Malware Analysis Report

2025-01-22 19:39

Sample ID 240601-bthw7scg6x
Target 2024-06-01_05a38a41904d6f7af9ef1e46a066ddd1_cobalt-strike_cobaltstrike
SHA256 097e368f8c0e0d3c1526fe2bf8165507a2392ec0fba5a12fec4e5da2879f7d7f
Tags
cobaltstrike xmrig 0 backdoor miner trojan upx
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256

097e368f8c0e0d3c1526fe2bf8165507a2392ec0fba5a12fec4e5da2879f7d7f

Threat Level: Known bad

The file 2024-06-01_05a38a41904d6f7af9ef1e46a066ddd1_cobalt-strike_cobaltstrike was found to be: Known bad.

Malicious Activity Summary

cobaltstrike xmrig 0 backdoor miner trojan upx

Cobaltstrike family

XMRig Miner payload

xmrig

Xmrig family

Cobaltstrike

Cobalt Strike reflective loader

Detects Reflective DLL injection artifacts

UPX dump on OEP (original entry point)

UPX packed file

Executes dropped EXE

Loads dropped DLL

Drops file in Windows directory

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-01 01:26

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike family

cobaltstrike

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

XMRig Miner payload

miner

Description Indicator Process Target
N/A N/A N/A N/A

Xmrig family

xmrig

UPX packed file

upx

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-01 01:26

Reported

2024-06-01 01:28

Platform

win7-20240508-en

Max time kernel

144s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-01_05a38a41904d6f7af9ef1e46a066ddd1_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

XMRig Miner payload

miner

Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_05a38a41904d6f7af9ef1e46a066ddd1_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_05a38a41904d6f7af9ef1e46a066ddd1_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_05a38a41904d6f7af9ef1e46a066ddd1_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_05a38a41904d6f7af9ef1e46a066ddd1_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_05a38a41904d6f7af9ef1e46a066ddd1_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_05a38a41904d6f7af9ef1e46a066ddd1_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_05a38a41904d6f7af9ef1e46a066ddd1_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_05a38a41904d6f7af9ef1e46a066ddd1_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_05a38a41904d6f7af9ef1e46a066ddd1_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_05a38a41904d6f7af9ef1e46a066ddd1_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_05a38a41904d6f7af9ef1e46a066ddd1_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_05a38a41904d6f7af9ef1e46a066ddd1_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_05a38a41904d6f7af9ef1e46a066ddd1_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_05a38a41904d6f7af9ef1e46a066ddd1_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_05a38a41904d6f7af9ef1e46a066ddd1_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_05a38a41904d6f7af9ef1e46a066ddd1_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_05a38a41904d6f7af9ef1e46a066ddd1_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_05a38a41904d6f7af9ef1e46a066ddd1_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_05a38a41904d6f7af9ef1e46a066ddd1_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_05a38a41904d6f7af9ef1e46a066ddd1_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_05a38a41904d6f7af9ef1e46a066ddd1_cobalt-strike_cobaltstrike.exe N/A

UPX packed file

upx

Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\Rcfozfl.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_05a38a41904d6f7af9ef1e46a066ddd1_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\sBLJRtI.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_05a38a41904d6f7af9ef1e46a066ddd1_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\rMsjTHr.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_05a38a41904d6f7af9ef1e46a066ddd1_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\xIrlONw.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_05a38a41904d6f7af9ef1e46a066ddd1_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\gfQNwCi.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_05a38a41904d6f7af9ef1e46a066ddd1_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\riqFOCH.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_05a38a41904d6f7af9ef1e46a066ddd1_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\xAkDMud.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_05a38a41904d6f7af9ef1e46a066ddd1_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\yALrgGu.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_05a38a41904d6f7af9ef1e46a066ddd1_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\jYWvaWR.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_05a38a41904d6f7af9ef1e46a066ddd1_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\srFjmjD.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_05a38a41904d6f7af9ef1e46a066ddd1_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\oEFNqxn.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_05a38a41904d6f7af9ef1e46a066ddd1_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\gAwOWWD.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_05a38a41904d6f7af9ef1e46a066ddd1_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\EmqJphz.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_05a38a41904d6f7af9ef1e46a066ddd1_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\szYZCrE.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_05a38a41904d6f7af9ef1e46a066ddd1_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\zrDTFTb.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_05a38a41904d6f7af9ef1e46a066ddd1_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\PRggXTW.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_05a38a41904d6f7af9ef1e46a066ddd1_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\HDhfZIG.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_05a38a41904d6f7af9ef1e46a066ddd1_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\FcmJkjK.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_05a38a41904d6f7af9ef1e46a066ddd1_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\KybiJSJ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_05a38a41904d6f7af9ef1e46a066ddd1_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\TzgBkDI.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_05a38a41904d6f7af9ef1e46a066ddd1_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\HQagaED.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_05a38a41904d6f7af9ef1e46a066ddd1_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_05a38a41904d6f7af9ef1e46a066ddd1_cobalt-strike_cobaltstrike.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_05a38a41904d6f7af9ef1e46a066ddd1_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1276 wrote to memory of 2008 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_05a38a41904d6f7af9ef1e46a066ddd1_cobalt-strike_cobaltstrike.exe C:\Windows\System\xAkDMud.exe
PID 1276 wrote to memory of 2008 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_05a38a41904d6f7af9ef1e46a066ddd1_cobalt-strike_cobaltstrike.exe C:\Windows\System\xAkDMud.exe
PID 1276 wrote to memory of 2008 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_05a38a41904d6f7af9ef1e46a066ddd1_cobalt-strike_cobaltstrike.exe C:\Windows\System\xAkDMud.exe
PID 1276 wrote to memory of 3000 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_05a38a41904d6f7af9ef1e46a066ddd1_cobalt-strike_cobaltstrike.exe C:\Windows\System\EmqJphz.exe
PID 1276 wrote to memory of 3000 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_05a38a41904d6f7af9ef1e46a066ddd1_cobalt-strike_cobaltstrike.exe C:\Windows\System\EmqJphz.exe
PID 1276 wrote to memory of 3000 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_05a38a41904d6f7af9ef1e46a066ddd1_cobalt-strike_cobaltstrike.exe C:\Windows\System\EmqJphz.exe
PID 1276 wrote to memory of 3040 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_05a38a41904d6f7af9ef1e46a066ddd1_cobalt-strike_cobaltstrike.exe C:\Windows\System\yALrgGu.exe
PID 1276 wrote to memory of 3040 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_05a38a41904d6f7af9ef1e46a066ddd1_cobalt-strike_cobaltstrike.exe C:\Windows\System\yALrgGu.exe
PID 1276 wrote to memory of 3040 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_05a38a41904d6f7af9ef1e46a066ddd1_cobalt-strike_cobaltstrike.exe C:\Windows\System\yALrgGu.exe
PID 1276 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_05a38a41904d6f7af9ef1e46a066ddd1_cobalt-strike_cobaltstrike.exe C:\Windows\System\FcmJkjK.exe
PID 1276 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_05a38a41904d6f7af9ef1e46a066ddd1_cobalt-strike_cobaltstrike.exe C:\Windows\System\FcmJkjK.exe
PID 1276 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_05a38a41904d6f7af9ef1e46a066ddd1_cobalt-strike_cobaltstrike.exe C:\Windows\System\FcmJkjK.exe
PID 1276 wrote to memory of 2844 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_05a38a41904d6f7af9ef1e46a066ddd1_cobalt-strike_cobaltstrike.exe C:\Windows\System\szYZCrE.exe
PID 1276 wrote to memory of 2844 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_05a38a41904d6f7af9ef1e46a066ddd1_cobalt-strike_cobaltstrike.exe C:\Windows\System\szYZCrE.exe
PID 1276 wrote to memory of 2844 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_05a38a41904d6f7af9ef1e46a066ddd1_cobalt-strike_cobaltstrike.exe C:\Windows\System\szYZCrE.exe
PID 1276 wrote to memory of 2840 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_05a38a41904d6f7af9ef1e46a066ddd1_cobalt-strike_cobaltstrike.exe C:\Windows\System\zrDTFTb.exe
PID 1276 wrote to memory of 2840 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_05a38a41904d6f7af9ef1e46a066ddd1_cobalt-strike_cobaltstrike.exe C:\Windows\System\zrDTFTb.exe
PID 1276 wrote to memory of 2840 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_05a38a41904d6f7af9ef1e46a066ddd1_cobalt-strike_cobaltstrike.exe C:\Windows\System\zrDTFTb.exe
PID 1276 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_05a38a41904d6f7af9ef1e46a066ddd1_cobalt-strike_cobaltstrike.exe C:\Windows\System\KybiJSJ.exe
PID 1276 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_05a38a41904d6f7af9ef1e46a066ddd1_cobalt-strike_cobaltstrike.exe C:\Windows\System\KybiJSJ.exe
PID 1276 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_05a38a41904d6f7af9ef1e46a066ddd1_cobalt-strike_cobaltstrike.exe C:\Windows\System\KybiJSJ.exe
PID 1276 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_05a38a41904d6f7af9ef1e46a066ddd1_cobalt-strike_cobaltstrike.exe C:\Windows\System\sBLJRtI.exe
PID 1276 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_05a38a41904d6f7af9ef1e46a066ddd1_cobalt-strike_cobaltstrike.exe C:\Windows\System\sBLJRtI.exe
PID 1276 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_05a38a41904d6f7af9ef1e46a066ddd1_cobalt-strike_cobaltstrike.exe C:\Windows\System\sBLJRtI.exe
PID 1276 wrote to memory of 2480 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_05a38a41904d6f7af9ef1e46a066ddd1_cobalt-strike_cobaltstrike.exe C:\Windows\System\jYWvaWR.exe
PID 1276 wrote to memory of 2480 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_05a38a41904d6f7af9ef1e46a066ddd1_cobalt-strike_cobaltstrike.exe C:\Windows\System\jYWvaWR.exe
PID 1276 wrote to memory of 2480 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_05a38a41904d6f7af9ef1e46a066ddd1_cobalt-strike_cobaltstrike.exe C:\Windows\System\jYWvaWR.exe
PID 1276 wrote to memory of 2540 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_05a38a41904d6f7af9ef1e46a066ddd1_cobalt-strike_cobaltstrike.exe C:\Windows\System\TzgBkDI.exe
PID 1276 wrote to memory of 2540 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_05a38a41904d6f7af9ef1e46a066ddd1_cobalt-strike_cobaltstrike.exe C:\Windows\System\TzgBkDI.exe
PID 1276 wrote to memory of 2540 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_05a38a41904d6f7af9ef1e46a066ddd1_cobalt-strike_cobaltstrike.exe C:\Windows\System\TzgBkDI.exe
PID 1276 wrote to memory of 2928 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_05a38a41904d6f7af9ef1e46a066ddd1_cobalt-strike_cobaltstrike.exe C:\Windows\System\rMsjTHr.exe
PID 1276 wrote to memory of 2928 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_05a38a41904d6f7af9ef1e46a066ddd1_cobalt-strike_cobaltstrike.exe C:\Windows\System\rMsjTHr.exe
PID 1276 wrote to memory of 2928 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_05a38a41904d6f7af9ef1e46a066ddd1_cobalt-strike_cobaltstrike.exe C:\Windows\System\rMsjTHr.exe
PID 1276 wrote to memory of 2288 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_05a38a41904d6f7af9ef1e46a066ddd1_cobalt-strike_cobaltstrike.exe C:\Windows\System\xIrlONw.exe
PID 1276 wrote to memory of 2288 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_05a38a41904d6f7af9ef1e46a066ddd1_cobalt-strike_cobaltstrike.exe C:\Windows\System\xIrlONw.exe
PID 1276 wrote to memory of 2288 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_05a38a41904d6f7af9ef1e46a066ddd1_cobalt-strike_cobaltstrike.exe C:\Windows\System\xIrlONw.exe
PID 1276 wrote to memory of 1868 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_05a38a41904d6f7af9ef1e46a066ddd1_cobalt-strike_cobaltstrike.exe C:\Windows\System\HQagaED.exe
PID 1276 wrote to memory of 1868 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_05a38a41904d6f7af9ef1e46a066ddd1_cobalt-strike_cobaltstrike.exe C:\Windows\System\HQagaED.exe
PID 1276 wrote to memory of 1868 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_05a38a41904d6f7af9ef1e46a066ddd1_cobalt-strike_cobaltstrike.exe C:\Windows\System\HQagaED.exe
PID 1276 wrote to memory of 812 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_05a38a41904d6f7af9ef1e46a066ddd1_cobalt-strike_cobaltstrike.exe C:\Windows\System\gfQNwCi.exe
PID 1276 wrote to memory of 812 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_05a38a41904d6f7af9ef1e46a066ddd1_cobalt-strike_cobaltstrike.exe C:\Windows\System\gfQNwCi.exe
PID 1276 wrote to memory of 812 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_05a38a41904d6f7af9ef1e46a066ddd1_cobalt-strike_cobaltstrike.exe C:\Windows\System\gfQNwCi.exe
PID 1276 wrote to memory of 2524 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_05a38a41904d6f7af9ef1e46a066ddd1_cobalt-strike_cobaltstrike.exe C:\Windows\System\PRggXTW.exe
PID 1276 wrote to memory of 2524 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_05a38a41904d6f7af9ef1e46a066ddd1_cobalt-strike_cobaltstrike.exe C:\Windows\System\PRggXTW.exe
PID 1276 wrote to memory of 2524 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_05a38a41904d6f7af9ef1e46a066ddd1_cobalt-strike_cobaltstrike.exe C:\Windows\System\PRggXTW.exe
PID 1276 wrote to memory of 2640 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_05a38a41904d6f7af9ef1e46a066ddd1_cobalt-strike_cobaltstrike.exe C:\Windows\System\HDhfZIG.exe
PID 1276 wrote to memory of 2640 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_05a38a41904d6f7af9ef1e46a066ddd1_cobalt-strike_cobaltstrike.exe C:\Windows\System\HDhfZIG.exe
PID 1276 wrote to memory of 2640 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_05a38a41904d6f7af9ef1e46a066ddd1_cobalt-strike_cobaltstrike.exe C:\Windows\System\HDhfZIG.exe
PID 1276 wrote to memory of 2768 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_05a38a41904d6f7af9ef1e46a066ddd1_cobalt-strike_cobaltstrike.exe C:\Windows\System\riqFOCH.exe
PID 1276 wrote to memory of 2768 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_05a38a41904d6f7af9ef1e46a066ddd1_cobalt-strike_cobaltstrike.exe C:\Windows\System\riqFOCH.exe
PID 1276 wrote to memory of 2768 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_05a38a41904d6f7af9ef1e46a066ddd1_cobalt-strike_cobaltstrike.exe C:\Windows\System\riqFOCH.exe
PID 1276 wrote to memory of 784 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_05a38a41904d6f7af9ef1e46a066ddd1_cobalt-strike_cobaltstrike.exe C:\Windows\System\Rcfozfl.exe
PID 1276 wrote to memory of 784 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_05a38a41904d6f7af9ef1e46a066ddd1_cobalt-strike_cobaltstrike.exe C:\Windows\System\Rcfozfl.exe
PID 1276 wrote to memory of 784 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_05a38a41904d6f7af9ef1e46a066ddd1_cobalt-strike_cobaltstrike.exe C:\Windows\System\Rcfozfl.exe
PID 1276 wrote to memory of 2136 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_05a38a41904d6f7af9ef1e46a066ddd1_cobalt-strike_cobaltstrike.exe C:\Windows\System\srFjmjD.exe
PID 1276 wrote to memory of 2136 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_05a38a41904d6f7af9ef1e46a066ddd1_cobalt-strike_cobaltstrike.exe C:\Windows\System\srFjmjD.exe
PID 1276 wrote to memory of 2136 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_05a38a41904d6f7af9ef1e46a066ddd1_cobalt-strike_cobaltstrike.exe C:\Windows\System\srFjmjD.exe
PID 1276 wrote to memory of 1988 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_05a38a41904d6f7af9ef1e46a066ddd1_cobalt-strike_cobaltstrike.exe C:\Windows\System\oEFNqxn.exe
PID 1276 wrote to memory of 1988 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_05a38a41904d6f7af9ef1e46a066ddd1_cobalt-strike_cobaltstrike.exe C:\Windows\System\oEFNqxn.exe
PID 1276 wrote to memory of 1988 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_05a38a41904d6f7af9ef1e46a066ddd1_cobalt-strike_cobaltstrike.exe C:\Windows\System\oEFNqxn.exe
PID 1276 wrote to memory of 304 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_05a38a41904d6f7af9ef1e46a066ddd1_cobalt-strike_cobaltstrike.exe C:\Windows\System\gAwOWWD.exe
PID 1276 wrote to memory of 304 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_05a38a41904d6f7af9ef1e46a066ddd1_cobalt-strike_cobaltstrike.exe C:\Windows\System\gAwOWWD.exe
PID 1276 wrote to memory of 304 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_05a38a41904d6f7af9ef1e46a066ddd1_cobalt-strike_cobaltstrike.exe C:\Windows\System\gAwOWWD.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-01_05a38a41904d6f7af9ef1e46a066ddd1_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-01_05a38a41904d6f7af9ef1e46a066ddd1_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\xAkDMud.exe

C:\Windows\System\xAkDMud.exe

C:\Windows\System\EmqJphz.exe

C:\Windows\System\EmqJphz.exe

C:\Windows\System\yALrgGu.exe

C:\Windows\System\yALrgGu.exe

C:\Windows\System\FcmJkjK.exe

C:\Windows\System\FcmJkjK.exe

C:\Windows\System\szYZCrE.exe

C:\Windows\System\szYZCrE.exe

C:\Windows\System\zrDTFTb.exe

C:\Windows\System\zrDTFTb.exe

C:\Windows\System\KybiJSJ.exe

C:\Windows\System\KybiJSJ.exe

C:\Windows\System\sBLJRtI.exe

C:\Windows\System\sBLJRtI.exe

C:\Windows\System\jYWvaWR.exe

C:\Windows\System\jYWvaWR.exe

C:\Windows\System\TzgBkDI.exe

C:\Windows\System\TzgBkDI.exe

C:\Windows\System\rMsjTHr.exe

C:\Windows\System\rMsjTHr.exe

C:\Windows\System\xIrlONw.exe

C:\Windows\System\xIrlONw.exe

C:\Windows\System\HQagaED.exe

C:\Windows\System\HQagaED.exe

C:\Windows\System\gfQNwCi.exe

C:\Windows\System\gfQNwCi.exe

C:\Windows\System\PRggXTW.exe

C:\Windows\System\PRggXTW.exe

C:\Windows\System\HDhfZIG.exe

C:\Windows\System\HDhfZIG.exe

C:\Windows\System\riqFOCH.exe

C:\Windows\System\riqFOCH.exe

C:\Windows\System\Rcfozfl.exe

C:\Windows\System\Rcfozfl.exe

C:\Windows\System\srFjmjD.exe

C:\Windows\System\srFjmjD.exe

C:\Windows\System\oEFNqxn.exe

C:\Windows\System\oEFNqxn.exe

C:\Windows\System\gAwOWWD.exe

C:\Windows\System\gAwOWWD.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp

Files

memory/1276-0-0x000000013F160000-0x000000013F4B4000-memory.dmp

memory/1276-1-0x00000000001F0000-0x0000000000200000-memory.dmp

\Windows\system\xAkDMud.exe

MD5 a335f20ccd4671ef2bab3a1c197acacb
SHA1 2c76a8b83a6c3518b8521e4b8622d732a712a399
SHA256 ff429cc9a52d6e5cf76f0deb0d838a55b85cb3a9edc190103724816d37ec6002
SHA512 11a8a5a03ec98fd70dbc20f7c9614c922ebb3e0471a201a0daa9c62080360b2f25eb0d9cbbd63024c61ac200e6a6a548b10ff21c1463dc1cf830cab1af87334a

memory/1276-6-0x0000000002220000-0x0000000002574000-memory.dmp

memory/2008-9-0x000000013F0D0000-0x000000013F424000-memory.dmp

\Windows\system\EmqJphz.exe

MD5 a48adad1d2e25ebc567962f3ae548f3e
SHA1 2581c993c5ad533f7ba2c8f145db8d3594fb0bf5
SHA256 b9e6303d0511a99e62141a0dbe569b5ec09a7ab16da55c1cde3e43075670c178
SHA512 922880199d47e1b8952999209b8e5d7d2daa6723063a42a749df54fd5d5317fed48126a72ed7c3ad1106ae731d955eb669bd1ab1beb9b0a1da36a7187697fd21

memory/1276-15-0x0000000002220000-0x0000000002574000-memory.dmp

memory/3000-16-0x000000013F440000-0x000000013F794000-memory.dmp

C:\Windows\system\yALrgGu.exe

MD5 e8b2a4a40c84c2dbfc64cfadb5d13969
SHA1 a449c6d07a01a5e5f731e653f35bcd4ea4a5605d
SHA256 048c7b38aa09474526622e62f93913edaed4d412965f65f47d27c8c718b40861
SHA512 b70956f4105b2681f33be314561ca5cde0e0107fbce9c9bd6feec82c96e7a09806d0bafdd1e9d2e3d658844bcc23f20c49c73eaf6e01e6566450859730170665

memory/3040-22-0x000000013F3C0000-0x000000013F714000-memory.dmp

\Windows\system\FcmJkjK.exe

MD5 0f3f68afd90fed7077f6633dfadfcc4b
SHA1 59a22d772acbe382dfeca45e9a490c842076c6a2
SHA256 be960b9ac74d7c3adc8db892d53b5a102230f15139864a5b27b8caa2e387ebaa
SHA512 b89aac23357fcd52a9d3c1ba100f44927e54ccf95eeed2710304eabeb5b1ed353281afca69f8272bfef222a91ac6fc4de86cbc0d4e93ce6a121db30960e4869d

memory/1276-27-0x000000013FDC0000-0x0000000140114000-memory.dmp

memory/2692-29-0x000000013FDC0000-0x0000000140114000-memory.dmp

C:\Windows\system\zrDTFTb.exe

MD5 f1e80b4a5f0325c483c4df92c597a092
SHA1 1b10a28db8968d36b850d0c529c04064d4bf226c
SHA256 9208c1a7ce85459c4e5d621d2646e04b7c5a0d515f6c4715970d4232a001c136
SHA512 54b28258364a258ee900c469e3c84d5e486f93d407b37b912e4c45df200b7b434ebcbdf91e3a220e02e932ed77108c292816a131cedf4612df04c0fcfa21bb63

C:\Windows\system\szYZCrE.exe

MD5 f417c649afcfc0d5aa176d9bb03a3e3b
SHA1 020083ce47be1db3891b35a235452b67c5b0c139
SHA256 142d10dd382c9f726aa31f90114747e4b2403dae7186a03e2a129efb2b04e51a
SHA512 c89c5a1ff3c9fd7a4b093999aed52568afa7b0621dc5aeb658fed868f3471e99d120f482706224e021a9d193420d8d51204e72401d6f8f4e8885034309da5c04

\Windows\system\KybiJSJ.exe

MD5 bd2022f4e71bb33b4a2b69dd2bd9e652
SHA1 d92fa6ca6e92f5128f224bd3a7ee9f1d9d6cd78f
SHA256 33db0710a2ee5efc150a70ef58114faddab3cc8d4f5ee8048938f37484954693
SHA512 13be899c0feaa5174194686550c2cd510cb0993ff9d5cbf2a3e5e9fe0207cf898e623471433838b2305f5249685dd644d373e3108778904d8f73f46a1de8f0a4

memory/2748-50-0x000000013F0E0000-0x000000013F434000-memory.dmp

memory/2008-48-0x000000013F0D0000-0x000000013F424000-memory.dmp

memory/2840-47-0x000000013FB60000-0x000000013FEB4000-memory.dmp

memory/1276-45-0x000000013F160000-0x000000013F4B4000-memory.dmp

memory/1276-44-0x0000000002220000-0x0000000002574000-memory.dmp

memory/2844-43-0x000000013FA00000-0x000000013FD54000-memory.dmp

\Windows\system\sBLJRtI.exe

MD5 362d767cf86fc1a5f80c47bddb9a35cf
SHA1 a98451ccb2a4565344416ff6e7bbf0ace981ce92
SHA256 f7c65fc5eda882cdb06790308421e37a40fa74bde4fa5eca44e73a942aa3f39a
SHA512 58586fdfe5fc8e9d2afc33cb8dc9533e7912bb9f5240781ed24356d63f1f4874fdea12d31f107cc75d2cdbf7040290cf853bf8210018ea88390d33837382d1c7

memory/1276-55-0x0000000002220000-0x0000000002574000-memory.dmp

memory/2576-56-0x000000013F040000-0x000000013F394000-memory.dmp

C:\Windows\system\TzgBkDI.exe

MD5 cb12efca7471932e856516edc9634aaa
SHA1 5075680c9b190b6a4ba851cb2a4e6fcad7c803fa
SHA256 ea8b4d14c08b0d7eca14c5a483338704adf5638f4447b2af94f29ac52d232582
SHA512 9d83b07e36494e08207570bdf691be48cb8034602c1a6b8619af0b1991105780b22f83d37765c215a1ef6bf750438f1fb88389d36954c6fa3e4ed6605d93a72c

\Windows\system\xIrlONw.exe

MD5 f48851f350bb787b8fa0b09adef3c7a4
SHA1 71e6fc66befb59e067f1e63cdb2b461a5b337584
SHA256 71710c1f4ab1ea7cddb0e02cb14db56bff1f54d1ed7754c782e21908aa4311b7
SHA512 c1072d3fcfa4db04b520a82cdae664b8c56deeaf1569adfb0755631a61f44325bc1ee5bb2dd029dfff6f26be3afe32801f7d94fd93107ba641506e8f29aced23

C:\Windows\system\gfQNwCi.exe

MD5 707a56c257aa6d49c9b555d588afeffd
SHA1 7672d774c4dfefe6fb5c4ec8b2a355ae2b41de93
SHA256 a197e97b67ac99907bcd7f2f5dc7f062ff005cffd5536d9cc2e535842bde8aeb
SHA512 897d164be6e16e8ee4198ff68585acda1c763aa04a00251828adff3d9091c6d4e8293fa6f63931f8aa1756498153291669a54479b8c244aeb98b9045167c1b98

memory/1276-93-0x0000000002220000-0x0000000002574000-memory.dmp

C:\Windows\system\HDhfZIG.exe

MD5 20760e5b6f3cc015208f99a67ad7ebf2
SHA1 871682825b6a5bd2795bdcbb424dfcde473b3ce9
SHA256 1530d09e10216f4a6496544a908001e669b5ea5cb3eb8f398f7d9548f41562cc
SHA512 0a4b225cc9f687ff8cad37578732ececdf5efd726f5ce190f34d2ad9860115e22d0d32c8bf325bc8c7360d5dd3526f557cbe3ecd281815e8f7592a87bb57e112

memory/1276-94-0x000000013F940000-0x000000013FC94000-memory.dmp

memory/1276-97-0x000000013FD40000-0x0000000140094000-memory.dmp

memory/2640-98-0x000000013FD40000-0x0000000140094000-memory.dmp

C:\Windows\system\rMsjTHr.exe

MD5 903a8a7b145effc47e881014f624247e
SHA1 7e59f74b38198a21baf6e329f94db8c3adaf132b
SHA256 f0821d33cf3ecc65ea7234d9869b44c342076fddc09417a2165eed783c36c67b
SHA512 cb51a4b4977d7d62152aec8d2cb1914057e58cedda121ff8764e27804ab1ac239f93ffa324756d3f62bf8f1d3f73475ce62b0990f1dc83f4799cf87fc3246438

memory/1276-61-0x0000000002220000-0x0000000002574000-memory.dmp

C:\Windows\system\oEFNqxn.exe

MD5 8a6d8147fbd484c84b82f2dcf052d738
SHA1 288d60eadbbed17ea95fd9b3e98c89682d740c72
SHA256 68a5460af5dd8a2ad4814163b055359571b9950a53c394675bdd15c939cb2189
SHA512 1d1168522878a3c9377ebb4f1a85d13113e344ba73bae77552b109c1f7c57d19b4e1aff6039df7084c485af515ef481e37260aa4955b21108e5112453371e62e

\Windows\system\gAwOWWD.exe

MD5 6fc4ba3d7328db5518e8bedff595a0f9
SHA1 26144b8d632dc1919191a27256ec31c2821f41ac
SHA256 27b0392f23eba62ecd0875c59a1ca7d7dc44d21f1c8e5c6f332cf244020236a2
SHA512 625a82c1a795a8f9120f30d433e1df402e39831ace0c6849b04f537ddbdc50aa624188feb25040e4fd3dc1dcbee0c8ebfcac323cbc339ca78063d36dd8b7b3cd

C:\Windows\system\srFjmjD.exe

MD5 ea87226ad5ad50447031851afcb58137
SHA1 215c18ef16f4232b8bbdaf320b93af1bbbcf6c4c
SHA256 7bed6f41c383f0f05f6dd66bcd0e8c4bb9e868b15cd715ad891af5a01ae395a6
SHA512 d06db758bbeb94e4287e44c70350dd53023fa4fa7fd4c268e42ced4fc357f1fd12999daa2830fa9c59babdd741836b70fc6bbf912e2467034ed359dffbab295f

C:\Windows\system\riqFOCH.exe

MD5 a4a3f870df8d0e03bcbf770a58a83337
SHA1 43c77b71986f4407982871434bacc57ca752fb6e
SHA256 7b7eefbbc9b9c57ac9eb546ef8dff33706ef6ef7d686d51399657c9f09d6a82f
SHA512 e1915975ecfcdbae75d080cd393cdb2bd966fa1f9a584329b44fb3bcc52e4a087bd25d63860d01c06abcf9fbbd82a6ccbe04e620dfdabdc9cca67082c208efec

C:\Windows\system\PRggXTW.exe

MD5 27fbc3901e6bcb35e2637c8f27277f67
SHA1 796369ab7650ca14faaa0af49ac317476c07cead
SHA256 b32b5d91e8dd51ed19e1d5a8c4dc9bd44d7af1ac6016ce2f5452544a3c1b53c2
SHA512 1343ee5941700aab0d42f15f14af704461c2d913721d1e950deb39c11a473a70bfcd6b7973cadb930ba7115f7b3985dc2fa73ca922cb3399fc5c73162192a149

C:\Windows\system\HQagaED.exe

MD5 f8da21b057e1d9bdf4fef8bbcadd27cc
SHA1 eb3abd7b14c2c79febe649518eb19930b34dfc23
SHA256 9ed823dd190ff8115090dceec6c993665c6fa1ebfe70504368ad28822ad4bb77
SHA512 73f34ad77050a930d4197b39660b8cf4704016d0c1498b08dc907ade2c6ff05a03bf584501767ddc2f0a3178738f2471d543876726fab553cfdd9324a1e566aa

memory/1276-104-0x000000013F640000-0x000000013F994000-memory.dmp

C:\Windows\system\jYWvaWR.exe

MD5 e40924d3af95db1c359fede440eb7a6d
SHA1 8f9e79f77efb3ac18af4de419d7ccf2c43485bca
SHA256 02a0385f4d64829f098d6e68840a2a029c82114cd6b9fe9879c3e5817354b929
SHA512 b4eb1ebf867926471d22264b170997d4f018316ea81130123fa1d0b5cfc20022da1b5afe8fc18ffeaf918f6a044dd0b94ab03eb1703c9eeed3235570c4afba97

memory/812-89-0x000000013F390000-0x000000013F6E4000-memory.dmp

memory/2288-86-0x000000013FA00000-0x000000013FD54000-memory.dmp

memory/1276-79-0x000000013FA00000-0x000000013FD54000-memory.dmp

memory/2540-69-0x000000013F7B0000-0x000000013FB04000-memory.dmp

C:\Windows\system\Rcfozfl.exe

MD5 d436309042b39d1e9dcb88aec744ab6d
SHA1 dc4e81af955fff274a2fc08237b58bfc53223a45
SHA256 28461db39b17f61485e967e17cf7c17bdb832262ebfe60163e5a2205f7b71114
SHA512 6fb12c25942183956a706d33a0b3628a3ad6cf00e50aac51511263884faef494b736b028a50abf08754af84b0f2847471ff381e305392a48f8b7076ab000e4f0

memory/1276-96-0x0000000002220000-0x0000000002574000-memory.dmp

memory/2748-133-0x000000013F0E0000-0x000000013F434000-memory.dmp

memory/1276-134-0x0000000002220000-0x0000000002574000-memory.dmp

memory/2576-135-0x000000013F040000-0x000000013F394000-memory.dmp

memory/2540-136-0x000000013F7B0000-0x000000013FB04000-memory.dmp

memory/1276-137-0x000000013F7B0000-0x000000013FB04000-memory.dmp

memory/1276-138-0x000000013FA00000-0x000000013FD54000-memory.dmp

memory/1276-139-0x000000013F940000-0x000000013FC94000-memory.dmp

memory/2640-140-0x000000013FD40000-0x0000000140094000-memory.dmp

memory/1276-141-0x000000013F640000-0x000000013F994000-memory.dmp

memory/2008-142-0x000000013F0D0000-0x000000013F424000-memory.dmp

memory/3000-143-0x000000013F440000-0x000000013F794000-memory.dmp

memory/3040-144-0x000000013F3C0000-0x000000013F714000-memory.dmp

memory/2692-145-0x000000013FDC0000-0x0000000140114000-memory.dmp

memory/2840-146-0x000000013FB60000-0x000000013FEB4000-memory.dmp

memory/2844-147-0x000000013FA00000-0x000000013FD54000-memory.dmp

memory/2748-148-0x000000013F0E0000-0x000000013F434000-memory.dmp

memory/2576-149-0x000000013F040000-0x000000013F394000-memory.dmp

memory/2540-150-0x000000013F7B0000-0x000000013FB04000-memory.dmp

memory/2288-151-0x000000013FA00000-0x000000013FD54000-memory.dmp

memory/812-152-0x000000013F390000-0x000000013F6E4000-memory.dmp

memory/2640-153-0x000000013FD40000-0x0000000140094000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-01 01:26

Reported

2024-06-01 01:28

Platform

win10v2004-20240226-en

Max time kernel

151s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-01_05a38a41904d6f7af9ef1e46a066ddd1_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A
(21 hits; no per-hit detail recorded)

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A
(21 hits; no per-hit detail recorded)

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A
(64 hits; no per-hit detail recorded)

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
(64 hits; no per-hit detail recorded)

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
(64 hits; no per-hit detail recorded)

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\ZTfLpwG.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_05a38a41904d6f7af9ef1e46a066ddd1_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\xIarCen.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_05a38a41904d6f7af9ef1e46a066ddd1_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\pJmgUXE.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_05a38a41904d6f7af9ef1e46a066ddd1_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\DZPPURC.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_05a38a41904d6f7af9ef1e46a066ddd1_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\zKfwSlB.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_05a38a41904d6f7af9ef1e46a066ddd1_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ytVGFjk.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_05a38a41904d6f7af9ef1e46a066ddd1_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\FTEFjFq.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_05a38a41904d6f7af9ef1e46a066ddd1_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\xaQHdVm.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_05a38a41904d6f7af9ef1e46a066ddd1_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\JtVWRxY.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_05a38a41904d6f7af9ef1e46a066ddd1_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\PlEBVSx.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_05a38a41904d6f7af9ef1e46a066ddd1_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\jxxMHGR.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_05a38a41904d6f7af9ef1e46a066ddd1_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\XJxrMTU.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_05a38a41904d6f7af9ef1e46a066ddd1_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\oKtcUjG.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_05a38a41904d6f7af9ef1e46a066ddd1_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\Kidgbpr.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_05a38a41904d6f7af9ef1e46a066ddd1_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\adQYyKH.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_05a38a41904d6f7af9ef1e46a066ddd1_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\VjBHIyM.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_05a38a41904d6f7af9ef1e46a066ddd1_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\kXQWbXX.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_05a38a41904d6f7af9ef1e46a066ddd1_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\YyubLaG.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_05a38a41904d6f7af9ef1e46a066ddd1_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\GWqvnTP.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_05a38a41904d6f7af9ef1e46a066ddd1_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\tGGiQFk.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_05a38a41904d6f7af9ef1e46a066ddd1_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ZbcmsFa.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_05a38a41904d6f7af9ef1e46a066ddd1_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_05a38a41904d6f7af9ef1e46a066ddd1_cobalt-strike_cobaltstrike.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_05a38a41904d6f7af9ef1e46a066ddd1_cobalt-strike_cobaltstrike.exe N/A

SeLockMemoryPrivilege is the privilege XMRig enables so that it can back its RandomX working set with large pages; a sample that requests this privilege and no other is consistent with the XMRig Miner payload signature above.

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3176 wrote to memory of 1384 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_05a38a41904d6f7af9ef1e46a066ddd1_cobalt-strike_cobaltstrike.exe C:\Windows\System\Kidgbpr.exe
PID 3176 wrote to memory of 1384 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_05a38a41904d6f7af9ef1e46a066ddd1_cobalt-strike_cobaltstrike.exe C:\Windows\System\Kidgbpr.exe
PID 3176 wrote to memory of 884 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_05a38a41904d6f7af9ef1e46a066ddd1_cobalt-strike_cobaltstrike.exe C:\Windows\System\adQYyKH.exe
PID 3176 wrote to memory of 884 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_05a38a41904d6f7af9ef1e46a066ddd1_cobalt-strike_cobaltstrike.exe C:\Windows\System\adQYyKH.exe
PID 3176 wrote to memory of 4856 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_05a38a41904d6f7af9ef1e46a066ddd1_cobalt-strike_cobaltstrike.exe C:\Windows\System\ZTfLpwG.exe
PID 3176 wrote to memory of 4856 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_05a38a41904d6f7af9ef1e46a066ddd1_cobalt-strike_cobaltstrike.exe C:\Windows\System\ZTfLpwG.exe
PID 3176 wrote to memory of 4984 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_05a38a41904d6f7af9ef1e46a066ddd1_cobalt-strike_cobaltstrike.exe C:\Windows\System\VjBHIyM.exe
PID 3176 wrote to memory of 4984 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_05a38a41904d6f7af9ef1e46a066ddd1_cobalt-strike_cobaltstrike.exe C:\Windows\System\VjBHIyM.exe
PID 3176 wrote to memory of 220 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_05a38a41904d6f7af9ef1e46a066ddd1_cobalt-strike_cobaltstrike.exe C:\Windows\System\FTEFjFq.exe
PID 3176 wrote to memory of 220 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_05a38a41904d6f7af9ef1e46a066ddd1_cobalt-strike_cobaltstrike.exe C:\Windows\System\FTEFjFq.exe
PID 3176 wrote to memory of 1836 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_05a38a41904d6f7af9ef1e46a066ddd1_cobalt-strike_cobaltstrike.exe C:\Windows\System\JtVWRxY.exe
PID 3176 wrote to memory of 1836 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_05a38a41904d6f7af9ef1e46a066ddd1_cobalt-strike_cobaltstrike.exe C:\Windows\System\JtVWRxY.exe
PID 3176 wrote to memory of 2904 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_05a38a41904d6f7af9ef1e46a066ddd1_cobalt-strike_cobaltstrike.exe C:\Windows\System\xaQHdVm.exe
PID 3176 wrote to memory of 2904 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_05a38a41904d6f7af9ef1e46a066ddd1_cobalt-strike_cobaltstrike.exe C:\Windows\System\xaQHdVm.exe
PID 3176 wrote to memory of 1016 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_05a38a41904d6f7af9ef1e46a066ddd1_cobalt-strike_cobaltstrike.exe C:\Windows\System\PlEBVSx.exe
PID 3176 wrote to memory of 1016 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_05a38a41904d6f7af9ef1e46a066ddd1_cobalt-strike_cobaltstrike.exe C:\Windows\System\PlEBVSx.exe
PID 3176 wrote to memory of 4104 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_05a38a41904d6f7af9ef1e46a066ddd1_cobalt-strike_cobaltstrike.exe C:\Windows\System\jxxMHGR.exe
PID 3176 wrote to memory of 4104 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_05a38a41904d6f7af9ef1e46a066ddd1_cobalt-strike_cobaltstrike.exe C:\Windows\System\jxxMHGR.exe
PID 3176 wrote to memory of 3944 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_05a38a41904d6f7af9ef1e46a066ddd1_cobalt-strike_cobaltstrike.exe C:\Windows\System\XJxrMTU.exe
PID 3176 wrote to memory of 3944 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_05a38a41904d6f7af9ef1e46a066ddd1_cobalt-strike_cobaltstrike.exe C:\Windows\System\XJxrMTU.exe
PID 3176 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_05a38a41904d6f7af9ef1e46a066ddd1_cobalt-strike_cobaltstrike.exe C:\Windows\System\kXQWbXX.exe
PID 3176 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_05a38a41904d6f7af9ef1e46a066ddd1_cobalt-strike_cobaltstrike.exe C:\Windows\System\kXQWbXX.exe
PID 3176 wrote to memory of 3820 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_05a38a41904d6f7af9ef1e46a066ddd1_cobalt-strike_cobaltstrike.exe C:\Windows\System\xIarCen.exe
PID 3176 wrote to memory of 3820 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_05a38a41904d6f7af9ef1e46a066ddd1_cobalt-strike_cobaltstrike.exe C:\Windows\System\xIarCen.exe
PID 3176 wrote to memory of 4636 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_05a38a41904d6f7af9ef1e46a066ddd1_cobalt-strike_cobaltstrike.exe C:\Windows\System\YyubLaG.exe
PID 3176 wrote to memory of 4636 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_05a38a41904d6f7af9ef1e46a066ddd1_cobalt-strike_cobaltstrike.exe C:\Windows\System\YyubLaG.exe
PID 3176 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_05a38a41904d6f7af9ef1e46a066ddd1_cobalt-strike_cobaltstrike.exe C:\Windows\System\pJmgUXE.exe
PID 3176 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_05a38a41904d6f7af9ef1e46a066ddd1_cobalt-strike_cobaltstrike.exe C:\Windows\System\pJmgUXE.exe
PID 3176 wrote to memory of 2912 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_05a38a41904d6f7af9ef1e46a066ddd1_cobalt-strike_cobaltstrike.exe C:\Windows\System\DZPPURC.exe
PID 3176 wrote to memory of 2912 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_05a38a41904d6f7af9ef1e46a066ddd1_cobalt-strike_cobaltstrike.exe C:\Windows\System\DZPPURC.exe
PID 3176 wrote to memory of 2124 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_05a38a41904d6f7af9ef1e46a066ddd1_cobalt-strike_cobaltstrike.exe C:\Windows\System\zKfwSlB.exe
PID 3176 wrote to memory of 2124 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_05a38a41904d6f7af9ef1e46a066ddd1_cobalt-strike_cobaltstrike.exe C:\Windows\System\zKfwSlB.exe
PID 3176 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_05a38a41904d6f7af9ef1e46a066ddd1_cobalt-strike_cobaltstrike.exe C:\Windows\System\ytVGFjk.exe
PID 3176 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_05a38a41904d6f7af9ef1e46a066ddd1_cobalt-strike_cobaltstrike.exe C:\Windows\System\ytVGFjk.exe
PID 3176 wrote to memory of 3620 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_05a38a41904d6f7af9ef1e46a066ddd1_cobalt-strike_cobaltstrike.exe C:\Windows\System\GWqvnTP.exe
PID 3176 wrote to memory of 3620 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_05a38a41904d6f7af9ef1e46a066ddd1_cobalt-strike_cobaltstrike.exe C:\Windows\System\GWqvnTP.exe
PID 3176 wrote to memory of 2316 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_05a38a41904d6f7af9ef1e46a066ddd1_cobalt-strike_cobaltstrike.exe C:\Windows\System\tGGiQFk.exe
PID 3176 wrote to memory of 2316 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_05a38a41904d6f7af9ef1e46a066ddd1_cobalt-strike_cobaltstrike.exe C:\Windows\System\tGGiQFk.exe
PID 3176 wrote to memory of 4860 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_05a38a41904d6f7af9ef1e46a066ddd1_cobalt-strike_cobaltstrike.exe C:\Windows\System\oKtcUjG.exe
PID 3176 wrote to memory of 4860 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_05a38a41904d6f7af9ef1e46a066ddd1_cobalt-strike_cobaltstrike.exe C:\Windows\System\oKtcUjG.exe
PID 3176 wrote to memory of 4460 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_05a38a41904d6f7af9ef1e46a066ddd1_cobalt-strike_cobaltstrike.exe C:\Windows\System\ZbcmsFa.exe
PID 3176 wrote to memory of 4460 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_05a38a41904d6f7af9ef1e46a066ddd1_cobalt-strike_cobaltstrike.exe C:\Windows\System\ZbcmsFa.exe
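
The two tables above are more useful read together: every "wrote to memory of" target is one of the files the sample just dropped, and every write is logged twice. The following script is an added example written for this page, not sandbox output; it parses a constructed subset of the rows above (three of the 21 children, copied verbatim), collapses the duplicate rows, builds the parent-to-child view, and checks that no write target falls outside the drop list. The helper names (norm, parse_writes, build_tree, targets_not_dropped) are ours.

```python
import re
from collections import defaultdict

# Parent sample path exactly as the report prints it.
PARENT = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\2024-06-01_05a38a41904d6f7af9ef1e46a066ddd1_cobalt-strike_cobaltstrike.exe")

# Constructed input: three of the 21 "File created" rows, copied from the table above.
FILE_CREATED_ROWS = "\n".join(
    f"File created {path} {PARENT} N/A"
    for path in (r"C:\Windows\System\ZTfLpwG.exe",
                 r"C:\Windows\System\Kidgbpr.exe",
                 r"C:\Windows\System\adQYyKH.exe"))

# Constructed input: the matching write rows. Each appears twice in the report,
# exactly as reproduced here; the parser collapses the duplicates.
WRITE_ROWS = "\n".join(
    f"PID 3176 wrote to memory of {pid} N/A {PARENT} {target}"
    for pid, target in ((1384, r"C:\Windows\System\Kidgbpr.exe"),
                        (1384, r"C:\Windows\System\Kidgbpr.exe"),
                        (884, r"C:\Windows\System\adQYyKH.exe"),
                        (884, r"C:\Windows\System\adQYyKH.exe"),
                        (4856, r"C:\Windows\System\ZTfLpwG.exe"),
                        (4856, r"C:\Windows\System\ZTfLpwG.exe")))

CREATED_RE = re.compile(r"^File created (\S+) (\S+) N/A$")
WRITE_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)$")


def norm(path):
    """NTFS is case-insensitive and the report mixes 'System' and 'system'."""
    return path.lower()


def parse_file_created(text):
    """Map each dropped path to the process that created it."""
    created = {}
    for line in text.splitlines():
        m = CREATED_RE.match(line.strip())
        if m:
            created[norm(m.group(1))] = norm(m.group(2))
    return created


def parse_writes(text):
    """Yield unique (src_pid, dst_pid, src_path, dst_path) tuples."""
    seen = set()
    for line in text.splitlines():
        m = WRITE_RE.match(line.strip())
        if not m:
            continue
        rec = (int(m.group(1)), int(m.group(2)), norm(m.group(3)), norm(m.group(4)))
        if rec not in seen:
            seen.add(rec)
            yield rec


def build_tree(writes):
    """parent pid -> {child pid: image path the parent wrote into}."""
    tree = defaultdict(dict)
    for src_pid, dst_pid, _src_path, dst_path in writes:
        tree[src_pid][dst_pid] = dst_path
    return dict(tree)


def targets_not_dropped(tree, created):
    """Images written into that the sample never dropped. An empty set means every
    cross-process write went into a freshly started copy of a dropped file; a
    non-empty set would point at writes into processes the sample did not create,
    which is the case that deserves a closer look."""
    return {img for children in tree.values() for img in children.values()
            if img not in created}


if __name__ == "__main__":
    tree = build_tree(parse_writes(WRITE_ROWS))
    for parent, children in tree.items():
        print(f"PID {parent} wrote into {len(children)} child processes")
        for pid, image in sorted(children.items()):
            print(f"  {pid}  {image}")
    print("write targets outside the drop list:",
          targets_not_dropped(tree, parse_file_created(FILE_CREATED_ROWS)) or "none")
```

Feeding the full 21-child table through the same functions gives one parent (PID 3176) and 21 children, with an empty "outside the drop list" set.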

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-01_05a38a41904d6f7af9ef1e46a066ddd1_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-01_05a38a41904d6f7af9ef1e46a066ddd1_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\Kidgbpr.exe

C:\Windows\System\Kidgbpr.exe

C:\Windows\System\adQYyKH.exe

C:\Windows\System\adQYyKH.exe

C:\Windows\System\ZTfLpwG.exe

C:\Windows\System\ZTfLpwG.exe

C:\Windows\System\VjBHIyM.exe

C:\Windows\System\VjBHIyM.exe

C:\Windows\System\FTEFjFq.exe

C:\Windows\System\FTEFjFq.exe

C:\Windows\System\JtVWRxY.exe

C:\Windows\System\JtVWRxY.exe

C:\Windows\System\xaQHdVm.exe

C:\Windows\System\xaQHdVm.exe

C:\Windows\System\PlEBVSx.exe

C:\Windows\System\PlEBVSx.exe

C:\Windows\System\jxxMHGR.exe

C:\Windows\System\jxxMHGR.exe

C:\Windows\System\XJxrMTU.exe

C:\Windows\System\XJxrMTU.exe

C:\Windows\System\kXQWbXX.exe

C:\Windows\System\kXQWbXX.exe

C:\Windows\System\xIarCen.exe

C:\Windows\System\xIarCen.exe

C:\Windows\System\YyubLaG.exe

C:\Windows\System\YyubLaG.exe

C:\Windows\System\pJmgUXE.exe

C:\Windows\System\pJmgUXE.exe

C:\Windows\System\DZPPURC.exe

C:\Windows\System\DZPPURC.exe

C:\Windows\System\zKfwSlB.exe

C:\Windows\System\zKfwSlB.exe

C:\Windows\System\ytVGFjk.exe

C:\Windows\System\ytVGFjk.exe

C:\Windows\System\GWqvnTP.exe

C:\Windows\System\GWqvnTP.exe

C:\Windows\System\tGGiQFk.exe

C:\Windows\System\tGGiQFk.exe

C:\Windows\System\oKtcUjG.exe

C:\Windows\System\oKtcUjG.exe

C:\Windows\System\ZbcmsFa.exe

C:\Windows\System\ZbcmsFa.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4448 --field-trial-handle=3192,i,2785050981002401924,4037047756083432660,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 105.83.221.88.in-addr.arpa udp
DE 3.120.209.58:8080 N/A tcp
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 164.189.21.2.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 13.107.253.64:443 N/A tcp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
DE 3.120.209.58:8080 N/A tcp
NL 52.142.223.178:80 N/A tcp
DE 3.120.209.58:8080 N/A tcp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
DE 3.120.209.58:8080 N/A tcp
DE 3.120.209.58:8080 N/A tcp
US 8.8.8.8:53 170.117.168.52.in-addr.arpa udp
DE 3.120.209.58:8080 N/A tcp
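
Most rows in this table are reverse DNS lookups sent to 8.8.8.8, which a sandbox host produces on its own and which tend to bury the direct connections the sample made. The script below is an added example for this page, not part of the sandbox output; it parses the table above (copied verbatim as constructed input, with the Domain cell absent on direct TCP rows as the report prints them), separates PTR lookups from direct connections, turns each in-addr.arpa name back into the address that was looked up, and counts how often each direct destination was contacted. It makes no claim about what 3.120.209.58:8080 is; it only shows that it is the one destination hit repeatedly. Function names are ours.

```python
import re
from collections import Counter

# Constructed input: the behavioral2 Network table above, copied verbatim.
NETWORK_TABLE = """\
Country Destination Domain Proto
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 105.83.221.88.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 164.189.21.2.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 13.107.253.64:443 tcp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
NL 52.142.223.178:80 tcp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 170.117.168.52.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
"""

# Domain cell is optional; some renderings of the table print "N/A" instead.
ROW_RE = re.compile(
    r"^([A-Z]{2}) (\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})(?: (\S+))? (udp|tcp)$")


def parse_network(text):
    """Parse table rows into dicts; a missing or 'N/A' Domain cell becomes None."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue  # header or blank line
        country, ip, port, domain, proto = m.groups()
        rows.append({"country": country, "ip": ip, "port": int(port),
                     "domain": None if domain in (None, "N/A") else domain,
                     "proto": proto})
    return rows


def is_ptr_lookup(row):
    """DNS reverse lookups: UDP/53 queries for an in-addr.arpa name."""
    return (row["proto"] == "udp" and row["port"] == 53
            and row["domain"] is not None
            and row["domain"].endswith(".in-addr.arpa"))


def ptr_target(domain):
    """'217.106.137.52.in-addr.arpa' -> '52.137.106.217' (octets are reversed)."""
    octets = domain[:-len(".in-addr.arpa")].split(".")
    return ".".join(reversed(octets))


def direct_connections(rows):
    """Count non-DNS destinations as 'ip:port/proto' so repeated hits stand out."""
    return Counter(f"{r['ip']}:{r['port']}/{r['proto']}"
                   for r in rows if not is_ptr_lookup(r))


if __name__ == "__main__":
    rows = parse_network(NETWORK_TABLE)
    looked_up = sorted(ptr_target(r["domain"]) for r in rows if is_ptr_lookup(r))
    print("addresses reverse-resolved via 8.8.8.8:", ", ".join(looked_up))
    for dest, n in direct_connections(rows).most_common():
        print(f"{n:2d}x {dest}")
```

The reversed addresses are the ones to enrich (owner, ASN) before deciding whether the lookups are host background noise; the direct-connection counter is what goes into the incident notes.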

Files

memory/3176-0-0x00007FF7F81E0000-0x00007FF7F8534000-memory.dmp

memory/3176-1-0x000001306EF80000-0x000001306EF90000-memory.dmp

C:\Windows\System\Kidgbpr.exe

MD5 154f3822b3d9489522bc4a5baa7b45d9
SHA1 b1d6cde8ea79ab47f3cd1e7d2c48e30b7311d92d
SHA256 29b640dc7a55f695a08fe5fe0a7a97fb0f6df802fef86754172dd3d26cb62a1f
SHA512 7a902ba16c948b2a6ca54b4fd428783fb5c7eaa5ec9f569cf36d21fac0a00ba301536064ee6e38a7e52b09702de4e241fe34747f44db692a3d73c15eb9abcc9c

memory/1384-8-0x00007FF74DA20000-0x00007FF74DD74000-memory.dmp

C:\Windows\System\adQYyKH.exe

MD5 791a374cfb6aa540760ab5106792b262
SHA1 26a44d26680b4de49e7c06569e66d4b4b760a111
SHA256 0464323b845c48e9acdf1d2f9a7591b43983f6e99322b01b3b1d80bb65fe3058
SHA512 cab6ce8d25ec3bfc1b56c05e85fb068e304801d32dae3495889a03cfa52bbe4d194214bd0166f32b0d0304a00f8a8a17d4d137286c92ac0f06bb99e957bd6777

memory/884-14-0x00007FF70C000000-0x00007FF70C354000-memory.dmp

C:\Windows\System\ZTfLpwG.exe

MD5 431fea44cdd761e56974a5f6c829d94e
SHA1 e4ae0c868424ca44403739533913a67d6aebcbe0
SHA256 ca91f6d28b5b49dfdd32a9875300790722be5afa8b970b4fccf8b64940dc1562
SHA512 dc0731343dd23015256e7e5fee36dca4cf9da4856420f56df7c199587c4258a4ba6fdb558f23554e4166a320913257355c249be2bbdec9f2a20a7e58f657537e

memory/4856-20-0x00007FF79BB10000-0x00007FF79BE64000-memory.dmp

C:\Windows\System\VjBHIyM.exe

MD5 d756261fd6b8d96c7b3a9605b2e382a2
SHA1 84e357606e64ab87f17d367bac3a247c442cc97c
SHA256 5b7fe93891fb00c6e04c2340b31bceab0d12c07dfd57fa03802e8ed00fcbe305
SHA512 8dfeaaa18b75ca50fe24558bf8e9dab335bcdaf632cb04888f08bb209bc89f5ba6d696cd046d0415a4c4335f0e638af210825503d2d28f522ab9c3b104ee99b6

memory/4984-26-0x00007FF6F20F0000-0x00007FF6F2444000-memory.dmp

C:\Windows\System\FTEFjFq.exe

MD5 88f30745d1a3d25b96cfc3bf8993a498
SHA1 896d9e31477ec57090f8869624b0e6884ac85f93
SHA256 311e9841a1ad792696f8605d6324e96d901d0ac7fa7dac02319c86934e23e369
SHA512 e6649c9594ad69eada0aaca1a469a00d80edc560763564128b0bb27d9283b62ddfebc99c793ea91d0d25c92e6134f67b48e90459890228cb3c6b8882c6858cac

memory/220-32-0x00007FF62BAC0000-0x00007FF62BE14000-memory.dmp

C:\Windows\System\JtVWRxY.exe

MD5 1228a4b62dac6075c31e3b0c9b908be7
SHA1 6c0eff82cda46337bfc4c4a17db84aa2469355b7
SHA256 acf38f43e8b94650a9585955d5fe0fa45603c0de62804d547dbc8378d1ca1dbc
SHA512 a871733b99a4bf922768c17d74e93869bb0f9868d6eb7ee5000116a160c05b7ddd028197f682cadc9e235cc49d43dfc16b5ff214a3a5f2f7244f92bd3a32689f

memory/1836-38-0x00007FF73E3B0000-0x00007FF73E704000-memory.dmp

C:\Windows\System\xaQHdVm.exe

MD5 da816c980a43cd2c6924f8f565a40af3
SHA1 7429e487a7b3f582f2341a4a3714d27d2b29bbdd
SHA256 2edc35ddf9608644392a4fa92fe824686daa33b9dd16d2eca4e80ad173247de0
SHA512 6d5f19372e9effc32c8a6d0b25b590eb9e57df9d411965f5864034e7596ef99932e5cb0eabed90bef46efd215fd971ba601fe7786f1314154d95f82bb3d5a503

memory/2904-44-0x00007FF6E9C20000-0x00007FF6E9F74000-memory.dmp

C:\Windows\System\PlEBVSx.exe

MD5 2f63f2d3d92353a6dd921dda30b7fa82
SHA1 90681aff42a17ec751de5dc1170b7ead9294bc68
SHA256 80bb76e476865534c315e97a21007249f20fab495b07531756f428d501ba7ce8
SHA512 63925ef3139c2ac90c86d257db1d884286fe5ab96378a6703390c039c7c4cb707cdcea5ccbc519649e9033363091b308d6c611a7f99c083983969121c98ca8df

memory/1016-50-0x00007FF6AACD0000-0x00007FF6AB024000-memory.dmp

C:\Windows\System\jxxMHGR.exe

MD5 a751c697e643fafbb366260cdce6db86
SHA1 3561a2e02218efd9ae0f9594b8f37195b47b36dc
SHA256 2b7f5c4f87c5b20aca447c90d8797ee83c8bbde0c36b3e0ca65af8167f4c62e7
SHA512 bf0c37b06d4580a815e5ed3254eebca6b3d62d4dc4d142ed2ddef53c54f94e550fdb42872df4a92254df1c65c32f29fcf6f86ad02332b994a818928a29239699

memory/4104-56-0x00007FF62E9F0000-0x00007FF62ED44000-memory.dmp

C:\Windows\System\XJxrMTU.exe

MD5 cf3f4eb17ee94ccb614255f3b135f1cd
SHA1 a913d1ba657cb53dd1437da3dfc17751f148d1ad
SHA256 c6a6d8ea99f6a40baeef5175cb0d454d2045043bf4353e8ce693c59306bf88c7
SHA512 33a9543deb372877b1e39006e3d2a71d2612fda39c65b49f714ceeaf21a1cf68708c9e92b30d42cf63d41c20cb2bde976c8eba5650b5c7c99d7444a16dce1657

memory/3176-62-0x00007FF7F81E0000-0x00007FF7F8534000-memory.dmp

memory/3944-63-0x00007FF781BC0000-0x00007FF781F14000-memory.dmp

C:\Windows\System\kXQWbXX.exe

MD5 59d2f5312f344b36996e3dd0f87b2c7a
SHA1 634075bc988e12540cc4df2ea8c7624e954843ed
SHA256 e408e6ad767a6a54ba4296ac5de940a27d10ff93afb4471a046c237202f18491
SHA512 116afd91f65677ae6ea258c6aa61541693890942ebbe1439b12ac0e32a39f6f0e5c94fe21e64f113678a60cd352dd3abe95f9c46754b4f4b39d269928b4784f2

memory/1384-67-0x00007FF74DA20000-0x00007FF74DD74000-memory.dmp

memory/2756-68-0x00007FF602E50000-0x00007FF6031A4000-memory.dmp

C:\Windows\System\xIarCen.exe

MD5 16fad712b6d8351b9c279db8fb17c00f
SHA1 2ee9a08a4173f5471ae244cb86b35280e17b66a7
SHA256 e1f098c8d1241c4e9d0fce06ed10decc014417e0e28ac2313c7060842d83b450
SHA512 389b82c8b953570ad7b200fce5a20bc5042841a2ace30a47a73eed0eda37f414f38ec90a480b0da2c872209fbba3119d3b29f0930ea968a3f8aa4788f271a11a

C:\Windows\System\YyubLaG.exe

MD5 7fa84798bc8cf55f79edd56c27c41e68
SHA1 f7cdf8b2657c1edd9a74c30611e37218c8295968
SHA256 0da65bc3d979fb2ee8a25dbde128d2d6615547465e2e5cedb3d5a7b2008078be
SHA512 925da7b5f6eaddf5ecb0d05f05153ee0c4c914cccfd90c04f599225502375c753d59dfbe773c287cdb7c032871e61a07d57a2ddd0492eafadcd067ca55491030

C:\Windows\System\pJmgUXE.exe

MD5 2f8a842b25e6c85fb144f0263e08a5ca
SHA1 8ac8e3734ab59710705d6c7fe5c319d3a4891159
SHA256 480e5eba2e4d1121af30e1acd7515f2da138e4784eba2ce798949efbdd40e69b
SHA512 7a073e058f5e7735cbe44b6bf1da4b16b42526694d808bbb739449fde7e33a7087a46e9c4857c22557a5e659b94a86c4df8649ee7f5c42bb60abd36d93f1ed94

memory/4636-88-0x00007FF791350000-0x00007FF7916A4000-memory.dmp

memory/2600-91-0x00007FF76E370000-0x00007FF76E6C4000-memory.dmp

memory/4984-92-0x00007FF6F20F0000-0x00007FF6F2444000-memory.dmp

memory/2912-97-0x00007FF7FE5E0000-0x00007FF7FE934000-memory.dmp

C:\Windows\System\zKfwSlB.exe

MD5 fa5d0ad4565a6bc770c771e54df8800d
SHA1 1494ff87bd82485b399d98087e0cbd768b87fd65
SHA256 4a09fda490c455f3a36f7594da6d7875c9d9795ef333e08cc0d69619ae84609e
SHA512 ae4dda60819cd04b69572d0d97be9fdf63390bc8f052f2404fcbb047bdd14fcecd811e248dcb50fed2f65785f53d349baa19e32a38753eba834f10fd9aad9356

C:\Windows\System\DZPPURC.exe

MD5 01371f8a61bdf5a6c0ba39a030c6a2c2
SHA1 8129ff0f877f50c32d84557335bb824354f19f41
SHA256 0e236426623ff79c496a2949df04af92a89bc0be861029ab44d974ec0abd54a1
SHA512 14b41599f9ad71a99cbf1e18b50fc7258db02900d8503d7af44269021b05f9fb91ca4f9228163b36e980f797d4ec1ac00222d4e1c1ca1c56d41abf17b8c95349

memory/3820-86-0x00007FF6E5D40000-0x00007FF6E6094000-memory.dmp

memory/2124-104-0x00007FF686610000-0x00007FF686964000-memory.dmp

memory/2604-107-0x00007FF6C4FD0000-0x00007FF6C5324000-memory.dmp

C:\Windows\System\ytVGFjk.exe

MD5 2f80ca27c905b30dce5045506305651e
SHA1 df7f4fcdf50312b38423fdea57e5aeb799d37976
SHA256 7563377a06602ea8bf0b0175f5b38b6e12c3462edbf6c5e2a8d88a6a1e4dc0a6
SHA512 df4b4f22407b60d9f21b407b9147c7ea3576299ed8ad3d4d82bea3d43976062b901d3a44fbd378cbb65c34f009e7adb87d2035af5f7360942d2f3dde15dc624a

C:\Windows\System\tGGiQFk.exe

MD5 006be624eec3f0e66393392d7c8ef250
SHA1 b29953eb2123ac27bf982b0cd43b3395eb7ce026
SHA256 3eac14eba073ec44640c7586fff81a84913577f3f85997a93446244fdf832734
SHA512 b7db43b22b9228928c17c3590edded77442c9ba3b6bfeeedbd417a1e78eb05d02c3e5e61fd18a00e4a66a44c83140a2bc56e1e9dd4b37f26d04331461ccc2a56

memory/1016-123-0x00007FF6AACD0000-0x00007FF6AB024000-memory.dmp

C:\Windows\System\ZbcmsFa.exe

MD5 0ca18e4d654c7b486ec950574f33a2ca
SHA1 d50ab760fae50b4301c7c7afdf69d78fb1d188c2
SHA256 f1a965be878c43a99241e24cf10e497ef6f99dc6619aa6584346f487e4e400bd
SHA512 2cf7a560a1b6107755284a06077d0463b82cd99f211245d938c5640e7ac73b240a9788e0bced0d664da6eda5658d3f3f9138eb160356f79625e07938aefbd4a5

C:\Windows\System\oKtcUjG.exe

MD5 c5ff939f6f436dba85026b80c63c7b98
SHA1 c8bdc446ec569d0b0b864a632780ab7a251b9170
SHA256 e4f8c883c296b02cffe5719d1399670298aea532239867f92998872841053eea
SHA512 d5ef4a357f0cbcf213fcaaaa65ed8e891be048667d00ab10974a689047e6b8f336f4487fcf6205650ca13993536dc737635d1169ca4d8346e036a05572295c9f

memory/4460-128-0x00007FF671E30000-0x00007FF672184000-memory.dmp

memory/2316-125-0x00007FF7844E0000-0x00007FF784834000-memory.dmp

memory/3620-124-0x00007FF612140000-0x00007FF612494000-memory.dmp

memory/2904-121-0x00007FF6E9C20000-0x00007FF6E9F74000-memory.dmp

C:\Windows\System\GWqvnTP.exe

MD5 dd54f4f1ef113c389116aeee9f752920
SHA1 9ed06851b4086ea6095b808b3da3cf8de3b421f4
SHA256 44edb155af777c30fad047f0cd8247813001110c611263866a66287e6e1f13c7
SHA512 92d32bf655f543c8d7940c6badd6ca78757dace4bdb3c615e07b2dcaaa3d8a22a35140a834f0a773897ab50b114b4882e020ad2ff4e6ad9c86bca617a840fa28

memory/4104-132-0x00007FF62E9F0000-0x00007FF62ED44000-memory.dmp

memory/4860-133-0x00007FF603F40000-0x00007FF604294000-memory.dmp

memory/2756-134-0x00007FF602E50000-0x00007FF6031A4000-memory.dmp

memory/2912-135-0x00007FF7FE5E0000-0x00007FF7FE934000-memory.dmp

memory/2604-136-0x00007FF6C4FD0000-0x00007FF6C5324000-memory.dmp

memory/1384-137-0x00007FF74DA20000-0x00007FF74DD74000-memory.dmp

memory/884-138-0x00007FF70C000000-0x00007FF70C354000-memory.dmp

memory/4856-139-0x00007FF79BB10000-0x00007FF79BE64000-memory.dmp

memory/4984-140-0x00007FF6F20F0000-0x00007FF6F2444000-memory.dmp

memory/220-141-0x00007FF62BAC0000-0x00007FF62BE14000-memory.dmp

memory/1836-142-0x00007FF73E3B0000-0x00007FF73E704000-memory.dmp

memory/2904-143-0x00007FF6E9C20000-0x00007FF6E9F74000-memory.dmp

memory/1016-144-0x00007FF6AACD0000-0x00007FF6AB024000-memory.dmp

memory/4104-145-0x00007FF62E9F0000-0x00007FF62ED44000-memory.dmp

memory/3944-146-0x00007FF781BC0000-0x00007FF781F14000-memory.dmp

memory/2756-147-0x00007FF602E50000-0x00007FF6031A4000-memory.dmp

memory/3820-148-0x00007FF6E5D40000-0x00007FF6E6094000-memory.dmp

memory/4636-149-0x00007FF791350000-0x00007FF7916A4000-memory.dmp

memory/2600-150-0x00007FF76E370000-0x00007FF76E6C4000-memory.dmp

memory/2912-151-0x00007FF7FE5E0000-0x00007FF7FE934000-memory.dmp

memory/2124-152-0x00007FF686610000-0x00007FF686964000-memory.dmp

memory/2604-153-0x00007FF6C4FD0000-0x00007FF6C5324000-memory.dmp

memory/3620-154-0x00007FF612140000-0x00007FF612494000-memory.dmp

memory/2316-155-0x00007FF7844E0000-0x00007FF784834000-memory.dmp

memory/4460-156-0x00007FF671E30000-0x00007FF672184000-memory.dmp

memory/4860-157-0x00007FF603F40000-0x00007FF604294000-memory.dmp
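
Two things in the Files lists above are worth checking mechanically rather than by eye: the dumped memory regions (every image region in both runs spans 0x354000 bytes, while the 3176-1 region is a 0x10000-byte non-image region), and the digest lines, which must be the right length before they go into a blocklist. The script below is an added example for this page, not sandbox output. It parses a constructed subset of the behavioral2 list (copied verbatim), validates digest lengths, builds a size histogram of the dumps, collapses repeated dumps of the same region per PID, and emits a sorted SHA-256 list. The path matcher also accepts entries without a drive letter, as the \Windows\system\gAwOWWD.exe entry in behavioral1 is printed. Function names are ours.

```python
import re
from collections import Counter, defaultdict

# Constructed input: a few entries copied from the behavioral2 Files list above.
FILES_SECTION = r"""
memory/3176-0-0x00007FF7F81E0000-0x00007FF7F8534000-memory.dmp
memory/3176-1-0x000001306EF80000-0x000001306EF90000-memory.dmp
C:\Windows\System\Kidgbpr.exe
MD5 154f3822b3d9489522bc4a5baa7b45d9
SHA1 b1d6cde8ea79ab47f3cd1e7d2c48e30b7311d92d
SHA256 29b640dc7a55f695a08fe5fe0a7a97fb0f6df802fef86754172dd3d26cb62a1f
SHA512 7a902ba16c948b2a6ca54b4fd428783fb5c7eaa5ec9f569cf36d21fac0a00ba301536064ee6e38a7e52b09702de4e241fe34747f44db692a3d73c15eb9abcc9c
memory/1384-8-0x00007FF74DA20000-0x00007FF74DD74000-memory.dmp
C:\Windows\System\adQYyKH.exe
MD5 791a374cfb6aa540760ab5106792b262
SHA1 26a44d26680b4de49e7c06569e66d4b4b760a111
SHA256 0464323b845c48e9acdf1d2f9a7591b43983f6e99322b01b3b1d80bb65fe3058
SHA512 cab6ce8d25ec3bfc1b56c05e85fb068e304801d32dae3495889a03cfa52bbe4d194214bd0166f32b0d0304a00f8a8a17d4d137286c92ac0f06bb99e957bd6777
memory/884-14-0x00007FF70C000000-0x00007FF70C354000-memory.dmp
memory/1384-67-0x00007FF74DA20000-0x00007FF74DD74000-memory.dmp
"""

DUMP_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
PATH_RE = re.compile(r"^(?:[A-Za-z]:)?\\\S+\.exe$")   # drive letter optional
HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512) ([0-9A-Fa-f]+)$")
HEX_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}


def parse_files(text):
    """Return (dumps, files): dumps as dicts with pid/seq/start/end/size,
    files as {path: {algorithm: hexdigest}}, digests attached to the most
    recent path line."""
    dumps, files, current = [], {}, None
    for line in text.splitlines():
        line = line.strip()
        if m := DUMP_RE.match(line):
            pid, seq, start, end = m.groups()
            start, end = int(start, 16), int(end, 16)
            dumps.append({"pid": int(pid), "seq": int(seq), "start": start,
                          "end": end, "size": end - start})
        elif PATH_RE.match(line):
            current = line
            files.setdefault(current, {})
        elif (m := HASH_RE.match(line)) and current is not None:
            files[current][m.group(1)] = m.group(2).lower()
    return dumps, files


def validate_hashes(files):
    """Digest length check; catches truncated or mis-pasted hashes before they
    reach a blocklist. Returns a list of (path, algorithm) problems."""
    return [(path, alg) for path, digests in files.items()
            for alg, hexdigest in digests.items() if len(hexdigest) != HEX_LEN[alg]]


def size_histogram(dumps):
    """Dumped-region sizes; one dominant size means one image mapped many times."""
    return Counter(d["size"] for d in dumps)


def regions_by_pid(dumps):
    """Distinct (start, end) ranges per pid; repeated dumps of a region collapse."""
    regions = defaultdict(set)
    for d in dumps:
        regions[d["pid"]].add((d["start"], d["end"]))
    return dict(regions)


def sha256_iocs(files):
    """Sorted SHA-256 list suitable for a hunting or blocklist feed."""
    return sorted(d["SHA256"] for d in files.values() if "SHA256" in d)


if __name__ == "__main__":
    dumps, files = parse_files(FILES_SECTION)
    print("hash problems:", validate_hashes(files) or "none")
    for size, n in size_histogram(dumps).most_common():
        print(f"{n} dump(s) of 0x{size:X} bytes")
    for pid, regions in sorted(regions_by_pid(dumps).items()):
        print(pid, [f"0x{s:X}-0x{e:X}" for s, e in sorted(regions)])
    print("\n".join(sha256_iocs(files)))
```

Run over the complete lists, the histogram shows a single 0x354000-byte image size across all 21 dropped copies in each run despite every copy hashing differently, which is the pattern to expect when a packed payload is re-emitted per drop; the per-PID region set is what to hand to whoever carves the dumps.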