xmrig | b9671e0fd26205896114e00ec6650b3437f76ff5f285ac405ac58bc8d87ca6cc

Analysis

max time kernel
141s
max time network
142s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
09/01/2024, 06:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-01-08_6eb8256a80606d7baaad352f11b6b667_cobalt-strike_cobaltstrike.exe
Size

5.2MB
MD5

6eb8256a80606d7baaad352f11b6b667
SHA1

6f70760716395cd1ccb21a5bdd0593e481d8f1aa
SHA256

b9671e0fd26205896114e00ec6650b3437f76ff5f285ac405ac58bc8d87ca6cc
SHA512

936edca7db76fdf9743d629c74a81054727150f0a7ea6def0603bf2c98f61f14fcb78f51f3f684344bb6efdb57fcb95951b4c241230bacb22e8aab77b54ed26d
SSDEEP

49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lM:RWWBibf56utgpPFotBER/mQ32lUY

Score

10^/10

xmrig miner upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 22 IoCs

miner

resource	yara_rule
behavioral1/memory/2704-48-0x000000013F6D0000-0x000000013FA21000-memory.dmp	xmrig
behavioral1/memory/2092-55-0x000000013F380000-0x000000013F6D1000-memory.dmp	xmrig
behavioral1/memory/2452-88-0x000000013F440000-0x000000013F791000-memory.dmp	xmrig
behavioral1/memory/2956-111-0x000000013F450000-0x000000013F7A1000-memory.dmp	xmrig
behavioral1/memory/1652-128-0x000000013F960000-0x000000013FCB1000-memory.dmp	xmrig
behavioral1/memory/2340-133-0x000000013F6C0000-0x000000013FA11000-memory.dmp	xmrig
behavioral1/memory/2524-135-0x000000013FF90000-0x00000001402E1000-memory.dmp	xmrig
behavioral1/memory/1640-137-0x000000013FE80000-0x00000001401D1000-memory.dmp	xmrig
behavioral1/memory/940-132-0x000000013F4C0000-0x000000013F811000-memory.dmp	xmrig
behavioral1/memory/772-130-0x000000013FA50000-0x000000013FDA1000-memory.dmp	xmrig
behavioral1/memory/2412-129-0x000000013F680000-0x000000013F9D1000-memory.dmp	xmrig
behavioral1/memory/2952-92-0x000000013F060000-0x000000013F3B1000-memory.dmp	xmrig
behavioral1/memory/2616-83-0x000000013FC10000-0x000000013FF61000-memory.dmp	xmrig
behavioral1/memory/2816-79-0x000000013F360000-0x000000013F6B1000-memory.dmp	xmrig
behavioral1/memory/2604-49-0x000000013F7B0000-0x000000013FB01000-memory.dmp	xmrig
behavioral1/memory/2644-43-0x000000013F760000-0x000000013FAB1000-memory.dmp	xmrig
behavioral1/memory/1840-37-0x000000013F380000-0x000000013F6D1000-memory.dmp	xmrig
behavioral1/memory/2012-26-0x000000013F2D0000-0x000000013F621000-memory.dmp	xmrig
behavioral1/memory/2336-19-0x000000013FCE0000-0x0000000140031000-memory.dmp	xmrig
behavioral1/memory/2224-14-0x000000013F380000-0x000000013F6D1000-memory.dmp	xmrig
behavioral1/memory/2200-138-0x000000013F8C0000-0x000000013FC11000-memory.dmp	xmrig
behavioral1/memory/2200-160-0x000000013F8C0000-0x000000013FC11000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
2224	OcOCYep.exe
2336	tnDaqyN.exe
2012	fHERPIL.exe
1840	KwUzSrE.exe
2644	Chysstw.exe
2704	ueuqOob.exe
2604	pmWuzqG.exe
2092	PVImEGS.exe
2816	KKiidYM.exe
2616	FvQRosz.exe
2452	OOoJCBO.exe
2524	VUxdGvE.exe
2952	HVdpYHF.exe
2956	cLTxivg.exe
2788	DzwhdbV.exe
1652	TgIRJYs.exe
2412	NwZarxD.exe
772	fFmGvRs.exe
940	jsYjToZ.exe
2340	HWCZnyf.exe
1640	HmPSnvk.exe

Loads dropped DLL 21 IoCs

pid	Process
2200	2024-01-08_6eb8256a80606d7baaad352f11b6b667_cobalt-strike_cobaltstrike.exe
2200	2024-01-08_6eb8256a80606d7baaad352f11b6b667_cobalt-strike_cobaltstrike.exe
2200	2024-01-08_6eb8256a80606d7baaad352f11b6b667_cobalt-strike_cobaltstrike.exe
2200	2024-01-08_6eb8256a80606d7baaad352f11b6b667_cobalt-strike_cobaltstrike.exe
2200	2024-01-08_6eb8256a80606d7baaad352f11b6b667_cobalt-strike_cobaltstrike.exe
2200	2024-01-08_6eb8256a80606d7baaad352f11b6b667_cobalt-strike_cobaltstrike.exe
2200	2024-01-08_6eb8256a80606d7baaad352f11b6b667_cobalt-strike_cobaltstrike.exe
2200	2024-01-08_6eb8256a80606d7baaad352f11b6b667_cobalt-strike_cobaltstrike.exe
2200	2024-01-08_6eb8256a80606d7baaad352f11b6b667_cobalt-strike_cobaltstrike.exe
2200	2024-01-08_6eb8256a80606d7baaad352f11b6b667_cobalt-strike_cobaltstrike.exe
2200	2024-01-08_6eb8256a80606d7baaad352f11b6b667_cobalt-strike_cobaltstrike.exe
2200	2024-01-08_6eb8256a80606d7baaad352f11b6b667_cobalt-strike_cobaltstrike.exe
2200	2024-01-08_6eb8256a80606d7baaad352f11b6b667_cobalt-strike_cobaltstrike.exe
2200	2024-01-08_6eb8256a80606d7baaad352f11b6b667_cobalt-strike_cobaltstrike.exe
2200	2024-01-08_6eb8256a80606d7baaad352f11b6b667_cobalt-strike_cobaltstrike.exe
2200	2024-01-08_6eb8256a80606d7baaad352f11b6b667_cobalt-strike_cobaltstrike.exe
2200	2024-01-08_6eb8256a80606d7baaad352f11b6b667_cobalt-strike_cobaltstrike.exe
2200	2024-01-08_6eb8256a80606d7baaad352f11b6b667_cobalt-strike_cobaltstrike.exe
2200	2024-01-08_6eb8256a80606d7baaad352f11b6b667_cobalt-strike_cobaltstrike.exe
2200	2024-01-08_6eb8256a80606d7baaad352f11b6b667_cobalt-strike_cobaltstrike.exe
2200	2024-01-08_6eb8256a80606d7baaad352f11b6b667_cobalt-strike_cobaltstrike.exe

UPX packed file 26 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2704-48-0x000000013F6D0000-0x000000013FA21000-memory.dmp	upx
behavioral1/memory/2092-55-0x000000013F380000-0x000000013F6D1000-memory.dmp	upx
behavioral1/memory/2452-88-0x000000013F440000-0x000000013F791000-memory.dmp	upx
behavioral1/memory/2956-111-0x000000013F450000-0x000000013F7A1000-memory.dmp	upx
behavioral1/memory/2788-121-0x000000013F5B0000-0x000000013F901000-memory.dmp	upx
behavioral1/memory/1652-128-0x000000013F960000-0x000000013FCB1000-memory.dmp	upx
behavioral1/memory/2340-133-0x000000013F6C0000-0x000000013FA11000-memory.dmp	upx
behavioral1/memory/2524-135-0x000000013FF90000-0x00000001402E1000-memory.dmp	upx
behavioral1/memory/1640-137-0x000000013FE80000-0x00000001401D1000-memory.dmp	upx
behavioral1/memory/940-132-0x000000013F4C0000-0x000000013F811000-memory.dmp	upx
behavioral1/memory/772-130-0x000000013FA50000-0x000000013FDA1000-memory.dmp	upx
behavioral1/memory/2412-129-0x000000013F680000-0x000000013F9D1000-memory.dmp	upx
behavioral1/memory/2952-92-0x000000013F060000-0x000000013F3B1000-memory.dmp	upx
behavioral1/memory/2616-83-0x000000013FC10000-0x000000013FF61000-memory.dmp	upx
behavioral1/memory/2816-79-0x000000013F360000-0x000000013F6B1000-memory.dmp	upx
behavioral1/memory/2604-49-0x000000013F7B0000-0x000000013FB01000-memory.dmp	upx
behavioral1/memory/2644-43-0x000000013F760000-0x000000013FAB1000-memory.dmp	upx
behavioral1/memory/1840-37-0x000000013F380000-0x000000013F6D1000-memory.dmp	upx
behavioral1/memory/2012-26-0x000000013F2D0000-0x000000013F621000-memory.dmp	upx
behavioral1/memory/2336-19-0x000000013FCE0000-0x0000000140031000-memory.dmp	upx
behavioral1/memory/2224-14-0x000000013F380000-0x000000013F6D1000-memory.dmp	upx
behavioral1/files/0x0009000000014120-5.dat	upx
behavioral1/memory/2200-0-0x000000013F8C0000-0x000000013FC11000-memory.dmp	upx
behavioral1/memory/2200-138-0x000000013F8C0000-0x000000013FC11000-memory.dmp	upx
behavioral1/memory/2200-160-0x000000013F8C0000-0x000000013FC11000-memory.dmp	upx
behavioral1/memory/2200-161-0x000000013F8C0000-0x000000013FC11000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\pmWuzqG.exe	2024-01-08_6eb8256a80606d7baaad352f11b6b667_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\PVImEGS.exe	2024-01-08_6eb8256a80606d7baaad352f11b6b667_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\KKiidYM.exe	2024-01-08_6eb8256a80606d7baaad352f11b6b667_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\VUxdGvE.exe	2024-01-08_6eb8256a80606d7baaad352f11b6b667_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\HVdpYHF.exe	2024-01-08_6eb8256a80606d7baaad352f11b6b667_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\TgIRJYs.exe	2024-01-08_6eb8256a80606d7baaad352f11b6b667_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\Chysstw.exe	2024-01-08_6eb8256a80606d7baaad352f11b6b667_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\cLTxivg.exe	2024-01-08_6eb8256a80606d7baaad352f11b6b667_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\DzwhdbV.exe	2024-01-08_6eb8256a80606d7baaad352f11b6b667_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\fHERPIL.exe	2024-01-08_6eb8256a80606d7baaad352f11b6b667_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\KwUzSrE.exe	2024-01-08_6eb8256a80606d7baaad352f11b6b667_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\FvQRosz.exe	2024-01-08_6eb8256a80606d7baaad352f11b6b667_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\NwZarxD.exe	2024-01-08_6eb8256a80606d7baaad352f11b6b667_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\HWCZnyf.exe	2024-01-08_6eb8256a80606d7baaad352f11b6b667_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\OcOCYep.exe	2024-01-08_6eb8256a80606d7baaad352f11b6b667_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\tnDaqyN.exe	2024-01-08_6eb8256a80606d7baaad352f11b6b667_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\ueuqOob.exe	2024-01-08_6eb8256a80606d7baaad352f11b6b667_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\OOoJCBO.exe	2024-01-08_6eb8256a80606d7baaad352f11b6b667_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\fFmGvRs.exe	2024-01-08_6eb8256a80606d7baaad352f11b6b667_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\jsYjToZ.exe	2024-01-08_6eb8256a80606d7baaad352f11b6b667_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\HmPSnvk.exe	2024-01-08_6eb8256a80606d7baaad352f11b6b667_cobalt-strike_cobaltstrike.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	2200	2024-01-08_6eb8256a80606d7baaad352f11b6b667_cobalt-strike_cobaltstrike.exe
Token: SeLockMemoryPrivilege	2200	2024-01-08_6eb8256a80606d7baaad352f11b6b667_cobalt-strike_cobaltstrike.exe

Suspicious use of WriteProcessMemory 63 IoCs

description	pid	Process	procid_target
PID 2200 wrote to memory of 2224	2200	2024-01-08_6eb8256a80606d7baaad352f11b6b667_cobalt-strike_cobaltstrike.exe	37
PID 2200 wrote to memory of 2224	2200	2024-01-08_6eb8256a80606d7baaad352f11b6b667_cobalt-strike_cobaltstrike.exe	37
PID 2200 wrote to memory of 2224	2200	2024-01-08_6eb8256a80606d7baaad352f11b6b667_cobalt-strike_cobaltstrike.exe	37
PID 2200 wrote to memory of 2336	2200	2024-01-08_6eb8256a80606d7baaad352f11b6b667_cobalt-strike_cobaltstrike.exe	36
PID 2200 wrote to memory of 2336	2200	2024-01-08_6eb8256a80606d7baaad352f11b6b667_cobalt-strike_cobaltstrike.exe	36
PID 2200 wrote to memory of 2336	2200	2024-01-08_6eb8256a80606d7baaad352f11b6b667_cobalt-strike_cobaltstrike.exe	36
PID 2200 wrote to memory of 2012	2200	2024-01-08_6eb8256a80606d7baaad352f11b6b667_cobalt-strike_cobaltstrike.exe	35
PID 2200 wrote to memory of 2012	2200	2024-01-08_6eb8256a80606d7baaad352f11b6b667_cobalt-strike_cobaltstrike.exe	35
PID 2200 wrote to memory of 2012	2200	2024-01-08_6eb8256a80606d7baaad352f11b6b667_cobalt-strike_cobaltstrike.exe	35
PID 2200 wrote to memory of 1840	2200	2024-01-08_6eb8256a80606d7baaad352f11b6b667_cobalt-strike_cobaltstrike.exe	17
PID 2200 wrote to memory of 1840	2200	2024-01-08_6eb8256a80606d7baaad352f11b6b667_cobalt-strike_cobaltstrike.exe	17
PID 2200 wrote to memory of 1840	2200	2024-01-08_6eb8256a80606d7baaad352f11b6b667_cobalt-strike_cobaltstrike.exe	17
PID 2200 wrote to memory of 2644	2200	2024-01-08_6eb8256a80606d7baaad352f11b6b667_cobalt-strike_cobaltstrike.exe	34
PID 2200 wrote to memory of 2644	2200	2024-01-08_6eb8256a80606d7baaad352f11b6b667_cobalt-strike_cobaltstrike.exe	34
PID 2200 wrote to memory of 2644	2200	2024-01-08_6eb8256a80606d7baaad352f11b6b667_cobalt-strike_cobaltstrike.exe	34
PID 2200 wrote to memory of 2704	2200	2024-01-08_6eb8256a80606d7baaad352f11b6b667_cobalt-strike_cobaltstrike.exe	33
PID 2200 wrote to memory of 2704	2200	2024-01-08_6eb8256a80606d7baaad352f11b6b667_cobalt-strike_cobaltstrike.exe	33
PID 2200 wrote to memory of 2704	2200	2024-01-08_6eb8256a80606d7baaad352f11b6b667_cobalt-strike_cobaltstrike.exe	33
PID 2200 wrote to memory of 2604	2200	2024-01-08_6eb8256a80606d7baaad352f11b6b667_cobalt-strike_cobaltstrike.exe	32
PID 2200 wrote to memory of 2604	2200	2024-01-08_6eb8256a80606d7baaad352f11b6b667_cobalt-strike_cobaltstrike.exe	32
PID 2200 wrote to memory of 2604	2200	2024-01-08_6eb8256a80606d7baaad352f11b6b667_cobalt-strike_cobaltstrike.exe	32
PID 2200 wrote to memory of 2092	2200	2024-01-08_6eb8256a80606d7baaad352f11b6b667_cobalt-strike_cobaltstrike.exe	31
PID 2200 wrote to memory of 2092	2200	2024-01-08_6eb8256a80606d7baaad352f11b6b667_cobalt-strike_cobaltstrike.exe	31
PID 2200 wrote to memory of 2092	2200	2024-01-08_6eb8256a80606d7baaad352f11b6b667_cobalt-strike_cobaltstrike.exe	31
PID 2200 wrote to memory of 2816	2200	2024-01-08_6eb8256a80606d7baaad352f11b6b667_cobalt-strike_cobaltstrike.exe	30
PID 2200 wrote to memory of 2816	2200	2024-01-08_6eb8256a80606d7baaad352f11b6b667_cobalt-strike_cobaltstrike.exe	30
PID 2200 wrote to memory of 2816	2200	2024-01-08_6eb8256a80606d7baaad352f11b6b667_cobalt-strike_cobaltstrike.exe	30
PID 2200 wrote to memory of 2616	2200	2024-01-08_6eb8256a80606d7baaad352f11b6b667_cobalt-strike_cobaltstrike.exe	29
PID 2200 wrote to memory of 2616	2200	2024-01-08_6eb8256a80606d7baaad352f11b6b667_cobalt-strike_cobaltstrike.exe	29
PID 2200 wrote to memory of 2616	2200	2024-01-08_6eb8256a80606d7baaad352f11b6b667_cobalt-strike_cobaltstrike.exe	29
PID 2200 wrote to memory of 2452	2200	2024-01-08_6eb8256a80606d7baaad352f11b6b667_cobalt-strike_cobaltstrike.exe	28
PID 2200 wrote to memory of 2452	2200	2024-01-08_6eb8256a80606d7baaad352f11b6b667_cobalt-strike_cobaltstrike.exe	28
PID 2200 wrote to memory of 2452	2200	2024-01-08_6eb8256a80606d7baaad352f11b6b667_cobalt-strike_cobaltstrike.exe	28
PID 2200 wrote to memory of 2524	2200	2024-01-08_6eb8256a80606d7baaad352f11b6b667_cobalt-strike_cobaltstrike.exe	27
PID 2200 wrote to memory of 2524	2200	2024-01-08_6eb8256a80606d7baaad352f11b6b667_cobalt-strike_cobaltstrike.exe	27
PID 2200 wrote to memory of 2524	2200	2024-01-08_6eb8256a80606d7baaad352f11b6b667_cobalt-strike_cobaltstrike.exe	27
PID 2200 wrote to memory of 2952	2200	2024-01-08_6eb8256a80606d7baaad352f11b6b667_cobalt-strike_cobaltstrike.exe	26
PID 2200 wrote to memory of 2952	2200	2024-01-08_6eb8256a80606d7baaad352f11b6b667_cobalt-strike_cobaltstrike.exe	26
PID 2200 wrote to memory of 2952	2200	2024-01-08_6eb8256a80606d7baaad352f11b6b667_cobalt-strike_cobaltstrike.exe	26
PID 2200 wrote to memory of 2956	2200	2024-01-08_6eb8256a80606d7baaad352f11b6b667_cobalt-strike_cobaltstrike.exe	25
PID 2200 wrote to memory of 2956	2200	2024-01-08_6eb8256a80606d7baaad352f11b6b667_cobalt-strike_cobaltstrike.exe	25
PID 2200 wrote to memory of 2956	2200	2024-01-08_6eb8256a80606d7baaad352f11b6b667_cobalt-strike_cobaltstrike.exe	25
PID 2200 wrote to memory of 2788	2200	2024-01-08_6eb8256a80606d7baaad352f11b6b667_cobalt-strike_cobaltstrike.exe	24
PID 2200 wrote to memory of 2788	2200	2024-01-08_6eb8256a80606d7baaad352f11b6b667_cobalt-strike_cobaltstrike.exe	24
PID 2200 wrote to memory of 2788	2200	2024-01-08_6eb8256a80606d7baaad352f11b6b667_cobalt-strike_cobaltstrike.exe	24
PID 2200 wrote to memory of 1652	2200	2024-01-08_6eb8256a80606d7baaad352f11b6b667_cobalt-strike_cobaltstrike.exe	23
PID 2200 wrote to memory of 1652	2200	2024-01-08_6eb8256a80606d7baaad352f11b6b667_cobalt-strike_cobaltstrike.exe	23
PID 2200 wrote to memory of 1652	2200	2024-01-08_6eb8256a80606d7baaad352f11b6b667_cobalt-strike_cobaltstrike.exe	23
PID 2200 wrote to memory of 772	2200	2024-01-08_6eb8256a80606d7baaad352f11b6b667_cobalt-strike_cobaltstrike.exe	22
PID 2200 wrote to memory of 772	2200	2024-01-08_6eb8256a80606d7baaad352f11b6b667_cobalt-strike_cobaltstrike.exe	22
PID 2200 wrote to memory of 772	2200	2024-01-08_6eb8256a80606d7baaad352f11b6b667_cobalt-strike_cobaltstrike.exe	22
PID 2200 wrote to memory of 2412	2200	2024-01-08_6eb8256a80606d7baaad352f11b6b667_cobalt-strike_cobaltstrike.exe	21
PID 2200 wrote to memory of 2412	2200	2024-01-08_6eb8256a80606d7baaad352f11b6b667_cobalt-strike_cobaltstrike.exe	21
PID 2200 wrote to memory of 2412	2200	2024-01-08_6eb8256a80606d7baaad352f11b6b667_cobalt-strike_cobaltstrike.exe	21
PID 2200 wrote to memory of 940	2200	2024-01-08_6eb8256a80606d7baaad352f11b6b667_cobalt-strike_cobaltstrike.exe	20
PID 2200 wrote to memory of 940	2200	2024-01-08_6eb8256a80606d7baaad352f11b6b667_cobalt-strike_cobaltstrike.exe	20
PID 2200 wrote to memory of 940	2200	2024-01-08_6eb8256a80606d7baaad352f11b6b667_cobalt-strike_cobaltstrike.exe	20
PID 2200 wrote to memory of 2340	2200	2024-01-08_6eb8256a80606d7baaad352f11b6b667_cobalt-strike_cobaltstrike.exe	19
PID 2200 wrote to memory of 2340	2200	2024-01-08_6eb8256a80606d7baaad352f11b6b667_cobalt-strike_cobaltstrike.exe	19
PID 2200 wrote to memory of 2340	2200	2024-01-08_6eb8256a80606d7baaad352f11b6b667_cobalt-strike_cobaltstrike.exe	19
PID 2200 wrote to memory of 1640	2200	2024-01-08_6eb8256a80606d7baaad352f11b6b667_cobalt-strike_cobaltstrike.exe	18
PID 2200 wrote to memory of 1640	2200	2024-01-08_6eb8256a80606d7baaad352f11b6b667_cobalt-strike_cobaltstrike.exe	18
PID 2200 wrote to memory of 1640	2200	2024-01-08_6eb8256a80606d7baaad352f11b6b667_cobalt-strike_cobaltstrike.exe	18

C:\Windows\System\KwUzSrE.exe
C:\Windows\System\KwUzSrE.exe
1⤵
- Executes dropped EXE
PID:1840

C:\Windows\System\HmPSnvk.exe
C:\Windows\System\HmPSnvk.exe
1⤵
- Executes dropped EXE
PID:1640

C:\Windows\System\HWCZnyf.exe
C:\Windows\System\HWCZnyf.exe
1⤵
- Executes dropped EXE
PID:2340

C:\Windows\System\jsYjToZ.exe
C:\Windows\System\jsYjToZ.exe
1⤵
- Executes dropped EXE
PID:940

C:\Windows\System\NwZarxD.exe
C:\Windows\System\NwZarxD.exe
1⤵
- Executes dropped EXE
PID:2412

C:\Windows\System\fFmGvRs.exe
C:\Windows\System\fFmGvRs.exe
1⤵
- Executes dropped EXE
PID:772

C:\Windows\System\TgIRJYs.exe
C:\Windows\System\TgIRJYs.exe
1⤵
- Executes dropped EXE
PID:1652

C:\Windows\System\DzwhdbV.exe
C:\Windows\System\DzwhdbV.exe
1⤵
- Executes dropped EXE
PID:2788

C:\Windows\System\cLTxivg.exe
C:\Windows\System\cLTxivg.exe
1⤵
- Executes dropped EXE
PID:2956

C:\Windows\System\HVdpYHF.exe
C:\Windows\System\HVdpYHF.exe
1⤵
- Executes dropped EXE
PID:2952

C:\Windows\System\VUxdGvE.exe
C:\Windows\System\VUxdGvE.exe
1⤵
- Executes dropped EXE
PID:2524

C:\Windows\System\OOoJCBO.exe
C:\Windows\System\OOoJCBO.exe
1⤵
- Executes dropped EXE
PID:2452

C:\Windows\System\FvQRosz.exe
C:\Windows\System\FvQRosz.exe
1⤵
- Executes dropped EXE
PID:2616

C:\Windows\System\KKiidYM.exe
C:\Windows\System\KKiidYM.exe
1⤵
- Executes dropped EXE
PID:2816

C:\Windows\System\PVImEGS.exe
C:\Windows\System\PVImEGS.exe
1⤵
- Executes dropped EXE
PID:2092

C:\Windows\System\pmWuzqG.exe
C:\Windows\System\pmWuzqG.exe
1⤵
- Executes dropped EXE
PID:2604

C:\Windows\System\ueuqOob.exe
C:\Windows\System\ueuqOob.exe
1⤵
- Executes dropped EXE
PID:2704

C:\Windows\System\Chysstw.exe
C:\Windows\System\Chysstw.exe
1⤵
- Executes dropped EXE
PID:2644

C:\Windows\System\fHERPIL.exe
C:\Windows\System\fHERPIL.exe
1⤵
- Executes dropped EXE
PID:2012

C:\Windows\System\tnDaqyN.exe
C:\Windows\System\tnDaqyN.exe
1⤵
- Executes dropped EXE
PID:2336

C:\Windows\System\OcOCYep.exe
C:\Windows\System\OcOCYep.exe
1⤵
- Executes dropped EXE
PID:2224

C:\Users\Admin\AppData\Local\Temp\2024-01-08_6eb8256a80606d7baaad352f11b6b667_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-08_6eb8256a80606d7baaad352f11b6b667_cobalt-strike_cobaltstrike.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2200

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\system\OcOCYep.exe

Filesize
92KB

MD5
c0a1f9d0ce822fd5a553f147af935af9

SHA1
027dbd37dc830a0fd1b1bf99e6b564d8c7359169

SHA256
eb646d130947a081c4572798a62e2be0232b6c564905901e7431246c453217da

SHA512
43783a21a7a504f0b11baf1a11dbde721bf24983e011739a278152adfa56be536d88d1569bd980ee736af53acb0ef0faaec17f94dc4942facb3b3e135f152943

Download Submit
memory/772-130-0x000000013FA50000-0x000000013FDA1000-memory.dmp

Filesize
3.3MB

Download
memory/772-249-0x000000013FA50000-0x000000013FDA1000-memory.dmp

Filesize
3.3MB

Download
memory/940-132-0x000000013F4C0000-0x000000013F811000-memory.dmp

Filesize
3.3MB

Download
memory/940-253-0x000000013F4C0000-0x000000013F811000-memory.dmp

Filesize
3.3MB

Download
memory/1640-137-0x000000013FE80000-0x00000001401D1000-memory.dmp

Filesize
3.3MB

Download
memory/1640-254-0x000000013FE80000-0x00000001401D1000-memory.dmp

Filesize
3.3MB

Download
memory/1652-128-0x000000013F960000-0x000000013FCB1000-memory.dmp

Filesize
3.3MB

Download
memory/1652-248-0x000000013F960000-0x000000013FCB1000-memory.dmp

Filesize
3.3MB

Download
memory/1840-221-0x000000013F380000-0x000000013F6D1000-memory.dmp

Filesize
3.3MB

Download
memory/1840-37-0x000000013F380000-0x000000013F6D1000-memory.dmp

Filesize
3.3MB

Download
memory/2012-219-0x000000013F2D0000-0x000000013F621000-memory.dmp

Filesize
3.3MB

Download
memory/2012-26-0x000000013F2D0000-0x000000013F621000-memory.dmp

Filesize
3.3MB

Download
memory/2092-55-0x000000013F380000-0x000000013F6D1000-memory.dmp

Filesize
3.3MB

Download
memory/2092-230-0x000000013F380000-0x000000013F6D1000-memory.dmp

Filesize
3.3MB

Download
memory/2200-136-0x000000013F060000-0x000000013F3B1000-memory.dmp

Filesize
3.3MB

Download
memory/2200-138-0x000000013F8C0000-0x000000013FC11000-memory.dmp

Filesize
3.3MB

Download
memory/2200-1-0x0000000000080000-0x0000000000090000-memory.dmp

Filesize
64KB

Download
memory/2200-127-0x0000000002320000-0x0000000002671000-memory.dmp

Filesize
3.3MB

Download
memory/2200-183-0x000000013F2D0000-0x000000013F621000-memory.dmp

Filesize
3.3MB

Download
memory/2200-7-0x000000013F380000-0x000000013F6D1000-memory.dmp

Filesize
3.3MB

Download
memory/2200-69-0x0000000002320000-0x0000000002671000-memory.dmp

Filesize
3.3MB

Download
memory/2200-76-0x000000013F360000-0x000000013F6B1000-memory.dmp

Filesize
3.3MB

Download
memory/2200-70-0x0000000002320000-0x0000000002671000-memory.dmp

Filesize
3.3MB

Download
memory/2200-63-0x000000013F2D0000-0x000000013F621000-memory.dmp

Filesize
3.3MB

Download
memory/2200-59-0x000000013FCE0000-0x0000000140031000-memory.dmp

Filesize
3.3MB

Download
memory/2200-134-0x000000013F440000-0x000000013F791000-memory.dmp

Filesize
3.3MB

Download
memory/2200-161-0x000000013F8C0000-0x000000013FC11000-memory.dmp

Filesize
3.3MB

Download
memory/2200-160-0x000000013F8C0000-0x000000013FC11000-memory.dmp

Filesize
3.3MB

Download
memory/2200-0-0x000000013F8C0000-0x000000013FC11000-memory.dmp

Filesize
3.3MB

Download
memory/2200-131-0x000000013FE80000-0x00000001401D1000-memory.dmp

Filesize
3.3MB

Download
memory/2224-14-0x000000013F380000-0x000000013F6D1000-memory.dmp

Filesize
3.3MB

Download
memory/2224-215-0x000000013F380000-0x000000013F6D1000-memory.dmp

Filesize
3.3MB

Download
memory/2336-19-0x000000013FCE0000-0x0000000140031000-memory.dmp

Filesize
3.3MB

Download
memory/2336-217-0x000000013FCE0000-0x0000000140031000-memory.dmp

Filesize
3.3MB

Download
memory/2340-133-0x000000013F6C0000-0x000000013FA11000-memory.dmp

Filesize
3.3MB

Download
memory/2340-255-0x000000013F6C0000-0x000000013FA11000-memory.dmp

Filesize
3.3MB

Download
memory/2412-250-0x000000013F680000-0x000000013F9D1000-memory.dmp

Filesize
3.3MB

Download
memory/2412-129-0x000000013F680000-0x000000013F9D1000-memory.dmp

Filesize
3.3MB

Download
memory/2452-236-0x000000013F440000-0x000000013F791000-memory.dmp

Filesize
3.3MB

Download
memory/2452-88-0x000000013F440000-0x000000013F791000-memory.dmp

Filesize
3.3MB

Download
memory/2524-135-0x000000013FF90000-0x00000001402E1000-memory.dmp

Filesize
3.3MB

Download
memory/2524-237-0x000000013FF90000-0x00000001402E1000-memory.dmp

Filesize
3.3MB

Download
memory/2604-49-0x000000013F7B0000-0x000000013FB01000-memory.dmp

Filesize
3.3MB

Download
memory/2604-226-0x000000013F7B0000-0x000000013FB01000-memory.dmp

Filesize
3.3MB

Download
memory/2616-234-0x000000013FC10000-0x000000013FF61000-memory.dmp

Filesize
3.3MB

Download
memory/2616-83-0x000000013FC10000-0x000000013FF61000-memory.dmp

Filesize
3.3MB

Download
memory/2644-43-0x000000013F760000-0x000000013FAB1000-memory.dmp

Filesize
3.3MB

Download
memory/2644-228-0x000000013F760000-0x000000013FAB1000-memory.dmp

Filesize
3.3MB

Download
memory/2704-48-0x000000013F6D0000-0x000000013FA21000-memory.dmp

Filesize
3.3MB

Download
memory/2704-225-0x000000013F6D0000-0x000000013FA21000-memory.dmp

Filesize
3.3MB

Download
memory/2788-121-0x000000013F5B0000-0x000000013F901000-memory.dmp

Filesize
3.3MB

Download
memory/2788-243-0x000000013F5B0000-0x000000013F901000-memory.dmp

Filesize
3.3MB

Download
memory/2816-232-0x000000013F360000-0x000000013F6B1000-memory.dmp

Filesize
3.3MB

Download
memory/2816-79-0x000000013F360000-0x000000013F6B1000-memory.dmp

Filesize
3.3MB

Download
memory/2952-239-0x000000013F060000-0x000000013F3B1000-memory.dmp

Filesize
3.3MB

Download
memory/2952-92-0x000000013F060000-0x000000013F3B1000-memory.dmp

Filesize
3.3MB

Download
memory/2956-111-0x000000013F450000-0x000000013F7A1000-memory.dmp

Filesize
3.3MB

Download
memory/2956-241-0x000000013F450000-0x000000013F7A1000-memory.dmp

Filesize
3.3MB

Download