Malware Analysis Report

2025-01-06 16:49

Sample ID 240527-werwsadb89
Target 2024-05-27_22d9fffe619827242ac149c810a173d5_cobalt-strike_cobaltstrike
SHA256 90afe90f27b1149d6b310fdb4d6576f0adae4db71bf7a4db09fd8857402cc9d4
Tags
cobaltstrike xmrig 0 backdoor miner trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

90afe90f27b1149d6b310fdb4d6576f0adae4db71bf7a4db09fd8857402cc9d4

Threat Level: Known bad

The file 2024-05-27_22d9fffe619827242ac149c810a173d5_cobalt-strike_cobaltstrike was found to be: Known bad.

Malicious Activity Summary

cobaltstrike xmrig 0 backdoor miner trojan upx

Detects Reflective DLL injection artifacts

UPX dump on OEP (original entry point)

XMRig Miner payload

Cobaltstrike family

Cobalt Strike reflective loader

xmrig

Xmrig family

Cobaltstrike

UPX packed file

Loads dropped DLL

Executes dropped EXE

Drops file in Windows directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-05-27 17:50

Signatures

Cobalt Strike reflective loader


Cobaltstrike family

cobaltstrike

Detects Reflective DLL injection artifacts


UPX dump on OEP (original entry point)


XMRig Miner payload

miner

Xmrig family

xmrig

UPX packed file

upx

Unsigned PE


Analysis: behavioral2

Detonation Overview

Submitted

2024-05-27 17:50

Reported

2024-05-27 17:53

Platform

win10v2004-20240426-en

Max time kernel

139s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-05-27_22d9fffe619827242ac149c810a173d5_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader


Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts


UPX dump on OEP (original entry point)


XMRig Miner payload

miner

UPX packed file

upx

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\WanRapI.exe C:\Users\Admin\AppData\Local\Temp\2024-05-27_22d9fffe619827242ac149c810a173d5_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\cVxagOT.exe C:\Users\Admin\AppData\Local\Temp\2024-05-27_22d9fffe619827242ac149c810a173d5_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\raOvBev.exe C:\Users\Admin\AppData\Local\Temp\2024-05-27_22d9fffe619827242ac149c810a173d5_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\IWkVJXe.exe C:\Users\Admin\AppData\Local\Temp\2024-05-27_22d9fffe619827242ac149c810a173d5_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\emYCNOO.exe C:\Users\Admin\AppData\Local\Temp\2024-05-27_22d9fffe619827242ac149c810a173d5_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\nYbmntG.exe C:\Users\Admin\AppData\Local\Temp\2024-05-27_22d9fffe619827242ac149c810a173d5_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\odgCNpa.exe C:\Users\Admin\AppData\Local\Temp\2024-05-27_22d9fffe619827242ac149c810a173d5_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\TiXHcgC.exe C:\Users\Admin\AppData\Local\Temp\2024-05-27_22d9fffe619827242ac149c810a173d5_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\vLiaSrd.exe C:\Users\Admin\AppData\Local\Temp\2024-05-27_22d9fffe619827242ac149c810a173d5_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\KpmoaJP.exe C:\Users\Admin\AppData\Local\Temp\2024-05-27_22d9fffe619827242ac149c810a173d5_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\AVliJju.exe C:\Users\Admin\AppData\Local\Temp\2024-05-27_22d9fffe619827242ac149c810a173d5_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\LvvWgSw.exe C:\Users\Admin\AppData\Local\Temp\2024-05-27_22d9fffe619827242ac149c810a173d5_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ymsifIU.exe C:\Users\Admin\AppData\Local\Temp\2024-05-27_22d9fffe619827242ac149c810a173d5_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\RALOkaH.exe C:\Users\Admin\AppData\Local\Temp\2024-05-27_22d9fffe619827242ac149c810a173d5_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\qmiRLaA.exe C:\Users\Admin\AppData\Local\Temp\2024-05-27_22d9fffe619827242ac149c810a173d5_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\xEhawcY.exe C:\Users\Admin\AppData\Local\Temp\2024-05-27_22d9fffe619827242ac149c810a173d5_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\mXxiaQk.exe C:\Users\Admin\AppData\Local\Temp\2024-05-27_22d9fffe619827242ac149c810a173d5_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\knVZYNm.exe C:\Users\Admin\AppData\Local\Temp\2024-05-27_22d9fffe619827242ac149c810a173d5_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\vpXhHbE.exe C:\Users\Admin\AppData\Local\Temp\2024-05-27_22d9fffe619827242ac149c810a173d5_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\uixCkSD.exe C:\Users\Admin\AppData\Local\Temp\2024-05-27_22d9fffe619827242ac149c810a173d5_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\epdWgUs.exe C:\Users\Admin\AppData\Local\Temp\2024-05-27_22d9fffe619827242ac149c810a173d5_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_22d9fffe619827242ac149c810a173d5_cobalt-strike_cobaltstrike.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_22d9fffe619827242ac149c810a173d5_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3400 wrote to memory of 4340 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_22d9fffe619827242ac149c810a173d5_cobalt-strike_cobaltstrike.exe C:\Windows\System\LvvWgSw.exe
PID 3400 wrote to memory of 4340 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_22d9fffe619827242ac149c810a173d5_cobalt-strike_cobaltstrike.exe C:\Windows\System\LvvWgSw.exe
PID 3400 wrote to memory of 4432 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_22d9fffe619827242ac149c810a173d5_cobalt-strike_cobaltstrike.exe C:\Windows\System\ymsifIU.exe
PID 3400 wrote to memory of 4432 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_22d9fffe619827242ac149c810a173d5_cobalt-strike_cobaltstrike.exe C:\Windows\System\ymsifIU.exe
PID 3400 wrote to memory of 4620 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_22d9fffe619827242ac149c810a173d5_cobalt-strike_cobaltstrike.exe C:\Windows\System\IWkVJXe.exe
PID 3400 wrote to memory of 4620 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_22d9fffe619827242ac149c810a173d5_cobalt-strike_cobaltstrike.exe C:\Windows\System\IWkVJXe.exe
PID 3400 wrote to memory of 1276 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_22d9fffe619827242ac149c810a173d5_cobalt-strike_cobaltstrike.exe C:\Windows\System\uixCkSD.exe
PID 3400 wrote to memory of 1276 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_22d9fffe619827242ac149c810a173d5_cobalt-strike_cobaltstrike.exe C:\Windows\System\uixCkSD.exe
PID 3400 wrote to memory of 3580 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_22d9fffe619827242ac149c810a173d5_cobalt-strike_cobaltstrike.exe C:\Windows\System\emYCNOO.exe
PID 3400 wrote to memory of 3580 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_22d9fffe619827242ac149c810a173d5_cobalt-strike_cobaltstrike.exe C:\Windows\System\emYCNOO.exe
PID 3400 wrote to memory of 3920 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_22d9fffe619827242ac149c810a173d5_cobalt-strike_cobaltstrike.exe C:\Windows\System\xEhawcY.exe
PID 3400 wrote to memory of 3920 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_22d9fffe619827242ac149c810a173d5_cobalt-strike_cobaltstrike.exe C:\Windows\System\xEhawcY.exe
PID 3400 wrote to memory of 4744 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_22d9fffe619827242ac149c810a173d5_cobalt-strike_cobaltstrike.exe C:\Windows\System\nYbmntG.exe
PID 3400 wrote to memory of 4744 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_22d9fffe619827242ac149c810a173d5_cobalt-strike_cobaltstrike.exe C:\Windows\System\nYbmntG.exe
PID 3400 wrote to memory of 4756 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_22d9fffe619827242ac149c810a173d5_cobalt-strike_cobaltstrike.exe C:\Windows\System\odgCNpa.exe
PID 3400 wrote to memory of 4756 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_22d9fffe619827242ac149c810a173d5_cobalt-strike_cobaltstrike.exe C:\Windows\System\odgCNpa.exe
PID 3400 wrote to memory of 4984 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_22d9fffe619827242ac149c810a173d5_cobalt-strike_cobaltstrike.exe C:\Windows\System\TiXHcgC.exe
PID 3400 wrote to memory of 4984 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_22d9fffe619827242ac149c810a173d5_cobalt-strike_cobaltstrike.exe C:\Windows\System\TiXHcgC.exe
PID 3400 wrote to memory of 2788 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_22d9fffe619827242ac149c810a173d5_cobalt-strike_cobaltstrike.exe C:\Windows\System\vLiaSrd.exe
PID 3400 wrote to memory of 2788 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_22d9fffe619827242ac149c810a173d5_cobalt-strike_cobaltstrike.exe C:\Windows\System\vLiaSrd.exe
PID 3400 wrote to memory of 5100 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_22d9fffe619827242ac149c810a173d5_cobalt-strike_cobaltstrike.exe C:\Windows\System\WanRapI.exe
PID 3400 wrote to memory of 5100 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_22d9fffe619827242ac149c810a173d5_cobalt-strike_cobaltstrike.exe C:\Windows\System\WanRapI.exe
PID 3400 wrote to memory of 3108 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_22d9fffe619827242ac149c810a173d5_cobalt-strike_cobaltstrike.exe C:\Windows\System\epdWgUs.exe
PID 3400 wrote to memory of 3108 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_22d9fffe619827242ac149c810a173d5_cobalt-strike_cobaltstrike.exe C:\Windows\System\epdWgUs.exe
PID 3400 wrote to memory of 4004 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_22d9fffe619827242ac149c810a173d5_cobalt-strike_cobaltstrike.exe C:\Windows\System\knVZYNm.exe
PID 3400 wrote to memory of 4004 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_22d9fffe619827242ac149c810a173d5_cobalt-strike_cobaltstrike.exe C:\Windows\System\knVZYNm.exe
PID 3400 wrote to memory of 4888 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_22d9fffe619827242ac149c810a173d5_cobalt-strike_cobaltstrike.exe C:\Windows\System\KpmoaJP.exe
PID 3400 wrote to memory of 4888 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_22d9fffe619827242ac149c810a173d5_cobalt-strike_cobaltstrike.exe C:\Windows\System\KpmoaJP.exe
PID 3400 wrote to memory of 1528 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_22d9fffe619827242ac149c810a173d5_cobalt-strike_cobaltstrike.exe C:\Windows\System\cVxagOT.exe
PID 3400 wrote to memory of 1528 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_22d9fffe619827242ac149c810a173d5_cobalt-strike_cobaltstrike.exe C:\Windows\System\cVxagOT.exe
PID 3400 wrote to memory of 548 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_22d9fffe619827242ac149c810a173d5_cobalt-strike_cobaltstrike.exe C:\Windows\System\AVliJju.exe
PID 3400 wrote to memory of 548 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_22d9fffe619827242ac149c810a173d5_cobalt-strike_cobaltstrike.exe C:\Windows\System\AVliJju.exe
PID 3400 wrote to memory of 2868 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_22d9fffe619827242ac149c810a173d5_cobalt-strike_cobaltstrike.exe C:\Windows\System\vpXhHbE.exe
PID 3400 wrote to memory of 2868 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_22d9fffe619827242ac149c810a173d5_cobalt-strike_cobaltstrike.exe C:\Windows\System\vpXhHbE.exe
PID 3400 wrote to memory of 5116 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_22d9fffe619827242ac149c810a173d5_cobalt-strike_cobaltstrike.exe C:\Windows\System\RALOkaH.exe
PID 3400 wrote to memory of 5116 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_22d9fffe619827242ac149c810a173d5_cobalt-strike_cobaltstrike.exe C:\Windows\System\RALOkaH.exe
PID 3400 wrote to memory of 560 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_22d9fffe619827242ac149c810a173d5_cobalt-strike_cobaltstrike.exe C:\Windows\System\qmiRLaA.exe
PID 3400 wrote to memory of 560 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_22d9fffe619827242ac149c810a173d5_cobalt-strike_cobaltstrike.exe C:\Windows\System\qmiRLaA.exe
PID 3400 wrote to memory of 2384 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_22d9fffe619827242ac149c810a173d5_cobalt-strike_cobaltstrike.exe C:\Windows\System\mXxiaQk.exe
PID 3400 wrote to memory of 2384 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_22d9fffe619827242ac149c810a173d5_cobalt-strike_cobaltstrike.exe C:\Windows\System\mXxiaQk.exe
PID 3400 wrote to memory of 2192 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_22d9fffe619827242ac149c810a173d5_cobalt-strike_cobaltstrike.exe C:\Windows\System\raOvBev.exe
PID 3400 wrote to memory of 2192 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_22d9fffe619827242ac149c810a173d5_cobalt-strike_cobaltstrike.exe C:\Windows\System\raOvBev.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-05-27_22d9fffe619827242ac149c810a173d5_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-05-27_22d9fffe619827242ac149c810a173d5_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\LvvWgSw.exe

C:\Windows\System\LvvWgSw.exe

C:\Windows\System\ymsifIU.exe

C:\Windows\System\ymsifIU.exe

C:\Windows\System\IWkVJXe.exe

C:\Windows\System\IWkVJXe.exe

C:\Windows\System\uixCkSD.exe

C:\Windows\System\uixCkSD.exe

C:\Windows\System\emYCNOO.exe

C:\Windows\System\emYCNOO.exe

C:\Windows\System\xEhawcY.exe

C:\Windows\System\xEhawcY.exe

C:\Windows\System\nYbmntG.exe

C:\Windows\System\nYbmntG.exe

C:\Windows\System\odgCNpa.exe

C:\Windows\System\odgCNpa.exe

C:\Windows\System\TiXHcgC.exe

C:\Windows\System\TiXHcgC.exe

C:\Windows\System\vLiaSrd.exe

C:\Windows\System\vLiaSrd.exe

C:\Windows\System\WanRapI.exe

C:\Windows\System\WanRapI.exe

C:\Windows\System\epdWgUs.exe

C:\Windows\System\epdWgUs.exe

C:\Windows\System\knVZYNm.exe

C:\Windows\System\knVZYNm.exe

C:\Windows\System\KpmoaJP.exe

C:\Windows\System\KpmoaJP.exe

C:\Windows\System\cVxagOT.exe

C:\Windows\System\cVxagOT.exe

C:\Windows\System\AVliJju.exe

C:\Windows\System\AVliJju.exe

C:\Windows\System\vpXhHbE.exe

C:\Windows\System\vpXhHbE.exe

C:\Windows\System\RALOkaH.exe

C:\Windows\System\RALOkaH.exe

C:\Windows\System\qmiRLaA.exe

C:\Windows\System\qmiRLaA.exe

C:\Windows\System\mXxiaQk.exe

C:\Windows\System\mXxiaQk.exe

C:\Windows\System\raOvBev.exe

C:\Windows\System\raOvBev.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
DE 3.120.209.58:8080 N/A tcp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
DE 3.120.209.58:8080 N/A tcp
DE 3.120.209.58:8080 N/A tcp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
DE 3.120.209.58:8080 N/A tcp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
DE 3.120.209.58:8080 N/A tcp
DE 3.120.209.58:8080 N/A tcp

Files


Analysis: behavioral1

Detonation Overview

Submitted

2024-05-27 17:50

Reported

2024-05-27 17:53

Platform

win7-20240221-en

Max time kernel

137s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-05-27_22d9fffe619827242ac149c810a173d5_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader


Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts


UPX dump on OEP (original entry point)


XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_22d9fffe619827242ac149c810a173d5_cobalt-strike_cobaltstrike.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\ymZLiCX.exe C:\Users\Admin\AppData\Local\Temp\2024-05-27_22d9fffe619827242ac149c810a173d5_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\kdYrUNA.exe C:\Users\Admin\AppData\Local\Temp\2024-05-27_22d9fffe619827242ac149c810a173d5_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\QCIJAiX.exe C:\Users\Admin\AppData\Local\Temp\2024-05-27_22d9fffe619827242ac149c810a173d5_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\dCbcsHT.exe C:\Users\Admin\AppData\Local\Temp\2024-05-27_22d9fffe619827242ac149c810a173d5_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\mxmqUMb.exe C:\Users\Admin\AppData\Local\Temp\2024-05-27_22d9fffe619827242ac149c810a173d5_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\XWhBbuG.exe C:\Users\Admin\AppData\Local\Temp\2024-05-27_22d9fffe619827242ac149c810a173d5_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\XIJHMln.exe C:\Users\Admin\AppData\Local\Temp\2024-05-27_22d9fffe619827242ac149c810a173d5_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\EiyLDQL.exe C:\Users\Admin\AppData\Local\Temp\2024-05-27_22d9fffe619827242ac149c810a173d5_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\UnGJuQO.exe C:\Users\Admin\AppData\Local\Temp\2024-05-27_22d9fffe619827242ac149c810a173d5_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\UXiAWhJ.exe C:\Users\Admin\AppData\Local\Temp\2024-05-27_22d9fffe619827242ac149c810a173d5_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\mRkfhtH.exe C:\Users\Admin\AppData\Local\Temp\2024-05-27_22d9fffe619827242ac149c810a173d5_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\WoEHHdu.exe C:\Users\Admin\AppData\Local\Temp\2024-05-27_22d9fffe619827242ac149c810a173d5_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\FWbfOzf.exe C:\Users\Admin\AppData\Local\Temp\2024-05-27_22d9fffe619827242ac149c810a173d5_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\PVgVPoy.exe C:\Users\Admin\AppData\Local\Temp\2024-05-27_22d9fffe619827242ac149c810a173d5_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\QvhapXa.exe C:\Users\Admin\AppData\Local\Temp\2024-05-27_22d9fffe619827242ac149c810a173d5_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\taihCPY.exe C:\Users\Admin\AppData\Local\Temp\2024-05-27_22d9fffe619827242ac149c810a173d5_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\yceMWHZ.exe C:\Users\Admin\AppData\Local\Temp\2024-05-27_22d9fffe619827242ac149c810a173d5_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\UKhZLNn.exe C:\Users\Admin\AppData\Local\Temp\2024-05-27_22d9fffe619827242ac149c810a173d5_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\CPBKTVb.exe C:\Users\Admin\AppData\Local\Temp\2024-05-27_22d9fffe619827242ac149c810a173d5_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\aSRSmYo.exe C:\Users\Admin\AppData\Local\Temp\2024-05-27_22d9fffe619827242ac149c810a173d5_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\JUFibpq.exe C:\Users\Admin\AppData\Local\Temp\2024-05-27_22d9fffe619827242ac149c810a173d5_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_22d9fffe619827242ac149c810a173d5_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2276 wrote to memory of 2892 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_22d9fffe619827242ac149c810a173d5_cobalt-strike_cobaltstrike.exe C:\Windows\System\EiyLDQL.exe
PID 2276 wrote to memory of 2892 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_22d9fffe619827242ac149c810a173d5_cobalt-strike_cobaltstrike.exe C:\Windows\System\EiyLDQL.exe
PID 2276 wrote to memory of 2892 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_22d9fffe619827242ac149c810a173d5_cobalt-strike_cobaltstrike.exe C:\Windows\System\EiyLDQL.exe
PID 2276 wrote to memory of 2980 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_22d9fffe619827242ac149c810a173d5_cobalt-strike_cobaltstrike.exe C:\Windows\System\JUFibpq.exe
PID 2276 wrote to memory of 2980 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_22d9fffe619827242ac149c810a173d5_cobalt-strike_cobaltstrike.exe C:\Windows\System\JUFibpq.exe
PID 2276 wrote to memory of 2980 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_22d9fffe619827242ac149c810a173d5_cobalt-strike_cobaltstrike.exe C:\Windows\System\JUFibpq.exe
PID 2276 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_22d9fffe619827242ac149c810a173d5_cobalt-strike_cobaltstrike.exe C:\Windows\System\ymZLiCX.exe
PID 2276 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_22d9fffe619827242ac149c810a173d5_cobalt-strike_cobaltstrike.exe C:\Windows\System\ymZLiCX.exe
PID 2276 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_22d9fffe619827242ac149c810a173d5_cobalt-strike_cobaltstrike.exe C:\Windows\System\ymZLiCX.exe
PID 2276 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_22d9fffe619827242ac149c810a173d5_cobalt-strike_cobaltstrike.exe C:\Windows\System\taihCPY.exe
PID 2276 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_22d9fffe619827242ac149c810a173d5_cobalt-strike_cobaltstrike.exe C:\Windows\System\taihCPY.exe
PID 2276 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_22d9fffe619827242ac149c810a173d5_cobalt-strike_cobaltstrike.exe C:\Windows\System\taihCPY.exe
PID 2276 wrote to memory of 2588 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_22d9fffe619827242ac149c810a173d5_cobalt-strike_cobaltstrike.exe C:\Windows\System\yceMWHZ.exe
PID 2276 wrote to memory of 2588 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_22d9fffe619827242ac149c810a173d5_cobalt-strike_cobaltstrike.exe C:\Windows\System\yceMWHZ.exe
PID 2276 wrote to memory of 2588 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_22d9fffe619827242ac149c810a173d5_cobalt-strike_cobaltstrike.exe C:\Windows\System\yceMWHZ.exe
PID 2276 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_22d9fffe619827242ac149c810a173d5_cobalt-strike_cobaltstrike.exe C:\Windows\System\kdYrUNA.exe
PID 2276 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_22d9fffe619827242ac149c810a173d5_cobalt-strike_cobaltstrike.exe C:\Windows\System\kdYrUNA.exe
PID 2276 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_22d9fffe619827242ac149c810a173d5_cobalt-strike_cobaltstrike.exe C:\Windows\System\kdYrUNA.exe
PID 2276 wrote to memory of 2436 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_22d9fffe619827242ac149c810a173d5_cobalt-strike_cobaltstrike.exe C:\Windows\System\UKhZLNn.exe
PID 2276 wrote to memory of 2436 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_22d9fffe619827242ac149c810a173d5_cobalt-strike_cobaltstrike.exe C:\Windows\System\UKhZLNn.exe
PID 2276 wrote to memory of 2436 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_22d9fffe619827242ac149c810a173d5_cobalt-strike_cobaltstrike.exe C:\Windows\System\UKhZLNn.exe
PID 2276 wrote to memory of 2580 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_22d9fffe619827242ac149c810a173d5_cobalt-strike_cobaltstrike.exe C:\Windows\System\CPBKTVb.exe
PID 2276 wrote to memory of 2580 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_22d9fffe619827242ac149c810a173d5_cobalt-strike_cobaltstrike.exe C:\Windows\System\CPBKTVb.exe
PID 2276 wrote to memory of 2580 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_22d9fffe619827242ac149c810a173d5_cobalt-strike_cobaltstrike.exe C:\Windows\System\CPBKTVb.exe
PID 2276 wrote to memory of 2464 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_22d9fffe619827242ac149c810a173d5_cobalt-strike_cobaltstrike.exe C:\Windows\System\PVgVPoy.exe
PID 2276 wrote to memory of 2464 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_22d9fffe619827242ac149c810a173d5_cobalt-strike_cobaltstrike.exe C:\Windows\System\PVgVPoy.exe
PID 2276 wrote to memory of 2464 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_22d9fffe619827242ac149c810a173d5_cobalt-strike_cobaltstrike.exe C:\Windows\System\PVgVPoy.exe
PID 2276 wrote to memory of 1240 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_22d9fffe619827242ac149c810a173d5_cobalt-strike_cobaltstrike.exe C:\Windows\System\QCIJAiX.exe
PID 2276 wrote to memory of 1240 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_22d9fffe619827242ac149c810a173d5_cobalt-strike_cobaltstrike.exe C:\Windows\System\QCIJAiX.exe
PID 2276 wrote to memory of 1240 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_22d9fffe619827242ac149c810a173d5_cobalt-strike_cobaltstrike.exe C:\Windows\System\QCIJAiX.exe
PID 2276 wrote to memory of 1740 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_22d9fffe619827242ac149c810a173d5_cobalt-strike_cobaltstrike.exe C:\Windows\System\dCbcsHT.exe
PID 2276 wrote to memory of 1740 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_22d9fffe619827242ac149c810a173d5_cobalt-strike_cobaltstrike.exe C:\Windows\System\dCbcsHT.exe
PID 2276 wrote to memory of 1740 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_22d9fffe619827242ac149c810a173d5_cobalt-strike_cobaltstrike.exe C:\Windows\System\dCbcsHT.exe
PID 2276 wrote to memory of 3060 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_22d9fffe619827242ac149c810a173d5_cobalt-strike_cobaltstrike.exe C:\Windows\System\mxmqUMb.exe
PID 2276 wrote to memory of 3060 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_22d9fffe619827242ac149c810a173d5_cobalt-strike_cobaltstrike.exe C:\Windows\System\mxmqUMb.exe
PID 2276 wrote to memory of 3060 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_22d9fffe619827242ac149c810a173d5_cobalt-strike_cobaltstrike.exe C:\Windows\System\mxmqUMb.exe
PID 2276 wrote to memory of 1456 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_22d9fffe619827242ac149c810a173d5_cobalt-strike_cobaltstrike.exe C:\Windows\System\XWhBbuG.exe
PID 2276 wrote to memory of 1456 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_22d9fffe619827242ac149c810a173d5_cobalt-strike_cobaltstrike.exe C:\Windows\System\XWhBbuG.exe
PID 2276 wrote to memory of 1456 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_22d9fffe619827242ac149c810a173d5_cobalt-strike_cobaltstrike.exe C:\Windows\System\XWhBbuG.exe
PID 2276 wrote to memory of 1552 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_22d9fffe619827242ac149c810a173d5_cobalt-strike_cobaltstrike.exe C:\Windows\System\FWbfOzf.exe
PID 2276 wrote to memory of 1552 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_22d9fffe619827242ac149c810a173d5_cobalt-strike_cobaltstrike.exe C:\Windows\System\FWbfOzf.exe
PID 2276 wrote to memory of 1552 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_22d9fffe619827242ac149c810a173d5_cobalt-strike_cobaltstrike.exe C:\Windows\System\FWbfOzf.exe
PID 2276 wrote to memory of 2320 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_22d9fffe619827242ac149c810a173d5_cobalt-strike_cobaltstrike.exe C:\Windows\System\mRkfhtH.exe
PID 2276 wrote to memory of 2320 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_22d9fffe619827242ac149c810a173d5_cobalt-strike_cobaltstrike.exe C:\Windows\System\mRkfhtH.exe
PID 2276 wrote to memory of 2320 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_22d9fffe619827242ac149c810a173d5_cobalt-strike_cobaltstrike.exe C:\Windows\System\mRkfhtH.exe
PID 2276 wrote to memory of 2172 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_22d9fffe619827242ac149c810a173d5_cobalt-strike_cobaltstrike.exe C:\Windows\System\aSRSmYo.exe
PID 2276 wrote to memory of 2172 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_22d9fffe619827242ac149c810a173d5_cobalt-strike_cobaltstrike.exe C:\Windows\System\aSRSmYo.exe
PID 2276 wrote to memory of 2172 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_22d9fffe619827242ac149c810a173d5_cobalt-strike_cobaltstrike.exe C:\Windows\System\aSRSmYo.exe
PID 2276 wrote to memory of 2132 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_22d9fffe619827242ac149c810a173d5_cobalt-strike_cobaltstrike.exe C:\Windows\System\WoEHHdu.exe
PID 2276 wrote to memory of 2132 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_22d9fffe619827242ac149c810a173d5_cobalt-strike_cobaltstrike.exe C:\Windows\System\WoEHHdu.exe
PID 2276 wrote to memory of 2132 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_22d9fffe619827242ac149c810a173d5_cobalt-strike_cobaltstrike.exe C:\Windows\System\WoEHHdu.exe
PID 2276 wrote to memory of 2700 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_22d9fffe619827242ac149c810a173d5_cobalt-strike_cobaltstrike.exe C:\Windows\System\XIJHMln.exe
PID 2276 wrote to memory of 2700 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_22d9fffe619827242ac149c810a173d5_cobalt-strike_cobaltstrike.exe C:\Windows\System\XIJHMln.exe
PID 2276 wrote to memory of 2700 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_22d9fffe619827242ac149c810a173d5_cobalt-strike_cobaltstrike.exe C:\Windows\System\XIJHMln.exe
PID 2276 wrote to memory of 1584 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_22d9fffe619827242ac149c810a173d5_cobalt-strike_cobaltstrike.exe C:\Windows\System\UXiAWhJ.exe
PID 2276 wrote to memory of 1584 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_22d9fffe619827242ac149c810a173d5_cobalt-strike_cobaltstrike.exe C:\Windows\System\UXiAWhJ.exe
PID 2276 wrote to memory of 1584 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_22d9fffe619827242ac149c810a173d5_cobalt-strike_cobaltstrike.exe C:\Windows\System\UXiAWhJ.exe
PID 2276 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_22d9fffe619827242ac149c810a173d5_cobalt-strike_cobaltstrike.exe C:\Windows\System\QvhapXa.exe
PID 2276 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_22d9fffe619827242ac149c810a173d5_cobalt-strike_cobaltstrike.exe C:\Windows\System\QvhapXa.exe
PID 2276 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_22d9fffe619827242ac149c810a173d5_cobalt-strike_cobaltstrike.exe C:\Windows\System\QvhapXa.exe
PID 2276 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_22d9fffe619827242ac149c810a173d5_cobalt-strike_cobaltstrike.exe C:\Windows\System\UnGJuQO.exe
PID 2276 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_22d9fffe619827242ac149c810a173d5_cobalt-strike_cobaltstrike.exe C:\Windows\System\UnGJuQO.exe
PID 2276 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_22d9fffe619827242ac149c810a173d5_cobalt-strike_cobaltstrike.exe C:\Windows\System\UnGJuQO.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-05-27_22d9fffe619827242ac149c810a173d5_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-05-27_22d9fffe619827242ac149c810a173d5_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\EiyLDQL.exe

C:\Windows\System\EiyLDQL.exe

C:\Windows\System\JUFibpq.exe

C:\Windows\System\JUFibpq.exe

C:\Windows\System\ymZLiCX.exe

C:\Windows\System\ymZLiCX.exe

C:\Windows\System\taihCPY.exe

C:\Windows\System\taihCPY.exe

C:\Windows\System\yceMWHZ.exe

C:\Windows\System\yceMWHZ.exe

C:\Windows\System\kdYrUNA.exe

C:\Windows\System\kdYrUNA.exe

C:\Windows\System\UKhZLNn.exe

C:\Windows\System\UKhZLNn.exe

C:\Windows\System\CPBKTVb.exe

C:\Windows\System\CPBKTVb.exe

C:\Windows\System\PVgVPoy.exe

C:\Windows\System\PVgVPoy.exe

C:\Windows\System\QCIJAiX.exe

C:\Windows\System\QCIJAiX.exe

C:\Windows\System\dCbcsHT.exe

C:\Windows\System\dCbcsHT.exe

C:\Windows\System\mxmqUMb.exe

C:\Windows\System\mxmqUMb.exe

C:\Windows\System\XWhBbuG.exe

C:\Windows\System\XWhBbuG.exe

C:\Windows\System\FWbfOzf.exe

C:\Windows\System\FWbfOzf.exe

C:\Windows\System\mRkfhtH.exe

C:\Windows\System\mRkfhtH.exe

C:\Windows\System\aSRSmYo.exe

C:\Windows\System\aSRSmYo.exe

C:\Windows\System\WoEHHdu.exe

C:\Windows\System\WoEHHdu.exe

C:\Windows\System\XIJHMln.exe

C:\Windows\System\XIJHMln.exe

C:\Windows\System\UXiAWhJ.exe

C:\Windows\System\UXiAWhJ.exe

C:\Windows\System\QvhapXa.exe

C:\Windows\System\QvhapXa.exe

C:\Windows\System\UnGJuQO.exe

C:\Windows\System\UnGJuQO.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 tcp

Files
