb4230a34199612d912db956abdd48d_cobalt-strike_cobaltstrike.exe C:\Windows\System\hzucUUt.exe
PID 2392 wrote to memory of 2700 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_dcb4230a34199612d912db956abdd48d_cobalt-strike_cobaltstrike.exe C:\Windows\System\hzucUUt.exe
PID 2392 wrote to memory of 2700 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_dcb4230a34199612d912db956abdd48d_cobalt-strike_cobaltstrike.exe C:\Windows\System\hzucUUt.exe
PID 2392 wrote to memory of 2928 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_dcb4230a34199612d912db956abdd48d_cobalt-strike_cobaltstrike.exe C:\Windows\System\PNjUGME.exe
PID 2392 wrote to memory of 2928 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_dcb4230a34199612d912db956abdd48d_cobalt-strike_cobaltstrike.exe C:\Windows\System\PNjUGME.exe
PID 2392 wrote to memory of 2928 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_dcb4230a34199612d912db956abdd48d_cobalt-strike_cobaltstrike.exe C:\Windows\System\PNjUGME.exe
PID 2392 wrote to memory of 2688 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_dcb4230a34199612d912db956abdd48d_cobalt-strike_cobaltstrike.exe C:\Windows\System\uHHXMkk.exe
PID 2392 wrote to memory of 2688 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_dcb4230a34199612d912db956abdd48d_cobalt-strike_cobaltstrike.exe C:\Windows\System\uHHXMkk.exe
PID 2392 wrote to memory of 2688 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_dcb4230a34199612d912db956abdd48d_cobalt-strike_cobaltstrike.exe C:\Windows\System\uHHXMkk.exe
PID 2392 wrote to memory of 1292 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_dcb4230a34199612d912db956abdd48d_cobalt-strike_cobaltstrike.exe C:\Windows\System\emTwIOH.exe
PID 2392 wrote to memory of 1292 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_dcb4230a34199612d912db956abdd48d_cobalt-strike_cobaltstrike.exe C:\Windows\System\emTwIOH.exe
PID 2392 wrote to memory of 1292 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_dcb4230a34199612d912db956abdd48d_cobalt-strike_cobaltstrike.exe C:\Windows\System\emTwIOH.exe
PID 2392 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_dcb4230a34199612d912db956abdd48d_cobalt-strike_cobaltstrike.exe C:\Windows\System\FUxGlBk.exe
PID 2392 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_dcb4230a34199612d912db956abdd48d_cobalt-strike_cobaltstrike.exe C:\Windows\System\FUxGlBk.exe
PID 2392 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_dcb4230a34199612d912db956abdd48d_cobalt-strike_cobaltstrike.exe C:\Windows\System\FUxGlBk.exe
PID 2392 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_dcb4230a34199612d912db956abdd48d_cobalt-strike_cobaltstrike.exe C:\Windows\System\NqqpDLo.exe
PID 2392 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_dcb4230a34199612d912db956abdd48d_cobalt-strike_cobaltstrike.exe C:\Windows\System\NqqpDLo.exe
PID 2392 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_dcb4230a34199612d912db956abdd48d_cobalt-strike_cobaltstrike.exe C:\Windows\System\NqqpDLo.exe
PID 2392 wrote to memory of 3024 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_dcb4230a34199612d912db956abdd48d_cobalt-strike_cobaltstrike.exe C:\Windows\System\TnaNihV.exe
PID 2392 wrote to memory of 3024 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_dcb4230a34199612d912db956abdd48d_cobalt-strike_cobaltstrike.exe C:\Windows\System\TnaNihV.exe
PID 2392 wrote to memory of 3024 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_dcb4230a34199612d912db956abdd48d_cobalt-strike_cobaltstrike.exe C:\Windows\System\TnaNihV.exe
PID 2392 wrote to memory of 1900 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_dcb4230a34199612d912db956abdd48d_cobalt-strike_cobaltstrike.exe C:\Windows\System\FNAIGrf.exe
PID 2392 wrote to memory of 1900 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_dcb4230a34199612d912db956abdd48d_cobalt-strike_cobaltstrike.exe C:\Windows\System\FNAIGrf.exe
PID 2392 wrote to memory of 1900 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_dcb4230a34199612d912db956abdd48d_cobalt-strike_cobaltstrike.exe C:\Windows\System\FNAIGrf.exe
PID 2392 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_dcb4230a34199612d912db956abdd48d_cobalt-strike_cobaltstrike.exe C:\Windows\System\BOnFqMo.exe
PID 2392 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_dcb4230a34199612d912db956abdd48d_cobalt-strike_cobaltstrike.exe C:\Windows\System\BOnFqMo.exe
PID 2392 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_dcb4230a34199612d912db956abdd48d_cobalt-strike_cobaltstrike.exe C:\Windows\System\BOnFqMo.exe
PID 2392 wrote to memory of 3004 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_dcb4230a34199612d912db956abdd48d_cobalt-strike_cobaltstrike.exe C:\Windows\System\IfqbJUJ.exe
PID 2392 wrote to memory of 3004 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_dcb4230a34199612d912db956abdd48d_cobalt-strike_cobaltstrike.exe C:\Windows\System\IfqbJUJ.exe
PID 2392 wrote to memory of 3004 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_dcb4230a34199612d912db956abdd48d_cobalt-strike_cobaltstrike.exe C:\Windows\System\IfqbJUJ.exe
PID 2392 wrote to memory of 1616 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_dcb4230a34199612d912db956abdd48d_cobalt-strike_cobaltstrike.exe C:\Windows\System\TIhBHok.exe
PID 2392 wrote to memory of 1616 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_dcb4230a34199612d912db956abdd48d_cobalt-strike_cobaltstrike.exe C:\Windows\System\TIhBHok.exe
PID 2392 wrote to memory of 1616 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_dcb4230a34199612d912db956abdd48d_cobalt-strike_cobaltstrike.exe C:\Windows\System\TIhBHok.exe
PID 2392 wrote to memory of 3008 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_dcb4230a34199612d912db956abdd48d_cobalt-strike_cobaltstrike.exe C:\Windows\System\IHWIuOM.exe
PID 2392 wrote to memory of 3008 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_dcb4230a34199612d912db956abdd48d_cobalt-strike_cobaltstrike.exe C:\Windows\System\IHWIuOM.exe
PID 2392 wrote to memory of 3008 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_dcb4230a34199612d912db956abdd48d_cobalt-strike_cobaltstrike.exe C:\Windows\System\IHWIuOM.exe
PID 2392 wrote to memory of 1952 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_dcb4230a34199612d912db956abdd48d_cobalt-strike_cobaltstrike.exe C:\Windows\System\qtJbXMs.exe
PID 2392 wrote to memory of 1952 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_dcb4230a34199612d912db956abdd48d_cobalt-strike_cobaltstrike.exe C:\Windows\System\qtJbXMs.exe
PID 2392 wrote to memory of 1952 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_dcb4230a34199612d912db956abdd48d_cobalt-strike_cobaltstrike.exe C:\Windows\System\qtJbXMs.exe
PID 2392 wrote to memory of 1268 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_dcb4230a34199612d912db956abdd48d_cobalt-strike_cobaltstrike.exe C:\Windows\System\UiofGBv.exe
PID 2392 wrote to memory of 1268 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_dcb4230a34199612d912db956abdd48d_cobalt-strike_cobaltstrike.exe C:\Windows\System\UiofGBv.exe
PID 2392 wrote to memory of 1268 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_dcb4230a34199612d912db956abdd48d_cobalt-strike_cobaltstrike.exe C:\Windows\System\UiofGBv.exe
PID 2392 wrote to memory of 2472 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_dcb4230a34199612d912db956abdd48d_cobalt-strike_cobaltstrike.exe C:\Windows\System\deaYOZt.exe
PID 2392 wrote to memory of 2472 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_dcb4230a34199612d912db956abdd48d_cobalt-strike_cobaltstrike.exe C:\Windows\System\deaYOZt.exe
PID 2392 wrote to memory of 2472 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_dcb4230a34199612d912db956abdd48d_cobalt-strike_cobaltstrike.exe C:\Windows\System\deaYOZt.exe
PID 2392 wrote to memory of 2588 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_dcb4230a34199612d912db956abdd48d_cobalt-strike_cobaltstrike.exe C:\Windows\System\cVbPxtq.exe
PID 2392 wrote to memory of 2588 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_dcb4230a34199612d912db956abdd48d_cobalt-strike_cobaltstrike.exe C:\Windows\System\cVbPxtq.exe
PID 2392 wrote to memory of 2588 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_dcb4230a34199612d912db956abdd48d_cobalt-strike_cobaltstrike.exe C:\Windows\System\cVbPxtq.exe
PID 2392 wrote to memory of 2768 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_dcb4230a34199612d912db956abdd48d_cobalt-strike_cobaltstrike.exe C:\Windows\System\sCfHGeL.exe
PID 2392 wrote to memory of 2768 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_dcb4230a34199612d912db956abdd48d_cobalt-strike_cobaltstrike.exe C:\Windows\System\sCfHGeL.exe
PID 2392 wrote to memory of 2768 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_dcb4230a34199612d912db956abdd48d_cobalt-strike_cobaltstrike.exe C:\Windows\System\sCfHGeL.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-01_dcb4230a34199612d912db956abdd48d_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-01_dcb4230a34199612d912db956abdd48d_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\yEBdTvZ.exe

C:\Windows\System\yEBdTvZ.exe

C:\Windows\System\GQHpBJe.exe

C:\Windows\System\GQHpBJe.exe

C:\Windows\System\AqkzwGR.exe

C:\Windows\System\AqkzwGR.exe

C:\Windows\System\inveqQK.exe

C:\Windows\System\inveqQK.exe

C:\Windows\System\hzucUUt.exe

C:\Windows\System\hzucUUt.exe

C:\Windows\System\PNjUGME.exe

C:\Windows\System\PNjUGME.exe

C:\Windows\System\uHHXMkk.exe

C:\Windows\System\uHHXMkk.exe

C:\Windows\System\emTwIOH.exe

C:\Windows\System\emTwIOH.exe

C:\Windows\System\FUxGlBk.exe

C:\Windows\System\FUxGlBk.exe

C:\Windows\System\NqqpDLo.exe

C:\Windows\System\NqqpDLo.exe

C:\Windows\System\TnaNihV.exe

C:\Windows\System\TnaNihV.exe

C:\Windows\System\FNAIGrf.exe

C:\Windows\System\FNAIGrf.exe

C:\Windows\System\BOnFqMo.exe

C:\Windows\System\BOnFqMo.exe

C:\Windows\System\IfqbJUJ.exe

C:\Windows\System\IfqbJUJ.exe

C:\Windows\System\TIhBHok.exe

C:\Windows\System\TIhBHok.exe

C:\Windows\System\IHWIuOM.exe

C:\Windows\System\IHWIuOM.exe

C:\Windows\System\qtJbXMs.exe

C:\Windows\System\qtJbXMs.exe

C:\Windows\System\UiofGBv.exe

C:\Windows\System\UiofGBv.exe

C:\Windows\System\deaYOZt.exe

C:\Windows\System\deaYOZt.exe

C:\Windows\System\cVbPxtq.exe

C:\Windows\System\cVbPxtq.exe

C:\Windows\System\sCfHGeL.exe

C:\Windows\System\sCfHGeL.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp

Files

memory/2392-0-0x000000013F8A0000-0x000000013FBF4000-memory.dmp

memory/2392-1-0x00000000001F0000-0x0000000000200000-memory.dmp

\Windows\system\yEBdTvZ.exe

MD5 5b3865a54a4ca480e3829b07b8a68501
SHA1 1c9d92040f2fe9ac75d0fb1769334ac49f0f5f05
SHA256 d9d2224298804aaf3388c3f7fff2849a72fc7b50dea47df9d3cc38166b950608
SHA512 43d89acc3f9654deac9fdda3e9c3d98ebeba0dc1b5f85089b60dddc5a31f7285acd1acd4ff35d2b411345f1eaa22ff3ab3ddbe4602bc36d6d6390b68f5a354da

memory/2392-6-0x0000000002480000-0x00000000027D4000-memory.dmp

memory/2916-8-0x000000013F890000-0x000000013FBE4000-memory.dmp

\Windows\system\GQHpBJe.exe

MD5 b8d5092547c508b15bb8b479cff26ca6
SHA1 e045a72b70ab95b55de760e3ba43f3acfce9467e
SHA256 f2e161338b3f77281f423842ac927de872acb304ca45a61d40afc6beec297df0
SHA512 6fa59ca660860e3bbd12c147405e3d52ad24211da76c95e0079b06f3ef79597c7ff57d58e358f9c85da883fac08fff58cd8a771d65f0e895eba953931bc708f8

C:\Windows\system\AqkzwGR.exe

MD5 2651f7f050c6471c4f0b4c7a27170e44
SHA1 80fb018a51127573b2dcc671b64b5d8b69d6c5f0
SHA256 854acbad4e7d479d74a82bef4a79b0a17ece850a8152e28aed05b4630619e6e7
SHA512 e4646774777a420ecf0c032292cc31c829044fe0321d646fcd28778757576c72c7f0a995ed49c95d3f5f52c6f7b38a520db1e10a136dea97584c2456b8a0b3a8

memory/2820-21-0x000000013F840000-0x000000013FB94000-memory.dmp

memory/2392-18-0x0000000002480000-0x00000000027D4000-memory.dmp

memory/2224-15-0x000000013F080000-0x000000013F3D4000-memory.dmp

\Windows\system\inveqQK.exe

MD5 03f2bebcf1c7d01b5bd98086634227c6
SHA1 248d72d5ec200b385468f0d17d04382c9fcbf075
SHA256 00e025132ea4c7e9bdab43d4c10558f4a78b6e5aedea7b8d62ecc89f6d2b56ab
SHA512 f1d3cdde7a935816defec748438a4faade6629cab85dd3fd8d24fc1bb7a8804915b7319ba456f018748c1f0343951b323cd15ba2627f398b25df8a965f31017c

memory/2440-29-0x000000013F310000-0x000000013F664000-memory.dmp

\Windows\system\PNjUGME.exe

MD5 a4169c281672c6961baa0217fdcd0d3c
SHA1 b911f7d1ecdc5266c47cc0a96d50bcc108b0f9af
SHA256 89f28dcaf22396a9095e66385229b06eae81bb0c5f6233cffc89876634318ffe
SHA512 9f2e1c9deae1d8c0227f052456783a10975e1df5a9e64832e89b9da6ceb8f784d3fd7fb98566cbfd160154a87fa116679fa7415557a25fab0d3b2ff5808c4896

C:\Windows\system\hzucUUt.exe

MD5 42082cf725da57120c1019273c180f25
SHA1 bc7e373cb4c3fef77bbb3d550d51abbc92e139db
SHA256 96a2606bbc6e8580085a977fb850235c95a81c4f053fe08d3852ee406571f916
SHA512 d1f350b3e606941311a193a204a8a2d7bb5ce23933895e28ea7b465d3b4cd24fae368c31c74d04d345438487a3c91a73f4b03453b9b2c40a0769c0d3ece09f77

memory/2700-42-0x000000013F400000-0x000000013F754000-memory.dmp

memory/2392-41-0x000000013F8A0000-0x000000013FBF4000-memory.dmp

memory/2928-38-0x000000013FED0000-0x0000000140224000-memory.dmp

memory/2392-36-0x000000013F400000-0x000000013F754000-memory.dmp

memory/2392-26-0x000000013F310000-0x000000013F664000-memory.dmp

\Windows\system\uHHXMkk.exe

MD5 6cc7f8f70e1a81401eb4c537711d0920
SHA1 689bb07d68d1aba589b327b420f23fef8813111b
SHA256 91b7bf78d4919e37d7a3913e6b37dea58f0090aa6d849821c9703c3a64ae6e8c
SHA512 6988315e29d4f4658d31989b3b1d7cef16fb04dac78a731881bdd60936a7a77d0529ffe119b0809b74a59619b3cf2c4dbb14b58e9bb5ca41b5eb773f81f29356

C:\Windows\system\emTwIOH.exe

MD5 7f3a3ed48161dbb546a02f2a3434665d
SHA1 3099d39e39016d5517bb0a8b6dd0a98ee5df718c
SHA256 a5bdd064a2e861ab19e37f39ffcd5f90f90ab8f2c1287bf72715a8de39a6fe95
SHA512 ffe7390ae46a1510def6bb27e7170cf49773b9f457b6697e6d67e57260e6d527964e2aa793a48b83ce4db23ca81f0d2cc6b1be47bdfb8f130ea2646230e21066

memory/2392-56-0x000000013F0D0000-0x000000013F424000-memory.dmp

memory/1292-57-0x000000013F0D0000-0x000000013F424000-memory.dmp

memory/2916-54-0x000000013F890000-0x000000013FBE4000-memory.dmp

\Windows\system\FUxGlBk.exe

MD5 d289691f541edb11a1fe33cc158ea855
SHA1 1656e4f1cf097b3d3ecff70f96e6dc42afc47d9b
SHA256 ff53b61affb21fb209b049759c53385898823ed49b7ab74ed9ae9c71f290e288
SHA512 7819e25081dfbbd2ecd7f9c05c3cd6cf10be51339c001cc46a7520240ec27464e21044333f40ba511213bd7392729adddabbecf3199062b2cc52081e369ec9ce

memory/2720-65-0x000000013F0C0000-0x000000013F414000-memory.dmp

memory/2392-64-0x000000013F0C0000-0x000000013F414000-memory.dmp

memory/2224-63-0x000000013F080000-0x000000013F3D4000-memory.dmp

memory/2392-62-0x000000013F080000-0x000000013F3D4000-memory.dmp

memory/2688-49-0x000000013F680000-0x000000013F9D4000-memory.dmp

C:\Windows\system\NqqpDLo.exe

MD5 6fe3c0972bea98cad9763fca2bef21b1
SHA1 be7dee314157ba2b25723e47c9c7ebf1f4dc1672
SHA256 6c99ceb70b98f9e9ab024b824d205950e36c13c35d2e02d3f9031b9cf82f99d6
SHA512 210da21e15f16a536c5cb3bab9e31d07889f95b72471c84e91d7eb05ac11ba1e24e0e800a1feb6a6833ebecfff48b24ea1c369eb4e9459388ce6d758264ec14e

memory/2572-73-0x000000013F3D0000-0x000000013F724000-memory.dmp

memory/2392-86-0x0000000002480000-0x00000000027D4000-memory.dmp

memory/1900-87-0x000000013F770000-0x000000013FAC4000-memory.dmp

memory/2600-94-0x000000013FCA0000-0x000000013FFF4000-memory.dmp

C:\Windows\system\UiofGBv.exe

MD5 fbb556d207dbe07b8450fddddaeeb153
SHA1 677ece9e5e9f604719a849e7436c04314a6717b6
SHA256 2f3a0b15027dda00b64abe525000c11920076a6562403319301175c0ab333cfd
SHA512 3d292e44e17ab6d1c2a22f7c7106217416091305fd17dc14bb6868fabcd22306b33a6baddf19ba0a61c22ceb9c95ec8cb47f5426153b4873811e3936affac0b9

C:\Windows\system\cVbPxtq.exe

MD5 5a7b06ea90e40c66c09b5700497ef10b
SHA1 a3c804cc46c5751b9eb2df64b4a00371e6870e82
SHA256 e215b6a37985fbcb94939768d5d9bdebc0d2ee860245dfc428b6e33572e22101
SHA512 5813a62190dfc522c67f5e7fc48ab2ac2ff82a36ab89adaf200889522d024144ac2eae08e24755c11853bef03d4bb3100c936f76dccbc9ed227c437b83f9de0f

\Windows\system\sCfHGeL.exe

MD5 a6360e9d2baa05f81ffb79e85a2e66b5
SHA1 22cf3a4ede6095cf40b833885ce4af16de85c51b
SHA256 8a53103405b6fc77631b374cd2307acfd0788fca011ab88f541e793f6daa746e
SHA512 218c6fa79cc69528cea7ce1dafe9ae243a849ca5a4f8a552d797d77203755b2975291ad50646ea3a2db57d5be0da9d0f272645955962c0d2cf50bd6d728cacc7

C:\Windows\system\deaYOZt.exe

MD5 de09e567ee757e98301edd6b16fa4c1c
SHA1 7b6142f381204df12bcf7f83954133cb32a7cd28
SHA256 ee086d6ea81f842c17a51c3907d0cf9838f8d5e334598f4a6fe8fcf2c32f4a4a
SHA512 2ce532a78ba2553185d564fb1700786ba4a5cafc1b672320499ac1dc99b83980f70b3ce0c2ca1a2ca33fd84e2239790ca9ef88a77ba0b5ffc1a4c079605fcd25

C:\Windows\system\qtJbXMs.exe

MD5 d0a7911cd0b43264250a19776df042f8
SHA1 802b3475051cffb22e9ffc74c4ee79d3a2ea1b61
SHA256 4b712480a3d4765f3123f4423c6857b01eac1e4100978730e8f13859fc2d9f84
SHA512 e6b167ffd3a54d83005b232862fc1495440ab71c6ff5c48d9181ce895b2fcd08d261c52f7fa196f354fa0ffb46c9fbe3e7b5018b097c464c2c698edb48b46849

memory/2392-108-0x0000000002480000-0x00000000027D4000-memory.dmp

memory/2928-107-0x000000013FED0000-0x0000000140224000-memory.dmp

\Windows\system\TIhBHok.exe

MD5 db5759122ba99f4fb3e4b04e62c013d9
SHA1 ab726921e99c65e4ed308d726732cde69f5fb372
SHA256 77647a037a88e6806c20483ad92e901f7219d8ee29e6a61594637fbde7710835
SHA512 b0b2ee36ea5e0429c441947cf39bbc4dc33d5a3d72c5202bcc71dfa6e1e705a037332842078d9f55d2c3d8928efa192f4f65dd7ec2ffd569787269a3057ea811

C:\Windows\system\IHWIuOM.exe

MD5 31675ae8ed63288d5fce9ffe7b02c5f7
SHA1 56f8019d69df29e24c0852f9c8e0db6cb1a2e994
SHA256 5c31348fd780fe160db3dfc97ca9eeedfb5c4a5bb08e70e66fd2b7ee20085bcc
SHA512 8a653e0c092093a0462424edceaf0bdbcad8cac7e5a4ad1eedf27b3f9d6a3596daa8ca339ae8d34528bcd41e03ce4492b263dff93f800b72cb1bea9fc3d39cfb

memory/2700-140-0x000000013F400000-0x000000013F754000-memory.dmp

memory/3004-103-0x000000013F770000-0x000000013FAC4000-memory.dmp

memory/2392-102-0x0000000002480000-0x00000000027D4000-memory.dmp

C:\Windows\system\IfqbJUJ.exe

MD5 ddba4687134e6f87ab1c7fb245397851
SHA1 cc21a3d9ffe63df2a6e847be47598f11d18ae6f4
SHA256 e9b9e7883763be3475d18781f190fd7e74872ecfc07dd2571223c1fa4a7d1b4b
SHA512 07adb57c2da213c3efc918d58c4bb956e7b393e848a447fba51b0e2c19641a23fb7701cbc5d9f20a86fb346e55631db6cab039ba0dba85c0b9cc2d494ce03dd2

memory/2392-93-0x000000013FCA0000-0x000000013FFF4000-memory.dmp

memory/2440-92-0x000000013F310000-0x000000013F664000-memory.dmp

C:\Windows\system\BOnFqMo.exe

MD5 a8b4fc6e078f3d21f6fd7add901be330
SHA1 f328301e5988bbd54de4b3f923532f85cfc72ccb
SHA256 b4790020771d810f02aa6ae5406902fc9237fe2c19aa11ca17e82dad1a8953cd
SHA512 950fc00fcf77fd2ad944fad3e31ef46052ea744733b4f14eca2aac206a3e103665ca9521313cb967306cb69beda5bf5583044c6952125494502bd833b6ec32dc

memory/2820-85-0x000000013F840000-0x000000013FB94000-memory.dmp

C:\Windows\system\FNAIGrf.exe

MD5 6b343e6c6f054f0f699dfefd01c43350
SHA1 ad318d5ea9105c8848716d5879ded0ecfd613d60
SHA256 66921312c6387105d05ffb288b4b5b979e39d088b2ca55192776105e2473d148
SHA512 3e8346c9d242d0ef3d0bdeff7f6a58944b3a53c70032ac4e92f9f1f021c7dad6b144ee3e0a08c57eaa5e4875ad3b6ad06588d3a44e867dc79e880e524ac5a4e3

memory/3024-79-0x000000013F950000-0x000000013FCA4000-memory.dmp

memory/2392-78-0x0000000002480000-0x00000000027D4000-memory.dmp

C:\Windows\system\TnaNihV.exe

MD5 5c3a718550083d03ecb109f5ecd267b4
SHA1 a52a62b4aa17463f1fe956d480529dc5e412d759
SHA256 7d110be7e5ece8fa137454aa75112e419417d9974ae8173bd4fab610916edb92
SHA512 0311ee36544aaab9700ee4b3e568b2ed9d7b6e98bb8d6c9d38b68236b8010bd12e1764ebaff6f496c65aac858cda17f63cbb17074cb543a26cc4947075f49b2d

memory/2392-72-0x000000013F3D0000-0x000000013F724000-memory.dmp

memory/2392-141-0x000000013F0D0000-0x000000013F424000-memory.dmp

memory/2392-142-0x000000013F0C0000-0x000000013F414000-memory.dmp

memory/2720-143-0x000000013F0C0000-0x000000013F414000-memory.dmp

memory/2392-144-0x0000000002480000-0x00000000027D4000-memory.dmp

memory/3024-145-0x000000013F950000-0x000000013FCA4000-memory.dmp

memory/1900-146-0x000000013F770000-0x000000013FAC4000-memory.dmp

memory/2392-147-0x000000013FCA0000-0x000000013FFF4000-memory.dmp

memory/2600-148-0x000000013FCA0000-0x000000013FFF4000-memory.dmp

memory/2916-149-0x000000013F890000-0x000000013FBE4000-memory.dmp

memory/2224-150-0x000000013F080000-0x000000013F3D4000-memory.dmp

memory/2820-151-0x000000013F840000-0x000000013FB94000-memory.dmp

memory/2440-152-0x000000013F310000-0x000000013F664000-memory.dmp

memory/2928-153-0x000000013FED0000-0x0000000140224000-memory.dmp

memory/2700-154-0x000000013F400000-0x000000013F754000-memory.dmp

memory/2688-155-0x000000013F680000-0x000000013F9D4000-memory.dmp

memory/1292-156-0x000000013F0D0000-0x000000013F424000-memory.dmp

memory/2720-157-0x000000013F0C0000-0x000000013F414000-memory.dmp

memory/2572-158-0x000000013F3D0000-0x000000013F724000-memory.dmp

memory/3024-159-0x000000013F950000-0x000000013FCA4000-memory.dmp

memory/1900-160-0x000000013F770000-0x000000013FAC4000-memory.dmp

memory/2600-161-0x000000013FCA0000-0x000000013FFF4000-memory.dmp

memory/3004-162-0x000000013F770000-0x000000013FAC4000-memory.dmp