Malware Analysis Report

2024-10-16 03:05

Sample ID 240610-bmn5msaf49
Target 2024-06-10_9f176d5050a214bd78ff026da96be5e3_cobalt-strike_cobaltstrike
SHA256 2e5ede3a0a1efd26cea95a269008368ad9d376e80f3cbcab01f5665d32cc4074
Tags
cobaltstrike xmrig 0 backdoor miner trojan upx
score
10/10

Analysis Overview

score
10/10

SHA256

2e5ede3a0a1efd26cea95a269008368ad9d376e80f3cbcab01f5665d32cc4074

Threat Level: Known bad

The file 2024-06-10_9f176d5050a214bd78ff026da96be5e3_cobalt-strike_cobaltstrike was found to be: Known bad.

Malicious Activity Summary

cobaltstrike xmrig 0 backdoor miner trojan upx

Cobalt Strike reflective loader

Cobaltstrike family

Xmrig family

Detects Reflective DLL injection artifacts

Cobaltstrike

xmrig

XMRig Miner payload

UPX dump on OEP (original entry point)

UPX packed file

Loads dropped DLL

Executes dropped EXE

Drops file in Windows directory

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-10 01:15

Signatures

Cobalt Strike reflective loader

Cobaltstrike family

cobaltstrike

Detects Reflective DLL injection artifacts

UPX dump on OEP (original entry point)

XMRig Miner payload

miner

Xmrig family

xmrig

UPX packed file

upx

Unsigned PE

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-10 01:15

Reported

2024-06-10 01:18

Platform

win10v2004-20240508-en

Max time kernel

145s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-10_9f176d5050a214bd78ff026da96be5e3_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

UPX dump on OEP (original entry point)

XMRig Miner payload

miner

UPX packed file

upx

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\REKwFnY.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_9f176d5050a214bd78ff026da96be5e3_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\wmphibY.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_9f176d5050a214bd78ff026da96be5e3_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\UPVxJBu.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_9f176d5050a214bd78ff026da96be5e3_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\cwXmtVN.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_9f176d5050a214bd78ff026da96be5e3_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\qEdLikS.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_9f176d5050a214bd78ff026da96be5e3_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\yCLwzFU.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_9f176d5050a214bd78ff026da96be5e3_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\zFJRhcI.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_9f176d5050a214bd78ff026da96be5e3_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\LpfcxJZ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_9f176d5050a214bd78ff026da96be5e3_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\anQhADE.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_9f176d5050a214bd78ff026da96be5e3_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\crygtgs.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_9f176d5050a214bd78ff026da96be5e3_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\XhTBwEP.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_9f176d5050a214bd78ff026da96be5e3_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\TlALFKQ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_9f176d5050a214bd78ff026da96be5e3_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\YEboFkx.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_9f176d5050a214bd78ff026da96be5e3_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\peQmdVk.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_9f176d5050a214bd78ff026da96be5e3_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\iWglrnh.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_9f176d5050a214bd78ff026da96be5e3_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\UJubOTj.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_9f176d5050a214bd78ff026da96be5e3_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\YLBCZiv.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_9f176d5050a214bd78ff026da96be5e3_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\SbgSoBh.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_9f176d5050a214bd78ff026da96be5e3_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\TViSjzh.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_9f176d5050a214bd78ff026da96be5e3_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\XrdKsoo.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_9f176d5050a214bd78ff026da96be5e3_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\pNKfEkU.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_9f176d5050a214bd78ff026da96be5e3_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_9f176d5050a214bd78ff026da96be5e3_cobalt-strike_cobaltstrike.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_9f176d5050a214bd78ff026da96be5e3_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3672 wrote to memory of 5044 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_9f176d5050a214bd78ff026da96be5e3_cobalt-strike_cobaltstrike.exe C:\Windows\System\TlALFKQ.exe
PID 3672 wrote to memory of 5044 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_9f176d5050a214bd78ff026da96be5e3_cobalt-strike_cobaltstrike.exe C:\Windows\System\TlALFKQ.exe
PID 3672 wrote to memory of 5112 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_9f176d5050a214bd78ff026da96be5e3_cobalt-strike_cobaltstrike.exe C:\Windows\System\REKwFnY.exe
PID 3672 wrote to memory of 5112 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_9f176d5050a214bd78ff026da96be5e3_cobalt-strike_cobaltstrike.exe C:\Windows\System\REKwFnY.exe
PID 3672 wrote to memory of 628 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_9f176d5050a214bd78ff026da96be5e3_cobalt-strike_cobaltstrike.exe C:\Windows\System\UJubOTj.exe
PID 3672 wrote to memory of 628 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_9f176d5050a214bd78ff026da96be5e3_cobalt-strike_cobaltstrike.exe C:\Windows\System\UJubOTj.exe
PID 3672 wrote to memory of 212 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_9f176d5050a214bd78ff026da96be5e3_cobalt-strike_cobaltstrike.exe C:\Windows\System\YLBCZiv.exe
PID 3672 wrote to memory of 212 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_9f176d5050a214bd78ff026da96be5e3_cobalt-strike_cobaltstrike.exe C:\Windows\System\YLBCZiv.exe
PID 3672 wrote to memory of 4212 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_9f176d5050a214bd78ff026da96be5e3_cobalt-strike_cobaltstrike.exe C:\Windows\System\zFJRhcI.exe
PID 3672 wrote to memory of 4212 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_9f176d5050a214bd78ff026da96be5e3_cobalt-strike_cobaltstrike.exe C:\Windows\System\zFJRhcI.exe
PID 3672 wrote to memory of 3184 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_9f176d5050a214bd78ff026da96be5e3_cobalt-strike_cobaltstrike.exe C:\Windows\System\wmphibY.exe
PID 3672 wrote to memory of 3184 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_9f176d5050a214bd78ff026da96be5e3_cobalt-strike_cobaltstrike.exe C:\Windows\System\wmphibY.exe
PID 3672 wrote to memory of 3940 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_9f176d5050a214bd78ff026da96be5e3_cobalt-strike_cobaltstrike.exe C:\Windows\System\SbgSoBh.exe
PID 3672 wrote to memory of 3940 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_9f176d5050a214bd78ff026da96be5e3_cobalt-strike_cobaltstrike.exe C:\Windows\System\SbgSoBh.exe
PID 3672 wrote to memory of 2056 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_9f176d5050a214bd78ff026da96be5e3_cobalt-strike_cobaltstrike.exe C:\Windows\System\LpfcxJZ.exe
PID 3672 wrote to memory of 2056 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_9f176d5050a214bd78ff026da96be5e3_cobalt-strike_cobaltstrike.exe C:\Windows\System\LpfcxJZ.exe
PID 3672 wrote to memory of 3644 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_9f176d5050a214bd78ff026da96be5e3_cobalt-strike_cobaltstrike.exe C:\Windows\System\YEboFkx.exe
PID 3672 wrote to memory of 3644 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_9f176d5050a214bd78ff026da96be5e3_cobalt-strike_cobaltstrike.exe C:\Windows\System\YEboFkx.exe
PID 3672 wrote to memory of 4272 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_9f176d5050a214bd78ff026da96be5e3_cobalt-strike_cobaltstrike.exe C:\Windows\System\anQhADE.exe
PID 3672 wrote to memory of 4272 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_9f176d5050a214bd78ff026da96be5e3_cobalt-strike_cobaltstrike.exe C:\Windows\System\anQhADE.exe
PID 3672 wrote to memory of 4744 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_9f176d5050a214bd78ff026da96be5e3_cobalt-strike_cobaltstrike.exe C:\Windows\System\TViSjzh.exe
PID 3672 wrote to memory of 4744 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_9f176d5050a214bd78ff026da96be5e3_cobalt-strike_cobaltstrike.exe C:\Windows\System\TViSjzh.exe
PID 3672 wrote to memory of 408 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_9f176d5050a214bd78ff026da96be5e3_cobalt-strike_cobaltstrike.exe C:\Windows\System\XrdKsoo.exe
PID 3672 wrote to memory of 408 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_9f176d5050a214bd78ff026da96be5e3_cobalt-strike_cobaltstrike.exe C:\Windows\System\XrdKsoo.exe
PID 3672 wrote to memory of 2416 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_9f176d5050a214bd78ff026da96be5e3_cobalt-strike_cobaltstrike.exe C:\Windows\System\crygtgs.exe
PID 3672 wrote to memory of 2416 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_9f176d5050a214bd78ff026da96be5e3_cobalt-strike_cobaltstrike.exe C:\Windows\System\crygtgs.exe
PID 3672 wrote to memory of 3916 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_9f176d5050a214bd78ff026da96be5e3_cobalt-strike_cobaltstrike.exe C:\Windows\System\XhTBwEP.exe
PID 3672 wrote to memory of 3916 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_9f176d5050a214bd78ff026da96be5e3_cobalt-strike_cobaltstrike.exe C:\Windows\System\XhTBwEP.exe
PID 3672 wrote to memory of 2504 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_9f176d5050a214bd78ff026da96be5e3_cobalt-strike_cobaltstrike.exe C:\Windows\System\UPVxJBu.exe
PID 3672 wrote to memory of 2504 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_9f176d5050a214bd78ff026da96be5e3_cobalt-strike_cobaltstrike.exe C:\Windows\System\UPVxJBu.exe
PID 3672 wrote to memory of 2648 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_9f176d5050a214bd78ff026da96be5e3_cobalt-strike_cobaltstrike.exe C:\Windows\System\pNKfEkU.exe
PID 3672 wrote to memory of 2648 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_9f176d5050a214bd78ff026da96be5e3_cobalt-strike_cobaltstrike.exe C:\Windows\System\pNKfEkU.exe
PID 3672 wrote to memory of 2152 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_9f176d5050a214bd78ff026da96be5e3_cobalt-strike_cobaltstrike.exe C:\Windows\System\peQmdVk.exe
PID 3672 wrote to memory of 2152 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_9f176d5050a214bd78ff026da96be5e3_cobalt-strike_cobaltstrike.exe C:\Windows\System\peQmdVk.exe
PID 3672 wrote to memory of 3544 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_9f176d5050a214bd78ff026da96be5e3_cobalt-strike_cobaltstrike.exe C:\Windows\System\iWglrnh.exe
PID 3672 wrote to memory of 3544 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_9f176d5050a214bd78ff026da96be5e3_cobalt-strike_cobaltstrike.exe C:\Windows\System\iWglrnh.exe
PID 3672 wrote to memory of 1992 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_9f176d5050a214bd78ff026da96be5e3_cobalt-strike_cobaltstrike.exe C:\Windows\System\cwXmtVN.exe
PID 3672 wrote to memory of 1992 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_9f176d5050a214bd78ff026da96be5e3_cobalt-strike_cobaltstrike.exe C:\Windows\System\cwXmtVN.exe
PID 3672 wrote to memory of 3236 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_9f176d5050a214bd78ff026da96be5e3_cobalt-strike_cobaltstrike.exe C:\Windows\System\qEdLikS.exe
PID 3672 wrote to memory of 3236 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_9f176d5050a214bd78ff026da96be5e3_cobalt-strike_cobaltstrike.exe C:\Windows\System\qEdLikS.exe
PID 3672 wrote to memory of 2984 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_9f176d5050a214bd78ff026da96be5e3_cobalt-strike_cobaltstrike.exe C:\Windows\System\yCLwzFU.exe
PID 3672 wrote to memory of 2984 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_9f176d5050a214bd78ff026da96be5e3_cobalt-strike_cobaltstrike.exe C:\Windows\System\yCLwzFU.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-10_9f176d5050a214bd78ff026da96be5e3_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-10_9f176d5050a214bd78ff026da96be5e3_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\TlALFKQ.exe

C:\Windows\System\TlALFKQ.exe

C:\Windows\System\REKwFnY.exe

C:\Windows\System\REKwFnY.exe

C:\Windows\System\UJubOTj.exe

C:\Windows\System\UJubOTj.exe

C:\Windows\System\YLBCZiv.exe

C:\Windows\System\YLBCZiv.exe

C:\Windows\System\zFJRhcI.exe

C:\Windows\System\zFJRhcI.exe

C:\Windows\System\wmphibY.exe

C:\Windows\System\wmphibY.exe

C:\Windows\System\SbgSoBh.exe

C:\Windows\System\SbgSoBh.exe

C:\Windows\System\LpfcxJZ.exe

C:\Windows\System\LpfcxJZ.exe

C:\Windows\System\YEboFkx.exe

C:\Windows\System\YEboFkx.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=1288,i,11746347647270949551,7786733067759450703,262144 --variations-seed-version --mojo-platform-channel-handle=4028 /prefetch:8

C:\Windows\System\anQhADE.exe

C:\Windows\System\anQhADE.exe

C:\Windows\System\TViSjzh.exe

C:\Windows\System\TViSjzh.exe

C:\Windows\System\XrdKsoo.exe

C:\Windows\System\XrdKsoo.exe

C:\Windows\System\crygtgs.exe

C:\Windows\System\crygtgs.exe

C:\Windows\System\XhTBwEP.exe

C:\Windows\System\XhTBwEP.exe

C:\Windows\System\UPVxJBu.exe

C:\Windows\System\UPVxJBu.exe

C:\Windows\System\pNKfEkU.exe

C:\Windows\System\pNKfEkU.exe

C:\Windows\System\peQmdVk.exe

C:\Windows\System\peQmdVk.exe

C:\Windows\System\iWglrnh.exe

C:\Windows\System\iWglrnh.exe

C:\Windows\System\cwXmtVN.exe

C:\Windows\System\cwXmtVN.exe

C:\Windows\System\qEdLikS.exe

C:\Windows\System\qEdLikS.exe

C:\Windows\System\yCLwzFU.exe

C:\Windows\System\yCLwzFU.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 8.179.89.13.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp

Files

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-10 01:15

Reported

2024-06-10 01:18

Platform

win7-20240215-en

Max time kernel

134s

Max time network

144s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-10_9f176d5050a214bd78ff026da96be5e3_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

UPX dump on OEP (original entry point)

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
(56 identical rows; no description, indicator, process or target was recorded for any hit)

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_9f176d5050a214bd78ff026da96be5e3_cobalt-strike_cobaltstrike.exe N/A
(21 identical rows; the loading process is the sample itself in every case and no DLL name was recorded)

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
(54 identical rows; no description, indicator, process or target was recorded for any hit)

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\kmXwBVu.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_9f176d5050a214bd78ff026da96be5e3_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\QMlZjfQ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_9f176d5050a214bd78ff026da96be5e3_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\yNtyEeX.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_9f176d5050a214bd78ff026da96be5e3_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\umiIquy.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_9f176d5050a214bd78ff026da96be5e3_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\XrudYYP.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_9f176d5050a214bd78ff026da96be5e3_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ygWMEjf.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_9f176d5050a214bd78ff026da96be5e3_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\rLgFyUz.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_9f176d5050a214bd78ff026da96be5e3_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\PjSIxVU.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_9f176d5050a214bd78ff026da96be5e3_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\aTJkvxa.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_9f176d5050a214bd78ff026da96be5e3_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\eKIKLgj.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_9f176d5050a214bd78ff026da96be5e3_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\XJhXiZO.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_9f176d5050a214bd78ff026da96be5e3_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\fdXeTyO.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_9f176d5050a214bd78ff026da96be5e3_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\MbNDprI.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_9f176d5050a214bd78ff026da96be5e3_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\bPEKjre.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_9f176d5050a214bd78ff026da96be5e3_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\IdxLmXR.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_9f176d5050a214bd78ff026da96be5e3_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\NQEscJn.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_9f176d5050a214bd78ff026da96be5e3_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\KikRgyd.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_9f176d5050a214bd78ff026da96be5e3_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\LvXbqUT.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_9f176d5050a214bd78ff026da96be5e3_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\UjjKtsB.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_9f176d5050a214bd78ff026da96be5e3_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\bpWcBRr.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_9f176d5050a214bd78ff026da96be5e3_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\SXIskue.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_9f176d5050a214bd78ff026da96be5e3_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_9f176d5050a214bd78ff026da96be5e3_cobalt-strike_cobaltstrike.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_9f176d5050a214bd78ff026da96be5e3_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2740 wrote to memory of 2204 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_9f176d5050a214bd78ff026da96be5e3_cobalt-strike_cobaltstrike.exe C:\Windows\System\NQEscJn.exe
PID 2740 wrote to memory of 2944 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_9f176d5050a214bd78ff026da96be5e3_cobalt-strike_cobaltstrike.exe C:\Windows\System\kmXwBVu.exe
PID 2740 wrote to memory of 2996 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_9f176d5050a214bd78ff026da96be5e3_cobalt-strike_cobaltstrike.exe C:\Windows\System\KikRgyd.exe
PID 2740 wrote to memory of 2664 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_9f176d5050a214bd78ff026da96be5e3_cobalt-strike_cobaltstrike.exe C:\Windows\System\QMlZjfQ.exe
PID 2740 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_9f176d5050a214bd78ff026da96be5e3_cobalt-strike_cobaltstrike.exe C:\Windows\System\LvXbqUT.exe
PID 2740 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_9f176d5050a214bd78ff026da96be5e3_cobalt-strike_cobaltstrike.exe C:\Windows\System\rLgFyUz.exe
PID 2740 wrote to memory of 2728 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_9f176d5050a214bd78ff026da96be5e3_cobalt-strike_cobaltstrike.exe C:\Windows\System\yNtyEeX.exe
PID 2740 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_9f176d5050a214bd78ff026da96be5e3_cobalt-strike_cobaltstrike.exe C:\Windows\System\aTJkvxa.exe
PID 2740 wrote to memory of 2564 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_9f176d5050a214bd78ff026da96be5e3_cobalt-strike_cobaltstrike.exe C:\Windows\System\UjjKtsB.exe
PID 2740 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_9f176d5050a214bd78ff026da96be5e3_cobalt-strike_cobaltstrike.exe C:\Windows\System\umiIquy.exe
PID 2740 wrote to memory of 2920 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_9f176d5050a214bd78ff026da96be5e3_cobalt-strike_cobaltstrike.exe C:\Windows\System\bpWcBRr.exe
PID 2740 wrote to memory of 2172 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_9f176d5050a214bd78ff026da96be5e3_cobalt-strike_cobaltstrike.exe C:\Windows\System\XrudYYP.exe
PID 2740 wrote to memory of 872 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_9f176d5050a214bd78ff026da96be5e3_cobalt-strike_cobaltstrike.exe C:\Windows\System\PjSIxVU.exe
PID 2740 wrote to memory of 2412 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_9f176d5050a214bd78ff026da96be5e3_cobalt-strike_cobaltstrike.exe C:\Windows\System\SXIskue.exe
PID 2740 wrote to memory of 1288 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_9f176d5050a214bd78ff026da96be5e3_cobalt-strike_cobaltstrike.exe C:\Windows\System\eKIKLgj.exe
PID 2740 wrote to memory of 2024 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_9f176d5050a214bd78ff026da96be5e3_cobalt-strike_cobaltstrike.exe C:\Windows\System\XJhXiZO.exe
PID 2740 wrote to memory of 1816 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_9f176d5050a214bd78ff026da96be5e3_cobalt-strike_cobaltstrike.exe C:\Windows\System\IdxLmXR.exe
PID 2740 wrote to memory of 2028 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_9f176d5050a214bd78ff026da96be5e3_cobalt-strike_cobaltstrike.exe C:\Windows\System\fdXeTyO.exe
PID 2740 wrote to memory of 308 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_9f176d5050a214bd78ff026da96be5e3_cobalt-strike_cobaltstrike.exe C:\Windows\System\ygWMEjf.exe
PID 2740 wrote to memory of 2380 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_9f176d5050a214bd78ff026da96be5e3_cobalt-strike_cobaltstrike.exe C:\Windows\System\MbNDprI.exe
PID 2740 wrote to memory of 1632 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_9f176d5050a214bd78ff026da96be5e3_cobalt-strike_cobaltstrike.exe C:\Windows\System\bPEKjre.exe
(each of the 21 rows above was recorded three times, 63 rows in total; all 21 targets are the executables listed under "Drops file in Windows directory")

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-10_9f176d5050a214bd78ff026da96be5e3_cobalt-strike_cobaltstrike.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\2024-06-10_9f176d5050a214bd78ff026da96be5e3_cobalt-strike_cobaltstrike.exe"

Dropped executables (the command line is the image path in each case):

C:\Windows\System\NQEscJn.exe
C:\Windows\System\kmXwBVu.exe
C:\Windows\System\KikRgyd.exe
C:\Windows\System\QMlZjfQ.exe
C:\Windows\System\LvXbqUT.exe
C:\Windows\System\rLgFyUz.exe
C:\Windows\System\yNtyEeX.exe
C:\Windows\System\aTJkvxa.exe
C:\Windows\System\UjjKtsB.exe
C:\Windows\System\umiIquy.exe
C:\Windows\System\bpWcBRr.exe
C:\Windows\System\XrudYYP.exe
C:\Windows\System\PjSIxVU.exe
C:\Windows\System\SXIskue.exe
C:\Windows\System\eKIKLgj.exe
C:\Windows\System\XJhXiZO.exe
C:\Windows\System\IdxLmXR.exe
C:\Windows\System\fdXeTyO.exe
C:\Windows\System\ygWMEjf.exe
C:\Windows\System\MbNDprI.exe
C:\Windows\System\bPEKjre.exe
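The behaviour recorded in the three tables above and in this process list is a compact hunting pattern: a binary running from the user's Temp directory writes 21 executables with random seven-letter names into C:\Windows\System (a legacy directory that legitimate installers leave alone) and starts every one of them. The SeLockMemoryPrivilege rows fit the miner tag: XMRig requests that privilege to back RandomX with large pages. The script below is an added example, not part of the sandbox report or its tooling. It replays the parent/child relationships from the report as constructed process-creation events and flags the launcher; the field names (pid, ppid, image) are this example's own rather than a Sysmon or EDR schema, and PIDs 1234 and 4000 are made up for contrast.

```python
"""Hunting logic for the dropper/launcher pattern recorded above.

Added example, not part of the sandbox report or its tooling. Replays the
parent/child relationships from the "Suspicious use of WriteProcessMemory"
table and the "Processes" list as constructed process-creation events and
flags a parent that launches several executables with random seven-letter
names from C:\\Windows\\System. Field names (pid, ppid, image) are this
example's own, not a Sysmon or EDR schema; PIDs 1234 and 4000 are made up.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# Every file the sample dropped matches C:\Windows\System\<7 letters>.exe.
RANDOM_SYSTEM_EXE = re.compile(r"^C:\\Windows\\System\\[A-Za-z]{7}\.exe$", re.IGNORECASE)
# The launcher itself ran from the user's Local\Temp directory.
USER_TEMP = re.compile(r"^C:\\Users\\[^\\]+\\AppData\\Local\\Temp\\", re.IGNORECASE)


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str


# Constructed sample: PID 2740 and five of the 21 children it wrote to, taken
# from the report, plus a benign process (constructed) that must not match.
SAMPLE_EVENTS = [
    ProcEvent(2740, 1234, r"C:\Users\Admin\AppData\Local\Temp\2024-06-10_9f176d5050a214bd78ff026da96be5e3_cobalt-strike_cobaltstrike.exe"),
    ProcEvent(2204, 2740, r"C:\Windows\System\NQEscJn.exe"),
    ProcEvent(2944, 2740, r"C:\Windows\System\kmXwBVu.exe"),
    ProcEvent(2996, 2740, r"C:\Windows\System\KikRgyd.exe"),
    ProcEvent(2664, 2740, r"C:\Windows\System\QMlZjfQ.exe"),
    ProcEvent(2692, 2740, r"C:\Windows\System\LvXbqUT.exe"),
    ProcEvent(4000, 1234, r"C:\Windows\System32\notepad.exe"),
]


def children_by_parent(events):
    """Group events by parent PID."""
    tree = defaultdict(list)
    for ev in events:
        tree[ev.ppid].append(ev)
    return tree


def find_launchers(events, min_children=3):
    """Return {parent_pid: [child image, ...]} for every parent that started
    at least `min_children` processes matching RANDOM_SYSTEM_EXE."""
    hits = {}
    for ppid, kids in children_by_parent(events).items():
        matched = [k.image for k in kids if RANDOM_SYSTEM_EXE.match(k.image)]
        if len(matched) >= min_children:
            hits[ppid] = matched
    return hits


def runs_from_user_temp(events, pid):
    """True when the image of `pid` lives under a user's Local\\Temp."""
    return any(ev.pid == pid and USER_TEMP.match(ev.image) for ev in events)


def triage(events):
    """One-line verdict per flagged parent, ready to paste into a case note."""
    lines = []
    for ppid, images in find_launchers(events).items():
        origin = "user Temp" if runs_from_user_temp(events, ppid) else "other path"
        lines.append(f"PID {ppid} ({origin}) launched {len(images)} random-named "
                     f"executables from C:\\Windows\\System")
    return lines


if __name__ == "__main__":
    for line in triage(SAMPLE_EVENTS):
        print(line)
```

The threshold of three children keeps a single odd installer from paging anyone; the full detonation would score 21. The System32 path in the constructed benign event is there to show that the pattern is anchored on C:\Windows\System itself, not on System32.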

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 tcp
(6 identical entries; the Domain column is empty in each)

Files

memory/2740-0-0x000000013FAE0000-0x000000013FE34000-memory.dmp

memory/2740-1-0x00000000001F0000-0x0000000000200000-memory.dmp

\Windows\system\NQEscJn.exe

MD5 80ea5efb81dd4e0050dfd8d85509ad85
SHA1 e49d09913369b691f10ab8d28527011f4da256a6
SHA256 fd8c3779c5c92160a71235a7043d26870ac84d8f50b977ab5c80870cd4230d5c
SHA512 851acf59ce1e767eba8e513f9bebcf1af45a869cec2667f0be0cae8123713189388f97ebe7756c3d451c600956c18a71a3946012bd56cea386f31860ee7eec63

\Windows\system\kmXwBVu.exe

MD5 09c00138f8f9c1be9ccdf16cea9a3d5a
SHA1 1fb345fef5f5876beb24fb1a585bdc87a35556cb
SHA256 1c9d07f55a6abdfd82856e1b5fb9e369f8ea58d6f81716a14c9c02baa1debaf7
SHA512 e57abbe3ca95cb047b4b8d8ed5429fabe09e07e43a8506cf9063598fbc1ad3790e47f0e7ba764531168a8a8be17fed99c87dd830f594d978c1f4cb8431f3a31e

memory/2204-14-0x000000013F360000-0x000000013F6B4000-memory.dmp

\Windows\system\QMlZjfQ.exe

MD5 f56acf89a525f4356cf9dde56340cc30
SHA1 fad8cf94e8901de955d1bb2a1b066065134ff967
SHA256 f96986241839215a01d68d9f37d09949e49a9b26c32207adb9853a732d107015
SHA512 263a059fe544f0975a1a3bc12dcd0dd3a6ff25f8371b7b3ce7c57fa693fd21b615fc8af5a488a34badcf9fb67cb6adea217c000551110761c8c15c3ffc474ef3

C:\Windows\system\rLgFyUz.exe

MD5 c4a8b3cf306a2ad94a7d9729f6eb3a24
SHA1 b62cc89f2ec3ebd4967e6a5a6d722ad44970e742
SHA256 23dc67e1437b7776e6aa628a1eb4b7fa68675ef1ea6b630002585edbca2ee1ca
SHA512 758ce3de4f9d8371abecf247235eed943b4388eb88e9ec512c0a6d5a5f3bab8a8cfe1e74187a67588db382391ef7ff9b3d419e96ea1cffa2242154abe55b84df

C:\Windows\system\yNtyEeX.exe

MD5 de3dc48a350b186eaa687e06ecdd23d1
SHA1 036b2f3f66e300e4709d7040359d9dbd1af09f1d
SHA256 348f5cfae5fdbb514504657752a3596f247cef2a8c3ddee483e040d5916a8be1
SHA512 962903551e34a50a5adfc49c50b6c5fb0f2f9632f5ddc06436403ad59ac52a77c17df191fab1124a6621f7837da25a4cc2fde45c4de710f8a53e04f9a4492d78

memory/2740-54-0x000000013F130000-0x000000013F484000-memory.dmp

memory/2728-56-0x000000013F130000-0x000000013F484000-memory.dmp

memory/2740-55-0x000000013FF20000-0x0000000140274000-memory.dmp

memory/2720-53-0x000000013FF20000-0x0000000140274000-memory.dmp

memory/2576-51-0x000000013FB80000-0x000000013FED4000-memory.dmp

C:\Windows\system\aTJkvxa.exe

MD5 b7861634cf08d4c7130d568ad7ce315e
SHA1 38bd4fa3ff3b7400483b08f604e169c9a84eede1
SHA256 ec86f047aec630f541eedf003068d128aa352bf2e715f0b122e05a56d7e912d5
SHA512 aa5f3b28e25ff27755bd8fc54a21a0a4942c258c9bcee540941a245141fbb4053e4189d0fd0e4f4f0950d6f09a38e7df7990b24d7217aa3d86406a4004172451

memory/2740-47-0x00000000022C0000-0x0000000002614000-memory.dmp

memory/2692-45-0x000000013FB20000-0x000000013FE74000-memory.dmp

memory/2740-42-0x00000000022C0000-0x0000000002614000-memory.dmp

memory/2996-39-0x000000013F5A0000-0x000000013F8F4000-memory.dmp

memory/2564-63-0x000000013F310000-0x000000013F664000-memory.dmp

memory/2492-70-0x000000013F420000-0x000000013F774000-memory.dmp

memory/2740-69-0x000000013F420000-0x000000013F774000-memory.dmp

memory/2740-62-0x000000013F310000-0x000000013F664000-memory.dmp

C:\Windows\system\umiIquy.exe

MD5 e010bc225c69d070a0782ebcc7ae90e2
SHA1 e82502b2ff39d34d1b83065836ff02ccb850561d
SHA256 05ebe47c90c76761a79ca478d4d9ddd3e39b4869c1162b09f3cf8f09201346ae
SHA512 8cb89c7ac1bfbb47ca8028c6181427d70884d47155a2d496ad8fb01224e406ff2949ddc89da9de052260db6ec112d685256e17196523c54f243f2ab80686afd2

C:\Windows\system\UjjKtsB.exe

MD5 fb548018d6f90baaa855ab8db5ae31ab
SHA1 ad889150b8d22957642ed8912a930a677dcf2d6d
SHA256 ba2a48a053aa0e5493789c7af4e1cfad80569a568e279e3f479f33d89f4e546b
SHA512 b280b48972ff9338c1607b5919cdb1ce7c72b8596f1eeb08036ee6d90a200bc8e15bed95a189d518c9d7dd069ca07e36298b6be048b87a8f36b89d0fd72395ef

memory/2664-35-0x000000013F4A0000-0x000000013F7F4000-memory.dmp

memory/2740-29-0x000000013F4A0000-0x000000013F7F4000-memory.dmp

C:\Windows\system\LvXbqUT.exe

MD5 4d35b828b344d53732360805e666abf2
SHA1 e675bfe2ba25418b771595ff4634e77bc8da0746
SHA256 a445a226ae799e7a260bde7d0d602d77c30038ac0ef8d74b7f8d6b3541e20ba4
SHA512 94a8586ccba3b438dec3620c33dc29e3b053593ff036a4ada7ff25d99e3b95e9fba00433c633cc048cb10bc66cb08dbd848250757380856f60349dba218c3141

\Windows\system\LvXbqUT.exe

MD5 c83a72fd32d1ea03c4c25e0b40a06534
SHA1 de2f9cae4aaddd2cc18d23899ecdd1c809f91cc1
SHA256 c7c33166fb7303a687223dfb582067f939bce709fca5c41b819da2f4a6dcb359
SHA512 01b6c66abfddb5df6a71e9a20ac803480a15bd6d8e038d46a607a93dd9ea600234a78f6bd587ad7d5b0616a8419e74ad1e4f1e4566d73f0ec035b67591e1923c

C:\Windows\system\KikRgyd.exe

MD5 5efc59a8876fe86ed1f6efb6c54446ab
SHA1 8b47295d9262ffb5265b42e1fb8efd70e8d99dcf
SHA256 20f29904c73671ce2ed560930a0906e2fe16b2710542db21373c6bcdd9e0f31a
SHA512 6ec0b8d764617e6f50d3e08f36988ad1d7e30254e227c2ffa70b1a27a8a844a207c5b2d15397c0e1caa803e384f089dc67a4004d400a96301ec82f277a292b27

C:\Windows\system\bpWcBRr.exe

MD5 77654ed0c5dd15716578a044cee07111
SHA1 c1663c9ae775bdc2887fbbcb5682bf9fd13c6ed7
SHA256 6c513bb182041fe6dffceb28486068e1f4a77f9291e73863051b50fa2f439889
SHA512 9cf5d69deb9fd5102d47893dee35b09afc07bcab78b6f5bcc059ad55ed0b4afa2fe28c54d54581cf872937d5b5d91b0cfea8dfe58ade3fad3eb508a2a3c1993e

memory/2920-75-0x000000013F110000-0x000000013F464000-memory.dmp

memory/2740-74-0x000000013F110000-0x000000013F464000-memory.dmp

\Windows\system\bpWcBRr.exe

MD5 7ca4c7d08ec840a69d3101c638d4b72f
SHA1 9a0bd3c709f755b63121fadc936f446aec1e7ee6
SHA256 ad375c6a067690acfdb9ba070a3a7e26450ca7423af526c703ce192d7173f7e7
SHA512 93ae69558c6397f1d10b68fc7e156b1c23dffe4348c43264d4d2484e88db3346ef1d13b6b607cc291558edc2cbc35a0667021d52c5cf7e17eeb41ed495e23c3b

\Windows\system\XrudYYP.exe

MD5 2c29c56557704a5af675ac862b6acadc
SHA1 8095e9a472d534a6ef5dc3ab384273149ae12d48
SHA256 ad78076137bb51fd4326f7a646d70c5d984effb3c1176184b92e2481afe8ee9d
SHA512 f76c7cafe7089612bd2c5136e03dfbe423618b3b68e64692820e5dfa2eb3d816fbca1bfa4bd5be14823ba5172f77c777b526463c4d46646574bc76ae1535f049

C:\Windows\system\IdxLmXR.exe

MD5 17784aebda31d4b1af643ad82655e04c
SHA1 8e40f62ca1b969b7f281da7bd4cfe14f96fd0f86
SHA256 6e388db819e338ea68574dd4f011f9d8a94587466c4dfb804ee04ec5f47f01d5
SHA512 e3fddaea080507a7ae397e2492a3fac17966b30182dc8da0e654bf48feca61906f3935d6213d3efc5fdc1e04be81c515fa3445e53484a87bff283eddbd423fd4

\Windows\system\bPEKjre.exe

MD5 ef3c248dc879ef2d14b07311fa6abf92
SHA1 8e6c5779d6fef4cb7ba126f74c3e8b699b22318b
SHA256 24a011fcd2bf19fef94a57c530e00bfbb621832988e0b52f372ec8bdd1f1e4e9
SHA512 0baa6907ee48f8e42846a52ea52baff05c71751aeb437fa9501626cf0dddfd289005bc9ecc1c7ee9aa7f6ebbb2d450fd150bccba8e641bc9f26a2bc83fc819d2

C:\Windows\system\MbNDprI.exe

MD5 529055656518e6da6c6270633c6f9de1
SHA1 5682551738927068d1be79a158661fa0769fd781
SHA256 16165851b82fa17d0ce715293dada4689488cd8ce71ad35fedb4e94ebefcbc48
SHA512 71dc4bd0b3ac58817685e88cc87e60f086066d52499862121a6334122313eafe703dfa98024fb8ee395399f79a53447bd167f3a70d2367c166c3f4b6ccdccd6f

C:\Windows\system\ygWMEjf.exe

MD5 33b6801c3b2b2e2e73d676693617ac21
SHA1 3a9b0a20ef3d0ca2f1093bc6500cdbd6a3b9ab9a
SHA256 3a48e8fca108daa50b01b48a2190c43ff6547b717ed7384c82c37b047525ccc9
SHA512 975c5f8d11eeffe350a0aef35955a89dbba16d4c8626b8b83bcb5fb26c791482a4a42c51bce37b8fb16a2664031bf1651e854d87e4d3ddbd69ff5bb0bf80672b

memory/2740-116-0x000000013FAE0000-0x000000013FE34000-memory.dmp

memory/872-113-0x000000013F3E0000-0x000000013F734000-memory.dmp

C:\Windows\system\eKIKLgj.exe

MD5 0255e7f06d781b3a8c1df6c5f8b73384
SHA1 1613b26f2732ace813791a2ae88e263ca1b3e498
SHA256 b3e08b0cec974ceaa28fd0f5d87b34d482f3a12f9e16839d1dd9e5130400a998
SHA512 b5d6507ba4f644fc8f07163b5374902d741d5c05bd17d3fbe997cf95ba7ba8fa5a35983f1e497729e12d8d5c7031d6e0fccb06370161d35fb495e8e45963986c

memory/2740-110-0x000000013F3E0000-0x000000013F734000-memory.dmp

memory/2172-104-0x000000013FE70000-0x00000001401C4000-memory.dmp

C:\Windows\system\fdXeTyO.exe

MD5 f57e8218a9872898557a5aadd6297582
SHA1 09ff2cc5d94b0b0aaadc74bed2832d8c8187b97e
SHA256 4cd7c8f3daf75e0f044318bc6eb9145bd3212a4a89529734762273a452493f55
SHA512 a03bb8dfd2dc3977f6bb6ddc2767946409439e916df9c89570d594cc62cb9516818fbfdb91cd67374ceaa70dc40c79935aea369eeacbb4b6cea381d7ed81f547

C:\Windows\system\XJhXiZO.exe

MD5 9392e1304936a67bcc155188e54c8653
SHA1 069a81747cb838e1a53e07bc8e53b16c30d6bf18
SHA256 4124b6efc5b90216bc1e55dcfc6496e87fd1ba85fed0065a8a04164e3c58b06d
SHA512 683fad87d797169c2567666b00dcfe4d28f7c1d8e1195fb3cfa5f25ae2c841cd1305bb43b782caedc92c6e3c7f0201b6bd6a55b906a809a6e7b3794cc2e0ecd0

C:\Windows\system\SXIskue.exe

MD5 2d990043cd67cc5a51d68104541b0a84
SHA1 30811c74961535cc434cb75662c0fc99f98adffe
SHA256 f566b3d8461775fff4e67f9deb2cb02ad1c12a2f3d09782c846b1cd931935517
SHA512 5475da8534d26baf171115deb97e3c2527c78e97d34a1c044150680ab1b038a8a3587e56b4922f63c5758298b8f112fa53fcf09a67d845a3d5c7d5f82d773678

C:\Windows\system\PjSIxVU.exe

MD5 d5999667da5b48b31a6c3cb5f4f1b6be
SHA1 762ccbe88e9bea54bcf2a4d5dab377aafba10e13
SHA256 bc9b99c71649e034a467409af979870634116f44327599d22349896912dc3ca9
SHA512 75d7a1a5523aae2c370a051f717c2e940c2a9e27c751d8d8cee7cfdbd0c997414296fd60d051f01c4f675adf716d7770cfc8eacde2d596f26fe85e199ea27a0b

C:\Windows\system\XrudYYP.exe

MD5 0465a0e52d4df6a5e893b79eb835e8b3
SHA1 241be985926ec2b8fb8644686f3e02f2a9f6dd33
SHA256 28e9b7f35e381e6d092840b27338cd1b6255b7cf8940459d5fb82e220e792c9b
SHA512 ec3c48887603354c7b10ab01a630afec1fa2776ebf9c32f9ad757f475ef92069384e8327d89631e5da80b56b54e4b2cb45acad58dec4956e20813b07420a9019

memory/2944-17-0x000000013F840000-0x000000013FB94000-memory.dmp

memory/2740-11-0x000000013F360000-0x000000013F6B4000-memory.dmp

memory/2664-132-0x000000013F4A0000-0x000000013F7F4000-memory.dmp

memory/2740-131-0x00000000022C0000-0x0000000002614000-memory.dmp

memory/2920-133-0x000000013F110000-0x000000013F464000-memory.dmp

memory/2204-134-0x000000013F360000-0x000000013F6B4000-memory.dmp

memory/2944-135-0x000000013F840000-0x000000013FB94000-memory.dmp

memory/2996-136-0x000000013F5A0000-0x000000013F8F4000-memory.dmp

memory/2664-137-0x000000013F4A0000-0x000000013F7F4000-memory.dmp

memory/2692-138-0x000000013FB20000-0x000000013FE74000-memory.dmp

memory/2576-139-0x000000013FB80000-0x000000013FED4000-memory.dmp

memory/2720-140-0x000000013FF20000-0x0000000140274000-memory.dmp

memory/2728-141-0x000000013F130000-0x000000013F484000-memory.dmp

memory/2564-142-0x000000013F310000-0x000000013F664000-memory.dmp

memory/2492-143-0x000000013F420000-0x000000013F774000-memory.dmp

memory/2920-144-0x000000013F110000-0x000000013F464000-memory.dmp

memory/2172-145-0x000000013FE70000-0x00000001401C4000-memory.dmp

memory/872-146-0x000000013F3E0000-0x000000013F734000-memory.dmp
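The Files listing above interleaves dropped-file hash records with memory-dump entries of the form memory/<pid>-<n>-<start>-<end>-memory.dmp, and two details are easy to miss while scrolling: LvXbqUT.exe, bpWcBRr.exe and XrudYYP.exe each appear twice with different hashes, and the region dumped from each child is 0x354000 bytes. The parser below is an added example, not part of the report or the sandbox's tooling. It reads a constructed excerpt of the listing (values copied from the report) into hash records and dump regions, lists the paths recorded with conflicting SHA256 values, and computes region sizes; the path normalisation (drop the drive letter, fold case) is this example's own choice.

```python
"""IOC extraction from the "Files" listing of this report.

Added example, not part of the report or of the sandbox's tooling. Parses a
constructed excerpt of the listing above (path line followed by MD5/SHA1/
SHA256/SHA512 lines, and memory/<pid>-<n>-<start>-<end>-memory.dmp entries)
into hash records and dump regions, then surfaces a dropped path recorded
with two different SHA256 values and the size of each dumped region. The
excerpt's values are copied from the report; the path normalisation is this
example's own choice.
"""
import re
from collections import defaultdict

HASH_LINE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-f]+)$")
DUMP_LINE = re.compile(
    r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")

# Constructed excerpt of the listing above: one dump of the parent (PID 2740),
# three dropped-file records (LvXbqUT.exe twice, with different hashes) and
# one dump of child PID 2692, which ran LvXbqUT.exe.
SAMPLE_LISTING = r"""
memory/2740-0-0x000000013FAE0000-0x000000013FE34000-memory.dmp

\Windows\system\NQEscJn.exe

MD5 80ea5efb81dd4e0050dfd8d85509ad85
SHA1 e49d09913369b691f10ab8d28527011f4da256a6
SHA256 fd8c3779c5c92160a71235a7043d26870ac84d8f50b977ab5c80870cd4230d5c
SHA512 851acf59ce1e767eba8e513f9bebcf1af45a869cec2667f0be0cae8123713189388f97ebe7756c3d451c600956c18a71a3946012bd56cea386f31860ee7eec63

C:\Windows\system\LvXbqUT.exe

MD5 4d35b828b344d53732360805e666abf2
SHA1 e675bfe2ba25418b771595ff4634e77bc8da0746
SHA256 a445a226ae799e7a260bde7d0d602d77c30038ac0ef8d74b7f8d6b3541e20ba4
SHA512 94a8586ccba3b438dec3620c33dc29e3b053593ff036a4ada7ff25d99e3b95e9fba00433c633cc048cb10bc66cb08dbd848250757380856f60349dba218c3141

\Windows\system\LvXbqUT.exe

MD5 c83a72fd32d1ea03c4c25e0b40a06534
SHA1 de2f9cae4aaddd2cc18d23899ecdd1c809f91cc1
SHA256 c7c33166fb7303a687223dfb582067f939bce709fca5c41b819da2f4a6dcb359
SHA512 01b6c66abfddb5df6a71e9a20ac803480a15bd6d8e038d46a607a93dd9ea600234a78f6bd587ad7d5b0616a8419e74ad1e4f1e4566d73f0ec035b67591e1923c

memory/2692-45-0x000000013FB20000-0x000000013FE74000-memory.dmp
"""


def normalise_path(path):
    """Drop the drive letter and fold case so 'C:\\Windows\\system\\X.exe' and
    '\\Windows\\system\\X.exe' compare equal (Windows paths are case-insensitive)."""
    return re.sub(r"^[A-Za-z]:", "", path).lower()


def parse_listing(text):
    """Return (files, dumps): files is a list of (normalised path, {algo: digest}),
    dumps a list of (pid, index, start, end) with addresses as ints."""
    files, dumps, current = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = DUMP_LINE.match(line)
        if m:
            pid, idx, start, end = m.groups()
            dumps.append((int(pid), int(idx), int(start, 16), int(end, 16)))
            current = None
            continue
        m = HASH_LINE.match(line)
        if m and current is not None:
            current[1][m.group(1)] = m.group(2)
            continue
        current = (normalise_path(line), {})   # any other line starts a file record
        files.append(current)
    return files, dumps


def conflicting_hashes(files):
    """Paths that the listing records with more than one distinct SHA256."""
    seen = defaultdict(set)
    for path, hashes in files:
        if "SHA256" in hashes:
            seen[path].add(hashes["SHA256"])
    return {p: s for p, s in seen.items() if len(s) > 1}


def region_sizes(dumps):
    """Size in bytes of each dumped region, keyed by (pid, index)."""
    return {(pid, idx): end - start for pid, idx, start, end in dumps}


def sha256_iocs(files):
    """Sorted, de-duplicated SHA256 list for a blocklist or retro-hunt."""
    return sorted({h["SHA256"] for _, h in files if "SHA256" in h})


if __name__ == "__main__":
    files, dumps = parse_listing(SAMPLE_LISTING)
    for path, digests in conflicting_hashes(files).items():
        print(f"{path}: {len(digests)} different SHA256 values")
    for key, size in region_sizes(dumps).items():
        print(f"PID {key[0]} dump {key[1]}: 0x{size:X} bytes")
```

A path that shows up with two hashes means two distinct files were written to the same name during the run, so a blocklist built from this report needs every SHA256 in the listing, not one per file name. Feeding the whole listing above through parse_listing would surface the same conflict for bpWcBRr.exe and XrudYYP.exe.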