Malware Analysis Report

2024-10-24 18:16

Sample ID 240606-qxmrwseg7z
Target 2024-06-06_461d66f0c7bc5054bdda0bc236311357_cobalt-strike_cobaltstrike
SHA256 13c8a79a22d5034b55634ca96fa57030388a098a60dfc92e86a0613ed36f2206
Tags
cobaltstrike xmrig 0 backdoor miner trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

13c8a79a22d5034b55634ca96fa57030388a098a60dfc92e86a0613ed36f2206

Threat Level: Known bad

The file 2024-06-06_461d66f0c7bc5054bdda0bc236311357_cobalt-strike_cobaltstrike was found to be: Known bad.

Malicious Activity Summary

cobaltstrike xmrig 0 backdoor miner trojan upx

Cobaltstrike family

Cobaltstrike

Cobalt Strike reflective loader

UPX dump on OEP (original entry point)

Xmrig family

XMRig Miner payload

Detects Reflective DLL injection artifacts

xmrig

UPX packed file

Executes dropped EXE

Loads dropped DLL

Drops file in Windows directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-06 13:38

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike family

cobaltstrike

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Xmrig family

xmrig

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
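The three file-level signatures in this static pass (UPX packed file, UPX dump on OEP, Unsigned PE) can be checked on the dropped binaries without detonating them. The Python below is an added example and not part of the sandbox report: it walks the PE section table with `struct` alone, scores each section's Shannon entropy, and tests the cheap UPX tells (UPX0/UPX1 section names, the `UPX!` packer marker, and a first section with zero raw size that exists only as the decompression destination), plus whether the Certificate Table data directory is populated, which is what "Unsigned PE" means at the file level. Presence of a certificate is not validity; that needs WinVerifyTrust or `signtool verify`. The `build_sample_pe` helper constructs minimal, non-loadable PE32+ images so the example runs offline; those fixtures are constructed here and are not the report's samples.

```python
import math
import random
import struct
from dataclasses import dataclass


@dataclass
class Section:
    name: str
    virtual_size: int
    raw_size: int
    entropy: float


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; compressed or encrypted data approaches 8.0."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def _pe_header_offset(pe: bytes) -> int:
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    return e_lfanew


def parse_sections(pe: bytes) -> list[Section]:
    """Walk the COFF section table (40-byte entries) and measure each section's raw bytes."""
    nt = _pe_header_offset(pe)
    num_sections = struct.unpack_from("<H", pe, nt + 6)[0]
    opt_size = struct.unpack_from("<H", pe, nt + 20)[0]
    table = nt + 24 + opt_size
    sections = []
    for i in range(num_sections):
        name, vsize, _va, rsize, rptr = struct.unpack_from("<8sIIII", pe, table + i * 40)
        raw = pe[rptr:rptr + rsize] if rsize else b""
        sections.append(Section(name.rstrip(b"\0").decode("ascii", "replace"),
                                vsize, rsize, shannon_entropy(raw)))
    return sections


def has_certificate_table(pe: bytes) -> bool:
    """True if data directory 4 (IMAGE_DIRECTORY_ENTRY_SECURITY) has a non-zero size."""
    nt = _pe_header_offset(pe)
    opt = nt + 24
    magic = struct.unpack_from("<H", pe, opt)[0]
    dir_base = opt + (112 if magic == 0x20B else 96)   # PE32+ vs PE32 optional header layout
    _rva, size = struct.unpack_from("<II", pe, dir_base + 4 * 8)
    return size != 0


def upx_indicators(pe: bytes) -> dict:
    secs = parse_sections(pe)
    return {
        "sections": [s.name for s in secs],
        "upx_section_names": any(s.name.startswith("UPX") for s in secs),
        "upx_marker": b"UPX!" in pe,
        "empty_first_section": bool(secs) and secs[0].raw_size == 0 and secs[0].virtual_size > 0,
        "high_entropy_sections": [s.name for s in secs if s.raw_size >= 256 and s.entropy > 7.0],
        "has_certificate_table": has_certificate_table(pe),
    }


def looks_upx_packed(pe: bytes) -> bool:
    ind = upx_indicators(pe)
    return ind["upx_section_names"] or (ind["upx_marker"] and ind["empty_first_section"])


def build_sample_pe(sections: list[tuple[str, bytes, int]], marker: bytes = b"") -> bytes:
    """Constructed fixture: minimal PE32+ header plus (name, raw bytes, virtual size) sections.
    Not loadable; it only exercises the parser above. Data directories are zeroed, so no certificate."""
    e_lfanew, opt_size, align = 0x80, 240, 0x200
    dos = (b"MZ" + b"\0" * 0x3A + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\0")
    coff = struct.pack("<HHIIIHH", 0x8664, len(sections), 0, 0, 0, opt_size, 0x22)
    opt = struct.pack("<H", 0x20B).ljust(opt_size, b"\0")
    headers_len = e_lfanew + 4 + 20 + opt_size + 40 * len(sections) + len(marker)
    first_raw = (headers_len + align - 1) // align * align
    table, body, raw_ptr, va = b"", b"", first_raw, 0x1000
    for name, raw, vsize in sections:
        table += struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"), vsize, va,
                             len(raw), raw_ptr if raw else 0, 0, 0, 0, 0, 0x60000020)
        body += raw
        raw_ptr += len(raw)
        va += max(vsize, 0x1000)
    header = dos + b"PE\0\0" + coff + opt + table + marker
    return header.ljust(first_raw, b"\0") + body


# Constructed samples: a UPX-shaped image (empty UPX0, high-entropy UPX1, UPX! marker) and a plain one.
_rng = random.Random(20240606)
PACKED = build_sample_pe(
    [("UPX0", b"", 0x30000), ("UPX1", _rng.randbytes(4096), 0x2000), (".rsrc", b"\0" * 512, 0x200)],
    marker=b"UPX!",
)
PLAIN = build_sample_pe(
    [(".text", b"\x90" * 3000 + b"\xc3", 0x1000), (".data", b"sample data " * 64, 0x400)]
)

if __name__ == "__main__":
    for label, image in (("packed", PACKED), ("plain", PLAIN)):
        print(label, looks_upx_packed(image), upx_indicators(image))
```

Run it against the files under C:\Windows\System listed later in this report by replacing the fixtures with `open(path, "rb").read()`; a UPX hit on a dropped file plus no certificate table reproduces the static1 verdict, and the entropy list tells you which section to dump once the unpacker reaches the OEP.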

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-06 13:38

Reported

2024-06-06 13:41

Platform

win10v2004-20240508-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-06_461d66f0c7bc5054bdda0bc236311357_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
(21 rows in the original table, all fields N/A in this export)

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
(21 rows in the original table, all fields N/A in this export)

UPX dump on OEP (original entry point)

Description Indicator Process Target
(64 rows in the original table, all fields N/A in this export)

XMRig Miner payload

miner
Description Indicator Process Target
(64 rows in the original table, all fields N/A in this export)

UPX packed file

upx
Description Indicator Process Target
(64 rows in the original table, all fields N/A in this export)

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\FoWysuA.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_461d66f0c7bc5054bdda0bc236311357_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\sYNecfF.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_461d66f0c7bc5054bdda0bc236311357_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\gFTwpVK.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_461d66f0c7bc5054bdda0bc236311357_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\mOMVNbP.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_461d66f0c7bc5054bdda0bc236311357_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ysdhCSu.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_461d66f0c7bc5054bdda0bc236311357_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\RpHKQjp.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_461d66f0c7bc5054bdda0bc236311357_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\wbbUtOz.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_461d66f0c7bc5054bdda0bc236311357_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\dQjLEop.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_461d66f0c7bc5054bdda0bc236311357_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\tNhoQkT.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_461d66f0c7bc5054bdda0bc236311357_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\BfOwunl.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_461d66f0c7bc5054bdda0bc236311357_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\AOvmNkV.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_461d66f0c7bc5054bdda0bc236311357_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\CFZLBqk.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_461d66f0c7bc5054bdda0bc236311357_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\zbRwSvw.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_461d66f0c7bc5054bdda0bc236311357_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\dTRDOVZ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_461d66f0c7bc5054bdda0bc236311357_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\sHJPkFE.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_461d66f0c7bc5054bdda0bc236311357_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\pOzczpW.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_461d66f0c7bc5054bdda0bc236311357_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\GrAgMuS.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_461d66f0c7bc5054bdda0bc236311357_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\sZJtuYg.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_461d66f0c7bc5054bdda0bc236311357_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\DtReISB.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_461d66f0c7bc5054bdda0bc236311357_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\TgtKoxa.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_461d66f0c7bc5054bdda0bc236311357_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\UVebHov.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_461d66f0c7bc5054bdda0bc236311357_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_461d66f0c7bc5054bdda0bc236311357_cobalt-strike_cobaltstrike.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_461d66f0c7bc5054bdda0bc236311357_cobalt-strike_cobaltstrike.exe N/A
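SeLockMemoryPrivilege is the "Lock pages in memory" right, required to allocate large pages (VirtualAlloc with MEM_LARGE_PAGES). XMRig enables it at start-up because its RandomX dataset and scratchpads run faster on huge pages, and when the account lacks the right it also tries to grant it to itself through the LSA policy API; that is why the sandbox ties this token adjustment to the miner rather than to the Cobalt Strike component. On a production host the same behaviour surfaces as Security event 4703 (A user right was adjusted, needs Detailed Tracking > Audit Token Right Adjusted enabled) and 4704 (A user right was assigned, under Policy Change > Audit Authorization Policy Change). The Python below is an added example, not part of the report: it parses constructed 4703/4704 records written as a flat key=value rendering of the real EventData field names (SubjectUserName, ProcessName, EnabledPrivilegeList, PrivilegeList, TargetSid) and flags SeLockMemoryPrivilege use by anything outside a per-estate allowlist. The sqlservr.exe allowlist entry is an assumption standing in for whatever legitimately uses large pages in your environment.

```python
import re
from collections import Counter
from dataclasses import dataclass

PRIV = "SeLockMemoryPrivilege"

# Assumption: images that legitimately hold "Lock pages in memory" in this estate. Tune per environment.
EXPECTED_LOCK_MEMORY_PROCESSES = {
    r"c:\program files\microsoft sql server\mssql15.mssqlserver\mssql\binn\sqlservr.exe",
}

# Constructed records. The two rows for the sample's ProcessName mirror the report above;
# the SQL Server, 4704 and svchost rows are filler to exercise the allowlist and the other event id.
SAMPLE_EVENTS = r"""
EventID=4703
SubjectUserName=MSSQLSERVER
ProcessName=C:\Program Files\Microsoft SQL Server\MSSQL15.MSSQLSERVER\MSSQL\Binn\sqlservr.exe
EnabledPrivilegeList=SeLockMemoryPrivilege
DisabledPrivilegeList=-
---
EventID=4704
SubjectUserName=Admin
TargetSid=S-1-5-21-1111-2222-3333-1001
PrivilegeList=SeLockMemoryPrivilege
---
EventID=4703
SubjectUserName=Admin
ProcessName=C:\Users\Admin\AppData\Local\Temp\2024-06-06_461d66f0c7bc5054bdda0bc236311357_cobalt-strike_cobaltstrike.exe
EnabledPrivilegeList=SeLockMemoryPrivilege
DisabledPrivilegeList=-
---
EventID=4703
SubjectUserName=Admin
ProcessName=C:\Users\Admin\AppData\Local\Temp\2024-06-06_461d66f0c7bc5054bdda0bc236311357_cobalt-strike_cobaltstrike.exe
EnabledPrivilegeList=SeLockMemoryPrivilege
DisabledPrivilegeList=-
---
EventID=4703
SubjectUserName=SYSTEM
ProcessName=C:\Windows\System32\svchost.exe
EnabledPrivilegeList=SeShutdownPrivilege
DisabledPrivilegeList=-
"""


@dataclass(frozen=True)
class Finding:
    event_id: int
    subject: str
    process: str      # image path for 4703, target SID for 4704
    reason: str


def _privs(value: str) -> frozenset:
    """Privilege lists are comma- or newline-separated; a lone '-' means empty."""
    return frozenset(p.strip() for p in re.split(r"[,\n]", value) if p.strip() and p.strip() != "-")


def parse_events(text: str) -> list[dict]:
    """Split on the record separator and read key=value lines into one dict per event."""
    events = []
    for block in text.strip().split("---"):
        fields = {}
        for line in block.strip().splitlines():
            key, sep, val = line.partition("=")
            if sep:
                fields[key.strip()] = val.strip()
        if fields:
            events.append(fields)
    return events


def flag_lock_memory(events: list[dict]) -> list[Finding]:
    findings = []
    for ev in events:
        eid = int(ev.get("EventID", 0))
        subj = ev.get("SubjectUserName", "")
        if eid == 4703 and PRIV in _privs(ev.get("EnabledPrivilegeList", "-")):
            proc = ev.get("ProcessName", "")
            if proc.lower() not in EXPECTED_LOCK_MEMORY_PROCESSES:
                findings.append(Finding(eid, subj, proc, "enabled SeLockMemoryPrivilege from unexpected image"))
        elif eid == 4704 and PRIV in _privs(ev.get("PrivilegeList", "-")):
            findings.append(Finding(eid, subj, ev.get("TargetSid", ""), "SeLockMemoryPrivilege granted to an account"))
    return findings


def repeat_offenders(findings: list[Finding]) -> Counter:
    """The sandbox logged the adjustment twice for one image; counting per image makes such repeats visible."""
    return Counter(f.process for f in findings if f.event_id == 4703)


if __name__ == "__main__":
    for f in flag_lock_memory(parse_events(SAMPLE_EVENTS)):
        print(f.event_id, f.subject, f.process, f.reason)
```

A 4704 for SeLockMemoryPrivilege outside change management is the stronger signal of the two, because a miner that self-grants the right leaves a persistent change in the local security policy that survives the process.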

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2168 wrote to memory of 1440 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_461d66f0c7bc5054bdda0bc236311357_cobalt-strike_cobaltstrike.exe C:\Windows\System\pOzczpW.exe
PID 2168 wrote to memory of 1440 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_461d66f0c7bc5054bdda0bc236311357_cobalt-strike_cobaltstrike.exe C:\Windows\System\pOzczpW.exe
PID 2168 wrote to memory of 4516 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_461d66f0c7bc5054bdda0bc236311357_cobalt-strike_cobaltstrike.exe C:\Windows\System\FoWysuA.exe
PID 2168 wrote to memory of 4516 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_461d66f0c7bc5054bdda0bc236311357_cobalt-strike_cobaltstrike.exe C:\Windows\System\FoWysuA.exe
PID 2168 wrote to memory of 4596 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_461d66f0c7bc5054bdda0bc236311357_cobalt-strike_cobaltstrike.exe C:\Windows\System\DtReISB.exe
PID 2168 wrote to memory of 4596 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_461d66f0c7bc5054bdda0bc236311357_cobalt-strike_cobaltstrike.exe C:\Windows\System\DtReISB.exe
PID 2168 wrote to memory of 4788 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_461d66f0c7bc5054bdda0bc236311357_cobalt-strike_cobaltstrike.exe C:\Windows\System\TgtKoxa.exe
PID 2168 wrote to memory of 4788 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_461d66f0c7bc5054bdda0bc236311357_cobalt-strike_cobaltstrike.exe C:\Windows\System\TgtKoxa.exe
PID 2168 wrote to memory of 2992 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_461d66f0c7bc5054bdda0bc236311357_cobalt-strike_cobaltstrike.exe C:\Windows\System\sYNecfF.exe
PID 2168 wrote to memory of 2992 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_461d66f0c7bc5054bdda0bc236311357_cobalt-strike_cobaltstrike.exe C:\Windows\System\sYNecfF.exe
PID 2168 wrote to memory of 1704 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_461d66f0c7bc5054bdda0bc236311357_cobalt-strike_cobaltstrike.exe C:\Windows\System\GrAgMuS.exe
PID 2168 wrote to memory of 1704 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_461d66f0c7bc5054bdda0bc236311357_cobalt-strike_cobaltstrike.exe C:\Windows\System\GrAgMuS.exe
PID 2168 wrote to memory of 1572 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_461d66f0c7bc5054bdda0bc236311357_cobalt-strike_cobaltstrike.exe C:\Windows\System\gFTwpVK.exe
PID 2168 wrote to memory of 1572 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_461d66f0c7bc5054bdda0bc236311357_cobalt-strike_cobaltstrike.exe C:\Windows\System\gFTwpVK.exe
PID 2168 wrote to memory of 3908 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_461d66f0c7bc5054bdda0bc236311357_cobalt-strike_cobaltstrike.exe C:\Windows\System\mOMVNbP.exe
PID 2168 wrote to memory of 3908 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_461d66f0c7bc5054bdda0bc236311357_cobalt-strike_cobaltstrike.exe C:\Windows\System\mOMVNbP.exe
PID 2168 wrote to memory of 4356 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_461d66f0c7bc5054bdda0bc236311357_cobalt-strike_cobaltstrike.exe C:\Windows\System\dQjLEop.exe
PID 2168 wrote to memory of 4356 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_461d66f0c7bc5054bdda0bc236311357_cobalt-strike_cobaltstrike.exe C:\Windows\System\dQjLEop.exe
PID 2168 wrote to memory of 1252 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_461d66f0c7bc5054bdda0bc236311357_cobalt-strike_cobaltstrike.exe C:\Windows\System\tNhoQkT.exe
PID 2168 wrote to memory of 1252 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_461d66f0c7bc5054bdda0bc236311357_cobalt-strike_cobaltstrike.exe C:\Windows\System\tNhoQkT.exe
PID 2168 wrote to memory of 4160 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_461d66f0c7bc5054bdda0bc236311357_cobalt-strike_cobaltstrike.exe C:\Windows\System\ysdhCSu.exe
PID 2168 wrote to memory of 4160 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_461d66f0c7bc5054bdda0bc236311357_cobalt-strike_cobaltstrike.exe C:\Windows\System\ysdhCSu.exe
PID 2168 wrote to memory of 4964 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_461d66f0c7bc5054bdda0bc236311357_cobalt-strike_cobaltstrike.exe C:\Windows\System\BfOwunl.exe
PID 2168 wrote to memory of 4964 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_461d66f0c7bc5054bdda0bc236311357_cobalt-strike_cobaltstrike.exe C:\Windows\System\BfOwunl.exe
PID 2168 wrote to memory of 3800 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_461d66f0c7bc5054bdda0bc236311357_cobalt-strike_cobaltstrike.exe C:\Windows\System\UVebHov.exe
PID 2168 wrote to memory of 3800 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_461d66f0c7bc5054bdda0bc236311357_cobalt-strike_cobaltstrike.exe C:\Windows\System\UVebHov.exe
PID 2168 wrote to memory of 800 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_461d66f0c7bc5054bdda0bc236311357_cobalt-strike_cobaltstrike.exe C:\Windows\System\RpHKQjp.exe
PID 2168 wrote to memory of 800 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_461d66f0c7bc5054bdda0bc236311357_cobalt-strike_cobaltstrike.exe C:\Windows\System\RpHKQjp.exe
PID 2168 wrote to memory of 440 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_461d66f0c7bc5054bdda0bc236311357_cobalt-strike_cobaltstrike.exe C:\Windows\System\sZJtuYg.exe
PID 2168 wrote to memory of 440 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_461d66f0c7bc5054bdda0bc236311357_cobalt-strike_cobaltstrike.exe C:\Windows\System\sZJtuYg.exe
PID 2168 wrote to memory of 2388 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_461d66f0c7bc5054bdda0bc236311357_cobalt-strike_cobaltstrike.exe C:\Windows\System\AOvmNkV.exe
PID 2168 wrote to memory of 2388 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_461d66f0c7bc5054bdda0bc236311357_cobalt-strike_cobaltstrike.exe C:\Windows\System\AOvmNkV.exe
PID 2168 wrote to memory of 2976 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_461d66f0c7bc5054bdda0bc236311357_cobalt-strike_cobaltstrike.exe C:\Windows\System\CFZLBqk.exe
PID 2168 wrote to memory of 2976 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_461d66f0c7bc5054bdda0bc236311357_cobalt-strike_cobaltstrike.exe C:\Windows\System\CFZLBqk.exe
PID 2168 wrote to memory of 400 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_461d66f0c7bc5054bdda0bc236311357_cobalt-strike_cobaltstrike.exe C:\Windows\System\wbbUtOz.exe
PID 2168 wrote to memory of 400 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_461d66f0c7bc5054bdda0bc236311357_cobalt-strike_cobaltstrike.exe C:\Windows\System\wbbUtOz.exe
PID 2168 wrote to memory of 4436 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_461d66f0c7bc5054bdda0bc236311357_cobalt-strike_cobaltstrike.exe C:\Windows\System\zbRwSvw.exe
PID 2168 wrote to memory of 4436 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_461d66f0c7bc5054bdda0bc236311357_cobalt-strike_cobaltstrike.exe C:\Windows\System\zbRwSvw.exe
PID 2168 wrote to memory of 2544 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_461d66f0c7bc5054bdda0bc236311357_cobalt-strike_cobaltstrike.exe C:\Windows\System\dTRDOVZ.exe
PID 2168 wrote to memory of 2544 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_461d66f0c7bc5054bdda0bc236311357_cobalt-strike_cobaltstrike.exe C:\Windows\System\dTRDOVZ.exe
PID 2168 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_461d66f0c7bc5054bdda0bc236311357_cobalt-strike_cobaltstrike.exe C:\Windows\System\sHJPkFE.exe
PID 2168 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_461d66f0c7bc5054bdda0bc236311357_cobalt-strike_cobaltstrike.exe C:\Windows\System\sHJPkFE.exe
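Read together, the "Drops file in Windows directory" and "Suspicious use of WriteProcessMemory" tables describe one parent (PID 2168, the submitted sample) writing 21 executables with random seven-letter names into C:\Windows\System, a legacy directory that modern software does not install into, and then starting each one. The paired "wrote to memory" rows are what any parent does when it creates a child, so on their own they show process creation rather than proven injection; the same 21 images appear under Processes and, with hashes, under Files. The Python below is an added example and not part of the report: it parses a verbatim excerpt of these rows (three of the 21 children), rebuilds the parent/child tree with the duplicate rows folded, flags paths matching the random-name pattern, and joins in SHA256 values from the Files section to emit a hunt list. The naming regex is an assumption derived from the 21 names seen here, not a generic Cobalt Strike or XMRig rule.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Verbatim excerpt of the report rows above (three of the 21 children).
DROP_ROWS = r"""
File created C:\Windows\System\FoWysuA.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_461d66f0c7bc5054bdda0bc236311357_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\pOzczpW.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_461d66f0c7bc5054bdda0bc236311357_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\DtReISB.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_461d66f0c7bc5054bdda0bc236311357_cobalt-strike_cobaltstrike.exe N/A
"""
WRITE_ROWS = r"""
PID 2168 wrote to memory of 1440 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_461d66f0c7bc5054bdda0bc236311357_cobalt-strike_cobaltstrike.exe C:\Windows\System\pOzczpW.exe
PID 2168 wrote to memory of 1440 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_461d66f0c7bc5054bdda0bc236311357_cobalt-strike_cobaltstrike.exe C:\Windows\System\pOzczpW.exe
PID 2168 wrote to memory of 4516 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_461d66f0c7bc5054bdda0bc236311357_cobalt-strike_cobaltstrike.exe C:\Windows\System\FoWysuA.exe
PID 2168 wrote to memory of 4516 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_461d66f0c7bc5054bdda0bc236311357_cobalt-strike_cobaltstrike.exe C:\Windows\System\FoWysuA.exe
PID 2168 wrote to memory of 4596 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_461d66f0c7bc5054bdda0bc236311357_cobalt-strike_cobaltstrike.exe C:\Windows\System\DtReISB.exe
PID 2168 wrote to memory of 4596 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_461d66f0c7bc5054bdda0bc236311357_cobalt-strike_cobaltstrike.exe C:\Windows\System\DtReISB.exe
"""
FILE_ROWS = r"""
C:\Windows\System\pOzczpW.exe
MD5 204225c59ed2325f02c092958f8b7440
SHA256 5a10a9cf7294d5d7f0ac604dab6622729a1ad5dd8ab521d45bc46257530af28f
C:\Windows\System\FoWysuA.exe
SHA256 9000e272e8fd79d9b476e6876fee0ecb8a43a9e7c489a8b5235babc898a597df
C:\Windows\System\DtReISB.exe
SHA256 3e2d6b1511d526358ed730db49b54dd3e6fbe1002e1b831bd20dccbd35a86244
"""

DROP_RE = re.compile(r"^File created (?P<path>\S+) (?P<parent>\S+) N/A$")
WRITE_RE = re.compile(r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) N/A (?P<src_path>\S+) (?P<dst_path>\S+)$")
# Assumption: seven ASCII letters under C:\Windows\System, as observed for all 21 names in this report.
RANDOM_NAME_RE = re.compile(r"^C:\\Windows\\System\\[A-Za-z]{7}\.exe$")


@dataclass
class Child:
    pid: int
    path: str
    writes: int = 0


def parse_drops(text: str) -> dict[str, str]:
    """Dropped path -> image path of the process that created it."""
    drops = {}
    for line in text.strip().splitlines():
        m = DROP_RE.match(line)
        if m:
            drops[m["path"]] = m["parent"]
    return drops


def build_tree(text: str) -> dict[int, list[Child]]:
    """Parent pid -> children, folding the repeated rows the sandbox emits per process creation."""
    tree: dict[int, dict[int, Child]] = defaultdict(dict)
    for line in text.strip().splitlines():
        m = WRITE_RE.match(line)
        if not m:
            continue
        src, dst = int(m["src"]), int(m["dst"])
        child = tree[src].setdefault(dst, Child(dst, m["dst_path"]))
        child.writes += 1
    return {pid: list(kids.values()) for pid, kids in tree.items()}


def parse_hashes(text: str) -> dict[str, str]:
    """Path -> SHA256 from the Files section; MD5/SHA1/SHA512 lines are skipped."""
    hashes, current = {}, None
    for line in text.strip().splitlines():
        if line.startswith("SHA256 ") and current:
            hashes[current] = line.split()[1].lower()
        elif not line.startswith(("MD5 ", "SHA1 ", "SHA512 ")):
            current = line.strip()
    return hashes


def hunt_list(drops: dict, tree: dict, hashes: dict) -> list[dict]:
    """One record per dropped image: path, child pid if it ran, SHA256, and the random-name flag."""
    executed = {c.path: c for kids in tree.values() for c in kids}
    out = []
    for path in sorted(drops):
        child = executed.get(path)
        out.append({
            "path": path,
            "pid": child.pid if child else None,
            "executed": child is not None,
            "sha256": hashes.get(path),
            "random_name": bool(RANDOM_NAME_RE.match(path)),
        })
    return out


if __name__ == "__main__":
    for rec in hunt_list(parse_drops(DROP_ROWS), build_tree(WRITE_ROWS), parse_hashes(FILE_ROWS)):
        print(rec)
```

Feed the full tables in and the output is a 21-entry list of path plus SHA256 that can go straight into an EDR file-hash search; the random-name flag is what lets you hunt the same family on hosts where the names differ but the directory and length do not.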

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-06_461d66f0c7bc5054bdda0bc236311357_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-06_461d66f0c7bc5054bdda0bc236311357_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\pOzczpW.exe

C:\Windows\System\pOzczpW.exe

C:\Windows\System\FoWysuA.exe

C:\Windows\System\FoWysuA.exe

C:\Windows\System\DtReISB.exe

C:\Windows\System\DtReISB.exe

C:\Windows\System\TgtKoxa.exe

C:\Windows\System\TgtKoxa.exe

C:\Windows\System\sYNecfF.exe

C:\Windows\System\sYNecfF.exe

C:\Windows\System\GrAgMuS.exe

C:\Windows\System\GrAgMuS.exe

C:\Windows\System\gFTwpVK.exe

C:\Windows\System\gFTwpVK.exe

C:\Windows\System\mOMVNbP.exe

C:\Windows\System\mOMVNbP.exe

C:\Windows\System\dQjLEop.exe

C:\Windows\System\dQjLEop.exe

C:\Windows\System\tNhoQkT.exe

C:\Windows\System\tNhoQkT.exe

C:\Windows\System\ysdhCSu.exe

C:\Windows\System\ysdhCSu.exe

C:\Windows\System\BfOwunl.exe

C:\Windows\System\BfOwunl.exe

C:\Windows\System\UVebHov.exe

C:\Windows\System\UVebHov.exe

C:\Windows\System\RpHKQjp.exe

C:\Windows\System\RpHKQjp.exe

C:\Windows\System\sZJtuYg.exe

C:\Windows\System\sZJtuYg.exe

C:\Windows\System\AOvmNkV.exe

C:\Windows\System\AOvmNkV.exe

C:\Windows\System\CFZLBqk.exe

C:\Windows\System\CFZLBqk.exe

C:\Windows\System\wbbUtOz.exe

C:\Windows\System\wbbUtOz.exe

C:\Windows\System\zbRwSvw.exe

C:\Windows\System\zbRwSvw.exe

C:\Windows\System\dTRDOVZ.exe

C:\Windows\System\dTRDOVZ.exe

C:\Windows\System\sHJPkFE.exe

C:\Windows\System\sHJPkFE.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 218.143.123.92.in-addr.arpa udp
US 8.8.8.8:53 2.159.190.20.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.129:443 www.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 129.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 240.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
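Most of the Network table is background from the Windows 10 guest: the in-addr.arpa rows are reverse lookups of addresses the guest talked to, and the bing.com and bing.net rows are typical Windows background traffic. What is left after that noise is removed is the one destination worth an IOC, the repeated TCP sessions to 3.120.209.58:8080 with no domain recorded, i.e. a hard-coded address on a non-standard port; that fits either a Beacon C2 or a mining pool, and the table alone cannot tell which. The Python below is an added example rather than part of the report: it parses the table as rendered above (the excerpt is copied from it), classifies each row, decodes PTR names back to IPv4 addresses, and ranks direct-to-IP TCP peers by session count. The benign-suffix list and resolver set are assumptions to tune per environment.

```python
import ipaddress
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Rows copied from the Network table above: country, destination, optional domain, protocol.
REPORT_ROWS = """
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.129:443 www.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
"""

# Assumptions: domain suffixes treated as OS background noise, and the resolver the guest uses.
BENIGN_SUFFIXES = (".bing.com", ".bing.net", ".microsoft.com", ".windowsupdate.com")
RESOLVERS = {"8.8.8.8"}


@dataclass(frozen=True)
class Conn:
    country: str
    ip: str
    port: int
    domain: Optional[str]
    proto: str


def parse_rows(text: str) -> list[Conn]:
    """Rows have either four columns (with domain) or three (connection with no resolved name)."""
    conns = []
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) == 4:
            country, dest, domain, proto = parts
        elif len(parts) == 3:
            (country, dest, proto), domain = parts, None
        else:
            continue
        ip, port = dest.rsplit(":", 1)
        conns.append(Conn(country, ip, int(port), domain, proto))
    return conns


def ptr_to_ip(name: str) -> Optional[str]:
    """'237.197.79.204.in-addr.arpa' -> '204.79.197.237'; None if not an IPv4 reverse name."""
    suffix = ".in-addr.arpa"
    if not name.endswith(suffix):
        return None
    octets = name[: -len(suffix)].split(".")
    if len(octets) != 4:
        return None
    try:
        return str(ipaddress.IPv4Address(".".join(reversed(octets))))
    except ipaddress.AddressValueError:
        return None


def classify(c: Conn) -> str:
    if c.proto == "udp" and c.port == 53 and c.ip in RESOLVERS:
        return "ptr-lookup" if c.domain and ptr_to_ip(c.domain) else "dns-query"
    if c.domain and c.domain.endswith(BENIGN_SUFFIXES):
        return "background"
    if c.domain is None and c.proto == "tcp":
        return "direct-ip"   # no name resolution tied to this peer: hard-coded address
    return "other"


def rank_direct_ip(conns: list[Conn]) -> list[tuple[str, int]]:
    """Direct-to-IP TCP peers by session count; repeats within a short run hint at beaconing or pool keepalives."""
    counts = Counter(f"{c.ip}:{c.port}" for c in conns if classify(c) == "direct-ip")
    return counts.most_common()


def reverse_lookup_targets(conns: list[Conn]) -> set[str]:
    """Addresses the guest asked PTR records for; compare with the peers it actually connected to."""
    return {ip for c in conns if c.domain and (ip := ptr_to_ip(c.domain))}


if __name__ == "__main__":
    conns = parse_rows(REPORT_ROWS)
    print(rank_direct_ip(conns))
    print(sorted(reverse_lookup_targets(conns)))
```

On this table the ranking yields a single candidate, 3.120.209.58:8080 with six sessions in roughly 150 seconds of run time, and the PTR set shows the guest reverse-resolved the Bing peers but never that address, which is consistent with the sample connecting to it directly rather than through a name.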

Files

memory/2168-0-0x00007FF7D3880000-0x00007FF7D3BD4000-memory.dmp

memory/2168-1-0x0000022C7A080000-0x0000022C7A090000-memory.dmp

C:\Windows\System\pOzczpW.exe

MD5 204225c59ed2325f02c092958f8b7440
SHA1 d7048857440a57d4cb59a8ce52ac81db74d2b9c9
SHA256 5a10a9cf7294d5d7f0ac604dab6622729a1ad5dd8ab521d45bc46257530af28f
SHA512 c14edf988f35118ff6cf87ea5ef02f8e4910738aa7f1a55b90bc47356e787bf9a0f68794bae9f5b0e2f930f4dd1f14979b1164407b323d82af6ddf242d9f1be7

memory/1440-8-0x00007FF7D0980000-0x00007FF7D0CD4000-memory.dmp

C:\Windows\System\FoWysuA.exe

MD5 c6ad592960972f0c892cd77e70ebb9d9
SHA1 88cbb9335540fc4a9491714cef18d27e73e05b1e
SHA256 9000e272e8fd79d9b476e6876fee0ecb8a43a9e7c489a8b5235babc898a597df
SHA512 55dfe66bb35ffa44136dd0334f739c430d1cacc1e898b977418a4e14d396472ce5b6b9999220ed2df4b6e8eabbe4653b05045216a2e6513fec47a0237e43db2d

C:\Windows\System\DtReISB.exe

MD5 69025f096572a08701c1ac351f0286f9
SHA1 0d87e0b1f417b3ac27aaccc0ecd4bc340c3f9037
SHA256 3e2d6b1511d526358ed730db49b54dd3e6fbe1002e1b831bd20dccbd35a86244
SHA512 793a20c30bc854cb4fe2fe0ba32c2c5e5e234930189c48e6f0522851f9ca5e0f93cc822ef5dc904b688b8c94c60da7ec0ace5e68b314c6edd0c9568c3c2136de

memory/4596-19-0x00007FF657C40000-0x00007FF657F94000-memory.dmp

memory/4516-13-0x00007FF678D60000-0x00007FF6790B4000-memory.dmp

C:\Windows\System\TgtKoxa.exe

MD5 e7bb397bffc21ee20d79bd6cf612a93c
SHA1 a608dd8a1b8cd33011d090438097b9aed9dc11e0
SHA256 74a1d1da97383ddb448c33bda8afe521ca2a2597d970b3c0988d481f6b09e163
SHA512 f31f2ef401197219c3d78fbbd3b231b7aaf66ee183ac52702e478d47af48498dbe44764a4fca84a909fbb8db6c2893b5e2cc75b6e6f0c24a0ba038465950edfe

C:\Windows\System\sYNecfF.exe

MD5 d943c424ef76722dd7c453ca315ae8aa
SHA1 5ddfdf4a452b0b4f10c7ee1984451660e3a52e0f
SHA256 a1606c4f28b1f5a8dcc26cd207738aed3ffec2a34012bcf8c0721b0fd2be2209
SHA512 01c90226fcb98e461e3cf7228fa36bf6c725f1492b75e1608cef5d187a082237fa6db5195fada2f96f46159f986c21424e3ae43f5458bb6f1c2f862fcea91d92

memory/2992-32-0x00007FF711140000-0x00007FF711494000-memory.dmp

C:\Windows\System\GrAgMuS.exe

MD5 1360d147d1c50780b0666bf64fcb8ff0
SHA1 d2ba011085d0374d2ac9e458b8d5728f4478dd84
SHA256 7da175438929ad781d7b17599b0b1269b20bc8e296b1eec6605ac5830faed8f7
SHA512 8516695fb513aff4c487dceb777cbfa890e6c197dca5980c6587cd12f498687a2f8551109146978d12d692d9f8372a0418a3fb23610b9a5b544f314bc6d23755

memory/1704-36-0x00007FF6BCDD0000-0x00007FF6BD124000-memory.dmp

C:\Windows\System\mOMVNbP.exe

MD5 fcdd9a41ec94d050534818d4ba424dff
SHA1 6c02ac2a929b37ef41002461a36dd698e315a47b
SHA256 c206858e0e2e13d520e3a55f40ae29314bbccf2c5ee6d94121f6d822f3acea77
SHA512 f53a35ab79c5b6c096bea3cabfb9bc6bec5583a6713ed98ae3cc95deb6d2820819f325a6be35c0497cd10cb81f6b1f8ff5659e61259c39cd8e66b3a6e2577657

memory/1572-51-0x00007FF61F030000-0x00007FF61F384000-memory.dmp

C:\Windows\System\dQjLEop.exe

MD5 3dbe1e6ac591103808f4f4dd81c1d45a
SHA1 bb0c0fbea2e8ff4d0d635c73329bd27711695efe
SHA256 59e66f95091a8d8e8b0fe37a63c6edc1833ee979ce593cb5c2bef59de699ab95
SHA512 cacd2df798b5532453a96eb5ca064e05f118cb1068162ac2effe55c67dec78af11f1c05c281f0f6641497b1a4b34e96b0d705b2a2d3408835537bd9aa767a353

C:\Windows\System\ysdhCSu.exe

MD5 a2035159eccc2e054be6248898635e57
SHA1 55d8c5f6dc48aed31db53cdc21766384fdc62bb0
SHA256 d0f6836f201b2f4b0db273ae24db2376cbbe441274e2ef309f9eb16a5c87fa09
SHA512 5b9402d78ef60899b74f1dc8cc6c0768d88b679b6e99b012e6d5a52e7dbd2da4371e4b1f8afa799315df1cbbecc9053e2c1085cce8290d8b09dd19e9014255ae

memory/1252-73-0x00007FF70A100000-0x00007FF70A454000-memory.dmp

memory/4964-79-0x00007FF7615B0000-0x00007FF761904000-memory.dmp

memory/3800-80-0x00007FF64EB60000-0x00007FF64EEB4000-memory.dmp

C:\Windows\System\UVebHov.exe

MD5 20e636f799184ef2ec2caa6edc4c30dc
SHA1 a10e36fb83de47c1c7ef42f34e102d4025f8b291
SHA256 e3e9bc6a346e8ffa89472164a7b523d8362bc4d952b5ed1854664b669b5f6190
SHA512 a208ac2ab36133da75f12a72956b3e2dbb859143e5bfa7151280e3e85c641b788df27308839e0696446550d54d48a7c3e1f3fc8cf1333d8751c96fa1cc5fd4df

memory/4160-76-0x00007FF7FCF20000-0x00007FF7FD274000-memory.dmp

C:\Windows\System\BfOwunl.exe

MD5 9f1e1741bf25fa89fd40055cde6553d9
SHA1 09bba4aeb28c3dfd8ea4b52b7ae1b82b18f4e0a2
SHA256 730f0293929905a76d02ecb7da3a0359dfc635ab66db2df98974eb137e30330a
SHA512 d5c29e881440c1d6477ca700b10828cb3005a134ffe48bea3c6d8bb47560022696c590a2b07b4b9f9f34e7bb89f76affd23e2f142b5cb4a978b541e518894257

C:\Windows\System\tNhoQkT.exe

MD5 1581a6a1c840bfa5e6f8592261a3a2a0
SHA1 f4cdb22dcb3154f6f16a86e137addf1cecdf1f0f
SHA256 20c94acd77bb28e460ef86a35e7c8f3c4eeb6fb92846e0faadde92225ca268f0
SHA512 74fbc3a326cf9c2002930cf847d4c4dac1f17f1cc0b294c442082eb8a8ca3892dd231fef6ab0f135a0e003e9effa56430bc288e7848bc2916edcc5010cf7ea4b

memory/4356-58-0x00007FF68C6F0000-0x00007FF68CA44000-memory.dmp

memory/3908-55-0x00007FF674590000-0x00007FF6748E4000-memory.dmp

C:\Windows\System\gFTwpVK.exe

MD5 5acfeb55faf67d1b5c02f19f39e63706
SHA1 1224963d1114ebd8db7306a28c9628a81c2b523e
SHA256 388120bb4ab0fec90c23d8b3844e9602cee2347f40c12bc24b0f73567f61a65b
SHA512 5fd43ee7cbf9f7260a45c975a015746955078941fa3cee7758af6303f58531a33e821d0dbba7bdec65223fe45f70abee49fd22599a13d7cb4fd6affd0f5781b8

memory/4788-26-0x00007FF7AC4B0000-0x00007FF7AC804000-memory.dmp

C:\Windows\System\RpHKQjp.exe

MD5 b899e5e7cf845bc5fefe8024594ccd25
SHA1 5d74041d176533603cafd1cebb3f06daa743ec3d
SHA256 ffae1a0ed08396b8fb27c8966b26df2471aff4f618c003c3450e1f6312119433
SHA512 f229a7cdfbca30b6577e665bbf0c416ed3a6cd74e36c98553b708fb55feda0cfaae7440b51ea97caf5c6c74da5ae72546f950811d13d8c4f768410f04179b2b8

memory/800-86-0x00007FF7EEC60000-0x00007FF7EEFB4000-memory.dmp

C:\Windows\System\sZJtuYg.exe

MD5 79c93d85fde280928e948f184bf4ec7c
SHA1 6426ed181466c889203da3c7c2a6a6fcf01d8960
SHA256 c7758e78c3ed23d3f0f7db6729d19432dbc5f06ede42d3473cc7f793e10bae1e
SHA512 c7eead7718fe269f7b422dc52cadab3e421f5b89b2ca6fe4c22886527505d13b285f76ddef58e9d8bf8d74f69332a5701c3dfb304c57f058321a4bc185900246

C:\Windows\System\AOvmNkV.exe

MD5 47561c21a44b9303534a83f16c239605
SHA1 f8603990614a47cd4868285a929a278a7c46c6bc
SHA256 f0a6a08521b3e6f604408eb96eff219239a74ba990a9f5b37f0769078b8c37c7
SHA512 dbff86047b36daa83efc2150d942496235e84cbd5104f8f389029ef94b265f62e1e26b5e698fc80781881433da473cb28eca07f2caa3e93214a74bbed75ab74e

memory/440-95-0x00007FF720630000-0x00007FF720984000-memory.dmp

memory/2168-90-0x00007FF7D3880000-0x00007FF7D3BD4000-memory.dmp

C:\Windows\System\CFZLBqk.exe

MD5 642260d5fe3cf70418abeef1e846bdc7
SHA1 78eb9ea9c9c12e946fd6545b341db3fb00e1c70e
SHA256 d30362860f8cd364b2cd045dd54acda0c391f6930a7c7327c5755d2e5e0f2f3f
SHA512 85098b9ed9f6d43c3347f47e54d0135e774d652aa1ef581859d492277273e4a1912ba2bbf59afb9c22859043966ad0e664c1e1d62b3f4a4e0aeac89ae74e7c21

C:\Windows\System\wbbUtOz.exe

MD5 d939c5e9d5db4ca44def63eaa5d6383c
SHA1 cfa61e42fa45f62b90e5cc8fbd41b76583d61c08
SHA256 d8a6c28fd153c1c573b8132817ca708288c39abc3e8ff5861f791c664f31f90c
SHA512 a8338910be4b0802c06baab5dc30c12abdeb8bc9f57315de2dabd1ca2e2a0761943fc97270b6f41170d2f0f6b18a316ba39fe4e85f95a8a2afa875b2f8296ec4

C:\Windows\System\zbRwSvw.exe

MD5 71f0fb5c5f79e512b4c1adfce2e1e655
SHA1 67f1081c52de881ea65a06c4013e216ed6502fef
SHA256 b5788142c62fa64a50e95c50b3934433cdabb606dce64cc4ea9a252710bce26e
SHA512 a524c3f959adbbb311eca9489edcf92c5e5c2cd36656e7ed4b360acc362b7eff6f01d15fa7e89a9ecbce80610267bd1a312cb57c22e3a4c71219f78d529a241f

memory/4436-121-0x00007FF7548C0000-0x00007FF754C14000-memory.dmp

C:\Windows\System\sHJPkFE.exe

MD5 8300aef93ffc905fc29d78f8db79d6ec
SHA1 70d048169a9d873f093955c840af4babb07c9cc9
SHA256 196b739adaf259abe35d3f78e216d49ca1d589738c0132384047a26cf91c0835
SHA512 61b4de087e6865c96693fe0400e948c28595d28092690fe931588c4cbd8595f060f0dcdbc23c4b358866a77509436811235d05548a04ac049029201ff0e822ea

memory/2544-125-0x00007FF6FEAA0000-0x00007FF6FEDF4000-memory.dmp

C:\Windows\System\dTRDOVZ.exe

MD5 09355fbd1b399d71ba8f50877dfa583c
SHA1 012b3dfd4734cd84ad97537e92659bf11dde7b54
SHA256 1a3b40b734e2acb12d20133a1d7b8c39bb591b486031aba7546d3aa2176e4e09
SHA512 c16da86946beeb4fd1fa7cec695c647152057f2830cbd90fc604b4f9e69ea6cc09e153f30f754cefc5445439c2c8da73a440e22ceff386d82e6c66f3f1d4e6a3

memory/400-111-0x00007FF7D32D0000-0x00007FF7D3624000-memory.dmp

memory/2976-108-0x00007FF6C9920000-0x00007FF6C9C74000-memory.dmp

memory/4516-104-0x00007FF678D60000-0x00007FF6790B4000-memory.dmp

memory/2388-99-0x00007FF6C6F10000-0x00007FF6C7264000-memory.dmp

memory/2756-130-0x00007FF6BDB90000-0x00007FF6BDEE4000-memory.dmp

memory/1704-129-0x00007FF6BCDD0000-0x00007FF6BD124000-memory.dmp

memory/4356-131-0x00007FF68C6F0000-0x00007FF68CA44000-memory.dmp

memory/800-132-0x00007FF7EEC60000-0x00007FF7EEFB4000-memory.dmp

memory/2388-133-0x00007FF6C6F10000-0x00007FF6C7264000-memory.dmp

memory/2976-134-0x00007FF6C9920000-0x00007FF6C9C74000-memory.dmp

memory/400-135-0x00007FF7D32D0000-0x00007FF7D3624000-memory.dmp

memory/4436-136-0x00007FF7548C0000-0x00007FF754C14000-memory.dmp

memory/1440-137-0x00007FF7D0980000-0x00007FF7D0CD4000-memory.dmp

memory/4596-138-0x00007FF657C40000-0x00007FF657F94000-memory.dmp

memory/4516-139-0x00007FF678D60000-0x00007FF6790B4000-memory.dmp

memory/4788-140-0x00007FF7AC4B0000-0x00007FF7AC804000-memory.dmp

memory/2992-141-0x00007FF711140000-0x00007FF711494000-memory.dmp

memory/1572-142-0x00007FF61F030000-0x00007FF61F384000-memory.dmp

memory/1704-143-0x00007FF6BCDD0000-0x00007FF6BD124000-memory.dmp

memory/3908-144-0x00007FF674590000-0x00007FF6748E4000-memory.dmp

memory/4356-145-0x00007FF68C6F0000-0x00007FF68CA44000-memory.dmp

memory/4160-146-0x00007FF7FCF20000-0x00007FF7FD274000-memory.dmp

memory/1252-147-0x00007FF70A100000-0x00007FF70A454000-memory.dmp

memory/4964-148-0x00007FF7615B0000-0x00007FF761904000-memory.dmp

memory/3800-149-0x00007FF64EB60000-0x00007FF64EEB4000-memory.dmp

memory/800-150-0x00007FF7EEC60000-0x00007FF7EEFB4000-memory.dmp

memory/440-151-0x00007FF720630000-0x00007FF720984000-memory.dmp

memory/2388-152-0x00007FF6C6F10000-0x00007FF6C7264000-memory.dmp

memory/2976-153-0x00007FF6C9920000-0x00007FF6C9C74000-memory.dmp

memory/4436-154-0x00007FF7548C0000-0x00007FF754C14000-memory.dmp

memory/2544-156-0x00007FF6FEAA0000-0x00007FF6FEDF4000-memory.dmp

memory/400-155-0x00007FF7D32D0000-0x00007FF7D3624000-memory.dmp

memory/2756-157-0x00007FF6BDB90000-0x00007FF6BDEE4000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-06 13:38

Reported

2024-06-06 13:41

Platform

win7-20240419-en

Max time kernel

145s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-06_461d66f0c7bc5054bdda0bc236311357_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
(21 rows in the original table, all fields N/A in this export)

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
(21 rows in the original table, all fields N/A in this export)

UPX dump on OEP (original entry point)

Description Indicator Process Target
(60 rows in the original table, all fields N/A in this export)

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A (64 identical rows collapsed: 64 hits, no description, indicator, process or target recorded)

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_461d66f0c7bc5054bdda0bc236311357_cobalt-strike_cobaltstrike.exe N/A (21 identical rows collapsed: every hit is attributed to the parent process; no description, indicator or target recorded)

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A (61 identical rows collapsed: 61 hits, no description, indicator, process or target recorded)

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\cgxIHfA.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_461d66f0c7bc5054bdda0bc236311357_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\mEMcfVE.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_461d66f0c7bc5054bdda0bc236311357_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\pOBsdCn.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_461d66f0c7bc5054bdda0bc236311357_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\THbRIZu.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_461d66f0c7bc5054bdda0bc236311357_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\tgHrTVp.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_461d66f0c7bc5054bdda0bc236311357_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\hmQgHgq.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_461d66f0c7bc5054bdda0bc236311357_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\BFSNONv.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_461d66f0c7bc5054bdda0bc236311357_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\NMGPfjJ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_461d66f0c7bc5054bdda0bc236311357_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\tAZwzJE.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_461d66f0c7bc5054bdda0bc236311357_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\sxdqqKL.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_461d66f0c7bc5054bdda0bc236311357_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\EiVsqMF.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_461d66f0c7bc5054bdda0bc236311357_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\bosoYWn.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_461d66f0c7bc5054bdda0bc236311357_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\rqHiGAa.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_461d66f0c7bc5054bdda0bc236311357_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\UKqzrIy.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_461d66f0c7bc5054bdda0bc236311357_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\cxQjHyC.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_461d66f0c7bc5054bdda0bc236311357_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\WUWUxgI.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_461d66f0c7bc5054bdda0bc236311357_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\pbugCEb.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_461d66f0c7bc5054bdda0bc236311357_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\zfwUdqt.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_461d66f0c7bc5054bdda0bc236311357_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\OtRjcdf.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_461d66f0c7bc5054bdda0bc236311357_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\NjjZRYU.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_461d66f0c7bc5054bdda0bc236311357_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\mmXxoOd.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_461d66f0c7bc5054bdda0bc236311357_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_461d66f0c7bc5054bdda0bc236311357_cobalt-strike_cobaltstrike.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_461d66f0c7bc5054bdda0bc236311357_cobalt-strike_cobaltstrike.exe N/A

SeLockMemoryPrivilege ("Lock pages in memory") is the right XMRig enables so that it can back its RandomX scratchpad with large pages. Ordinary user software almost never requests it, so this privilege adjustment is a useful behavioural corroboration of the XMRig payload signature above, and one that does not depend on the hashes of the packed files.

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2052 wrote to memory of 2448 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_461d66f0c7bc5054bdda0bc236311357_cobalt-strike_cobaltstrike.exe C:\Windows\System\mmXxoOd.exe
PID 2052 wrote to memory of 2448 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_461d66f0c7bc5054bdda0bc236311357_cobalt-strike_cobaltstrike.exe C:\Windows\System\mmXxoOd.exe
PID 2052 wrote to memory of 2448 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_461d66f0c7bc5054bdda0bc236311357_cobalt-strike_cobaltstrike.exe C:\Windows\System\mmXxoOd.exe
PID 2052 wrote to memory of 3060 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_461d66f0c7bc5054bdda0bc236311357_cobalt-strike_cobaltstrike.exe C:\Windows\System\sxdqqKL.exe
PID 2052 wrote to memory of 3060 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_461d66f0c7bc5054bdda0bc236311357_cobalt-strike_cobaltstrike.exe C:\Windows\System\sxdqqKL.exe
PID 2052 wrote to memory of 3060 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_461d66f0c7bc5054bdda0bc236311357_cobalt-strike_cobaltstrike.exe C:\Windows\System\sxdqqKL.exe
PID 2052 wrote to memory of 2364 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_461d66f0c7bc5054bdda0bc236311357_cobalt-strike_cobaltstrike.exe C:\Windows\System\UKqzrIy.exe
PID 2052 wrote to memory of 2364 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_461d66f0c7bc5054bdda0bc236311357_cobalt-strike_cobaltstrike.exe C:\Windows\System\UKqzrIy.exe
PID 2052 wrote to memory of 2364 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_461d66f0c7bc5054bdda0bc236311357_cobalt-strike_cobaltstrike.exe C:\Windows\System\UKqzrIy.exe
PID 2052 wrote to memory of 2688 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_461d66f0c7bc5054bdda0bc236311357_cobalt-strike_cobaltstrike.exe C:\Windows\System\tgHrTVp.exe
PID 2052 wrote to memory of 2688 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_461d66f0c7bc5054bdda0bc236311357_cobalt-strike_cobaltstrike.exe C:\Windows\System\tgHrTVp.exe
PID 2052 wrote to memory of 2688 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_461d66f0c7bc5054bdda0bc236311357_cobalt-strike_cobaltstrike.exe C:\Windows\System\tgHrTVp.exe
PID 2052 wrote to memory of 1984 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_461d66f0c7bc5054bdda0bc236311357_cobalt-strike_cobaltstrike.exe C:\Windows\System\cxQjHyC.exe
PID 2052 wrote to memory of 1984 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_461d66f0c7bc5054bdda0bc236311357_cobalt-strike_cobaltstrike.exe C:\Windows\System\cxQjHyC.exe
PID 2052 wrote to memory of 1984 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_461d66f0c7bc5054bdda0bc236311357_cobalt-strike_cobaltstrike.exe C:\Windows\System\cxQjHyC.exe
PID 2052 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_461d66f0c7bc5054bdda0bc236311357_cobalt-strike_cobaltstrike.exe C:\Windows\System\EiVsqMF.exe
PID 2052 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_461d66f0c7bc5054bdda0bc236311357_cobalt-strike_cobaltstrike.exe C:\Windows\System\EiVsqMF.exe
PID 2052 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_461d66f0c7bc5054bdda0bc236311357_cobalt-strike_cobaltstrike.exe C:\Windows\System\EiVsqMF.exe
PID 2052 wrote to memory of 2700 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_461d66f0c7bc5054bdda0bc236311357_cobalt-strike_cobaltstrike.exe C:\Windows\System\WUWUxgI.exe
PID 2052 wrote to memory of 2700 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_461d66f0c7bc5054bdda0bc236311357_cobalt-strike_cobaltstrike.exe C:\Windows\System\WUWUxgI.exe
PID 2052 wrote to memory of 2700 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_461d66f0c7bc5054bdda0bc236311357_cobalt-strike_cobaltstrike.exe C:\Windows\System\WUWUxgI.exe
PID 2052 wrote to memory of 2528 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_461d66f0c7bc5054bdda0bc236311357_cobalt-strike_cobaltstrike.exe C:\Windows\System\THbRIZu.exe
PID 2052 wrote to memory of 2528 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_461d66f0c7bc5054bdda0bc236311357_cobalt-strike_cobaltstrike.exe C:\Windows\System\THbRIZu.exe
PID 2052 wrote to memory of 2528 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_461d66f0c7bc5054bdda0bc236311357_cobalt-strike_cobaltstrike.exe C:\Windows\System\THbRIZu.exe
PID 2052 wrote to memory of 3024 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_461d66f0c7bc5054bdda0bc236311357_cobalt-strike_cobaltstrike.exe C:\Windows\System\bosoYWn.exe
PID 2052 wrote to memory of 3024 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_461d66f0c7bc5054bdda0bc236311357_cobalt-strike_cobaltstrike.exe C:\Windows\System\bosoYWn.exe
PID 2052 wrote to memory of 3024 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_461d66f0c7bc5054bdda0bc236311357_cobalt-strike_cobaltstrike.exe C:\Windows\System\bosoYWn.exe
PID 2052 wrote to memory of 2580 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_461d66f0c7bc5054bdda0bc236311357_cobalt-strike_cobaltstrike.exe C:\Windows\System\hmQgHgq.exe
PID 2052 wrote to memory of 2580 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_461d66f0c7bc5054bdda0bc236311357_cobalt-strike_cobaltstrike.exe C:\Windows\System\hmQgHgq.exe
PID 2052 wrote to memory of 2580 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_461d66f0c7bc5054bdda0bc236311357_cobalt-strike_cobaltstrike.exe C:\Windows\System\hmQgHgq.exe
PID 2052 wrote to memory of 2860 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_461d66f0c7bc5054bdda0bc236311357_cobalt-strike_cobaltstrike.exe C:\Windows\System\cgxIHfA.exe
PID 2052 wrote to memory of 2860 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_461d66f0c7bc5054bdda0bc236311357_cobalt-strike_cobaltstrike.exe C:\Windows\System\cgxIHfA.exe
PID 2052 wrote to memory of 2860 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_461d66f0c7bc5054bdda0bc236311357_cobalt-strike_cobaltstrike.exe C:\Windows\System\cgxIHfA.exe
PID 2052 wrote to memory of 2880 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_461d66f0c7bc5054bdda0bc236311357_cobalt-strike_cobaltstrike.exe C:\Windows\System\BFSNONv.exe
PID 2052 wrote to memory of 2880 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_461d66f0c7bc5054bdda0bc236311357_cobalt-strike_cobaltstrike.exe C:\Windows\System\BFSNONv.exe
PID 2052 wrote to memory of 2880 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_461d66f0c7bc5054bdda0bc236311357_cobalt-strike_cobaltstrike.exe C:\Windows\System\BFSNONv.exe
PID 2052 wrote to memory of 2888 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_461d66f0c7bc5054bdda0bc236311357_cobalt-strike_cobaltstrike.exe C:\Windows\System\NMGPfjJ.exe
PID 2052 wrote to memory of 2888 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_461d66f0c7bc5054bdda0bc236311357_cobalt-strike_cobaltstrike.exe C:\Windows\System\NMGPfjJ.exe
PID 2052 wrote to memory of 2888 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_461d66f0c7bc5054bdda0bc236311357_cobalt-strike_cobaltstrike.exe C:\Windows\System\NMGPfjJ.exe
PID 2052 wrote to memory of 2332 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_461d66f0c7bc5054bdda0bc236311357_cobalt-strike_cobaltstrike.exe C:\Windows\System\pbugCEb.exe
PID 2052 wrote to memory of 2332 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_461d66f0c7bc5054bdda0bc236311357_cobalt-strike_cobaltstrike.exe C:\Windows\System\pbugCEb.exe
PID 2052 wrote to memory of 2332 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_461d66f0c7bc5054bdda0bc236311357_cobalt-strike_cobaltstrike.exe C:\Windows\System\pbugCEb.exe
PID 2052 wrote to memory of 1636 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_461d66f0c7bc5054bdda0bc236311357_cobalt-strike_cobaltstrike.exe C:\Windows\System\tAZwzJE.exe
PID 2052 wrote to memory of 1636 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_461d66f0c7bc5054bdda0bc236311357_cobalt-strike_cobaltstrike.exe C:\Windows\System\tAZwzJE.exe
PID 2052 wrote to memory of 1636 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_461d66f0c7bc5054bdda0bc236311357_cobalt-strike_cobaltstrike.exe C:\Windows\System\tAZwzJE.exe
PID 2052 wrote to memory of 768 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_461d66f0c7bc5054bdda0bc236311357_cobalt-strike_cobaltstrike.exe C:\Windows\System\rqHiGAa.exe
PID 2052 wrote to memory of 768 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_461d66f0c7bc5054bdda0bc236311357_cobalt-strike_cobaltstrike.exe C:\Windows\System\rqHiGAa.exe
PID 2052 wrote to memory of 768 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_461d66f0c7bc5054bdda0bc236311357_cobalt-strike_cobaltstrike.exe C:\Windows\System\rqHiGAa.exe
PID 2052 wrote to memory of 1576 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_461d66f0c7bc5054bdda0bc236311357_cobalt-strike_cobaltstrike.exe C:\Windows\System\mEMcfVE.exe
PID 2052 wrote to memory of 1576 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_461d66f0c7bc5054bdda0bc236311357_cobalt-strike_cobaltstrike.exe C:\Windows\System\mEMcfVE.exe
PID 2052 wrote to memory of 1576 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_461d66f0c7bc5054bdda0bc236311357_cobalt-strike_cobaltstrike.exe C:\Windows\System\mEMcfVE.exe
PID 2052 wrote to memory of 1460 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_461d66f0c7bc5054bdda0bc236311357_cobalt-strike_cobaltstrike.exe C:\Windows\System\zfwUdqt.exe
PID 2052 wrote to memory of 1460 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_461d66f0c7bc5054bdda0bc236311357_cobalt-strike_cobaltstrike.exe C:\Windows\System\zfwUdqt.exe
PID 2052 wrote to memory of 1460 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_461d66f0c7bc5054bdda0bc236311357_cobalt-strike_cobaltstrike.exe C:\Windows\System\zfwUdqt.exe
PID 2052 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_461d66f0c7bc5054bdda0bc236311357_cobalt-strike_cobaltstrike.exe C:\Windows\System\OtRjcdf.exe
PID 2052 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_461d66f0c7bc5054bdda0bc236311357_cobalt-strike_cobaltstrike.exe C:\Windows\System\OtRjcdf.exe
PID 2052 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_461d66f0c7bc5054bdda0bc236311357_cobalt-strike_cobaltstrike.exe C:\Windows\System\OtRjcdf.exe
PID 2052 wrote to memory of 1824 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_461d66f0c7bc5054bdda0bc236311357_cobalt-strike_cobaltstrike.exe C:\Windows\System\NjjZRYU.exe
PID 2052 wrote to memory of 1824 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_461d66f0c7bc5054bdda0bc236311357_cobalt-strike_cobaltstrike.exe C:\Windows\System\NjjZRYU.exe
PID 2052 wrote to memory of 1824 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_461d66f0c7bc5054bdda0bc236311357_cobalt-strike_cobaltstrike.exe C:\Windows\System\NjjZRYU.exe
PID 2052 wrote to memory of 1308 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_461d66f0c7bc5054bdda0bc236311357_cobalt-strike_cobaltstrike.exe C:\Windows\System\pOBsdCn.exe
PID 2052 wrote to memory of 1308 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_461d66f0c7bc5054bdda0bc236311357_cobalt-strike_cobaltstrike.exe C:\Windows\System\pOBsdCn.exe
PID 2052 wrote to memory of 1308 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_461d66f0c7bc5054bdda0bc236311357_cobalt-strike_cobaltstrike.exe C:\Windows\System\pOBsdCn.exe
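The WriteProcessMemory rows above show one writer (PID 2052, the submitted sample) and three writes to each of 21 child PIDs, with the write target in every case being one of the executables that the same process had just dropped into C:\Windows\System. A parent starting a child leaves exactly this footprint, because the loader populates the new process's memory before it runs, so the rows on their own do not establish injection into an existing process; what they do establish is a dropper fanning out into 21 freshly written, randomly named copies. The script below is an added example (not part of the report or of any tool the report names) that parses rows in the report's own format, rebuilds the parent-to-child tree, de-duplicates the repeated write events, and checks each child's image against the drop list and the seven-letter naming scheme. The embedded input is a subset of rows copied from the two tables, with the long parent path abbreviated to sample.exe for line length; paste the full tables into SAMPLE to process every row.

```python
import re
from collections import Counter

# Constructed input: a subset of rows copied from the report's
# "Drops file in Windows directory" and "Suspicious use of WriteProcessMemory"
# tables.  The long parent path is abbreviated to sample.exe for line length;
# paste the full tables here to process every row.
SAMPLE = r"""
File created C:\Windows\System\cgxIHfA.exe C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
File created C:\Windows\System\mmXxoOd.exe C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
File created C:\Windows\System\sxdqqKL.exe C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
File created C:\Windows\System\UKqzrIy.exe C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
PID 2052 wrote to memory of 2448 N/A C:\Users\Admin\AppData\Local\Temp\sample.exe C:\Windows\System\mmXxoOd.exe
PID 2052 wrote to memory of 2448 N/A C:\Users\Admin\AppData\Local\Temp\sample.exe C:\Windows\System\mmXxoOd.exe
PID 2052 wrote to memory of 2448 N/A C:\Users\Admin\AppData\Local\Temp\sample.exe C:\Windows\System\mmXxoOd.exe
PID 2052 wrote to memory of 3060 N/A C:\Users\Admin\AppData\Local\Temp\sample.exe C:\Windows\System\sxdqqKL.exe
PID 2052 wrote to memory of 3060 N/A C:\Users\Admin\AppData\Local\Temp\sample.exe C:\Windows\System\sxdqqKL.exe
PID 2052 wrote to memory of 3060 N/A C:\Users\Admin\AppData\Local\Temp\sample.exe C:\Windows\System\sxdqqKL.exe
PID 2052 wrote to memory of 2364 N/A C:\Users\Admin\AppData\Local\Temp\sample.exe C:\Windows\System\UKqzrIy.exe
PID 2052 wrote to memory of 2364 N/A C:\Users\Admin\AppData\Local\Temp\sample.exe C:\Windows\System\UKqzrIy.exe
PID 2052 wrote to memory of 2364 N/A C:\Users\Admin\AppData\Local\Temp\sample.exe C:\Windows\System\UKqzrIy.exe
"""

DROP_RE = re.compile(r"^File created (\S+) (\S+) N/A$")
WPM_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)$")
# The naming scheme seen in the report: seven letters plus .exe, placed
# directly under C:\Windows\System (not System32).
RANDOM_NAME_RE = re.compile(r"^C:\\Windows\\System\\[A-Za-z]{7}\.exe$", re.IGNORECASE)


def parse_report(text):
    """Return (dropped, writes, images).

    dropped: {lower-cased dropped path -> process that created it}
    writes:  Counter of (parent_pid, child_pid) -> number of write events
    images:  {(parent_pid, child_pid) -> image path of the write target}
    """
    dropped, writes, images = {}, Counter(), {}
    for line in (l.strip() for l in text.splitlines()):
        if m := DROP_RE.match(line):
            dropped[m[1].lower()] = m[2]
        elif m := WPM_RE.match(line):
            key = (int(m[1]), int(m[2]))
            writes[key] += 1
            images[key] = m[4]
    return dropped, writes, images


def summarize(text):
    """Rebuild the process tree and cross-check it against the drop list."""
    dropped, writes, images = parse_report(text)
    children = {}
    for (parent, child), n in writes.items():
        image = images[(parent, child)]
        children[child] = {
            "parent": parent,
            "image": image,
            "writes": n,
            # A target that was just dropped is a child being started,
            # not a pre-existing process being injected into.
            "image_was_dropped": image.lower() in dropped,
            "random_name": bool(RANDOM_NAME_RE.match(image)),
        }
    return {
        "parents": sorted({p for p, _ in writes}),
        "fanout": len(children),
        "dropped_count": len(dropped),
        "all_children_dropped": all(c["image_was_dropped"] for c in children.values()),
        "all_drops_random_named": all(RANDOM_NAME_RE.match(p) for p in dropped),
        "children": children,
    }


if __name__ == "__main__":
    result = summarize(SAMPLE)
    print(f"parents={result['parents']} fanout={result['fanout']} "
          f"dropped={result['dropped_count']}")
    for pid, info in sorted(result["children"].items()):
        print(f"  {info['parent']} -> {pid}: {info['image']} "
              f"(writes={info['writes']}, dropped={info['image_was_dropped']})")
```

On the full tables the same code yields a single parent, 21 children, 21 drops, and every child image both present in the drop list and matching the seven-letter pattern; a dropped file that never appears as a write target (as cgxIHfA.exe does in the subset above) shows up as a drop without a child and is worth a second look in the Processes list.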

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-06_461d66f0c7bc5054bdda0bc236311357_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-06_461d66f0c7bc5054bdda0bc236311357_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\mmXxoOd.exe

C:\Windows\System\mmXxoOd.exe

C:\Windows\System\sxdqqKL.exe

C:\Windows\System\sxdqqKL.exe

C:\Windows\System\UKqzrIy.exe

C:\Windows\System\UKqzrIy.exe

C:\Windows\System\tgHrTVp.exe

C:\Windows\System\tgHrTVp.exe

C:\Windows\System\cxQjHyC.exe

C:\Windows\System\cxQjHyC.exe

C:\Windows\System\EiVsqMF.exe

C:\Windows\System\EiVsqMF.exe

C:\Windows\System\WUWUxgI.exe

C:\Windows\System\WUWUxgI.exe

C:\Windows\System\THbRIZu.exe

C:\Windows\System\THbRIZu.exe

C:\Windows\System\bosoYWn.exe

C:\Windows\System\bosoYWn.exe

C:\Windows\System\hmQgHgq.exe

C:\Windows\System\hmQgHgq.exe

C:\Windows\System\cgxIHfA.exe

C:\Windows\System\cgxIHfA.exe

C:\Windows\System\BFSNONv.exe

C:\Windows\System\BFSNONv.exe

C:\Windows\System\NMGPfjJ.exe

C:\Windows\System\NMGPfjJ.exe

C:\Windows\System\pbugCEb.exe

C:\Windows\System\pbugCEb.exe

C:\Windows\System\tAZwzJE.exe

C:\Windows\System\tAZwzJE.exe

C:\Windows\System\rqHiGAa.exe

C:\Windows\System\rqHiGAa.exe

C:\Windows\System\mEMcfVE.exe

C:\Windows\System\mEMcfVE.exe

C:\Windows\System\zfwUdqt.exe

C:\Windows\System\zfwUdqt.exe

C:\Windows\System\OtRjcdf.exe

C:\Windows\System\OtRjcdf.exe

C:\Windows\System\NjjZRYU.exe

C:\Windows\System\NjjZRYU.exe

C:\Windows\System\pOBsdCn.exe

C:\Windows\System\pOBsdCn.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 (no domain recorded) tcp (6 identical connection rows collapsed)

Files

memory/2052-0-0x000000013FEF0000-0x0000000140244000-memory.dmp

memory/2052-1-0x0000000000080000-0x0000000000090000-memory.dmp

\Windows\system\mmXxoOd.exe

MD5 67fccfc30c4c0ce5505b4c060f97c91c
SHA1 d0f14133036f3b8c2ca41033d45012dee43622eb
SHA256 7eb9f2d0f616082045deb593d181a4bcb6fc9ffe41d92b10374dfd2bdbb1eeaa
SHA512 ab0664aa9ea877fa45c94834c9e6394fef901cff4b4c42eb51fad2aa45765e651a9f94e6088b025904cec386b89d97cc58bbec099e877403c903db5018b2c403

memory/2052-6-0x0000000002300000-0x0000000002654000-memory.dmp

C:\Windows\system\sxdqqKL.exe

MD5 875defcc01609e8f936139baec22b0d3
SHA1 ed0650b5f4b24bb50d12a8bd4c7bd69ff62631a6
SHA256 74d4741833b1ded0a1053bf96675434d4fb9f563ef087ec25bbff6a890a6be64
SHA512 8d898749b07e78273395cd97ac67f928cd4987f1775eb1e73a10c90281bfe56920eb19f9b6f9b7d8b1fe5ff59d38e8a6fb997f8fd67485fd0e8ec81fe60d11ea

C:\Windows\system\UKqzrIy.exe

MD5 524754471568355b633a3cd50c159417
SHA1 92e1f964986e1277d393c4ad2fe56125a2d886f2
SHA256 2389a471635e69e04ea0bde4e0f9f8a16149f458d7d7a1ad11352d9145b93fb4
SHA512 00617201262780056a908613f173a647ab4013d5d329ee097cfeea0d9bf33910d95dbacf285ea3aa38c283879b6710cd6673a26babce73496954f92cee1eef37

memory/3060-15-0x000000013F6C0000-0x000000013FA14000-memory.dmp

memory/2052-14-0x000000013F6C0000-0x000000013FA14000-memory.dmp

memory/2364-21-0x000000013FC60000-0x000000013FFB4000-memory.dmp

memory/2052-19-0x0000000002300000-0x0000000002654000-memory.dmp

memory/2448-11-0x000000013FBD0000-0x000000013FF24000-memory.dmp

\Windows\system\tgHrTVp.exe

MD5 09fb6b8af24dc421117b4fb5b37bbfd8
SHA1 8964b42edcf76de2bf6f9ceb66e6c1cc7bceb00a
SHA256 bbebf15642223a07a88f0d5cbc4e49b474faed2d218c5891fe98e6296e154937
SHA512 719d5572396497f5179f066d08d8943d4f4cb835860a1435cef8a1c37d4b21f1a73360b40b3d41fadc520618ef4e2eabb80b2498ec526a03214379ddf2cffb07

memory/2688-29-0x000000013FF80000-0x00000001402D4000-memory.dmp

\Windows\system\cxQjHyC.exe

MD5 6cbd0278b47db5232bbf8e0fa4db72b8
SHA1 050d8f4416732a34757be8981581cd6b7c39ee28
SHA256 13350f331d5cc3208336eb598848de370a674bbc4ace33281153f2fd1d308d1b
SHA512 09fdb783f21ffe1ee2ba8901e82286f57db331bf852db6912858b38068993c07a1c023e8d47c1a8c1396255e996c1ad8f89338c7c9d365a689b50939ba1e83e3

memory/2052-31-0x000000013F080000-0x000000013F3D4000-memory.dmp

memory/2448-43-0x000000013FBD0000-0x000000013FF24000-memory.dmp

C:\Windows\system\EiVsqMF.exe

MD5 8770f865993e770f6a0032d4d2c046d2
SHA1 3714c50780c44f6a1e0e5d3399b5c3dfcd59a52e
SHA256 449b4a4189013e400b3c1de3a378ce2fb737a87eb781daf067df60c03f36211a
SHA512 0d93ce923ffdacaa8715af1ad481814ed380e308105f824bc2ef7056f27fb5fad079c6d6d836a844b757e970f9b479c9506894ace42ed54b261fa74a357c0b7e

memory/2772-47-0x000000013FD00000-0x0000000140054000-memory.dmp

memory/2052-46-0x000000013F6C0000-0x000000013FA14000-memory.dmp

memory/2052-42-0x0000000002300000-0x0000000002654000-memory.dmp

memory/2052-41-0x0000000002300000-0x0000000002654000-memory.dmp

memory/1984-40-0x000000013F080000-0x000000013F3D4000-memory.dmp

memory/2052-36-0x000000013FEF0000-0x0000000140244000-memory.dmp

\Windows\system\WUWUxgI.exe

MD5 296cc3b069cd30558ecac19c339353a5
SHA1 03545075c30c7d8cc7ac62b31366dc76aa1c42eb
SHA256 af5d5db2d5b79622bf4ca92c23537d10bcf7e096323fc335f5b0426364d0b11a
SHA512 7a9d2e4047a63c9eb60f7329c0316f9c016e6ac7ef6c5d6392b022393cad13f7a02d0dba7bf1da6603b535f1c75973005a928e1c4a2cc831f4dcd4ca04f401eb

memory/2700-54-0x000000013FEA0000-0x00000001401F4000-memory.dmp

memory/3060-52-0x000000013F6C0000-0x000000013FA14000-memory.dmp

\Windows\system\THbRIZu.exe

MD5 bd02c2d6bda6a5ee110124755e322aea
SHA1 0e490e4a9aed352decfc9cd3980239040df28257
SHA256 c4043e97aebdcecccb110b220a9d484bdb57f3addff2592fc5f1799bcff1506a
SHA512 83996caad3f3bb139b663b0dce1fef8726ea56427f86624266776c98e22c570ea8335c027b5b6977dce73e2f5131fe201b1b8f8e582030b7cdc002dfe54738e7

memory/2052-60-0x000000013F790000-0x000000013FAE4000-memory.dmp

memory/2528-61-0x000000013F790000-0x000000013FAE4000-memory.dmp

\Windows\system\bosoYWn.exe

MD5 ebfd2887dd669b6616b8c95cb9ee89ea
SHA1 9d4d75b430e388c3abd72787df5da40a2e34b770
SHA256 021f8a98c19b550e3fd0850fc041391440f18b3dac4b23e558e49ddf870110bd
SHA512 6fd16115dfa75a35edb1d51b3708bd8247da760fe11e27fddc0692c5dc7c5dda1802f38a7df5ccda5b67a714fbdea1126dbdb27454bf06793f0ea7be3e2b62ad

memory/2364-65-0x000000013FC60000-0x000000013FFB4000-memory.dmp

memory/2052-66-0x000000013F490000-0x000000013F7E4000-memory.dmp

memory/3024-70-0x000000013F490000-0x000000013F7E4000-memory.dmp

memory/2052-68-0x0000000002300000-0x0000000002654000-memory.dmp

\Windows\system\hmQgHgq.exe

MD5 895db499307793bcd16bb18b3cf3ad3a
SHA1 7a4300e4cb012c62ae0146a3ebfe602070d54b49
SHA256 e300efb613eca10f6e224a91961dca728f6aaff62cd1ff6a9098a9c3fb44f501
SHA512 ae4ff04c75df24c84bb1926aa4404c0ec11733a908e96e0804303940cbd7141f985babf884501a1ca40e2ca53458e220052ee98f52f6b971bea565dec2167415

memory/2580-78-0x000000013FAB0000-0x000000013FE04000-memory.dmp

memory/2052-76-0x000000013FAB0000-0x000000013FE04000-memory.dmp

memory/2688-75-0x000000013FF80000-0x00000001402D4000-memory.dmp

C:\Windows\system\cgxIHfA.exe

MD5 5ff243d7cf8d120136360278ad83d710
SHA1 1a33b5f2105b1377a24a991e89aa635edada5acb
SHA256 6770c3773ba71103ebfab626fb1c2c49e27f6ef3e57fece645f656d14c6172f5
SHA512 605242c16e92749cb515da3c4dfa05b908dbdee9e1ee8c2eec0ee23d8bd07414f2228947e7bf5cde0824bb8a3548397bf3216593845a67e88c52cd829bcf0d2d

C:\Windows\system\BFSNONv.exe

MD5 79ad6eb0a524978d654bd7c073fa38e0
SHA1 07b096aaa76f7353aff74f1a59b524e0e87e832c
SHA256 269a8110647986e202e18d1493d9713abe3290af0d6cef13b4cf050ff54f76cf
SHA512 7ae5c188db73aee50b1122baef7ad5a1afa8a5e7aa15cd8bad5daa10c52fc4b1bc186807bd0a6ac611101fb56ad7da640f7c156155caacf3dfa798bd832188e0

memory/1984-90-0x000000013F080000-0x000000013F3D4000-memory.dmp

memory/2880-91-0x000000013F770000-0x000000013FAC4000-memory.dmp

memory/2860-85-0x000000013F180000-0x000000013F4D4000-memory.dmp

memory/2052-84-0x000000013F180000-0x000000013F4D4000-memory.dmp

\Windows\system\NMGPfjJ.exe

MD5 39b74d3a200f8f65e8f54aadb0911795
SHA1 bc6575b306e2472ba1a1619909d60bf09056e71b
SHA256 78382c9caa12b7fb683285bbf20ce788b151a229805dc353930b2c6da4c46ef1
SHA512 c259212d9328eeae1791b77f4dded11bd46e9881ef1fa2d9f36f15cbb995e9545ec101a1519d28a6e6a30758b92afafcce0859a2de521f5404b76192bb1e79a3

memory/2888-97-0x000000013F050000-0x000000013F3A4000-memory.dmp

memory/2052-96-0x000000013F050000-0x000000013F3A4000-memory.dmp

memory/2052-95-0x0000000002300000-0x0000000002654000-memory.dmp

\Windows\system\pbugCEb.exe

MD5 b4ba6844c27b86d934c0be43b0ddd311
SHA1 8bf1a5653618596d963171907e577c4ab898fb43
SHA256 6ce90a6bc1d9b1d1e9aef4fb0e30e23498e9407d3ea39f7e99cd9e394fdbbbd6
SHA512 0bd09c411b8f4cb58e2967d7806a88249461587f9e13e1a4d1738f1442de8bdd6ecabe581b56d39c6b907dd1def270cdb66c530f368c0a2fb44f30a37b728545

C:\Windows\system\rqHiGAa.exe

MD5 47aac041121e45327b9c259717454351
SHA1 b9fd0155751cce7237735a7fa21b5674cc97dcb6
SHA256 d3f32c59d305aaec13519e65e27e99092491456acd0a56728a88f91b0861d195
SHA512 6cd528693ffc1af48a04c3bcbb50edf6fe422a657e96dc313d68306dd8a4a69318a15566005f9e2eb43971526e37f9ad76dca0248ec539703255ace5c5cd91e8

memory/2052-113-0x000000013FAF0000-0x000000013FE44000-memory.dmp

memory/2052-112-0x000000013F790000-0x000000013FAE4000-memory.dmp

C:\Windows\system\tAZwzJE.exe

MD5 9ec4c9ee325a8f81071fe859720afd41
SHA1 8109c34bf4b1566b9d8b24e8adf6adea7aa2d46a
SHA256 fa241e6097043def421b1be17bd0b92ef149056e50aa25d0d7887924743a6853
SHA512 93ec0f5f0ca7a7a7690c9e99209fa601334e08db7f9e906d68c6a22789eac1f26e7ec38f3feb3b09e20e13284d476e3301b2244b938285ef49e67f2b60fe00ab

C:\Windows\system\zfwUdqt.exe

MD5 c485a447107b603bcc0f0dfb794b01d1
SHA1 e9352c708756828f8facafb34a47e052180ebf63
SHA256 3bbf70b4347a5cb6a8807e68b28515071aabba559ca6a81138134203e0d016b6
SHA512 d59c59da14c6dc55c0c46af19379d4f020172ee8087a43b4c0ed0bccd2a5ff188a0c6b3ab0347e78178dcf414c43f18ca151956e477042be772510439e4b4a8c

C:\Windows\system\mEMcfVE.exe

MD5 37676825c1a194d99b5d0d1efee9ff9e
SHA1 3a14c4306d92797a3568b6733e8027191d73cbf1
SHA256 be6075318c75f25b0cd5e22e9d704152c088d4ab70d0d28c7effd29ba03fb16c
SHA512 0eb059c63ab1f862106db4faab589eaa64263888000c6675239b98c762444ec29a5fd64dc5f38989efc4e6dbaebdd7bb347093d8682f23e4edcd679e9c9f9409

memory/2052-128-0x000000013F490000-0x000000013F7E4000-memory.dmp

C:\Windows\system\OtRjcdf.exe

MD5 09b890779c3e886465f58b4f2686aa02
SHA1 8c680badbb6187e04ed08b3f19c5dc7bcac9463e
SHA256 b813551b8ed7d3c5c5213a7245012636c31fb954509fb1bee7364d4f80cf4a95
SHA512 09797f6fc560d136a08ff4bd0f49ea420fb98768dff13e25ebe4eb0fd4183f9a6306a41b86d75cf26e34cd56ee2efd457bc8aaafbab53e93b7a1f29f8a50b4e2

C:\Windows\system\NjjZRYU.exe

MD5 601bd8af8556b58d660db6a412767eb7
SHA1 b56a9f6b0f077a739709b9c4cf7d2b76bb5dfbdd
SHA256 154102f0f567b569dee145eb22c5f187f3ed2b227a0e30a0ae78cbd9eb3af4a1
SHA512 23242c14381262369052d13a97aab9994f6defcd967f219568b5452222f5e695683a41df8513cd50cdfd66288b0a4d39bed487d7e7c7a67514a05212ec3b5bac

\Windows\system\pOBsdCn.exe

MD5 ef5a7d4aef4f689f6012c92784cf16b3
SHA1 dc1b9ff2f7623829d579842dfffc55766bdfc417
SHA256 0fdbdb5e57920b5b0b12e81e666082335789f79f603111c530f5589f071a77f6
SHA512 8abee50f2490274aa52226cd34e466790fd51a7f3465acce666525e77c432dc15807778568345ad4f825716f020cdbef44e4d79404ca5a1bc9c955f8aeff5bc9

memory/3024-143-0x000000013F490000-0x000000013F7E4000-memory.dmp

memory/2052-144-0x000000013FAB0000-0x000000013FE04000-memory.dmp

memory/2580-145-0x000000013FAB0000-0x000000013FE04000-memory.dmp

memory/2052-146-0x000000013F180000-0x000000013F4D4000-memory.dmp

memory/2880-147-0x000000013F770000-0x000000013FAC4000-memory.dmp

memory/2052-148-0x000000013F050000-0x000000013F3A4000-memory.dmp

memory/2888-149-0x000000013F050000-0x000000013F3A4000-memory.dmp

memory/2052-150-0x000000013FAF0000-0x000000013FE44000-memory.dmp

memory/2448-151-0x000000013FBD0000-0x000000013FF24000-memory.dmp

memory/3060-152-0x000000013F6C0000-0x000000013FA14000-memory.dmp

memory/2364-153-0x000000013FC60000-0x000000013FFB4000-memory.dmp

memory/2688-154-0x000000013FF80000-0x00000001402D4000-memory.dmp

memory/1984-155-0x000000013F080000-0x000000013F3D4000-memory.dmp

memory/2772-156-0x000000013FD00000-0x0000000140054000-memory.dmp

memory/2700-157-0x000000013FEA0000-0x00000001401F4000-memory.dmp

memory/2528-158-0x000000013F790000-0x000000013FAE4000-memory.dmp

memory/3024-159-0x000000013F490000-0x000000013F7E4000-memory.dmp

memory/2580-160-0x000000013FAB0000-0x000000013FE04000-memory.dmp

memory/2860-161-0x000000013F180000-0x000000013F4D4000-memory.dmp

memory/2888-163-0x000000013F050000-0x000000013F3A4000-memory.dmp

memory/2880-162-0x000000013F770000-0x000000013FAC4000-memory.dmp
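Two things in the Files section are easy to miss when reading the dumps one by one: every memory dump except memory/2052-1 spans exactly 0x354000 bytes, at a different base in each child, and yet each of the 21 dropped executables carries a distinct MD5/SHA1/SHA256/SHA512. The stable quantity across this run is therefore the mapped image size and the naming scheme, not the file hashes, and the dump at memory/2052-14 sits at the same base as the child dump memory/3060-15, which lines up with the WriteProcessMemory rows for PID 3060. The script below is an added example (not part of the report or of any tool it names) that parses entries in the report's own format, computes dump sizes, groups bases per PID, flags bases shared between processes, and collects the SHA256 values as a block list. The embedded input is a subset of the section above with the SHA512 lines omitted for brevity; paste the whole section into SAMPLE to cover every entry.

```python
import re
from collections import Counter, defaultdict

# Constructed input: a subset of entries copied from the report's "Files"
# section (memory dumps plus two dropped-file hash records; SHA512 lines
# omitted for brevity).  Paste the whole section here to process every entry.
SAMPLE = r"""
memory/2052-0-0x000000013FEF0000-0x0000000140244000-memory.dmp
memory/2052-1-0x0000000000080000-0x0000000000090000-memory.dmp
\Windows\system\mmXxoOd.exe
MD5 67fccfc30c4c0ce5505b4c060f97c91c
SHA1 d0f14133036f3b8c2ca41033d45012dee43622eb
SHA256 7eb9f2d0f616082045deb593d181a4bcb6fc9ffe41d92b10374dfd2bdbb1eeaa
memory/2052-6-0x0000000002300000-0x0000000002654000-memory.dmp
C:\Windows\system\sxdqqKL.exe
MD5 875defcc01609e8f936139baec22b0d3
SHA1 ed0650b5f4b24bb50d12a8bd4c7bd69ff62631a6
SHA256 74d4741833b1ded0a1053bf96675434d4fb9f563ef087ec25bbff6a890a6be64
memory/3060-15-0x000000013F6C0000-0x000000013FA14000-memory.dmp
memory/2052-14-0x000000013F6C0000-0x000000013FA14000-memory.dmp
memory/2448-11-0x000000013FBD0000-0x000000013FF24000-memory.dmp
"""

MEM_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
PATH_RE = re.compile(r"^(?:[A-Za-z]:)?\\.+\.exe$", re.IGNORECASE)
HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512) ([0-9a-f]+)$")


def parse_files_section(text):
    """Return (regions, hashes).

    regions: list of dicts with pid, seq, start, end, size for each memory dump
    hashes:  {dropped path -> {algorithm -> hex digest}}
    """
    regions, hashes, current = [], defaultdict(dict), None
    for line in (l.strip() for l in text.splitlines()):
        if m := MEM_RE.match(line):
            start, end = int(m[3], 16), int(m[4], 16)
            regions.append({"pid": int(m[1]), "seq": int(m[2]),
                            "start": start, "end": end, "size": end - start})
        elif PATH_RE.match(line):
            current = line          # hash lines that follow belong to this file
        elif (m := HASH_RE.match(line)) and current:
            hashes[current][m[1]] = m[2]
    return regions, dict(hashes)


def image_bases(regions, size):
    """pid -> sorted distinct start addresses of dumps of exactly this size."""
    out = defaultdict(set)
    for r in regions:
        if r["size"] == size:
            out[r["pid"]].add(r["start"])
    return {pid: sorted(b) for pid, b in out.items()}


def shared_bases(regions, size):
    """start address -> pids, for dumps of this size seen in more than one process."""
    seen = defaultdict(set)
    for r in regions:
        if r["size"] == size:
            seen[r["start"]].add(r["pid"])
    return {base: sorted(p) for base, p in seen.items() if len(p) > 1}


def summarize(text):
    regions, hashes = parse_files_section(text)
    hist = Counter(r["size"] for r in regions)
    dominant, count = hist.most_common(1)[0]
    sha256s = {h["SHA256"] for h in hashes.values() if "SHA256" in h}
    return {
        "dominant_size": dominant,
        "dominant_count": count,
        "bases": image_bases(regions, dominant),
        "shared": shared_bases(regions, dominant),
        "dropped_files": len(hashes),
        "all_hashes_distinct": len(sha256s) == len(hashes),
        "sha256_iocs": sorted(sha256s),
    }


if __name__ == "__main__":
    s = summarize(SAMPLE)
    print(f"dominant dump size 0x{s['dominant_size']:X} ({s['dominant_count']} dumps)")
    for pid, bases in sorted(s["bases"].items()):
        print(f"  pid {pid}: " + ", ".join(f"0x{b:X}" for b in bases))
    print("shared bases:", {f"0x{b:X}": p for b, p in s["shared"].items()})
    print("distinct SHA256 per dropped file:", s["all_hashes_distinct"])
```

The SHA256 list is what goes into a block list, but given that every drop hashes differently it will only ever catch this exact run; a detection keyed on the 0x354000-byte image mapped from a seven-letter executable under C:\Windows\System, or on the SeLockMemoryPrivilege request recorded above, generalises better.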