Malware Analysis Report

2025-03-15 08:10

Sample ID 240530-a5w3jahb73
Target 2024-05-30_2f59ddd10087796e775a28d49e687b61_cobalt-strike_cobaltstrike
SHA256 703b35b12a84f9270e7a6379976008337f4c022d847439da1b487c3f70aa5aca
Tags
cobaltstrike xmrig 0 backdoor miner trojan upx
score
10/10

Analysis Overview

score
10/10

SHA256

703b35b12a84f9270e7a6379976008337f4c022d847439da1b487c3f70aa5aca

Threat Level: Known bad

The file 2024-05-30_2f59ddd10087796e775a28d49e687b61_cobalt-strike_cobaltstrike was found to be: Known bad.

Malicious Activity Summary

cobaltstrike xmrig 0 backdoor miner trojan upx

Detects Reflective DLL injection artifacts

Cobaltstrike

Xmrig family

Cobalt Strike reflective loader

xmrig

Cobaltstrike family

UPX dump on OEP (original entry point)

XMRig Miner payload

Loads dropped DLL

Executes dropped EXE

UPX packed file

Drops file in Windows directory

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-05-30 00:48

Signatures

Cobalt Strike reflective loader

Cobaltstrike family

cobaltstrike

Detects Reflective DLL injection artifacts

UPX dump on OEP (original entry point)

XMRig Miner payload

miner
Xmrig family

xmrig

UPX packed file

upx
Unsigned PE

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-30 00:48

Reported

2024-05-30 00:50

Platform

win10v2004-20240508-en

Max time kernel

143s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-05-30_2f59ddd10087796e775a28d49e687b61_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

UPX dump on OEP (original entry point)

XMRig Miner payload

miner
UPX packed file

upx
Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\JAteAEF.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_2f59ddd10087796e775a28d49e687b61_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\mWkADVy.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_2f59ddd10087796e775a28d49e687b61_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\krHduXp.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_2f59ddd10087796e775a28d49e687b61_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\IeygzgX.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_2f59ddd10087796e775a28d49e687b61_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\CodYHFw.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_2f59ddd10087796e775a28d49e687b61_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\mrCxhrE.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_2f59ddd10087796e775a28d49e687b61_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\FUkwzmF.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_2f59ddd10087796e775a28d49e687b61_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\twHQHqa.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_2f59ddd10087796e775a28d49e687b61_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\wmwSWPJ.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_2f59ddd10087796e775a28d49e687b61_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\cedeWaw.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_2f59ddd10087796e775a28d49e687b61_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\EdxzvlF.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_2f59ddd10087796e775a28d49e687b61_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ERMqBGh.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_2f59ddd10087796e775a28d49e687b61_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\EUgnXPe.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_2f59ddd10087796e775a28d49e687b61_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\iVdumIr.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_2f59ddd10087796e775a28d49e687b61_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\yBspDjo.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_2f59ddd10087796e775a28d49e687b61_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\HkrNPbw.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_2f59ddd10087796e775a28d49e687b61_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\OCDrmoN.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_2f59ddd10087796e775a28d49e687b61_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\kyCiUlt.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_2f59ddd10087796e775a28d49e687b61_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\RdifDyI.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_2f59ddd10087796e775a28d49e687b61_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\HlChjTn.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_2f59ddd10087796e775a28d49e687b61_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\UrSWwAt.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_2f59ddd10087796e775a28d49e687b61_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_2f59ddd10087796e775a28d49e687b61_cobalt-strike_cobaltstrike.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_2f59ddd10087796e775a28d49e687b61_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2896 wrote to memory of 1672 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_2f59ddd10087796e775a28d49e687b61_cobalt-strike_cobaltstrike.exe C:\Windows\System\IeygzgX.exe
PID 2896 wrote to memory of 1672 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_2f59ddd10087796e775a28d49e687b61_cobalt-strike_cobaltstrike.exe C:\Windows\System\IeygzgX.exe
PID 2896 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_2f59ddd10087796e775a28d49e687b61_cobalt-strike_cobaltstrike.exe C:\Windows\System\RdifDyI.exe
PID 2896 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_2f59ddd10087796e775a28d49e687b61_cobalt-strike_cobaltstrike.exe C:\Windows\System\RdifDyI.exe
PID 2896 wrote to memory of 2660 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_2f59ddd10087796e775a28d49e687b61_cobalt-strike_cobaltstrike.exe C:\Windows\System\iVdumIr.exe
PID 2896 wrote to memory of 2660 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_2f59ddd10087796e775a28d49e687b61_cobalt-strike_cobaltstrike.exe C:\Windows\System\iVdumIr.exe
PID 2896 wrote to memory of 1704 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_2f59ddd10087796e775a28d49e687b61_cobalt-strike_cobaltstrike.exe C:\Windows\System\CodYHFw.exe
PID 2896 wrote to memory of 1704 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_2f59ddd10087796e775a28d49e687b61_cobalt-strike_cobaltstrike.exe C:\Windows\System\CodYHFw.exe
PID 2896 wrote to memory of 2208 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_2f59ddd10087796e775a28d49e687b61_cobalt-strike_cobaltstrike.exe C:\Windows\System\yBspDjo.exe
PID 2896 wrote to memory of 2208 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_2f59ddd10087796e775a28d49e687b61_cobalt-strike_cobaltstrike.exe C:\Windows\System\yBspDjo.exe
PID 2896 wrote to memory of 4652 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_2f59ddd10087796e775a28d49e687b61_cobalt-strike_cobaltstrike.exe C:\Windows\System\HlChjTn.exe
PID 2896 wrote to memory of 4652 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_2f59ddd10087796e775a28d49e687b61_cobalt-strike_cobaltstrike.exe C:\Windows\System\HlChjTn.exe
PID 2896 wrote to memory of 4796 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_2f59ddd10087796e775a28d49e687b61_cobalt-strike_cobaltstrike.exe C:\Windows\System\mrCxhrE.exe
PID 2896 wrote to memory of 4796 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_2f59ddd10087796e775a28d49e687b61_cobalt-strike_cobaltstrike.exe C:\Windows\System\mrCxhrE.exe
PID 2896 wrote to memory of 1228 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_2f59ddd10087796e775a28d49e687b61_cobalt-strike_cobaltstrike.exe C:\Windows\System\HkrNPbw.exe
PID 2896 wrote to memory of 1228 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_2f59ddd10087796e775a28d49e687b61_cobalt-strike_cobaltstrike.exe C:\Windows\System\HkrNPbw.exe
PID 2896 wrote to memory of 4992 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_2f59ddd10087796e775a28d49e687b61_cobalt-strike_cobaltstrike.exe C:\Windows\System\UrSWwAt.exe
PID 2896 wrote to memory of 4992 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_2f59ddd10087796e775a28d49e687b61_cobalt-strike_cobaltstrike.exe C:\Windows\System\UrSWwAt.exe
PID 2896 wrote to memory of 3348 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_2f59ddd10087796e775a28d49e687b61_cobalt-strike_cobaltstrike.exe C:\Windows\System\EdxzvlF.exe
PID 2896 wrote to memory of 3348 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_2f59ddd10087796e775a28d49e687b61_cobalt-strike_cobaltstrike.exe C:\Windows\System\EdxzvlF.exe
PID 2896 wrote to memory of 3384 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_2f59ddd10087796e775a28d49e687b61_cobalt-strike_cobaltstrike.exe C:\Windows\System\twHQHqa.exe
PID 2896 wrote to memory of 3384 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_2f59ddd10087796e775a28d49e687b61_cobalt-strike_cobaltstrike.exe C:\Windows\System\twHQHqa.exe
PID 2896 wrote to memory of 1896 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_2f59ddd10087796e775a28d49e687b61_cobalt-strike_cobaltstrike.exe C:\Windows\System\OCDrmoN.exe
PID 2896 wrote to memory of 1896 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_2f59ddd10087796e775a28d49e687b61_cobalt-strike_cobaltstrike.exe C:\Windows\System\OCDrmoN.exe
PID 2896 wrote to memory of 1232 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_2f59ddd10087796e775a28d49e687b61_cobalt-strike_cobaltstrike.exe C:\Windows\System\JAteAEF.exe
PID 2896 wrote to memory of 1232 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_2f59ddd10087796e775a28d49e687b61_cobalt-strike_cobaltstrike.exe C:\Windows\System\JAteAEF.exe
PID 2896 wrote to memory of 4068 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_2f59ddd10087796e775a28d49e687b61_cobalt-strike_cobaltstrike.exe C:\Windows\System\ERMqBGh.exe
PID 2896 wrote to memory of 4068 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_2f59ddd10087796e775a28d49e687b61_cobalt-strike_cobaltstrike.exe C:\Windows\System\ERMqBGh.exe
PID 2896 wrote to memory of 3268 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_2f59ddd10087796e775a28d49e687b61_cobalt-strike_cobaltstrike.exe C:\Windows\System\wmwSWPJ.exe
PID 2896 wrote to memory of 3268 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_2f59ddd10087796e775a28d49e687b61_cobalt-strike_cobaltstrike.exe C:\Windows\System\wmwSWPJ.exe
PID 2896 wrote to memory of 1816 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_2f59ddd10087796e775a28d49e687b61_cobalt-strike_cobaltstrike.exe C:\Windows\System\EUgnXPe.exe
PID 2896 wrote to memory of 1816 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_2f59ddd10087796e775a28d49e687b61_cobalt-strike_cobaltstrike.exe C:\Windows\System\EUgnXPe.exe
PID 2896 wrote to memory of 3828 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_2f59ddd10087796e775a28d49e687b61_cobalt-strike_cobaltstrike.exe C:\Windows\System\kyCiUlt.exe
PID 2896 wrote to memory of 3828 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_2f59ddd10087796e775a28d49e687b61_cobalt-strike_cobaltstrike.exe C:\Windows\System\kyCiUlt.exe
PID 2896 wrote to memory of 3064 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_2f59ddd10087796e775a28d49e687b61_cobalt-strike_cobaltstrike.exe C:\Windows\System\mWkADVy.exe
PID 2896 wrote to memory of 3064 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_2f59ddd10087796e775a28d49e687b61_cobalt-strike_cobaltstrike.exe C:\Windows\System\mWkADVy.exe
PID 2896 wrote to memory of 2848 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_2f59ddd10087796e775a28d49e687b61_cobalt-strike_cobaltstrike.exe C:\Windows\System\cedeWaw.exe
PID 2896 wrote to memory of 2848 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_2f59ddd10087796e775a28d49e687b61_cobalt-strike_cobaltstrike.exe C:\Windows\System\cedeWaw.exe
PID 2896 wrote to memory of 3484 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_2f59ddd10087796e775a28d49e687b61_cobalt-strike_cobaltstrike.exe C:\Windows\System\krHduXp.exe
PID 2896 wrote to memory of 3484 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_2f59ddd10087796e775a28d49e687b61_cobalt-strike_cobaltstrike.exe C:\Windows\System\krHduXp.exe
PID 2896 wrote to memory of 1128 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_2f59ddd10087796e775a28d49e687b61_cobalt-strike_cobaltstrike.exe C:\Windows\System\FUkwzmF.exe
PID 2896 wrote to memory of 1128 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_2f59ddd10087796e775a28d49e687b61_cobalt-strike_cobaltstrike.exe C:\Windows\System\FUkwzmF.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-05-30_2f59ddd10087796e775a28d49e687b61_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-05-30_2f59ddd10087796e775a28d49e687b61_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\IeygzgX.exe

C:\Windows\System\IeygzgX.exe

C:\Windows\System\RdifDyI.exe

C:\Windows\System\RdifDyI.exe

C:\Windows\System\iVdumIr.exe

C:\Windows\System\iVdumIr.exe

C:\Windows\System\CodYHFw.exe

C:\Windows\System\CodYHFw.exe

C:\Windows\System\yBspDjo.exe

C:\Windows\System\yBspDjo.exe

C:\Windows\System\HlChjTn.exe

C:\Windows\System\HlChjTn.exe

C:\Windows\System\mrCxhrE.exe

C:\Windows\System\mrCxhrE.exe

C:\Windows\System\HkrNPbw.exe

C:\Windows\System\HkrNPbw.exe

C:\Windows\System\UrSWwAt.exe

C:\Windows\System\UrSWwAt.exe

C:\Windows\System\EdxzvlF.exe

C:\Windows\System\EdxzvlF.exe

C:\Windows\System\twHQHqa.exe

C:\Windows\System\twHQHqa.exe

C:\Windows\System\OCDrmoN.exe

C:\Windows\System\OCDrmoN.exe

C:\Windows\System\JAteAEF.exe

C:\Windows\System\JAteAEF.exe

C:\Windows\System\ERMqBGh.exe

C:\Windows\System\ERMqBGh.exe

C:\Windows\System\wmwSWPJ.exe

C:\Windows\System\wmwSWPJ.exe

C:\Windows\System\EUgnXPe.exe

C:\Windows\System\EUgnXPe.exe

C:\Windows\System\kyCiUlt.exe

C:\Windows\System\kyCiUlt.exe

C:\Windows\System\mWkADVy.exe

C:\Windows\System\mWkADVy.exe

C:\Windows\System\cedeWaw.exe

C:\Windows\System\cedeWaw.exe

C:\Windows\System\krHduXp.exe

C:\Windows\System\krHduXp.exe

C:\Windows\System\FUkwzmF.exe

C:\Windows\System\FUkwzmF.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 163.126.19.2.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
BE 2.17.107.105:443 www.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 105.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 45.19.74.20.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
BE 2.17.107.105:443 www.bing.com tcp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 144.107.17.2.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp

Files


Analysis: behavioral1

Detonation Overview

Submitted

2024-05-30 00:48

Reported

2024-05-30 00:50

Platform

win7-20240508-en

Max time kernel

140s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-05-30_2f59ddd10087796e775a28d49e687b61_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

UPX dump on OEP (original entry point)


XMRig Miner payload

miner

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_2f59ddd10087796e775a28d49e687b61_cobalt-strike_cobaltstrike.exe N/A

UPX packed file

upx

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\yBspDjo.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_2f59ddd10087796e775a28d49e687b61_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\mrCxhrE.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_2f59ddd10087796e775a28d49e687b61_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\UrSWwAt.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_2f59ddd10087796e775a28d49e687b61_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\EdxzvlF.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_2f59ddd10087796e775a28d49e687b61_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\RdifDyI.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_2f59ddd10087796e775a28d49e687b61_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\HkrNPbw.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_2f59ddd10087796e775a28d49e687b61_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\EUgnXPe.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_2f59ddd10087796e775a28d49e687b61_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\OCDrmoN.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_2f59ddd10087796e775a28d49e687b61_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ERMqBGh.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_2f59ddd10087796e775a28d49e687b61_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\wmwSWPJ.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_2f59ddd10087796e775a28d49e687b61_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\mWkADVy.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_2f59ddd10087796e775a28d49e687b61_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\IeygzgX.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_2f59ddd10087796e775a28d49e687b61_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\iVdumIr.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_2f59ddd10087796e775a28d49e687b61_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\CodYHFw.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_2f59ddd10087796e775a28d49e687b61_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\twHQHqa.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_2f59ddd10087796e775a28d49e687b61_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\FUkwzmF.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_2f59ddd10087796e775a28d49e687b61_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\krHduXp.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_2f59ddd10087796e775a28d49e687b61_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\HlChjTn.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_2f59ddd10087796e775a28d49e687b61_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\JAteAEF.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_2f59ddd10087796e775a28d49e687b61_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\kyCiUlt.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_2f59ddd10087796e775a28d49e687b61_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\cedeWaw.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_2f59ddd10087796e775a28d49e687b61_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_2f59ddd10087796e775a28d49e687b61_cobalt-strike_cobaltstrike.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_2f59ddd10087796e775a28d49e687b61_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2932 wrote to memory of 2012 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_2f59ddd10087796e775a28d49e687b61_cobalt-strike_cobaltstrike.exe C:\Windows\System\IeygzgX.exe
PID 2932 wrote to memory of 3000 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_2f59ddd10087796e775a28d49e687b61_cobalt-strike_cobaltstrike.exe C:\Windows\System\RdifDyI.exe
PID 2932 wrote to memory of 2368 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_2f59ddd10087796e775a28d49e687b61_cobalt-strike_cobaltstrike.exe C:\Windows\System\iVdumIr.exe
PID 2932 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_2f59ddd10087796e775a28d49e687b61_cobalt-strike_cobaltstrike.exe C:\Windows\System\CodYHFw.exe
PID 2932 wrote to memory of 2736 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_2f59ddd10087796e775a28d49e687b61_cobalt-strike_cobaltstrike.exe C:\Windows\System\yBspDjo.exe
PID 2932 wrote to memory of 2644 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_2f59ddd10087796e775a28d49e687b61_cobalt-strike_cobaltstrike.exe C:\Windows\System\HlChjTn.exe
PID 2932 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_2f59ddd10087796e775a28d49e687b61_cobalt-strike_cobaltstrike.exe C:\Windows\System\mrCxhrE.exe
PID 2932 wrote to memory of 2560 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_2f59ddd10087796e775a28d49e687b61_cobalt-strike_cobaltstrike.exe C:\Windows\System\HkrNPbw.exe
PID 2932 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_2f59ddd10087796e775a28d49e687b61_cobalt-strike_cobaltstrike.exe C:\Windows\System\UrSWwAt.exe
PID 2932 wrote to memory of 2564 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_2f59ddd10087796e775a28d49e687b61_cobalt-strike_cobaltstrike.exe C:\Windows\System\EdxzvlF.exe
PID 2932 wrote to memory of 2488 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_2f59ddd10087796e775a28d49e687b61_cobalt-strike_cobaltstrike.exe C:\Windows\System\twHQHqa.exe
PID 2932 wrote to memory of 1536 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_2f59ddd10087796e775a28d49e687b61_cobalt-strike_cobaltstrike.exe C:\Windows\System\OCDrmoN.exe
PID 2932 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_2f59ddd10087796e775a28d49e687b61_cobalt-strike_cobaltstrike.exe C:\Windows\System\JAteAEF.exe
PID 2932 wrote to memory of 1644 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_2f59ddd10087796e775a28d49e687b61_cobalt-strike_cobaltstrike.exe C:\Windows\System\ERMqBGh.exe
PID 2932 wrote to memory of 2232 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_2f59ddd10087796e775a28d49e687b61_cobalt-strike_cobaltstrike.exe C:\Windows\System\wmwSWPJ.exe
PID 2932 wrote to memory of 1636 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_2f59ddd10087796e775a28d49e687b61_cobalt-strike_cobaltstrike.exe C:\Windows\System\EUgnXPe.exe
PID 2932 wrote to memory of 788 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_2f59ddd10087796e775a28d49e687b61_cobalt-strike_cobaltstrike.exe C:\Windows\System\kyCiUlt.exe
PID 2932 wrote to memory of 1980 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_2f59ddd10087796e775a28d49e687b61_cobalt-strike_cobaltstrike.exe C:\Windows\System\mWkADVy.exe
PID 2932 wrote to memory of 2200 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_2f59ddd10087796e775a28d49e687b61_cobalt-strike_cobaltstrike.exe C:\Windows\System\cedeWaw.exe
PID 2932 wrote to memory of 1740 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_2f59ddd10087796e775a28d49e687b61_cobalt-strike_cobaltstrike.exe C:\Windows\System\krHduXp.exe
PID 2932 wrote to memory of 1936 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_2f59ddd10087796e775a28d49e687b61_cobalt-strike_cobaltstrike.exe C:\Windows\System\FUkwzmF.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-05-30_2f59ddd10087796e775a28d49e687b61_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-05-30_2f59ddd10087796e775a28d49e687b61_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\IeygzgX.exe

C:\Windows\System\IeygzgX.exe

C:\Windows\System\RdifDyI.exe

C:\Windows\System\RdifDyI.exe

C:\Windows\System\iVdumIr.exe

C:\Windows\System\iVdumIr.exe

C:\Windows\System\CodYHFw.exe

C:\Windows\System\CodYHFw.exe

C:\Windows\System\yBspDjo.exe

C:\Windows\System\yBspDjo.exe

C:\Windows\System\HlChjTn.exe

C:\Windows\System\HlChjTn.exe

C:\Windows\System\mrCxhrE.exe

C:\Windows\System\mrCxhrE.exe

C:\Windows\System\HkrNPbw.exe

C:\Windows\System\HkrNPbw.exe

C:\Windows\System\UrSWwAt.exe

C:\Windows\System\UrSWwAt.exe

C:\Windows\System\EdxzvlF.exe

C:\Windows\System\EdxzvlF.exe

C:\Windows\System\twHQHqa.exe

C:\Windows\System\twHQHqa.exe

C:\Windows\System\OCDrmoN.exe

C:\Windows\System\OCDrmoN.exe

C:\Windows\System\JAteAEF.exe

C:\Windows\System\JAteAEF.exe

C:\Windows\System\ERMqBGh.exe

C:\Windows\System\ERMqBGh.exe

C:\Windows\System\wmwSWPJ.exe

C:\Windows\System\wmwSWPJ.exe

C:\Windows\System\EUgnXPe.exe

C:\Windows\System\EUgnXPe.exe

C:\Windows\System\kyCiUlt.exe

C:\Windows\System\kyCiUlt.exe

C:\Windows\System\mWkADVy.exe

C:\Windows\System\mWkADVy.exe

C:\Windows\System\cedeWaw.exe

C:\Windows\System\cedeWaw.exe

C:\Windows\System\krHduXp.exe

C:\Windows\System\krHduXp.exe

C:\Windows\System\FUkwzmF.exe

C:\Windows\System\FUkwzmF.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 tcp

Files
