Malware Analysis Report

2024-10-24 18:16

Sample ID 240607-byeqcagd74
Target 2024-06-07_8e35823e8117c85255225df826c30dc5_cobalt-strike_cobaltstrike
SHA256 f46f94f88649139805ddbefd1fb1fe21f1a57d9c49e64d5f1a3d093262151d72
Tags
cobaltstrike xmrig 0 backdoor miner trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

f46f94f88649139805ddbefd1fb1fe21f1a57d9c49e64d5f1a3d093262151d72

Threat Level: Known bad

The file 2024-06-07_8e35823e8117c85255225df826c30dc5_cobalt-strike_cobaltstrike was found to be: Known bad.

Malicious Activity Summary

cobaltstrike xmrig 0 backdoor miner trojan upx

Cobaltstrike family (cobaltstrike)

Xmrig family (xmrig)

Cobalt Strike reflective loader

Detects Reflective DLL injection artifacts

XMRig Miner payload

UPX packed file

UPX dump on OEP (original entry point)

Unsigned PE

Loads dropped DLL

Executes dropped EXE

Drops file in Windows directory

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-07 01:33

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike family

cobaltstrike

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Xmrig family

xmrig

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-07 01:32

Reported

2024-06-07 01:35

Platform

win7-20240221-en

Max time kernel

141s

Max time network

145s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-07_8e35823e8117c85255225df826c30dc5_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
21 hits; no description, indicator, process or target recorded

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
21 hits; no description, indicator, process or target recorded

UPX dump on OEP (original entry point)

Description Indicator Process Target
55 hits; no description, indicator, process or target recorded

XMRig Miner payload

miner
Description Indicator Process Target
64 hits; no description, indicator, process or target recorded

Loads dropped DLL

Description Indicator Process Target
21 hits, all in process C:\Users\Admin\AppData\Local\Temp\2024-06-07_8e35823e8117c85255225df826c30dc5_cobalt-strike_cobaltstrike.exe; no description, indicator or target recorded

UPX packed file

upx
Description Indicator Process Target
64 hits; no description, indicator, process or target recorded

Drops file in Windows directory

Description Indicator Process Target
All 21 rows are "File created" by C:\Users\Admin\AppData\Local\Temp\2024-06-07_8e35823e8117c85255225df826c30dc5_cobalt-strike_cobaltstrike.exe (indicator N/A, target N/A). Files created, in the order reported:
C:\Windows\System\UgBMrXT.exe
C:\Windows\System\dPtRfHI.exe
C:\Windows\System\NiAPHNt.exe
C:\Windows\System\COHydri.exe
C:\Windows\System\tHwAFJm.exe
C:\Windows\System\AxEHrDS.exe
C:\Windows\System\watqKHK.exe
C:\Windows\System\QVAtAqh.exe
C:\Windows\System\REyxMGV.exe
C:\Windows\System\mSGcvNs.exe
C:\Windows\System\wCyNZFR.exe
C:\Windows\System\gCNIVJw.exe
C:\Windows\System\ATWejPI.exe
C:\Windows\System\wBLvgrw.exe
C:\Windows\System\oUqyfHP.exe
C:\Windows\System\knnyXHh.exe
C:\Windows\System\huITLBA.exe
C:\Windows\System\tEUiHEb.exe
C:\Windows\System\ZTroHHb.exe
C:\Windows\System\JKeGUUC.exe
C:\Windows\System\zwElSMx.exe

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_8e35823e8117c85255225df826c30dc5_cobalt-strike_cobaltstrike.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_8e35823e8117c85255225df826c30dc5_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
All 63 rows have process C:\Users\Admin\AppData\Local\Temp\2024-06-07_8e35823e8117c85255225df826c30dc5_cobalt-strike_cobaltstrike.exe (PID 2016) and indicator N/A; every child received three writes. One row per child, in the order reported:
PID 2016 wrote to memory of 2000 (3 writes) C:\Windows\System\AxEHrDS.exe
PID 2016 wrote to memory of 1532 (3 writes) C:\Windows\System\huITLBA.exe
PID 2016 wrote to memory of 2524 (3 writes) C:\Windows\System\wCyNZFR.exe
PID 2016 wrote to memory of 2584 (3 writes) C:\Windows\System\gCNIVJw.exe
PID 2016 wrote to memory of 2652 (3 writes) C:\Windows\System\watqKHK.exe
PID 2016 wrote to memory of 2592 (3 writes) C:\Windows\System\tEUiHEb.exe
PID 2016 wrote to memory of 2852 (3 writes) C:\Windows\System\QVAtAqh.exe
PID 2016 wrote to memory of 2824 (3 writes) C:\Windows\System\ZTroHHb.exe
PID 2016 wrote to memory of 2480 (3 writes) C:\Windows\System\REyxMGV.exe
PID 2016 wrote to memory of 2608 (3 writes) C:\Windows\System\UgBMrXT.exe
PID 2016 wrote to memory of 1768 (3 writes) C:\Windows\System\dPtRfHI.exe
PID 2016 wrote to memory of 2924 (3 writes) C:\Windows\System\ATWejPI.exe
PID 2016 wrote to memory of 2932 (3 writes) C:\Windows\System\JKeGUUC.exe
PID 2016 wrote to memory of 2032 (3 writes) C:\Windows\System\NiAPHNt.exe
PID 2016 wrote to memory of 1672 (3 writes) C:\Windows\System\zwElSMx.exe
PID 2016 wrote to memory of 2696 (3 writes) C:\Windows\System\oUqyfHP.exe
PID 2016 wrote to memory of 1084 (3 writes) C:\Windows\System\COHydri.exe
PID 2016 wrote to memory of 2780 (3 writes) C:\Windows\System\wBLvgrw.exe
PID 2016 wrote to memory of 2760 (3 writes) C:\Windows\System\mSGcvNs.exe
PID 2016 wrote to memory of 1828 (3 writes) C:\Windows\System\tHwAFJm.exe
PID 2016 wrote to memory of 1716 (3 writes) C:\Windows\System\knnyXHh.exe
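The three behavioural signatures above describe one chain: the submitted sample creates randomly named executables directly under C:\Windows\System, starts each one, writes into the new child's memory three times, and along the way requests SeLockMemoryPrivilege, which XMRig needs to back its RandomX scratchpads with large pages (database engines are the usual legitimate requesters). The Python below scores that chain as a unit over process telemetry. It is an added example written for this page, not code from the sandbox or its report; the event dicts, their field names and the minimum-drop threshold are assumptions, and the sample events are constructed from three of the 21 children in the tables above. In Sysmon terms the corresponding telemetry is Event ID 11 (FileCreate), 1 (ProcessCreate) and 10 (ProcessAccess with a write-capable access mask, since Sysmon has no direct WriteProcessMemory event); that mapping is left to the reader.

```python
"""Score the dropper chain seen in this report over Sysmon-style events.

Added example for this page, not code from the sandbox or its report. The
event dicts, their field names and the thresholds are assumptions chosen for
illustration; map them onto your own telemetry before use.
"""
import re
from collections import defaultdict

# Seven letters directly under C:\Windows\System: the naming pattern of
# every file dropped in this report.
RANDOM_SYSTEM_EXE = re.compile(r"^C:\\Windows\\System\\[A-Za-z]{7}\.exe$", re.I)


def score_chain(events, min_drops=3):
    """Return {parent_pid: findings} for processes that create several
    randomly named executables under C:\\Windows\\System, start them, and
    then write into those children. A SeLockMemoryPrivilege request by the
    same process is attached as supporting evidence."""
    drops = defaultdict(set)                          # pid -> created paths
    spawned = defaultdict(dict)                       # parent -> {child: image}
    writes = defaultdict(lambda: defaultdict(int))    # writer -> {target: n}
    lockmem = set()                                   # pids asking for the privilege
    for e in events:
        kind = e["event"]
        if kind == "FileCreate" and RANDOM_SYSTEM_EXE.match(e["target"]):
            drops[e["pid"]].add(e["target"].lower())
        elif kind == "ProcessCreate" and RANDOM_SYSTEM_EXE.match(e["image"]):
            spawned[e["parent_pid"]][e["pid"]] = e["image"].lower()
        elif kind == "WriteProcessMemory":
            writes[e["pid"]][e["target_pid"]] += 1
        elif kind == "AdjustPrivilegeToken" and e["privilege"] == "SeLockMemoryPrivilege":
            lockmem.add(e["pid"])

    findings = {}
    for pid, paths in drops.items():
        # Only children whose image is one of the files this process dropped.
        executed = {c: img for c, img in spawned.get(pid, {}).items() if img in paths}
        injected = {c: n for c, n in writes.get(pid, {}).items() if c in executed}
        if len(paths) >= min_drops and executed and injected:
            findings[pid] = {
                "dropped": len(paths),
                "executed": len(executed),
                "written_into": len(injected),
                "writes_per_child": sorted(set(injected.values())),
                "lock_memory_privilege": pid in lockmem,
            }
    return findings


PARENT = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\2024-06-07_8e35823e8117c85255225df826c30dc5_cobalt-strike_cobaltstrike.exe")
# Three of the 21 children from the report's WriteProcessMemory table.
CHILDREN = {2000: r"C:\Windows\System\AxEHrDS.exe",
            1532: r"C:\Windows\System\huITLBA.exe",
            2524: r"C:\Windows\System\wCyNZFR.exe"}


def sample_events():
    """Constructed events modelled on the report's tables (not sandbox output)."""
    ev = [{"event": "AdjustPrivilegeToken", "pid": 2016, "image": PARENT,
           "privilege": "SeLockMemoryPrivilege"}]
    for cpid, path in CHILDREN.items():
        ev.append({"event": "FileCreate", "pid": 2016, "image": PARENT, "target": path})
        ev.append({"event": "ProcessCreate", "pid": cpid, "parent_pid": 2016, "image": path})
        # The report shows exactly three writes per child.
        ev.extend({"event": "WriteProcessMemory", "pid": 2016, "target_pid": cpid}
                  for _ in range(3))
    # Benign noise: an installer creating one executable elsewhere.
    ev.append({"event": "FileCreate", "pid": 4242, "image": r"C:\Temp\setup.exe",
               "target": r"C:\Program Files\App\app.exe"})
    return ev


if __name__ == "__main__":
    for pid, finding in score_chain(sample_events()).items():
        print(pid, finding)
```

The threshold of three drops is deliberately low for the sample; against real telemetry the count of distinct random names under C:\Windows\System is the strongest single discriminator, and a SeLockMemoryPrivilege request from anything that is not a known database or hypervisor process is worth its own alert regardless of the rest of the chain.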

Processes

Parent, with the command line as submitted:

C:\Users\Admin\AppData\Local\Temp\2024-06-07_8e35823e8117c85255225df826c30dc5_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-07_8e35823e8117c85255225df826c30dc5_cobalt-strike_cobaltstrike.exe"

Dropped executables started by the parent; each one's command line is its bare path with no arguments:

C:\Windows\System\AxEHrDS.exe

C:\Windows\System\huITLBA.exe

C:\Windows\System\wCyNZFR.exe

C:\Windows\System\gCNIVJw.exe

C:\Windows\System\watqKHK.exe

C:\Windows\System\tEUiHEb.exe

C:\Windows\System\QVAtAqh.exe

C:\Windows\System\ZTroHHb.exe

C:\Windows\System\REyxMGV.exe

C:\Windows\System\UgBMrXT.exe

C:\Windows\System\dPtRfHI.exe

C:\Windows\System\ATWejPI.exe

C:\Windows\System\JKeGUUC.exe

C:\Windows\System\NiAPHNt.exe

C:\Windows\System\zwElSMx.exe

C:\Windows\System\oUqyfHP.exe

C:\Windows\System\COHydri.exe

C:\Windows\System\wBLvgrw.exe

C:\Windows\System\mSGcvNs.exe

C:\Windows\System\tHwAFJm.exe

C:\Windows\System\knnyXHh.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 (no domain recorded) tcp, 6 connections

Files

memory/2016-0-0x000000013F8A0000-0x000000013FBF4000-memory.dmp

memory/2016-1-0x00000000000F0000-0x0000000000100000-memory.dmp

\Windows\system\AxEHrDS.exe

MD5 1e2fa26a0bdb80c9f51db7f223b1d934
SHA1 b24928cf63ed334707dd03329a92fb1c516a7d08
SHA256 82406e12deac8d9b42bc6d21b7e1286ac90761d01e5a0532b59e91d85678f5cf
SHA512 56c4b19417e417efbcfd458823cac8b1443d6d75ed8eb1f64899af3c10ea93285946af3e4c3b92549c41f2781a0fa6607bf826e339174ea9bf03a5a5dbe4d65c

\Windows\system\huITLBA.exe

MD5 b282207d94a4bfe78b80ce9bab86f40b
SHA1 d52c5a6a8200e5dc04e94904ec4c618b41bfa6b9
SHA256 a4e5841ee20393217580204a858570f47c2f89857c032c83a47660a57b950228
SHA512 c6d7f002d3500225ac635fc05b1d651449ca57c32347170da2f4e65d7aabb537c0ad77db76a7f14c8db72f6e71c6d7e04d54ee723b3e78a0f9272a57e9a66006

memory/2016-6-0x000000013F270000-0x000000013F5C4000-memory.dmp

memory/1532-15-0x000000013F090000-0x000000013F3E4000-memory.dmp

C:\Windows\system\wCyNZFR.exe

MD5 1cf5151ba8f728f3872f83a75207b136
SHA1 ced2423cc6d032d93a1fd4ced600547698410cfe
SHA256 316f988345a7b5675b0d84d3c397f610bb20b3b852ec0a87fd8bc9272a0d7be5
SHA512 a7699232d204949aa41553aad4e2079da92b76461fff3df38f3151bec9e5067696df7a01036d487414ef1238784f3061e4e89ab1381ca24c72818c6808e2760e

memory/2016-23-0x0000000002420000-0x0000000002774000-memory.dmp

C:\Windows\system\tEUiHEb.exe

MD5 8eae66ff6eb8f3b2c19e77ec55a5bcc2
SHA1 1c083e5de90581022a39684bc059628e2f8fd661
SHA256 21182fdc945ba77cd4cdbc6f0ba3dea29c385632d50d78db488583cb9c4de0e9
SHA512 e410d97c9e46e963bbf4669e951c153dc81082655d612f697c9ac0e699b62712b211c10b93a50e10380cdc9a7d2424de6931345490f14aa690b71f99c50ec9b6

memory/2592-40-0x000000013F370000-0x000000013F6C4000-memory.dmp

memory/2584-39-0x000000013FE50000-0x00000001401A4000-memory.dmp

memory/2016-45-0x000000013FEF0000-0x0000000140244000-memory.dmp

memory/2016-54-0x0000000002420000-0x0000000002774000-memory.dmp

memory/2824-55-0x000000013F810000-0x000000013FB64000-memory.dmp

C:\Windows\system\REyxMGV.exe

MD5 3f0d8010a2fd12896ede491b3c442c1c
SHA1 293a36b531ddd1e7ec6692dfeb27040ecc7efb9b
SHA256 9a4fccc778f22b3af6337b6afe9e432269906d2dbcaf0dec232412f6f3c8bfa8
SHA512 b0b22b36b635c9729788352f1f00fdedd52f5cbd43bf16c0436293aad5cd819fdd1db6d9f90ee5fdcc17fd9c3b1c404f1f6fd07aa5c31363acb91bc8890378a8

memory/2480-62-0x000000013F140000-0x000000013F494000-memory.dmp

memory/1768-82-0x000000013F760000-0x000000013FAB4000-memory.dmp

C:\Windows\system\dPtRfHI.exe

MD5 c9ddb2738533bc3d53756adae66f7177
SHA1 e0c105e34f79f5da6a9c27ea17ecacdb4d590f27
SHA256 82e28bad40d03a540cef9492b96f05b923c4d82c0f30307765295d581d44a15c
SHA512 adc7f4c4287886ac83bb3272d93a366d1f89a06f35a5af60acfbcc7a40870187d3e0642dcfabb8af4e7bdab81ab1b9fc3884867a8a4e18d2c3eed83589da7502

memory/2032-102-0x000000013F6C0000-0x000000013FA14000-memory.dmp

C:\Windows\system\oUqyfHP.exe

MD5 ab1bb5c6d8831a39a6b8feac38d9b41d
SHA1 f825c70db33925f5bdf26fc70ddf41d6e86c2869
SHA256 706205d2dc1f1927a543c805ebf718d24f438b6378f0ca25bdc72edea6b107d6
SHA512 cc1d441726066637c524af945c4a0be45c229e45eec6bb7914011a7876cbaab8b87320929f5d3bbb6a7f9df2437510e609efd919b8728c00213da5c6a1cc86ae

C:\Windows\system\wBLvgrw.exe

MD5 9d775d51a510618cb995b6c88d08b05a
SHA1 227ebcb59ea1cbff34d40b1b06c54fd500bbcc43
SHA256 1be2615186b4a367a8f8db0ffec2447da8df8dc4a4e546425be57f1ba4c5d062
SHA512 93b898ad1fe778e06de68233b4916152913fff142641c838f5feb748398c3e0f0f6214498b87793e80597c8a81aadc74d1f8f57661947351e33165319167b407

C:\Windows\system\tHwAFJm.exe

MD5 0f60ef2f8deda7139ed6127bd2b36b59
SHA1 8acfe14ece63d2205606d5be74f35dca5a01524c
SHA256 9da6e7e2ef597a3b493894ccfcf133aa321fea7dfe3829efa31126e7033bc92b
SHA512 510a4455cf674e70c5ace338e841d17ceba0cc2dbd0143b734e37917deea032ab57ae0beaa818ffae264cafdc66ea6d0b20042ecda4aa5638ae83cee889b9ca9

\Windows\system\knnyXHh.exe

MD5 d6b0d405ef112ca8a6a8240adc18230a
SHA1 0a52951ca8e4803f314355b2b46a2b50c8d27d89
SHA256 76d5cade0474365c8e5141da26e1684c16c6e9160f153d2a5987b40ec8f58e56
SHA512 f8e35957f41da78d7d03f3f377a8e4d6694ca0814ffd91ca54b07923fe2dc3eaf13e46b55e0b04026b156d40a1ff91620aa7bae33bc708b6530f95be6fe4edb6

C:\Windows\system\mSGcvNs.exe

MD5 9ebbb3ac7ea27bb42f3f4c46b353d37c
SHA1 4c3a8bfd0b92f6ca75c906f6eb5328e2e601b63f
SHA256 e19c90fef98642be1ad711cf21cc86bb5d318604019ea18be86f9689dc696ba0
SHA512 006d08c45f80e2969688010aa0ed928b92d9311d48fc2c61cf02b020132833893ab3ab0285a3c660341144a333fd51a3681f0bcf28e2890ee236c6dba400ae0f

C:\Windows\system\COHydri.exe

MD5 38e1b7b0b9aa649f5c14f03127a6d132
SHA1 3917ca36707cd2c4dba6b6926d34a14a7bb117b1
SHA256 ddb3f57945f3929208b2b32e9fb1bc992b84f62c9f6d825404b952bbb20eee72
SHA512 47f8cf2986d63387cdc2751aeb8271afa2f9ce56ab0a21337ea9677985ff041ab00a0daf7ea6b9731948111f864f618de503be2edb6c7c0b58599566140c22a0

\Windows\system\COHydri.exe

MD5 a8020fde75bc781e29fe9163124e8892
SHA1 d4b0ae5ad2ce4c0ec3a5afa2d36b21249c6cfef7
SHA256 62dedc723d589a17cb1b0769420311188d010af638323d4d7bf074019b57c1dd
SHA512 019d92ac7ecebf6d386da7837916780a7425e7838678cd773a19f5e6b3cc5d1f53da24dca8fdc8585007d7d3521062334b4178eb8b71ee7fea9b8ad607587408

memory/2852-140-0x000000013FEF0000-0x0000000140244000-memory.dmp

memory/2016-108-0x0000000002420000-0x0000000002774000-memory.dmp

C:\Windows\system\zwElSMx.exe

MD5 553c5b307d5e446477417dc73cb98d6a
SHA1 98df8869cd007195431c083e32c90f3bd40d44e2
SHA256 007931fd2f35e7cca7666cc5a3a03cab80cf03b9ba9845861eb15ea0431f6683
SHA512 acfab804e321955a08e23408169333bbf38acf8efad50c4ef9c96eb24d551bf561fd03d309e3819041a30695977ec594b4732f3446ddb5819fdb769987061e1f

memory/2016-101-0x0000000002420000-0x0000000002774000-memory.dmp

memory/2592-100-0x000000013F370000-0x000000013F6C4000-memory.dmp

memory/2584-99-0x000000013FE50000-0x00000001401A4000-memory.dmp

C:\Windows\system\NiAPHNt.exe

MD5 356b0a8c98dc90cf3571a7c28beba034
SHA1 4cbc5601053762f293e796ad327b4495ab9e3399
SHA256 35cfdfcb9763028a62a5b86f555956c693f00205509486b4e0b605439dff1936
SHA512 fc8c7ddc3d486232de1187ea354682ad3431358c410f7b4148ca7e41589377a400eb0a188b89bfa814685be998ef91992440ffa625311c08d0439c6e2bda2e81

\Windows\system\NiAPHNt.exe

MD5 984a8cf637fc9f46a5be1646493a183b
SHA1 eff3045fcb5d0b4a9321004fdd3e94f3f336f5af
SHA256 0d4a824efda706db87b77805c320758f4772451fa0404efc091a4e3040c61068
SHA512 f10e98d33b97922d86b629662f92ca9b0747603db9cee26627e84885ca9797232c0f5349bf7b35b6812a24bc6e60bd825c6020365d2a762c823adc6158a78b7d

memory/2932-93-0x000000013FB20000-0x000000013FE74000-memory.dmp

C:\Windows\system\JKeGUUC.exe

MD5 d087d60bee972482ba414dde57d94064
SHA1 0e58102d75409e85387c950e86f4cc96da371515
SHA256 1ee51685b7af314df3c8f01c4b39b91c739a420b0c8968c9cd986b716fd08dc9
SHA512 500b3e00dc02005c17b03b8494021fddbab5916723a913433d6ef89aa2cf4e6e68fc4172636b2bd68c73de2d44f0d00b4e792d1f453e109ae727ef66e97b6e2b

memory/2016-90-0x0000000002420000-0x0000000002774000-memory.dmp

memory/2824-141-0x000000013F810000-0x000000013FB64000-memory.dmp

memory/2652-89-0x000000013F180000-0x000000013F4D4000-memory.dmp

\Windows\system\JKeGUUC.exe

MD5 ab0ac1bfd008107af73d163b6b489f0a
SHA1 99f00f75f6bce227747ebc4fc683d04a4878e57a
SHA256 af0916cc45844dc12decdf67b06d0b5d60e04a02b0a7ca3314b05167fed59af7
SHA512 9975d86cbb71b0e6e036fd86393902701e296c051f97e1a455a55f240bf0afd8a538a95e1a5719ef212b62c28e2067d5a40ec92997cff292b2a5114cac100b5a

memory/2016-77-0x0000000002420000-0x0000000002774000-memory.dmp

memory/2524-76-0x000000013FBC0000-0x000000013FF14000-memory.dmp

memory/1532-75-0x000000013F090000-0x000000013F3E4000-memory.dmp

memory/2000-74-0x000000013F270000-0x000000013F5C4000-memory.dmp

memory/2924-84-0x000000013FD90000-0x00000001400E4000-memory.dmp

memory/2016-83-0x000000013FD90000-0x00000001400E4000-memory.dmp

C:\Windows\system\ATWejPI.exe

MD5 9aabda20e2264e96d4e96a461410906f
SHA1 a9de12328554a35584637654d993c63e7f972d27
SHA256 8656737a2dc4d59bcebb3b853e4c2062c6a18636cd18dd85aa7076184a20a689
SHA512 bacdda90a01cb85a9dc067e60f7e0524540febda7585dc88db3f9c7bb54ed68b46952749e0b50c4b3c393aee4af36d3e7f5c7c1058c73f09c94da39c1f0becb8

memory/2608-70-0x000000013FB40000-0x000000013FE94000-memory.dmp

C:\Windows\system\UgBMrXT.exe

MD5 31736e5e406768d3f219895d09dcee72
SHA1 33c8f0818c4ff58e50e4f6717304f39516c713bb
SHA256 22b0130beefcf21e8ed4d551cfe2ba2ba54437f7c32a8b147d9ae097c53f5fec
SHA512 7e04de2d560e7d3533103dfa523d60114285f6f4161caabf3059ab8cffaf1e06b908b393a398cf831916bd51563912e625df893e0e76dbd8a4165cc15a21dff7

memory/2016-61-0x000000013F8A0000-0x000000013FBF4000-memory.dmp

memory/2852-49-0x000000013FEF0000-0x0000000140244000-memory.dmp

memory/2480-142-0x000000013F140000-0x000000013F494000-memory.dmp

C:\Windows\system\QVAtAqh.exe

MD5 91c5dd3401561ef107bb07080a4fdc3f
SHA1 e3a939f3e75f851fd312db57e70f1378bdc5e3b3
SHA256 5a71aaac83ec92de05d2c6a06ecfe60f32ed26f128b1a9ccd917a3313df67f38
SHA512 26821f65b2d6b727d3fecf19f88be09f1d8a7d0cb98de9662976a4e253ec3baba98e5a7c12f6c3137e1cfb954163559eacc138ecc041a723ff9a07bca9cc9f11

C:\Windows\system\ZTroHHb.exe

MD5 4bcb6d54b9cb8a7782feb41c56843c0f
SHA1 a418946b9fd440df06c2e5092d2a8e5f30291ddb
SHA256 472b42d43fa35a92f12ef510533e136402936560ce7f1b2aeda383a54cae6b27
SHA512 91654dd2d21ad47f67f86f8a271442b1864154356f47b7105a869394b01ff65a61c53235f8eb5f4de89b07e256dfa5cdf444233b65eba8d7b375ae1ccc191476

C:\Windows\system\gCNIVJw.exe

MD5 451c1548c332fdde11e4cfa87c3f4546
SHA1 66d5345d867f52c15ff763833bd91ba3ac74b931
SHA256 ee40af941783a41a79f80bf8e1ad0ea3fb92d2d6c8d26a681129cb8c814f80e6
SHA512 137bd72cc2cb97d6289847d94f8203c5497dd1aca5a51d6e3a464b1f0c2735cb2e6f08a227d9797e910561a7755156eeeb8d32dca78af5b35656649c108c8574

memory/2016-36-0x000000013F370000-0x000000013F6C4000-memory.dmp

memory/2652-35-0x000000013F180000-0x000000013F4D4000-memory.dmp

C:\Windows\system\watqKHK.exe

MD5 1272729b1eda1ce23d22b78d031e4212
SHA1 41c07783cbca3bcfe6ced907f7e2fa0993631574
SHA256 65b9e2315f61b70089062117547a434dfad65d1eef6100ebf5d636d12cccd55c
SHA512 31e1292c68c89d7b47484649b5d69abb564610087579f4c336890dc27b16e89c702f5b2e0c57bc30f8ab98554047332fcad08d04854d9e96086519f03079eb3b

memory/2016-29-0x000000013FE50000-0x00000001401A4000-memory.dmp

memory/2524-27-0x000000013FBC0000-0x000000013FF14000-memory.dmp

memory/2016-14-0x000000013F090000-0x000000013F3E4000-memory.dmp

memory/2000-12-0x000000013F270000-0x000000013F5C4000-memory.dmp

memory/2016-143-0x0000000002420000-0x0000000002774000-memory.dmp

memory/1768-144-0x000000013F760000-0x000000013FAB4000-memory.dmp

memory/2924-145-0x000000013FD90000-0x00000001400E4000-memory.dmp

memory/2932-146-0x000000013FB20000-0x000000013FE74000-memory.dmp

memory/2032-147-0x000000013F6C0000-0x000000013FA14000-memory.dmp

memory/2000-148-0x000000013F270000-0x000000013F5C4000-memory.dmp

memory/2524-149-0x000000013FBC0000-0x000000013FF14000-memory.dmp

memory/2652-150-0x000000013F180000-0x000000013F4D4000-memory.dmp

memory/1532-151-0x000000013F090000-0x000000013F3E4000-memory.dmp

memory/2852-154-0x000000013FEF0000-0x0000000140244000-memory.dmp

memory/2592-153-0x000000013F370000-0x000000013F6C4000-memory.dmp

memory/2824-155-0x000000013F810000-0x000000013FB64000-memory.dmp

memory/2584-152-0x000000013FE50000-0x00000001401A4000-memory.dmp

memory/2480-156-0x000000013F140000-0x000000013F494000-memory.dmp

memory/2608-157-0x000000013FB40000-0x000000013FE94000-memory.dmp

memory/2924-158-0x000000013FD90000-0x00000001400E4000-memory.dmp

memory/1768-159-0x000000013F760000-0x000000013FAB4000-memory.dmp

memory/2932-160-0x000000013FB20000-0x000000013FE74000-memory.dmp

memory/2032-161-0x000000013F6C0000-0x000000013FA14000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-07 01:32

Reported

2024-06-07 01:36

Platform

win10v2004-20240226-en

Max time kernel

153s

Max time network

167s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-07_8e35823e8117c85255225df826c30dc5_cobalt-strike_cobaltstrike.exe"

Signatures

xmrig

miner xmrig

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A (28 identical rows; the report recorded no description, indicator, process or target for these hits)

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A (58 identical rows; the report recorded no description, indicator, process or target for these hits)

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A (64 identical rows; the report recorded no description, indicator, process or target for these hits)

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\MamSpXd.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_8e35823e8117c85255225df826c30dc5_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\sztkdEc.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_8e35823e8117c85255225df826c30dc5_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\xjypVYA.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_8e35823e8117c85255225df826c30dc5_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\hXQyAWz.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_8e35823e8117c85255225df826c30dc5_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\PZNcYgl.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_8e35823e8117c85255225df826c30dc5_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\jXBDidm.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_8e35823e8117c85255225df826c30dc5_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\kPlYftQ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_8e35823e8117c85255225df826c30dc5_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\wVjfYQj.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_8e35823e8117c85255225df826c30dc5_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\DgPyPZb.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_8e35823e8117c85255225df826c30dc5_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\BLkKKmW.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_8e35823e8117c85255225df826c30dc5_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\AKCMuzg.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_8e35823e8117c85255225df826c30dc5_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\uvURIqk.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_8e35823e8117c85255225df826c30dc5_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\DzEVCqL.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_8e35823e8117c85255225df826c30dc5_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ePYZOUS.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_8e35823e8117c85255225df826c30dc5_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\jDliCsO.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_8e35823e8117c85255225df826c30dc5_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\AuKPpYK.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_8e35823e8117c85255225df826c30dc5_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\XpRwATS.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_8e35823e8117c85255225df826c30dc5_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\lYsjqPm.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_8e35823e8117c85255225df826c30dc5_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\FyvILwF.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_8e35823e8117c85255225df826c30dc5_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\kFlAZWH.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_8e35823e8117c85255225df826c30dc5_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\vGkCFFd.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_8e35823e8117c85255225df826c30dc5_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_8e35823e8117c85255225df826c30dc5_cobalt-strike_cobaltstrike.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_8e35823e8117c85255225df826c30dc5_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 792 wrote to memory of 3304 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_8e35823e8117c85255225df826c30dc5_cobalt-strike_cobaltstrike.exe C:\Windows\System\xjypVYA.exe
PID 792 wrote to memory of 3304 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_8e35823e8117c85255225df826c30dc5_cobalt-strike_cobaltstrike.exe C:\Windows\System\xjypVYA.exe
PID 792 wrote to memory of 5036 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_8e35823e8117c85255225df826c30dc5_cobalt-strike_cobaltstrike.exe C:\Windows\System\hXQyAWz.exe
PID 792 wrote to memory of 5036 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_8e35823e8117c85255225df826c30dc5_cobalt-strike_cobaltstrike.exe C:\Windows\System\hXQyAWz.exe
PID 792 wrote to memory of 4048 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_8e35823e8117c85255225df826c30dc5_cobalt-strike_cobaltstrike.exe C:\Windows\System\MamSpXd.exe
PID 792 wrote to memory of 4048 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_8e35823e8117c85255225df826c30dc5_cobalt-strike_cobaltstrike.exe C:\Windows\System\MamSpXd.exe
PID 792 wrote to memory of 2184 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_8e35823e8117c85255225df826c30dc5_cobalt-strike_cobaltstrike.exe C:\Windows\System\DgPyPZb.exe
PID 792 wrote to memory of 2184 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_8e35823e8117c85255225df826c30dc5_cobalt-strike_cobaltstrike.exe C:\Windows\System\DgPyPZb.exe
PID 792 wrote to memory of 4696 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_8e35823e8117c85255225df826c30dc5_cobalt-strike_cobaltstrike.exe C:\Windows\System\BLkKKmW.exe
PID 792 wrote to memory of 4696 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_8e35823e8117c85255225df826c30dc5_cobalt-strike_cobaltstrike.exe C:\Windows\System\BLkKKmW.exe
PID 792 wrote to memory of 3820 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_8e35823e8117c85255225df826c30dc5_cobalt-strike_cobaltstrike.exe C:\Windows\System\AuKPpYK.exe
PID 792 wrote to memory of 3820 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_8e35823e8117c85255225df826c30dc5_cobalt-strike_cobaltstrike.exe C:\Windows\System\AuKPpYK.exe
PID 792 wrote to memory of 2440 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_8e35823e8117c85255225df826c30dc5_cobalt-strike_cobaltstrike.exe C:\Windows\System\sztkdEc.exe
PID 792 wrote to memory of 2440 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_8e35823e8117c85255225df826c30dc5_cobalt-strike_cobaltstrike.exe C:\Windows\System\sztkdEc.exe
PID 792 wrote to memory of 1460 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_8e35823e8117c85255225df826c30dc5_cobalt-strike_cobaltstrike.exe C:\Windows\System\AKCMuzg.exe
PID 792 wrote to memory of 1460 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_8e35823e8117c85255225df826c30dc5_cobalt-strike_cobaltstrike.exe C:\Windows\System\AKCMuzg.exe
PID 792 wrote to memory of 3308 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_8e35823e8117c85255225df826c30dc5_cobalt-strike_cobaltstrike.exe C:\Windows\System\XpRwATS.exe
PID 792 wrote to memory of 3308 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_8e35823e8117c85255225df826c30dc5_cobalt-strike_cobaltstrike.exe C:\Windows\System\XpRwATS.exe
PID 792 wrote to memory of 1676 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_8e35823e8117c85255225df826c30dc5_cobalt-strike_cobaltstrike.exe C:\Windows\System\uvURIqk.exe
PID 792 wrote to memory of 1676 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_8e35823e8117c85255225df826c30dc5_cobalt-strike_cobaltstrike.exe C:\Windows\System\uvURIqk.exe
PID 792 wrote to memory of 432 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_8e35823e8117c85255225df826c30dc5_cobalt-strike_cobaltstrike.exe C:\Windows\System\PZNcYgl.exe
PID 792 wrote to memory of 432 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_8e35823e8117c85255225df826c30dc5_cobalt-strike_cobaltstrike.exe C:\Windows\System\PZNcYgl.exe
PID 792 wrote to memory of 4104 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_8e35823e8117c85255225df826c30dc5_cobalt-strike_cobaltstrike.exe C:\Windows\System\jXBDidm.exe
PID 792 wrote to memory of 4104 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_8e35823e8117c85255225df826c30dc5_cobalt-strike_cobaltstrike.exe C:\Windows\System\jXBDidm.exe
PID 792 wrote to memory of 4044 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_8e35823e8117c85255225df826c30dc5_cobalt-strike_cobaltstrike.exe C:\Windows\System\lYsjqPm.exe
PID 792 wrote to memory of 4044 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_8e35823e8117c85255225df826c30dc5_cobalt-strike_cobaltstrike.exe C:\Windows\System\lYsjqPm.exe
PID 792 wrote to memory of 3936 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_8e35823e8117c85255225df826c30dc5_cobalt-strike_cobaltstrike.exe C:\Windows\System\FyvILwF.exe
PID 792 wrote to memory of 3936 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_8e35823e8117c85255225df826c30dc5_cobalt-strike_cobaltstrike.exe C:\Windows\System\FyvILwF.exe
PID 792 wrote to memory of 4652 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_8e35823e8117c85255225df826c30dc5_cobalt-strike_cobaltstrike.exe C:\Windows\System\DzEVCqL.exe
PID 792 wrote to memory of 4652 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_8e35823e8117c85255225df826c30dc5_cobalt-strike_cobaltstrike.exe C:\Windows\System\DzEVCqL.exe
PID 792 wrote to memory of 2956 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_8e35823e8117c85255225df826c30dc5_cobalt-strike_cobaltstrike.exe C:\Windows\System\kPlYftQ.exe
PID 792 wrote to memory of 2956 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_8e35823e8117c85255225df826c30dc5_cobalt-strike_cobaltstrike.exe C:\Windows\System\kPlYftQ.exe
PID 792 wrote to memory of 4572 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_8e35823e8117c85255225df826c30dc5_cobalt-strike_cobaltstrike.exe C:\Windows\System\kFlAZWH.exe
PID 792 wrote to memory of 4572 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_8e35823e8117c85255225df826c30dc5_cobalt-strike_cobaltstrike.exe C:\Windows\System\kFlAZWH.exe
PID 792 wrote to memory of 4384 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_8e35823e8117c85255225df826c30dc5_cobalt-strike_cobaltstrike.exe C:\Windows\System\ePYZOUS.exe
PID 792 wrote to memory of 4384 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_8e35823e8117c85255225df826c30dc5_cobalt-strike_cobaltstrike.exe C:\Windows\System\ePYZOUS.exe
PID 792 wrote to memory of 928 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_8e35823e8117c85255225df826c30dc5_cobalt-strike_cobaltstrike.exe C:\Windows\System\vGkCFFd.exe
PID 792 wrote to memory of 928 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_8e35823e8117c85255225df826c30dc5_cobalt-strike_cobaltstrike.exe C:\Windows\System\vGkCFFd.exe
PID 792 wrote to memory of 3412 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_8e35823e8117c85255225df826c30dc5_cobalt-strike_cobaltstrike.exe C:\Windows\System\wVjfYQj.exe
PID 792 wrote to memory of 3412 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_8e35823e8117c85255225df826c30dc5_cobalt-strike_cobaltstrike.exe C:\Windows\System\wVjfYQj.exe
PID 792 wrote to memory of 4128 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_8e35823e8117c85255225df826c30dc5_cobalt-strike_cobaltstrike.exe C:\Windows\System\jDliCsO.exe
PID 792 wrote to memory of 4128 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_8e35823e8117c85255225df826c30dc5_cobalt-strike_cobaltstrike.exe C:\Windows\System\jDliCsO.exe
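The three tables above describe one dropper behaviour: the sample (PID 792) writes a batch of executables with random seven-letter names into C:\Windows\System, then starts each one (the sandbox logs two WriteProcessMemory events per child, which is what a normal CreateProcess looks like, so the child count is half the row count). SeLockMemoryPrivilege, the one privilege it adjusts, is what a process needs to allocate large pages; XMRig requests it for its RandomX dataset, which fits the miner tag. The following is an added Python example, not the sandbox's own code, that turns a constructed subset of the rows above into a process tree, checks the drop-path pattern, and reports which dropped files were also executed. The subset is deliberately partial (in the full tables every dropped file is also spawned), and the seven-letter regex is an observation about this sample's names, not a documented property of the family.

```python
import re
from collections import defaultdict

# Sample path exactly as it appears in the report.
SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\2024-06-07_8e35823e8117c85255225df826c30dc5_cobalt-strike_cobaltstrike.exe")

# Constructed input: a subset of rows copied from the "Drops file in Windows
# directory" and "Suspicious use of WriteProcessMemory" tables above.
FILE_CREATED = [
    rf"File created C:\Windows\System\MamSpXd.exe {SAMPLE} N/A",
    rf"File created C:\Windows\System\sztkdEc.exe {SAMPLE} N/A",
    rf"File created C:\Windows\System\xjypVYA.exe {SAMPLE} N/A",
    rf"File created C:\Windows\System\hXQyAWz.exe {SAMPLE} N/A",
    rf"File created C:\Windows\System\PZNcYgl.exe {SAMPLE} N/A",
]
WPM_LINES = [
    rf"PID 792 wrote to memory of 3304 N/A {SAMPLE} C:\Windows\System\xjypVYA.exe",
    rf"PID 792 wrote to memory of 3304 N/A {SAMPLE} C:\Windows\System\xjypVYA.exe",
    rf"PID 792 wrote to memory of 5036 N/A {SAMPLE} C:\Windows\System\hXQyAWz.exe",
    rf"PID 792 wrote to memory of 5036 N/A {SAMPLE} C:\Windows\System\hXQyAWz.exe",
    rf"PID 792 wrote to memory of 4048 N/A {SAMPLE} C:\Windows\System\MamSpXd.exe",
    rf"PID 792 wrote to memory of 4048 N/A {SAMPLE} C:\Windows\System\MamSpXd.exe",
    rf"PID 792 wrote to memory of 2440 N/A {SAMPLE} C:\Windows\System\sztkdEc.exe",
]

FILE_RE = re.compile(r"^File created (\S+) (\S+) N/A$")
WPM_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)$")
# Seven mixed-case letters directly under C:\Windows\System (observed naming in this sample).
DROP_RE = re.compile(r"^C:\\Windows\\System\\[A-Za-z]{7}\.exe$", re.IGNORECASE)


def parse_file_created(lines):
    """Return (dropped_path, creating_process) pairs."""
    return [(m[1], m[2]) for m in map(FILE_RE.match, lines) if m]


def parse_wpm(lines):
    """Return (parent_pid, child_pid, parent_image, child_image) tuples."""
    return [(int(m[1]), int(m[2]), m[3], m[4]) for m in map(WPM_RE.match, lines) if m]


def build_tree(events):
    """parent pid -> {child pid: child image}; the dict dedupes the doubled rows."""
    tree = defaultdict(dict)
    for ppid, cpid, _parent_img, child_img in events:
        tree[ppid][cpid] = child_img
    return dict(tree)


def looks_like_drop(path):
    return bool(DROP_RE.match(path))


def summarize(file_lines, wpm_lines):
    created = parse_file_created(file_lines)
    tree = build_tree(parse_wpm(wpm_lines))
    spawned = {img.lower() for kids in tree.values() for img in kids.values()}
    dropped = [path for path, _ in created]
    return {
        "parents": sorted(tree),
        "spawned": sum(len(kids) for kids in tree.values()),
        "dropped": len(dropped),
        "dropped_not_spawned": [p for p in dropped if p.lower() not in spawned],
        "all_drops_match_pattern": all(looks_like_drop(p) for p in dropped),
        "dropper_is_sample": all(creator == SAMPLE for _, creator in created),
    }


if __name__ == "__main__":
    for key, value in summarize(FILE_CREATED, WPM_LINES).items():
        print(f"{key}: {value}")
```

Run against the full tables the script gives one parent, 21 children and no dropped file left unexecuted; the same parse logic works on Sysmon event 1 and 11 exports once the field order is adjusted, which is the practical use of the regex.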

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-07_8e35823e8117c85255225df826c30dc5_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-07_8e35823e8117c85255225df826c30dc5_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\xjypVYA.exe

C:\Windows\System\xjypVYA.exe

C:\Windows\System\hXQyAWz.exe

C:\Windows\System\hXQyAWz.exe

C:\Windows\System\MamSpXd.exe

C:\Windows\System\MamSpXd.exe

C:\Windows\System\DgPyPZb.exe

C:\Windows\System\DgPyPZb.exe

C:\Windows\System\BLkKKmW.exe

C:\Windows\System\BLkKKmW.exe

C:\Windows\System\AuKPpYK.exe

C:\Windows\System\AuKPpYK.exe

C:\Windows\System\sztkdEc.exe

C:\Windows\System\sztkdEc.exe

C:\Windows\System\AKCMuzg.exe

C:\Windows\System\AKCMuzg.exe

C:\Windows\System\XpRwATS.exe

C:\Windows\System\XpRwATS.exe

C:\Windows\System\uvURIqk.exe

C:\Windows\System\uvURIqk.exe

C:\Windows\System\PZNcYgl.exe

C:\Windows\System\PZNcYgl.exe

C:\Windows\System\jXBDidm.exe

C:\Windows\System\jXBDidm.exe

C:\Windows\System\lYsjqPm.exe

C:\Windows\System\lYsjqPm.exe

C:\Windows\System\FyvILwF.exe

C:\Windows\System\FyvILwF.exe

C:\Windows\System\DzEVCqL.exe

C:\Windows\System\DzEVCqL.exe

C:\Windows\System\kPlYftQ.exe

C:\Windows\System\kPlYftQ.exe

C:\Windows\System\kFlAZWH.exe

C:\Windows\System\kFlAZWH.exe

C:\Windows\System\ePYZOUS.exe

C:\Windows\System\ePYZOUS.exe

C:\Windows\System\vGkCFFd.exe

C:\Windows\System\vGkCFFd.exe

C:\Windows\System\wVjfYQj.exe

C:\Windows\System\wVjfYQj.exe

C:\Windows\System\jDliCsO.exe

C:\Windows\System\jDliCsO.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3488 --field-trial-handle=3088,i,14310325015283915034,7660943942870463106,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 144.107.17.2.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 13.107.253.67:443 tcp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 11.179.89.13.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
GB 142.250.187.202:443 chromewebstore.googleapis.com tcp
US 8.8.8.8:53 202.187.250.142.in-addr.arpa udp
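Most rows in this table are the sandbox's own background noise: PTR lookups (the in-addr.arpa names are reverse queries for addresses the OS talked to) and the Edge utility process reaching chromewebstore.googleapis.com. The one thing the noise does not explain is six TCP connections to 3.120.209.58:8080 with no name resolution in front of them, which is the endpoint a practitioner would carry forward as the candidate pool or C2 address and confirm from a pcap. The following added Python example (not the sandbox's code) parses the table as printed, decodes PTR names back to the addresses they ask about, and ranks non-DNS endpoints; the "no resolved name and repeated" heuristic is a triage shortcut chosen here, not a rule from the report.

```python
import re
from collections import Counter

# Constructed input: the Network table above, copied row for row.
NETWORK_LINES = """
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 144.107.17.2.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 13.107.253.67:443 tcp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 11.179.89.13.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
GB 142.250.187.202:443 chromewebstore.googleapis.com tcp
US 8.8.8.8:53 202.187.250.142.in-addr.arpa udp
""".strip().splitlines()

ROW_RE = re.compile(r"^([A-Z]{2}) (\S+):(\d+)(?: (\S+))? (tcp|udp)$")
PTR_SUFFIX = ".in-addr.arpa"


def parse_network(lines):
    rows = []
    for line in lines:
        m = ROW_RE.match(line.strip())
        if m:
            country, ip, port, domain, proto = m.groups()
            rows.append({"country": country, "ip": ip, "port": int(port),
                         "domain": domain, "proto": proto})
    return rows


def ptr_to_ip(name):
    """'196.249.167.52.in-addr.arpa' -> '52.167.249.196' (reverse-zone octet order)."""
    if not name.endswith(PTR_SUFFIX):
        return None
    octets = name[:-len(PTR_SUFFIX)].split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        return None
    return ".".join(reversed(octets))


def ptr_targets(rows):
    """Addresses the host asked reverse questions about (the OS talked to them)."""
    return sorted({ip for r in rows if r["domain"]
                   for ip in [ptr_to_ip(r["domain"])] if ip})


def rank_endpoints(rows):
    """Non-DNS endpoints by connection count, most frequent first."""
    return Counter(f'{r["ip"]}:{r["port"]}' for r in rows if r["port"] != 53).most_common()


def candidate_c2(rows, min_hits=2):
    """Repeated non-DNS endpoints that never appear with a forward name."""
    named = {r["ip"] for r in rows
             if r["domain"] and not r["domain"].endswith(PTR_SUFFIX)}
    return [ep for ep, n in rank_endpoints(rows)
            if n >= min_hits and ep.rsplit(":", 1)[0] not in named]


if __name__ == "__main__":
    rows = parse_network(NETWORK_LINES)
    print("endpoints:", rank_endpoints(rows))
    print("candidate C2:", candidate_c2(rows))
    print("PTR targets:", ptr_targets(rows))
```

Feed the decoded PTR targets to whatever IP-ownership lookup you trust before discarding them; the script only separates them from the direct connections, it does not vouch for them.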

Files

memory/792-0-0x00007FF77BA50000-0x00007FF77BDA4000-memory.dmp

memory/792-1-0x000001B0F1760000-0x000001B0F1770000-memory.dmp

C:\Windows\System\xjypVYA.exe

MD5 0628374c349921c969043e8b725a574d
SHA1 d4d4b61d7abb11c25e423140f9a833a035819e3d
SHA256 6f83751bb7dc13a49d7ca6c6a874635ca4829b15e2d7e8a8c8ddaf2890ac09c0
SHA512 2db578fa7a962b14aae5c857e6974664cd647108bf44f83523c1fc47be8f0f23756b21e5f42a2231cc51d1daf9889177945ad8eab23827274ef49200ad4dd7a1

memory/3304-8-0x00007FF6CDCF0000-0x00007FF6CE044000-memory.dmp

C:\Windows\System\xjypVYA.exe

MD5 ffafad94c04d076c16e861ff07a4cb57
SHA1 c3501d64aef8c1b093200710a06e749c69db782a
SHA256 8937d79446003663139b48fb488b397b86db6056b10f97b4b51376a75074f295
SHA512 64f6a6b1b0b877c82172b2c14c03c94dd8e19ddfeb29793c31f8e0d87bb2bb2fc63432b7cfddd5451417062117de8a69817c2cc596bd537558b9b01636a48700

C:\Windows\System\hXQyAWz.exe

MD5 2543c4760bd9af7f70b7834411ab61af
SHA1 ed963cb76a076b222f6cdae99e8563d4444f6351
SHA256 c5992c95fef0e281d0ce0d741b02048e13663a833b3e0a3351e4871cc0042001
SHA512 37d8c491a184de94728c08add4a199f5cd8ae60d7cd02c39ad185a2859dd5e731e72c9b8cd0fd70525b0b413284ba12790037144a49d111203eb80cb9afcba56

memory/5036-14-0x00007FF60A270000-0x00007FF60A5C4000-memory.dmp

C:\Windows\System\hXQyAWz.exe

MD5 fbb6a602f644dbf57142122f30692c9a
SHA1 8158aaa7168744874ea387599d6d2cead21e28a3
SHA256 3ededef3bd2586830b0a8597cb8ce36b4909b0421f6d3ed699083dfd6f8c0a7d
SHA512 594ad340712d040831c50ecaffbc2dabd957ed3d1d45fbdcb2c0a001df0ecad88502ea7ae79d922d80e7ca9a296427129145281a618e70a75857e869e5c45bfe

memory/4048-20-0x00007FF606360000-0x00007FF6066B4000-memory.dmp

C:\Windows\System\MamSpXd.exe

MD5 4ebd1901e669a14d40cee031fd206e82
SHA1 48b4d9303ce77228a3ead5a9a71386291542a98f
SHA256 877be2224a2b649da5f78203ecb3453feb6fa6bbbc2d6c8d511c50eacb8915e1
SHA512 c4c64ecded98a2388cd280fbf03b1c4943ae108cca32936b19ec1dc9b1e2275f8c7fb5cb86b3ef39ae05d629ddb91ee9822452b1bc6582399603f35642ecf087

memory/2184-26-0x00007FF6DB7A0000-0x00007FF6DBAF4000-memory.dmp

C:\Windows\System\BLkKKmW.exe

MD5 c665d55523745ebd550a2c4296ad8ec9
SHA1 43f72a8e93454ded742dbec7a7c84f59cb0d6520
SHA256 4ce197747d9fbeeec8496c26db012627d7ce7e6aa1a732a7c731d6ef8431204b
SHA512 57b316ce017c765c9f224c8ed85aafffadf3e3509d0b9d8b28c09b7a506bf84dd5216ab3d5048ad1f637628cef7585aca82701224766df2dd48aff33618c1454

C:\Windows\System\BLkKKmW.exe

MD5 8003c8ca1c6255c4a9df50b61d369786
SHA1 ef521c59d5519424152618453d9a1ec413a267cf
SHA256 caa068826195e26df36f4f536e4c6574635de1b7a9a02c85ee8ca5d8d8224bf8
SHA512 0384a1e885e5629a148689a8b4027e18c5b2d083fe94b00bac0956a112bba29ab292c390c9a09436cf2e74109a83853e787b70a1e1be9d9ef015a376f3eba795

memory/4696-32-0x00007FF761930000-0x00007FF761C84000-memory.dmp

memory/3820-38-0x00007FF60BBC0000-0x00007FF60BF14000-memory.dmp

C:\Windows\System\sztkdEc.exe

MD5 3ee04f109da47a1ec064d84e674f1c93
SHA1 644e873cc5a86065097d9d560d0304443e10d64c
SHA256 47d2b26167d01487e92054b74706d3bb25cfa0aef4e9803e369f3581631dce9f
SHA512 9c1889d4f1db6f15c9ccdb0cc3595e9e8bef5c6661b045295c1ca732b72cf3d8471e82ed02a643342a0e821733243b7d4452a48031e235b596a8367158163fa4

memory/2440-44-0x00007FF795470000-0x00007FF7957C4000-memory.dmp

C:\Windows\System\AKCMuzg.exe

MD5 3c4936ba91eaa69f7fdbfccc9b857022
SHA1 d97c8ba6655ec64594f86192c6bdb9c832040c3a
SHA256 f647e481490f98c412386808e010fe7c22bcbe8d3cebe4c6aae38fd2d6003c10
SHA512 327dd607eb26134ae7933735d6de926b79e86a7c2a97c4f64919c1cdded613dd5e13b9c7b209f5d7e94d70772d16c0aa412b8bf1f7d9435384a504f194d13cc9

memory/1460-50-0x00007FF663200000-0x00007FF663554000-memory.dmp

C:\Windows\System\XpRwATS.exe

MD5 aa84df2aa4d3e405cfa711ea45f76832
SHA1 f9d4c6b07df318263e7c10c93fe5aee7c1ed449f
SHA256 35f254698cefc343a5afa8e1f4afbd2f4e15c9dea7be1bc9d3cdc9a25b594ef4
SHA512 40f8b842b8711e2a819c83c44eea2c12af01ba9972546d0cb7e21121b875f8bed7da028e78b61c94b16de95a951cf536d7b2db14fba809cc0242849570fa0f9d

C:\Windows\System\XpRwATS.exe

MD5 711965c0ed770375b388ea9b5ea57c70
SHA1 21f7ffc0c96b29ee6bc8176dc97f6fd049d110a2
SHA256 c07d701eb04ab4f8699484a3bd23da869373ffe5abb89855dad47bf019625666
SHA512 1805d8628649a043140bc3aafe1e7909e2e2c4d13967ba772fc49046b58f359c9204953c678c902e0a7afe7ca922f35fcfea6266309db91efb45c72ff619c428

memory/3308-56-0x00007FF77BA60000-0x00007FF77BDB4000-memory.dmp

memory/792-62-0x00007FF77BA50000-0x00007FF77BDA4000-memory.dmp

memory/1676-63-0x00007FF64D220000-0x00007FF64D574000-memory.dmp

memory/3304-69-0x00007FF6CDCF0000-0x00007FF6CE044000-memory.dmp

memory/432-70-0x00007FF6552F0000-0x00007FF655644000-memory.dmp

memory/4104-77-0x00007FF724160000-0x00007FF7244B4000-memory.dmp

memory/5036-76-0x00007FF60A270000-0x00007FF60A5C4000-memory.dmp

memory/4048-82-0x00007FF606360000-0x00007FF6066B4000-memory.dmp

memory/4044-84-0x00007FF7C7320000-0x00007FF7C7674000-memory.dmp

C:\Windows\System\FyvILwF.exe

MD5 27f1ae58c0e7ea96c463a8f0329d13e3
SHA1 a5352f33f2a7ec676e07aa36bd587f2a910b1502
SHA256 570ef729e78067f9e824a09ee84a0b44c24671dfe07947eaca970f453f235334
SHA512 51c2e61154a9cf7b8c51728bee23d084e40467a64fc74544ed07917de5c42cd2c4f093dc4dba57e475be140334b7f9d2f8c2784d353f9bec4fe5fc6098f5ad70

memory/3936-91-0x00007FF636C70000-0x00007FF636FC4000-memory.dmp

memory/2184-90-0x00007FF6DB7A0000-0x00007FF6DBAF4000-memory.dmp

C:\Windows\System\DzEVCqL.exe

MD5 ca2c8fc23ac2c4dd58545d16927e5bef
SHA1 b94b35150eb75787af3ce6aea401e04f2ec70fc4
SHA256 51b2f421412d1c153d42b830056e97b87fc530680dc92b4e38ffc670147a2fef
SHA512 1d2438ad0849ebaa3adb73c2fd279bcc7d191070217788022edef321689dfafee2b67a7644710d778788f25a062e16a16f37020f5aabaf59a89fd5b4e304a9ce

C:\Windows\System\DzEVCqL.exe

MD5 0642442db4acbbfb6037e06789624264
SHA1 923aee440a6887c7a7a8a78085aa492b2cdcee65
SHA256 5d6249e3d37c32c515e6f20e0771180c7b51c791102dfffe39e4510d623eda85
SHA512 7fc8231c299b64743a966130c519362217b11d421c0ccc65ca7c97570221449b6e5bd90caefa97b416470db36fac07c3f48ea41836b395ab190e6121598e88a1

memory/4652-97-0x00007FF66E6F0000-0x00007FF66EA44000-memory.dmp

memory/2956-103-0x00007FF77D5D0000-0x00007FF77D924000-memory.dmp

memory/2440-108-0x00007FF795470000-0x00007FF7957C4000-memory.dmp

memory/4572-110-0x00007FF62A1A0000-0x00007FF62A4F4000-memory.dmp

C:\Windows\System\kFlAZWH.exe

MD5 0b1dc771469fa6753e7aace834956918
SHA1 ab392eb1cb5fc16a55a2c41b7c5a6d56cfdeced7
SHA256 60a5948084400707991c40b4413636168d0f0501efbc67fab461d4937de55fb6
SHA512 6ff29d03eaaae06a15e3efe1ea402940d3f7a6e2ebae2266481a1a80576dd91702b1cbddedd5f74c67cdfdf217582f180323fa66c29c2525747039f60c34ba60

C:\Windows\System\ePYZOUS.exe

MD5 7ce4ba1725e83a50f64ba525f8815dcf
SHA1 b1714a2d23cfc42c18c37e1546ac0908d8252c04
SHA256 9f7e171000696500dfb6a966f2c3ddf12dc1a77b8276ef660f14f7b7188d2908
SHA512 2dff777f276295d96892e5749316e2e8892ba50f8398f9972ecc2f6e5378213e3cdd31c7c6ab8360d3490d1ec9e77be4e73ac137e108b2eddff2feaaf600be19

memory/4384-116-0x00007FF7BACF0000-0x00007FF7BB044000-memory.dmp

memory/3412-128-0x00007FF7040B0000-0x00007FF704404000-memory.dmp

memory/928-125-0x00007FF6693F0000-0x00007FF669744000-memory.dmp

memory/4128-133-0x00007FF660FA0000-0x00007FF6612F4000-memory.dmp

memory/4044-134-0x00007FF7C7320000-0x00007FF7C7674000-memory.dmp

memory/4652-135-0x00007FF66E6F0000-0x00007FF66EA44000-memory.dmp

memory/3304-136-0x00007FF6CDCF0000-0x00007FF6CE044000-memory.dmp

memory/5036-137-0x00007FF60A270000-0x00007FF60A5C4000-memory.dmp

memory/4048-138-0x00007FF606360000-0x00007FF6066B4000-memory.dmp

memory/2184-139-0x00007FF6DB7A0000-0x00007FF6DBAF4000-memory.dmp

memory/4696-140-0x00007FF761930000-0x00007FF761C84000-memory.dmp

memory/3820-141-0x00007FF60BBC0000-0x00007FF60BF14000-memory.dmp

memory/2440-142-0x00007FF795470000-0x00007FF7957C4000-memory.dmp

memory/1460-143-0x00007FF663200000-0x00007FF663554000-memory.dmp

memory/3308-144-0x00007FF77BA60000-0x00007FF77BDB4000-memory.dmp

memory/1676-145-0x00007FF64D220000-0x00007FF64D574000-memory.dmp

memory/432-146-0x00007FF6552F0000-0x00007FF655644000-memory.dmp

memory/4104-147-0x00007FF724160000-0x00007FF7244B4000-memory.dmp

memory/4044-148-0x00007FF7C7320000-0x00007FF7C7674000-memory.dmp

memory/3936-149-0x00007FF636C70000-0x00007FF636FC4000-memory.dmp

memory/4652-150-0x00007FF66E6F0000-0x00007FF66EA44000-memory.dmp

memory/2956-151-0x00007FF77D5D0000-0x00007FF77D924000-memory.dmp

memory/4572-152-0x00007FF62A1A0000-0x00007FF62A4F4000-memory.dmp

memory/4384-153-0x00007FF7BACF0000-0x00007FF7BB044000-memory.dmp

memory/928-154-0x00007FF6693F0000-0x00007FF669744000-memory.dmp

memory/3412-155-0x00007FF7040B0000-0x00007FF704404000-memory.dmp

memory/4128-156-0x00007FF660FA0000-0x00007FF6612F4000-memory.dmp
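The memory entries in both Files sections encode pid, dump sequence number and address range, and several dropped paths are listed twice with different hashes, so a practitioner should collect every hash per path rather than assume one. The following is an added Python example, not the sandbox's code, that parses a constructed subset of entries copied from both behavioral runs, computes each region's size, and lists paths whose SHA256 differs between listings. The sizes it reports are computed from the addresses on this page (every child image region and the parent's 0x2420000 region in behavioral1 come out to the same 0x354000 bytes); that equality is an observation from this report, not a known constant of the family.

```python
import re
from collections import Counter, defaultdict

# Constructed input: a subset of Files entries copied from behavioral1 and
# behavioral2 above (SHA1/SHA512 lines dropped for brevity; the parser accepts them).
SAMPLE_LINES = r"""
memory/792-0-0x00007FF77BA50000-0x00007FF77BDA4000-memory.dmp
memory/792-1-0x000001B0F1760000-0x000001B0F1770000-memory.dmp
C:\Windows\System\xjypVYA.exe
MD5 0628374c349921c969043e8b725a574d
SHA256 6f83751bb7dc13a49d7ca6c6a874635ca4829b15e2d7e8a8c8ddaf2890ac09c0
memory/3304-8-0x00007FF6CDCF0000-0x00007FF6CE044000-memory.dmp
C:\Windows\System\xjypVYA.exe
MD5 ffafad94c04d076c16e861ff07a4cb57
SHA256 8937d79446003663139b48fb488b397b86db6056b10f97b4b51376a75074f295
memory/5036-14-0x00007FF60A270000-0x00007FF60A5C4000-memory.dmp
memory/2016-108-0x0000000002420000-0x0000000002774000-memory.dmp
memory/2852-140-0x000000013FEF0000-0x0000000140244000-memory.dmp
""".strip().splitlines()

DUMP_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512) ([0-9a-f]+)$")


def parse_dump_name(name):
    """'memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp' -> (pid, seq, start, end)."""
    m = DUMP_RE.match(name)
    if not m:
        return None
    pid, seq, start, end = m.groups()
    return int(pid), int(seq), int(start, 16), int(end, 16)


def parse_files(lines):
    """Return (dumps, files): dumps as tuples, files as path -> list of hash dicts."""
    dumps, files, current = [], defaultdict(list), None
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        dump = parse_dump_name(line)
        if dump:
            dumps.append(dump)
            current = None
            continue
        h = HASH_RE.match(line)
        if h and current is not None:
            files[current][-1][h[1]] = h[2]   # attach to the most recent listing of the path
            continue
        current = line                       # a path line opens a new hash block
        files[current].append({})
    return dumps, dict(files)


def region_sizes(dumps):
    """How many dumped regions share each size (end - start)."""
    return Counter(end - start for _, _, start, end in dumps)


def pids_sharing_size(dumps, size):
    return sorted({pid for pid, _, start, end in dumps if end - start == size})


def multi_hash_paths(files):
    """Paths listed more than once with differing SHA256 values."""
    return sorted(path for path, entries in files.items()
                  if len({e["SHA256"] for e in entries if "SHA256" in e}) > 1)


if __name__ == "__main__":
    dumps, files = parse_files(SAMPLE_LINES)
    for size, n in region_sizes(dumps).most_common():
        print(f"{n} regions of 0x{size:X} bytes in pids {pids_sharing_size(dumps, size)}")
    print("paths with more than one SHA256:", multi_hash_paths(files))
```

Extending the subset to the full Files sections keeps the same two size buckets; the only region that is not 0x354000 bytes is the small 0x10000 block in the parent, which is a useful sanity check when deciding which dumps are worth unpacking first.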