Malware Analysis Report

2024-10-16 03:08

Sample ID 240608-gvbr6shf31
Target 2024-06-08_e58bd8cc272fe174ed8fefb56d78818b_cobalt-strike_cobaltstrike
SHA256 cddc5acf3291117c12d2349ce4c57a42113ab968aee274303dda47fac483b5e8
Tags
miner upx 0 xmrig cobaltstrike backdoor trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

cddc5acf3291117c12d2349ce4c57a42113ab968aee274303dda47fac483b5e8

Threat Level: Known bad

The file 2024-06-08_e58bd8cc272fe174ed8fefb56d78818b_cobalt-strike_cobaltstrike was found to be: Known bad.

Malicious Activity Summary

miner upx 0 xmrig cobaltstrike backdoor trojan

Detects Reflective DLL injection artifacts

Cobalt Strike reflective loader

Cobaltstrike

XMRig Miner payload

Xmrig family

xmrig

Cobaltstrike family

UPX dump on OEP (original entry point)

Loads dropped DLL

Executes dropped EXE

UPX packed file

Drops file in Windows directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-08 06:07

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike family

cobaltstrike

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Xmrig family

xmrig

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-08 06:07

Reported

2024-06-08 06:09

Platform

win7-20240221-en

Max time kernel

130s

Max time network

145s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-08_e58bd8cc272fe174ed8fefb56d78818b_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A (21 identical matches; no description, indicator, process or target recorded)

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A (21 identical matches; no description, indicator, process or target recorded)

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A (53 identical matches; no description, indicator, process or target recorded)

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A (56 identical matches; no description, indicator, process or target recorded)

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_e58bd8cc272fe174ed8fefb56d78818b_cobalt-strike_cobaltstrike.exe N/A (21 identical matches; only the loading process is recorded)

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A (53 identical matches; no description, indicator, process or target recorded)

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\GBJKDlo.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_e58bd8cc272fe174ed8fefb56d78818b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\WYXObMa.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_e58bd8cc272fe174ed8fefb56d78818b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\YFedHVP.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_e58bd8cc272fe174ed8fefb56d78818b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\iEaWjDk.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_e58bd8cc272fe174ed8fefb56d78818b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\jTYuDih.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_e58bd8cc272fe174ed8fefb56d78818b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\WSvWXzB.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_e58bd8cc272fe174ed8fefb56d78818b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\cJtPjQz.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_e58bd8cc272fe174ed8fefb56d78818b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\qwwYMPf.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_e58bd8cc272fe174ed8fefb56d78818b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\mSVytSq.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_e58bd8cc272fe174ed8fefb56d78818b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\sDNewBY.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_e58bd8cc272fe174ed8fefb56d78818b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\zNuuOXM.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_e58bd8cc272fe174ed8fefb56d78818b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\Oryvgmj.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_e58bd8cc272fe174ed8fefb56d78818b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\lEyKKie.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_e58bd8cc272fe174ed8fefb56d78818b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\TwDNkmv.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_e58bd8cc272fe174ed8fefb56d78818b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\CGdOlhL.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_e58bd8cc272fe174ed8fefb56d78818b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\tPPkXiN.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_e58bd8cc272fe174ed8fefb56d78818b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\KtgeVJD.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_e58bd8cc272fe174ed8fefb56d78818b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\GurRoZY.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_e58bd8cc272fe174ed8fefb56d78818b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\YkorbGt.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_e58bd8cc272fe174ed8fefb56d78818b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ApigdBf.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_e58bd8cc272fe174ed8fefb56d78818b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\OhYrskX.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_e58bd8cc272fe174ed8fefb56d78818b_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_e58bd8cc272fe174ed8fefb56d78818b_cobalt-strike_cobaltstrike.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_e58bd8cc272fe174ed8fefb56d78818b_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1056 wrote to memory of 2076 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_e58bd8cc272fe174ed8fefb56d78818b_cobalt-strike_cobaltstrike.exe C:\Windows\System\YkorbGt.exe
PID 1056 wrote to memory of 2076 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_e58bd8cc272fe174ed8fefb56d78818b_cobalt-strike_cobaltstrike.exe C:\Windows\System\YkorbGt.exe
PID 1056 wrote to memory of 2076 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_e58bd8cc272fe174ed8fefb56d78818b_cobalt-strike_cobaltstrike.exe C:\Windows\System\YkorbGt.exe
PID 1056 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_e58bd8cc272fe174ed8fefb56d78818b_cobalt-strike_cobaltstrike.exe C:\Windows\System\cJtPjQz.exe
PID 1056 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_e58bd8cc272fe174ed8fefb56d78818b_cobalt-strike_cobaltstrike.exe C:\Windows\System\cJtPjQz.exe
PID 1056 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_e58bd8cc272fe174ed8fefb56d78818b_cobalt-strike_cobaltstrike.exe C:\Windows\System\cJtPjQz.exe
PID 1056 wrote to memory of 2424 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_e58bd8cc272fe174ed8fefb56d78818b_cobalt-strike_cobaltstrike.exe C:\Windows\System\qwwYMPf.exe
PID 1056 wrote to memory of 2424 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_e58bd8cc272fe174ed8fefb56d78818b_cobalt-strike_cobaltstrike.exe C:\Windows\System\qwwYMPf.exe
PID 1056 wrote to memory of 2424 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_e58bd8cc272fe174ed8fefb56d78818b_cobalt-strike_cobaltstrike.exe C:\Windows\System\qwwYMPf.exe
PID 1056 wrote to memory of 3064 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_e58bd8cc272fe174ed8fefb56d78818b_cobalt-strike_cobaltstrike.exe C:\Windows\System\ApigdBf.exe
PID 1056 wrote to memory of 3064 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_e58bd8cc272fe174ed8fefb56d78818b_cobalt-strike_cobaltstrike.exe C:\Windows\System\ApigdBf.exe
PID 1056 wrote to memory of 3064 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_e58bd8cc272fe174ed8fefb56d78818b_cobalt-strike_cobaltstrike.exe C:\Windows\System\ApigdBf.exe
PID 1056 wrote to memory of 2608 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_e58bd8cc272fe174ed8fefb56d78818b_cobalt-strike_cobaltstrike.exe C:\Windows\System\zNuuOXM.exe
PID 1056 wrote to memory of 2608 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_e58bd8cc272fe174ed8fefb56d78818b_cobalt-strike_cobaltstrike.exe C:\Windows\System\zNuuOXM.exe
PID 1056 wrote to memory of 2608 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_e58bd8cc272fe174ed8fefb56d78818b_cobalt-strike_cobaltstrike.exe C:\Windows\System\zNuuOXM.exe
PID 1056 wrote to memory of 2456 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_e58bd8cc272fe174ed8fefb56d78818b_cobalt-strike_cobaltstrike.exe C:\Windows\System\WYXObMa.exe
PID 1056 wrote to memory of 2456 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_e58bd8cc272fe174ed8fefb56d78818b_cobalt-strike_cobaltstrike.exe C:\Windows\System\WYXObMa.exe
PID 1056 wrote to memory of 2456 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_e58bd8cc272fe174ed8fefb56d78818b_cobalt-strike_cobaltstrike.exe C:\Windows\System\WYXObMa.exe
PID 1056 wrote to memory of 2340 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_e58bd8cc272fe174ed8fefb56d78818b_cobalt-strike_cobaltstrike.exe C:\Windows\System\Oryvgmj.exe
PID 1056 wrote to memory of 2340 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_e58bd8cc272fe174ed8fefb56d78818b_cobalt-strike_cobaltstrike.exe C:\Windows\System\Oryvgmj.exe
PID 1056 wrote to memory of 2340 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_e58bd8cc272fe174ed8fefb56d78818b_cobalt-strike_cobaltstrike.exe C:\Windows\System\Oryvgmj.exe
PID 1056 wrote to memory of 1540 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_e58bd8cc272fe174ed8fefb56d78818b_cobalt-strike_cobaltstrike.exe C:\Windows\System\mSVytSq.exe
PID 1056 wrote to memory of 1540 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_e58bd8cc272fe174ed8fefb56d78818b_cobalt-strike_cobaltstrike.exe C:\Windows\System\mSVytSq.exe
PID 1056 wrote to memory of 1540 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_e58bd8cc272fe174ed8fefb56d78818b_cobalt-strike_cobaltstrike.exe C:\Windows\System\mSVytSq.exe
PID 1056 wrote to memory of 2660 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_e58bd8cc272fe174ed8fefb56d78818b_cobalt-strike_cobaltstrike.exe C:\Windows\System\YFedHVP.exe
PID 1056 wrote to memory of 2660 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_e58bd8cc272fe174ed8fefb56d78818b_cobalt-strike_cobaltstrike.exe C:\Windows\System\YFedHVP.exe
PID 1056 wrote to memory of 2660 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_e58bd8cc272fe174ed8fefb56d78818b_cobalt-strike_cobaltstrike.exe C:\Windows\System\YFedHVP.exe
PID 1056 wrote to memory of 2380 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_e58bd8cc272fe174ed8fefb56d78818b_cobalt-strike_cobaltstrike.exe C:\Windows\System\OhYrskX.exe
PID 1056 wrote to memory of 2380 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_e58bd8cc272fe174ed8fefb56d78818b_cobalt-strike_cobaltstrike.exe C:\Windows\System\OhYrskX.exe
PID 1056 wrote to memory of 2380 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_e58bd8cc272fe174ed8fefb56d78818b_cobalt-strike_cobaltstrike.exe C:\Windows\System\OhYrskX.exe
PID 1056 wrote to memory of 2332 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_e58bd8cc272fe174ed8fefb56d78818b_cobalt-strike_cobaltstrike.exe C:\Windows\System\iEaWjDk.exe
PID 1056 wrote to memory of 2332 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_e58bd8cc272fe174ed8fefb56d78818b_cobalt-strike_cobaltstrike.exe C:\Windows\System\iEaWjDk.exe
PID 1056 wrote to memory of 2332 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_e58bd8cc272fe174ed8fefb56d78818b_cobalt-strike_cobaltstrike.exe C:\Windows\System\iEaWjDk.exe
PID 1056 wrote to memory of 2376 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_e58bd8cc272fe174ed8fefb56d78818b_cobalt-strike_cobaltstrike.exe C:\Windows\System\TwDNkmv.exe
PID 1056 wrote to memory of 2376 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_e58bd8cc272fe174ed8fefb56d78818b_cobalt-strike_cobaltstrike.exe C:\Windows\System\TwDNkmv.exe
PID 1056 wrote to memory of 2376 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_e58bd8cc272fe174ed8fefb56d78818b_cobalt-strike_cobaltstrike.exe C:\Windows\System\TwDNkmv.exe
PID 1056 wrote to memory of 2800 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_e58bd8cc272fe174ed8fefb56d78818b_cobalt-strike_cobaltstrike.exe C:\Windows\System\CGdOlhL.exe
PID 1056 wrote to memory of 2800 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_e58bd8cc272fe174ed8fefb56d78818b_cobalt-strike_cobaltstrike.exe C:\Windows\System\CGdOlhL.exe
PID 1056 wrote to memory of 2800 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_e58bd8cc272fe174ed8fefb56d78818b_cobalt-strike_cobaltstrike.exe C:\Windows\System\CGdOlhL.exe
PID 1056 wrote to memory of 2944 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_e58bd8cc272fe174ed8fefb56d78818b_cobalt-strike_cobaltstrike.exe C:\Windows\System\tPPkXiN.exe
PID 1056 wrote to memory of 2944 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_e58bd8cc272fe174ed8fefb56d78818b_cobalt-strike_cobaltstrike.exe C:\Windows\System\tPPkXiN.exe
PID 1056 wrote to memory of 2944 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_e58bd8cc272fe174ed8fefb56d78818b_cobalt-strike_cobaltstrike.exe C:\Windows\System\tPPkXiN.exe
PID 1056 wrote to memory of 528 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_e58bd8cc272fe174ed8fefb56d78818b_cobalt-strike_cobaltstrike.exe C:\Windows\System\jTYuDih.exe
PID 1056 wrote to memory of 528 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_e58bd8cc272fe174ed8fefb56d78818b_cobalt-strike_cobaltstrike.exe C:\Windows\System\jTYuDih.exe
PID 1056 wrote to memory of 528 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_e58bd8cc272fe174ed8fefb56d78818b_cobalt-strike_cobaltstrike.exe C:\Windows\System\jTYuDih.exe
PID 1056 wrote to memory of 2316 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_e58bd8cc272fe174ed8fefb56d78818b_cobalt-strike_cobaltstrike.exe C:\Windows\System\lEyKKie.exe
PID 1056 wrote to memory of 2316 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_e58bd8cc272fe174ed8fefb56d78818b_cobalt-strike_cobaltstrike.exe C:\Windows\System\lEyKKie.exe
PID 1056 wrote to memory of 2316 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_e58bd8cc272fe174ed8fefb56d78818b_cobalt-strike_cobaltstrike.exe C:\Windows\System\lEyKKie.exe
PID 1056 wrote to memory of 760 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_e58bd8cc272fe174ed8fefb56d78818b_cobalt-strike_cobaltstrike.exe C:\Windows\System\sDNewBY.exe
PID 1056 wrote to memory of 760 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_e58bd8cc272fe174ed8fefb56d78818b_cobalt-strike_cobaltstrike.exe C:\Windows\System\sDNewBY.exe
PID 1056 wrote to memory of 760 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_e58bd8cc272fe174ed8fefb56d78818b_cobalt-strike_cobaltstrike.exe C:\Windows\System\sDNewBY.exe
PID 1056 wrote to memory of 1320 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_e58bd8cc272fe174ed8fefb56d78818b_cobalt-strike_cobaltstrike.exe C:\Windows\System\WSvWXzB.exe
PID 1056 wrote to memory of 1320 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_e58bd8cc272fe174ed8fefb56d78818b_cobalt-strike_cobaltstrike.exe C:\Windows\System\WSvWXzB.exe
PID 1056 wrote to memory of 1320 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_e58bd8cc272fe174ed8fefb56d78818b_cobalt-strike_cobaltstrike.exe C:\Windows\System\WSvWXzB.exe
PID 1056 wrote to memory of 904 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_e58bd8cc272fe174ed8fefb56d78818b_cobalt-strike_cobaltstrike.exe C:\Windows\System\GBJKDlo.exe
PID 1056 wrote to memory of 904 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_e58bd8cc272fe174ed8fefb56d78818b_cobalt-strike_cobaltstrike.exe C:\Windows\System\GBJKDlo.exe
PID 1056 wrote to memory of 904 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_e58bd8cc272fe174ed8fefb56d78818b_cobalt-strike_cobaltstrike.exe C:\Windows\System\GBJKDlo.exe
PID 1056 wrote to memory of 1212 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_e58bd8cc272fe174ed8fefb56d78818b_cobalt-strike_cobaltstrike.exe C:\Windows\System\KtgeVJD.exe
PID 1056 wrote to memory of 1212 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_e58bd8cc272fe174ed8fefb56d78818b_cobalt-strike_cobaltstrike.exe C:\Windows\System\KtgeVJD.exe
PID 1056 wrote to memory of 1212 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_e58bd8cc272fe174ed8fefb56d78818b_cobalt-strike_cobaltstrike.exe C:\Windows\System\KtgeVJD.exe
PID 1056 wrote to memory of 1488 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_e58bd8cc272fe174ed8fefb56d78818b_cobalt-strike_cobaltstrike.exe C:\Windows\System\GurRoZY.exe
PID 1056 wrote to memory of 1488 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_e58bd8cc272fe174ed8fefb56d78818b_cobalt-strike_cobaltstrike.exe C:\Windows\System\GurRoZY.exe
PID 1056 wrote to memory of 1488 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_e58bd8cc272fe174ed8fefb56d78818b_cobalt-strike_cobaltstrike.exe C:\Windows\System\GurRoZY.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-08_e58bd8cc272fe174ed8fefb56d78818b_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-08_e58bd8cc272fe174ed8fefb56d78818b_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\YkorbGt.exe

C:\Windows\System\YkorbGt.exe

C:\Windows\System\cJtPjQz.exe

C:\Windows\System\cJtPjQz.exe

C:\Windows\System\qwwYMPf.exe

C:\Windows\System\qwwYMPf.exe

C:\Windows\System\ApigdBf.exe

C:\Windows\System\ApigdBf.exe

C:\Windows\System\zNuuOXM.exe

C:\Windows\System\zNuuOXM.exe

C:\Windows\System\WYXObMa.exe

C:\Windows\System\WYXObMa.exe

C:\Windows\System\Oryvgmj.exe

C:\Windows\System\Oryvgmj.exe

C:\Windows\System\mSVytSq.exe

C:\Windows\System\mSVytSq.exe

C:\Windows\System\YFedHVP.exe

C:\Windows\System\YFedHVP.exe

C:\Windows\System\OhYrskX.exe

C:\Windows\System\OhYrskX.exe

C:\Windows\System\iEaWjDk.exe

C:\Windows\System\iEaWjDk.exe

C:\Windows\System\TwDNkmv.exe

C:\Windows\System\TwDNkmv.exe

C:\Windows\System\CGdOlhL.exe

C:\Windows\System\CGdOlhL.exe

C:\Windows\System\tPPkXiN.exe

C:\Windows\System\tPPkXiN.exe

C:\Windows\System\jTYuDih.exe

C:\Windows\System\jTYuDih.exe

C:\Windows\System\lEyKKie.exe

C:\Windows\System\lEyKKie.exe

C:\Windows\System\sDNewBY.exe

C:\Windows\System\sDNewBY.exe

C:\Windows\System\WSvWXzB.exe

C:\Windows\System\WSvWXzB.exe

C:\Windows\System\GBJKDlo.exe

C:\Windows\System\GBJKDlo.exe

C:\Windows\System\KtgeVJD.exe

C:\Windows\System\KtgeVJD.exe

C:\Windows\System\GurRoZY.exe

C:\Windows\System\GurRoZY.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp

Files

memory/1056-0-0x000000013F510000-0x000000013F864000-memory.dmp

memory/1056-1-0x00000000001F0000-0x0000000000200000-memory.dmp

C:\Windows\system\YkorbGt.exe

MD5 646f16b26ea9eca4f4afce3133d19778
SHA1 06d3ec494ceb53790110c0b35ee19baa57003152
SHA256 337c3dd73fcea860d8b04097c3ae08b22029857a4fd338e751a0477f6aa7d871
SHA512 f46a769c9410703d67bff46be530301cfcaf126868a15889dd403ebf126f3d5c32fc8b6fe5bbd1da13b380085f210a461b6b5d2b119a72b121127f66ced97ff3

C:\Windows\system\cJtPjQz.exe

MD5 a2900bbd2cc238f6248d1af2aa048702
SHA1 a9b7b31cca27479222d8e35a2f8fa19a91713943
SHA256 981bd95330372cc41563896aa6d48a1b399e34783cd2ad8a4d1ee7d667e2bc84
SHA512 7770e4d6b0e648b190f0dc177fbcf67ab48c9acc3be9b8222b713e48071cf23a0e7bb89e922ff3d2ee507dca26327dc42cc913a1effb1338aacf7fe87ff02541

memory/1056-22-0x000000013F0E0000-0x000000013F434000-memory.dmp

memory/1056-14-0x0000000002270000-0x00000000025C4000-memory.dmp

\Windows\system\ApigdBf.exe

MD5 83e3a8bf4d41651c7a5d6408dfcd22d8
SHA1 d1aaa7e090b72c84c825e7efc291427498b20f2e
SHA256 b70e56832fe7e39da4f8c0791c2c7c6eeeddc874d0c07288df0d8e39c2d987f4
SHA512 80b28d48b0134ffc1c9fd49f3f6f43083ab2ace0e8f70e90cc9a111c5f4e5b6c5cafd62ecdb592e61cee9b080949ac87217ddf39590e01b5cf97b9b1d595efe4

memory/3064-29-0x000000013F4B0000-0x000000013F804000-memory.dmp

memory/760-114-0x000000013F9A0000-0x000000013FCF4000-memory.dmp

C:\Windows\system\KtgeVJD.exe

MD5 7d1166941b20222674bb4ad14b70c655
SHA1 fccde62356efd30216042d9cc8e97114a259111c
SHA256 5b19e3f9b5ad2cb34de1da57334cdfe1c68ebf461f6bf1a38a484a15269490ea
SHA512 c1f8baaa3c33cfec26008841b8e71478eedee41d07ad7f1d9d8d882d8a982ab4b2be50ac9020537d1ce5704a1a4a0ed31a280e369d14f1a5c5bf7c31b859fb4c

memory/1056-109-0x000000013FA30000-0x000000013FD84000-memory.dmp

\Windows\system\WSvWXzB.exe

MD5 cecc25eeabe773e63b558a690deb3209
SHA1 f63f1186b8c9eee571f2359a458670338ea8f983
SHA256 54f0f5486c0d920a737fba3f69d384d38049fe17580ddc97028f0fe81482df26
SHA512 534fad44e5fdcbfdd63c3f7100c7cb12fc912c13bf578c47cb1796bdb3d8dfc6d915caea6b3d9dfe0b1d251dab3e999dc926753078d1cb6f6f315e0f99c54d7b

memory/1056-89-0x0000000002270000-0x00000000025C4000-memory.dmp

C:\Windows\system\jTYuDih.exe

MD5 b5bd43b896a26ec72b8ee4297c426a12
SHA1 b14b1b820e0a5ddcbbb9a5eca9ea9973f86da148
SHA256 32bba546ed66fc9723b4d24603e3355992c05403fc5085bc0d132cdd83c47f98
SHA512 44e66aab0752c7451c8e6df09d2de83dfd6d924e75683360f3ec6339275a60672cd9cd7887f710776809220c3cd84bae436e802d822f9acfc00af4f8a375e7f5

\Windows\system\lEyKKie.exe

MD5 09459679c80159947bc92016e3a1f5c8
SHA1 a023e474f3a51d057f2ce999375a9eff9776df0d
SHA256 b204431d57adfa2d50135c187c2b5f1cea72c0b2301f3657bdea7bf9e62ad453
SHA512 ecc951139b846441352e4ff8dd8b20a1277df77896b7e5b7876fff9f71c16f5124d42dd4455f9362d85902482c18a7dadb2672858cec9ec7bceabb8bd1b0f85a

memory/1056-80-0x000000013F140000-0x000000013F494000-memory.dmp

memory/2660-79-0x000000013F090000-0x000000013F3E4000-memory.dmp

\Windows\system\tPPkXiN.exe

MD5 89477a9ffee171680181c9af5c77f216
SHA1 fffb9c70357d871ed7b32e49b0dd067ff1923407
SHA256 39d9c2e01a9ad0b299dffb0549ed9041afcaec78cb3810a49413ac2b51538836
SHA512 dcb63469c67149b8dd4e9f97db16233362875e4b33898bbdc2cb6e8e04e47957a8e500df068942b91ce336359e2afff07948add2826b6d2f43ecb31e9b6b048c

memory/2332-70-0x000000013F740000-0x000000013FA94000-memory.dmp

\Windows\system\TwDNkmv.exe

MD5 6b487c5d8301816f994156859cbcc918
SHA1 e4ec67171a68c8d2865fc7cb5d231437e2dc0dc1
SHA256 71e0e2d45cea6b5a9198bb6b6a55a7b42eb4640036bfc6deb31fc64432bb1663
SHA512 aec0d9a4e68aa0c94b5c9a57d992af29e17309c5fc34cee3943025e291d70cf2571af954e3a989b6ce35c59441fa51116605cb3b4943be9b3a7f8ccd2a474216

\Windows\system\OhYrskX.exe

MD5 747086e78209f05943bf3910ff579dda
SHA1 087e1a813b9efc38e1aa67870f668472f745fa2c
SHA256 3806fbcf55c2556b529ab1e15ee9d8d2614f070bf728df237bd667b8de17bb55
SHA512 6207532ac3e0797840e0f2d7a4512b5e95d3031bd2fb095904dfb7432ee04f4f61c41d8a703d83115f479e4459d2442003344b2c0a9fd5ed55151b8e7727668d

C:\Windows\system\WYXObMa.exe

MD5 428f0d7edf6f6ed798d59f75b158cbcd
SHA1 2c3a826ac12140658b38a67fec550cad53cda311
SHA256 a0de8e02f5e661cc587ff9992c37b0f1db77889e44b07c14cb61f36cdf00fa33
SHA512 1c48d9235f72d27d7ba8500998e9dc61ab248acbb280e0cde5fc5425e174b9d9e1f9378f9a9888f9ae74b5d5fb982752d3f2593a1583b2a448b38a2f889d0b79

\Windows\system\mSVytSq.exe

MD5 a64e1b62c39beabc23a06dceaa3b8ff0
SHA1 68eb70a7d56b54be3c456063c8187a0681305604
SHA256 44236950283c421872b013aca49e6cad3151b841607fb3e476dae0dc5605afb5
SHA512 9835983a414a4038ca85d91964d6a400b09dad20b4bd91b31ef734adc6010998d79f52829e7dbc95d1ed87d233d8ab3f07de73e7fdc17b7b8c26ab6bce6bbea1

memory/2608-40-0x000000013F5B0000-0x000000013F904000-memory.dmp

memory/1056-38-0x0000000002270000-0x00000000025C4000-memory.dmp

memory/1056-113-0x000000013F9A0000-0x000000013FCF4000-memory.dmp

C:\Windows\system\GurRoZY.exe


Analysis: behavioral2

Detonation Overview

Submitted

2024-06-08 06:07

Reported

2024-06-08 06:09

Platform

win10v2004-20240508-en

Max time kernel

148s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-08_e58bd8cc272fe174ed8fefb56d78818b_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\kaMiKeg.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_e58bd8cc272fe174ed8fefb56d78818b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\BaEWJek.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_e58bd8cc272fe174ed8fefb56d78818b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\MFQzjwq.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_e58bd8cc272fe174ed8fefb56d78818b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\KiiYcTr.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_e58bd8cc272fe174ed8fefb56d78818b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\CNaXBIR.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_e58bd8cc272fe174ed8fefb56d78818b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\rwykzPi.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_e58bd8cc272fe174ed8fefb56d78818b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\UdgRYmW.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_e58bd8cc272fe174ed8fefb56d78818b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\FmEWLdi.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_e58bd8cc272fe174ed8fefb56d78818b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\UkFHbnR.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_e58bd8cc272fe174ed8fefb56d78818b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\NsUnirQ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_e58bd8cc272fe174ed8fefb56d78818b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\mDTlvan.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_e58bd8cc272fe174ed8fefb56d78818b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\HabbCce.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_e58bd8cc272fe174ed8fefb56d78818b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\miZHQEC.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_e58bd8cc272fe174ed8fefb56d78818b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ftrZvGP.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_e58bd8cc272fe174ed8fefb56d78818b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\QmMmTCF.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_e58bd8cc272fe174ed8fefb56d78818b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\SgVSgsJ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_e58bd8cc272fe174ed8fefb56d78818b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\PYnnljd.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_e58bd8cc272fe174ed8fefb56d78818b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\OSRTLbW.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_e58bd8cc272fe174ed8fefb56d78818b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\xSjLAjX.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_e58bd8cc272fe174ed8fefb56d78818b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\WwMxuTO.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_e58bd8cc272fe174ed8fefb56d78818b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\eYsHhFN.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_e58bd8cc272fe174ed8fefb56d78818b_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_e58bd8cc272fe174ed8fefb56d78818b_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2064 wrote to memory of 2452 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_e58bd8cc272fe174ed8fefb56d78818b_cobalt-strike_cobaltstrike.exe C:\Windows\System\HabbCce.exe
PID 2064 wrote to memory of 3216 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_e58bd8cc272fe174ed8fefb56d78818b_cobalt-strike_cobaltstrike.exe C:\Windows\System\miZHQEC.exe
PID 2064 wrote to memory of 696 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_e58bd8cc272fe174ed8fefb56d78818b_cobalt-strike_cobaltstrike.exe C:\Windows\System\ftrZvGP.exe
PID 2064 wrote to memory of 4252 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_e58bd8cc272fe174ed8fefb56d78818b_cobalt-strike_cobaltstrike.exe C:\Windows\System\KiiYcTr.exe
PID 2064 wrote to memory of 4088 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_e58bd8cc272fe174ed8fefb56d78818b_cobalt-strike_cobaltstrike.exe C:\Windows\System\OSRTLbW.exe
PID 2064 wrote to memory of 2516 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_e58bd8cc272fe174ed8fefb56d78818b_cobalt-strike_cobaltstrike.exe C:\Windows\System\CNaXBIR.exe
PID 2064 wrote to memory of 4016 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_e58bd8cc272fe174ed8fefb56d78818b_cobalt-strike_cobaltstrike.exe C:\Windows\System\QmMmTCF.exe
PID 2064 wrote to memory of 3048 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_e58bd8cc272fe174ed8fefb56d78818b_cobalt-strike_cobaltstrike.exe C:\Windows\System\xSjLAjX.exe
PID 2064 wrote to memory of 3288 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_e58bd8cc272fe174ed8fefb56d78818b_cobalt-strike_cobaltstrike.exe C:\Windows\System\WwMxuTO.exe
PID 2064 wrote to memory of 3700 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_e58bd8cc272fe174ed8fefb56d78818b_cobalt-strike_cobaltstrike.exe C:\Windows\System\rwykzPi.exe
PID 2064 wrote to memory of 1744 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_e58bd8cc272fe174ed8fefb56d78818b_cobalt-strike_cobaltstrike.exe C:\Windows\System\SgVSgsJ.exe
PID 2064 wrote to memory of 2056 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_e58bd8cc272fe174ed8fefb56d78818b_cobalt-strike_cobaltstrike.exe C:\Windows\System\UdgRYmW.exe
PID 2064 wrote to memory of 1680 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_e58bd8cc272fe174ed8fefb56d78818b_cobalt-strike_cobaltstrike.exe C:\Windows\System\eYsHhFN.exe
PID 2064 wrote to memory of 5100 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_e58bd8cc272fe174ed8fefb56d78818b_cobalt-strike_cobaltstrike.exe C:\Windows\System\PYnnljd.exe
PID 2064 wrote to memory of 2528 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_e58bd8cc272fe174ed8fefb56d78818b_cobalt-strike_cobaltstrike.exe C:\Windows\System\FmEWLdi.exe
PID 2064 wrote to memory of 1668 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_e58bd8cc272fe174ed8fefb56d78818b_cobalt-strike_cobaltstrike.exe C:\Windows\System\kaMiKeg.exe
PID 2064 wrote to memory of 444 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_e58bd8cc272fe174ed8fefb56d78818b_cobalt-strike_cobaltstrike.exe C:\Windows\System\NsUnirQ.exe
PID 2064 wrote to memory of 4840 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_e58bd8cc272fe174ed8fefb56d78818b_cobalt-strike_cobaltstrike.exe C:\Windows\System\UkFHbnR.exe
PID 2064 wrote to memory of 2392 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_e58bd8cc272fe174ed8fefb56d78818b_cobalt-strike_cobaltstrike.exe C:\Windows\System\MFQzjwq.exe
PID 2064 wrote to memory of 3832 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_e58bd8cc272fe174ed8fefb56d78818b_cobalt-strike_cobaltstrike.exe C:\Windows\System\mDTlvan.exe
PID 2064 wrote to memory of 1944 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_e58bd8cc272fe174ed8fefb56d78818b_cobalt-strike_cobaltstrike.exe C:\Windows\System\BaEWJek.exe

Processes

Process Command Line
C:\Users\Admin\AppData\Local\Temp\2024-06-08_e58bd8cc272fe174ed8fefb56d78818b_cobalt-strike_cobaltstrike.exe "C:\Users\Admin\AppData\Local\Temp\2024-06-08_e58bd8cc272fe174ed8fefb56d78818b_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\HabbCce.exe C:\Windows\System\HabbCce.exe
C:\Windows\System\miZHQEC.exe C:\Windows\System\miZHQEC.exe
C:\Windows\System\ftrZvGP.exe C:\Windows\System\ftrZvGP.exe
C:\Windows\System\KiiYcTr.exe C:\Windows\System\KiiYcTr.exe
C:\Windows\System\OSRTLbW.exe C:\Windows\System\OSRTLbW.exe
C:\Windows\System\CNaXBIR.exe C:\Windows\System\CNaXBIR.exe
C:\Windows\System\QmMmTCF.exe C:\Windows\System\QmMmTCF.exe
C:\Windows\System\xSjLAjX.exe C:\Windows\System\xSjLAjX.exe
C:\Windows\System\WwMxuTO.exe C:\Windows\System\WwMxuTO.exe
C:\Windows\System\rwykzPi.exe C:\Windows\System\rwykzPi.exe
C:\Windows\System\SgVSgsJ.exe C:\Windows\System\SgVSgsJ.exe
C:\Windows\System\UdgRYmW.exe C:\Windows\System\UdgRYmW.exe
C:\Windows\System\eYsHhFN.exe C:\Windows\System\eYsHhFN.exe
C:\Windows\System\PYnnljd.exe C:\Windows\System\PYnnljd.exe
C:\Windows\System\FmEWLdi.exe C:\Windows\System\FmEWLdi.exe
C:\Windows\System\kaMiKeg.exe C:\Windows\System\kaMiKeg.exe
C:\Windows\System\NsUnirQ.exe C:\Windows\System\NsUnirQ.exe
C:\Windows\System\UkFHbnR.exe C:\Windows\System\UkFHbnR.exe
C:\Windows\System\MFQzjwq.exe C:\Windows\System\MFQzjwq.exe
C:\Windows\System\mDTlvan.exe C:\Windows\System\mDTlvan.exe
C:\Windows\System\BaEWJek.exe C:\Windows\System\BaEWJek.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
US 52.111.229.43:443 tcp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 200.201.50.20.in-addr.arpa udp

Files
