Malware Analysis Report

2025-01-22 19:37

Sample ID 240601-nlqy3aca47
Target 2024-06-01_5bd8957839cfd9b8e59ec42284640d20_cobalt-strike_cobaltstrike
SHA256 ee6d2d8e826267e6bacc43b5da4ab6b1cd1be632c69fc88c4ca9623bf32c6a20
Tags
cobaltstrike xmrig 0 backdoor miner trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

ee6d2d8e826267e6bacc43b5da4ab6b1cd1be632c69fc88c4ca9623bf32c6a20

Threat Level: Known bad

The file 2024-06-01_5bd8957839cfd9b8e59ec42284640d20_cobalt-strike_cobaltstrike was found to be: Known bad.

Malicious Activity Summary

cobaltstrike xmrig 0 backdoor miner trojan upx

Cobaltstrike family

Cobalt Strike reflective loader

Detects Reflective DLL injection artifacts

UPX dump on OEP (original entry point)

Cobaltstrike

Xmrig family

XMRig Miner payload

xmrig

UPX dump on OEP (original entry point)

XMRig Miner payload

Detects Reflective DLL injection artifacts

Executes dropped EXE

UPX packed file

Loads dropped DLL

Drops file in Windows directory

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-01 11:29

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike family

cobaltstrike

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Xmrig family

xmrig

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-01 11:29

Reported

2024-06-01 11:31

Platform

win7-20231129-en

Max time kernel

137s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-01_5bd8957839cfd9b8e59ec42284640d20_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A (21 identical hits, no details recorded)

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A (21 identical hits, no details recorded)

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A (53 identical hits, no details recorded)

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A (60 identical hits, no details recorded)

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5bd8957839cfd9b8e59ec42284640d20_cobalt-strike_cobaltstrike.exe N/A (21 identical entries)

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A (53 identical hits, no details recorded)

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\lvyCOdD.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_5bd8957839cfd9b8e59ec42284640d20_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\InDEufA.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_5bd8957839cfd9b8e59ec42284640d20_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\iroZAyF.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_5bd8957839cfd9b8e59ec42284640d20_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\VCSDccy.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_5bd8957839cfd9b8e59ec42284640d20_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\goXhwHX.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_5bd8957839cfd9b8e59ec42284640d20_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ovnwmNv.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_5bd8957839cfd9b8e59ec42284640d20_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\aHhpnTW.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_5bd8957839cfd9b8e59ec42284640d20_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\BVFLQHY.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_5bd8957839cfd9b8e59ec42284640d20_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\JRLuLGb.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_5bd8957839cfd9b8e59ec42284640d20_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\AXbfgJC.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_5bd8957839cfd9b8e59ec42284640d20_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\sfqfijk.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_5bd8957839cfd9b8e59ec42284640d20_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\XgrufiE.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_5bd8957839cfd9b8e59ec42284640d20_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\PlBBjFa.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_5bd8957839cfd9b8e59ec42284640d20_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\OQwOOGQ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_5bd8957839cfd9b8e59ec42284640d20_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\wnmpLFD.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_5bd8957839cfd9b8e59ec42284640d20_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\VAThEmC.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_5bd8957839cfd9b8e59ec42284640d20_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\GjtjuFQ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_5bd8957839cfd9b8e59ec42284640d20_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\HRNfXdV.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_5bd8957839cfd9b8e59ec42284640d20_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\PMlvBBh.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_5bd8957839cfd9b8e59ec42284640d20_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\sGMBoCL.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_5bd8957839cfd9b8e59ec42284640d20_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\SrSHhLh.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_5bd8957839cfd9b8e59ec42284640d20_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5bd8957839cfd9b8e59ec42284640d20_cobalt-strike_cobaltstrike.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5bd8957839cfd9b8e59ec42284640d20_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2304 wrote to memory of 2864 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5bd8957839cfd9b8e59ec42284640d20_cobalt-strike_cobaltstrike.exe C:\Windows\System\VCSDccy.exe
PID 2304 wrote to memory of 2864 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5bd8957839cfd9b8e59ec42284640d20_cobalt-strike_cobaltstrike.exe C:\Windows\System\VCSDccy.exe
PID 2304 wrote to memory of 2864 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5bd8957839cfd9b8e59ec42284640d20_cobalt-strike_cobaltstrike.exe C:\Windows\System\VCSDccy.exe
PID 2304 wrote to memory of 1624 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5bd8957839cfd9b8e59ec42284640d20_cobalt-strike_cobaltstrike.exe C:\Windows\System\goXhwHX.exe
PID 2304 wrote to memory of 1624 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5bd8957839cfd9b8e59ec42284640d20_cobalt-strike_cobaltstrike.exe C:\Windows\System\goXhwHX.exe
PID 2304 wrote to memory of 1624 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5bd8957839cfd9b8e59ec42284640d20_cobalt-strike_cobaltstrike.exe C:\Windows\System\goXhwHX.exe
PID 2304 wrote to memory of 3028 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5bd8957839cfd9b8e59ec42284640d20_cobalt-strike_cobaltstrike.exe C:\Windows\System\HRNfXdV.exe
PID 2304 wrote to memory of 3028 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5bd8957839cfd9b8e59ec42284640d20_cobalt-strike_cobaltstrike.exe C:\Windows\System\HRNfXdV.exe
PID 2304 wrote to memory of 3028 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5bd8957839cfd9b8e59ec42284640d20_cobalt-strike_cobaltstrike.exe C:\Windows\System\HRNfXdV.exe
PID 2304 wrote to memory of 1428 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5bd8957839cfd9b8e59ec42284640d20_cobalt-strike_cobaltstrike.exe C:\Windows\System\OQwOOGQ.exe
PID 2304 wrote to memory of 1428 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5bd8957839cfd9b8e59ec42284640d20_cobalt-strike_cobaltstrike.exe C:\Windows\System\OQwOOGQ.exe
PID 2304 wrote to memory of 1428 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5bd8957839cfd9b8e59ec42284640d20_cobalt-strike_cobaltstrike.exe C:\Windows\System\OQwOOGQ.exe
PID 2304 wrote to memory of 2540 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5bd8957839cfd9b8e59ec42284640d20_cobalt-strike_cobaltstrike.exe C:\Windows\System\PMlvBBh.exe
PID 2304 wrote to memory of 2540 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5bd8957839cfd9b8e59ec42284640d20_cobalt-strike_cobaltstrike.exe C:\Windows\System\PMlvBBh.exe
PID 2304 wrote to memory of 2540 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5bd8957839cfd9b8e59ec42284640d20_cobalt-strike_cobaltstrike.exe C:\Windows\System\PMlvBBh.exe
PID 2304 wrote to memory of 2648 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5bd8957839cfd9b8e59ec42284640d20_cobalt-strike_cobaltstrike.exe C:\Windows\System\wnmpLFD.exe
PID 2304 wrote to memory of 2648 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5bd8957839cfd9b8e59ec42284640d20_cobalt-strike_cobaltstrike.exe C:\Windows\System\wnmpLFD.exe
PID 2304 wrote to memory of 2648 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5bd8957839cfd9b8e59ec42284640d20_cobalt-strike_cobaltstrike.exe C:\Windows\System\wnmpLFD.exe
PID 2304 wrote to memory of 2592 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5bd8957839cfd9b8e59ec42284640d20_cobalt-strike_cobaltstrike.exe C:\Windows\System\ovnwmNv.exe
PID 2304 wrote to memory of 2592 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5bd8957839cfd9b8e59ec42284640d20_cobalt-strike_cobaltstrike.exe C:\Windows\System\ovnwmNv.exe
PID 2304 wrote to memory of 2592 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5bd8957839cfd9b8e59ec42284640d20_cobalt-strike_cobaltstrike.exe C:\Windows\System\ovnwmNv.exe
PID 2304 wrote to memory of 1184 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5bd8957839cfd9b8e59ec42284640d20_cobalt-strike_cobaltstrike.exe C:\Windows\System\JRLuLGb.exe
PID 2304 wrote to memory of 1184 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5bd8957839cfd9b8e59ec42284640d20_cobalt-strike_cobaltstrike.exe C:\Windows\System\JRLuLGb.exe
PID 2304 wrote to memory of 1184 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5bd8957839cfd9b8e59ec42284640d20_cobalt-strike_cobaltstrike.exe C:\Windows\System\JRLuLGb.exe
PID 2304 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5bd8957839cfd9b8e59ec42284640d20_cobalt-strike_cobaltstrike.exe C:\Windows\System\sGMBoCL.exe
PID 2304 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5bd8957839cfd9b8e59ec42284640d20_cobalt-strike_cobaltstrike.exe C:\Windows\System\sGMBoCL.exe
PID 2304 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5bd8957839cfd9b8e59ec42284640d20_cobalt-strike_cobaltstrike.exe C:\Windows\System\sGMBoCL.exe
PID 2304 wrote to memory of 2468 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5bd8957839cfd9b8e59ec42284640d20_cobalt-strike_cobaltstrike.exe C:\Windows\System\AXbfgJC.exe
PID 2304 wrote to memory of 2468 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5bd8957839cfd9b8e59ec42284640d20_cobalt-strike_cobaltstrike.exe C:\Windows\System\AXbfgJC.exe
PID 2304 wrote to memory of 2468 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5bd8957839cfd9b8e59ec42284640d20_cobalt-strike_cobaltstrike.exe C:\Windows\System\AXbfgJC.exe
PID 2304 wrote to memory of 2700 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5bd8957839cfd9b8e59ec42284640d20_cobalt-strike_cobaltstrike.exe C:\Windows\System\aHhpnTW.exe
PID 2304 wrote to memory of 2700 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5bd8957839cfd9b8e59ec42284640d20_cobalt-strike_cobaltstrike.exe C:\Windows\System\aHhpnTW.exe
PID 2304 wrote to memory of 2700 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5bd8957839cfd9b8e59ec42284640d20_cobalt-strike_cobaltstrike.exe C:\Windows\System\aHhpnTW.exe
PID 2304 wrote to memory of 2232 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5bd8957839cfd9b8e59ec42284640d20_cobalt-strike_cobaltstrike.exe C:\Windows\System\BVFLQHY.exe
PID 2304 wrote to memory of 2232 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5bd8957839cfd9b8e59ec42284640d20_cobalt-strike_cobaltstrike.exe C:\Windows\System\BVFLQHY.exe
PID 2304 wrote to memory of 2232 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5bd8957839cfd9b8e59ec42284640d20_cobalt-strike_cobaltstrike.exe C:\Windows\System\BVFLQHY.exe
PID 2304 wrote to memory of 1616 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5bd8957839cfd9b8e59ec42284640d20_cobalt-strike_cobaltstrike.exe C:\Windows\System\SrSHhLh.exe
PID 2304 wrote to memory of 1616 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5bd8957839cfd9b8e59ec42284640d20_cobalt-strike_cobaltstrike.exe C:\Windows\System\SrSHhLh.exe
PID 2304 wrote to memory of 1616 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5bd8957839cfd9b8e59ec42284640d20_cobalt-strike_cobaltstrike.exe C:\Windows\System\SrSHhLh.exe
PID 2304 wrote to memory of 1936 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5bd8957839cfd9b8e59ec42284640d20_cobalt-strike_cobaltstrike.exe C:\Windows\System\sfqfijk.exe
PID 2304 wrote to memory of 1936 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5bd8957839cfd9b8e59ec42284640d20_cobalt-strike_cobaltstrike.exe C:\Windows\System\sfqfijk.exe
PID 2304 wrote to memory of 1936 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5bd8957839cfd9b8e59ec42284640d20_cobalt-strike_cobaltstrike.exe C:\Windows\System\sfqfijk.exe
PID 2304 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5bd8957839cfd9b8e59ec42284640d20_cobalt-strike_cobaltstrike.exe C:\Windows\System\VAThEmC.exe
PID 2304 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5bd8957839cfd9b8e59ec42284640d20_cobalt-strike_cobaltstrike.exe C:\Windows\System\VAThEmC.exe
PID 2304 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5bd8957839cfd9b8e59ec42284640d20_cobalt-strike_cobaltstrike.exe C:\Windows\System\VAThEmC.exe
PID 2304 wrote to memory of 2040 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5bd8957839cfd9b8e59ec42284640d20_cobalt-strike_cobaltstrike.exe C:\Windows\System\lvyCOdD.exe
PID 2304 wrote to memory of 2040 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5bd8957839cfd9b8e59ec42284640d20_cobalt-strike_cobaltstrike.exe C:\Windows\System\lvyCOdD.exe
PID 2304 wrote to memory of 2040 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5bd8957839cfd9b8e59ec42284640d20_cobalt-strike_cobaltstrike.exe C:\Windows\System\lvyCOdD.exe
PID 2304 wrote to memory of 2740 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5bd8957839cfd9b8e59ec42284640d20_cobalt-strike_cobaltstrike.exe C:\Windows\System\InDEufA.exe
PID 2304 wrote to memory of 2740 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5bd8957839cfd9b8e59ec42284640d20_cobalt-strike_cobaltstrike.exe C:\Windows\System\InDEufA.exe
PID 2304 wrote to memory of 2740 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5bd8957839cfd9b8e59ec42284640d20_cobalt-strike_cobaltstrike.exe C:\Windows\System\InDEufA.exe
PID 2304 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5bd8957839cfd9b8e59ec42284640d20_cobalt-strike_cobaltstrike.exe C:\Windows\System\iroZAyF.exe
PID 2304 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5bd8957839cfd9b8e59ec42284640d20_cobalt-strike_cobaltstrike.exe C:\Windows\System\iroZAyF.exe
PID 2304 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5bd8957839cfd9b8e59ec42284640d20_cobalt-strike_cobaltstrike.exe C:\Windows\System\iroZAyF.exe
PID 2304 wrote to memory of 2424 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5bd8957839cfd9b8e59ec42284640d20_cobalt-strike_cobaltstrike.exe C:\Windows\System\XgrufiE.exe
PID 2304 wrote to memory of 2424 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5bd8957839cfd9b8e59ec42284640d20_cobalt-strike_cobaltstrike.exe C:\Windows\System\XgrufiE.exe
PID 2304 wrote to memory of 2424 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5bd8957839cfd9b8e59ec42284640d20_cobalt-strike_cobaltstrike.exe C:\Windows\System\XgrufiE.exe
PID 2304 wrote to memory of 2936 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5bd8957839cfd9b8e59ec42284640d20_cobalt-strike_cobaltstrike.exe C:\Windows\System\GjtjuFQ.exe
PID 2304 wrote to memory of 2936 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5bd8957839cfd9b8e59ec42284640d20_cobalt-strike_cobaltstrike.exe C:\Windows\System\GjtjuFQ.exe
PID 2304 wrote to memory of 2936 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5bd8957839cfd9b8e59ec42284640d20_cobalt-strike_cobaltstrike.exe C:\Windows\System\GjtjuFQ.exe
PID 2304 wrote to memory of 1880 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5bd8957839cfd9b8e59ec42284640d20_cobalt-strike_cobaltstrike.exe C:\Windows\System\PlBBjFa.exe
PID 2304 wrote to memory of 1880 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5bd8957839cfd9b8e59ec42284640d20_cobalt-strike_cobaltstrike.exe C:\Windows\System\PlBBjFa.exe
PID 2304 wrote to memory of 1880 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5bd8957839cfd9b8e59ec42284640d20_cobalt-strike_cobaltstrike.exe C:\Windows\System\PlBBjFa.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-01_5bd8957839cfd9b8e59ec42284640d20_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-01_5bd8957839cfd9b8e59ec42284640d20_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\VCSDccy.exe

C:\Windows\System\VCSDccy.exe

C:\Windows\System\goXhwHX.exe

C:\Windows\System\goXhwHX.exe

C:\Windows\System\HRNfXdV.exe

C:\Windows\System\HRNfXdV.exe

C:\Windows\System\OQwOOGQ.exe

C:\Windows\System\OQwOOGQ.exe

C:\Windows\System\PMlvBBh.exe

C:\Windows\System\PMlvBBh.exe

C:\Windows\System\wnmpLFD.exe

C:\Windows\System\wnmpLFD.exe

C:\Windows\System\ovnwmNv.exe

C:\Windows\System\ovnwmNv.exe

C:\Windows\System\JRLuLGb.exe

C:\Windows\System\JRLuLGb.exe

C:\Windows\System\sGMBoCL.exe

C:\Windows\System\sGMBoCL.exe

C:\Windows\System\AXbfgJC.exe

C:\Windows\System\AXbfgJC.exe

C:\Windows\System\aHhpnTW.exe

C:\Windows\System\aHhpnTW.exe

C:\Windows\System\BVFLQHY.exe

C:\Windows\System\BVFLQHY.exe

C:\Windows\System\SrSHhLh.exe

C:\Windows\System\SrSHhLh.exe

C:\Windows\System\sfqfijk.exe

C:\Windows\System\sfqfijk.exe

C:\Windows\System\VAThEmC.exe

C:\Windows\System\VAThEmC.exe

C:\Windows\System\lvyCOdD.exe

C:\Windows\System\lvyCOdD.exe

C:\Windows\System\InDEufA.exe

C:\Windows\System\InDEufA.exe

C:\Windows\System\iroZAyF.exe

C:\Windows\System\iroZAyF.exe

C:\Windows\System\XgrufiE.exe

C:\Windows\System\XgrufiE.exe

C:\Windows\System\GjtjuFQ.exe

C:\Windows\System\GjtjuFQ.exe

C:\Windows\System\PlBBjFa.exe

C:\Windows\System\PlBBjFa.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 N/A tcp (6 identical connections)

Files

memory/2304-0-0x000000013F7F0000-0x000000013FB44000-memory.dmp

memory/2304-1-0x0000000000080000-0x0000000000090000-memory.dmp

\Windows\system\VCSDccy.exe

MD5 2b13cb728dd4929a0f8d07aaf468a82b
SHA1 4924870dfad12c25ac6560f222f956d43989cb0d
SHA256 76081b30e9f680f492e1220ca461c773798ac5b57182609c2cbe84bcecc8d887
SHA512 28a66912a5e7bca570aa98cd8c3b8a7846f3fd8d72821ecc92e791f091aaa7ce24ccab95019d15a07d165afa4fc80dd3e22551ec6d74ea4534f8ccbc6d779a08

memory/2304-8-0x0000000002450000-0x00000000027A4000-memory.dmp

C:\Windows\system\goXhwHX.exe

MD5 1260e6ebe6829a80dc0d9ec57c3ae2c7
SHA1 d6f8dbdd79c6ae5f697db18ff41d4f68ebb047bd
SHA256 e03e4f5015a5f987a521f330c45883ff04315e486e85927b33cfae22cfb3be4d
SHA512 6de1cfa2ec3c44a12b04f44c5b9ea4ebf8cb96cae68257b17cd402e6ae7992b7c387ffe1fafe04b09a90e25726d53f7f0385c40de8e8836bf1ecc5a18fce4f7f

memory/1624-16-0x000000013F6D0000-0x000000013FA24000-memory.dmp

memory/2304-15-0x0000000002450000-0x00000000027A4000-memory.dmp

memory/2864-12-0x000000013FA70000-0x000000013FDC4000-memory.dmp

C:\Windows\system\HRNfXdV.exe

MD5 3f9bc771f04eba27b896ae4493c7ed81
SHA1 184fcc289d63cdf1a4d345d9c637a19636affdab
SHA256 2b42a3ef4910007aa5229daf1e93a3e8cf9d46f89ea287300fcf746cc301e0ad
SHA512 b8931ae7bc5c74b2434f9879d58ec43c1ea0600083b85035fa94a6c7d116aaecaf3575415a727778f8a5c8aa897b0af18ec44a1e3e86f8033342bde0e1ddb322

memory/2304-22-0x0000000002450000-0x00000000027A4000-memory.dmp

C:\Windows\system\OQwOOGQ.exe

MD5 809ca98fa1838a0ff48b9fb8149f2934
SHA1 853a75744205c8eb3c4f345b26e4a2e8308d53a8
SHA256 100c1685fa0a01f068394555a77821a2d0f2eab351d95f858065b86d55e48a79
SHA512 3d6319143a23844d9e35d39bdcf1e7e109656f0c3eb82bc60f0c4713c78a4b15249cbf54324b1d767d55d7d4164ee10dc018d98bcb229926fc053a37433c4254

memory/1428-30-0x000000013F240000-0x000000013F594000-memory.dmp

memory/2304-28-0x000000013F240000-0x000000013F594000-memory.dmp

memory/3028-26-0x000000013F640000-0x000000013F994000-memory.dmp

\Windows\system\PMlvBBh.exe

MD5 a035267395cd76a2d570e8ec13e211fd
SHA1 aaa92ba226609705272cdbd625f7d88ea3ae216a
SHA256 784d87c0da8a40df8bbec1e1c860ab65fb2abc949c389afdf68c6cbe2ff7bf47
SHA512 c7d9f0ece9ea959656a69fd30971fcded97d7e2e2af1edd5ddc5a75c4498bd80c524d427a7dbee33b15d796869f2eb151d0f4ee285a859daef7a98c74acb026c

memory/2304-41-0x000000013F1F0000-0x000000013F544000-memory.dmp

C:\Windows\system\wnmpLFD.exe

MD5 e3b4e7ec022fb3dc440b5689309deeb9
SHA1 3c41c84e6d51403a25f60e3f2c22a533074277d4
SHA256 983adeb2ebb99f42b7a8afeb5a7953df1246060abbdd45ea42f4f83acda1d6c5
SHA512 019d6d3679561ae845fa89caac2dbac2f96fb4cad34c415e46d2c1361c827af983344defd8e86c11ae7fc811b6d26841a73339a8e89ba87e759a51f53ed74745

memory/2540-39-0x000000013FC70000-0x000000013FFC4000-memory.dmp

memory/2304-49-0x000000013FED0000-0x0000000140224000-memory.dmp

C:\Windows\system\ovnwmNv.exe

MD5 2c129992490d7303b9d86120a5811461
SHA1 16e09b115096fca9114c7f5f6367dc12a732c9db
SHA256 4c5526f5350f8730175e0f4075b1feae25cbc9a65268d8311a9601b1f2e60c1e
SHA512 39dd1c28c410150c70125026cdecdaf4d396d5f335fd6936d46ad06dab7dfeb7dff01fbf4b4e96105f0919e1957ef9f8fdf43dbc880891caa0bab8d456aface0

memory/2592-50-0x000000013FED0000-0x0000000140224000-memory.dmp

memory/2648-46-0x000000013F1F0000-0x000000013F544000-memory.dmp

memory/2304-60-0x000000013F7F0000-0x000000013FB44000-memory.dmp

memory/1184-63-0x000000013F160000-0x000000013F4B4000-memory.dmp

memory/2304-62-0x000000013F160000-0x000000013F4B4000-memory.dmp

memory/2304-65-0x000000013F340000-0x000000013F694000-memory.dmp

memory/2684-64-0x000000013F340000-0x000000013F694000-memory.dmp

C:\Windows\system\sGMBoCL.exe

MD5 f06dde0bec409460e1be771c09db1a1d
SHA1 8939c2195dbf7199301dc767f13c768c9f9725bb
SHA256 7139ccf55eeacf3fd97692b2bcca76376aea0617418ab7dcf82cbe33952a38bb
SHA512 2e0c6c74ea80a216726ea16a26e960d4d367b42fa551f97e917457ed0e1d113737c351389c9132a3df33fbc757659961012d4cf9dad7ee42b80be116df56a555

C:\Windows\system\JRLuLGb.exe

MD5 152b37feb954cfce6c6cba00bdc1bb24
SHA1 f86ffd36c9e546af9a4af30a8826ee92967cd11f
SHA256 734c71b90c33210451cf7807a95db5778b7f90f0250ae23dddd4ebcdd3c1e984
SHA512 a46970bf5e16325eb4d19516af366725b35438e8e06db784e8d16c50e7da08f840b2ec0a416c0e9982703a9473ff0f0ab973d3c62cba10c54c587fc797a5d84c

\Windows\system\AXbfgJC.exe

MD5 a05fdba0448c38e2d178c426b7d64ebf
SHA1 e22308d62790826a2fa1e2c1a95c3dabd031b8f4
SHA256 ca68029b085435dc90d3f98ad068881e6ec98a62178e89ec7a136a21a190bedd
SHA512 e77026ad7a6bcb0bdfda92c2ebbe91e3d1d2298c899ff9794aae0011ff0b0a77d9271e17f2f199b3b83f6e48876f25ddabbcf98d1e97dbcafe27e8f5345b484b

memory/2304-71-0x0000000002450000-0x00000000027A4000-memory.dmp

memory/2468-73-0x000000013FD40000-0x0000000140094000-memory.dmp

memory/2304-72-0x000000013FD40000-0x0000000140094000-memory.dmp

C:\Windows\system\aHhpnTW.exe

MD5 67f728a10245902b42f681468fe797af
SHA1 a4536f0b946ff48cb8b19063bd9fd8f699c80819
SHA256 1a1894253e47bc74280bd8fb2935d4bc9df0296dfac1743a0cab31af9278741d
SHA512 a4bf2cb31e82961f23c201ac913b11ca48f28059bc5833d469a945bfdd51221657fa00c2fb52853d98d58a398c850482fe66935860e79768db7cc0308b0d2bb3

memory/2304-79-0x000000013FC50000-0x000000013FFA4000-memory.dmp

memory/2700-80-0x000000013FC50000-0x000000013FFA4000-memory.dmp

C:\Windows\system\BVFLQHY.exe

MD5 16491b2668904c19ad71f06c6d27bbeb
SHA1 890d84a7a4df2bc6008d3d3c67ecbae282100e0c
SHA256 d8cc3789cc37b6f065b8d530af7ecc513784870b0e057fd3672ebc2bdd69b078
SHA512 27a0ab4c9bfb8551421f22dcb9da783e37f492f9e8605e98524e9614355318d7e8c8ccd0f34af870973918c39605a5b147483e253e569e7e9fd17f2a2ecd0138

C:\Windows\system\SrSHhLh.exe

MD5 38ec69bd1e3ebd0ebc8143f38e1c882f
SHA1 79f3cf9bc6206e841770d9018d8f7ba481319120
SHA256 6ba7ac6aa6217d964f3fead71586375bc636428a454b9e10235696702650c16e
SHA512 a88990c9f195e01362bf88c395968bb4d684accd0930637b86c0e84a38fc9d831bf4696c8ce550f67afa030e55cc72798a0439d67e0b18f9ab0003448b2f75e9

memory/1616-100-0x000000013F250000-0x000000013F5A4000-memory.dmp

memory/2304-104-0x000000013F100000-0x000000013F454000-memory.dmp

memory/1428-105-0x000000013F240000-0x000000013F594000-memory.dmp

memory/2304-107-0x000000013F250000-0x000000013F5A4000-memory.dmp

C:\Windows\system\iroZAyF.exe

MD5 987dbe647ce54850d5991baed1ade27b
SHA1 2cb5ca126a66733f0a60d99a57e70d4afd4bbd6a
SHA256 a6e9afce7cfa981af086cb5f35c59602b0fb55f80b4f27cdc25f6b8bb8512dea
SHA512 b919cd99db37b42a74a90bf58e6a558b84c061921c209859e3e7a41c9e1ba0e5ee0392af000b4897c0308ca2857a91f6029d5bd6cb0d33e126cab280625be9b8

C:\Windows\system\InDEufA.exe

MD5 3d65f2a68c79321d022b7b0c67e64481
SHA1 bd8d954449fa0c64f0362f77f3b52922f3c931d7
SHA256 7fd28d146d6084b2699e114374201f695772a4ad4ec0d056479464cb3980fb62
SHA512 a6afeffe972283e406848b9982d09ecd03a7aa8089a2150005e0f2f55e5853492f2c8e6fd24e3527c66314963b48fd331d39e083b210ec75725e9a9d9cd6055b

C:\Windows\system\PlBBjFa.exe

MD5 019dbe37e755798af1e5d6f8127bdbd8
SHA1 c6f78a365b43c517bb2842b1cc117e7635816957
SHA256 61adf8f7c1f0a842ea476977ce3e11b8b370cad38901bdb56205a64c3f7b27eb
SHA512 720899c6808b339be74898828d80f7ab6123e098e29876ac88f62deaedb3132fc6a94bbc3352e14bba0b30af8d6d07bc4d5b17930e95b4b52e7f2c6367f925a9

C:\Windows\system\XgrufiE.exe

MD5 b929e809c46378577e3ba0272d27d914
SHA1 7310664e0b8f47caa3aa7661a31612dad2272b56
SHA256 b32cc0c9cc7dce6067d8eaeeb6a30bbaaede482ce4ba8c03e9d5f56ca0077bac
SHA512 11fcbda48eb364b3f8dd98312793d4c8caad36638eeb7bb15512d597c3f9115da09d6d26cff945f9cfe7f9db1591d07fd284379e6b0a7577b6e0dd697061a491

C:\Windows\system\GjtjuFQ.exe

MD5 c8f178fe08f0a9e6fce78b0bf7adcbb7
SHA1 16d499f5fbc5428aa3eccc333708ce5bd50f5d70
SHA256 0d033221d9e535d51297cb564731ce3218fe4ba79f7290bcc7f947499584aaf4
SHA512 d71d7c6a38d7765d5bda69a46f56d56ca35bf4c33afdc08cfc8b7e1ad3cbc744b23832e0dece1a4c6c073ba4e56afebc98c27d6c5df3fdfff6f45ad1a763014f

\Windows\system\VAThEmC.exe

MD5 bc870bc7d7cf0ecce574b4f0a49aaa47
SHA1 c5bcfceb382e251f24f283c49617bedae26bab0d
SHA256 920df8e4a9eda059a7837076f7e71f07afb49a5b0392a648e5218fa0dd841f8d
SHA512 4cd3a3fc14180b136cde503204668314b43e0fca6953cac8a0f3b8426212f0bfa0f799cffc8d6a3d43cec17bcca830521c917d510710b5f6c6ea024256da325e

C:\Windows\system\lvyCOdD.exe

MD5 e86a5a115c6574fdb937af60cfe4226a
SHA1 9a8ccb4921f57289595cd7fb2a5550e69edb697f
SHA256 5cf8765e091a6fd4183b04529f73348b74bee41c0b246f6f2e38c347acf3ecf2
SHA512 5ca49247ab1da890825e89e614883df7fa4ad0a8424e58a51d5622d5ce8483f57d1922407c8133e9e80d8aa70cc3752e747a109aa7a43443a0cac178d1240fbb

memory/2304-108-0x000000013F3B0000-0x000000013F704000-memory.dmp

memory/2540-106-0x000000013FC70000-0x000000013FFC4000-memory.dmp

memory/2304-103-0x0000000002450000-0x00000000027A4000-memory.dmp

C:\Windows\system\sfqfijk.exe

MD5 ded062077eea747f0fb4eba56f41c89b
SHA1 286b1c8aa55a0542fe820f75f28d727bada8c83c
SHA256 b592c695bbdc293881e457161acaeaa505cdf59f01faccdc661698e75e128279
SHA512 9c588ceed710311f413ea8bc6375c945bebcee6e116305a9d297c3ed8b596baca7865705970cbae3c7126b6c5c2c9847bdac981536e83b63a67ac18276d7988b

memory/2232-93-0x000000013F120000-0x000000013F474000-memory.dmp

memory/2304-86-0x000000013F120000-0x000000013F474000-memory.dmp

memory/2648-139-0x000000013F1F0000-0x000000013F544000-memory.dmp

memory/2304-140-0x000000013FED0000-0x0000000140224000-memory.dmp

memory/2304-141-0x000000013FD40000-0x0000000140094000-memory.dmp

memory/2304-142-0x000000013FC50000-0x000000013FFA4000-memory.dmp

memory/1616-143-0x000000013F250000-0x000000013F5A4000-memory.dmp

memory/2304-144-0x0000000002450000-0x00000000027A4000-memory.dmp

memory/2304-145-0x000000013F250000-0x000000013F5A4000-memory.dmp

memory/2304-146-0x000000013F3B0000-0x000000013F704000-memory.dmp

memory/2864-147-0x000000013FA70000-0x000000013FDC4000-memory.dmp

memory/1624-148-0x000000013F6D0000-0x000000013FA24000-memory.dmp

memory/3028-149-0x000000013F640000-0x000000013F994000-memory.dmp

memory/1428-150-0x000000013F240000-0x000000013F594000-memory.dmp

memory/2540-151-0x000000013FC70000-0x000000013FFC4000-memory.dmp

memory/2648-152-0x000000013F1F0000-0x000000013F544000-memory.dmp

memory/2592-153-0x000000013FED0000-0x0000000140224000-memory.dmp

memory/1184-154-0x000000013F160000-0x000000013F4B4000-memory.dmp

memory/2684-155-0x000000013F340000-0x000000013F694000-memory.dmp

memory/2468-156-0x000000013FD40000-0x0000000140094000-memory.dmp

memory/2700-157-0x000000013FC50000-0x000000013FFA4000-memory.dmp

memory/2232-158-0x000000013F120000-0x000000013F474000-memory.dmp

memory/1616-159-0x000000013F250000-0x000000013F5A4000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-01 11:29

Reported

2024-06-01 11:32

Platform

win10v2004-20240426-en

Max time kernel

148s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-01_5bd8957839cfd9b8e59ec42284640d20_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\BOwkkQq.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_5bd8957839cfd9b8e59ec42284640d20_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\mgJvrbQ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_5bd8957839cfd9b8e59ec42284640d20_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\RAYpxGc.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_5bd8957839cfd9b8e59ec42284640d20_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\DWflrQe.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_5bd8957839cfd9b8e59ec42284640d20_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\YgBEySI.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_5bd8957839cfd9b8e59ec42284640d20_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\SnteVBM.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_5bd8957839cfd9b8e59ec42284640d20_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\LybKloA.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_5bd8957839cfd9b8e59ec42284640d20_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\hpXWmWK.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_5bd8957839cfd9b8e59ec42284640d20_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\dMIrnyS.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_5bd8957839cfd9b8e59ec42284640d20_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\cXPWNej.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_5bd8957839cfd9b8e59ec42284640d20_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\VGLpBRB.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_5bd8957839cfd9b8e59ec42284640d20_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\BOvRnUc.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_5bd8957839cfd9b8e59ec42284640d20_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\pyBoulU.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_5bd8957839cfd9b8e59ec42284640d20_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\WQDrwSn.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_5bd8957839cfd9b8e59ec42284640d20_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\wbDnAmH.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_5bd8957839cfd9b8e59ec42284640d20_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\TEhUDIO.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_5bd8957839cfd9b8e59ec42284640d20_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\CnsUUUm.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_5bd8957839cfd9b8e59ec42284640d20_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ARZQWkF.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_5bd8957839cfd9b8e59ec42284640d20_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\vnpmNSa.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_5bd8957839cfd9b8e59ec42284640d20_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\fIHfdeM.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_5bd8957839cfd9b8e59ec42284640d20_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ckyhQoZ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_5bd8957839cfd9b8e59ec42284640d20_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5bd8957839cfd9b8e59ec42284640d20_cobalt-strike_cobaltstrike.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5bd8957839cfd9b8e59ec42284640d20_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4540 wrote to memory of 3932 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5bd8957839cfd9b8e59ec42284640d20_cobalt-strike_cobaltstrike.exe C:\Windows\System\cXPWNej.exe
PID 4540 wrote to memory of 3932 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5bd8957839cfd9b8e59ec42284640d20_cobalt-strike_cobaltstrike.exe C:\Windows\System\cXPWNej.exe
PID 4540 wrote to memory of 3192 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5bd8957839cfd9b8e59ec42284640d20_cobalt-strike_cobaltstrike.exe C:\Windows\System\VGLpBRB.exe
PID 4540 wrote to memory of 3192 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5bd8957839cfd9b8e59ec42284640d20_cobalt-strike_cobaltstrike.exe C:\Windows\System\VGLpBRB.exe
PID 4540 wrote to memory of 2452 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5bd8957839cfd9b8e59ec42284640d20_cobalt-strike_cobaltstrike.exe C:\Windows\System\RAYpxGc.exe
PID 4540 wrote to memory of 2452 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5bd8957839cfd9b8e59ec42284640d20_cobalt-strike_cobaltstrike.exe C:\Windows\System\RAYpxGc.exe
PID 4540 wrote to memory of 4948 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5bd8957839cfd9b8e59ec42284640d20_cobalt-strike_cobaltstrike.exe C:\Windows\System\WQDrwSn.exe
PID 4540 wrote to memory of 4948 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5bd8957839cfd9b8e59ec42284640d20_cobalt-strike_cobaltstrike.exe C:\Windows\System\WQDrwSn.exe
PID 4540 wrote to memory of 920 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5bd8957839cfd9b8e59ec42284640d20_cobalt-strike_cobaltstrike.exe C:\Windows\System\DWflrQe.exe
PID 4540 wrote to memory of 920 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5bd8957839cfd9b8e59ec42284640d20_cobalt-strike_cobaltstrike.exe C:\Windows\System\DWflrQe.exe
PID 4540 wrote to memory of 4204 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5bd8957839cfd9b8e59ec42284640d20_cobalt-strike_cobaltstrike.exe C:\Windows\System\BOvRnUc.exe
PID 4540 wrote to memory of 4204 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5bd8957839cfd9b8e59ec42284640d20_cobalt-strike_cobaltstrike.exe C:\Windows\System\BOvRnUc.exe
PID 4540 wrote to memory of 3224 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5bd8957839cfd9b8e59ec42284640d20_cobalt-strike_cobaltstrike.exe C:\Windows\System\ARZQWkF.exe
PID 4540 wrote to memory of 3224 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5bd8957839cfd9b8e59ec42284640d20_cobalt-strike_cobaltstrike.exe C:\Windows\System\ARZQWkF.exe
PID 4540 wrote to memory of 5044 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5bd8957839cfd9b8e59ec42284640d20_cobalt-strike_cobaltstrike.exe C:\Windows\System\vnpmNSa.exe
PID 4540 wrote to memory of 5044 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5bd8957839cfd9b8e59ec42284640d20_cobalt-strike_cobaltstrike.exe C:\Windows\System\vnpmNSa.exe
PID 4540 wrote to memory of 4896 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5bd8957839cfd9b8e59ec42284640d20_cobalt-strike_cobaltstrike.exe C:\Windows\System\wbDnAmH.exe
PID 4540 wrote to memory of 4896 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5bd8957839cfd9b8e59ec42284640d20_cobalt-strike_cobaltstrike.exe C:\Windows\System\wbDnAmH.exe
PID 4540 wrote to memory of 1528 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5bd8957839cfd9b8e59ec42284640d20_cobalt-strike_cobaltstrike.exe C:\Windows\System\YgBEySI.exe
PID 4540 wrote to memory of 1528 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5bd8957839cfd9b8e59ec42284640d20_cobalt-strike_cobaltstrike.exe C:\Windows\System\YgBEySI.exe
PID 4540 wrote to memory of 3936 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5bd8957839cfd9b8e59ec42284640d20_cobalt-strike_cobaltstrike.exe C:\Windows\System\SnteVBM.exe
PID 4540 wrote to memory of 3936 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5bd8957839cfd9b8e59ec42284640d20_cobalt-strike_cobaltstrike.exe C:\Windows\System\SnteVBM.exe
PID 4540 wrote to memory of 4804 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5bd8957839cfd9b8e59ec42284640d20_cobalt-strike_cobaltstrike.exe C:\Windows\System\BOwkkQq.exe
PID 4540 wrote to memory of 4804 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5bd8957839cfd9b8e59ec42284640d20_cobalt-strike_cobaltstrike.exe C:\Windows\System\BOwkkQq.exe
PID 4540 wrote to memory of 5060 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5bd8957839cfd9b8e59ec42284640d20_cobalt-strike_cobaltstrike.exe C:\Windows\System\fIHfdeM.exe
PID 4540 wrote to memory of 5060 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5bd8957839cfd9b8e59ec42284640d20_cobalt-strike_cobaltstrike.exe C:\Windows\System\fIHfdeM.exe
PID 4540 wrote to memory of 4552 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5bd8957839cfd9b8e59ec42284640d20_cobalt-strike_cobaltstrike.exe C:\Windows\System\pyBoulU.exe
PID 4540 wrote to memory of 4552 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5bd8957839cfd9b8e59ec42284640d20_cobalt-strike_cobaltstrike.exe C:\Windows\System\pyBoulU.exe
PID 4540 wrote to memory of 1756 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5bd8957839cfd9b8e59ec42284640d20_cobalt-strike_cobaltstrike.exe C:\Windows\System\TEhUDIO.exe
PID 4540 wrote to memory of 1756 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5bd8957839cfd9b8e59ec42284640d20_cobalt-strike_cobaltstrike.exe C:\Windows\System\TEhUDIO.exe
PID 4540 wrote to memory of 2268 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5bd8957839cfd9b8e59ec42284640d20_cobalt-strike_cobaltstrike.exe C:\Windows\System\LybKloA.exe
PID 4540 wrote to memory of 2268 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5bd8957839cfd9b8e59ec42284640d20_cobalt-strike_cobaltstrike.exe C:\Windows\System\LybKloA.exe
PID 4540 wrote to memory of 3332 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5bd8957839cfd9b8e59ec42284640d20_cobalt-strike_cobaltstrike.exe C:\Windows\System\hpXWmWK.exe
PID 4540 wrote to memory of 3332 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5bd8957839cfd9b8e59ec42284640d20_cobalt-strike_cobaltstrike.exe C:\Windows\System\hpXWmWK.exe
PID 4540 wrote to memory of 1436 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5bd8957839cfd9b8e59ec42284640d20_cobalt-strike_cobaltstrike.exe C:\Windows\System\ckyhQoZ.exe
PID 4540 wrote to memory of 1436 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5bd8957839cfd9b8e59ec42284640d20_cobalt-strike_cobaltstrike.exe C:\Windows\System\ckyhQoZ.exe
PID 4540 wrote to memory of 5000 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5bd8957839cfd9b8e59ec42284640d20_cobalt-strike_cobaltstrike.exe C:\Windows\System\CnsUUUm.exe
PID 4540 wrote to memory of 5000 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5bd8957839cfd9b8e59ec42284640d20_cobalt-strike_cobaltstrike.exe C:\Windows\System\CnsUUUm.exe
PID 4540 wrote to memory of 2904 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5bd8957839cfd9b8e59ec42284640d20_cobalt-strike_cobaltstrike.exe C:\Windows\System\dMIrnyS.exe
PID 4540 wrote to memory of 2904 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5bd8957839cfd9b8e59ec42284640d20_cobalt-strike_cobaltstrike.exe C:\Windows\System\dMIrnyS.exe
PID 4540 wrote to memory of 628 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5bd8957839cfd9b8e59ec42284640d20_cobalt-strike_cobaltstrike.exe C:\Windows\System\mgJvrbQ.exe
PID 4540 wrote to memory of 628 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5bd8957839cfd9b8e59ec42284640d20_cobalt-strike_cobaltstrike.exe C:\Windows\System\mgJvrbQ.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-01_5bd8957839cfd9b8e59ec42284640d20_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-01_5bd8957839cfd9b8e59ec42284640d20_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\cXPWNej.exe

C:\Windows\System\cXPWNej.exe

C:\Windows\System\VGLpBRB.exe

C:\Windows\System\VGLpBRB.exe

C:\Windows\System\RAYpxGc.exe

C:\Windows\System\RAYpxGc.exe

C:\Windows\System\WQDrwSn.exe

C:\Windows\System\WQDrwSn.exe

C:\Windows\System\DWflrQe.exe

C:\Windows\System\DWflrQe.exe

C:\Windows\System\BOvRnUc.exe

C:\Windows\System\BOvRnUc.exe

C:\Windows\System\ARZQWkF.exe

C:\Windows\System\ARZQWkF.exe

C:\Windows\System\vnpmNSa.exe

C:\Windows\System\vnpmNSa.exe

C:\Windows\System\wbDnAmH.exe

C:\Windows\System\wbDnAmH.exe

C:\Windows\System\YgBEySI.exe

C:\Windows\System\YgBEySI.exe

C:\Windows\System\SnteVBM.exe

C:\Windows\System\SnteVBM.exe

C:\Windows\System\BOwkkQq.exe

C:\Windows\System\BOwkkQq.exe

C:\Windows\System\fIHfdeM.exe

C:\Windows\System\fIHfdeM.exe

C:\Windows\System\pyBoulU.exe

C:\Windows\System\pyBoulU.exe

C:\Windows\System\TEhUDIO.exe

C:\Windows\System\TEhUDIO.exe

C:\Windows\System\LybKloA.exe

C:\Windows\System\LybKloA.exe

C:\Windows\System\hpXWmWK.exe

C:\Windows\System\hpXWmWK.exe

C:\Windows\System\ckyhQoZ.exe

C:\Windows\System\ckyhQoZ.exe

C:\Windows\System\CnsUUUm.exe

C:\Windows\System\CnsUUUm.exe

C:\Windows\System\dMIrnyS.exe

C:\Windows\System\dMIrnyS.exe

C:\Windows\System\mgJvrbQ.exe

C:\Windows\System\mgJvrbQ.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 144.107.17.2.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 14.173.189.20.in-addr.arpa udp

Files

memory/4540-0-0x00007FF7C2080000-0x00007FF7C23D4000-memory.dmp

memory/4540-1-0x0000024CDF0F0000-0x0000024CDF100000-memory.dmp

C:\Windows\System\cXPWNej.exe

MD5 016c3e23ed5fd0d700f0240da7d55ae7
SHA1 423a623c6cd9bac68a7dc7c8bb5e8a0c0e81b2da
SHA256 c2986c0c87745594676b557c9c7e4abb6a3c0fcf5aac4b185e7ca561ec2bc584
SHA512 c4dede92432552a58449d000374eb0d6131a2af3481984c5d54b5d35b9753c497cca26cac92377527e3beb7062a9ff0d83e7f1df9dcb54df9dbfff1fe9d9cd2f

memory/3932-7-0x00007FF7A2E80000-0x00007FF7A31D4000-memory.dmp

C:\Windows\System\VGLpBRB.exe

MD5 c8532159048eea9719a24a0ae75fa1a4
SHA1 92995717b6cd3d0f3d103d6d46ad2a03af2ac73f
SHA256 022c969f96cd853dd3e642a42ea616af82a0e322380359624b027b388276bb04
SHA512 0218cff5f4cbcb2f01e322a6999dcb8f6ac4167bb336bb3b11901fc4e5619a967477d249d9b59b571953bbff28a0ea53b0c91a60d68f545b4711f93e5c60fb56

C:\Windows\System\RAYpxGc.exe

MD5 1fc9db9e6613eb6ee860e440016bf269
SHA1 9a530a923b279fb0c3d8c2710da83fdc35df481e
SHA256 b3c5c016fec4b482c529ce213815a864ad42f95a38baf792927b86c8444791a7
SHA512 2b1090933cf5c0006e2d86d2d2820f29f361711a722f902ec853b1fac3dde8465f6b804e42a25da87a1cc5d974d8397cb187973e25f3e55f18f3ce981a3555ae

memory/3192-14-0x00007FF629330000-0x00007FF629684000-memory.dmp

C:\Windows\System\DWflrQe.exe

MD5 d7a5ad7d01b5279d798bfc265a2f023d
SHA1 75c23f0bc5f20574508ce4b700c4640fe35ef393
SHA256 df4741cca1fafe22fca67fd896b33dee2acdeb093005940a499febbecaed3053
SHA512 228a4bd15af822c60bbbe31ef5604a0cc0ea8782fe2e898a0bd729f70a6f2781d0cf917645381bdace468a5eaff1d581b8bba6be16f2a4478a501c39b7ea3c09

C:\Windows\System\WQDrwSn.exe

MD5 f71687e40964327c518b0d4fc2236c48
SHA1 8709041877d5e601a320bdb1e12d61d433360962
SHA256 f1135f993447cd2c60d02e6f44c6523736cbc8ceb4448d8e149f754749e9a8cd
SHA512 561925220f694fe35260e274386bf9c7a609765deeb29db89603aa3856b901d98ccdd5222045d29fa2958b8db16ec733de06fe2ada4b62725d1f72a588a445db

C:\Windows\System\vnpmNSa.exe

MD5 003ab4fa184558c26d7e27df66826d25
SHA1 1e36b3cba1afed688ccd4140054e571ce8cf3fe2
SHA256 2d865a067b0830db2123a1833025c84b336d8f8a1e42bf54f1094f85324285cb
SHA512 713859661ca7c899eda8c961cbc8c3ad84e69fdf598bfffa1d381d59b3f36a6e1129918d479535b97e2a96e6344cba448a30b3ee60988d9f12e26823b2bea6b7

C:\Windows\System\wbDnAmH.exe

MD5 e827e1e706f5424ceaecaa2786aff564
SHA1 abe4f1fcb09262f7fb69670665db5ca33e671d26
SHA256 0dcc8b5589354b9bace52e0430f01b45dfbc91240492e2c349d55c7692df3234
SHA512 a4b4783ea3d174a9ea23635842cddda59805c11afcb3b808d990af9aed06cfd07cfde2a5f7721db0eb59f7b70b2434a2d5aed4b2d32e6eea8ca4f4c18b130aec

C:\Windows\System\YgBEySI.exe

MD5 4eb74d70799acec6bc2f70d4022767f2
SHA1 96e1a237b71d9dbe6b647bdafb30240b214d2df5
SHA256 e72d9a8b2c291cebf588547da6636fc1e3c267a60762881657f0411ebeb2c8a8
SHA512 2fa7b3676eff823ed30b066c9b5fc9867402254e63db8119ceee5f1e7abc2af42cbc7b1d5ce015a613938a08324e80ec8020ab41d13f37efe03e2457f9ea8bc5

C:\Windows\System\SnteVBM.exe

MD5 3e96c6c22c0fc5ffc130d9b9c8f747c6
SHA1 74439c8b78841fda462b76c97c4538ac31dd5d44
SHA256 e5116bccce5f1df270ca6409b7142e93813c3808b6bf288a3bf230b72b76bc6f
SHA512 70967c015be15f24172f558335f45860ec1fd3dade35f4e314f7cf921966a245c1b6dde30aa3efd69a4efabe95dc809897c5a93245703f601c4c4b4562d7c3d0

memory/4896-66-0x00007FF627A50000-0x00007FF627DA4000-memory.dmp

C:\Windows\System\BOwkkQq.exe

MD5 b9a4c5bf1bcee9c5e61f15c76a6cfdb6
SHA1 62953b5f81be8b8dc3a2eb90fbc024de60da6919
SHA256 2ab83ca2c98522aa8a68e30b5ea028ad34c376026836ed8611cc39c8eb607402
SHA512 2061e0ab803e41f842b0143546349a5c060c3b4117ae1367915bd9520a7a30cc8c0816b61b8eb815e0a281e713763b352baf8a43fc2a0da91b256b191ba7ac36

C:\Windows\System\pyBoulU.exe

MD5 416a344380434558c0db7ee7403ec560
SHA1 97544c62555c50ef9a4f8ba12ac6e60f4135a226
SHA256 8e2df8d9223aeb4e9c1d02a4b54c202ce474af83ba290e72746440ff5372051d
SHA512 08ae1189c01182f5c91d7f6d410892830856644ba8c863f5b11d6884d435b8d52a1d8b2972af9cc0a72a9d4f3affa931f764dd5ce225bd800cbd8e8e5b2de143

C:\Windows\System\hpXWmWK.exe

MD5 92421ba251c83cabe76c2088ec3b0c1a
SHA1 a62df7817f8e75f04cff61008bb15ed07ed9ef8a
SHA256 d6b262ecbd6476a8a7a9ce0679df8ec69fbd670a1d35a6c8cb97368f26299f7e
SHA512 e321f597c8070e3caff0a025dd808055e41ebd755881da17d0e77dc401c3818286c5ae41a7a047c6a62aa021b72503bf6d399ccb469382800ab7f46ef077613e

C:\Windows\System\CnsUUUm.exe

MD5 07972a00cb98adf54aee59b31dbf88b6
SHA1 e40e19b3a7d79a8574a26910b72df70184ab3975
SHA256 f38cd7f0fd3b71daad7325635e4db5c0fdb8dbce7836d81c8961d4189060b247
SHA512 5e7472fde135c6b22d45bb6ce6bb7625d59ccaea26900e67e9b9996c04a7568ec0ec0e36a8d26f49f04e1d3c1389aa97cf8feca4f959cfec27eaac64981f6bdb

C:\Windows\System\mgJvrbQ.exe

MD5 b6356aafb3ee531f1f2b4bff5c69f27f
SHA1 85e74246d9ffba2cf84b69e6123a66b15757d5fb
SHA256 17da2b5c18f3c2cdb6e8fb6855196aaffb199b732b7cdd77efb538ed9f9f38e8
SHA512 ff5c2bb264841833e00757e069de8f1174b3e232504662b4094abcb6af8443cf924ff0418a443734cc980f5e9131c13438ed679ed078a639dded9b98eca12fca

C:\Windows\System\dMIrnyS.exe

MD5 535bf32142e6b920efc0c1456e62102f
SHA1 eb0925f00513fdaaad620506d4a675ae1c2f5f85
SHA256 cbdf434c40ee32fc71b1aac687a2740c486b0727c9e0f410f4504d08f0668363
SHA512 d122c7fd47976fb0c6254a30b91aeba64bdbc9e4ee2185f4dacd95df72ab377efa2a7a25c85957f9f90fefc38afd0ab5124c8329ce91791990d3907c42196a3a

C:\Windows\System\ckyhQoZ.exe

MD5 11aede532e6ea058ace9f7050a6e4ad6
SHA1 22173599d020bd1035c4815b71dffd4f502add7a
SHA256 d57b163879037714c7214a51b0ac09620165d6764b43c59a8c75c237c99fdf8d
SHA512 f63ac451650eb7d77256d66d1fb74745d4839864957eae032d39f4fc6930e7ee334b5fa0740fb5d2228615a6fd9be6d9f5b30f1773730c90d23158b7c1ba4582

C:\Windows\System\LybKloA.exe

MD5 2751bd774f9215e4e612acc30fb547cf
SHA1 b89611e687c813ee85aa5a0231ad1f86e4e449be
SHA256 8fab97db14885d429e1e5848f4dc99f40b8f5a72035f5f20ae5d6628b96d1a19
SHA512 08cf42d5488c13b1c874b5a730c49b80fcee7b67c96c019e715f3aa7e73bc8acccaa49d5e8e6e28056d27c87105e2f87b26bb6ab6b455809a44635972b030639

C:\Windows\System\TEhUDIO.exe

MD5 ad0c462554b806763991ab65ad474eb0
SHA1 43aed7b16194603a0b42779fdaccf95abc59b76f
SHA256 d4e0a35783ffdeeb8ea903efdd5dc3dc551abaa15452b20162f079f67286e8f7
SHA512 ea3b61ec0b43949e5a0305f714f7b6a11d65cac7cb0dd848e7807bddbaced82c738b8a48d2cb219ebda4573623c3c989c38ec1dbc0ec6f607cd39089b68360a8

C:\Windows\System\fIHfdeM.exe

MD5 e73078f4af07dcadbe2e9dd48f1aeba7
SHA1 b476ea97caf1e464ace08d91b51c7f708b73d6fe
SHA256 019721a714444453944716bc17e9755f9f95cf2b05e8a7f3777a1daefa439338
SHA512 ff9693e6f2753a92029ef31b16d8b7c5a221fcade49c67332b6073a84b5dc1938e9348e20fb3f4c695361ed92061b17f11c5b1e683e6ad3277ed948208989f2a

memory/4804-72-0x00007FF670330000-0x00007FF670684000-memory.dmp

memory/3936-67-0x00007FF601DC0000-0x00007FF602114000-memory.dmp

memory/1528-63-0x00007FF6A00D0000-0x00007FF6A0424000-memory.dmp

memory/5044-60-0x00007FF7F5FB0000-0x00007FF7F6304000-memory.dmp

memory/3224-52-0x00007FF6E8470000-0x00007FF6E87C4000-memory.dmp

memory/4204-47-0x00007FF6899C0000-0x00007FF689D14000-memory.dmp

C:\Windows\System\ARZQWkF.exe

MD5 71246efeea70c79cbac6c53ac79f06a5
SHA1 7a34566d581fd8420d38ca529b76031343a946a4
SHA256 eb53204c5375ea853b9b265953fd65509867f7594e72a7c914f22f0ee756c7e1
SHA512 9bd83c552ae67f8c7076565563bef9d815826ff8ba2ec78852af1c67dd87294fb4bbe6d2e72271ba938c4859a0b08e2ca2ab97c740bc2f94fd73d766ae8a3d64

C:\Windows\System\BOvRnUc.exe

MD5 4229af1f5667f9577c32c87158ac562f
SHA1 240c3360f55bb8b26cf3f6a5d376d7279ed52f9d
SHA256 f4010374de160d23ad16a89edd967be60f5f04fa5c4d8253a8cf8517892426eb
SHA512 95316f18264ac5b1e940b32a6559377aa89b236c6594be3bb9c0e08cd32e2e7af4fc15ac8ae1ef5e7a3d0fd82267af7ec96a54bff20b50568c4ca733a833cea3

memory/920-28-0x00007FF68A400000-0x00007FF68A754000-memory.dmp

memory/4948-27-0x00007FF7E5830000-0x00007FF7E5B84000-memory.dmp

memory/2452-20-0x00007FF757FB0000-0x00007FF758304000-memory.dmp

memory/5060-119-0x00007FF739670000-0x00007FF7399C4000-memory.dmp

memory/4552-120-0x00007FF7C0B70000-0x00007FF7C0EC4000-memory.dmp

memory/1756-121-0x00007FF630520000-0x00007FF630874000-memory.dmp

memory/2268-122-0x00007FF6C1340000-0x00007FF6C1694000-memory.dmp

memory/1436-124-0x00007FF74FA60000-0x00007FF74FDB4000-memory.dmp

memory/2904-126-0x00007FF6D1890000-0x00007FF6D1BE4000-memory.dmp

memory/628-127-0x00007FF79A340000-0x00007FF79A694000-memory.dmp

memory/5000-125-0x00007FF75BCD0000-0x00007FF75C024000-memory.dmp

memory/3332-123-0x00007FF79C130000-0x00007FF79C484000-memory.dmp

memory/4540-128-0x00007FF7C2080000-0x00007FF7C23D4000-memory.dmp

memory/3932-129-0x00007FF7A2E80000-0x00007FF7A31D4000-memory.dmp

memory/3192-130-0x00007FF629330000-0x00007FF629684000-memory.dmp

memory/4948-131-0x00007FF7E5830000-0x00007FF7E5B84000-memory.dmp

memory/920-132-0x00007FF68A400000-0x00007FF68A754000-memory.dmp

memory/1528-133-0x00007FF6A00D0000-0x00007FF6A0424000-memory.dmp

memory/3936-134-0x00007FF601DC0000-0x00007FF602114000-memory.dmp

memory/4804-135-0x00007FF670330000-0x00007FF670684000-memory.dmp

memory/3932-136-0x00007FF7A2E80000-0x00007FF7A31D4000-memory.dmp

memory/3192-137-0x00007FF629330000-0x00007FF629684000-memory.dmp

memory/2452-138-0x00007FF757FB0000-0x00007FF758304000-memory.dmp

memory/4948-139-0x00007FF7E5830000-0x00007FF7E5B84000-memory.dmp

memory/920-140-0x00007FF68A400000-0x00007FF68A754000-memory.dmp

memory/4204-141-0x00007FF6899C0000-0x00007FF689D14000-memory.dmp

memory/3224-142-0x00007FF6E8470000-0x00007FF6E87C4000-memory.dmp

memory/5044-143-0x00007FF7F5FB0000-0x00007FF7F6304000-memory.dmp

memory/4896-144-0x00007FF627A50000-0x00007FF627DA4000-memory.dmp

memory/4804-145-0x00007FF670330000-0x00007FF670684000-memory.dmp

memory/1528-146-0x00007FF6A00D0000-0x00007FF6A0424000-memory.dmp

memory/4552-150-0x00007FF7C0B70000-0x00007FF7C0EC4000-memory.dmp

memory/5060-151-0x00007FF739670000-0x00007FF7399C4000-memory.dmp

memory/1436-153-0x00007FF74FA60000-0x00007FF74FDB4000-memory.dmp

memory/3332-152-0x00007FF79C130000-0x00007FF79C484000-memory.dmp

memory/1756-149-0x00007FF630520000-0x00007FF630874000-memory.dmp

memory/2268-148-0x00007FF6C1340000-0x00007FF6C1694000-memory.dmp

memory/3936-147-0x00007FF601DC0000-0x00007FF602114000-memory.dmp

memory/628-155-0x00007FF79A340000-0x00007FF79A694000-memory.dmp

memory/5000-154-0x00007FF75BCD0000-0x00007FF75C024000-memory.dmp

memory/2904-156-0x00007FF6D1890000-0x00007FF6D1BE4000-memory.dmp