Malware Analysis Report

2024-10-16 03:07

Sample ID 240608-fpwpqahc6z
Target 2024-06-08_ab9197e65464ff7f43260c03219fddc9_cobalt-strike_cobaltstrike
SHA256 e31ff57533b29c3ea3e3dad70c51aeed528c028fe59dc8d61d9e7f5f9f279bf7
Tags
miner upx 0 xmrig cobaltstrike backdoor trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

e31ff57533b29c3ea3e3dad70c51aeed528c028fe59dc8d61d9e7f5f9f279bf7

Threat Level: Known bad

The file 2024-06-08_ab9197e65464ff7f43260c03219fddc9_cobalt-strike_cobaltstrike was found to be: Known bad.

Malicious Activity Summary

miner upx 0 xmrig cobaltstrike backdoor trojan

Xmrig family

Detects Reflective DLL injection artifacts

UPX dump on OEP (original entry point)

XMRig Miner payload

Cobalt Strike reflective loader

Cobaltstrike

Cobaltstrike family

xmrig

Loads dropped DLL

Executes dropped EXE

UPX packed file

Drops file in Windows directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-08 05:03

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike family

cobaltstrike

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Xmrig family

xmrig

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-08 05:03

Reported

2024-06-08 05:05

Platform

win7-20240220-en

Max time kernel

137s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-08_ab9197e65464ff7f43260c03219fddc9_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_ab9197e65464ff7f43260c03219fddc9_cobalt-strike_cobaltstrike.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\HXXMred.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_ab9197e65464ff7f43260c03219fddc9_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\KFwVFtH.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_ab9197e65464ff7f43260c03219fddc9_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\vIsrZHq.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_ab9197e65464ff7f43260c03219fddc9_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\uPhbUyx.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_ab9197e65464ff7f43260c03219fddc9_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\zwUCWhW.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_ab9197e65464ff7f43260c03219fddc9_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\RkUUHlb.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_ab9197e65464ff7f43260c03219fddc9_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\YTPoPiW.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_ab9197e65464ff7f43260c03219fddc9_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\kuNhWfP.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_ab9197e65464ff7f43260c03219fddc9_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\tjRhCRZ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_ab9197e65464ff7f43260c03219fddc9_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\NicUpbK.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_ab9197e65464ff7f43260c03219fddc9_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ZNJimJJ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_ab9197e65464ff7f43260c03219fddc9_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\WuCZBqw.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_ab9197e65464ff7f43260c03219fddc9_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\oEnKdYB.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_ab9197e65464ff7f43260c03219fddc9_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\hFbbHTK.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_ab9197e65464ff7f43260c03219fddc9_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\CiUUbsu.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_ab9197e65464ff7f43260c03219fddc9_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\XIqSvLQ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_ab9197e65464ff7f43260c03219fddc9_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\CQYdzKh.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_ab9197e65464ff7f43260c03219fddc9_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\KCmefXz.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_ab9197e65464ff7f43260c03219fddc9_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\GsdmqYJ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_ab9197e65464ff7f43260c03219fddc9_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\sHBXZpr.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_ab9197e65464ff7f43260c03219fddc9_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\uKGjJSR.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_ab9197e65464ff7f43260c03219fddc9_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_ab9197e65464ff7f43260c03219fddc9_cobalt-strike_cobaltstrike.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_ab9197e65464ff7f43260c03219fddc9_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1948 wrote to memory of 1508 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_ab9197e65464ff7f43260c03219fddc9_cobalt-strike_cobaltstrike.exe C:\Windows\System\KFwVFtH.exe
PID 1948 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_ab9197e65464ff7f43260c03219fddc9_cobalt-strike_cobaltstrike.exe C:\Windows\System\vIsrZHq.exe
PID 1948 wrote to memory of 3064 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_ab9197e65464ff7f43260c03219fddc9_cobalt-strike_cobaltstrike.exe C:\Windows\System\KCmefXz.exe
PID 1948 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_ab9197e65464ff7f43260c03219fddc9_cobalt-strike_cobaltstrike.exe C:\Windows\System\uPhbUyx.exe
PID 1948 wrote to memory of 2728 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_ab9197e65464ff7f43260c03219fddc9_cobalt-strike_cobaltstrike.exe C:\Windows\System\oEnKdYB.exe
PID 1948 wrote to memory of 2792 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_ab9197e65464ff7f43260c03219fddc9_cobalt-strike_cobaltstrike.exe C:\Windows\System\hFbbHTK.exe
PID 1948 wrote to memory of 2580 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_ab9197e65464ff7f43260c03219fddc9_cobalt-strike_cobaltstrike.exe C:\Windows\System\zwUCWhW.exe
PID 1948 wrote to memory of 2816 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_ab9197e65464ff7f43260c03219fddc9_cobalt-strike_cobaltstrike.exe C:\Windows\System\GsdmqYJ.exe
PID 1948 wrote to memory of 2584 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_ab9197e65464ff7f43260c03219fddc9_cobalt-strike_cobaltstrike.exe C:\Windows\System\CiUUbsu.exe
PID 1948 wrote to memory of 2444 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_ab9197e65464ff7f43260c03219fddc9_cobalt-strike_cobaltstrike.exe C:\Windows\System\YTPoPiW.exe
PID 1948 wrote to memory of 2500 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_ab9197e65464ff7f43260c03219fddc9_cobalt-strike_cobaltstrike.exe C:\Windows\System\XIqSvLQ.exe
PID 1948 wrote to memory of 2184 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_ab9197e65464ff7f43260c03219fddc9_cobalt-strike_cobaltstrike.exe C:\Windows\System\kuNhWfP.exe
PID 1948 wrote to memory of 1944 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_ab9197e65464ff7f43260c03219fddc9_cobalt-strike_cobaltstrike.exe C:\Windows\System\tjRhCRZ.exe
PID 1948 wrote to memory of 2632 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_ab9197e65464ff7f43260c03219fddc9_cobalt-strike_cobaltstrike.exe C:\Windows\System\sHBXZpr.exe
PID 1948 wrote to memory of 2776 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_ab9197e65464ff7f43260c03219fddc9_cobalt-strike_cobaltstrike.exe C:\Windows\System\NicUpbK.exe
PID 1948 wrote to memory of 1052 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_ab9197e65464ff7f43260c03219fddc9_cobalt-strike_cobaltstrike.exe C:\Windows\System\RkUUHlb.exe
PID 1948 wrote to memory of 1812 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_ab9197e65464ff7f43260c03219fddc9_cobalt-strike_cobaltstrike.exe C:\Windows\System\CQYdzKh.exe
PID 1948 wrote to memory of 2020 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_ab9197e65464ff7f43260c03219fddc9_cobalt-strike_cobaltstrike.exe C:\Windows\System\ZNJimJJ.exe
PID 1948 wrote to memory of 2332 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_ab9197e65464ff7f43260c03219fddc9_cobalt-strike_cobaltstrike.exe C:\Windows\System\WuCZBqw.exe
PID 1948 wrote to memory of 2212 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_ab9197e65464ff7f43260c03219fddc9_cobalt-strike_cobaltstrike.exe C:\Windows\System\uKGjJSR.exe
PID 1948 wrote to memory of 1660 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_ab9197e65464ff7f43260c03219fddc9_cobalt-strike_cobaltstrike.exe C:\Windows\System\HXXMred.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-08_ab9197e65464ff7f43260c03219fddc9_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-08_ab9197e65464ff7f43260c03219fddc9_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\KFwVFtH.exe

C:\Windows\System\KFwVFtH.exe

C:\Windows\System\vIsrZHq.exe

C:\Windows\System\vIsrZHq.exe

C:\Windows\System\KCmefXz.exe

C:\Windows\System\KCmefXz.exe

C:\Windows\System\uPhbUyx.exe

C:\Windows\System\uPhbUyx.exe

C:\Windows\System\oEnKdYB.exe

C:\Windows\System\oEnKdYB.exe

C:\Windows\System\hFbbHTK.exe

C:\Windows\System\hFbbHTK.exe

C:\Windows\System\zwUCWhW.exe

C:\Windows\System\zwUCWhW.exe

C:\Windows\System\GsdmqYJ.exe

C:\Windows\System\GsdmqYJ.exe

C:\Windows\System\CiUUbsu.exe

C:\Windows\System\CiUUbsu.exe

C:\Windows\System\YTPoPiW.exe

C:\Windows\System\YTPoPiW.exe

C:\Windows\System\XIqSvLQ.exe

C:\Windows\System\XIqSvLQ.exe

C:\Windows\System\kuNhWfP.exe

C:\Windows\System\kuNhWfP.exe

C:\Windows\System\tjRhCRZ.exe

C:\Windows\System\tjRhCRZ.exe

C:\Windows\System\sHBXZpr.exe

C:\Windows\System\sHBXZpr.exe

C:\Windows\System\NicUpbK.exe

C:\Windows\System\NicUpbK.exe

C:\Windows\System\RkUUHlb.exe

C:\Windows\System\RkUUHlb.exe

C:\Windows\System\CQYdzKh.exe

C:\Windows\System\CQYdzKh.exe

C:\Windows\System\ZNJimJJ.exe

C:\Windows\System\ZNJimJJ.exe

C:\Windows\System\WuCZBqw.exe

C:\Windows\System\WuCZBqw.exe

C:\Windows\System\uKGjJSR.exe

C:\Windows\System\uKGjJSR.exe

C:\Windows\System\HXXMred.exe

C:\Windows\System\HXXMred.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 tcp

Files

SHA256 72c33de6a48ce4d57eea859e42e3e5f3fa19e35f3e1065e5fc755166a8275167
SHA512 ab1992cc00606aa0d5764c510e5e9ca02afda13d3607927ec3ff4ff2c8bab04f8ca132610d132e371ca0f751471f83ded1c12b20037d02921064c3ae40fa02fe

memory/2584-62-0x000000013FED0000-0x0000000140224000-memory.dmp

memory/1948-61-0x000000013FED0000-0x0000000140224000-memory.dmp

memory/2816-137-0x000000013FCE0000-0x0000000140034000-memory.dmp

memory/1948-138-0x000000013FE50000-0x00000001401A4000-memory.dmp

memory/2444-139-0x000000013FE50000-0x00000001401A4000-memory.dmp

memory/2500-141-0x000000013F1F0000-0x000000013F544000-memory.dmp

memory/1948-140-0x0000000002450000-0x00000000027A4000-memory.dmp

memory/1948-142-0x000000013FF90000-0x00000001402E4000-memory.dmp

memory/1944-144-0x000000013FAC0000-0x000000013FE14000-memory.dmp

memory/1948-143-0x000000013FAC0000-0x000000013FE14000-memory.dmp

memory/1948-145-0x000000013F890000-0x000000013FBE4000-memory.dmp

memory/1948-146-0x000000013F6F0000-0x000000013FA44000-memory.dmp

memory/1508-147-0x000000013F180000-0x000000013F4D4000-memory.dmp

memory/2628-148-0x000000013F670000-0x000000013F9C4000-memory.dmp

memory/3064-149-0x000000013FEE0000-0x0000000140234000-memory.dmp

memory/2576-150-0x000000013F0C0000-0x000000013F414000-memory.dmp

memory/2728-151-0x000000013F950000-0x000000013FCA4000-memory.dmp

memory/2580-153-0x000000013FA40000-0x000000013FD94000-memory.dmp

memory/2792-152-0x000000013F950000-0x000000013FCA4000-memory.dmp

memory/2816-154-0x000000013FCE0000-0x0000000140034000-memory.dmp

memory/2584-155-0x000000013FED0000-0x0000000140224000-memory.dmp

memory/2184-156-0x000000013FF90000-0x00000001402E4000-memory.dmp

memory/2500-157-0x000000013F1F0000-0x000000013F544000-memory.dmp

memory/2444-158-0x000000013FE50000-0x00000001401A4000-memory.dmp

memory/1944-159-0x000000013FAC0000-0x000000013FE14000-memory.dmp

memory/2632-160-0x000000013F890000-0x000000013FBE4000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-08 05:03

Reported

2024-06-08 05:06

Platform

win10v2004-20240226-en

Max time kernel

150s

Max time network

144s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-08_ab9197e65464ff7f43260c03219fddc9_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
(21 rows reported; every field is N/A in the source)

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
(21 rows reported; every field is N/A in the source)

UPX dump on OEP (original entry point)

Description Indicator Process Target
(64 rows reported; every field is N/A in the source)

XMRig Miner payload

miner
Description Indicator Process Target
(64 rows reported; every field is N/A in the source)

UPX packed file

upx
Description Indicator Process Target
(64 rows reported; every field is N/A in the source)

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\DXEhrFz.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_ab9197e65464ff7f43260c03219fddc9_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\AYbpKmw.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_ab9197e65464ff7f43260c03219fddc9_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\QTWxDjw.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_ab9197e65464ff7f43260c03219fddc9_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\BqLClZi.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_ab9197e65464ff7f43260c03219fddc9_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\WzUpawo.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_ab9197e65464ff7f43260c03219fddc9_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\CPlqnEc.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_ab9197e65464ff7f43260c03219fddc9_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\BxukOOJ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_ab9197e65464ff7f43260c03219fddc9_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\eNHynOM.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_ab9197e65464ff7f43260c03219fddc9_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\yHtfTxH.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_ab9197e65464ff7f43260c03219fddc9_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\tlXqxBN.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_ab9197e65464ff7f43260c03219fddc9_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\XmpyUwd.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_ab9197e65464ff7f43260c03219fddc9_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\JASHhky.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_ab9197e65464ff7f43260c03219fddc9_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\dlWenxH.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_ab9197e65464ff7f43260c03219fddc9_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\jnwmBEF.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_ab9197e65464ff7f43260c03219fddc9_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\TIlcmvl.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_ab9197e65464ff7f43260c03219fddc9_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\mYBjqkr.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_ab9197e65464ff7f43260c03219fddc9_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\CQulAct.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_ab9197e65464ff7f43260c03219fddc9_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\kmZerzi.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_ab9197e65464ff7f43260c03219fddc9_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\BiStsPe.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_ab9197e65464ff7f43260c03219fddc9_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\QbLdyzK.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_ab9197e65464ff7f43260c03219fddc9_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\XRvQfVd.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_ab9197e65464ff7f43260c03219fddc9_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_ab9197e65464ff7f43260c03219fddc9_cobalt-strike_cobaltstrike.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_ab9197e65464ff7f43260c03219fddc9_cobalt-strike_cobaltstrike.exe N/A
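SeLockMemoryPrivilege is the right a process needs to allocate large pages, which is what XMRig requests to run RandomX efficiently, so the parent process enabling it corroborates the miner tags more strongly than the generic "suspicious" label suggests. The following is an added detection example, not code from this report or from any sandbox: it runs over a constructed JSON-lines export of Windows Security event 4703 (A user right was adjusted) records using that event's own EventData field names, flags any process outside an allowlist of legitimate large-page users that enables SeLockMemoryPrivilege, and collapses the duplicate rows a process produces when it adjusts its token more than once, as PID 1836 does above. The allowlist, the unusual-directory list and the XmpyUwd.exe and SQL Server records are assumptions for the example. Event 4703 is only written when the Audit Token Right Adjusted subcategory is enabled, and it is noisy in production, so the allowlist is where the tuning goes.

```python
"""Flag processes enabling SeLockMemoryPrivilege from Windows Security event 4703
(A user right was adjusted) records exported as JSON lines."""
import json

# Constructed sample: six 4703 records in a flattened JSON-lines export using the
# event's EventData field names. PIDs 0x72c (1836) and 0x45c (1116) mirror the
# report above; the XmpyUwd.exe and sqlservr.exe records are invented for the example.
SAMPLE_EVENTS = r"""
{"EventID": 4703, "ProcessName": "C:\\Windows\\System32\\svchost.exe", "ProcessId": "0x4a8", "EnabledPrivilegeList": "SeAssignPrimaryTokenPrivilege,SeIncreaseQuotaPrivilege", "DisabledPrivilegeList": "-"}
{"EventID": 4703, "ProcessName": "C:\\Program Files\\Microsoft SQL Server\\MSSQL\\Binn\\sqlservr.exe", "ProcessId": "0x7d0", "EnabledPrivilegeList": "SeLockMemoryPrivilege", "DisabledPrivilegeList": "-"}
{"EventID": 4703, "ProcessName": "C:\\Users\\Admin\\AppData\\Local\\Temp\\2024-06-08_ab9197e65464ff7f43260c03219fddc9_cobalt-strike_cobaltstrike.exe", "ProcessId": "0x72c", "EnabledPrivilegeList": "SeLockMemoryPrivilege", "DisabledPrivilegeList": "-"}
{"EventID": 4703, "ProcessName": "C:\\Users\\Admin\\AppData\\Local\\Temp\\2024-06-08_ab9197e65464ff7f43260c03219fddc9_cobalt-strike_cobaltstrike.exe", "ProcessId": "0x72c", "EnabledPrivilegeList": "SeLockMemoryPrivilege", "DisabledPrivilegeList": "-"}
{"EventID": 4703, "ProcessName": "C:\\Windows\\System\\XmpyUwd.exe", "ProcessId": "0x45c", "EnabledPrivilegeList": "SeLockMemoryPrivilege", "DisabledPrivilegeList": "-"}
{"EventID": 4703, "ProcessName": "C:\\Windows\\System\\XmpyUwd.exe", "ProcessId": "0x45c", "EnabledPrivilegeList": "-", "DisabledPrivilegeList": "SeLockMemoryPrivilege"}
"""

# Known legitimate large-page users (lower-cased full image paths); an assumption
# for this example, to be tuned per environment.
ALLOWLIST = {
    "c:\\program files\\microsoft sql server\\mssql\\binn\\sqlservr.exe",
}
# Directories from which a large-page consumer has no business running (assumption).
# C:\Windows\System\ is the legacy folder this sample drops into, not System32.
UNUSUAL_DIRS = ("\\appdata\\local\\temp\\", "\\users\\public\\",
                "\\programdata\\", "\\windows\\system\\")


def iter_4703(jsonl):
    """Yield (event, enabled_privileges) for each 4703 record; other IDs are skipped."""
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        if ev.get("EventID") != 4703:
            continue
        raw = ev.get("EnabledPrivilegeList", "-")
        yield ev, [p for p in raw.split(",") if p and p != "-"]


def find_lock_memory_abuse(jsonl):
    """One finding per (pid, image) that enabled SeLockMemoryPrivilege and is not
    allowlisted; repeated adjustments by the same process collapse to one finding."""
    findings = {}
    for ev, enabled in iter_4703(jsonl):
        if "SeLockMemoryPrivilege" not in enabled:
            continue
        image = ev["ProcessName"].lower()
        if image in ALLOWLIST:
            continue
        pid = int(ev["ProcessId"], 16)  # 4703 carries the PID as hex text
        if (pid, image) in findings:
            continue
        reasons = ["enabled SeLockMemoryPrivilege outside the large-page allowlist"]
        if any(d in image for d in UNUSUAL_DIRS):
            reasons.append("image runs from an unusual directory")
        findings[(pid, image)] = {"pid": pid, "image": ev["ProcessName"], "reasons": reasons}
    return list(findings.values())


if __name__ == "__main__":
    for hit in find_lock_memory_abuse(SAMPLE_EVENTS):
        print(hit["pid"], hit["image"], "; ".join(hit["reasons"]))
```

On the sample above the svchost.exe record is ignored (no SeLockMemoryPrivilege), sqlservr.exe is allowlisted, the two identical records for PID 1836 become one finding, and the final XmpyUwd.exe record disables the right rather than enabling it, so only the two malicious processes are reported.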

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1836 wrote to memory of 1116 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_ab9197e65464ff7f43260c03219fddc9_cobalt-strike_cobaltstrike.exe C:\Windows\System\XmpyUwd.exe
PID 1836 wrote to memory of 1116 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_ab9197e65464ff7f43260c03219fddc9_cobalt-strike_cobaltstrike.exe C:\Windows\System\XmpyUwd.exe
PID 1836 wrote to memory of 716 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_ab9197e65464ff7f43260c03219fddc9_cobalt-strike_cobaltstrike.exe C:\Windows\System\JASHhky.exe
PID 1836 wrote to memory of 716 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_ab9197e65464ff7f43260c03219fddc9_cobalt-strike_cobaltstrike.exe C:\Windows\System\JASHhky.exe
PID 1836 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_ab9197e65464ff7f43260c03219fddc9_cobalt-strike_cobaltstrike.exe C:\Windows\System\eNHynOM.exe
PID 1836 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_ab9197e65464ff7f43260c03219fddc9_cobalt-strike_cobaltstrike.exe C:\Windows\System\eNHynOM.exe
PID 1836 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_ab9197e65464ff7f43260c03219fddc9_cobalt-strike_cobaltstrike.exe C:\Windows\System\DXEhrFz.exe
PID 1836 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_ab9197e65464ff7f43260c03219fddc9_cobalt-strike_cobaltstrike.exe C:\Windows\System\DXEhrFz.exe
PID 1836 wrote to memory of 1352 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_ab9197e65464ff7f43260c03219fddc9_cobalt-strike_cobaltstrike.exe C:\Windows\System\AYbpKmw.exe
PID 1836 wrote to memory of 1352 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_ab9197e65464ff7f43260c03219fddc9_cobalt-strike_cobaltstrike.exe C:\Windows\System\AYbpKmw.exe
PID 1836 wrote to memory of 2872 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_ab9197e65464ff7f43260c03219fddc9_cobalt-strike_cobaltstrike.exe C:\Windows\System\yHtfTxH.exe
PID 1836 wrote to memory of 2872 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_ab9197e65464ff7f43260c03219fddc9_cobalt-strike_cobaltstrike.exe C:\Windows\System\yHtfTxH.exe
PID 1836 wrote to memory of 220 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_ab9197e65464ff7f43260c03219fddc9_cobalt-strike_cobaltstrike.exe C:\Windows\System\mYBjqkr.exe
PID 1836 wrote to memory of 220 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_ab9197e65464ff7f43260c03219fddc9_cobalt-strike_cobaltstrike.exe C:\Windows\System\mYBjqkr.exe
PID 1836 wrote to memory of 3152 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_ab9197e65464ff7f43260c03219fddc9_cobalt-strike_cobaltstrike.exe C:\Windows\System\dlWenxH.exe
PID 1836 wrote to memory of 3152 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_ab9197e65464ff7f43260c03219fddc9_cobalt-strike_cobaltstrike.exe C:\Windows\System\dlWenxH.exe
PID 1836 wrote to memory of 2500 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_ab9197e65464ff7f43260c03219fddc9_cobalt-strike_cobaltstrike.exe C:\Windows\System\CQulAct.exe
PID 1836 wrote to memory of 2500 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_ab9197e65464ff7f43260c03219fddc9_cobalt-strike_cobaltstrike.exe C:\Windows\System\CQulAct.exe
PID 1836 wrote to memory of 4808 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_ab9197e65464ff7f43260c03219fddc9_cobalt-strike_cobaltstrike.exe C:\Windows\System\kmZerzi.exe
PID 1836 wrote to memory of 4808 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_ab9197e65464ff7f43260c03219fddc9_cobalt-strike_cobaltstrike.exe C:\Windows\System\kmZerzi.exe
PID 1836 wrote to memory of 4648 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_ab9197e65464ff7f43260c03219fddc9_cobalt-strike_cobaltstrike.exe C:\Windows\System\QTWxDjw.exe
PID 1836 wrote to memory of 4648 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_ab9197e65464ff7f43260c03219fddc9_cobalt-strike_cobaltstrike.exe C:\Windows\System\QTWxDjw.exe
PID 1836 wrote to memory of 1340 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_ab9197e65464ff7f43260c03219fddc9_cobalt-strike_cobaltstrike.exe C:\Windows\System\jnwmBEF.exe
PID 1836 wrote to memory of 1340 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_ab9197e65464ff7f43260c03219fddc9_cobalt-strike_cobaltstrike.exe C:\Windows\System\jnwmBEF.exe
PID 1836 wrote to memory of 440 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_ab9197e65464ff7f43260c03219fddc9_cobalt-strike_cobaltstrike.exe C:\Windows\System\TIlcmvl.exe
PID 1836 wrote to memory of 440 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_ab9197e65464ff7f43260c03219fddc9_cobalt-strike_cobaltstrike.exe C:\Windows\System\TIlcmvl.exe
PID 1836 wrote to memory of 4624 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_ab9197e65464ff7f43260c03219fddc9_cobalt-strike_cobaltstrike.exe C:\Windows\System\tlXqxBN.exe
PID 1836 wrote to memory of 4624 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_ab9197e65464ff7f43260c03219fddc9_cobalt-strike_cobaltstrike.exe C:\Windows\System\tlXqxBN.exe
PID 1836 wrote to memory of 1580 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_ab9197e65464ff7f43260c03219fddc9_cobalt-strike_cobaltstrike.exe C:\Windows\System\BqLClZi.exe
PID 1836 wrote to memory of 1580 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_ab9197e65464ff7f43260c03219fddc9_cobalt-strike_cobaltstrike.exe C:\Windows\System\BqLClZi.exe
PID 1836 wrote to memory of 1800 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_ab9197e65464ff7f43260c03219fddc9_cobalt-strike_cobaltstrike.exe C:\Windows\System\BiStsPe.exe
PID 1836 wrote to memory of 1800 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_ab9197e65464ff7f43260c03219fddc9_cobalt-strike_cobaltstrike.exe C:\Windows\System\BiStsPe.exe
PID 1836 wrote to memory of 2024 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_ab9197e65464ff7f43260c03219fddc9_cobalt-strike_cobaltstrike.exe C:\Windows\System\QbLdyzK.exe
PID 1836 wrote to memory of 2024 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_ab9197e65464ff7f43260c03219fddc9_cobalt-strike_cobaltstrike.exe C:\Windows\System\QbLdyzK.exe
PID 1836 wrote to memory of 3300 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_ab9197e65464ff7f43260c03219fddc9_cobalt-strike_cobaltstrike.exe C:\Windows\System\WzUpawo.exe
PID 1836 wrote to memory of 3300 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_ab9197e65464ff7f43260c03219fddc9_cobalt-strike_cobaltstrike.exe C:\Windows\System\WzUpawo.exe
PID 1836 wrote to memory of 4336 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_ab9197e65464ff7f43260c03219fddc9_cobalt-strike_cobaltstrike.exe C:\Windows\System\XRvQfVd.exe
PID 1836 wrote to memory of 4336 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_ab9197e65464ff7f43260c03219fddc9_cobalt-strike_cobaltstrike.exe C:\Windows\System\XRvQfVd.exe
PID 1836 wrote to memory of 1624 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_ab9197e65464ff7f43260c03219fddc9_cobalt-strike_cobaltstrike.exe C:\Windows\System\CPlqnEc.exe
PID 1836 wrote to memory of 1624 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_ab9197e65464ff7f43260c03219fddc9_cobalt-strike_cobaltstrike.exe C:\Windows\System\CPlqnEc.exe
PID 1836 wrote to memory of 700 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_ab9197e65464ff7f43260c03219fddc9_cobalt-strike_cobaltstrike.exe C:\Windows\System\BxukOOJ.exe
PID 1836 wrote to memory of 700 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_ab9197e65464ff7f43260c03219fddc9_cobalt-strike_cobaltstrike.exe C:\Windows\System\BxukOOJ.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-08_ab9197e65464ff7f43260c03219fddc9_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-08_ab9197e65464ff7f43260c03219fddc9_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\XmpyUwd.exe

C:\Windows\System\XmpyUwd.exe

C:\Windows\System\JASHhky.exe

C:\Windows\System\JASHhky.exe

C:\Windows\System\eNHynOM.exe

C:\Windows\System\eNHynOM.exe

C:\Windows\System\DXEhrFz.exe

C:\Windows\System\DXEhrFz.exe

C:\Windows\System\AYbpKmw.exe

C:\Windows\System\AYbpKmw.exe

C:\Windows\System\yHtfTxH.exe

C:\Windows\System\yHtfTxH.exe

C:\Windows\System\mYBjqkr.exe

C:\Windows\System\mYBjqkr.exe

C:\Windows\System\dlWenxH.exe

C:\Windows\System\dlWenxH.exe

C:\Windows\System\CQulAct.exe

C:\Windows\System\CQulAct.exe

C:\Windows\System\kmZerzi.exe

C:\Windows\System\kmZerzi.exe

C:\Windows\System\QTWxDjw.exe

C:\Windows\System\QTWxDjw.exe

C:\Windows\System\jnwmBEF.exe

C:\Windows\System\jnwmBEF.exe

C:\Windows\System\TIlcmvl.exe

C:\Windows\System\TIlcmvl.exe

C:\Windows\System\tlXqxBN.exe

C:\Windows\System\tlXqxBN.exe

C:\Windows\System\BqLClZi.exe

C:\Windows\System\BqLClZi.exe

C:\Windows\System\BiStsPe.exe

C:\Windows\System\BiStsPe.exe

C:\Windows\System\QbLdyzK.exe

C:\Windows\System\QbLdyzK.exe

C:\Windows\System\WzUpawo.exe

C:\Windows\System\WzUpawo.exe

C:\Windows\System\XRvQfVd.exe

C:\Windows\System\XRvQfVd.exe

C:\Windows\System\CPlqnEc.exe

C:\Windows\System\CPlqnEc.exe

C:\Windows\System\BxukOOJ.exe

C:\Windows\System\BxukOOJ.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=2660 --field-trial-handle=2244,i,11878111470816612087,2265290141962607370,262144 --variations-seed-version /prefetch:8

Network

Country  Destination          Domain                          Proto
US       8.8.8.8:53           228.249.119.40.in-addr.arpa     udp
US       8.8.8.8:53           172.210.232.199.in-addr.arpa    udp
GB       216.58.201.106:443   -                               tcp
DE       3.120.209.58:8080    -                               tcp
US       8.8.8.8:53           69.31.126.40.in-addr.arpa       udp
US       8.8.8.8:53           95.221.229.192.in-addr.arpa     udp
US       8.8.8.8:53           97.17.167.52.in-addr.arpa       udp
US       8.8.8.8:53           183.59.114.20.in-addr.arpa      udp
US       8.8.8.8:53           206.23.85.13.in-addr.arpa       udp
DE       3.120.209.58:8080    -                               tcp
US       8.8.8.8:53           25.24.18.2.in-addr.arpa         udp
DE       3.120.209.58:8080    -                               tcp
US       8.8.8.8:53           13.227.111.52.in-addr.arpa      udp
DE       3.120.209.58:8080    -                               tcp
DE       3.120.209.58:8080    -                               tcp
DE       3.120.209.58:8080    -                               tcp

Files

memory/1836-0-0x00007FF7F0FA0000-0x00007FF7F12F4000-memory.dmp

memory/1836-1-0x000001AE613E0000-0x000001AE613F0000-memory.dmp

C:\Windows\System\XmpyUwd.exe

MD5 6edaa4cce3935f24642ade3e2cea0044
SHA1 3abf9bb75cb655e13752e5a04a34a68226612abc
SHA256 373986a8282321ab41632be903d7ecdfd652b7c7e18c6593f7bd813a817a9baf
SHA512 2430c927b6bc79d79f805ba1970c297ac9c3afcf3f6b77029de9f88dc52af5c9e166f7148896140c1b207a223dacb9b8a65c0486c201bc4f2fcfb1118d77347a

memory/1116-8-0x00007FF707140000-0x00007FF707494000-memory.dmp

C:\Windows\System\JASHhky.exe

MD5 5d0e1d62b5de6c46b9b096efc942f0b7
SHA1 69ac381d0fa00de4f36543ed54f309ae723dcff0
SHA256 60e27c7fa05a8b58d9f97a0e7107311cbea440cc704f1980099da083a36b709a
SHA512 2362d42a1ecc02bd11ad8c0b792b83e5005dd0ad18b2a52e41a3c9430747f8cef9158fb5bee473e680dabdc62c08db7dfa1154562e5a6ece74602dcde33a8e5f

memory/716-14-0x00007FF7040B0000-0x00007FF704404000-memory.dmp

C:\Windows\System\eNHynOM.exe

MD5 d9c1af64d54a3ec39298379b165b892b
SHA1 9b97d160fb5f01d80ba044db1456604bcd9b87f2
SHA256 c788034dca53c6117788691d06838d158d8931626b9de408c73946c2a3ae7f28
SHA512 1dcded2ab525804ea4dc7e4a479652764202ea3fc1ff6f4354cbe2e4f883d842092beb49e5bff4594097550a01616dcbd475f8c4f58234d8b959bdeb3a93b1ff

memory/2628-20-0x00007FF7B1BE0000-0x00007FF7B1F34000-memory.dmp

C:\Windows\System\DXEhrFz.exe

MD5 739c40cd832dc3bb0acbbb8639e9b42d
SHA1 43cb3e1dd840c03272bd47c0d8ea66b35e1c1d65
SHA256 ada8aa38cb81cbdfaa5f060fdb8a9f4d6dba498c534ec813572af3c1f432663d
SHA512 d53f16defc1a14b20c9879a621c991311b3705363798e8db6d75c07199fc7fba1d2be5d9132b204ddf99a7b4a4c2c9c4f767b9ed283387b0a45ec8d367598471

memory/2576-26-0x00007FF696E00000-0x00007FF697154000-memory.dmp

C:\Windows\System\AYbpKmw.exe

MD5 11b6a2ed21739c93a393ca2344c199ea
SHA1 bfcb3b0fc79c8cf202fd92755ce6377355628a84
SHA256 b017b4870e0912b38071356b292c5aa1ad1b85c2527ff1e38cd626d58fbc44a5
SHA512 2fe7004b4a32bab6e33721d3d383a1d389cf3ba9b4e90065ae98d023ba583bfa8e4c3edbfbb2fbd467655a66f59a6fabdd3860320ccf8bd16840ba2f0a922f01

memory/1352-32-0x00007FF6B35C0000-0x00007FF6B3914000-memory.dmp

C:\Windows\System\yHtfTxH.exe

MD5 d35709df7457d5c1e47cb5eae6ea2f14
SHA1 f51f69ad52222d1e3892fd147c50d8db84a42c5e
SHA256 13de509e03e3981ffcac6fecaf87f55327290373807d162769aef2a99b122d26
SHA512 ddae6c2c94c10b4ad81054cf1a154135b8f9f799fa9bd15acde344df0a70ee9f2cbd9dca4fb5b189f3a542527d908c1285a5ff3ec30cd1ee18e7255e625ec64d

memory/2872-37-0x00007FF76E4A0000-0x00007FF76E7F4000-memory.dmp

C:\Windows\System\mYBjqkr.exe

MD5 69d91d086785605c37d6596df2df2a31
SHA1 7caa7f4f18ae82ea2ba556a877128e652d96687a
SHA256 8aeb8de17b768a5cd182cc1b83ae685bb44b280b48bfbc92f9407b330fb9da07
SHA512 06bd51760a20d8152baf4af1e9df46eb813a1533f9ea0724e287e32c4196017cb29b93a80dea8dd5da5be96e12b61d2944b62bcd9881f6d5d4fd65cea839dd65

C:\Windows\System\dlWenxH.exe

MD5 a3fc2a01fd487740ee8befd525cbe74b
SHA1 b4f940195ab8ac023f6ff5fece66a133550dfc78
SHA256 2dad0d81f990dca2ffa678a66287cdf43ff3c1a09f86bdadd8165b09ed43a4b2
SHA512 9fb42542fd4b709955675a3f57f5b5a03da50a4fcf636257bd8c8bf93f8fc6b3e9d08a0ca01106bbd2a135660f626224584a055169681bc9164302d842459808

memory/220-49-0x00007FF7E5DD0000-0x00007FF7E6124000-memory.dmp

C:\Windows\System\CQulAct.exe

MD5 ac1f4c9d24544a407e7e53f4dd2b1321
SHA1 9d4cd6373421db3a2c67399ec33e9ea4305ca28b
SHA256 bffa6a67457243433a2c63b7a9d22b7a164e73c076a435847155f6bb58b2c267
SHA512 a9b37a9082779c1783777a6c9c6afdc845f06268fa168bb54501be6909ef283d77ff50c9d84afb15c08e2dd83df89f098bcd013958c036f0356327cf43de6d92

C:\Windows\System\kmZerzi.exe

MD5 5203b65178aca044cede25dd05c64b7a
SHA1 c80c1c3ce180c7db5bfc6002853fb29c54891d74
SHA256 d7b484f186965b6b6e8e18acc10efb485bf8bf9e84af8b818cc314d97e1fd42b
SHA512 962dd298f9347224601d126d4da199411f6a9258bddd715c129112ee66b1ec9403b7b72689f183cb5a552695c67d1bcdde830495907637a998ca65f2f319cfb7

memory/2500-64-0x00007FF74A790000-0x00007FF74AAE4000-memory.dmp

C:\Windows\System\QTWxDjw.exe

MD5 a7f1d6e18304f5ca971f0bb65112c68a
SHA1 4f3f8cfac3c9934fb8368c0ebcd4cfcd7e6851bb
SHA256 131cb3eb0d20da7b2206c7b220e5945bd74fc303ba4e865303c4cc6b4cea6410
SHA512 2e90499e05c34b092aded54939f6ad053dea3d177ba3f6fd0d5242812351070ea3de394dee35228b7be2e397cfca164b7d36115d9d4085c29ee002b37912ab45

C:\Windows\System\TIlcmvl.exe

MD5 85cad1b2864e633d25e863ba151e2ff3
SHA1 022e7f5b1659c14ce6cd21ad3a420dbf3517931e
SHA256 64b4aa20eb3866934ba4b256d8f3e2306265145944f22b42e422d37113ea794f
SHA512 033b53bae6fb6d19dc73fb9ecadd7974f5c7800435d12e8d1c9fda4aaa22ea05ad5a8638abebc527b1b2ba7a407d6e0bca987822f0e0102f48b3eb93bb530aa6

C:\Windows\System\BqLClZi.exe

MD5 5fd71a02fa139c192d3baa67fb1d9f43
SHA1 6949254ec37824ba4447194f2ba4df90af879ead
SHA256 e4b28ba0fd9da1921d367bf3695433138fc3ebc234b2eece7a143ff49d39080c
SHA512 90bf962c5c107ae31db4144b00e600f7ef660ff3ed7899a4d0761d984a5c3ac22da45f12ca52a92514efcd94383add20ef42240cfb46bd502a99d1b710cb13c9

C:\Windows\System\tlXqxBN.exe

MD5 38b5c2c6046cdd36c373a05535c54b6d
SHA1 2d800c60d57a1a15f7e417175e7ee3014312025f
SHA256 da034d15401b40067e52ce910134f2d7b1bcb7ef0e919b62ba84fd2b528fb35e
SHA512 c50209c4e6b3678da3237acb5088f5090dc4bc0c70fd2be246bc8a4de87b29ba12ebd70ba454ac0f6fc5c277e61463b9668748bdc27a13d04437bf8948da4723

C:\Windows\System\BiStsPe.exe

MD5 6c20c0d559b94b124e60e91cf9f2e34e
SHA1 2c541a07063f2a864b4ef881e9186b8e24c6aa2a
SHA256 cb9e076eb8374ba7e3931a4bb36752e587327cf267d80b5aeb4b809d2b4920d7
SHA512 f41a77ad4d8d938fa94e9948ff4e3cc69339b08ec2f73db6d8eec9eb3e8c5a99b95e9b1ac8635b5199fd0e7d4771177fd71e27822e27633d7132f6b72f6ba3e9

C:\Windows\System\QbLdyzK.exe

MD5 d629bda16eb55164d2002e76a4aa0822
SHA1 8638b10be33033b123f8be9e9126e4ef72f8519e
SHA256 1e3e5ce0db6eddbb77d8d69441fa079ec59dc8a72aba09c3697cf1bafac611c6
SHA512 70652f4dc8343b39c7f1e1fba6b1a7e85ca66bfac975c39a1ffa4231254aa9b0fb74113c7d7b2f90a54f47b006cc8bcdd57364e953a8688d8acd11ffb3da1a5f

C:\Windows\System\WzUpawo.exe

MD5 c85269773858022bce8818cce2e986cf
SHA1 2a0414f73474f7df2890abc8ea271ec9f2109ff3
SHA256 1c842a4443cdf621d69d70e2075ba3cdbf9c28ec74ef41a441a59b8c1fcaa306
SHA512 ffdcffbdd33037e554a660382f4836659c9be13629e670ff9b3b95ca27bb53c768e4ef632e885faefab5f72b4ca9dae7fa136418af0a84091531f13512185313

C:\Windows\System\CPlqnEc.exe

MD5 1852121619fbac8c05b758bc7cbab567
SHA1 5b88af4910883917de63c37efeb622219953d11f
SHA256 642a6d7bb34e60bef6eeb2e883a0972f86e529c31eeffb33d3b4a4b244a91e97
SHA512 ecf7d211b7da134f79b5bad58e59cbe9a6cfb45b57ff8966d3daba65d8ae01fd5bfc75c29cc57d7c4b9cebb076408726e04cffb2f502f8da32254963b82114de

C:\Windows\System\BxukOOJ.exe

MD5 1553e01bf94aa7714034fbdb0ab227cf
SHA1 b793bbf49f145b325cec7b4062f33524ce6d7f53
SHA256 018542340ed3e300c6c4f55bc890ed7dc9013e7fc3a56c6f73796f63cd1ad99b
SHA512 725393e497854596afe839ed73afd6a9723612b228883d3eadff022fe818a7a89e5a9abb82c9f9dbfc12d92fb21af637eb20d0bb579a3d40d082f85eff401705

C:\Windows\System\XRvQfVd.exe

MD5 69c758edf30e341123b1bf783bf42eda
SHA1 61763f84f0307c120cb89de166dbaf18501f0ed2
SHA256 1a14b2f2328b6d75287e630c4ad1e8e8eb6bf2bd18f5e90b0843382d67248641
SHA512 feee411c06aac5673886f3c7ba35d6887db5d6a625958f3fd085164d912da03ed502e97180dea8655345bcf641ee7b98511739901ba84a00d47338ffb1e76d45

C:\Windows\System\jnwmBEF.exe

MD5 d3d07ab8a4bda846a5e6ed1627a27acf
SHA1 94aba6de6cd5d5b1ac75b1201456fe8da3d71c85
SHA256 0ae5a6411a10eac98b93837fb37f30145e0c49e752c41801b2e046d99c91b4b7
SHA512 11bc74f81089439dd1a5e5732f503b0a94623fece9737ea84d8ee78f398d25f9b7fe64382acf5b06fce41bb4f870aa63709ba175eec157f0f856ba836d8434df

memory/4648-79-0x00007FF7EFE10000-0x00007FF7F0164000-memory.dmp

memory/1836-71-0x00007FF7F0FA0000-0x00007FF7F12F4000-memory.dmp

memory/4808-67-0x00007FF67D980000-0x00007FF67DCD4000-memory.dmp

memory/3152-58-0x00007FF781130000-0x00007FF781484000-memory.dmp

memory/1340-119-0x00007FF6AE890000-0x00007FF6AEBE4000-memory.dmp

memory/1580-120-0x00007FF612DD0000-0x00007FF613124000-memory.dmp

memory/4624-121-0x00007FF785770000-0x00007FF785AC4000-memory.dmp

memory/1800-122-0x00007FF656440000-0x00007FF656794000-memory.dmp

memory/2024-123-0x00007FF7F0000000-0x00007FF7F0354000-memory.dmp

memory/4336-125-0x00007FF69A1B0000-0x00007FF69A504000-memory.dmp

memory/700-127-0x00007FF66BB50000-0x00007FF66BEA4000-memory.dmp

memory/1624-126-0x00007FF624F80000-0x00007FF6252D4000-memory.dmp

memory/440-129-0x00007FF700EF0000-0x00007FF701244000-memory.dmp

memory/1116-128-0x00007FF707140000-0x00007FF707494000-memory.dmp

memory/3300-124-0x00007FF7C44A0000-0x00007FF7C47F4000-memory.dmp

memory/2628-130-0x00007FF7B1BE0000-0x00007FF7B1F34000-memory.dmp

memory/1352-131-0x00007FF6B35C0000-0x00007FF6B3914000-memory.dmp

memory/2872-132-0x00007FF76E4A0000-0x00007FF76E7F4000-memory.dmp

memory/220-133-0x00007FF7E5DD0000-0x00007FF7E6124000-memory.dmp

memory/4648-134-0x00007FF7EFE10000-0x00007FF7F0164000-memory.dmp

memory/1116-135-0x00007FF707140000-0x00007FF707494000-memory.dmp

memory/716-136-0x00007FF7040B0000-0x00007FF704404000-memory.dmp

memory/2628-137-0x00007FF7B1BE0000-0x00007FF7B1F34000-memory.dmp

memory/2576-138-0x00007FF696E00000-0x00007FF697154000-memory.dmp

memory/1352-139-0x00007FF6B35C0000-0x00007FF6B3914000-memory.dmp

memory/2872-140-0x00007FF76E4A0000-0x00007FF76E7F4000-memory.dmp

memory/3152-141-0x00007FF781130000-0x00007FF781484000-memory.dmp

memory/220-142-0x00007FF7E5DD0000-0x00007FF7E6124000-memory.dmp

memory/2500-143-0x00007FF74A790000-0x00007FF74AAE4000-memory.dmp

memory/4808-144-0x00007FF67D980000-0x00007FF67DCD4000-memory.dmp

memory/4648-145-0x00007FF7EFE10000-0x00007FF7F0164000-memory.dmp

memory/1340-147-0x00007FF6AE890000-0x00007FF6AEBE4000-memory.dmp

memory/440-146-0x00007FF700EF0000-0x00007FF701244000-memory.dmp

memory/4624-149-0x00007FF785770000-0x00007FF785AC4000-memory.dmp

memory/1580-150-0x00007FF612DD0000-0x00007FF613124000-memory.dmp

memory/1800-148-0x00007FF656440000-0x00007FF656794000-memory.dmp

memory/2024-151-0x00007FF7F0000000-0x00007FF7F0354000-memory.dmp

memory/4336-154-0x00007FF69A1B0000-0x00007FF69A504000-memory.dmp

memory/1624-153-0x00007FF624F80000-0x00007FF6252D4000-memory.dmp

memory/3300-155-0x00007FF7C44A0000-0x00007FF7C47F4000-memory.dmp

memory/700-152-0x00007FF66BB50000-0x00007FF66BEA4000-memory.dmp
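Three things in the two Files sections and the Network table are worth pulling out before the hashes go into a blocklist. Every dropped executable carries a different MD5, SHA-1 and SHA-256 in both detonations, so a list of these hashes only catches this run; the durable pivots are the drop location (C:\Windows\System\, the legacy directory, with seven-letter mixed-case names) and the fact that nearly every dumped region, across both detonations and every PID, spans exactly 0x354000 bytes, which is what one payload image mapped into each dropped process looks like. The "wrote to memory of" rows pair the parent (PID 1836) with each child twice at launch, which is also what a parent that merely starts a child looks like in this sandbox, so the process tree rather than those rows is the evidence of how the children came to exist. In the Network table the reverse (in-addr.arpa) lookups to the resolver are background noise; the one destination contacted repeatedly, 3.120.209.58:8080, is not attributed by the report, but six connections to one host:port from a Cobalt Strike-tagged sample is the first thing to pivot on. The parser below is an added example, not part of the report or of the sandbox that produced it: it reads excerpts of the report's own text (assembled from the lines above, SHA512 lines left out) and returns the hashes, the region sizes, the parent-to-child write map and the destination counts, rejecting any hash whose length does not match its algorithm so a truncated copy does not silently become an IOC. The regular expressions and the excerpt format are assumptions about this report's layout, including the drive-less path form (\Windows\system\...) seen in behavioral1.

```python
"""Extract pivotable IOCs from a Triage-style text report: dropped-file hashes,
dumped memory regions, parent->child memory writes and network destinations."""
import re
from collections import Counter, defaultdict

# Excerpts assembled from the behavioral2 Files, WriteProcessMemory and Network
# sections of this report (SHA512 lines left out); not a complete copy of any section.
FILES_EXCERPT = r"""
memory/1836-0-0x00007FF7F0FA0000-0x00007FF7F12F4000-memory.dmp
memory/1836-1-0x000001AE613E0000-0x000001AE613F0000-memory.dmp
C:\Windows\System\XmpyUwd.exe
MD5 6edaa4cce3935f24642ade3e2cea0044
SHA1 3abf9bb75cb655e13752e5a04a34a68226612abc
SHA256 373986a8282321ab41632be903d7ecdfd652b7c7e18c6593f7bd813a817a9baf
memory/1116-8-0x00007FF707140000-0x00007FF707494000-memory.dmp
C:\Windows\System\JASHhky.exe
MD5 5d0e1d62b5de6c46b9b096efc942f0b7
SHA1 69ac381d0fa00de4f36543ed54f309ae723dcff0
SHA256 60e27c7fa05a8b58d9f97a0e7107311cbea440cc704f1980099da083a36b709a
memory/716-14-0x00007FF7040B0000-0x00007FF704404000-memory.dmp
"""
WRITES_EXCERPT = r"""
PID 1836 wrote to memory of 1116 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_ab9197e65464ff7f43260c03219fddc9_cobalt-strike_cobaltstrike.exe C:\Windows\System\XmpyUwd.exe
PID 1836 wrote to memory of 1116 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_ab9197e65464ff7f43260c03219fddc9_cobalt-strike_cobaltstrike.exe C:\Windows\System\XmpyUwd.exe
PID 1836 wrote to memory of 716 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_ab9197e65464ff7f43260c03219fddc9_cobalt-strike_cobaltstrike.exe C:\Windows\System\JASHhky.exe
PID 1836 wrote to memory of 716 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_ab9197e65464ff7f43260c03219fddc9_cobalt-strike_cobaltstrike.exe C:\Windows\System\JASHhky.exe
"""
NETWORK_EXCERPT = """\
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
GB 216.58.201.106:443 tcp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 69.31.126.40.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
"""

HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
PATH_RE = re.compile(r"^(?:[A-Za-z]:)?\\\S+$")  # C:\Windows\System\x.exe or \Windows\...
HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-fA-F]+)$")
MEM_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
WRITE_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+)\b")


def parse_files(text):
    """Return (files, regions). Hash lines attach to the most recent path line; a
    digest of the wrong length for its algorithm raises instead of being kept."""
    files, regions, current = [], [], None
    for line in text.splitlines():
        line = line.strip()
        if m := MEM_RE.match(line):
            pid, seq, start, end = m.groups()
            start, end = int(start, 16), int(end, 16)
            regions.append({"pid": int(pid), "seq": int(seq), "start": start,
                            "end": end, "size": end - start})
        elif PATH_RE.match(line):
            current = {"path": line}
            files.append(current)
        elif m := HASH_RE.match(line):
            algo, digest = m.group(1), m.group(2).lower()
            if current is None or len(digest) != HASH_LEN[algo]:
                raise ValueError(f"bad or orphaned {algo} line: {line}")
            current[algo] = digest
    return files, regions


def region_size_histogram(regions):
    """Sizes of dumped regions; one dominant size shared across PIDs points at a
    single payload image mapped into every dropped process."""
    return Counter(r["size"] for r in regions)


def process_write_tree(text):
    """Parent PID -> sorted unique child PIDs from 'wrote to memory of' rows."""
    tree = defaultdict(set)
    for line in text.splitlines():
        if m := WRITE_RE.match(line.strip()):
            tree[int(m.group(1))].add(int(m.group(2)))
    return {parent: sorted(children) for parent, children in tree.items()}


def network_summary(text):
    """Count non-DNS destinations and collect forward DNS names; reverse (PTR)
    lookups of the form a.b.c.d.in-addr.arpa are resolver noise and dropped."""
    dests, names = Counter(), []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4:  # country dest domain proto (domain may be '-')
            domain = parts[2]
            if domain != "-" and not domain.endswith(".in-addr.arpa"):
                names.append(domain)
            elif domain == "-":
                dests[parts[1]] += 1
        elif len(parts) == 3:  # country dest proto (no domain column)
            dests[parts[1]] += 1
    return {"destinations": dests, "dns_names": names}


if __name__ == "__main__":
    files, regions = parse_files(FILES_EXCERPT)
    for f in files:
        print(f["path"], f["SHA256"])
    print({hex(size): n for size, n in region_size_histogram(regions).items()})
    print(process_write_tree(WRITES_EXCERPT))
    print(network_summary(NETWORK_EXCERPT))
```

Run against the full Files sections above, region_size_histogram shows 0x354000 for almost every dump in both detonations (the single 0x10000 region belongs to PID 1836 and is a heap allocation, not the image), and network_summary reduces the Network table to the one repeated destination.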