Malware Analysis Report

2025-01-22 19:48

Sample ID 240601-vjwvvshh66
Target 2024-06-01_9939fa0286d6eec50d899d5064baf15d_cobalt-strike_cobaltstrike
SHA256 6931c38c3fd5ea1cfd632c0c300d81e346294bc9d6fd131358ad5ad5750da7c4
Tags: miner, upx, xmrig, cobaltstrike, backdoor, trojan

Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

6931c38c3fd5ea1cfd632c0c300d81e346294bc9d6fd131358ad5ad5750da7c4

Threat Level: Known bad

The file 2024-06-01_9939fa0286d6eec50d899d5064baf15d_cobalt-strike_cobaltstrike was found to be: Known bad.

Malicious Activity Summary

Tags: miner, upx, xmrig, cobaltstrike, backdoor, trojan

XMRig Miner payload

Xmrig family

Cobalt Strike reflective loader

Cobaltstrike family

Detects Reflective DLL injection artifacts

UPX packed file

UPX dump on OEP (original entry point)

Executes dropped EXE

Loads dropped DLL

Drops file in Windows directory

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-01 17:01

Signatures

Each static signature below matched once (the two "family" lines are classification tags, not hits); the report records no description, indicator, process or target for any of the static hits.

Cobalt Strike reflective loader

Cobaltstrike family (tag: cobaltstrike)

Detects Reflective DLL injection artifacts

UPX dump on OEP (original entry point)

XMRig Miner payload (tag: miner)

Xmrig family (tag: xmrig)

UPX packed file (tag: upx)

Unsigned PE
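The static verdicts above ("UPX packed file", "UPX dump on OEP") come from the sandbox's own detectors, which the report does not show. The following is an added example, not code from the report or from the sandbox: a pure-Python walk of a PE section table that collects the cheap static UPX indicators an analyst checks before unpacking (UPX0/UPX1 section names, a first section with no raw data, the "UPX!" marker UPX writes into the header area, and high-entropy sections). build_sample() constructs a minimal, non-executable PE with that layout so the code runs offline; the 7.0 bits/byte threshold is a common rule of thumb, not a value from the report.

```python
"""Static UPX indicators from a PE section table, in pure Python.

Added example, not part of the sandbox report and not the sandbox's detector.
build_sample() constructs a minimal, non-executable PE that reproduces the
section layout UPX leaves behind; the 7.0 entropy threshold is a common
rule of thumb, not a value taken from the report.
"""
import hashlib
import math
import struct


def entropy(data):
    """Shannon entropy in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def pe_sections(pe):
    """Yield (name, raw_size, virtual_size, raw_bytes) for each section header."""
    if pe[:2] != b"MZ":
        raise ValueError("not a DOS/PE file")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = e_lfanew + 4                       # IMAGE_FILE_HEADER
    nsections = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]
    table = coff + 20 + opt_size              # first IMAGE_SECTION_HEADER
    for i in range(nsections):
        off = table + 40 * i
        name = pe[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, vaddr, rsize, rptr = struct.unpack_from("<IIII", pe, off + 8)
        yield name, rsize, vsize, pe[rptr:rptr + rsize]


def upx_indicators(pe, threshold=7.0):
    """Cheap screening checks; any one of them alone is weak evidence."""
    names, high = [], []
    empty_first = False
    for i, (name, rsize, vsize, raw) in enumerate(pe_sections(pe)):
        names.append(name)
        # UPX0 reserves address space for the unpacked image and has no data on disk.
        if i == 0 and rsize == 0 and vsize > 0:
            empty_first = True
        if rsize and entropy(raw) > threshold:
            high.append(name)
    return {
        "upx_section_names": any(n.startswith("UPX") for n in names),
        "upx_marker": b"UPX!" in pe,          # magic UPX writes into the header area
        "empty_first_section": empty_first,
        "high_entropy_sections": high,
    }


def build_sample():
    """Constructed PE: UPX0 (no raw data), UPX1 (pseudo-random payload), .rsrc."""
    packed = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(128))  # 4096 bytes
    rsrc = b"\0" * 512
    opt_size = 240
    header_end = 0x40 + 4 + 20 + opt_size + 3 * 40
    data_off = (header_end + 0x1FF) & ~0x1FF          # 512-byte file alignment
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)   # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x8664, 3, 0, 0, 0, opt_size, 0x22)

    def section(name, vsize, vaddr, rsize, rptr):
        return struct.pack("<8sIIIIIIHHI", name, vsize, vaddr, rsize, rptr,
                           0, 0, 0, 0, 0xE0000040)

    table = (section(b"UPX0", 0x300000, 0x1000, 0, data_off)
             + section(b"UPX1", len(packed), 0x301000, len(packed), data_off)
             + section(b".rsrc", len(rsrc), 0x400000, len(rsrc), data_off + len(packed)))
    header = dos + b"PE\0\0" + coff + b"\0" * opt_size + table
    header += b"UPX!" + b"\0" * (data_off - len(header) - 4)
    return header + packed + rsrc


def analyze_sample():
    return upx_indicators(build_sample())
```

Section names and the "UPX!" marker are trivial for an attacker to strip, so treat a negative result as inconclusive; the report's own "UPX dump on OEP" hit is the runtime counterpart, where the unpacked image is captured once the stub jumps to the original entry point.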

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-01 17:01

Reported

2024-06-01 17:04

Platform

win7-20240221-en

Max time kernel

141s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-01_9939fa0286d6eec50d899d5064baf15d_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

21 hits; no description, indicator, process or target recorded.

Cobaltstrike family (tags: trojan, backdoor, cobaltstrike)

Xmrig family (tags: miner, xmrig)

Detects Reflective DLL injection artifacts

21 hits; no description, indicator, process or target recorded.

UPX dump on OEP (original entry point)

47 hits; no description, indicator, process or target recorded.

XMRig Miner payload (tag: miner)

49 hits; no description, indicator, process or target recorded.

Loads dropped DLL

21 hits, every one attributed to the sample process C:\Users\Admin\AppData\Local\Temp\2024-06-01_9939fa0286d6eec50d899d5064baf15d_cobalt-strike_cobaltstrike.exe (the parent, not the dropped executables); no description, indicator or target recorded.

UPX packed file (tag: upx)

47 hits; no description, indicator, process or target recorded.

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\RRdfeur.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_9939fa0286d6eec50d899d5064baf15d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\CDarvbm.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_9939fa0286d6eec50d899d5064baf15d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\yOqkvlw.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_9939fa0286d6eec50d899d5064baf15d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\dHxxwyH.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_9939fa0286d6eec50d899d5064baf15d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\HXoLwnv.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_9939fa0286d6eec50d899d5064baf15d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\jNWVScM.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_9939fa0286d6eec50d899d5064baf15d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\RPoPUao.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_9939fa0286d6eec50d899d5064baf15d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\xUNuTFF.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_9939fa0286d6eec50d899d5064baf15d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\exqhdMm.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_9939fa0286d6eec50d899d5064baf15d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\eqvfHqJ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_9939fa0286d6eec50d899d5064baf15d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\WYBsIEk.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_9939fa0286d6eec50d899d5064baf15d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\gzIjdFh.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_9939fa0286d6eec50d899d5064baf15d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\lqDVDNQ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_9939fa0286d6eec50d899d5064baf15d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\TGMUpkp.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_9939fa0286d6eec50d899d5064baf15d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\GyukSRm.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_9939fa0286d6eec50d899d5064baf15d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\CjiBsUh.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_9939fa0286d6eec50d899d5064baf15d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\pXSBCNE.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_9939fa0286d6eec50d899d5064baf15d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\AGSljae.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_9939fa0286d6eec50d899d5064baf15d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\klHDXHp.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_9939fa0286d6eec50d899d5064baf15d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\oOeAIlh.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_9939fa0286d6eec50d899d5064baf15d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\sfVYZEj.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_9939fa0286d6eec50d899d5064baf15d_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Both hits come from the parent process and request SeLockMemoryPrivilege. That is the right XMRig adjusts so it can back its RandomX dataset with large pages; it is assigned to no account by default, so a user-mode process enabling it is a strong miner indicator on its own.

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_9939fa0286d6eec50d899d5064baf15d_cobalt-strike_cobaltstrike.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_9939fa0286d6eec50d899d5064baf15d_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

All 63 rows originate from the parent (PID 2180) and target the 21 dropped executables, three writes per child. Collapsed below to one row per target; the Process column is the sample path, C:\Users\Admin\AppData\Local\Temp\2024-06-01_9939fa0286d6eec50d899d5064baf15d_cobalt-strike_cobaltstrike.exe, in every row.

Description Target
PID 2180 wrote to memory of 324 (3 writes) C:\Windows\System\RRdfeur.exe
PID 2180 wrote to memory of 2956 (3 writes) C:\Windows\System\CDarvbm.exe
PID 2180 wrote to memory of 1028 (3 writes) C:\Windows\System\yOqkvlw.exe
PID 2180 wrote to memory of 1720 (3 writes) C:\Windows\System\GyukSRm.exe
PID 2180 wrote to memory of 2860 (3 writes) C:\Windows\System\eqvfHqJ.exe
PID 2180 wrote to memory of 3012 (3 writes) C:\Windows\System\dHxxwyH.exe
PID 2180 wrote to memory of 2100 (3 writes) C:\Windows\System\CjiBsUh.exe
PID 2180 wrote to memory of 588 (3 writes) C:\Windows\System\HXoLwnv.exe
PID 2180 wrote to memory of 1872 (3 writes) C:\Windows\System\jNWVScM.exe
PID 2180 wrote to memory of 2288 (3 writes) C:\Windows\System\pXSBCNE.exe
PID 2180 wrote to memory of 2992 (3 writes) C:\Windows\System\WYBsIEk.exe
PID 2180 wrote to memory of 2652 (3 writes) C:\Windows\System\RPoPUao.exe
PID 2180 wrote to memory of 2764 (3 writes) C:\Windows\System\AGSljae.exe
PID 2180 wrote to memory of 3024 (3 writes) C:\Windows\System\sfVYZEj.exe
PID 2180 wrote to memory of 2904 (3 writes) C:\Windows\System\xUNuTFF.exe
PID 2180 wrote to memory of 1544 (3 writes) C:\Windows\System\gzIjdFh.exe
PID 2180 wrote to memory of 2704 (3 writes) C:\Windows\System\exqhdMm.exe
PID 2180 wrote to memory of 2584 (3 writes) C:\Windows\System\lqDVDNQ.exe
PID 2180 wrote to memory of 2408 (3 writes) C:\Windows\System\klHDXHp.exe
PID 2180 wrote to memory of 2492 (3 writes) C:\Windows\System\oOeAIlh.exe
PID 2180 wrote to memory of 2832 (3 writes) C:\Windows\System\TGMUpkp.exe

Processes

Process tree reconstructed from the flat process list and the WriteProcessMemory rows (child PIDs are taken from those rows). Every child is started by the parent, PID 2180, and runs with no command-line arguments (its command line is just its path).

PID 2180 "C:\Users\Admin\AppData\Local\Temp\2024-06-01_9939fa0286d6eec50d899d5064baf15d_cobalt-strike_cobaltstrike.exe"
    PID 324 C:\Windows\System\RRdfeur.exe
    PID 2956 C:\Windows\System\CDarvbm.exe
    PID 1028 C:\Windows\System\yOqkvlw.exe
    PID 1720 C:\Windows\System\GyukSRm.exe
    PID 2860 C:\Windows\System\eqvfHqJ.exe
    PID 3012 C:\Windows\System\dHxxwyH.exe
    PID 2100 C:\Windows\System\CjiBsUh.exe
    PID 588 C:\Windows\System\HXoLwnv.exe
    PID 1872 C:\Windows\System\jNWVScM.exe
    PID 2288 C:\Windows\System\pXSBCNE.exe
    PID 2992 C:\Windows\System\WYBsIEk.exe
    PID 2652 C:\Windows\System\RPoPUao.exe
    PID 2764 C:\Windows\System\AGSljae.exe
    PID 3024 C:\Windows\System\sfVYZEj.exe
    PID 2904 C:\Windows\System\xUNuTFF.exe
    PID 1544 C:\Windows\System\gzIjdFh.exe
    PID 2704 C:\Windows\System\exqhdMm.exe
    PID 2584 C:\Windows\System\lqDVDNQ.exe
    PID 2408 C:\Windows\System\klHDXHp.exe
    PID 2492 C:\Windows\System\oOeAIlh.exe
    PID 2832 C:\Windows\System\TGMUpkp.exe
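The behaviour that the "Drops file in Windows directory", "Executes dropped EXE" and "Suspicious use of WriteProcessMemory" signatures record is a single parent writing twenty-one randomly named executables into C:\Windows\System and then starting each one. The following is an added example, not code from the report or from the sandbox: a small detector for that fan-out over a constructed event stream. The event dicts are a hypothetical flattening of the report's "File created" rows and of the child starts that the WriteProcessMemory rows accompany; the field names kind, pid, path, target and target_pid, and the benign installer events used as a negative control, are this example's own.

```python
"""Detect the drop-and-execute fan-out recorded in this report.

Added example, not part of the sandbox report. The event dicts below are a
hypothetical flattening of the report's "File created" rows and of the
"wrote to memory of <pid>" rows (which accompany each child start); the
field names kind/pid/path/target/target_pid are assumptions of this example.
"""
import re
from collections import defaultdict

SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\2024-06-01_9939fa0286d6eec50d899d5064baf15d_cobalt-strike_cobaltstrike.exe")

# Constructed event stream: three of the 21 drops from the report, the matching
# child starts (PIDs taken from the WriteProcessMemory table), plus one benign
# installer-style drop into its own directory as a negative control.
EVENTS = [
    {"kind": "file_create", "pid": 2180, "path": SAMPLE,
     "target": r"C:\Windows\System\RRdfeur.exe"},
    {"kind": "file_create", "pid": 2180, "path": SAMPLE,
     "target": r"C:\Windows\System\CDarvbm.exe"},
    {"kind": "file_create", "pid": 2180, "path": SAMPLE,
     "target": r"C:\Windows\System\yOqkvlw.exe"},
    {"kind": "process_create", "pid": 2180, "path": SAMPLE,
     "target": r"C:\Windows\System\RRdfeur.exe", "target_pid": 324},
    {"kind": "process_create", "pid": 2180, "path": SAMPLE,
     "target": r"C:\Windows\System\CDarvbm.exe", "target_pid": 2956},
    {"kind": "process_create", "pid": 2180, "path": SAMPLE,
     "target": r"C:\Windows\System\yOqkvlw.exe", "target_pid": 1028},
    {"kind": "file_create", "pid": 4242, "path": r"C:\Program Files\Vendor\setup.exe",
     "target": r"C:\Program Files\Vendor\helper.exe"},
    {"kind": "process_create", "pid": 4242, "path": r"C:\Program Files\Vendor\setup.exe",
     "target": r"C:\Program Files\Vendor\helper.exe", "target_pid": 4300},
]

# C:\Windows\System (not System32) is the legacy 16-bit directory; current
# software does not install executables there, and the sample's file names
# are seven random letters. Both properties are cheap to match on.
DROP_PATTERN = re.compile(r"^c:\\windows\\system\\[a-z]{7}\.exe$", re.IGNORECASE)


def fanout_alerts(events, min_dropped=3):
    """One alert per parent PID that created at least `min_dropped` executables
    matching DROP_PATTERN and afterwards started at least one of them."""
    dropped = defaultdict(set)   # parent pid -> lower-cased dropped paths
    started = defaultdict(set)   # parent pid -> lower-cased executed paths
    for ev in events:
        if not DROP_PATTERN.match(ev["target"]):
            continue
        key = ev["target"].lower()
        if ev["kind"] == "file_create":
            dropped[ev["pid"]].add(key)
        elif ev["kind"] == "process_create":
            started[ev["pid"]].add(key)
    alerts = []
    for pid, files in sorted(dropped.items()):
        executed = files & started[pid]
        if len(files) >= min_dropped and executed:
            alerts.append({"pid": pid, "dropped": len(files),
                           "executed": len(executed), "paths": sorted(executed)})
    return alerts


if __name__ == "__main__":
    for a in fanout_alerts(EVENTS):
        print(f"pid {a['pid']}: dropped {a['dropped']}, executed {a['executed']}")
```

The threshold of three is deliberately low: a single executable written to C:\Windows\System by anything other than an installer is already worth a look, and the report's real count is twenty-one. In a production pipeline the same two-phase correlation (file create, then process create from the same parent on the same path) maps directly onto Sysmon event IDs 11 and 1.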

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 (none; direct IP) tcp, 6 connections

All six connections go to the same IP and port; the report records no domain and no payload, so the protocol spoken over port 8080 is not established here.

Files

memory/2180-0-0x000000013FE70000-0x00000001401C4000-memory.dmp

memory/2180-1-0x00000000001F0000-0x0000000000200000-memory.dmp

C:\Windows\system\RRdfeur.exe

MD5 6bd33f93d2d2d3f6096f9d4b9688f2b8
SHA1 96de9bb2bafeb5d278032e4cfdaf14529c749231
SHA256 eac0dd48ca92b743cccb1b3fbd2fdcd5561addcc1bafb06c229b352537e40c59
SHA512 e2d2f717332b0b8dfc43ad3ad7de35fc4f070a2e1e83230892782a197e69be6521d22b7de1d82795f4740fbf8014910825ed973039d816b428263b9c2547fbd9

memory/324-8-0x000000013F350000-0x000000013F6A4000-memory.dmp

C:\Windows\system\CDarvbm.exe

MD5 1dd6cc7cf6fb5a0a21689c0732674219
SHA1 2a5662dce415876aaa91acc48e170dd482280931
SHA256 fc213dec94a64004a9e6945a90d9551dc6d931c372f475a0145af74935dd3efb
SHA512 93c10141cc9cb47ee0a0a27ba40316d0cf802c71989b98dfa294f7351738e81661d3f9538d5679d2258e0a29c6878c135126f197b91c99ba546411c0216376e6

C:\Windows\system\yOqkvlw.exe

MD5 67203355aeb0738da1b35fa90adb084d
SHA1 80a778b6b423e0e9510966ac436fae27be47c173
SHA256 96f95fd09a1e5ffb5230368eee1db968dc30ec5002d079f0c0f44320d7c36d7b
SHA512 0b967a44541e5f557ef9edae16b348c719e3835472f533d2200493fe47b7649026285fd445ade517307dcb02a03bf229e1fb353b541ffe4756cc149bf12a3277

memory/2956-14-0x000000013FD00000-0x0000000140054000-memory.dmp

memory/2180-21-0x000000013F6D0000-0x000000013FA24000-memory.dmp

C:\Windows\system\GyukSRm.exe

MD5 10a5997c78dead6dfe92ed69e3dacfec
SHA1 52e379a605600db3e4ad9af210bcc51353cba661
SHA256 9e264017447c01a4789b0f1bc8214dd9c6393e60f9b72ad5b32352a03f86d560
SHA512 a213b38fdc72ab86ca339929543adcff544ea70ae570d392a85f8b7da55d46d1cf0b0baaead748a505182e8fc856c3cb2a228d57646339791546c670b1144c54

memory/1720-28-0x000000013F6D0000-0x000000013FA24000-memory.dmp

memory/3012-109-0x000000013F460000-0x000000013F7B4000-memory.dmp

C:\Windows\system\sfVYZEj.exe

MD5 44709ee073c7585ae2f3ca253872bc68
SHA1 03d2504144f07cd7e3d6a69bcbabd921233c266d
SHA256 f92c6be81b4c2fe9d04ece0266f2d3058011358e8f7d615bd05cd8016376440d
SHA512 c52f6b470d63d291a8bb00137de9c2f649fb2805ae2fc1366a1b2097408416040cd5f5f8d0c9256e585da8b61d86006a71c1dbcd15a6e028d81faa397294f6f2

\Windows\system\oOeAIlh.exe

MD5 cfc748eaa4cc190822bf006b1e785804
SHA1 b2deb798b20b04a031c0e68a28c57a464af92809
SHA256 d59e39374c145abf36c7a8c79e7734f36037b9b76f3549a7e59a988de952d2ad
SHA512 b31ec562caad68ff000c05ee11b76c302e2ef71469fd6e8dd35db9aa42d76d196d54e3778746cfb5d614435652eade6274e0f2d873a434fc71b0a443e440aa64

memory/2180-97-0x00000000022A0000-0x00000000025F4000-memory.dmp

C:\Windows\system\HXoLwnv.exe

MD5 70999bdafe61208705cfccc5929e728b
SHA1 f213be038393d4eeb1d2342390e0991e9f0fed5a
SHA256 11bd480245c7e3a70c77a6122243e530d901f084a9ea357bff8ea2d2fa8077ee
SHA512 11abd2de3c9a44ace2bbb5d08c13ff1e4a20a5cd47d4e51c7236621b9ee46162cacdb72dfb80b28a3524bfa35552f2bc1bf3e8b82aab737a0b63fdc890ab9a28

C:\Windows\system\exqhdMm.exe

MD5 828b59124cca2ec4066179dc742f2c5f
SHA1 7fc4e111e5613c6032636a1db81b7733ef4cee5e
SHA256 d0afc1a89bac8c8741f2d5361a9478001f9b3786884334a211b95c0d6deda3d4
SHA512 476b48f8db97945d3c6cdf4533b484218638e4ad7ceb8c9967866722b1a5995f9d6ec14a06accf8f6f8ceb745309aee256043984fbb299adbe1d1b661ae6e9e7

memory/1872-93-0x000000013FF70000-0x00000001402C4000-memory.dmp

\Windows\system\lqDVDNQ.exe

MD5 7ab3f611ac2ac52c8003723a36ddf28c
SHA1 6d24a484508091107f44c50e8da3f97d84c4474b
SHA256 03d587d4501ee55950472f4e909240b596e8c2fa13b1ea5eb0e988e158896c77
SHA512 34b75c7259d6500e2495e4330c2871c4c1449b6bc0decf1d7d0bc926341ed5eacc0134220691aeb191a4c2f52771e313c6dd5dbb8bbbfde36039037f7eda60d1

C:\Windows\system\xUNuTFF.exe

MD5 d4e6be526537dd1981681ccf5b1e5551
SHA1 1120de6bdc1139d7d7071a4fb245c8ae02ec0675
SHA256 a48197c6bb6f7243c781652f9f884249605c654c0a982f0c60a11e17d3b0d407
SHA512 a5447cffc864a5de47f4f5a4289a37a3a018d1ba47cafdd4392b172b26944865c08637d66b80d82f274ece900a34dd4f745453ecd472d528e72e6f0ecd5346c8

C:\Windows\system\dHxxwyH.exe

MD5 26091a67d07a4ca7ee723077addcfb07
SHA1 b527f3b4ad5c8dce189d22063976bc44cb89093e
SHA256 410c77258b7ae83a27a11a29863c25d7b2d06d38a14884101246fd54625196ba
SHA512 84e1cdd237fba283413f55ad59116e7171b91e1311b71fc12d25b40dc12010d860162de78c3254c8b026fe5a08a0c0a8ab64220f5bf3d7f56270fe987d738038

\Windows\system\gzIjdFh.exe

MD5 e8746e9984439b6f894a6df54baec353
SHA1 45fc0be8045b407da75bafeb982b0c18277a46fc
SHA256 bf2b50ba60e4cd0e5e9e5925d6ea76e6fa25fd83e60a2d04bf4a8c15d75b672f
SHA512 d419f6c5f252728fa7b92ac6c460153e108453164ec928b65b2a28a18daecd2624c0f41451d334fb67fe897260ca03dff293f3696d8c6aa64b85a88fc4436895

memory/2180-133-0x000000013FE70000-0x00000001401C4000-memory.dmp

memory/2180-74-0x00000000022A0000-0x00000000025F4000-memory.dmp

C:\Windows\system\AGSljae.exe

MD5 90f6ce316cba85bd3f44fb9bc3f323ee
SHA1 71a7a36bc9c9e5978bf6d1d20a7f08190ebc4ea2
SHA256 ae0f5acc63aad33b94ebda63bbad1970b69f583fba235911eb108618f9471d5f
SHA512 de2a86a60a931a946649bb7b09a44138454f7bac9f5d417a162a40ba149502ac3754600d78850572029b65629ad2255359936b85e26d929cb06476a24198d520

memory/2992-65-0x000000013FD90000-0x00000001400E4000-memory.dmp

\Windows\system\RPoPUao.exe

MD5 19fd6e74cdde69344cbc403967c76220
SHA1 e5fb3724392574ec92fb1f5f256dbb3c81f9bbd5
SHA256 c170acc11001311da68ef205f99d2994d892c702c05195793a9f3246b2a1dc8f
SHA512 d24b97da6796ec0334b795176c56ac02a24b48cfd27f0cace82976c38a3b93cef97bd2c9cbc80bc10a3bcdba2a34808b749143be45ade670fce0af29b9d56724

memory/2180-122-0x00000000022A0000-0x00000000025F4000-memory.dmp

memory/2180-121-0x000000013F9A0000-0x000000013FCF4000-memory.dmp

memory/2180-120-0x00000000022A0000-0x00000000025F4000-memory.dmp

memory/2180-119-0x00000000022A0000-0x00000000025F4000-memory.dmp

memory/2180-134-0x00000000022A0000-0x00000000025F4000-memory.dmp

memory/2180-118-0x00000000022A0000-0x00000000025F4000-memory.dmp

memory/2180-117-0x00000000022A0000-0x00000000025F4000-memory.dmp

memory/2904-116-0x000000013F9A0000-0x000000013FCF4000-memory.dmp

C:\Windows\system\TGMUpkp.exe

MD5 b5bdc12efda685ea402f57e0ef1b26d8
SHA1 8f9de694139689cd3424321e32e77fce59eb99e9
SHA256 19980ac78ae73366675bf388ec63add4f0690ebc365ac81eac8e2bd79e93a296
SHA512 7ca4bd6dc3dc1e2716da634eb90f31842820b58461ce8345584f63130f1234623780c17d1026a42ea845e20313894338473a343cae9f0db7ded44d14fd46e3af

C:\Windows\system\pXSBCNE.exe

MD5 b0e80db814bdbeef75095218f82c5364
SHA1 c1e064f02f9e8ab5915407406aadcdb81eda4b18
SHA256 5ec79c29a343b0ea5ec8f9ca334b27ae9bb4c5e4addeb79e80e9dd997a041425
SHA512 6e69d2d791d1dad7b22cf31940ed29162649eeaa9d69836b38f610a3a7e425098ae06a4227c121290d8d04a6e1fde757773628a42b44fa5a722af35ddb87048c

C:\Windows\system\klHDXHp.exe

MD5 feefd32d839f6cb6df9630c382c0d800
SHA1 7faff234224678c49b0801d2fac06068eec95013
SHA256 e3f8a005def19c08b7af99bb4479e84b77e5f91a3bb8c981d8b8238f0d90fdb0
SHA512 cc22db9d63224fd55dbbf76613af6491dd4d112c58719c88ebef6b8fea59544ff7bc760840fd0c24ec0f2786a684fcab157d463a366039f7ed7159e1f0f489a3

C:\Windows\system\jNWVScM.exe

MD5 ae76b303065d71f7fa6bc957f0fbc891
SHA1 9f215fb0b444355d0f6882cc8e573eae3ee73bcf
SHA256 5eb78aedad8db92af7ae5bc1bf13a220cb7fe1778d368ae5af1f988bf59b8533
SHA512 0d06e896e9f19137c5a5fcce726026b137b0533deed59cc0a3806d47c88d890ded7db1d5a9b82b6117e8fbb9d0a1945b6938f666c1bf4f6e1ddc889be36d0409

memory/2764-100-0x000000013FE70000-0x00000001401C4000-memory.dmp

memory/2180-99-0x00000000022A0000-0x00000000025F4000-memory.dmp

C:\Windows\system\CjiBsUh.exe

MD5 cfd80e3a11330b1a1bfa0069c8686694
SHA1 c085d1d63f68d8662ff1692b5f120804bed532d9
SHA256 b3c378e8d1a41462a9ec51747ef184ca3c71a7a93a4877a9aee9983cea92b72f
SHA512 2d55fc60a3aff99177d598698405059d9ea5aed15700f81b61c9f19499b6050d6c4b880b2f7ba8981c1d4cc73a71126def0d4aac1cea4245eea69681b8d0ffae

memory/2180-43-0x000000013F460000-0x000000013F7B4000-memory.dmp

memory/2180-78-0x00000000022A0000-0x00000000025F4000-memory.dmp

memory/2956-135-0x000000013FD00000-0x0000000140054000-memory.dmp

memory/2100-69-0x000000013F830000-0x000000013FB84000-memory.dmp

memory/2180-60-0x00000000022A0000-0x00000000025F4000-memory.dmp

C:\Windows\system\WYBsIEk.exe

MD5 4c4c703a464e81c929b35de99cc56c79
SHA1 ebad8d1a48d9e60bbfb06b7a4e5bf6262b559996
SHA256 560240d63acea6b3819a0efeac388781673353c93516cfa1f7850476ef93e5bd
SHA512 2c96159958ef7706f4c68ef7f2957b506d209dae6eb7008086cd7aa9d7934715cb63e8524b483cbd250e41854706f8f7bbb8c9dee9024c49f0bf3dc6f31816c2

memory/2860-41-0x000000013FB50000-0x000000013FEA4000-memory.dmp

C:\Windows\system\eqvfHqJ.exe

MD5 7d6cae4194bc506378dff116d30f8d8a
SHA1 f459c442ba6e0c6dacf414d55273a5b477617371
SHA256 3c00a13197e121b0a20547f58224aaa0c8bdec7d833ebb09f25cb21425b29fc9
SHA512 e71dc6f7c9e79708ef86f803577fa7e684a015f468ec8b53a25671a325792ee43f1eaf7e47f094406810357ad0ef03f4404398172072555f0c359b36de16a0e0

memory/2180-26-0x000000013F6D0000-0x000000013FA24000-memory.dmp

memory/1028-25-0x000000013F6D0000-0x000000013FA24000-memory.dmp

memory/2180-13-0x00000000022A0000-0x00000000025F4000-memory.dmp

memory/1720-136-0x000000013F6D0000-0x000000013FA24000-memory.dmp

memory/2180-137-0x000000013F830000-0x000000013FB84000-memory.dmp

memory/324-138-0x000000013F350000-0x000000013F6A4000-memory.dmp

memory/1028-140-0x000000013F6D0000-0x000000013FA24000-memory.dmp

memory/2956-139-0x000000013FD00000-0x0000000140054000-memory.dmp

memory/2860-141-0x000000013FB50000-0x000000013FEA4000-memory.dmp

memory/1720-142-0x000000013F6D0000-0x000000013FA24000-memory.dmp

memory/2100-143-0x000000013F830000-0x000000013FB84000-memory.dmp

memory/2992-145-0x000000013FD90000-0x00000001400E4000-memory.dmp

memory/1872-144-0x000000013FF70000-0x00000001402C4000-memory.dmp

memory/2904-148-0x000000013F9A0000-0x000000013FCF4000-memory.dmp

memory/3012-147-0x000000013F460000-0x000000013F7B4000-memory.dmp

memory/2764-146-0x000000013FE70000-0x00000001401C4000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-01 17:01

Reported

2024-06-01 17:04

Platform

win10v2004-20240426-en

Max time kernel

138s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-01_9939fa0286d6eec50d899d5064baf15d_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A
(21 all-N/A rows collapsed into one: the report records the hits but gives no description, indicator, process or target for any of them)

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A
(21 all-N/A rows collapsed into one: the report records the hits but gives no description, indicator, process or target for any of them)

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A
(64 all-N/A rows collapsed into one: the report records the hits but gives no description, indicator, process or target for any of them)

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
(64 all-N/A rows collapsed into one: the report records the hits but gives no description, indicator, process or target for any of them)

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
(64 all-N/A rows collapsed into one: the report records the hits but gives no description, indicator, process or target for any of them)

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\qxBOnXE.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_9939fa0286d6eec50d899d5064baf15d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\OWHeiVz.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_9939fa0286d6eec50d899d5064baf15d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\QhoVUrj.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_9939fa0286d6eec50d899d5064baf15d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\iVnhIwW.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_9939fa0286d6eec50d899d5064baf15d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\JNkckEy.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_9939fa0286d6eec50d899d5064baf15d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ZXxiIKX.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_9939fa0286d6eec50d899d5064baf15d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\zQAzdct.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_9939fa0286d6eec50d899d5064baf15d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\OvfaHnb.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_9939fa0286d6eec50d899d5064baf15d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\EoWHdWT.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_9939fa0286d6eec50d899d5064baf15d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\VlnjqRI.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_9939fa0286d6eec50d899d5064baf15d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\yrnHkGP.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_9939fa0286d6eec50d899d5064baf15d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\fAnjykQ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_9939fa0286d6eec50d899d5064baf15d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\WtpCaWu.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_9939fa0286d6eec50d899d5064baf15d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\StOsPsf.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_9939fa0286d6eec50d899d5064baf15d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\wTwiaPI.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_9939fa0286d6eec50d899d5064baf15d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\LxhUttG.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_9939fa0286d6eec50d899d5064baf15d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\oefaNQi.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_9939fa0286d6eec50d899d5064baf15d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\poJpYjU.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_9939fa0286d6eec50d899d5064baf15d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\VASTubw.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_9939fa0286d6eec50d899d5064baf15d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\nqeOnPy.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_9939fa0286d6eec50d899d5064baf15d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\wNKPNCy.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_9939fa0286d6eec50d899d5064baf15d_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Note: SeLockMemoryPrivilege is the privilege a process needs to allocate large pages (VirtualAlloc with MEM_LARGE_PAGES). XMRig tries to enable it at start-up so that its RandomX scratchpads can be backed by huge pages. Read together with the XMRig Miner payload signature above, the two entries below are most plausibly the miner preparing its working set rather than a generic privilege-escalation step.

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_9939fa0286d6eec50d899d5064baf15d_cobalt-strike_cobaltstrike.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_9939fa0286d6eec50d899d5064baf15d_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Note: every entry has the original sample (PID 4336) as the writer and one of the freshly created C:\Windows\System\*.exe children as the target, and each child appears twice. This parent-writes-into-new-child pattern also shows up on benign process creation, so on its own it is weak evidence of injection; its value here is confirming that 4336 is the process that spawned every executable listed under Processes.

Description Indicator Process Target
PID 4336 wrote to memory of 1008 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_9939fa0286d6eec50d899d5064baf15d_cobalt-strike_cobaltstrike.exe C:\Windows\System\LxhUttG.exe
PID 4336 wrote to memory of 1008 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_9939fa0286d6eec50d899d5064baf15d_cobalt-strike_cobaltstrike.exe C:\Windows\System\LxhUttG.exe
PID 4336 wrote to memory of 4552 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_9939fa0286d6eec50d899d5064baf15d_cobalt-strike_cobaltstrike.exe C:\Windows\System\VlnjqRI.exe
PID 4336 wrote to memory of 4552 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_9939fa0286d6eec50d899d5064baf15d_cobalt-strike_cobaltstrike.exe C:\Windows\System\VlnjqRI.exe
PID 4336 wrote to memory of 3884 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_9939fa0286d6eec50d899d5064baf15d_cobalt-strike_cobaltstrike.exe C:\Windows\System\oefaNQi.exe
PID 4336 wrote to memory of 3884 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_9939fa0286d6eec50d899d5064baf15d_cobalt-strike_cobaltstrike.exe C:\Windows\System\oefaNQi.exe
PID 4336 wrote to memory of 228 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_9939fa0286d6eec50d899d5064baf15d_cobalt-strike_cobaltstrike.exe C:\Windows\System\yrnHkGP.exe
PID 4336 wrote to memory of 228 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_9939fa0286d6eec50d899d5064baf15d_cobalt-strike_cobaltstrike.exe C:\Windows\System\yrnHkGP.exe
PID 4336 wrote to memory of 4612 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_9939fa0286d6eec50d899d5064baf15d_cobalt-strike_cobaltstrike.exe C:\Windows\System\poJpYjU.exe
PID 4336 wrote to memory of 4612 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_9939fa0286d6eec50d899d5064baf15d_cobalt-strike_cobaltstrike.exe C:\Windows\System\poJpYjU.exe
PID 4336 wrote to memory of 4212 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_9939fa0286d6eec50d899d5064baf15d_cobalt-strike_cobaltstrike.exe C:\Windows\System\QhoVUrj.exe
PID 4336 wrote to memory of 4212 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_9939fa0286d6eec50d899d5064baf15d_cobalt-strike_cobaltstrike.exe C:\Windows\System\QhoVUrj.exe
PID 4336 wrote to memory of 3188 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_9939fa0286d6eec50d899d5064baf15d_cobalt-strike_cobaltstrike.exe C:\Windows\System\iVnhIwW.exe
PID 4336 wrote to memory of 3188 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_9939fa0286d6eec50d899d5064baf15d_cobalt-strike_cobaltstrike.exe C:\Windows\System\iVnhIwW.exe
PID 4336 wrote to memory of 3644 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_9939fa0286d6eec50d899d5064baf15d_cobalt-strike_cobaltstrike.exe C:\Windows\System\VASTubw.exe
PID 4336 wrote to memory of 3644 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_9939fa0286d6eec50d899d5064baf15d_cobalt-strike_cobaltstrike.exe C:\Windows\System\VASTubw.exe
PID 4336 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_9939fa0286d6eec50d899d5064baf15d_cobalt-strike_cobaltstrike.exe C:\Windows\System\fAnjykQ.exe
PID 4336 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_9939fa0286d6eec50d899d5064baf15d_cobalt-strike_cobaltstrike.exe C:\Windows\System\fAnjykQ.exe
PID 4336 wrote to memory of 1432 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_9939fa0286d6eec50d899d5064baf15d_cobalt-strike_cobaltstrike.exe C:\Windows\System\JNkckEy.exe
PID 4336 wrote to memory of 1432 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_9939fa0286d6eec50d899d5064baf15d_cobalt-strike_cobaltstrike.exe C:\Windows\System\JNkckEy.exe
PID 4336 wrote to memory of 2824 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_9939fa0286d6eec50d899d5064baf15d_cobalt-strike_cobaltstrike.exe C:\Windows\System\WtpCaWu.exe
PID 4336 wrote to memory of 2824 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_9939fa0286d6eec50d899d5064baf15d_cobalt-strike_cobaltstrike.exe C:\Windows\System\WtpCaWu.exe
PID 4336 wrote to memory of 4848 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_9939fa0286d6eec50d899d5064baf15d_cobalt-strike_cobaltstrike.exe C:\Windows\System\ZXxiIKX.exe
PID 4336 wrote to memory of 4848 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_9939fa0286d6eec50d899d5064baf15d_cobalt-strike_cobaltstrike.exe C:\Windows\System\ZXxiIKX.exe
PID 4336 wrote to memory of 2932 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_9939fa0286d6eec50d899d5064baf15d_cobalt-strike_cobaltstrike.exe C:\Windows\System\nqeOnPy.exe
PID 4336 wrote to memory of 2932 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_9939fa0286d6eec50d899d5064baf15d_cobalt-strike_cobaltstrike.exe C:\Windows\System\nqeOnPy.exe
PID 4336 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_9939fa0286d6eec50d899d5064baf15d_cobalt-strike_cobaltstrike.exe C:\Windows\System\wNKPNCy.exe
PID 4336 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_9939fa0286d6eec50d899d5064baf15d_cobalt-strike_cobaltstrike.exe C:\Windows\System\wNKPNCy.exe
PID 4336 wrote to memory of 1172 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_9939fa0286d6eec50d899d5064baf15d_cobalt-strike_cobaltstrike.exe C:\Windows\System\zQAzdct.exe
PID 4336 wrote to memory of 1172 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_9939fa0286d6eec50d899d5064baf15d_cobalt-strike_cobaltstrike.exe C:\Windows\System\zQAzdct.exe
PID 4336 wrote to memory of 1660 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_9939fa0286d6eec50d899d5064baf15d_cobalt-strike_cobaltstrike.exe C:\Windows\System\OvfaHnb.exe
PID 4336 wrote to memory of 1660 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_9939fa0286d6eec50d899d5064baf15d_cobalt-strike_cobaltstrike.exe C:\Windows\System\OvfaHnb.exe
PID 4336 wrote to memory of 4792 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_9939fa0286d6eec50d899d5064baf15d_cobalt-strike_cobaltstrike.exe C:\Windows\System\EoWHdWT.exe
PID 4336 wrote to memory of 4792 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_9939fa0286d6eec50d899d5064baf15d_cobalt-strike_cobaltstrike.exe C:\Windows\System\EoWHdWT.exe
PID 4336 wrote to memory of 4732 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_9939fa0286d6eec50d899d5064baf15d_cobalt-strike_cobaltstrike.exe C:\Windows\System\qxBOnXE.exe
PID 4336 wrote to memory of 4732 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_9939fa0286d6eec50d899d5064baf15d_cobalt-strike_cobaltstrike.exe C:\Windows\System\qxBOnXE.exe
PID 4336 wrote to memory of 364 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_9939fa0286d6eec50d899d5064baf15d_cobalt-strike_cobaltstrike.exe C:\Windows\System\OWHeiVz.exe
PID 4336 wrote to memory of 364 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_9939fa0286d6eec50d899d5064baf15d_cobalt-strike_cobaltstrike.exe C:\Windows\System\OWHeiVz.exe
PID 4336 wrote to memory of 2364 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_9939fa0286d6eec50d899d5064baf15d_cobalt-strike_cobaltstrike.exe C:\Windows\System\StOsPsf.exe
PID 4336 wrote to memory of 2364 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_9939fa0286d6eec50d899d5064baf15d_cobalt-strike_cobaltstrike.exe C:\Windows\System\StOsPsf.exe
PID 4336 wrote to memory of 1208 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_9939fa0286d6eec50d899d5064baf15d_cobalt-strike_cobaltstrike.exe C:\Windows\System\wTwiaPI.exe
PID 4336 wrote to memory of 1208 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_9939fa0286d6eec50d899d5064baf15d_cobalt-strike_cobaltstrike.exe C:\Windows\System\wTwiaPI.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-01_9939fa0286d6eec50d899d5064baf15d_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-01_9939fa0286d6eec50d899d5064baf15d_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\LxhUttG.exe

C:\Windows\System\LxhUttG.exe

C:\Windows\System\VlnjqRI.exe

C:\Windows\System\VlnjqRI.exe

C:\Windows\System\oefaNQi.exe

C:\Windows\System\oefaNQi.exe

C:\Windows\System\yrnHkGP.exe

C:\Windows\System\yrnHkGP.exe

C:\Windows\System\poJpYjU.exe

C:\Windows\System\poJpYjU.exe

C:\Windows\System\QhoVUrj.exe

C:\Windows\System\QhoVUrj.exe

C:\Windows\System\iVnhIwW.exe

C:\Windows\System\iVnhIwW.exe

C:\Windows\System\VASTubw.exe

C:\Windows\System\VASTubw.exe

C:\Windows\System\fAnjykQ.exe

C:\Windows\System\fAnjykQ.exe

C:\Windows\System\JNkckEy.exe

C:\Windows\System\JNkckEy.exe

C:\Windows\System\WtpCaWu.exe

C:\Windows\System\WtpCaWu.exe

C:\Windows\System\ZXxiIKX.exe

C:\Windows\System\ZXxiIKX.exe

C:\Windows\System\nqeOnPy.exe

C:\Windows\System\nqeOnPy.exe

C:\Windows\System\wNKPNCy.exe

C:\Windows\System\wNKPNCy.exe

C:\Windows\System\zQAzdct.exe

C:\Windows\System\zQAzdct.exe

C:\Windows\System\OvfaHnb.exe

C:\Windows\System\OvfaHnb.exe

C:\Windows\System\EoWHdWT.exe

C:\Windows\System\EoWHdWT.exe

C:\Windows\System\qxBOnXE.exe

C:\Windows\System\qxBOnXE.exe

C:\Windows\System\OWHeiVz.exe

C:\Windows\System\OWHeiVz.exe

C:\Windows\System\StOsPsf.exe

C:\Windows\System\StOsPsf.exe

C:\Windows\System\wTwiaPI.exe

C:\Windows\System\wTwiaPI.exe

Network

Note: the in-addr.arpa names are reverse-DNS (PTR) queries sent to 8.8.8.8; the address being looked up is the first four labels read backwards, so 133.211.185.52.in-addr.arpa asks for the name of 52.185.211.133. The only non-DNS traffic in this run is TCP to 3.120.209.58:8080 (DE), six entries. The table has no process column, so the report does not say which of the processes above opened those connections.

Country Destination Domain Proto
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 105.83.221.88.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 20.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 240.197.17.2.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 88.65.42.20.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
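The table above is the kind of thing that is easier to reason about once the PTR names are turned back into addresses and the direct connections are counted. The following script is an added example, not part of the report or of the sandbox's own tooling: the rows it parses are copied from the behavioral2 Network table above, and the parsing and summarising functions are this example's own.

```python
"""Decode the Network table of a sandbox report: turn in-addr.arpa PTR names
back into the address being looked up, and count where non-DNS traffic went.

Added example, not part of the report. The rows below are copied from the
behavioral2 Network table; the parsing functions are this example's own."""
import re
from collections import Counter

# Rows copied from the behavioral2 Network table (Country Destination Domain Proto).
NETWORK_TABLE = """\
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 105.83.221.88.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 20.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 240.197.17.2.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 88.65.42.20.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
"""

PTR_RE = re.compile(
    r"^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.in-addr\.arpa\.?$", re.IGNORECASE
)


def ptr_to_ip(name):
    """'133.211.185.52.in-addr.arpa' -> '52.185.211.133' (PTR labels are reversed)."""
    m = PTR_RE.match(name.strip())
    if not m:
        raise ValueError(f"not an IPv4 PTR name: {name!r}")
    return ".".join(m.groups()[::-1])


def parse_rows(text):
    """Each row is 'CC dest[:port] [domain] proto'; the domain is absent on raw TCP rows."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4:
            country, dest, domain, proto = parts
        elif len(parts) == 3:
            country, dest, proto = parts
            domain = None
        else:
            continue  # blank or malformed line
        rows.append({"country": country, "dest": dest, "domain": domain, "proto": proto})
    return rows


def summarize(rows):
    """Separate reverse-DNS noise from direct connections, decoding the PTR names."""
    reverse_lookups = []
    direct = Counter()
    for r in rows:
        if r["domain"] and r["domain"].lower().endswith("in-addr.arpa"):
            reverse_lookups.append(ptr_to_ip(r["domain"]))
        elif r["domain"] is None:
            direct[(r["dest"], r["proto"], r["country"])] += 1
    return {"reverse_lookups": reverse_lookups, "direct": direct}


if __name__ == "__main__":
    s = summarize(parse_rows(NETWORK_TABLE))
    print("Reverse-DNS lookups for:", ", ".join(s["reverse_lookups"]))
    for (dest, proto, cc), n in s["direct"].items():
        print(f"Direct {proto} to {dest} ({cc}): {n} connection(s)")
```

Running it on the table above yields ten decoded reverse lookups and a single direct destination, 3.120.209.58:8080 over TCP, seen six times. The script deliberately does not label that destination as C2 or a mining pool: the report gives no payload for the connection and no owning process, so that attribution has to come from the pcap or from the dropped binaries' configuration, not from this table.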

Files

memory/4336-0-0x00007FF64FB60000-0x00007FF64FEB4000-memory.dmp

memory/4336-1-0x000001C02E880000-0x000001C02E890000-memory.dmp

C:\Windows\System\LxhUttG.exe

MD5 16a85ff0d9706bd0ee65c57ea3d90790
SHA1 9ee6280627fa7d63c1503d7141b677eee319d577
SHA256 831a2c99efa4aeeb71d5299fbb4b2c38c492f70c4aee2f44c0ae335b7f84eb5e
SHA512 3f6e90792e35bfb631ac0b2916be2ace978b8c2d9ce9722f9691123199e87a77136d0d823dc02c03dba70184078f17de3a1d7562dae6ea781fe8a20a1683dd09

memory/1008-6-0x00007FF657700000-0x00007FF657A54000-memory.dmp

C:\Windows\System\VlnjqRI.exe

MD5 0d96c57ecf30830330f774739120a337
SHA1 ef177a28ce0ce8ade992550561b95607641336bc
SHA256 0b8904884aeee4eafbcfa99ffd06c50001c93fb89e4657ab4f09a40d5977b362
SHA512 fcaa47e3f15ef55217f89ca4759c1c4fd9c59893e34563fb365df4f6c5258079c9668d3024ff32f45bec49a835a356da40b4d70de614f8d54c205ced74d124e9

C:\Windows\System\oefaNQi.exe

MD5 d1942ee8668d940112d49f8ab8d18297
SHA1 60eefcadc3fc90a5b86d74bf90b7c64eae3fadd2
SHA256 09f28022ec1922ff725292e96e30f7cf47170c75058384643d9a0d6ac3ac048a
SHA512 66ef31ee541cb04794536aaef76555a35c34ccf3b0d7b7f83fe87cbbfae879f3cd95f318db6737fcd847c5e753a44db16345e7f2f3e7deb7982405c4c9e40443

C:\Windows\System\yrnHkGP.exe

MD5 52e2beebbeef4baf00fb7baafff8382b
SHA1 a03f317690c3f99b6c435a63376cc2c638e2dd42
SHA256 0ec9531c3f196291fecfcf638ee2b4cdf2c1082c39fc84c770ad165af6354369
SHA512 a028e3dc3d921ab75672a61006d57a1975eba44c8960057d4a4ff60a400d791395113d903efd7a4f050dbef0b78ddd53b0af02af392049c3849622bff96aee7b

C:\Windows\System\poJpYjU.exe

MD5 354839f93bd9e786310e94ef0cf794df
SHA1 c6d042b6a6ab34f23da44e16275a31431105c510
SHA256 7551e3def202845dba562c7a9fc7465d207555e13154a99a47f3f9acc92fae53
SHA512 ea6b1c3a2d2573173fe6d24257b6fa46b0022fc079bbb986b99753c3a561143b8577251cdc945d58cf5082cf66e029ac4c201fe9eaa68e1a7dba8be6770b60d1

C:\Windows\System\QhoVUrj.exe

MD5 129bea8fb3ff6ab89963ef4cee5eaa7f
SHA1 59919f1a972bb2f13adb5dbd7233b31b6c4c8d45
SHA256 ac166069a65cab2e532389191942b586585b474387af6a288e0f67fef50e61e2
SHA512 b4d79e0eb16edb3a9693a199937126344a8ddf0337305fa4e5a0816762be6d0da4d876bbae5fcf0b31dc8e123c26bf6dca1a59a669b1758818e085e5114f1ebd

memory/4612-37-0x00007FF6A7450000-0x00007FF6A77A4000-memory.dmp

C:\Windows\System\VASTubw.exe

MD5 6d4573bc294fe073ef868abdd64e81bf
SHA1 dedf5cc1cea2b35050327b59c1843fa149e4783a
SHA256 bce9dea9b744d1132c5505e8891e00af779fb483a3861c32838e0c19513b39f3
SHA512 1815f0b74d4f7548044262ab2af50bfe3fd052b73f21cba379a1965ae6eab6328afdc68ec90bca6e9a244d9dd5e3421ffbd79c4c33d155a8884048429073fa93

C:\Windows\System\fAnjykQ.exe

MD5 2d45900d20a72011898ff51b9cf86b05
SHA1 4103734f742a794183ed11bda2add3097d88ee12
SHA256 0b1afbcb3f2486da350476187cbaa74a3d988e55f2dc69fe61f7458684d8928d
SHA512 ed2d5c0332075a023e43ca3a6c709c945563201c80bf47e0506e68d77704e172ff9d4014bf2c1d579ccd45d5ea9bc926741dc3e2409cd8330a58f396ae9965be

C:\Windows\System\JNkckEy.exe

MD5 7cf36fd15442985d3fe7f3d9124eed94
SHA1 f871dedf2a470e7c76dfd9cf7e3810c72188ab65
SHA256 d6d58c56798afd6309d27d81ca5bde1225867e0626a8a2e5d02b76745532d365
SHA512 ee9cc460b323b2f3dd952fa8cdb05d7ae9ca56a192cf2c1b8191efca3daf8042046ba9259eb9de65d45efa9eea709af51d1891c4af4418737b31df91ec7040fe

memory/1432-60-0x00007FF6A4EE0000-0x00007FF6A5234000-memory.dmp

memory/2596-59-0x00007FF632CE0000-0x00007FF633034000-memory.dmp

memory/3644-55-0x00007FF7D71B0000-0x00007FF7D7504000-memory.dmp

C:\Windows\System\iVnhIwW.exe

MD5 6d4d8245e36c451039c2d9afea11b162
SHA1 03d1b0890f48ce6a719c2d36b018169ea9e2d176
SHA256 a017be663220fa9dde124e6bade8f438abd4ef92ec4ffdfe72420fec1bd1a680
SHA512 72991ab00a0828b2543a0476d33ecca0930fb258ff048833a79e4b1b1fc6d3f58da9e1852b24f8cce75b6fb301020ec4e95af9429bbbe942cfdec6e7487b2431

memory/3188-43-0x00007FF700730000-0x00007FF700A84000-memory.dmp

memory/4212-41-0x00007FF798360000-0x00007FF7986B4000-memory.dmp

C:\Windows\System\WtpCaWu.exe

MD5 b48aca958b0f06783258bf07bc346a70
SHA1 2d013fb95b9abb4be128baf676b76ee11e41fa62
SHA256 5698c2ae3b6ab6e80d206662ba943c4e955ad0986fc9edde0f71344f7062de29
SHA512 ec3cb252d1e41935985071f20af3056159b28b87bcd465b27be5f3d81d062b5fdaaa9924c4c28a62740f9e4f952a1a45f3087064dfc83f891f5904d8e101bb06

memory/4336-70-0x00007FF64FB60000-0x00007FF64FEB4000-memory.dmp

C:\Windows\System\nqeOnPy.exe

MD5 d8e3d3f209f2eca1083c5cdba5218827
SHA1 ba236b554be802ebf38af63915511b4b892eed21
SHA256 c5e117712117fb898d84aa47891132efe6a3a2791e2df34842d083184faa5e18
SHA512 55edd656337272684ce0518b2f7a4ecdf3bbff46a375bd152a2e7eed71df32dd14debdd7ab476e2722e0a368b7503caf75b8dfa76370637f61cce845bdaabb8a

C:\Windows\System\wNKPNCy.exe

MD5 ac8c6464442ad0119178a03a541b3e5c
SHA1 ac329b506ff5f31643fb62c17d8979fabb1b5b7a
SHA256 5d98f3f3d18c19efc41edc0f708c4d223cbffdaeb015b55bb4baf42ce23dc075
SHA512 476402e4f76cd394b3ded12f7b6ee5bf43122fcb48bcf929c33c032117c0cd21b89800d724b5fb929d3c9b08d6f06d7daf53794a176ee46ca17f5de49bd6f43b

memory/2932-83-0x00007FF7D4080000-0x00007FF7D43D4000-memory.dmp

C:\Windows\System\OvfaHnb.exe

MD5 81618df808ca932766bd5f344bb62f39
SHA1 1d7b25e04a01446eab4d77d2f213009ff3827ffc
SHA256 ec938b767788a0a19fd694654d9d62daf19b44c5358cec44a4539b1740302b7e
SHA512 e68b6546281af63d3c5386361ec84f7d84c67894fa36526363db1039803a6589a2a023d277c6a0bcff75039492b3549f8116310e4f65ffbd102870bbef2520ca

memory/4848-87-0x00007FF7B08D0000-0x00007FF7B0C24000-memory.dmp

memory/2656-91-0x00007FF622AD0000-0x00007FF622E24000-memory.dmp

memory/228-105-0x00007FF65F860000-0x00007FF65FBB4000-memory.dmp

C:\Windows\System\EoWHdWT.exe

MD5 6508efde9138bb2693a0a6df8e6811ff
SHA1 1b4ab92d6caf5b242c8ca83cd7a012a383e7361f
SHA256 c0250860bfd098544032d416b77c373725a42a5dd1a7506e4ad0a86cb8c28415
SHA512 7af0524646cf241992a2d1c81bf3f76f70a66cfca6847353a4ec0924f3577fd0a3a218fc1934279a04ca21ab0c4a601544a625749551b906d7e745b4264cf742

memory/4792-106-0x00007FF67F110000-0x00007FF67F464000-memory.dmp

memory/1660-104-0x00007FF7A9E00000-0x00007FF7AA154000-memory.dmp

C:\Windows\System\zQAzdct.exe

MD5 68489055f481cbfbe0c3afa8acd1ed0a
SHA1 9490a22fd89c9da952fa7215e9ab9758c30de1ce
SHA256 f442646d5527858b35f3df840352bc51d4d983922a15a0ce169543064ac6a233
SHA512 8e743fcb305adeb814ffc4bb7718055b645e2fae7f5106e020b492a69f9e09fe0c28be582d9543f5f7f1e906cbb5ad3cb2d4762b9920f6ed4728f46af7f33329

memory/3884-98-0x00007FF67E610000-0x00007FF67E964000-memory.dmp

memory/1172-97-0x00007FF766BC0000-0x00007FF766F14000-memory.dmp

memory/1008-84-0x00007FF657700000-0x00007FF657A54000-memory.dmp

memory/2824-80-0x00007FF6C5C20000-0x00007FF6C5F74000-memory.dmp

C:\Windows\System\ZXxiIKX.exe

MD5 14bfd67506cc8ae625e0123635622d14
SHA1 238f4f9a098f862a069437b9f95b8cac1dc8adbd
SHA256 898f5ce0693c056215e340fea0e0ad417c7772db87f5ea8a6cf5788d4b6fbad7
SHA512 82ede701166ba9a31d3c970940886d47dfed201862a0541e2c6835f1fb8c31d159fd01f241489732200b042c8e53f99e38397610768768bb17fd4c79111b3517

memory/228-24-0x00007FF65F860000-0x00007FF65FBB4000-memory.dmp

memory/3884-20-0x00007FF67E610000-0x00007FF67E964000-memory.dmp

memory/4552-17-0x00007FF7CEDB0000-0x00007FF7CF104000-memory.dmp

C:\Windows\System\qxBOnXE.exe

MD5 b6fbe26a34d603dc8875f4c5ac2fcdfb
SHA1 5c7240a071db785f350a692481503293940c638b
SHA256 ad4697bd2733fb5522b656a4e2ebfeedb213d77effe5e0d799e666838ce8327d
SHA512 eee320e7af06916fb3a7a6e94026567faf7f300e124319e9030f070693358e9feaea7fcd627d58359e78ccec4b39f0ba48db59ca6c1dd7249ddf369a43055587

memory/4212-114-0x00007FF798360000-0x00007FF7986B4000-memory.dmp

C:\Windows\System\OWHeiVz.exe

MD5 1a1c70bed66ee6a1255c4bf07b5ae2a6
SHA1 726b7b72845ba373822056010d6fdc9e7863c6b8
SHA256 6862a1430bff24a10f22c08e1f117e4149f04ba8f9cf74aa17eba4c2237d5e2a
SHA512 39a9a6fdc6f47d27a284111855d8df3f7fb4df3cfd1456aa5a89198b63552f7d70288fa64ed9923ea19f057876f752e691bd13d9dfa0a9ff67658707e51ff445

C:\Windows\System\StOsPsf.exe

MD5 036a92d96c1836ba84490e43f2011d4d
SHA1 5b1f80bc506615422decaf5e5211aa7386e5c32c
SHA256 8dea39e99eb28ac4c13029ad4541bcffae2e8a8de342a3f438d942317dad2df1
SHA512 f5b31a066f70b8d957c31b449236402c0267c4d9b4b3f5d0075375ae14cc4b362cf4bf627abd546ebd86d0b8dc7d331fc0414f46d462bfe70c1872bf8c58e888

memory/4732-122-0x00007FF7D7120000-0x00007FF7D7474000-memory.dmp

C:\Windows\System\wTwiaPI.exe

MD5 4428441e9b4fa489faac064005797ba5
SHA1 079bacd8d25925f19d161e4da735c6092808cd4a
SHA256 ac09670d469e4055f3b83373fe1eefc8701ed83e8d186c561e27ec527870154e
SHA512 82a4c1ab3da1a8ac6910c3d08d91de0df8bfee9ee6d7ce5e36f3ce305fbfdb3ce16806b531078af19a121e0abcc547f01a8fc7d214151202c2493711017366b6

memory/364-130-0x00007FF7366D0000-0x00007FF736A24000-memory.dmp

memory/3188-131-0x00007FF700730000-0x00007FF700A84000-memory.dmp

memory/1208-132-0x00007FF72A070000-0x00007FF72A3C4000-memory.dmp

memory/2596-133-0x00007FF632CE0000-0x00007FF633034000-memory.dmp

memory/2364-134-0x00007FF7466F0000-0x00007FF746A44000-memory.dmp

memory/1432-135-0x00007FF6A4EE0000-0x00007FF6A5234000-memory.dmp

memory/2656-136-0x00007FF622AD0000-0x00007FF622E24000-memory.dmp

memory/1172-137-0x00007FF766BC0000-0x00007FF766F14000-memory.dmp

memory/4792-138-0x00007FF67F110000-0x00007FF67F464000-memory.dmp

memory/1008-139-0x00007FF657700000-0x00007FF657A54000-memory.dmp

memory/4552-140-0x00007FF7CEDB0000-0x00007FF7CF104000-memory.dmp

memory/3884-141-0x00007FF67E610000-0x00007FF67E964000-memory.dmp

memory/228-142-0x00007FF65F860000-0x00007FF65FBB4000-memory.dmp

memory/4612-143-0x00007FF6A7450000-0x00007FF6A77A4000-memory.dmp

memory/4212-144-0x00007FF798360000-0x00007FF7986B4000-memory.dmp

memory/3188-145-0x00007FF700730000-0x00007FF700A84000-memory.dmp

memory/3644-146-0x00007FF7D71B0000-0x00007FF7D7504000-memory.dmp

memory/2596-147-0x00007FF632CE0000-0x00007FF633034000-memory.dmp

memory/1432-148-0x00007FF6A4EE0000-0x00007FF6A5234000-memory.dmp

memory/2824-149-0x00007FF6C5C20000-0x00007FF6C5F74000-memory.dmp

memory/4848-150-0x00007FF7B08D0000-0x00007FF7B0C24000-memory.dmp

memory/2932-151-0x00007FF7D4080000-0x00007FF7D43D4000-memory.dmp

memory/2656-152-0x00007FF622AD0000-0x00007FF622E24000-memory.dmp

memory/1172-153-0x00007FF766BC0000-0x00007FF766F14000-memory.dmp

memory/1660-154-0x00007FF7A9E00000-0x00007FF7AA154000-memory.dmp

memory/4792-155-0x00007FF67F110000-0x00007FF67F464000-memory.dmp

memory/4732-156-0x00007FF7D7120000-0x00007FF7D7474000-memory.dmp

memory/364-157-0x00007FF7366D0000-0x00007FF736A24000-memory.dmp

memory/1208-158-0x00007FF72A070000-0x00007FF72A3C4000-memory.dmp

memory/2364-159-0x00007FF7466F0000-0x00007FF746A44000-memory.dmp
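Both Files listings (behavioral1 above and behavioral2 here) mix three kinds of entry: a dropped file path, the MD5/SHA1/SHA256/SHA512 lines that belong to it, and memory-dump names of the form memory/<pid>-<n>-<start>-<end>-memory.dmp. Two things stand out once the dump names are parsed: every executable-image region in either run spans exactly 0x354000 bytes regardless of PID, while the dropped files under C:\Windows\System all carry different hashes, and the one exception (memory/4336-1) is a 0x10000-byte region in the original sample. The script below is an added example, not part of the report: it parses a short excerpt copied from the listings above into dropped-file and dump records, and the seven-letter-name check is a triage heuristic read off the names in this report, not a signature.

```python
"""Turn the Files listing of a sandbox report into structured data: dropped
files with their hashes, and memory-dump regions with PID and size.

Added example, not part of the report. The sample listing is an excerpt copied
from the behavioral1 and behavioral2 Files sections; the dump-name pattern
memory/<pid>-<n>-<start>-<end>-memory.dmp is read off those entries."""
import re
from collections import defaultdict

# Excerpt copied from the Files listings above (paths, hash lines, dump names).
FILES_LISTING = """\
memory/2180-122-0x00000000022A0000-0x00000000025F4000-memory.dmp

C:\\Windows\\system\\TGMUpkp.exe

MD5 b5bdc12efda685ea402f57e0ef1b26d8
SHA1 8f9de694139689cd3424321e32e77fce59eb99e9
SHA256 19980ac78ae73366675bf388ec63add4f0690ebc365ac81eac8e2bd79e93a296

memory/2904-116-0x000000013F9A0000-0x000000013FCF4000-memory.dmp

memory/4336-0-0x00007FF64FB60000-0x00007FF64FEB4000-memory.dmp

memory/4336-1-0x000001C02E880000-0x000001C02E890000-memory.dmp

C:\\Windows\\System\\LxhUttG.exe

MD5 16a85ff0d9706bd0ee65c57ea3d90790
SHA1 9ee6280627fa7d63c1503d7141b677eee319d577
SHA256 831a2c99efa4aeeb71d5299fbb4b2c38c492f70c4aee2f44c0ae335b7f84eb5e

memory/1008-6-0x00007FF657700000-0x00007FF657A54000-memory.dmp
"""

DUMP_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-f]+)$")
# Heuristic for this report's drop names: seven ASCII letters directly under C:\Windows\System.
DROP_NAME_RE = re.compile(r"^C:\\Windows\\System\\[A-Za-z]{7}\.exe$", re.IGNORECASE)


def parse_dump_name(name):
    """Split 'memory/<pid>-<n>-<start>-<end>-memory.dmp' into fields plus region size."""
    m = DUMP_RE.match(name.strip())
    if not m:
        return None
    pid, idx, start, end = m.groups()
    start, end = int(start, 16), int(end, 16)
    return {"pid": int(pid), "index": int(idx), "start": start, "end": end, "size": end - start}


def parse_listing(text):
    """Walk the listing; hash lines attach to the most recent file path."""
    files, dumps, current = [], [], None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        dump = parse_dump_name(line)
        if dump:
            dumps.append(dump)
            current = None  # a dump name ends the current file's hash block
            continue
        h = HASH_RE.match(line)
        if h and current is not None:
            current[h.group(1).lower()] = h.group(2)
            continue
        current = {"path": line, "suspicious_name": bool(DROP_NAME_RE.match(line))}
        files.append(current)
    return files, dumps


def region_sizes(dumps):
    """Map each distinct region size to the sorted PIDs that produced a dump of that size."""
    by_size = defaultdict(set)
    for d in dumps:
        by_size[d["size"]].add(d["pid"])
    return {size: sorted(pids) for size, pids in by_size.items()}


if __name__ == "__main__":
    files, dumps = parse_listing(FILES_LISTING)
    for f in files:
        print(f["path"], f.get("sha256"), "suspicious-name" if f["suspicious_name"] else "")
    for size, pids in region_sizes(dumps).items():
        print(f"region size 0x{size:X} bytes in PIDs {pids}")
```

On the full listings the same code gives one size bucket of 0x354000 bytes covering every dropped child plus the original sample, and a lone 0x10000 bucket for PID 4336. Identical in-memory image sizes across files whose on-disk hashes all differ is consistent with one payload being re-emitted with per-drop variation, but that is an inference from the sizes; confirming it means diffing the dumps, which the report does not do.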