Malware Analysis Report

2024-10-16 03:05

Sample ID 240610-b2f3ksah32
Target 2024-06-10_134e5e0ecfc381991eea55fe017ccfdd_cobalt-strike_cobaltstrike
SHA256 05d842f4c9d7b00ce8c1fc17eb6f92ea6f8ef732d8d918dff1f1e6672457d48a
Tags
cobaltstrike xmrig 0 backdoor miner trojan upx
score
10/10

Analysis Overview

score
10/10

SHA256

05d842f4c9d7b00ce8c1fc17eb6f92ea6f8ef732d8d918dff1f1e6672457d48a

Threat Level: Known bad

The file 2024-06-10_134e5e0ecfc381991eea55fe017ccfdd_cobalt-strike_cobaltstrike was found to be: Known bad.

Malicious Activity Summary

cobaltstrike xmrig 0 backdoor miner trojan upx

XMRig Miner payload

Cobaltstrike

Detects Reflective DLL injection artifacts

Cobalt Strike reflective loader

UPX dump on OEP (original entry point)

Cobaltstrike family

Xmrig family

xmrig

XMRig Miner payload

Detects Reflective DLL injection artifacts

UPX dump on OEP (original entry point)

Executes dropped EXE

UPX packed file

Loads dropped DLL

Drops file in Windows directory

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-10 01:39

Signatures

Cobalt Strike reflective loader

Cobaltstrike family

cobaltstrike

Detects Reflective DLL injection artifacts

UPX dump on OEP (original entry point)

XMRig Miner payload

miner
Xmrig family

xmrig

UPX packed file

upx
Unsigned PE

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-10 01:38

Reported

2024-06-10 01:41

Platform

win10v2004-20240508-en

Max time kernel

144s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-10_134e5e0ecfc381991eea55fe017ccfdd_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

UPX dump on OEP (original entry point)

XMRig Miner payload

miner
UPX packed file

upx
Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\ugLpLxS.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_134e5e0ecfc381991eea55fe017ccfdd_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\LFUHVVN.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_134e5e0ecfc381991eea55fe017ccfdd_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\hmlwyKM.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_134e5e0ecfc381991eea55fe017ccfdd_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\JutyFTL.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_134e5e0ecfc381991eea55fe017ccfdd_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\pZAFoLC.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_134e5e0ecfc381991eea55fe017ccfdd_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\CiPAHPK.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_134e5e0ecfc381991eea55fe017ccfdd_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\tbVkEyw.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_134e5e0ecfc381991eea55fe017ccfdd_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\kNlZLir.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_134e5e0ecfc381991eea55fe017ccfdd_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\rxoPrfM.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_134e5e0ecfc381991eea55fe017ccfdd_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\LoErQCg.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_134e5e0ecfc381991eea55fe017ccfdd_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\jZZVnes.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_134e5e0ecfc381991eea55fe017ccfdd_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\gpkvmJA.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_134e5e0ecfc381991eea55fe017ccfdd_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\qJZdNby.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_134e5e0ecfc381991eea55fe017ccfdd_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\hYnZHEU.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_134e5e0ecfc381991eea55fe017ccfdd_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\CJSQZmp.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_134e5e0ecfc381991eea55fe017ccfdd_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\SvBdyZX.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_134e5e0ecfc381991eea55fe017ccfdd_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\nBoAcBG.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_134e5e0ecfc381991eea55fe017ccfdd_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\nGdQVYO.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_134e5e0ecfc381991eea55fe017ccfdd_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\uRGNDDe.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_134e5e0ecfc381991eea55fe017ccfdd_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\UYzKvUK.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_134e5e0ecfc381991eea55fe017ccfdd_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\JpBEIdc.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_134e5e0ecfc381991eea55fe017ccfdd_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_134e5e0ecfc381991eea55fe017ccfdd_cobalt-strike_cobaltstrike.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_134e5e0ecfc381991eea55fe017ccfdd_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4764 wrote to memory of 4996 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_134e5e0ecfc381991eea55fe017ccfdd_cobalt-strike_cobaltstrike.exe C:\Windows\System\ugLpLxS.exe
PID 4764 wrote to memory of 4996 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_134e5e0ecfc381991eea55fe017ccfdd_cobalt-strike_cobaltstrike.exe C:\Windows\System\ugLpLxS.exe
PID 4764 wrote to memory of 4768 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_134e5e0ecfc381991eea55fe017ccfdd_cobalt-strike_cobaltstrike.exe C:\Windows\System\SvBdyZX.exe
PID 4764 wrote to memory of 4768 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_134e5e0ecfc381991eea55fe017ccfdd_cobalt-strike_cobaltstrike.exe C:\Windows\System\SvBdyZX.exe
PID 4764 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_134e5e0ecfc381991eea55fe017ccfdd_cobalt-strike_cobaltstrike.exe C:\Windows\System\tbVkEyw.exe
PID 4764 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_134e5e0ecfc381991eea55fe017ccfdd_cobalt-strike_cobaltstrike.exe C:\Windows\System\tbVkEyw.exe
PID 4764 wrote to memory of 1932 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_134e5e0ecfc381991eea55fe017ccfdd_cobalt-strike_cobaltstrike.exe C:\Windows\System\kNlZLir.exe
PID 4764 wrote to memory of 1932 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_134e5e0ecfc381991eea55fe017ccfdd_cobalt-strike_cobaltstrike.exe C:\Windows\System\kNlZLir.exe
PID 4764 wrote to memory of 3344 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_134e5e0ecfc381991eea55fe017ccfdd_cobalt-strike_cobaltstrike.exe C:\Windows\System\nBoAcBG.exe
PID 4764 wrote to memory of 3344 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_134e5e0ecfc381991eea55fe017ccfdd_cobalt-strike_cobaltstrike.exe C:\Windows\System\nBoAcBG.exe
PID 4764 wrote to memory of 3688 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_134e5e0ecfc381991eea55fe017ccfdd_cobalt-strike_cobaltstrike.exe C:\Windows\System\rxoPrfM.exe
PID 4764 wrote to memory of 3688 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_134e5e0ecfc381991eea55fe017ccfdd_cobalt-strike_cobaltstrike.exe C:\Windows\System\rxoPrfM.exe
PID 4764 wrote to memory of 4312 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_134e5e0ecfc381991eea55fe017ccfdd_cobalt-strike_cobaltstrike.exe C:\Windows\System\nGdQVYO.exe
PID 4764 wrote to memory of 4312 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_134e5e0ecfc381991eea55fe017ccfdd_cobalt-strike_cobaltstrike.exe C:\Windows\System\nGdQVYO.exe
PID 4764 wrote to memory of 968 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_134e5e0ecfc381991eea55fe017ccfdd_cobalt-strike_cobaltstrike.exe C:\Windows\System\uRGNDDe.exe
PID 4764 wrote to memory of 968 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_134e5e0ecfc381991eea55fe017ccfdd_cobalt-strike_cobaltstrike.exe C:\Windows\System\uRGNDDe.exe
PID 4764 wrote to memory of 4572 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_134e5e0ecfc381991eea55fe017ccfdd_cobalt-strike_cobaltstrike.exe C:\Windows\System\LoErQCg.exe
PID 4764 wrote to memory of 4572 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_134e5e0ecfc381991eea55fe017ccfdd_cobalt-strike_cobaltstrike.exe C:\Windows\System\LoErQCg.exe
PID 4764 wrote to memory of 4376 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_134e5e0ecfc381991eea55fe017ccfdd_cobalt-strike_cobaltstrike.exe C:\Windows\System\qJZdNby.exe
PID 4764 wrote to memory of 4376 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_134e5e0ecfc381991eea55fe017ccfdd_cobalt-strike_cobaltstrike.exe C:\Windows\System\qJZdNby.exe
PID 4764 wrote to memory of 1108 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_134e5e0ecfc381991eea55fe017ccfdd_cobalt-strike_cobaltstrike.exe C:\Windows\System\LFUHVVN.exe
PID 4764 wrote to memory of 1108 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_134e5e0ecfc381991eea55fe017ccfdd_cobalt-strike_cobaltstrike.exe C:\Windows\System\LFUHVVN.exe
PID 4764 wrote to memory of 1284 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_134e5e0ecfc381991eea55fe017ccfdd_cobalt-strike_cobaltstrike.exe C:\Windows\System\jZZVnes.exe
PID 4764 wrote to memory of 1284 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_134e5e0ecfc381991eea55fe017ccfdd_cobalt-strike_cobaltstrike.exe C:\Windows\System\jZZVnes.exe
PID 4764 wrote to memory of 4660 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_134e5e0ecfc381991eea55fe017ccfdd_cobalt-strike_cobaltstrike.exe C:\Windows\System\UYzKvUK.exe
PID 4764 wrote to memory of 4660 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_134e5e0ecfc381991eea55fe017ccfdd_cobalt-strike_cobaltstrike.exe C:\Windows\System\UYzKvUK.exe
PID 4764 wrote to memory of 4580 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_134e5e0ecfc381991eea55fe017ccfdd_cobalt-strike_cobaltstrike.exe C:\Windows\System\hmlwyKM.exe
PID 4764 wrote to memory of 4580 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_134e5e0ecfc381991eea55fe017ccfdd_cobalt-strike_cobaltstrike.exe C:\Windows\System\hmlwyKM.exe
PID 4764 wrote to memory of 4392 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_134e5e0ecfc381991eea55fe017ccfdd_cobalt-strike_cobaltstrike.exe C:\Windows\System\hYnZHEU.exe
PID 4764 wrote to memory of 4392 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_134e5e0ecfc381991eea55fe017ccfdd_cobalt-strike_cobaltstrike.exe C:\Windows\System\hYnZHEU.exe
PID 4764 wrote to memory of 4308 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_134e5e0ecfc381991eea55fe017ccfdd_cobalt-strike_cobaltstrike.exe C:\Windows\System\JutyFTL.exe
PID 4764 wrote to memory of 4308 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_134e5e0ecfc381991eea55fe017ccfdd_cobalt-strike_cobaltstrike.exe C:\Windows\System\JutyFTL.exe
PID 4764 wrote to memory of 1080 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_134e5e0ecfc381991eea55fe017ccfdd_cobalt-strike_cobaltstrike.exe C:\Windows\System\pZAFoLC.exe
PID 4764 wrote to memory of 1080 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_134e5e0ecfc381991eea55fe017ccfdd_cobalt-strike_cobaltstrike.exe C:\Windows\System\pZAFoLC.exe
PID 4764 wrote to memory of 4760 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_134e5e0ecfc381991eea55fe017ccfdd_cobalt-strike_cobaltstrike.exe C:\Windows\System\gpkvmJA.exe
PID 4764 wrote to memory of 4760 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_134e5e0ecfc381991eea55fe017ccfdd_cobalt-strike_cobaltstrike.exe C:\Windows\System\gpkvmJA.exe
PID 4764 wrote to memory of 4844 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_134e5e0ecfc381991eea55fe017ccfdd_cobalt-strike_cobaltstrike.exe C:\Windows\System\CiPAHPK.exe
PID 4764 wrote to memory of 4844 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_134e5e0ecfc381991eea55fe017ccfdd_cobalt-strike_cobaltstrike.exe C:\Windows\System\CiPAHPK.exe
PID 4764 wrote to memory of 1984 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_134e5e0ecfc381991eea55fe017ccfdd_cobalt-strike_cobaltstrike.exe C:\Windows\System\JpBEIdc.exe
PID 4764 wrote to memory of 1984 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_134e5e0ecfc381991eea55fe017ccfdd_cobalt-strike_cobaltstrike.exe C:\Windows\System\JpBEIdc.exe
PID 4764 wrote to memory of 4788 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_134e5e0ecfc381991eea55fe017ccfdd_cobalt-strike_cobaltstrike.exe C:\Windows\System\CJSQZmp.exe
PID 4764 wrote to memory of 4788 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_134e5e0ecfc381991eea55fe017ccfdd_cobalt-strike_cobaltstrike.exe C:\Windows\System\CJSQZmp.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-10_134e5e0ecfc381991eea55fe017ccfdd_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-10_134e5e0ecfc381991eea55fe017ccfdd_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\ugLpLxS.exe

C:\Windows\System\ugLpLxS.exe

C:\Windows\System\SvBdyZX.exe

C:\Windows\System\SvBdyZX.exe

C:\Windows\System\tbVkEyw.exe

C:\Windows\System\tbVkEyw.exe

C:\Windows\System\kNlZLir.exe

C:\Windows\System\kNlZLir.exe

C:\Windows\System\nBoAcBG.exe

C:\Windows\System\nBoAcBG.exe

C:\Windows\System\rxoPrfM.exe

C:\Windows\System\rxoPrfM.exe

C:\Windows\System\nGdQVYO.exe

C:\Windows\System\nGdQVYO.exe

C:\Windows\System\uRGNDDe.exe

C:\Windows\System\uRGNDDe.exe

C:\Windows\System\LoErQCg.exe

C:\Windows\System\LoErQCg.exe

C:\Windows\System\qJZdNby.exe

C:\Windows\System\qJZdNby.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4168,i,13281073920029625837,8253721632651544158,262144 --variations-seed-version --mojo-platform-channel-handle=4120 /prefetch:8

C:\Windows\System\LFUHVVN.exe

C:\Windows\System\LFUHVVN.exe

C:\Windows\System\jZZVnes.exe

C:\Windows\System\jZZVnes.exe

C:\Windows\System\UYzKvUK.exe

C:\Windows\System\UYzKvUK.exe

C:\Windows\System\hmlwyKM.exe

C:\Windows\System\hmlwyKM.exe

C:\Windows\System\hYnZHEU.exe

C:\Windows\System\hYnZHEU.exe

C:\Windows\System\JutyFTL.exe

C:\Windows\System\JutyFTL.exe

C:\Windows\System\pZAFoLC.exe

C:\Windows\System\pZAFoLC.exe

C:\Windows\System\gpkvmJA.exe

C:\Windows\System\gpkvmJA.exe

C:\Windows\System\CiPAHPK.exe

C:\Windows\System\CiPAHPK.exe

C:\Windows\System\JpBEIdc.exe

C:\Windows\System\JpBEIdc.exe

C:\Windows\System\CJSQZmp.exe

C:\Windows\System\CJSQZmp.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 144.107.17.2.in-addr.arpa udp
DE 3.120.209.58:8080 N/A tcp
US 8.8.8.8:53 20.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
DE 3.120.209.58:8080 N/A tcp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
DE 3.120.209.58:8080 N/A tcp
DE 3.120.209.58:8080 N/A tcp
US 8.8.8.8:53 24.73.42.20.in-addr.arpa udp
DE 3.120.209.58:8080 N/A tcp
DE 3.120.209.58:8080 N/A tcp

Files

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-10 01:38

Reported

2024-06-10 01:41

Platform

win7-20240221-en

Max time kernel

137s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-10_134e5e0ecfc381991eea55fe017ccfdd_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

UPX dump on OEP (original entry point)

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
(53 identical rows collapsed; no indicator, process or target recorded)

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_134e5e0ecfc381991eea55fe017ccfdd_cobalt-strike_cobaltstrike.exe N/A
(21 identical rows collapsed; every hit is attributed to the parent sample, with no indicator or target recorded)

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
(52 identical rows collapsed; no indicator, process or target recorded)

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\BVIXqxB.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_134e5e0ecfc381991eea55fe017ccfdd_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\biRxhbj.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_134e5e0ecfc381991eea55fe017ccfdd_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ZBzFzcU.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_134e5e0ecfc381991eea55fe017ccfdd_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\myTFoyO.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_134e5e0ecfc381991eea55fe017ccfdd_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\iPPPfeh.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_134e5e0ecfc381991eea55fe017ccfdd_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\HGESRAf.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_134e5e0ecfc381991eea55fe017ccfdd_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\bRIbTDi.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_134e5e0ecfc381991eea55fe017ccfdd_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\djvCTwf.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_134e5e0ecfc381991eea55fe017ccfdd_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\CEIrmuj.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_134e5e0ecfc381991eea55fe017ccfdd_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\FQtmdlt.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_134e5e0ecfc381991eea55fe017ccfdd_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\zNUYKPt.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_134e5e0ecfc381991eea55fe017ccfdd_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\UhXHwCz.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_134e5e0ecfc381991eea55fe017ccfdd_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\BBjXywO.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_134e5e0ecfc381991eea55fe017ccfdd_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\DjfFgAX.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_134e5e0ecfc381991eea55fe017ccfdd_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\JmgTmOn.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_134e5e0ecfc381991eea55fe017ccfdd_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\VuqEMwQ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_134e5e0ecfc381991eea55fe017ccfdd_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\JzGTDKJ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_134e5e0ecfc381991eea55fe017ccfdd_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\LNfIxmf.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_134e5e0ecfc381991eea55fe017ccfdd_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\BUiTyAK.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_134e5e0ecfc381991eea55fe017ccfdd_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\wjxooWM.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_134e5e0ecfc381991eea55fe017ccfdd_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\onblGCn.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_134e5e0ecfc381991eea55fe017ccfdd_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_134e5e0ecfc381991eea55fe017ccfdd_cobalt-strike_cobaltstrike.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_134e5e0ecfc381991eea55fe017ccfdd_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
(the log records three writes into each child; the three identical rows per child are collapsed to one)
PID 2904 wrote to memory of 2864 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_134e5e0ecfc381991eea55fe017ccfdd_cobalt-strike_cobaltstrike.exe C:\Windows\System\HGESRAf.exe
PID 2904 wrote to memory of 2960 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_134e5e0ecfc381991eea55fe017ccfdd_cobalt-strike_cobaltstrike.exe C:\Windows\System\onblGCn.exe
PID 2904 wrote to memory of 2640 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_134e5e0ecfc381991eea55fe017ccfdd_cobalt-strike_cobaltstrike.exe C:\Windows\System\VuqEMwQ.exe
PID 2904 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_134e5e0ecfc381991eea55fe017ccfdd_cobalt-strike_cobaltstrike.exe C:\Windows\System\BVIXqxB.exe
PID 2904 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_134e5e0ecfc381991eea55fe017ccfdd_cobalt-strike_cobaltstrike.exe C:\Windows\System\zNUYKPt.exe
PID 2904 wrote to memory of 2400 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_134e5e0ecfc381991eea55fe017ccfdd_cobalt-strike_cobaltstrike.exe C:\Windows\System\JzGTDKJ.exe
PID 2904 wrote to memory of 2716 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_134e5e0ecfc381991eea55fe017ccfdd_cobalt-strike_cobaltstrike.exe C:\Windows\System\biRxhbj.exe
PID 2904 wrote to memory of 2420 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_134e5e0ecfc381991eea55fe017ccfdd_cobalt-strike_cobaltstrike.exe C:\Windows\System\ZBzFzcU.exe
PID 2904 wrote to memory of 2364 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_134e5e0ecfc381991eea55fe017ccfdd_cobalt-strike_cobaltstrike.exe C:\Windows\System\LNfIxmf.exe
PID 2904 wrote to memory of 2384 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_134e5e0ecfc381991eea55fe017ccfdd_cobalt-strike_cobaltstrike.exe C:\Windows\System\BUiTyAK.exe
PID 2904 wrote to memory of 2876 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_134e5e0ecfc381991eea55fe017ccfdd_cobalt-strike_cobaltstrike.exe C:\Windows\System\FQtmdlt.exe
PID 2904 wrote to memory of 2880 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_134e5e0ecfc381991eea55fe017ccfdd_cobalt-strike_cobaltstrike.exe C:\Windows\System\bRIbTDi.exe
PID 2904 wrote to memory of 1388 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_134e5e0ecfc381991eea55fe017ccfdd_cobalt-strike_cobaltstrike.exe C:\Windows\System\myTFoyO.exe
PID 2904 wrote to memory of 1384 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_134e5e0ecfc381991eea55fe017ccfdd_cobalt-strike_cobaltstrike.exe C:\Windows\System\iPPPfeh.exe
PID 2904 wrote to memory of 572 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_134e5e0ecfc381991eea55fe017ccfdd_cobalt-strike_cobaltstrike.exe C:\Windows\System\UhXHwCz.exe
PID 2904 wrote to memory of 1916 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_134e5e0ecfc381991eea55fe017ccfdd_cobalt-strike_cobaltstrike.exe C:\Windows\System\BBjXywO.exe
PID 2904 wrote to memory of 2560 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_134e5e0ecfc381991eea55fe017ccfdd_cobalt-strike_cobaltstrike.exe C:\Windows\System\DjfFgAX.exe
PID 2904 wrote to memory of 2584 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_134e5e0ecfc381991eea55fe017ccfdd_cobalt-strike_cobaltstrike.exe C:\Windows\System\djvCTwf.exe
PID 2904 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_134e5e0ecfc381991eea55fe017ccfdd_cobalt-strike_cobaltstrike.exe C:\Windows\System\CEIrmuj.exe
PID 2904 wrote to memory of 1936 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_134e5e0ecfc381991eea55fe017ccfdd_cobalt-strike_cobaltstrike.exe C:\Windows\System\JmgTmOn.exe
PID 2904 wrote to memory of 1968 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_134e5e0ecfc381991eea55fe017ccfdd_cobalt-strike_cobaltstrike.exe C:\Windows\System\wjxooWM.exe
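
The drop-and-spawn chain recorded in the three tables above (a parent running from the user's Temp folder creates 21 seven-letter executables under C:\Windows\System and starts each one; the SeLockMemoryPrivilege request is the one XMRig makes to get large pages, but database servers ask for the same privilege, so on its own it corroborates rather than proves) can be turned into a hunt over process-creation telemetry. The script below is an added example, not part of the sandbox report. It runs over constructed Sysmon-style events that reuse the PIDs and image paths from this report with invented timestamps, an invented explorer.exe parent and two benign rows, and applies two rules: anything executed out of the legacy C:\Windows\System folder (not System32), and the stronger chain of a Temp-resident parent launching several such children inside a short window.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\2024-06-10_134e5e0ecfc381991eea55fe017ccfdd_cobalt-strike_cobaltstrike.exe")

# Constructed process-creation events (timestamp, pid, image, parent pid,
# parent image), the fields a parsed Sysmon Event ID 1 record carries.
# PIDs and image paths come from this report; the timestamps, the
# explorer.exe parent and the two benign rows are invented for the example.
EVENTS = [
    ("2024-06-10T01:39:00", 2904, SAMPLE, 1234, r"C:\Windows\explorer.exe"),
    ("2024-06-10T01:39:01", 2864, r"C:\Windows\System\HGESRAf.exe", 2904, SAMPLE),
    ("2024-06-10T01:39:01", 2960, r"C:\Windows\System\onblGCn.exe", 2904, SAMPLE),
    ("2024-06-10T01:39:02", 2640, r"C:\Windows\System\VuqEMwQ.exe", 2904, SAMPLE),
    ("2024-06-10T01:39:02", 2520, r"C:\Windows\System\BVIXqxB.exe", 2904, SAMPLE),
    ("2024-06-10T01:39:03", 2672, r"C:\Windows\System\zNUYKPt.exe", 2904, SAMPLE),
    ("2024-06-10T01:39:03", 2400, r"C:\Windows\System\JzGTDKJ.exe", 2904, SAMPLE),
    # Benign noise that must not trigger rule 2: System32 is not the legacy
    # System folder, and a Temp-launched installer starting one helper is routine.
    ("2024-06-10T01:39:05", 3000, r"C:\Windows\System32\conhost.exe", 2904, SAMPLE),
    ("2024-06-10T01:45:00", 3100, r"C:\Windows\System\abcdefg.exe", 3050,
     r"C:\Users\Admin\AppData\Local\Temp\setup.exe"),
]

TEMP_PARENT = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
# C:\Windows\System (the legacy 16-bit folder), deliberately not System32/SysWOW64.
LEGACY_SYSTEM_EXE = re.compile(r"^C:\\Windows\\System\\[^\\]+\.exe$", re.IGNORECASE)
# The naming seen in this report: exactly seven ASCII letters, mixed case.
SEVEN_LETTER_NAME = re.compile(r"\\[A-Za-z]{7}\.exe$")


def executables_in_legacy_system_dir(events):
    r"""Rule 1: any executable launched from C:\Windows\System\ deserves a look
    on its own; a stock install does not start programs from there.
    Returns the sorted set of matching image paths."""
    return sorted({e[2] for e in events if LEGACY_SYSTEM_EXE.match(e[2])})


def temp_parent_spawning_random_drops(events, min_children=5, window=timedelta(minutes=2)):
    r"""Rule 2: a parent running out of %LOCALAPPDATA%\Temp that starts at least
    min_children distinct seven-letter executables from C:\Windows\System\
    within `window`. Returns {parent_pid: sorted child images} for each hit."""
    by_parent = defaultdict(list)
    for ts, _pid, image, ppid, pimage in events:
        if (TEMP_PARENT.search(pimage) and LEGACY_SYSTEM_EXE.match(image)
                and SEVEN_LETTER_NAME.search(image)):
            by_parent[ppid].append((datetime.fromisoformat(ts), image))
    hits = {}
    for ppid, children in by_parent.items():
        children.sort()
        # Slide a window of min_children launches over the ordered list and
        # flag the parent if any such run fits inside `window`.
        for i in range(len(children) - min_children + 1):
            if children[i + min_children - 1][0] - children[i][0] <= window:
                hits[ppid] = sorted({img for _, img in children})
                break
    return hits


if __name__ == "__main__":
    print("rule 1:", executables_in_legacy_system_dir(EVENTS))
    print("rule 2:", temp_parent_spawning_random_drops(EVENTS))
```

Rule 1 fires on the single abcdefg.exe from the benign installer as well; rule 2 does not, because one child within the window is not a burst. Tune min_children and window to the telemetry volume of the estate, and feed both rules from the same event stream so the cheaper rule 1 is the triage queue and rule 2 the alert.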

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-10_134e5e0ecfc381991eea55fe017ccfdd_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-10_134e5e0ecfc381991eea55fe017ccfdd_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\HGESRAf.exe

C:\Windows\System\HGESRAf.exe

C:\Windows\System\onblGCn.exe

C:\Windows\System\onblGCn.exe

C:\Windows\System\VuqEMwQ.exe

C:\Windows\System\VuqEMwQ.exe

C:\Windows\System\BVIXqxB.exe

C:\Windows\System\BVIXqxB.exe

C:\Windows\System\zNUYKPt.exe

C:\Windows\System\zNUYKPt.exe

C:\Windows\System\JzGTDKJ.exe

C:\Windows\System\JzGTDKJ.exe

C:\Windows\System\biRxhbj.exe

C:\Windows\System\biRxhbj.exe

C:\Windows\System\ZBzFzcU.exe

C:\Windows\System\ZBzFzcU.exe

C:\Windows\System\LNfIxmf.exe

C:\Windows\System\LNfIxmf.exe

C:\Windows\System\BUiTyAK.exe

C:\Windows\System\BUiTyAK.exe

C:\Windows\System\FQtmdlt.exe

C:\Windows\System\FQtmdlt.exe

C:\Windows\System\bRIbTDi.exe

C:\Windows\System\bRIbTDi.exe

C:\Windows\System\myTFoyO.exe

C:\Windows\System\myTFoyO.exe

C:\Windows\System\iPPPfeh.exe

C:\Windows\System\iPPPfeh.exe

C:\Windows\System\UhXHwCz.exe

C:\Windows\System\UhXHwCz.exe

C:\Windows\System\BBjXywO.exe

C:\Windows\System\BBjXywO.exe

C:\Windows\System\DjfFgAX.exe

C:\Windows\System\DjfFgAX.exe

C:\Windows\System\djvCTwf.exe

C:\Windows\System\djvCTwf.exe

C:\Windows\System\CEIrmuj.exe

C:\Windows\System\CEIrmuj.exe

C:\Windows\System\JmgTmOn.exe

C:\Windows\System\JmgTmOn.exe

C:\Windows\System\wjxooWM.exe

C:\Windows\System\wjxooWM.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 N/A tcp
(6 identical rows collapsed; no domain was recorded, the sample connects to the IP directly)

Files

memory/2904-0-0x000000013FBA0000-0x000000013FEF4000-memory.dmp

memory/2904-1-0x00000000002F0000-0x0000000000300000-memory.dmp

\Windows\system\HGESRAf.exe

MD5 58f2cd684f152333a60b0d34bcdaa4fd
SHA1 773a78e11e0b1830514f363f74def1474c14fed6
SHA256 b1eff3967f2ebd97ead74bb29d8b81c5c912dd458f130541d4281db00b841828
SHA512 d61fbaf8b1ada272a39e84ad9ce1b65f2eba158f5e0ce5cefc71fff244dfa4db1eb1e8d8d69f289fcca5b02f25f9f0fead892c90e882d8c1c9e309d5058cd82e

\Windows\system\onblGCn.exe

MD5 d99d174b84b1bd8a4effe2536623325f
SHA1 b5d9afc557a1832a5fa097adac8a2ed0d0678980
SHA256 f1b183d9fd83a9baeb5c41803d03640a80493abf835f30d084774e1ffe0cc32e
SHA512 8f7f87c7760cf41cfedf8afc715c8da1a674f9a654d4ef52aef570b7c5973a85ef581bd6860d49219ba92e4b9a6b789564a77a0dc30046283069a691351d2541

memory/2904-21-0x0000000002210000-0x0000000002564000-memory.dmp

memory/2904-15-0x000000013F570000-0x000000013F8C4000-memory.dmp

C:\Windows\system\BVIXqxB.exe

MD5 f9bcdfd233d4aedd7f75fb26c432e09f
SHA1 b23a19323f92ce1c8b26d9d908d4501adbce2edf
SHA256 81329595d59f692828ec79f1e9fff7da24418a0afb77c3e7083e949b89abad2f
SHA512 5b80f8809e5bceb8e2848ba9bf152dc0f34ccf2398d1981f5b416148345cbb3c6003c21ded246c8dda4253cb5d3f7d60e22d697771df858b8ec27aea08dceca4

\Windows\system\zNUYKPt.exe

MD5 25624ca23221c712770d77d9aecfc94d
SHA1 2f1ba1bb3ec7a853e3089c7e3b40e8716cfdafa4
SHA256 93478d6b4a7045328552dedcc300cb146a601268adad7f5bc258bf37b5a62ca8
SHA512 9e6214f6435c9ed69c677dd914349da5d7e4eb4372cc78afaf841cf7cf270e0721aadbc2b77d9d0e5d174b63a8964ff76600bc78776f67d273028e5a91b53055

memory/2904-30-0x000000013FF50000-0x00000001402A4000-memory.dmp

memory/2520-28-0x000000013FF20000-0x0000000140274000-memory.dmp

memory/2904-26-0x000000013FF20000-0x0000000140274000-memory.dmp

memory/2640-25-0x000000013FB00000-0x000000013FE54000-memory.dmp

memory/2960-13-0x000000013F570000-0x000000013F8C4000-memory.dmp

C:\Windows\system\VuqEMwQ.exe

MD5 f83b915e1e24894e4d3d6badf76c47d1
SHA1 639c212cca7d57e38589f7176dd1b1684b027f34
SHA256 003d6c46a45b2c2a3f02d6ff375f0ce7adb960b06af52108c8f583c24842c483
SHA512 559cc7ccdc244dbc405cafd3e3c24d81d83c51446b9bbdc682e31af712e6a9f90a4771acb8e4ac7ebf04ef45e8f76092aa7748bcdd5a364c465609b860a1c4be

memory/2864-12-0x000000013F400000-0x000000013F754000-memory.dmp

C:\Windows\system\ZBzFzcU.exe

MD5 b61663c6e5c95c90005a10818ad04dde
SHA1 f9bbccb29c439cfcffe8e91170b4fc45b4024dfa
SHA256 558cdadc51ed56d63b32eac80d12b48792b36ea84f445131529f591571f30e7d
SHA512 7c9df3915f5bc3a7985ff999c3c57c600bd68734f0e0d0a2fe3d230654050463ac18a3d8ef000f1c7df1ff4bc503f3c2f8bdc0030cb37cf95005510d76948641

C:\Windows\system\LNfIxmf.exe

MD5 9f42f719982f19bde99dcc643d34c2a4
SHA1 c7d53d9dcec6101d1dd0eac20abdc6079d466d51
SHA256 60aa864e65ac78c9139aea380343dd93aec0a097a3c91f81a49e799f3fe35293
SHA512 c65f40122ec75ca9aee0ddc5cba6a68a62600c0fc2ee0661d5b67858ba2fdf1a8bec9eb657a03870ffe6395e76348ed5f3101e3065b87cb59d5b1a0172396085

memory/2904-122-0x000000013F7D0000-0x000000013FB24000-memory.dmp

C:\Windows\system\myTFoyO.exe

MD5 480ebb265c8c8b31e34aaf4b48405911
SHA1 2f1ba29f911a292f1a8b91cc21420981a7c49368
SHA256 0ba6d0a6a3d9e9f2d1152cbf7372b55b9e3f06772462f81ff283dbcd6fa8f092
SHA512 4e5462056291bda68a2d1cc99b20cd136f6788347593491da2d48e7030b9a272263f157a3c5b14ee7637153a4b0b3ad8d0d699451a628e6d7e540753c7d7879f

memory/1388-109-0x000000013F9B0000-0x000000013FD04000-memory.dmp

memory/2384-108-0x000000013F910000-0x000000013FC64000-memory.dmp

\Windows\system\JmgTmOn.exe

MD5 0a57b43f3f20ac327599a2b9c2503c28
SHA1 8ab2add71368c26c891e200e8dc58579b9aa3e43
SHA256 e19c89c8f0d04527d0bf5437900875516a6d2070821c5d0fa12cec0a9a589173
SHA512 afcc391efe83ba7d9345d2027193033f31fb3be646e5f48d0e269480d2fd3b40a8b418e75cca4b3b351c8a4632e09e10f7393d1b54fabbff00fa57188401544f

C:\Windows\system\DjfFgAX.exe

MD5 e86b8b7355c66f281211091a937ed308
SHA1 395f57e0cffd55c60806fd90d9a52ea09879d8ff
SHA256 0aeec469527cf0b56136684d576f8c5f7cd9c06f4eccc32f8a2144e22fa662d0
SHA512 0ea7b1f4ad8c5b07e7f1f59a20d3d788e9bda9e716c569bc73ea7db4d3de273b95c45b5c16b3800233f9086a0b1faaef8d54d3403142d4a62b3776ee5e269275

\Windows\system\djvCTwf.exe

MD5 075020d56bc0f832b761d608596458bc
SHA1 ba73dc48417bfc62ff94951855fe8d385bfb6d3c
SHA256 4e88384bdb900ac11a4c06f83765519317db35e3feba5113583e230559938865
SHA512 27026925d349c44c314672d97e29fc0cc1b6a2d82223c0be4a9fbf2e39d8dc7a68a10ad817b3f5460b13e0365d932dc5cf5a5287c65dbc013634cc453891ca47

\Windows\system\BBjXywO.exe

MD5 cf56e59a5f56b2fc8b96de897c5bdeff
SHA1 cd370916373c5ea321aece4ccef7401056274eef
SHA256 f58eff14a79fe847a1c8ded7b03eb4797721735757c22f102cf5440d60f262c2
SHA512 a9d4628dbc39ac29a42b07c306444752684a3c33713e8386c4ecdce595480dfe663829232daa8b0b8adf93bd75086abfc466781b38fa784bce142b78d1562b1d

memory/2904-125-0x000000013F540000-0x000000013F894000-memory.dmp

memory/2904-124-0x000000013FFF0000-0x0000000140344000-memory.dmp

memory/2904-123-0x000000013F280000-0x000000013F5D4000-memory.dmp

memory/2400-121-0x000000013FA70000-0x000000013FDC4000-memory.dmp

memory/2904-120-0x000000013F0E0000-0x000000013F434000-memory.dmp

memory/2904-119-0x0000000002210000-0x0000000002564000-memory.dmp

memory/572-118-0x000000013F0E0000-0x000000013F434000-memory.dmp

C:\Windows\system\wjxooWM.exe

MD5 c3c16666b8f8e771bc5500a2d8a0795b
SHA1 54f350edb236d9163a8c8a5eda4ebad7c7a1b25d
SHA256 7687e4886a5071cb8cbe7e68ff474ea9cce46ad33dcc5b8eadabe162878a1422
SHA512 54b4e4fe23404d8590b3ae0b5634b0bb72afd6ad6d320981fd040852b210897e36652bc473fb3ea7ec893e216bbce791ac297221c8f6d5d3066fbade850a5d46

C:\Windows\system\iPPPfeh.exe

MD5 32e348e02d7e1f5471d82301b4184938
SHA1 e9fb09eea2b57372899629b528ee6c4742c0611a
SHA256 4c30baee276bba20ea2a95dc065a6d72fb0ec1eea23b696a09867fc9675f09c9
SHA512 9589fd82d6743432b10f276bca0e66902c3d5e4cf1e18eae946b406daba55448439928374332677a71c06fa66a7819b3893c129e43222b5ecce5162991190348

C:\Windows\system\bRIbTDi.exe

MD5 bf752aec4f56bce0e395f498286a7b4f
SHA1 9d490f85f292aca86419cc780ebab8520ae5c96c
SHA256 9ba40dfe7c716b1f984e8a7dd2559e09ea5d9f283c902bb37c2b51507e7a09d2
SHA512 594796219057a7fac050b358e28e3eaa69b7e2e00d22ddf117ac38cf25a1fac7b8ad4ace0cd294015af7c2e35214a99fb2adf75725629ace38189219587de436

C:\Windows\system\BUiTyAK.exe

MD5 06f88b4045f17aecfa49dc4a45394b9a
SHA1 187c39207534481017933fba62f096038fc8184f
SHA256 a846d3eb311a2a6f96d96af73b267e856e8dc7a1731c5c4ac1901dbddda5da57
SHA512 828418cb322fb328e9d8759dac2d5a0d99ecdae0f369aba4ed23c840c01768abb1d6eddba1200dfb8b7d03137483a6aee44179b4448d17371f37fcb9023f207b

memory/2904-106-0x0000000002210000-0x0000000002564000-memory.dmp

memory/2904-133-0x000000013FBA0000-0x000000013FEF4000-memory.dmp

C:\Windows\system\CEIrmuj.exe

MD5 e8e4860a21df1e8298371708c3eea0fb
SHA1 675696560bab9c3e53c4359db9ee86f486445364
SHA256 229b4e9159d75d2fda6910156ab33dc3991218ec91361df42a8f8e772b81af92
SHA512 781c4d310b62655725e3e06b9e20c21d91e161ba778426abbd054e1377ff3198934b3b9df4f7c0160e97954fcb3c48078c287a10d33b1058a7505f94571260a4

memory/2876-103-0x000000013F280000-0x000000013F5D4000-memory.dmp

memory/2420-102-0x000000013F7D0000-0x000000013FB24000-memory.dmp

memory/2364-93-0x000000013FD10000-0x0000000140064000-memory.dmp

C:\Windows\system\UhXHwCz.exe

MD5 7b505a7d9ce4a65639e1965adbc5ccd6
SHA1 b2e65982da875e1fa2216218d672d76c0e5700cf
SHA256 65d2191d2004bcebabdf4908ae64385f280eab4a9d2bae44eafc891a800a8abb
SHA512 96940180aa105e2a1d5f74527bfe84b51087ce1475bc90d718d087b049b967b4395862c6c079d89758aa0e840f2c2fcc3d73e4e284a09179507d590712f1e6c5

memory/2904-75-0x0000000002210000-0x0000000002564000-memory.dmp

memory/2904-58-0x0000000002210000-0x0000000002564000-memory.dmp

memory/2904-64-0x0000000002210000-0x0000000002564000-memory.dmp

memory/2960-134-0x000000013F570000-0x000000013F8C4000-memory.dmp

memory/2716-63-0x000000013F0E0000-0x000000013F434000-memory.dmp

C:\Windows\system\FQtmdlt.exe

MD5 71308f16bf2b568db09e60ae402425f8
SHA1 ee80b99258375cc84108dc998496e27997657978
SHA256 59fbc0482758c07fb84fd989289a80b550fa3a2d67ef5968768a173e60bd405f
SHA512 9ad8ce1188d84327081c181c99ccbf277eada12671d3621b9c5942f4feac178d91a05e68cfbfd8aa800bed33d0fc0e4048a404d66511fb761e517b6f98c29455

memory/2672-46-0x000000013FF50000-0x00000001402A4000-memory.dmp

C:\Windows\system\biRxhbj.exe

MD5 02040d8978e84f9d3d2de1f3786cf4e8
SHA1 a29ef10ea67042718f313fa5e5745f788a66b515
SHA256 356258f570bf70d6745c0fcf4ca36c0d5cfc4224109aa8efcbd05700072f6c57
SHA512 338e6e76b0cf543f076c87f860381ed3d89a64c04b3666b7d68a7389e0eebbd1f2f766eda563afc0004e9a0bd645d175626d602d2b0142c034cb311a61ea1f23

C:\Windows\system\JzGTDKJ.exe

MD5 5ccfc0abd734e4b5d863c560fa80f704
SHA1 a49b44e48cdaa76c8d04b139fe06206f3fc3828e
SHA256 e2485aa6c745f3b644adf324c3b35e38914103588bd2d6bda95d60306b734a4a
SHA512 7da9aeb73320d5c91b277aef2e0b7fb91eb22f602541b994647b6e722efa37384b6c2d07f3799a68abadbeed772c558690b93379d4c5874d4f7293982793cedc

memory/2904-136-0x0000000002210000-0x0000000002564000-memory.dmp

memory/2520-137-0x000000013FF20000-0x0000000140274000-memory.dmp

memory/2672-138-0x000000013FF50000-0x00000001402A4000-memory.dmp

memory/2864-139-0x000000013F400000-0x000000013F754000-memory.dmp

memory/2960-140-0x000000013F570000-0x000000013F8C4000-memory.dmp

memory/2640-141-0x000000013FB00000-0x000000013FE54000-memory.dmp

memory/2520-142-0x000000013FF20000-0x0000000140274000-memory.dmp

memory/2400-145-0x000000013FA70000-0x000000013FDC4000-memory.dmp

memory/2672-144-0x000000013FF50000-0x00000001402A4000-memory.dmp

memory/2716-143-0x000000013F0E0000-0x000000013F434000-memory.dmp

memory/2364-148-0x000000013FD10000-0x0000000140064000-memory.dmp

memory/2876-147-0x000000013F280000-0x000000013F5D4000-memory.dmp

memory/572-151-0x000000013F0E0000-0x000000013F434000-memory.dmp

memory/1388-150-0x000000013F9B0000-0x000000013FD04000-memory.dmp

memory/2384-149-0x000000013F910000-0x000000013FC64000-memory.dmp

memory/2420-146-0x000000013F7D0000-0x000000013FB24000-memory.dmp
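
The Files section above lists every dropped binary with four hashes, in the sandbox's own layout of a path line followed by MD5/SHA1/SHA256/SHA512 lines, interleaved with memory dump entries. The script below is added here and is not part of the report: it parses that layout from an excerpt copied verbatim from this report, rejects hashes whose length does not fit their algorithm (a cheap guard against copy damage from a web page), and scans a directory tree for files whose SHA256 is in the set. The temporary directory, the planted file and the synthetic IOC entry built for it inside demo_scan are constructed so the example runs offline; matching is done on SHA256 rather than on the seven-letter names, which are specific to this detonation.

```python
import hashlib
import os
import re
import tempfile

# Excerpt copied from the behavioral1 Files section of this report. The
# memory/... lines are kept on purpose so the parser has to skip them.
REPORT_EXCERPT = """\
memory/2904-0-0x000000013FBA0000-0x000000013FEF4000-memory.dmp

\\Windows\\system\\HGESRAf.exe

MD5 58f2cd684f152333a60b0d34bcdaa4fd
SHA1 773a78e11e0b1830514f363f74def1474c14fed6
SHA256 b1eff3967f2ebd97ead74bb29d8b81c5c912dd458f130541d4281db00b841828
SHA512 d61fbaf8b1ada272a39e84ad9ce1b65f2eba158f5e0ce5cefc71fff244dfa4db1eb1e8d8d69f289fcca5b02f25f9f0fead892c90e882d8c1c9e309d5058cd82e

C:\\Windows\\system\\BVIXqxB.exe

MD5 f9bcdfd233d4aedd7f75fb26c432e09f
SHA1 b23a19323f92ce1c8b26d9d908d4501adbce2edf
SHA256 81329595d59f692828ec79f1e9fff7da24418a0afb77c3e7083e949b89abad2f
SHA512 5b80f8809e5bceb8e2848ba9bf152dc0f34ccf2398d1981f5b416148345cbb3c6003c21ded246c8dda4253cb5d3f7d60e22d697771df858b8ec27aea08dceca4

memory/2904-21-0x0000000002210000-0x0000000002564000-memory.dmp
"""

HASH_LINE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-fA-F]+)$")
HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}


def parse_files_section(text):
    """Return one dict per dropped file: {'path', 'name', 'MD5', 'SHA1', ...}.
    Memory dump lines are skipped; a hash line that arrives without a
    preceding path, or with the wrong digest length, raises instead of
    silently producing a bad indicator."""
    entries, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HASH_LINE.match(line)
        if m:
            algo, digest = m.group(1), m.group(2).lower()
            if current is None or len(digest) != HASH_LEN[algo]:
                raise ValueError(f"unexpected hash line: {line}")
            current[algo] = digest
            continue
        if line.startswith("memory/"):
            current = None          # dump entries carry no hashes
            continue
        current = {"path": line, "name": line.rsplit("\\", 1)[-1]}
        entries.append(current)
    return entries


def sha256_of(path, chunk=1 << 20):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def scan_tree(root, entries):
    """Hash every regular file under `root` and return (path, entry) for each
    file whose SHA256 appears in the parsed report entries."""
    wanted = {e["SHA256"]: e for e in entries if "SHA256" in e}
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            p = os.path.join(dirpath, fn)
            try:
                digest = sha256_of(p)
            except OSError:
                continue            # unreadable or vanished file, skip it
            if digest in wanted:
                hits.append((p, wanted[digest]))
    return hits


def demo_scan():
    """Offline demonstration: plant a constructed file, add its hash to the
    IOC list as a synthetic entry, scan, and return the matched file names."""
    entries = parse_files_section(REPORT_EXCERPT)
    with tempfile.TemporaryDirectory() as root:
        planted = os.path.join(root, "planted.exe")
        with open(planted, "wb") as f:
            f.write(b"constructed stand-in for a dropped binary")
        with open(os.path.join(root, "clean.txt"), "wb") as f:
            f.write(b"nothing to see here")
        entries.append({"path": "synthetic", "name": "synthetic", "SHA256": sha256_of(planted)})
        return [os.path.basename(p) for p, _ in scan_tree(root, entries)]


if __name__ == "__main__":
    for e in parse_files_section(REPORT_EXCERPT):
        print(e["name"], e["SHA256"])
    print("demo matches:", demo_scan())
```

To use it against a real host, feed parse_files_section the complete Files section and point scan_tree at C:\Windows\System (or the whole system drive); note that the report writes the same folder both as \Windows\system\... and C:\Windows\system\..., so compare on the name or hash, not on the raw path string.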