Malware Analysis Report

2024-10-24 18:16

Sample ID 240607-bxyf3agd65
Target 2024-06-07_8dae92c0a623158ab5baf9c21b6b47c4_cobalt-strike_cobaltstrike
SHA256 fade6579c5745e148923498b5e2be690a2c45c444e5e664164c4d0208beba1eb
Tags
miner upx 0 xmrig cobaltstrike backdoor trojan
score
10/10

Analysis Overview

score
10/10

SHA256

fade6579c5745e148923498b5e2be690a2c45c444e5e664164c4d0208beba1eb

Threat Level: Known bad

The file 2024-06-07_8dae92c0a623158ab5baf9c21b6b47c4_cobalt-strike_cobaltstrike was found to be: Known bad.

Malicious Activity Summary

miner upx 0 xmrig cobaltstrike backdoor trojan

Cobaltstrike family

xmrig

UPX dump on OEP (original entry point)

Xmrig family

Detects Reflective DLL injection artifacts

Cobalt Strike reflective loader

XMRig Miner payload

Cobaltstrike

Loads dropped DLL

Executes dropped EXE

UPX packed file

Drops file in Windows directory

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-07 01:32

Signatures

Cobalt Strike reflective loader

Cobaltstrike family

cobaltstrike

Detects Reflective DLL injection artifacts

UPX dump on OEP (original entry point)

XMRig Miner payload

miner

Xmrig family

xmrig

UPX packed file

upx

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-07 01:32

Reported

2024-06-07 01:34

Platform

win7-20240508-en

Max time kernel

140s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-07_8dae92c0a623158ab5baf9c21b6b47c4_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

UPX dump on OEP (original entry point)

XMRig Miner payload

miner

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_8dae92c0a623158ab5baf9c21b6b47c4_cobalt-strike_cobaltstrike.exe N/A

UPX packed file

upx

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\cRdFGmZ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_8dae92c0a623158ab5baf9c21b6b47c4_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\sMvJAEB.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_8dae92c0a623158ab5baf9c21b6b47c4_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\qyvxeCe.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_8dae92c0a623158ab5baf9c21b6b47c4_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\jAVkXTo.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_8dae92c0a623158ab5baf9c21b6b47c4_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\xWyegZN.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_8dae92c0a623158ab5baf9c21b6b47c4_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\zrunwUJ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_8dae92c0a623158ab5baf9c21b6b47c4_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\PlYlAor.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_8dae92c0a623158ab5baf9c21b6b47c4_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\RmHMGhI.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_8dae92c0a623158ab5baf9c21b6b47c4_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\aLllZQN.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_8dae92c0a623158ab5baf9c21b6b47c4_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\jJUrdrX.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_8dae92c0a623158ab5baf9c21b6b47c4_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\FilBJTy.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_8dae92c0a623158ab5baf9c21b6b47c4_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\LRMfqjt.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_8dae92c0a623158ab5baf9c21b6b47c4_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ugcTiqG.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_8dae92c0a623158ab5baf9c21b6b47c4_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\cRUhzlR.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_8dae92c0a623158ab5baf9c21b6b47c4_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\klhIWmQ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_8dae92c0a623158ab5baf9c21b6b47c4_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\YjfYnmD.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_8dae92c0a623158ab5baf9c21b6b47c4_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\GDEquYn.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_8dae92c0a623158ab5baf9c21b6b47c4_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\sDkIpOm.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_8dae92c0a623158ab5baf9c21b6b47c4_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\xjNjUuS.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_8dae92c0a623158ab5baf9c21b6b47c4_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\pKzjpAc.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_8dae92c0a623158ab5baf9c21b6b47c4_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\oNzSgFN.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_8dae92c0a623158ab5baf9c21b6b47c4_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_8dae92c0a623158ab5baf9c21b6b47c4_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1872 wrote to memory of 2948 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_8dae92c0a623158ab5baf9c21b6b47c4_cobalt-strike_cobaltstrike.exe C:\Windows\System\jJUrdrX.exe
PID 1872 wrote to memory of 2880 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_8dae92c0a623158ab5baf9c21b6b47c4_cobalt-strike_cobaltstrike.exe C:\Windows\System\FilBJTy.exe
PID 1872 wrote to memory of 2272 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_8dae92c0a623158ab5baf9c21b6b47c4_cobalt-strike_cobaltstrike.exe C:\Windows\System\GDEquYn.exe
PID 1872 wrote to memory of 2644 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_8dae92c0a623158ab5baf9c21b6b47c4_cobalt-strike_cobaltstrike.exe C:\Windows\System\qyvxeCe.exe
PID 1872 wrote to memory of 2632 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_8dae92c0a623158ab5baf9c21b6b47c4_cobalt-strike_cobaltstrike.exe C:\Windows\System\sDkIpOm.exe
PID 1872 wrote to memory of 2592 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_8dae92c0a623158ab5baf9c21b6b47c4_cobalt-strike_cobaltstrike.exe C:\Windows\System\pKzjpAc.exe
PID 1872 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_8dae92c0a623158ab5baf9c21b6b47c4_cobalt-strike_cobaltstrike.exe C:\Windows\System\xWyegZN.exe
PID 1872 wrote to memory of 2332 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_8dae92c0a623158ab5baf9c21b6b47c4_cobalt-strike_cobaltstrike.exe C:\Windows\System\jAVkXTo.exe
PID 1872 wrote to memory of 1628 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_8dae92c0a623158ab5baf9c21b6b47c4_cobalt-strike_cobaltstrike.exe C:\Windows\System\oNzSgFN.exe
PID 1872 wrote to memory of 2508 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_8dae92c0a623158ab5baf9c21b6b47c4_cobalt-strike_cobaltstrike.exe C:\Windows\System\cRdFGmZ.exe
PID 1872 wrote to memory of 2276 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_8dae92c0a623158ab5baf9c21b6b47c4_cobalt-strike_cobaltstrike.exe C:\Windows\System\zrunwUJ.exe
PID 1872 wrote to memory of 840 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_8dae92c0a623158ab5baf9c21b6b47c4_cobalt-strike_cobaltstrike.exe C:\Windows\System\xjNjUuS.exe
PID 1872 wrote to memory of 836 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_8dae92c0a623158ab5baf9c21b6b47c4_cobalt-strike_cobaltstrike.exe C:\Windows\System\LRMfqjt.exe
PID 1872 wrote to memory of 2728 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_8dae92c0a623158ab5baf9c21b6b47c4_cobalt-strike_cobaltstrike.exe C:\Windows\System\PlYlAor.exe
PID 1872 wrote to memory of 352 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_8dae92c0a623158ab5baf9c21b6b47c4_cobalt-strike_cobaltstrike.exe C:\Windows\System\ugcTiqG.exe
PID 1872 wrote to memory of 316 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_8dae92c0a623158ab5baf9c21b6b47c4_cobalt-strike_cobaltstrike.exe C:\Windows\System\cRUhzlR.exe
PID 1872 wrote to memory of 2368 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_8dae92c0a623158ab5baf9c21b6b47c4_cobalt-strike_cobaltstrike.exe C:\Windows\System\klhIWmQ.exe
PID 1872 wrote to memory of 1496 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_8dae92c0a623158ab5baf9c21b6b47c4_cobalt-strike_cobaltstrike.exe C:\Windows\System\RmHMGhI.exe
PID 1872 wrote to memory of 2792 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_8dae92c0a623158ab5baf9c21b6b47c4_cobalt-strike_cobaltstrike.exe C:\Windows\System\sMvJAEB.exe
PID 1872 wrote to memory of 2776 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_8dae92c0a623158ab5baf9c21b6b47c4_cobalt-strike_cobaltstrike.exe C:\Windows\System\aLllZQN.exe
PID 1872 wrote to memory of 2012 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_8dae92c0a623158ab5baf9c21b6b47c4_cobalt-strike_cobaltstrike.exe C:\Windows\System\YjfYnmD.exe

Processes

Process Command line
C:\Users\Admin\AppData\Local\Temp\2024-06-07_8dae92c0a623158ab5baf9c21b6b47c4_cobalt-strike_cobaltstrike.exe "C:\Users\Admin\AppData\Local\Temp\2024-06-07_8dae92c0a623158ab5baf9c21b6b47c4_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\jJUrdrX.exe C:\Windows\System\jJUrdrX.exe
C:\Windows\System\FilBJTy.exe C:\Windows\System\FilBJTy.exe
C:\Windows\System\GDEquYn.exe C:\Windows\System\GDEquYn.exe
C:\Windows\System\qyvxeCe.exe C:\Windows\System\qyvxeCe.exe
C:\Windows\System\sDkIpOm.exe C:\Windows\System\sDkIpOm.exe
C:\Windows\System\pKzjpAc.exe C:\Windows\System\pKzjpAc.exe
C:\Windows\System\xWyegZN.exe C:\Windows\System\xWyegZN.exe
C:\Windows\System\jAVkXTo.exe C:\Windows\System\jAVkXTo.exe
C:\Windows\System\oNzSgFN.exe C:\Windows\System\oNzSgFN.exe
C:\Windows\System\cRdFGmZ.exe C:\Windows\System\cRdFGmZ.exe
C:\Windows\System\zrunwUJ.exe C:\Windows\System\zrunwUJ.exe
C:\Windows\System\xjNjUuS.exe C:\Windows\System\xjNjUuS.exe
C:\Windows\System\LRMfqjt.exe C:\Windows\System\LRMfqjt.exe
C:\Windows\System\PlYlAor.exe C:\Windows\System\PlYlAor.exe
C:\Windows\System\ugcTiqG.exe C:\Windows\System\ugcTiqG.exe
C:\Windows\System\cRUhzlR.exe C:\Windows\System\cRUhzlR.exe
C:\Windows\System\klhIWmQ.exe C:\Windows\System\klhIWmQ.exe
C:\Windows\System\RmHMGhI.exe C:\Windows\System\RmHMGhI.exe
C:\Windows\System\sMvJAEB.exe C:\Windows\System\sMvJAEB.exe
C:\Windows\System\aLllZQN.exe C:\Windows\System\aLllZQN.exe
C:\Windows\System\YjfYnmD.exe C:\Windows\System\YjfYnmD.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 tcp

Files

SHA512 a6202dfe8040e1510787086efe5d6dc9207f9edc13fe9e0dce31a25c6b6c2b674ab2aa70c652e4ede78be5a6cbd9d2974a7381c9ef5bafc47aab76b6c2ebb0ff

memory/1872-58-0x000000013FBD0000-0x000000013FF24000-memory.dmp

C:\Windows\system\oNzSgFN.exe

MD5 e7444d77cf14ef0e95c0a8cd435e9490
SHA1 0e0a708ed2619225be4adb14afb3fe5611522f74
SHA256 a706948e9037d7b1f0c228cc79efdad7fcc0c221c0a70b3a9041f4d21ae56912
SHA512 b21e1bcd3dcbf2a47b2f002cf783a704b2daab3434f069b3eca66f5bb43bb00aa8337eed8912de0de7b61acb6c16cda8162b233b4401f240eafe4ed90b625559

memory/1872-46-0x000000013FE00000-0x0000000140154000-memory.dmp

C:\Windows\system\xWyegZN.exe

MD5 f0676dfd30283cd21514bb1d30ac9cec
SHA1 c75665b8fab12b8ae5e7627225e4700b988f4f77
SHA256 cb309ac32a2b5d5d945d7d9b882f76fe049935d9fe58c5ca985e33d41f93aa87
SHA512 6ee45480050e9eb6ab96c504edf5c1fbffd0694c470356de5f702b336c57887ed0812f95fa14abb155905fa80c3aa2b28ed2787d73f1e8dabaf41edb8f896764

memory/1872-38-0x0000000002250000-0x00000000025A4000-memory.dmp

memory/2632-36-0x000000013FA20000-0x000000013FD74000-memory.dmp

memory/1872-27-0x0000000002250000-0x00000000025A4000-memory.dmp

C:\Windows\system\sDkIpOm.exe

MD5 13c43bd31a380a2ec41d43d72ae962f2
SHA1 267cec60b8644cad5446f7b1570a64740ef34c3e
SHA256 b0565691213e413b0c35efe6c47f809597e2eaa9b0db0a2b9ffdf9eaf85aadb1
SHA512 88581808fcbe2c5f1607aced4e8a05abfd7f1167467e70f13ae497ad22337858f2a21ce68504dfa175bc5e8208619bd72116da866db34e12d9ead44c2add019a

C:\Windows\system\qyvxeCe.exe

MD5 cc1bd029f9fbde25af7836ab4529bee4
SHA1 4f07f573100ff6e1cf57b1e0e5999d63e34d3b4f
SHA256 d960febdb2edb56842ef38ca8acf84549536c4ed5cde47099c4d688247ab07c8
SHA512 4961e525242aac34acb05740d1bc743dc6dc338090cbda080367774bdb1f7fb572123d3494e3af1762882944c6c4b58b4766ce0e39a78d4a8517d182b23bd8bb

memory/1872-20-0x000000013FE40000-0x0000000140194000-memory.dmp

memory/1872-13-0x000000013FC00000-0x000000013FF54000-memory.dmp

memory/2332-140-0x000000013FD30000-0x0000000140084000-memory.dmp

memory/2508-142-0x000000013F970000-0x000000013FCC4000-memory.dmp

memory/1872-141-0x000000013F970000-0x000000013FCC4000-memory.dmp

memory/1872-143-0x000000013F7F0000-0x000000013FB44000-memory.dmp

memory/1872-144-0x0000000002250000-0x00000000025A4000-memory.dmp

memory/1872-145-0x000000013FDC0000-0x0000000140114000-memory.dmp

memory/1872-146-0x000000013FDE0000-0x0000000140134000-memory.dmp

memory/2880-148-0x000000013FC00000-0x000000013FF54000-memory.dmp

memory/2948-147-0x000000013FBD0000-0x000000013FF24000-memory.dmp

memory/2272-149-0x000000013FE40000-0x0000000140194000-memory.dmp

memory/2632-150-0x000000013FA20000-0x000000013FD74000-memory.dmp

memory/2644-151-0x000000013F2F0000-0x000000013F644000-memory.dmp

memory/1628-154-0x000000013F990000-0x000000013FCE4000-memory.dmp

memory/2592-153-0x000000013F230000-0x000000013F584000-memory.dmp

memory/2332-155-0x000000013FD30000-0x0000000140084000-memory.dmp

memory/2508-156-0x000000013F970000-0x000000013FCC4000-memory.dmp

memory/2276-157-0x000000013F7F0000-0x000000013FB44000-memory.dmp

memory/840-158-0x000000013F240000-0x000000013F594000-memory.dmp

memory/836-159-0x000000013F560000-0x000000013F8B4000-memory.dmp

memory/2728-160-0x000000013FDC0000-0x0000000140114000-memory.dmp

memory/2520-152-0x000000013FE00000-0x0000000140154000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-07 01:32

Reported

2024-06-07 01:34

Platform

win10v2004-20240226-en

Max time kernel

145s

Max time network

158s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-07_8dae92c0a623158ab5baf9c21b6b47c4_cobalt-strike_cobaltstrike.exe"

Signatures

xmrig

miner xmrig

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\ROeYSOG.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_8dae92c0a623158ab5baf9c21b6b47c4_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\urJcNrT.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_8dae92c0a623158ab5baf9c21b6b47c4_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\wzbSNQU.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_8dae92c0a623158ab5baf9c21b6b47c4_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\oGtRknr.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_8dae92c0a623158ab5baf9c21b6b47c4_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\NNybTjL.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_8dae92c0a623158ab5baf9c21b6b47c4_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\VjsRYph.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_8dae92c0a623158ab5baf9c21b6b47c4_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\HmKhZNa.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_8dae92c0a623158ab5baf9c21b6b47c4_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\UVWmlrf.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_8dae92c0a623158ab5baf9c21b6b47c4_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\APotKmh.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_8dae92c0a623158ab5baf9c21b6b47c4_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ryaFRvh.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_8dae92c0a623158ab5baf9c21b6b47c4_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\FodKnOO.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_8dae92c0a623158ab5baf9c21b6b47c4_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\JIHZaQQ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_8dae92c0a623158ab5baf9c21b6b47c4_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\OxWHUpC.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_8dae92c0a623158ab5baf9c21b6b47c4_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\xuSsqqM.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_8dae92c0a623158ab5baf9c21b6b47c4_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\fZRvYYZ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_8dae92c0a623158ab5baf9c21b6b47c4_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\wPlJqdW.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_8dae92c0a623158ab5baf9c21b6b47c4_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\TqLzuBR.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_8dae92c0a623158ab5baf9c21b6b47c4_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\pNDjMww.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_8dae92c0a623158ab5baf9c21b6b47c4_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\NEFBrTR.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_8dae92c0a623158ab5baf9c21b6b47c4_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\fMedKPU.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_8dae92c0a623158ab5baf9c21b6b47c4_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\oCjEIKQ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_8dae92c0a623158ab5baf9c21b6b47c4_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_8dae92c0a623158ab5baf9c21b6b47c4_cobalt-strike_cobaltstrike.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_8dae92c0a623158ab5baf9c21b6b47c4_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 380 wrote to memory of 4564 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_8dae92c0a623158ab5baf9c21b6b47c4_cobalt-strike_cobaltstrike.exe C:\Windows\System\FodKnOO.exe
PID 380 wrote to memory of 4564 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_8dae92c0a623158ab5baf9c21b6b47c4_cobalt-strike_cobaltstrike.exe C:\Windows\System\FodKnOO.exe
PID 380 wrote to memory of 1704 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_8dae92c0a623158ab5baf9c21b6b47c4_cobalt-strike_cobaltstrike.exe C:\Windows\System\VjsRYph.exe
PID 380 wrote to memory of 1704 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_8dae92c0a623158ab5baf9c21b6b47c4_cobalt-strike_cobaltstrike.exe C:\Windows\System\VjsRYph.exe
PID 380 wrote to memory of 2480 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_8dae92c0a623158ab5baf9c21b6b47c4_cobalt-strike_cobaltstrike.exe C:\Windows\System\TqLzuBR.exe
PID 380 wrote to memory of 2480 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_8dae92c0a623158ab5baf9c21b6b47c4_cobalt-strike_cobaltstrike.exe C:\Windows\System\TqLzuBR.exe
PID 380 wrote to memory of 3616 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_8dae92c0a623158ab5baf9c21b6b47c4_cobalt-strike_cobaltstrike.exe C:\Windows\System\pNDjMww.exe
PID 380 wrote to memory of 3616 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_8dae92c0a623158ab5baf9c21b6b47c4_cobalt-strike_cobaltstrike.exe C:\Windows\System\pNDjMww.exe
PID 380 wrote to memory of 456 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_8dae92c0a623158ab5baf9c21b6b47c4_cobalt-strike_cobaltstrike.exe C:\Windows\System\JIHZaQQ.exe
PID 380 wrote to memory of 456 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_8dae92c0a623158ab5baf9c21b6b47c4_cobalt-strike_cobaltstrike.exe C:\Windows\System\JIHZaQQ.exe
PID 380 wrote to memory of 3784 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_8dae92c0a623158ab5baf9c21b6b47c4_cobalt-strike_cobaltstrike.exe C:\Windows\System\NEFBrTR.exe
PID 380 wrote to memory of 3784 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_8dae92c0a623158ab5baf9c21b6b47c4_cobalt-strike_cobaltstrike.exe C:\Windows\System\NEFBrTR.exe
PID 380 wrote to memory of 3236 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_8dae92c0a623158ab5baf9c21b6b47c4_cobalt-strike_cobaltstrike.exe C:\Windows\System\OxWHUpC.exe
PID 380 wrote to memory of 3236 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_8dae92c0a623158ab5baf9c21b6b47c4_cobalt-strike_cobaltstrike.exe C:\Windows\System\OxWHUpC.exe
PID 380 wrote to memory of 3648 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_8dae92c0a623158ab5baf9c21b6b47c4_cobalt-strike_cobaltstrike.exe C:\Windows\System\ROeYSOG.exe
PID 380 wrote to memory of 3648 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_8dae92c0a623158ab5baf9c21b6b47c4_cobalt-strike_cobaltstrike.exe C:\Windows\System\ROeYSOG.exe
PID 380 wrote to memory of 4064 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_8dae92c0a623158ab5baf9c21b6b47c4_cobalt-strike_cobaltstrike.exe C:\Windows\System\urJcNrT.exe
PID 380 wrote to memory of 4064 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_8dae92c0a623158ab5baf9c21b6b47c4_cobalt-strike_cobaltstrike.exe C:\Windows\System\urJcNrT.exe
PID 380 wrote to memory of 4004 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_8dae92c0a623158ab5baf9c21b6b47c4_cobalt-strike_cobaltstrike.exe C:\Windows\System\fMedKPU.exe
PID 380 wrote to memory of 4004 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_8dae92c0a623158ab5baf9c21b6b47c4_cobalt-strike_cobaltstrike.exe C:\Windows\System\fMedKPU.exe
PID 380 wrote to memory of 1340 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_8dae92c0a623158ab5baf9c21b6b47c4_cobalt-strike_cobaltstrike.exe C:\Windows\System\HmKhZNa.exe
PID 380 wrote to memory of 1340 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_8dae92c0a623158ab5baf9c21b6b47c4_cobalt-strike_cobaltstrike.exe C:\Windows\System\HmKhZNa.exe
PID 380 wrote to memory of 3144 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_8dae92c0a623158ab5baf9c21b6b47c4_cobalt-strike_cobaltstrike.exe C:\Windows\System\oCjEIKQ.exe
PID 380 wrote to memory of 3144 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_8dae92c0a623158ab5baf9c21b6b47c4_cobalt-strike_cobaltstrike.exe C:\Windows\System\oCjEIKQ.exe
PID 380 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_8dae92c0a623158ab5baf9c21b6b47c4_cobalt-strike_cobaltstrike.exe C:\Windows\System\wPlJqdW.exe
PID 380 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_8dae92c0a623158ab5baf9c21b6b47c4_cobalt-strike_cobaltstrike.exe C:\Windows\System\wPlJqdW.exe
PID 380 wrote to memory of 1388 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_8dae92c0a623158ab5baf9c21b6b47c4_cobalt-strike_cobaltstrike.exe C:\Windows\System\xuSsqqM.exe
PID 380 wrote to memory of 1388 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_8dae92c0a623158ab5baf9c21b6b47c4_cobalt-strike_cobaltstrike.exe C:\Windows\System\xuSsqqM.exe
PID 380 wrote to memory of 2092 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_8dae92c0a623158ab5baf9c21b6b47c4_cobalt-strike_cobaltstrike.exe C:\Windows\System\fZRvYYZ.exe
PID 380 wrote to memory of 2092 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_8dae92c0a623158ab5baf9c21b6b47c4_cobalt-strike_cobaltstrike.exe C:\Windows\System\fZRvYYZ.exe
PID 380 wrote to memory of 2168 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_8dae92c0a623158ab5baf9c21b6b47c4_cobalt-strike_cobaltstrike.exe C:\Windows\System\wzbSNQU.exe
PID 380 wrote to memory of 2168 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_8dae92c0a623158ab5baf9c21b6b47c4_cobalt-strike_cobaltstrike.exe C:\Windows\System\wzbSNQU.exe
PID 380 wrote to memory of 3056 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_8dae92c0a623158ab5baf9c21b6b47c4_cobalt-strike_cobaltstrike.exe C:\Windows\System\oGtRknr.exe
PID 380 wrote to memory of 3056 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_8dae92c0a623158ab5baf9c21b6b47c4_cobalt-strike_cobaltstrike.exe C:\Windows\System\oGtRknr.exe
PID 380 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_8dae92c0a623158ab5baf9c21b6b47c4_cobalt-strike_cobaltstrike.exe C:\Windows\System\NNybTjL.exe
PID 380 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_8dae92c0a623158ab5baf9c21b6b47c4_cobalt-strike_cobaltstrike.exe C:\Windows\System\NNybTjL.exe
PID 380 wrote to memory of 3700 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_8dae92c0a623158ab5baf9c21b6b47c4_cobalt-strike_cobaltstrike.exe C:\Windows\System\APotKmh.exe
PID 380 wrote to memory of 3700 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_8dae92c0a623158ab5baf9c21b6b47c4_cobalt-strike_cobaltstrike.exe C:\Windows\System\APotKmh.exe
PID 380 wrote to memory of 4712 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_8dae92c0a623158ab5baf9c21b6b47c4_cobalt-strike_cobaltstrike.exe C:\Windows\System\UVWmlrf.exe
PID 380 wrote to memory of 4712 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_8dae92c0a623158ab5baf9c21b6b47c4_cobalt-strike_cobaltstrike.exe C:\Windows\System\UVWmlrf.exe
PID 380 wrote to memory of 2876 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_8dae92c0a623158ab5baf9c21b6b47c4_cobalt-strike_cobaltstrike.exe C:\Windows\System\ryaFRvh.exe
PID 380 wrote to memory of 2876 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_8dae92c0a623158ab5baf9c21b6b47c4_cobalt-strike_cobaltstrike.exe C:\Windows\System\ryaFRvh.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-07_8dae92c0a623158ab5baf9c21b6b47c4_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-07_8dae92c0a623158ab5baf9c21b6b47c4_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\FodKnOO.exe

C:\Windows\System\FodKnOO.exe

C:\Windows\System\VjsRYph.exe

C:\Windows\System\VjsRYph.exe

C:\Windows\System\TqLzuBR.exe

C:\Windows\System\TqLzuBR.exe

C:\Windows\System\pNDjMww.exe

C:\Windows\System\pNDjMww.exe

C:\Windows\System\JIHZaQQ.exe

C:\Windows\System\JIHZaQQ.exe

C:\Windows\System\NEFBrTR.exe

C:\Windows\System\NEFBrTR.exe

C:\Windows\System\OxWHUpC.exe

C:\Windows\System\OxWHUpC.exe

C:\Windows\System\ROeYSOG.exe

C:\Windows\System\ROeYSOG.exe

C:\Windows\System\urJcNrT.exe

C:\Windows\System\urJcNrT.exe

C:\Windows\System\fMedKPU.exe

C:\Windows\System\fMedKPU.exe

C:\Windows\System\HmKhZNa.exe

C:\Windows\System\HmKhZNa.exe

C:\Windows\System\oCjEIKQ.exe

C:\Windows\System\oCjEIKQ.exe

C:\Windows\System\wPlJqdW.exe

C:\Windows\System\wPlJqdW.exe

C:\Windows\System\xuSsqqM.exe

C:\Windows\System\xuSsqqM.exe

C:\Windows\System\fZRvYYZ.exe

C:\Windows\System\fZRvYYZ.exe

C:\Windows\System\wzbSNQU.exe

C:\Windows\System\wzbSNQU.exe

C:\Windows\System\oGtRknr.exe

C:\Windows\System\oGtRknr.exe

C:\Windows\System\NNybTjL.exe

C:\Windows\System\NNybTjL.exe

C:\Windows\System\APotKmh.exe

C:\Windows\System\APotKmh.exe

C:\Windows\System\UVWmlrf.exe

C:\Windows\System\UVWmlrf.exe

C:\Windows\System\ryaFRvh.exe

C:\Windows\System\ryaFRvh.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3700 --field-trial-handle=2272,i,4858140932023865871,5726683989663339295,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 2.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
GB 142.250.200.10:443 chromewebstore.googleapis.com tcp
US 8.8.8.8:53 pki.goog udp
US 8.8.8.8:53 pki.goog udp
US 216.239.32.29:80 pki.goog tcp
US 8.8.8.8:53 10.200.250.142.in-addr.arpa udp
US 8.8.8.8:53 29.32.239.216.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 13.107.246.64:443 tcp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 144.107.17.2.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 16.173.189.20.in-addr.arpa udp
DE 3.120.209.58:8080 tcp

Files

memory/380-0-0x00007FF7E7C60000-0x00007FF7E7FB4000-memory.dmp

memory/380-1-0x000002D1C22D0000-0x000002D1C22E0000-memory.dmp

C:\Windows\System\FodKnOO.exe

MD5 8003c8ca1c6255c4a9df50b61d369786
SHA1 ef521c59d5519424152618453d9a1ec413a267cf
SHA256 caa068826195e26df36f4f536e4c6574635de1b7a9a02c85ee8ca5d8d8224bf8
SHA512 0384a1e885e5629a148689a8b4027e18c5b2d083fe94b00bac0956a112bba29ab292c390c9a09436cf2e74109a83853e787b70a1e1be9d9ef015a376f3eba795

memory/4564-8-0x00007FF60C670000-0x00007FF60C9C4000-memory.dmp

C:\Windows\System\FodKnOO.exe

MD5 0628374c349921c969043e8b725a574d
SHA1 d4d4b61d7abb11c25e423140f9a833a035819e3d
SHA256 6f83751bb7dc13a49d7ca6c6a874635ca4829b15e2d7e8a8c8ddaf2890ac09c0
SHA512 2db578fa7a962b14aae5c857e6974664cd647108bf44f83523c1fc47be8f0f23756b21e5f42a2231cc51d1daf9889177945ad8eab23827274ef49200ad4dd7a1

C:\Windows\System\VjsRYph.exe

MD5 c83a72fd32d1ea03c4c25e0b40a06534
SHA1 de2f9cae4aaddd2cc18d23899ecdd1c809f91cc1
SHA256 c7c33166fb7303a687223dfb582067f939bce709fca5c41b819da2f4a6dcb359
SHA512 01b6c66abfddb5df6a71e9a20ac803480a15bd6d8e038d46a607a93dd9ea600234a78f6bd587ad7d5b0616a8419e74ad1e4f1e4566d73f0ec035b67591e1923c

memory/1704-14-0x00007FF6575B0000-0x00007FF657904000-memory.dmp

C:\Windows\System\VjsRYph.exe

MD5 fbb6a602f644dbf57142122f30692c9a
SHA1 8158aaa7168744874ea387599d6d2cead21e28a3
SHA256 3ededef3bd2586830b0a8597cb8ce36b4909b0421f6d3ed699083dfd6f8c0a7d
SHA512 594ad340712d040831c50ecaffbc2dabd957ed3d1d45fbdcb2c0a001df0ecad88502ea7ae79d922d80e7ca9a296427129145281a618e70a75857e869e5c45bfe

C:\Windows\System\TqLzuBR.exe

MD5 90be846177ebce09b1bfa8b40630684a
SHA1 43a2c66ff47d9e295f18f8c18fe76b69e8850154
SHA256 2237948f07e37d90442b50a92836356588f3ae1e31ae0d8dac227315cf2c7f65
SHA512 f4ff566c9eaa4a50bcad3cfa87bbb92d072dc2249f94ae304b8cb104e61cee98dba9f3ef0ceebfe48bef05c9c2df36d9188d043c7aa83ca58742993e634b68a6

memory/2480-20-0x00007FF650680000-0x00007FF6509D4000-memory.dmp

memory/3616-26-0x00007FF71ACC0000-0x00007FF71B014000-memory.dmp

C:\Windows\System\pNDjMww.exe

MD5 170dd624fc04fc3839f9c4b66a089ce7
SHA1 689050489367e9d7989856de58d7dae4b3e867bb
SHA256 2882c9c886d8464419d873a9064b43411cb65ebce3e3928914a03cf014d51b3b
SHA512 6c2577b1133dc0e707ddd0582933138a814bc91876e45b902c1ce646d61afa9efa2788e7db3f897838eebb25c1faa4d564ec0bef69844aab72cc22ec6531ab9a

memory/456-32-0x00007FF75B980000-0x00007FF75BCD4000-memory.dmp

C:\Windows\System\JIHZaQQ.exe

MD5 2c29c56557704a5af675ac862b6acadc
SHA1 8095e9a472d534a6ef5dc3ab384273149ae12d48
SHA256 ad78076137bb51fd4326f7a646d70c5d984effb3c1176184b92e2481afe8ee9d
SHA512 f76c7cafe7089612bd2c5136e03dfbe423618b3b68e64692820e5dfa2eb3d816fbca1bfa4bd5be14823ba5172f77c777b526463c4d46646574bc76ae1535f049

memory/3784-38-0x00007FF64E620000-0x00007FF64E974000-memory.dmp

memory/3236-44-0x00007FF6C5980000-0x00007FF6C5CD4000-memory.dmp

C:\Windows\System\urJcNrT.exe

MD5 e8c4508a392ccf08590d3627a36cc3c3
SHA1 3a57dd6c92ebc54582acaafd15cc9311eb0d15a2
SHA256 cea51cc96156d8e8255e2ccada29ae7300a3315f995e7ba6d44446f87dc9a09d
SHA512 f92387e78f5fe98543d9e60ae371868a188c86c9137b7d0a0d3bf28026dbd3fc59a4eb30687c1a9721f81959fcdee80d280162f492d355d2ec0e6a7c5d939410

memory/4064-56-0x00007FF745350000-0x00007FF7456A4000-memory.dmp

memory/3648-50-0x00007FF61CF00000-0x00007FF61D254000-memory.dmp

C:\Windows\System\fMedKPU.exe

MD5 992e15ebc2245cf970acce9948576d6c
SHA1 3322f50d4aebf915abc8a5277cd07a23adf5f127
SHA256 34aca34b8538d4e7f9b5ca1806b2281a0382769188fd9d2c13b1e312e96b00f5
SHA512 2299491ec9c9bd4a6ac0a40bf192f660f0f17c74b61aa4e0097b4c4f83a6d479f7a76f02af36d33e9826debb7591943213a22619c67db9751ef075d87dd44bf7

memory/380-62-0x00007FF7E7C60000-0x00007FF7E7FB4000-memory.dmp

memory/4004-63-0x00007FF7BF890000-0x00007FF7BFBE4000-memory.dmp

C:\Windows\System\NEFBrTR.exe

MD5 2543c4760bd9af7f70b7834411ab61af
SHA1 ed963cb76a076b222f6cdae99e8563d4444f6351
SHA256 c5992c95fef0e281d0ce0d741b02048e13663a833b3e0a3351e4871cc0042001
SHA512 37d8c491a184de94728c08add4a199f5cd8ae60d7cd02c39ad185a2859dd5e731e72c9b8cd0fd70525b0b413284ba12790037144a49d111203eb80cb9afcba56

memory/4564-68-0x00007FF60C670000-0x00007FF60C9C4000-memory.dmp

memory/1340-70-0x00007FF7F5A50000-0x00007FF7F5DA4000-memory.dmp

C:\Windows\System\oCjEIKQ.exe

MD5 4ebd1901e669a14d40cee031fd206e82
SHA1 48b4d9303ce77228a3ead5a9a71386291542a98f
SHA256 877be2224a2b649da5f78203ecb3453feb6fa6bbbc2d6c8d511c50eacb8915e1
SHA512 c4c64ecded98a2388cd280fbf03b1c4943ae108cca32936b19ec1dc9b1e2275f8c7fb5cb86b3ef39ae05d629ddb91ee9822452b1bc6582399603f35642ecf087

memory/1704-76-0x00007FF6575B0000-0x00007FF657904000-memory.dmp

memory/3144-77-0x00007FF662DD0000-0x00007FF663124000-memory.dmp

C:\Windows\System\wzbSNQU.exe

MD5 0b1dc771469fa6753e7aace834956918
SHA1 ab392eb1cb5fc16a55a2c41b7c5a6d56cfdeced7
SHA256 60a5948084400707991c40b4413636168d0f0501efbc67fab461d4937de55fb6
SHA512 6ff29d03eaaae06a15e3efe1ea402940d3f7a6e2ebae2266481a1a80576dd91702b1cbddedd5f74c67cdfdf217582f180323fa66c29c2525747039f60c34ba60

C:\Windows\System\fZRvYYZ.exe

MD5 0003cb25d8e5fcf51d1ea8407b9410fc
SHA1 fc0940ac8a56e45a19f31c325aba00f814dae439
SHA256 f5fa7230c7358dee6dd18f92cbc76b430b9f4ae3743c5a87ae43ab57b0f17dc2
SHA512 3e0a7f0919968a398f15d36d7bf5f20d80e4d21e13f2a12bc61387d700f7223beda84fce19bb9725494efe691fdd480b4475f6cce34df5d279cf37a6a2663e87

memory/2480-100-0x00007FF650680000-0x00007FF6509D4000-memory.dmp

memory/2812-102-0x00007FF6F4860000-0x00007FF6F4BB4000-memory.dmp

memory/2168-107-0x00007FF63C330000-0x00007FF63C684000-memory.dmp

memory/2092-106-0x00007FF68D6E0000-0x00007FF68DA34000-memory.dmp

memory/1388-103-0x00007FF7ACE60000-0x00007FF7AD1B4000-memory.dmp

memory/2596-122-0x00007FF7083F0000-0x00007FF708744000-memory.dmp

memory/456-124-0x00007FF75B980000-0x00007FF75BCD4000-memory.dmp

C:\Windows\System\ryaFRvh.exe

MD5 0642442db4acbbfb6037e06789624264
SHA1 923aee440a6887c7a7a8a78085aa492b2cdcee65
SHA256 5d6249e3d37c32c515e6f20e0771180c7b51c791102dfffe39e4510d623eda85
SHA512 7fc8231c299b64743a966130c519362217b11d421c0ccc65ca7c97570221449b6e5bd90caefa97b416470db36fac07c3f48ea41836b395ab190e6121598e88a1

C:\Windows\System\UVWmlrf.exe

MD5 cefe7ebbcbdc6a5e5023e2ad8530b25b
SHA1 6e0d7ab1a6ddd7ee739d050791a70816c80e15a8
SHA256 6ab2207c199b9f50a07b7695194b47a621541e0d37d9b22f0438e67dcb93d475
SHA512 93f98af6631d01c751345fac9f47be26cfbc75dd9db0dd1fbd6fa2e5834aa5211f8d199ade4392a702dd45e08ec6d96b6b5fac0e6e70a1f9a03484c2b65fa844

memory/3700-125-0x00007FF6E3DA0000-0x00007FF6E40F4000-memory.dmp

C:\Windows\System\UVWmlrf.exe

MD5 711965c0ed770375b388ea9b5ea57c70
SHA1 21f7ffc0c96b29ee6bc8176dc97f6fd049d110a2
SHA256 c07d701eb04ab4f8699484a3bd23da869373ffe5abb89855dad47bf019625666
SHA512 1805d8628649a043140bc3aafe1e7909e2e2c4d13967ba772fc49046b58f359c9204953c678c902e0a7afe7ca922f35fcfea6266309db91efb45c72ff619c428

memory/3056-119-0x00007FF7A8510000-0x00007FF7A8864000-memory.dmp

memory/3616-115-0x00007FF71ACC0000-0x00007FF71B014000-memory.dmp

memory/3784-133-0x00007FF64E620000-0x00007FF64E974000-memory.dmp

memory/2876-135-0x00007FF74E890000-0x00007FF74EBE4000-memory.dmp

memory/3236-134-0x00007FF6C5980000-0x00007FF6C5CD4000-memory.dmp

memory/4712-132-0x00007FF69DC40000-0x00007FF69DF94000-memory.dmp

memory/4564-136-0x00007FF60C670000-0x00007FF60C9C4000-memory.dmp

memory/1704-137-0x00007FF6575B0000-0x00007FF657904000-memory.dmp

memory/2480-138-0x00007FF650680000-0x00007FF6509D4000-memory.dmp

memory/3616-139-0x00007FF71ACC0000-0x00007FF71B014000-memory.dmp

memory/456-140-0x00007FF75B980000-0x00007FF75BCD4000-memory.dmp

memory/3784-141-0x00007FF64E620000-0x00007FF64E974000-memory.dmp

memory/3236-142-0x00007FF6C5980000-0x00007FF6C5CD4000-memory.dmp

memory/3648-143-0x00007FF61CF00000-0x00007FF61D254000-memory.dmp

memory/4064-144-0x00007FF745350000-0x00007FF7456A4000-memory.dmp

memory/4004-145-0x00007FF7BF890000-0x00007FF7BFBE4000-memory.dmp

memory/1340-146-0x00007FF7F5A50000-0x00007FF7F5DA4000-memory.dmp

memory/3144-147-0x00007FF662DD0000-0x00007FF663124000-memory.dmp

memory/2812-148-0x00007FF6F4860000-0x00007FF6F4BB4000-memory.dmp

memory/1388-149-0x00007FF7ACE60000-0x00007FF7AD1B4000-memory.dmp

memory/2092-150-0x00007FF68D6E0000-0x00007FF68DA34000-memory.dmp

memory/2168-151-0x00007FF63C330000-0x00007FF63C684000-memory.dmp

memory/3056-152-0x00007FF7A8510000-0x00007FF7A8864000-memory.dmp

memory/2596-153-0x00007FF7083F0000-0x00007FF708744000-memory.dmp

memory/3700-154-0x00007FF6E3DA0000-0x00007FF6E40F4000-memory.dmp

memory/4712-155-0x00007FF69DC40000-0x00007FF69DF94000-memory.dmp

memory/2876-156-0x00007FF74E890000-0x00007FF74EBE4000-memory.dmp