Malware Analysis Report

2024-10-24 18:16

Sample ID 240607-bahgbseg5w
Target 2024-06-07_15850877328970a848f6648a546b1730_cobalt-strike_cobaltstrike
SHA256 901f8912b343fe301814c1278bf706bbbf978dd4968c0c12bbb9c4fe06ef57ab
Tags
miner upx 0 xmrig cobaltstrike backdoor trojan
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

score
10/10

SHA256

901f8912b343fe301814c1278bf706bbbf978dd4968c0c12bbb9c4fe06ef57ab

Threat Level: Known bad

The file 2024-06-07_15850877328970a848f6648a546b1730_cobalt-strike_cobaltstrike was found to be: Known bad.

Malicious Activity Summary

miner upx 0 xmrig cobaltstrike backdoor trojan

Cobaltstrike

xmrig

Detects Reflective DLL injection artifacts

UPX dump on OEP (original entry point)

Cobalt Strike reflective loader

Xmrig family

XMRig Miner payload

Cobaltstrike family

Detects Reflective DLL injection artifacts

UPX dump on OEP (original entry point)

XMRig Miner payload

Loads dropped DLL

Executes dropped EXE

UPX packed file

Drops file in Windows directory

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-07 01:00

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike family

cobaltstrike

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Xmrig family

xmrig

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-07 00:56

Reported

2024-06-07 01:03

Platform

win7-20240508-en

Max time kernel

140s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-07_15850877328970a848f6648a546b1730_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target Count
N/A N/A N/A N/A 21

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target Count
N/A N/A N/A N/A 21

UPX dump on OEP (original entry point)

Description Indicator Process Target Count
N/A N/A N/A N/A 54

XMRig Miner payload

miner
Description Indicator Process Target Count
N/A N/A N/A N/A 59

Loads dropped DLL

Description Indicator Process Target Count
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_15850877328970a848f6648a546b1730_cobalt-strike_cobaltstrike.exe N/A 21

UPX packed file

upx
Description Indicator Process Target Count
N/A N/A N/A N/A 54

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\eXuzHFn.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_15850877328970a848f6648a546b1730_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\Nomofzt.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_15850877328970a848f6648a546b1730_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\yQCsUmD.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_15850877328970a848f6648a546b1730_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ocoVoby.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_15850877328970a848f6648a546b1730_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\OJQUCbr.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_15850877328970a848f6648a546b1730_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\cRjmnTg.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_15850877328970a848f6648a546b1730_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\dXrohOk.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_15850877328970a848f6648a546b1730_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\FVoneKt.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_15850877328970a848f6648a546b1730_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\PxftWdA.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_15850877328970a848f6648a546b1730_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\HuFrfAY.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_15850877328970a848f6648a546b1730_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\lbxXGNd.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_15850877328970a848f6648a546b1730_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\HBjYjMm.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_15850877328970a848f6648a546b1730_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\bRCgLDC.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_15850877328970a848f6648a546b1730_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\jYRvaIy.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_15850877328970a848f6648a546b1730_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\YkMUdli.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_15850877328970a848f6648a546b1730_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\VCqlqmF.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_15850877328970a848f6648a546b1730_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\udICoVH.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_15850877328970a848f6648a546b1730_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\CrKkQCd.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_15850877328970a848f6648a546b1730_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\CrxLUMw.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_15850877328970a848f6648a546b1730_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\wFCelRk.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_15850877328970a848f6648a546b1730_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\SDMhvZF.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_15850877328970a848f6648a546b1730_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target Count
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_15850877328970a848f6648a546b1730_cobalt-strike_cobaltstrike.exe N/A 2

Suspicious use of WriteProcessMemory

Description Indicator Process Target Count
PID 1924 wrote to memory of 3040 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_15850877328970a848f6648a546b1730_cobalt-strike_cobaltstrike.exe C:\Windows\System\PxftWdA.exe 3
PID 1924 wrote to memory of 2580 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_15850877328970a848f6648a546b1730_cobalt-strike_cobaltstrike.exe C:\Windows\System\jYRvaIy.exe 3
PID 1924 wrote to memory of 2796 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_15850877328970a848f6648a546b1730_cobalt-strike_cobaltstrike.exe C:\Windows\System\HuFrfAY.exe 3
PID 1924 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_15850877328970a848f6648a546b1730_cobalt-strike_cobaltstrike.exe C:\Windows\System\YkMUdli.exe 3
PID 1924 wrote to memory of 2484 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_15850877328970a848f6648a546b1730_cobalt-strike_cobaltstrike.exe C:\Windows\System\CrxLUMw.exe 3
PID 1924 wrote to memory of 2512 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_15850877328970a848f6648a546b1730_cobalt-strike_cobaltstrike.exe C:\Windows\System\eXuzHFn.exe 3
PID 1924 wrote to memory of 2648 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_15850877328970a848f6648a546b1730_cobalt-strike_cobaltstrike.exe C:\Windows\System\lbxXGNd.exe 3
PID 1924 wrote to memory of 2480 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_15850877328970a848f6648a546b1730_cobalt-strike_cobaltstrike.exe C:\Windows\System\Nomofzt.exe 3
PID 1924 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_15850877328970a848f6648a546b1730_cobalt-strike_cobaltstrike.exe C:\Windows\System\VCqlqmF.exe 3
PID 1924 wrote to memory of 2292 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_15850877328970a848f6648a546b1730_cobalt-strike_cobaltstrike.exe C:\Windows\System\wFCelRk.exe 3
PID 1924 wrote to memory of 1928 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_15850877328970a848f6648a546b1730_cobalt-strike_cobaltstrike.exe C:\Windows\System\yQCsUmD.exe 3
PID 1924 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_15850877328970a848f6648a546b1730_cobalt-strike_cobaltstrike.exe C:\Windows\System\udICoVH.exe 3
PID 1924 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_15850877328970a848f6648a546b1730_cobalt-strike_cobaltstrike.exe C:\Windows\System\CrKkQCd.exe 3
PID 1924 wrote to memory of 2944 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_15850877328970a848f6648a546b1730_cobalt-strike_cobaltstrike.exe C:\Windows\System\ocoVoby.exe 3
PID 1924 wrote to memory of 1580 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_15850877328970a848f6648a546b1730_cobalt-strike_cobaltstrike.exe C:\Windows\System\HBjYjMm.exe 3
PID 1924 wrote to memory of 792 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_15850877328970a848f6648a546b1730_cobalt-strike_cobaltstrike.exe C:\Windows\System\OJQUCbr.exe 3
PID 1924 wrote to memory of 2440 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_15850877328970a848f6648a546b1730_cobalt-strike_cobaltstrike.exe C:\Windows\System\SDMhvZF.exe 3
PID 1924 wrote to memory of 1532 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_15850877328970a848f6648a546b1730_cobalt-strike_cobaltstrike.exe C:\Windows\System\bRCgLDC.exe 3
PID 1924 wrote to memory of 1060 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_15850877328970a848f6648a546b1730_cobalt-strike_cobaltstrike.exe C:\Windows\System\cRjmnTg.exe 3
PID 1924 wrote to memory of 1432 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_15850877328970a848f6648a546b1730_cobalt-strike_cobaltstrike.exe C:\Windows\System\dXrohOk.exe 3
PID 1924 wrote to memory of 1264 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_15850877328970a848f6648a546b1730_cobalt-strike_cobaltstrike.exe C:\Windows\System\FVoneKt.exe 3

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-07_15850877328970a848f6648a546b1730_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-07_15850877328970a848f6648a546b1730_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\PxftWdA.exe

C:\Windows\System\PxftWdA.exe

C:\Windows\System\jYRvaIy.exe

C:\Windows\System\jYRvaIy.exe

C:\Windows\System\HuFrfAY.exe

C:\Windows\System\HuFrfAY.exe

C:\Windows\System\YkMUdli.exe

C:\Windows\System\YkMUdli.exe

C:\Windows\System\CrxLUMw.exe

C:\Windows\System\CrxLUMw.exe

C:\Windows\System\eXuzHFn.exe

C:\Windows\System\eXuzHFn.exe

C:\Windows\System\lbxXGNd.exe

C:\Windows\System\lbxXGNd.exe

C:\Windows\System\Nomofzt.exe

C:\Windows\System\Nomofzt.exe

C:\Windows\System\VCqlqmF.exe

C:\Windows\System\VCqlqmF.exe

C:\Windows\System\wFCelRk.exe

C:\Windows\System\wFCelRk.exe

C:\Windows\System\yQCsUmD.exe

C:\Windows\System\yQCsUmD.exe

C:\Windows\System\udICoVH.exe

C:\Windows\System\udICoVH.exe

C:\Windows\System\CrKkQCd.exe

C:\Windows\System\CrKkQCd.exe

C:\Windows\System\ocoVoby.exe

C:\Windows\System\ocoVoby.exe

C:\Windows\System\HBjYjMm.exe

C:\Windows\System\HBjYjMm.exe

C:\Windows\System\OJQUCbr.exe

C:\Windows\System\OJQUCbr.exe

C:\Windows\System\SDMhvZF.exe

C:\Windows\System\SDMhvZF.exe

C:\Windows\System\bRCgLDC.exe

C:\Windows\System\bRCgLDC.exe

C:\Windows\System\cRjmnTg.exe

C:\Windows\System\cRjmnTg.exe

C:\Windows\System\dXrohOk.exe

C:\Windows\System\dXrohOk.exe

C:\Windows\System\FVoneKt.exe

C:\Windows\System\FVoneKt.exe

Network

Country Destination Domain Proto Count
DE 3.120.209.58:8080 tcp 6

Files

memory/1924-0-0x000000013F440000-0x000000013F794000-memory.dmp

memory/1924-1-0x00000000001F0000-0x0000000000200000-memory.dmp

\Windows\system\PxftWdA.exe

MD5 2ba060f7c8c12395ef1670e48fadc092
SHA1 544d518afe7a5c9eaec33c21dd9b1af8f08a881f
SHA256 0a3f9056f5bb3e71c70c28c216f96eb0045e09936b776da27922af498e83bd08
SHA512 fa722c8cb39ce79d68af71f0d4aa57010e21ea33c66ea586b04d674e761f5db9e0c714e937aaf512ddf093a0fd746a22984633370c5d93778b751f5e1889d62e

\Windows\system\jYRvaIy.exe

MD5 970f6f8c81bb1e109e7b1a9dc7f6d560
SHA1 5b3fbb29089a923636fafaae1fbe2653bd7a070b
SHA256 964e6b67de000b9f3b357fe409812af26e7b1a592051925fde60652ccfde2b8e
SHA512 cb63d04db617b190c6c2ceef5c13a5210d233abb6c74f9ee24b9741dbede23cfbf989f704547048e2139067e2d144c72f372929a9d842a1e6fe3d38434678b23

memory/1924-8-0x000000013FB70000-0x000000013FEC4000-memory.dmp

memory/3040-13-0x000000013FB70000-0x000000013FEC4000-memory.dmp

memory/1924-16-0x000000013FD90000-0x00000001400E4000-memory.dmp

C:\Windows\system\HuFrfAY.exe

MD5 7e5e0fba2d05367612198c9c1473f985
SHA1 08971a69403c7428ea84cb3c3e2ba30c62cd0878
SHA256 98b424fb37668798374d65e4927b8fade42c55ba8abc94b94c2072a74e5e7ddf
SHA512 adfceb8783efe311808773b94805e5ae9c58901e779da4a7b876abeca7b45891966bbf067f04b7e02baf48fb559746b21b2cc2dedf94ccf2db321f3ecb752bbf

memory/2796-22-0x000000013F910000-0x000000013FC64000-memory.dmp

C:\Windows\system\YkMUdli.exe

MD5 a38372331de6de62a2c9a619bfb5e2a9
SHA1 b536bd6a2f42a5acf8c9f9f03f6ecd0a1019c8f7
SHA256 12cc5555a8791af74993c495d9c0c10b061d180ee48a87da35129b44683b9c5d
SHA512 153559165cc99460a57718c5f3273224fdeae79df67ad7efbe15d246267893d916d8cfcb8d66286af2d31df6e090520b9e3e7c694ac30c1703f9cdf4513e2e08

memory/1924-35-0x000000013FD30000-0x0000000140084000-memory.dmp

memory/2648-49-0x000000013F4B0000-0x000000013F804000-memory.dmp

C:\Windows\system\eXuzHFn.exe

MD5 eef6609fa002c3e6da3ba58a4eb2d8f2
SHA1 5a9a87e2b7a1dd53686066fada348932eb1c2c36
SHA256 e4f96a70f366148ad871898cd0eb4618f2ea4913705fc86dd43453d03a67945d
SHA512 1f9318a0d887c444f98a7c8a6fe03385a08e6d740c7fac9aeb00029b0313e18786fdf0b3110e317a487e1d07a1910a02d48b614d8b6eb00ac0084b076656abab

C:\Windows\system\VCqlqmF.exe

MD5 770596b86c298a3e733123216095919c
SHA1 ccde8cab4ea5bb44406c22d56e74e9a7d213ce1d
SHA256 c506f792da412ad152cb617e51fd081381d64a771e48f3ff82ff4bc3db617b51
SHA512 f3d3b74e7e2a0ff718aaa2dcc7ce16fcec5d628a235781719fe6675f433a6011e51390444e797b3afe4d4947f6b10b8e46a452c9c710e79521d0c405a30c6b36

memory/1924-76-0x0000000002310000-0x0000000002664000-memory.dmp

\Windows\system\CrKkQCd.exe

MD5 5a12ca0daed85d511b237243807b97d5
SHA1 8ddcd3cd750621265cfcbdfbe7d61e34a7b6d3c0
SHA256 6918e18e3bb16caba142aaeb1bab39dd521de834676c885234baa5243afdf7f2
SHA512 555f63b848b48204f2bb7a74a2885ff7bc21107310200e5c944b099f7278220df163b31505b1160bd0800b9bae555b8815f2b80801da464fbb1159c213d8b91e

\Windows\system\ocoVoby.exe

MD5 2dfec3d75cb59469e28bcb4b83d419d2
SHA1 486df894cb4ecdd5a4da0d103883016b04235c7c
SHA256 0e584c3a06571534f0206bcdb26f1e67e6680f30f056f0d1b0a4a7b170eeea43
SHA512 ac8a69b4ca18d1cfac89f87b7b02c78ec3912fc9b489eb246d376c47cac9d4ad674fc451be2a1967c5fb02a6c1338d93f9705b6005233bc894772db8a72a5cdd

C:\Windows\system\dXrohOk.exe

MD5 a05ce51370a82523a86990eea77dc173
SHA1 8abd2d3ad22c62aba38ab4c507ea818876b6216f
SHA256 876d7ea6e0c1436728da7b29f7c7e06124f75f76d04ca574a2681499ced9c5a6
SHA512 18d74cd1b9519a502b4bf6d51a3f006c882b711feb79c720ef8b2e3e13b7516151d9cd560c225497c8a97a468e6c3fdc9dcef97773aed3b0e3b6e292c308598d

C:\Windows\system\cRjmnTg.exe

MD5 a34b39730dc44ae8a5f7801c239af399
SHA1 fe1298d7a589a670387b67b60cebff2bfee84300
SHA256 e81b8a6b222e1978dd5ce2ed9e5b5c1ab2790532447fcb61c26e8b4a77c9c370
SHA512 c054d9830c4da61b99dac6fbf16e14d8a3d829e32340f706ef62f7517ec436e7a539e8a488909a7f44b4824fa7bf98c08f6183b8fa177138a4788f5693b0247e

\Windows\system\bRCgLDC.exe

MD5 12325dcfa7a8a79433fb1de17d9f2e2b
SHA1 c52f2650251e42a48e12c805cf8ced51dc24d749
SHA256 b1e5a60b1a565f144e8198354fd99cc26bd322f3bf57feff4ce193a843476afe
SHA512 64f96b56da2876c16578bac2e6247b89b85b5f22de8d777c9dc341ceb446d13200508995af5e8e9901ea964e09d98fafc5817f28fa2d24334974e029ecf72eaa

memory/1924-108-0x0000000002310000-0x0000000002664000-memory.dmp

memory/1924-107-0x000000013FA70000-0x000000013FDC4000-memory.dmp

memory/1924-106-0x0000000002310000-0x0000000002664000-memory.dmp

C:\Windows\system\HBjYjMm.exe

MD5 a0afd247e882c8611ed2570c81760ceb
SHA1 b6d0518f534a1a1c7cc5e53d0a181dd132e05f05
SHA256 7ef21bbb20070bccf48c52a5bf022128a068a390aa7c3942c5064744cc2ca8ad
SHA512 b7af299b10d197518305cc81d30ff2cd928eeb93992f54a7a935107e28d59a2dfc48c85b2423376ef3c2cc800cd4130ad029b14b74a8886fa745b7d52284c89d

\Windows\system\OJQUCbr.exe

MD5 37f27559609c0c96ba94ff8b0d4a61c1
SHA1 074f09acc937a0465b47efd3093498099fb1ba9b
SHA256 8bc1705b40fce31098d9480bfc1022f7d5ec48fc0976fd09198d4d6d1b5b7c83
SHA512 e31fed598ca42b1c84cbd46591c024a6dd61e08de5e1d92a0d23db60038e3e8c24aa3066a77c60c1a2f462cdcf1b0612b10ea131740dba137b19e895015c0f43

C:\Windows\system\FVoneKt.exe

MD5 2758f2baedfed3c7f77b35edc977e0ef
SHA1 08a34e53579edd5bce54fad534d03b95be7b275b
SHA256 feb143d1f72abd87e59ac084b9fb58a29386a2394888f8a09748883c14173d72
SHA512 06c55ba2d8dbc454a7cd9a9bb65708b2a43a51fcdc127fc7e5bc39f8486f539fd5dd2feaaf10b36f9f42c064e472c811df66b08a2a7798be086672a190cbb9f6

C:\Windows\system\SDMhvZF.exe

MD5 959bd4101e2dcfdd52e2ac9ac3500c9c
SHA1 24469331ff37ba8b199e54464f38fdc4861e5b93
SHA256 7d9a96fa27f722915e5077c439c1dab22705d88ec7137de49e9cdae8c9214ba6
SHA512 99fa097acd11d1d698ab8d234c6259c3e0b7a26f47438e14b48f43d63ae99dceaec58d768f46764f99a221235c0182f8a4784468d146f4f086781d9db4f93b76

memory/2832-95-0x000000013FA50000-0x000000013FDA4000-memory.dmp

memory/2480-138-0x000000013FF70000-0x00000001402C4000-memory.dmp

memory/2648-94-0x000000013F4B0000-0x000000013F804000-memory.dmp

memory/1924-89-0x000000013FA50000-0x000000013FDA4000-memory.dmp

memory/2668-88-0x000000013F900000-0x000000013FC54000-memory.dmp

memory/2724-87-0x000000013F500000-0x000000013F854000-memory.dmp

C:\Windows\system\udICoVH.exe

MD5 cc03fa67c5b6a6bd628723b130934c5c
SHA1 b7a159c21f8164f37470acc5f0ca18f1ef3229a7
SHA256 b0ecae4033aee42b011b96b655edca290f95c3c32e6f4e59241e9f34e4acd19d
SHA512 d2dd19eb3fbee6f41ae554eafd875e0c7437a4488d9816a7f0d06f0b39702ddcdf7f38b8b84c09a4c30a64b942d417f64ee4da94aa9b08aad96a7631964674cf

memory/1924-81-0x000000013F900000-0x000000013FC54000-memory.dmp

memory/2796-80-0x000000013F910000-0x000000013FC64000-memory.dmp

memory/1924-79-0x000000013F910000-0x000000013FC64000-memory.dmp

memory/1928-78-0x000000013F610000-0x000000013F964000-memory.dmp

memory/2292-70-0x000000013F670000-0x000000013F9C4000-memory.dmp

memory/1924-69-0x0000000002310000-0x0000000002664000-memory.dmp

C:\Windows\system\wFCelRk.exe

MD5 93626213ba9a78ddbbd36cf0799f3b75
SHA1 5ca91eae31448631513e46e306cd5abd2d553346
SHA256 118009b3b250e561fd63137f2a7ccd9d29fb5ba5093ba8647f4458354ba51b5a
SHA512 35eaed43effbcdeb7454fae101e3348439bafd0a3bf390c9879f071337d305029520b5f8cab876e1a690ccc7484bdb77cf894bdb9111357b3b4822000fc01260

C:\Windows\system\yQCsUmD.exe

MD5 224401a470fd193212b93b4b8bef17b2
SHA1 1ae14e45bd4d15ecd566dea2ec10d5743f9b473f
SHA256 57eab6e33c2098da0df3e60c7b9901a774e23adb582a3bca2406d4db36065967
SHA512 dcd64cda95d25a7e5a289ebc718241cd84a6d292dbca7a38338f85a35356c8194a525c699176271189037c5b5af37c8b815a5e335219cfde0ef58eb5e481e588

memory/2548-62-0x000000013F610000-0x000000013F964000-memory.dmp

memory/2480-56-0x000000013FF70000-0x00000001402C4000-memory.dmp

memory/1924-55-0x000000013F440000-0x000000013F794000-memory.dmp

C:\Windows\system\Nomofzt.exe

MD5 248dd75cdabe1be06584624ef6fdf221
SHA1 a0b895e14866772a0c9606b948369cbc73acd5f5
SHA256 101d23fa5d5e2b7c9f71d34f9d83ab7bd564096879087b1221aeaa67e8f07dad
SHA512 42ddb83256adbb142e7fa23b4fdc20d40989fa4f7d4d4cde31a5ab5672ed27ed343217766de99d0ea6d34d6dc1c8826996df1ab543270225a2a68acdafed3fd2

memory/1924-40-0x000000013F8F0000-0x000000013FC44000-memory.dmp

memory/2484-37-0x000000013FD30000-0x0000000140084000-memory.dmp

memory/1924-48-0x0000000002310000-0x0000000002664000-memory.dmp

memory/2512-47-0x000000013F8F0000-0x000000013FC44000-memory.dmp

memory/2548-139-0x000000013F610000-0x000000013F964000-memory.dmp

C:\Windows\system\lbxXGNd.exe

MD5 b2ed3ddedd8529f18ebf9acba1ea2418
SHA1 43e785ea8ed66c2c756035a397136e97169994fa
SHA256 7af2909ccc19a639371c9a4be53b12e789f2b117bf2f915e9775c7670c613d5d
SHA512 24cea93b3cf0ad557c1b8421afa8e7f2bac16522e020889251ba7e6920e661a82903d972ca6fd8b0d05159be88903506ac5e420b0f62e44d55b3aaf206830698

C:\Windows\system\CrxLUMw.exe

MD5 a90822bb5a45cecbfe43b80d4afa0550
SHA1 bb038b187acf5184022a83228a3983fcce45c92c
SHA256 47be73d5c3ff43603c6658cf745f630bb9d7bdc8decbe3bbbdac38e7b1be22de
SHA512 8ad7307152fcb3bd384562645f8631e7e3bd74a382f5631e5409adef1823c72d736294af3799d0d9eca48c27f96e7aca34a49b60a31e8d243a2dfd38fca79f8c

memory/2724-28-0x000000013F500000-0x000000013F854000-memory.dmp

memory/1924-27-0x0000000002310000-0x0000000002664000-memory.dmp

memory/2580-15-0x000000013FD90000-0x00000001400E4000-memory.dmp

memory/1924-140-0x0000000002310000-0x0000000002664000-memory.dmp

memory/1924-141-0x0000000002310000-0x0000000002664000-memory.dmp

memory/1924-142-0x000000013F900000-0x000000013FC54000-memory.dmp

memory/1924-143-0x000000013FA50000-0x000000013FDA4000-memory.dmp

memory/3040-144-0x000000013FB70000-0x000000013FEC4000-memory.dmp

memory/2580-145-0x000000013FD90000-0x00000001400E4000-memory.dmp

memory/2796-146-0x000000013F910000-0x000000013FC64000-memory.dmp

memory/2484-148-0x000000013FD30000-0x0000000140084000-memory.dmp

memory/2512-149-0x000000013F8F0000-0x000000013FC44000-memory.dmp

memory/2648-150-0x000000013F4B0000-0x000000013F804000-memory.dmp

memory/2724-147-0x000000013F500000-0x000000013F854000-memory.dmp

memory/2480-151-0x000000013FF70000-0x00000001402C4000-memory.dmp

memory/2548-152-0x000000013F610000-0x000000013F964000-memory.dmp

memory/2292-153-0x000000013F670000-0x000000013F9C4000-memory.dmp

memory/1928-154-0x000000013F610000-0x000000013F964000-memory.dmp

memory/2668-155-0x000000013F900000-0x000000013FC54000-memory.dmp

memory/2832-156-0x000000013FA50000-0x000000013FDA4000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-07 00:56

Reported

2024-06-07 01:03

Platform

win10v2004-20240226-en

Max time kernel

148s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-07_15850877328970a848f6648a546b1730_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
(12 hits recorded; description, indicator, process and target are all N/A)

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
(12 hits recorded; description, indicator, process and target are all N/A)

UPX dump on OEP (original entry point)

Description Indicator Process Target
(64 hits recorded; description, indicator, process and target are all N/A)

XMRig Miner payload

miner
Description Indicator Process Target
(64 hits recorded; description, indicator, process and target are all N/A)

UPX packed file

upx
Description Indicator Process Target
(64 hits recorded; description, indicator, process and target are all N/A)

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\yIGtvEm.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_15850877328970a848f6648a546b1730_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\cnblRxE.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_15850877328970a848f6648a546b1730_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\qvTTBuY.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_15850877328970a848f6648a546b1730_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\cfYXkgV.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_15850877328970a848f6648a546b1730_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\wZMKTbk.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_15850877328970a848f6648a546b1730_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\pOKoUoT.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_15850877328970a848f6648a546b1730_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\uVrHUux.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_15850877328970a848f6648a546b1730_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\cZfnBgg.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_15850877328970a848f6648a546b1730_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\vKaHgKK.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_15850877328970a848f6648a546b1730_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\orjaJAl.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_15850877328970a848f6648a546b1730_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\YDmEaIy.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_15850877328970a848f6648a546b1730_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\HPMUNiw.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_15850877328970a848f6648a546b1730_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\rTafcKj.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_15850877328970a848f6648a546b1730_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\gOrZmOi.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_15850877328970a848f6648a546b1730_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\QDNnArh.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_15850877328970a848f6648a546b1730_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\lcWDMzw.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_15850877328970a848f6648a546b1730_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\FQrDjlG.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_15850877328970a848f6648a546b1730_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\rZnfcXq.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_15850877328970a848f6648a546b1730_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\VkRCXWF.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_15850877328970a848f6648a546b1730_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\aNaLoyt.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_15850877328970a848f6648a546b1730_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ODlrBaj.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_15850877328970a848f6648a546b1730_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_15850877328970a848f6648a546b1730_cobalt-strike_cobaltstrike.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_15850877328970a848f6648a546b1730_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3532 wrote to memory of 3284 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_15850877328970a848f6648a546b1730_cobalt-strike_cobaltstrike.exe C:\Windows\System\cfYXkgV.exe
PID 3532 wrote to memory of 3284 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_15850877328970a848f6648a546b1730_cobalt-strike_cobaltstrike.exe C:\Windows\System\cfYXkgV.exe
PID 3532 wrote to memory of 3296 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_15850877328970a848f6648a546b1730_cobalt-strike_cobaltstrike.exe C:\Windows\System\FQrDjlG.exe
PID 3532 wrote to memory of 3296 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_15850877328970a848f6648a546b1730_cobalt-strike_cobaltstrike.exe C:\Windows\System\FQrDjlG.exe
PID 3532 wrote to memory of 1120 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_15850877328970a848f6648a546b1730_cobalt-strike_cobaltstrike.exe C:\Windows\System\aNaLoyt.exe
PID 3532 wrote to memory of 1120 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_15850877328970a848f6648a546b1730_cobalt-strike_cobaltstrike.exe C:\Windows\System\aNaLoyt.exe
PID 3532 wrote to memory of 2144 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_15850877328970a848f6648a546b1730_cobalt-strike_cobaltstrike.exe C:\Windows\System\orjaJAl.exe
PID 3532 wrote to memory of 2144 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_15850877328970a848f6648a546b1730_cobalt-strike_cobaltstrike.exe C:\Windows\System\orjaJAl.exe
PID 3532 wrote to memory of 1292 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_15850877328970a848f6648a546b1730_cobalt-strike_cobaltstrike.exe C:\Windows\System\ODlrBaj.exe
PID 3532 wrote to memory of 1292 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_15850877328970a848f6648a546b1730_cobalt-strike_cobaltstrike.exe C:\Windows\System\ODlrBaj.exe
PID 3532 wrote to memory of 2912 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_15850877328970a848f6648a546b1730_cobalt-strike_cobaltstrike.exe C:\Windows\System\wZMKTbk.exe
PID 3532 wrote to memory of 2912 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_15850877328970a848f6648a546b1730_cobalt-strike_cobaltstrike.exe C:\Windows\System\wZMKTbk.exe
PID 3532 wrote to memory of 1724 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_15850877328970a848f6648a546b1730_cobalt-strike_cobaltstrike.exe C:\Windows\System\YDmEaIy.exe
PID 3532 wrote to memory of 1724 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_15850877328970a848f6648a546b1730_cobalt-strike_cobaltstrike.exe C:\Windows\System\YDmEaIy.exe
PID 3532 wrote to memory of 4356 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_15850877328970a848f6648a546b1730_cobalt-strike_cobaltstrike.exe C:\Windows\System\rZnfcXq.exe
PID 3532 wrote to memory of 4356 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_15850877328970a848f6648a546b1730_cobalt-strike_cobaltstrike.exe C:\Windows\System\rZnfcXq.exe
PID 3532 wrote to memory of 664 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_15850877328970a848f6648a546b1730_cobalt-strike_cobaltstrike.exe C:\Windows\System\VkRCXWF.exe
PID 3532 wrote to memory of 664 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_15850877328970a848f6648a546b1730_cobalt-strike_cobaltstrike.exe C:\Windows\System\VkRCXWF.exe
PID 3532 wrote to memory of 4056 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_15850877328970a848f6648a546b1730_cobalt-strike_cobaltstrike.exe C:\Windows\System\HPMUNiw.exe
PID 3532 wrote to memory of 4056 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_15850877328970a848f6648a546b1730_cobalt-strike_cobaltstrike.exe C:\Windows\System\HPMUNiw.exe
PID 3532 wrote to memory of 4748 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_15850877328970a848f6648a546b1730_cobalt-strike_cobaltstrike.exe C:\Windows\System\rTafcKj.exe
PID 3532 wrote to memory of 4748 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_15850877328970a848f6648a546b1730_cobalt-strike_cobaltstrike.exe C:\Windows\System\rTafcKj.exe
PID 3532 wrote to memory of 2116 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_15850877328970a848f6648a546b1730_cobalt-strike_cobaltstrike.exe C:\Windows\System\uVrHUux.exe
PID 3532 wrote to memory of 2116 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_15850877328970a848f6648a546b1730_cobalt-strike_cobaltstrike.exe C:\Windows\System\uVrHUux.exe
PID 3532 wrote to memory of 2500 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_15850877328970a848f6648a546b1730_cobalt-strike_cobaltstrike.exe C:\Windows\System\cZfnBgg.exe
PID 3532 wrote to memory of 2500 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_15850877328970a848f6648a546b1730_cobalt-strike_cobaltstrike.exe C:\Windows\System\cZfnBgg.exe
PID 3532 wrote to memory of 1988 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_15850877328970a848f6648a546b1730_cobalt-strike_cobaltstrike.exe C:\Windows\System\pOKoUoT.exe
PID 3532 wrote to memory of 1988 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_15850877328970a848f6648a546b1730_cobalt-strike_cobaltstrike.exe C:\Windows\System\pOKoUoT.exe
PID 3532 wrote to memory of 3416 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_15850877328970a848f6648a546b1730_cobalt-strike_cobaltstrike.exe C:\Windows\System\vKaHgKK.exe
PID 3532 wrote to memory of 3416 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_15850877328970a848f6648a546b1730_cobalt-strike_cobaltstrike.exe C:\Windows\System\vKaHgKK.exe
PID 3532 wrote to memory of 2488 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_15850877328970a848f6648a546b1730_cobalt-strike_cobaltstrike.exe C:\Windows\System\yIGtvEm.exe
PID 3532 wrote to memory of 2488 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_15850877328970a848f6648a546b1730_cobalt-strike_cobaltstrike.exe C:\Windows\System\yIGtvEm.exe
PID 3532 wrote to memory of 3516 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_15850877328970a848f6648a546b1730_cobalt-strike_cobaltstrike.exe C:\Windows\System\gOrZmOi.exe
PID 3532 wrote to memory of 3516 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_15850877328970a848f6648a546b1730_cobalt-strike_cobaltstrike.exe C:\Windows\System\gOrZmOi.exe
PID 3532 wrote to memory of 3540 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_15850877328970a848f6648a546b1730_cobalt-strike_cobaltstrike.exe C:\Windows\System\QDNnArh.exe
PID 3532 wrote to memory of 3540 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_15850877328970a848f6648a546b1730_cobalt-strike_cobaltstrike.exe C:\Windows\System\QDNnArh.exe
PID 3532 wrote to memory of 3104 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_15850877328970a848f6648a546b1730_cobalt-strike_cobaltstrike.exe C:\Windows\System\cnblRxE.exe
PID 3532 wrote to memory of 3104 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_15850877328970a848f6648a546b1730_cobalt-strike_cobaltstrike.exe C:\Windows\System\cnblRxE.exe
PID 3532 wrote to memory of 3676 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_15850877328970a848f6648a546b1730_cobalt-strike_cobaltstrike.exe C:\Windows\System\lcWDMzw.exe
PID 3532 wrote to memory of 3676 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_15850877328970a848f6648a546b1730_cobalt-strike_cobaltstrike.exe C:\Windows\System\lcWDMzw.exe
PID 3532 wrote to memory of 3080 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_15850877328970a848f6648a546b1730_cobalt-strike_cobaltstrike.exe C:\Windows\System\qvTTBuY.exe
PID 3532 wrote to memory of 3080 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_15850877328970a848f6648a546b1730_cobalt-strike_cobaltstrike.exe C:\Windows\System\qvTTBuY.exe
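The three tables above describe one loop: the parent (PID 3532) writes a seven-letter, randomly named copy of itself into C:\Windows\System (the legacy 16-bit directory, not System32, which is almost never written to by legitimate software), then starts it, and the sandbox logs two WriteProcessMemory events from 3532 into each new child. The targets are the parent's own children, so these writes are consistent with process launch rather than injection into a foreign process; the reflective-loader hits come from the static scan, not from these events. The SeLockMemoryPrivilege request is the miner side of the sample: XMRig asks for that privilege on Windows to allocate large pages for RandomX, and ordinary user software almost never needs it. The script below is an added example, not part of the sandbox report or its tooling: it parses rows copied from these tables (a subset, with the report's real names and PIDs) and reconstructs the drop-then-run chain. The regexes and helper names are ours.

```python
import re
from collections import Counter

# Parent process of behavioral2, exactly as printed in the report.
PARENT = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\2024-06-07_15850877328970a848f6648a546b1730_cobalt-strike_cobaltstrike.exe")

# Rows taken from the three signature tables (a subset; names and PIDs are the report's).
DROP_ROWS = [f"File created C:\\Windows\\System\\{n}.exe {PARENT} N/A"
             for n in ("yIGtvEm", "cfYXkgV", "FQrDjlG", "aNaLoyt")]
TOKEN_ROWS = [f"Token: SeLockMemoryPrivilege N/A {PARENT} N/A"] * 2
WRITE_ROWS = [f"PID 3532 wrote to memory of {pid} N/A {PARENT} C:\\Windows\\System\\{n}.exe"
              for pid, n in ((3284, "cfYXkgV"), (3296, "FQrDjlG"), (1120, "aNaLoyt"))
              for _ in range(2)]          # the report logs two writes per child

DROP_RE = re.compile(r"^File created (?P<path>\S+) (?P<proc>\S+) \S+$")
TOKEN_RE = re.compile(r"^Token: (?P<priv>Se\w+) \S+ (?P<proc>\S+) \S+$")
WRITE_RE = re.compile(r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) \S+ (?P<proc>\S+) (?P<target>\S+)$")
# Seven mixed-case letters directly under the legacy C:\Windows\System directory.
RANDOM_DROP_RE = re.compile(r"^C:\\Windows\\System\\[A-Za-z]{7}\.exe$")


def parse_drops(rows):
    """Return (created path, creating process) pairs from 'File created' rows."""
    return [(m["path"], m["proc"]) for m in map(DROP_RE.match, rows) if m]


def parse_privileges(rows):
    """Set of privilege names requested via AdjustTokenPrivileges."""
    return {m["priv"] for m in map(TOKEN_RE.match, rows) if m}


def parse_writes(rows):
    """child pid -> (writer pid, child image), plus the number of write events per child."""
    children, events = {}, Counter()
    for m in filter(None, map(WRITE_RE.match, rows)):
        children[int(m["dst"])] = (int(m["src"]), m["target"])
        events[int(m["dst"])] += 1
    return children, events


def triage(drop_rows, token_rows, write_rows):
    """Tie the three tables together: which dropped files were then written into as processes."""
    dropped = {path for path, _ in parse_drops(drop_rows)}
    children, events = parse_writes(write_rows)
    spawned = sorted(pid for pid, (_, image) in children.items() if image in dropped)
    return {
        "dropped": sorted(dropped),
        "random_named": sorted(p for p in dropped if RANDOM_DROP_RE.match(p)),
        "lock_memory_privilege": "SeLockMemoryPrivilege" in parse_privileges(token_rows),
        "writers": sorted({src for src, _ in children.values()}),
        "dropped_then_run": spawned,
        "write_events": dict(events),
    }


if __name__ == "__main__":
    for key, value in triage(DROP_ROWS, TOKEN_ROWS, WRITE_ROWS).items():
        print(f"{key}: {value}")
```

Run against the full tables, every one of the 21 dropped paths matches the random-name pattern, every child PID in the WriteProcessMemory table is one of those paths, and the only writer is 3532; that combination (legacy directory, random names, parent writing into each child, plus SeLockMemoryPrivilege) is a much stronger hunt than any single dropped-file hash.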

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-07_15850877328970a848f6648a546b1730_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-07_15850877328970a848f6648a546b1730_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\cfYXkgV.exe

C:\Windows\System\cfYXkgV.exe

C:\Windows\System\FQrDjlG.exe

C:\Windows\System\FQrDjlG.exe

C:\Windows\System\aNaLoyt.exe

C:\Windows\System\aNaLoyt.exe

C:\Windows\System\orjaJAl.exe

C:\Windows\System\orjaJAl.exe

C:\Windows\System\ODlrBaj.exe

C:\Windows\System\ODlrBaj.exe

C:\Windows\System\wZMKTbk.exe

C:\Windows\System\wZMKTbk.exe

C:\Windows\System\YDmEaIy.exe

C:\Windows\System\YDmEaIy.exe

C:\Windows\System\rZnfcXq.exe

C:\Windows\System\rZnfcXq.exe

C:\Windows\System\VkRCXWF.exe

C:\Windows\System\VkRCXWF.exe

C:\Windows\System\HPMUNiw.exe

C:\Windows\System\HPMUNiw.exe

C:\Windows\System\rTafcKj.exe

C:\Windows\System\rTafcKj.exe

C:\Windows\System\uVrHUux.exe

C:\Windows\System\uVrHUux.exe

C:\Windows\System\cZfnBgg.exe

C:\Windows\System\cZfnBgg.exe

C:\Windows\System\pOKoUoT.exe

C:\Windows\System\pOKoUoT.exe

C:\Windows\System\vKaHgKK.exe

C:\Windows\System\vKaHgKK.exe

C:\Windows\System\yIGtvEm.exe

C:\Windows\System\yIGtvEm.exe

C:\Windows\System\gOrZmOi.exe

C:\Windows\System\gOrZmOi.exe

C:\Windows\System\QDNnArh.exe

C:\Windows\System\QDNnArh.exe

C:\Windows\System\cnblRxE.exe

C:\Windows\System\cnblRxE.exe

C:\Windows\System\lcWDMzw.exe

C:\Windows\System\lcWDMzw.exe

C:\Windows\System\qvTTBuY.exe

C:\Windows\System\qvTTBuY.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4076 --field-trial-handle=1928,i,13242902252791919845,10377620236057253993,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 73.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 144.107.17.2.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
GB 142.250.187.202:443 chromewebstore.googleapis.com tcp
US 8.8.8.8:53 202.187.250.142.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 233.17.178.52.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
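The network table mixes background traffic of the Windows 10 image (Edge reaching chromewebstore.googleapis.com, and PTR lookups sent to 8.8.8.8 for Microsoft and CDN addresses) with the sample's own traffic. The one destination that never has a name beside it is 3.120.209.58:8080 (DE), contacted six times over the 155 s run with no DNS query in between, which is what a hardcoded C2 or mining-pool address looks like; the report records no payload, so this page does not show whether that port carries Cobalt Strike beacon traffic or pool traffic. The script below is an added example, not part of the sandbox report: it parses rows copied from the table (a subset, in report order), separates name resolution from connections, decodes the in-addr.arpa names back to the addresses that were looked up, and lists destinations reached without any forward lookup. Regexes and helper names are ours.

```python
import re
from collections import Counter

# Rows taken from the Network table above (a subset, in report order).
NET_ROWS = """\
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 73.31.126.40.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
GB 142.250.187.202:443 chromewebstore.googleapis.com tcp
US 8.8.8.8:53 202.187.250.142.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
""".splitlines()

ROW_RE = re.compile(
    r"^(?P<cc>[A-Z]{2}) (?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)"
    r"(?: (?P<name>\S+))? (?P<proto>tcp|udp)$")
PTR_SUFFIX = ".in-addr.arpa"


def ptr_to_ip(name):
    """'228.249.119.40.in-addr.arpa' -> '40.119.249.228'; None for non-PTR names."""
    if not name or not name.endswith(PTR_SUFFIX):
        return None
    return ".".join(reversed(name[: -len(PTR_SUFFIX)].split(".")))


def parse_rows(rows):
    return [m.groupdict() for m in map(ROW_RE.match, rows) if m]


def is_dns(rec):
    return rec["port"] == "53" and rec["proto"] == "udp"


def summarize(rows):
    """Split lookups from connections and flag destinations reached with no forward lookup."""
    recs = parse_rows(rows)
    lookups = [r for r in recs if is_dns(r)]
    conns = [r for r in recs if not is_dns(r)]
    forward = {r["name"] for r in lookups if ptr_to_ip(r["name"]) is None}
    reverse = {ptr_to_ip(r["name"]): r["name"] for r in lookups if ptr_to_ip(r["name"])}
    by_dst = Counter((r["ip"], int(r["port"]), r["proto"]) for r in conns)
    hardcoded = sorted({(r["ip"], int(r["port"])) for r in conns
                        if r["name"] not in forward})
    return {"forward_lookups": sorted(forward), "reverse_lookups": reverse,
            "connections": by_dst, "hardcoded": hardcoded}


if __name__ == "__main__":
    s = summarize(NET_ROWS)
    for dst, n in s["connections"].most_common():
        print(f"{dst[0]}:{dst[1]}/{dst[2]} x{n}")
    print("no forward lookup:", s["hardcoded"])
    print("PTR lookups for:", sorted(s["reverse_lookups"]))
```

Two caveats when reading the result: the PTR lookups are issued by the guest (or the sandbox) for addresses it has already talked to, so they identify background endpoints rather than the sample's infrastructure, and a hardcoded destination only stays a useful indicator until the operator rotates it, so pair the IP with the port and the timing pattern rather than blocking the address alone.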

Files

memory/3532-0-0x00007FF71B250000-0x00007FF71B5A4000-memory.dmp

memory/3532-1-0x000001F845D70000-0x000001F845D80000-memory.dmp

C:\Windows\System\cfYXkgV.exe

MD5 139b2d12beab805528f87e12c8580dd7
SHA1 a9e27bbf24835bce4e2d4df2b98f161bed5c31b0
SHA256 315f67ce62001b837ed96623ec5f467e9e205ebd341307a44a2d5643c7050460
SHA512 61953af810bb76e4af6be344cb8ee798bb0ac67107a54c017af81e07279a2b0e63ee7283627c0c9c29e259cd5597e89a8422ccf699ed6305b7143bc623ee4804

memory/3284-8-0x00007FF798450000-0x00007FF7987A4000-memory.dmp

C:\Windows\System\FQrDjlG.exe

MD5 807ea75b7475fd84f39f9ecea9223a24
SHA1 3469f9e828116a5d7566cfaaf3b96944124cc171
SHA256 d25f38e049a50d9c1b2975d8260d367ec714ee36ca63952ed79dced50df97849
SHA512 7aa60bc5eb0df2eb0b539da87bb6345b3c3e787c628745499fa91485a13a848920f3dce940f2eb39880e6b522fe243c6714b01a11ebbb762463f20babdb075bb

memory/3296-14-0x00007FF7DB4F0000-0x00007FF7DB844000-memory.dmp

C:\Windows\System\aNaLoyt.exe

MD5 e6d61b1d9f5b25f8112ef69709f34d95
SHA1 b8128fe73f9b3219b1d5388a8535befbc57048c3
SHA256 e2f419383c0b200ccb12ee6178bba39e7fe4f7ad18b4d026ac0978e584c85351
SHA512 b5152957459924875ac58795d7f5d1d4ba313bf3ccec96e36d4e5e8672192da4ec459bf4b3db71874eb6c643bd1d8bfb94fc09839178885547a59424cd42f797

C:\Windows\System\FQrDjlG.exe

MD5 18247d7880140b18ecd39ee1adfc731b
SHA1 a157eaa9dd320bef6dfdb40a50d13608394c09ca
SHA256 652d7057f0ddb4d1a2f5d0f36605fc024f3683e540781cf247d44de8bd9de6cf
SHA512 86e803ee8318313ac7802d21e9ddf99485d8242e09c937616b13b7f0891cbb086eda558be30105ad71b938275dcac935eb0d6bca4b99ccf49510a012cfc00f29

memory/1120-20-0x00007FF6BBEE0000-0x00007FF6BC234000-memory.dmp

C:\Windows\System\orjaJAl.exe

MD5 5e178e96bebad3d9aedbb0a4c16b0b04
SHA1 eb2e8ed2fe5d924d8996dc4967b038c6d862b890
SHA256 0dc0260993f913e8203ce62a7ee17637350536abc81011cb9e61f53f2f1b3aff
SHA512 c81656157bea48bcd162ddba3c6f83e034cdf9d6c96af791c16a6bbc8d560fad22aee1403efcc16e6d971de2f43a35dc97ddf2fd94aadb6fdeb4297a87c6ae81

C:\Windows\System\orjaJAl.exe

MD5 a1df3420cf46306b933f609aa091bde6
SHA1 03ce76e9fe6f2cdeb3378102ed49d48485ec7843
SHA256 bcae40deb504422275dc41ae536981fa1c76529cec89792a5d25e945abde44e6
SHA512 3e324e98cff88b9150fadb48b306851323411ebcf6295fe7b9fbe18ab5bc686dfb423f26e2dbc80e5e8b763023d53f53f102d1a25698637c3423030b33d31eb2

memory/2144-26-0x00007FF6B8830000-0x00007FF6B8B84000-memory.dmp

C:\Windows\System\ODlrBaj.exe

MD5 88424a7d6ba0ed42916fcbedf9cfc771
SHA1 681bd1e9be2f1ec7d32463a0b288718d32a5bc6c
SHA256 d6fb17bb30c66883dcb0441bc383b9aa2f865bb6d84f619a01627fd346419f93
SHA512 5c8fd0e37d9c461282f92a0bbc790c7a4a1204d903c2e69f607f52f295c84904ab3aa8016ca53e2bbdfe312d926b4625c66b90bd58bfaeaea893056695da6e4d

memory/1292-32-0x00007FF7D58C0000-0x00007FF7D5C14000-memory.dmp

C:\Windows\System\wZMKTbk.exe

MD5 32041569ce29a5ef50883ca4e87e40ae
SHA1 62752d482ea7fbac09b013a4fe013fc0d3df3abe
SHA256 2e3378fbc771dcf65b54c5f4fc3d8b2f4d91a4c0824d0dd8ab6cf9cad9802f08
SHA512 f73e85b6685b7d4ce370cfab3ac9dd8c2d17fe49cb93ecb85f5f1ba15be35390697e7a824474b95109c653c60fc79b37d0e3c8a6792ee455c62ff2a12d3837b4

memory/2912-38-0x00007FF7B7960000-0x00007FF7B7CB4000-memory.dmp

C:\Windows\System\YDmEaIy.exe

MD5 6ba366f6e62a740517f1f3c880a87367
SHA1 5036a67d70b28ae4a847548f559883473e13ed46
SHA256 7a22ecddc14a8525b748e17ad9851fba8e77fd48b3862600c357764426ea2c71
SHA512 0245dd039c9c5f1ec164d0873cfe5d4ba85903f054b68eba14e39262884a6bdb52087e4264b2b61239b7bed4503b9c792da751be4421038cf3110a29f4eb7679

memory/1724-47-0x00007FF76D730000-0x00007FF76DA84000-memory.dmp

memory/4356-50-0x00007FF6713C0000-0x00007FF671714000-memory.dmp

C:\Windows\System\VkRCXWF.exe

MD5 484f9bd860840f7d2331986e4199e3d2
SHA1 eb5448cac8a274aecd2e2e996f7a8c535ce8dfe2
SHA256 d792f6a1d133eaf0c847fb75869638ea7611e35c703fc655348b58642f5eef41
SHA512 30de83fe0665fd35b3e5b2ef1bcd329c5b3c3cda1a0fab51d4301e97e4af95f143875fb670b8aa6d25ab7572333b6c08ac07f838a0611a2110ce3153537d12d2

C:\Windows\System\HPMUNiw.exe

MD5 b731781bf85531537282fd235875b3ac
SHA1 59206fda46b1e56bdb976d7da35012e4e6f8f1d4
SHA256 2657a1b1a648dd161d8d3ed50a75150d2dc010da365b30b7a3795fcb1daf19d8
SHA512 9c8f38979f392f1b992869e4ca74bbf964e203e775e31879ef15724590f704e0e57e3157344250ce39807469b2b0c7b88f0fe314e1bd06187f5de3c3f57f7a8f

C:\Windows\System\HPMUNiw.exe

MD5 48ed09ccb47c2d0061d7ca0959599a3b
SHA1 4b5104633fa16dde0ac56661e256a89879c8cf87
SHA256 aebfbcd727c18a08d8507cc97ac1a07252b8a5f85826001453c4d02d64c1e68c
SHA512 c985a47937a0f119b279a4b87098ceeb96c2a9c8c235254350044b804ce53b78d30413b79b2bd9c7ea52ebd67a5c66e7d1192c9339dcd5d950e15b1cc27150ec

C:\Windows\System\rTafcKj.exe

MD5 3dd3dcd306f0efc9bbfa800cbd31ae40
SHA1 d052cb1858658159c0105a89f05e8ea0bb515259
SHA256 7c369ff01d831de8701c05e89e10baafecae898266eb16442fd298ec3ac4b304
SHA512 59ad00f536a0bf367e7ffc9ae8487c3c876b694bdbdc9cbc067ae6fe30b5ea1fb628f6dff517baa30ac39f6a2825197d0473cb1892c86bc9e668a42a7b74d6a3

C:\Windows\System\rTafcKj.exe

MD5 70ff90aa4744113bd0310fc0d9642696
SHA1 4f02a897376e5e156044a81d440bc1b6f5e73eda
SHA256 850f0bbecc3dc6f48578257267b2dfc4dd032dd358202c0f6ec3920e2118bcf5
SHA512 bdc7f055358d137daf4d2e1f7011457331106547b4eec4e5f4ff35dd9f5890da8611a6c345a9ae884d95e4260252b884173921b0ceaa07cb5d1698fa0594012f

C:\Windows\System\uVrHUux.exe

MD5 8df1691dac6b60a816c236703f0cebf3
SHA1 7c5445def5ef4c87096d307cb550b679518f0c1c
SHA256 ec7edbcbd8a02b4a46d1e98b549c0731fb22e7b209ea8fa967bb4b803a4d0706
SHA512 9543c1b74f90c0e5fac8971b09b5abef7826fb835ef0ec0dc13e134a1176bc1d17b6a787f0b1dd52eb2cd83f4898c2c6103f6424cd76620dc18c5f82dd00e432

C:\Windows\System\cZfnBgg.exe

MD5 59495c785359918f39450f79bc21ec2e
SHA1 68661d4794b87ed1d5832f89a1706cc1a9c0b252
SHA256 d3c72a3bbb2798f34d61112e787411744212e3b0ede68f28e3e8f7827c8f9900
SHA512 41f6d7811d3ab91c109025e4043b295171c28aa9a29d7cd3a4b579f28d1463d0a0157f2cc33a2ad0cb093046168635db4a0c9b7d628eec14a9174fdb50459a71

C:\Windows\System\pOKoUoT.exe

MD5 3841d3131bdc70a1cf74942213460680
SHA1 e066ede4ce1cfdb2ea8111ae73f718eb8b157bd9
SHA256 b4d269eec56539100336c47edcf07ade25ee028ddd2f468b5ccafc2495eaa0a4
SHA512 77b6c9843e542c6ef34515300b738e90e6b505a929acee13a482482161e043ddee1028dddba920c8c9ca07a42160a603ae89b3ec75270ab6e028949695a5b7fe

C:\Windows\System\pOKoUoT.exe

MD5 e3a5ca072423a5bfa87fa861c2822136
SHA1 f2fee41c89e0bf3961ae79cf0298e1aa91af9cfd
SHA256 b1103dfc01acf0daf78cdb2beae5dfea2f910fdfe954ecc3b4b3492ada1d33b0
SHA512 c0c8cf900da6a923a508180942d44bf9f0a2065ad664af3bc7f398840ac4dc072e4118f47692b93077b455a6ff33e370f59e3752b91104e5295ac54036059891

C:\Windows\System\vKaHgKK.exe

MD5 ec3c27800dac2a6b9b0ea96101a54f37
SHA1 ec0f43f00db33334d9e2bbac3cd5e14452a3fd80
SHA256 094638fa7a18922d606c2dd53831db636d57cd51d19aa58509675349b8f291cd
SHA512 613419bfcf6184aa9eaf4596cf34b33658259b0e4b5fcf0053982e02c54e27373ab7ac9c0150c1cd6c04b0eb3b216d87578598152e058add9cb46617215927e8

C:\Windows\System\yIGtvEm.exe

MD5 fd6fecc5470792baa12718d604fb8033
SHA1 696c0ab10e1d367a8ff4c2a89d76ac7de471254b
SHA256 82adf80733cc1f6ec234562b986ea9f1e7350181fa23bc505d58628a647d0c11
SHA512 20634a64494ff4ce591628046255e1c5b668a743bb7f9e896ded0e6954111906d52e9aefd050b934f747e4d46527d55c0948e9cc240b7c30f73eb25d9d15e050

C:\Windows\System\gOrZmOi.exe

MD5 78c4731e825585b10b6dd69a07c462fe
SHA1 ef755bc025edf0463d7771f813dd31a0d0874302
SHA256 0fc9ba59f78e87fb8b25ddc4218386717f52e43327524471fa7097be4c51b1ef
SHA512 43f5e316e91b590317baeacba2e1bc60734872d394bdca44c25f30e6887193f071e08a305c6cd23643dc4c51a4e42f62293484bba75ed9a3e72255b64dc98e58

memory/664-102-0x00007FF72F810000-0x00007FF72FB64000-memory.dmp

memory/2116-110-0x00007FF69A030000-0x00007FF69A384000-memory.dmp

memory/1988-112-0x00007FF6C2DA0000-0x00007FF6C30F4000-memory.dmp

memory/2488-117-0x00007FF70C8B0000-0x00007FF70CC04000-memory.dmp

memory/3540-121-0x00007FF76FF10000-0x00007FF770264000-memory.dmp

C:\Windows\System\qvTTBuY.exe

MD5 fe57f8188564cd40e581d657eb39a51c
SHA1 a769db5a955895999e8cfad6f9c2156a7679ab61
SHA256 509f676438e0a62ce998520d6b512997df34dab53b716afecb70fde12451e067
SHA512 bedc7b8c666d75b4b2a51cdf1cbb44229891d399ac024af5950af15345f2453cff67fc09503257cefbe1a68d8da92c49e28e020e981fdb43101104e23819a72e

memory/3080-127-0x00007FF707250000-0x00007FF7075A4000-memory.dmp

memory/3104-126-0x00007FF717960000-0x00007FF717CB4000-memory.dmp

memory/3532-123-0x00007FF71B250000-0x00007FF71B5A4000-memory.dmp

memory/3676-122-0x00007FF7B4790000-0x00007FF7B4AE4000-memory.dmp

memory/3516-118-0x00007FF7BC0E0000-0x00007FF7BC434000-memory.dmp

C:\Windows\System\cnblRxE.exe

MD5 2b9b2bef54472989cbeda5ceb4bcfc61
SHA1 f42c406c54d876b0104dd76a4bb7bd110ce3f1a8
SHA256 3ce4061e372c35951e9e9715456a04701ca4649466006232b89c40b65a5677cf
SHA512 7e58e106ba007d63bcc9701f264c627e9c99994f16aa069598abaaf9e29af537d63a6c6991f5682135a651e8ebfdca5bf2d6fea7ba695c60cc36a15d44340337

memory/3416-114-0x00007FF725A60000-0x00007FF725DB4000-memory.dmp

C:\Windows\System\lcWDMzw.exe

MD5 cf1dfa3398fc7a5a3e4aa28a33021420
SHA1 92ec7e1793049f05d8929127974c688764686f20
SHA256 7641ca4766ae524c827c88f2ee88ac772b0e00345b34712c04fd3e150364b4d4
SHA512 a5e45e07e58dc3572cbc5d0ceafd19b3958197e95a20fae2b322066d7372fd3f608cbda4e832e690e9485a6db352f2dedacbdcd1bea9412fa871bbfb05f4fe6b

memory/2500-111-0x00007FF774610000-0x00007FF774964000-memory.dmp

C:\Windows\System\lcWDMzw.exe

MD5 a25afbcddc0d441611a4c84ac85a2912
SHA1 10edd9a79f03a65bdaf88bf3053112577b521f64
SHA256 49181bc14ad9f5f572fa09159a9cb3e2ffa81e400593603e8554f2f3c7d027ca
SHA512 85a72a52481c675a3800d6a1b68ba79f9c4a554e83f76c8892e31b4b58d6168a93689f11765aad0636dafb8af887ec8ef9cb7ebc268a5bd7d448df1a1a8c8ae2

C:\Windows\System\cnblRxE.exe

MD5 95b3d20946bea955069b7e2b7677e0e9
SHA1 3e3a35812edae6365c21af8a0799068b8531b632
SHA256 3d44b2ba9121cb6fcbc18df3c20c5d90b4073a02faf71e5c97bd9892579ea633
SHA512 85b56acb1b96db30e696daaf608535b2683c13f8f4cc6ddad6157cffc3a7c0721f7a1490e2fd9049e534ec4677271a86032925210fd93e112efaa884bac90d5b

memory/4748-107-0x00007FF67E0D0000-0x00007FF67E424000-memory.dmp

memory/4056-104-0x00007FF7C62F0000-0x00007FF7C6644000-memory.dmp

C:\Windows\System\QDNnArh.exe

MD5 caf2c55b56fb31072c5da51d5f8a3dd9
SHA1 56b11365326369797aab916004e4c1754ecbbc3a
SHA256 7f54759979100b979e1411df1bd2dbb6e914939255b5660e8ee6497fb20055cb
SHA512 9245aee92500d53bc42cc37b163e0ae43441e31fef41cb95b6f608ae58a4640013108b42a2c5fcc16c0a0b4b9e2c1cce0beed889ada0e5a2675d3bf6c69eda26

memory/3284-129-0x00007FF798450000-0x00007FF7987A4000-memory.dmp

memory/1120-130-0x00007FF6BBEE0000-0x00007FF6BC234000-memory.dmp

memory/2912-131-0x00007FF7B7960000-0x00007FF7B7CB4000-memory.dmp

memory/4356-132-0x00007FF6713C0000-0x00007FF671714000-memory.dmp

memory/3104-133-0x00007FF717960000-0x00007FF717CB4000-memory.dmp

memory/3284-134-0x00007FF798450000-0x00007FF7987A4000-memory.dmp

memory/3296-135-0x00007FF7DB4F0000-0x00007FF7DB844000-memory.dmp

memory/1120-136-0x00007FF6BBEE0000-0x00007FF6BC234000-memory.dmp

memory/2144-137-0x00007FF6B8830000-0x00007FF6B8B84000-memory.dmp

memory/1292-138-0x00007FF7D58C0000-0x00007FF7D5C14000-memory.dmp

memory/2912-139-0x00007FF7B7960000-0x00007FF7B7CB4000-memory.dmp

memory/1724-140-0x00007FF76D730000-0x00007FF76DA84000-memory.dmp

memory/4356-141-0x00007FF6713C0000-0x00007FF671714000-memory.dmp

memory/664-142-0x00007FF72F810000-0x00007FF72FB64000-memory.dmp

memory/4056-143-0x00007FF7C62F0000-0x00007FF7C6644000-memory.dmp

memory/4748-144-0x00007FF67E0D0000-0x00007FF67E424000-memory.dmp

memory/2116-145-0x00007FF69A030000-0x00007FF69A384000-memory.dmp

memory/2500-146-0x00007FF774610000-0x00007FF774964000-memory.dmp

memory/1988-147-0x00007FF6C2DA0000-0x00007FF6C30F4000-memory.dmp

memory/3416-148-0x00007FF725A60000-0x00007FF725DB4000-memory.dmp

memory/2488-149-0x00007FF70C8B0000-0x00007FF70CC04000-memory.dmp

memory/3516-150-0x00007FF7BC0E0000-0x00007FF7BC434000-memory.dmp

memory/3540-151-0x00007FF76FF10000-0x00007FF770264000-memory.dmp

memory/3676-152-0x00007FF7B4790000-0x00007FF7B4AE4000-memory.dmp

memory/3080-153-0x00007FF707250000-0x00007FF7075A4000-memory.dmp

memory/3104-154-0x00007FF717960000-0x00007FF717CB4000-memory.dmp
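Two things in the Files sections of both runs are worth checking programmatically. First, every image-sized memory region the sandbox dumped, in every PID of both runs, spans exactly 0x354000 bytes (the 0x10000 region of PID 3532 is a heap, not an image), which says the dropped copies are the same binary laid out the same way in every child. Second, seven paths in behavioral2 (FQrDjlG, orjaJAl, HPMUNiw, rTafcKj, pOKoUoT, lcWDMzw, cnblRxE) are listed twice with different hashes, so the dropper rewrites a file name with different bytes during one run; per-file hashes of the dropped copies are therefore weak indicators, and the path pattern, the drop location and the image size hunt better. The script below is an added example, not part of the sandbox report: it parses dump entries copied from both runs and file entries copied from behavioral2 (subsets, hashes as printed) to compute region sizes and find rewritten paths. Regexes and helper names are ours.

```python
import re
from collections import Counter, defaultdict

MEM_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-F]+)-0x(?P<end>[0-9A-F]+)-memory\.dmp$")

# Dump entries taken from behavioral1 (first two) and behavioral2 (last three).
MEM_ENTRIES = """
memory/2832-95-0x000000013FA50000-0x000000013FDA4000-memory.dmp
memory/1924-69-0x0000000002310000-0x0000000002664000-memory.dmp
memory/3532-0-0x00007FF71B250000-0x00007FF71B5A4000-memory.dmp
memory/3532-1-0x000001F845D70000-0x000001F845D80000-memory.dmp
memory/3284-8-0x00007FF798450000-0x00007FF7987A4000-memory.dmp
""".strip().splitlines()

# File entries taken from the behavioral2 Files section (a subset, hashes as printed).
FILE_ENTRIES = r"""
C:\Windows\System\cfYXkgV.exe
MD5 139b2d12beab805528f87e12c8580dd7
SHA256 315f67ce62001b837ed96623ec5f467e9e205ebd341307a44a2d5643c7050460
C:\Windows\System\FQrDjlG.exe
MD5 807ea75b7475fd84f39f9ecea9223a24
SHA256 d25f38e049a50d9c1b2975d8260d367ec714ee36ca63952ed79dced50df97849
C:\Windows\System\FQrDjlG.exe
MD5 18247d7880140b18ecd39ee1adfc731b
SHA256 652d7057f0ddb4d1a2f5d0f36605fc024f3683e540781cf247d44de8bd9de6cf
""".strip().splitlines()

HASH_ALGOS = ("MD5", "SHA1", "SHA256", "SHA512")


def region_sizes(entries):
    """(pid, seq) -> byte length of each dumped region."""
    out = {}
    for m in filter(None, map(MEM_RE.match, entries)):
        out[(int(m["pid"]), int(m["seq"]))] = int(m["end"], 16) - int(m["start"], 16)
    return out


def size_histogram(entries):
    """How many dumped regions share each size; a dominant size means one image mapped many times."""
    return Counter(region_sizes(entries).values())


def parse_file_hashes(lines):
    """[(path, {algo: digest}), ...] in the order the report lists them (repeats kept)."""
    entries, current = [], None
    for line in lines:
        if line.startswith("C:\\"):
            current = (line, {})
            entries.append(current)
        elif current is not None and line.split(" ", 1)[0] in HASH_ALGOS:
            algo, digest = line.split(" ", 1)
            current[1][algo] = digest
    return entries


def rewritten_paths(lines):
    """Paths that appear more than once with different SHA256 values."""
    seen = defaultdict(set)
    for path, hashes in parse_file_hashes(lines):
        seen[path].add(hashes.get("SHA256"))
    return {p: sorted(h) for p, h in seen.items() if len(h) > 1}


if __name__ == "__main__":
    for size, n in size_histogram(MEM_ENTRIES).most_common():
        print(f"{n} region(s) of {size:#x} bytes")
    for path, digests in rewritten_paths(FILE_ENTRIES).items():
        print(f"{path} written {len(digests)} times with different content")
```

When fed the whole report, the histogram collapses to a single image size plus a handful of small heap regions, which is the quickest way to confirm that the 21 children are copies of one payload rather than a staged second binary.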