Analysis
Max time kernel: 153s
Max time network: 167s
Platform: windows10-2004_x64
Resource: win10v2004-20240226-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 07-06-2024 01:32

Behavioral task: behavioral1
Sample: 2024-06-07_8e35823e8117c85255225df826c30dc5_cobalt-strike_cobaltstrike.exe
Resource: win7-20240221-en
General
Target: 2024-06-07_8e35823e8117c85255225df826c30dc5_cobalt-strike_cobaltstrike.exe
Size: 5.9MB
MD5: 8e35823e8117c85255225df826c30dc5
SHA1: 812b6655831abc94f18127481508fd3b82be5992
SHA256: f46f94f88649139805ddbefd1fb1fe21f1a57d9c49e64d5f1a3d093262151d72
SHA512: 8873c088108e916dc6780786892a9b339815eec4f9f254da0853d74261a25d42aa2db4d6b37e8ebc6f0ed5a530a1fd0a9979c23d30ce647b5c5ef453984b9e98
SSDEEP: 98304:BemTLkNdfE0pZrt56utgpPFotBER/mQ32lU+:Q+856utgpPF8u/7+
Signatures
UPX dump on OEP (original entry point) 28 IoCs
XMRig Miner payload 58 IoCs
Executes dropped EXE 21 IoCs
Processes:
  pid   process
  3304  xjypVYA.exe
  5036  hXQyAWz.exe
  4048  MamSpXd.exe
  2184  DgPyPZb.exe
  4696  BLkKKmW.exe
  3820  AuKPpYK.exe
  2440  sztkdEc.exe
  1460  AKCMuzg.exe
  3308  XpRwATS.exe
  1676  uvURIqk.exe
  432   PZNcYgl.exe
  4104  jXBDidm.exe
  4044  lYsjqPm.exe
  3936  FyvILwF.exe
  4652  DzEVCqL.exe
  2956  kPlYftQ.exe
  4572  kFlAZWH.exe
  4384  ePYZOUS.exe
  928   vGkCFFd.exe
  3412  wVjfYQj.exe
  4128  jDliCsO.exe
Drops file in Windows directory 21 IoCs
Processes:
All 21 entries have description "File created" and process 2024-06-07_8e35823e8117c85255225df826c30dc5_cobalt-strike_cobaltstrike.exe; the ioc column lists the created file:
  C:\Windows\System\MamSpXd.exe
  C:\Windows\System\sztkdEc.exe
  C:\Windows\System\xjypVYA.exe
  C:\Windows\System\hXQyAWz.exe
  C:\Windows\System\PZNcYgl.exe
  C:\Windows\System\jXBDidm.exe
  C:\Windows\System\kPlYftQ.exe
  C:\Windows\System\wVjfYQj.exe
  C:\Windows\System\DgPyPZb.exe
  C:\Windows\System\BLkKKmW.exe
  C:\Windows\System\AKCMuzg.exe
  C:\Windows\System\uvURIqk.exe
  C:\Windows\System\DzEVCqL.exe
  C:\Windows\System\ePYZOUS.exe
  C:\Windows\System\jDliCsO.exe
  C:\Windows\System\AuKPpYK.exe
  C:\Windows\System\XpRwATS.exe
  C:\Windows\System\lYsjqPm.exe
  C:\Windows\System\FyvILwF.exe
  C:\Windows\System\kFlAZWH.exe
  C:\Windows\System\vGkCFFd.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
  description                   pid  process
  Token: SeLockMemoryPrivilege  792  2024-06-07_8e35823e8117c85255225df826c30dc5_cobalt-strike_cobaltstrike.exe
  Token: SeLockMemoryPrivilege  792  2024-06-07_8e35823e8117c85255225df826c30dc5_cobalt-strike_cobaltstrike.exe
SeLockMemoryPrivilege is the "Lock pages in memory" right needed to allocate large pages; XMRig requests it for its RandomX working set, so this hit is consistent with the XMRig Miner payload rule matches above.
Suspicious use of WriteProcessMemory 42 IoCs
Processes:
Source in every entry: PID 792, 2024-06-07_8e35823e8117c85255225df826c30dc5_cobalt-strike_cobaltstrike.exe. Each of the 21 target processes below is recorded twice, giving the 42 entries:
  target pid  target process
  3304        xjypVYA.exe
  5036        hXQyAWz.exe
  4048        MamSpXd.exe
  2184        DgPyPZb.exe
  4696        BLkKKmW.exe
  3820        AuKPpYK.exe
  2440        sztkdEc.exe
  1460        AKCMuzg.exe
  3308        XpRwATS.exe
  1676        uvURIqk.exe
  432         PZNcYgl.exe
  4104        jXBDidm.exe
  4044        lYsjqPm.exe
  3936        FyvILwF.exe
  4652        DzEVCqL.exe
  2956        kPlYftQ.exe
  4572        kFlAZWH.exe
  4384        ePYZOUS.exe
  928         vGkCFFd.exe
  3412        wVjfYQj.exe
  4128        jDliCsO.exe
Processes
- (depth 1) C:\Users\Admin\AppData\Local\Temp\2024-06-07_8e35823e8117c85255225df826c30dc5_cobalt-strike_cobaltstrike.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2024-06-07_8e35823e8117c85255225df826c30dc5_cobalt-strike_cobaltstrike.exe"
  PID: 792
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Child processes (depth 2); each was started with its own path as the command line and is flagged "Executes dropped EXE":
  - C:\Windows\System\xjypVYA.exe (PID 3304)
  - C:\Windows\System\hXQyAWz.exe (PID 5036)
  - C:\Windows\System\MamSpXd.exe (PID 4048)
  - C:\Windows\System\DgPyPZb.exe (PID 2184)
  - C:\Windows\System\BLkKKmW.exe (PID 4696)
  - C:\Windows\System\AuKPpYK.exe (PID 3820)
  - C:\Windows\System\sztkdEc.exe (PID 2440)
  - C:\Windows\System\AKCMuzg.exe (PID 1460)
  - C:\Windows\System\XpRwATS.exe (PID 3308)
  - C:\Windows\System\uvURIqk.exe (PID 1676)
  - C:\Windows\System\PZNcYgl.exe (PID 432)
  - C:\Windows\System\jXBDidm.exe (PID 4104)
  - C:\Windows\System\lYsjqPm.exe (PID 4044)
  - C:\Windows\System\FyvILwF.exe (PID 3936)
  - C:\Windows\System\DzEVCqL.exe (PID 4652)
  - C:\Windows\System\kPlYftQ.exe (PID 2956)
  - C:\Windows\System\kFlAZWH.exe (PID 4572)
  - C:\Windows\System\ePYZOUS.exe (PID 4384)
  - C:\Windows\System\vGkCFFd.exe (PID 928)
  - C:\Windows\System\wVjfYQj.exe (PID 3412)
  - C:\Windows\System\jDliCsO.exe (PID 4128)
- (depth 1) C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3488 --field-trial-handle=3088,i,14310325015283915034,7660943942870463106,262144 --variations-seed-version /prefetch:8
  PID: 1508
Downloads