Malware Analysis Report

2024-10-16 03:05

Sample ID 240610-bybzfsag88
Target 2024-06-10_0f5ac4798ee10c590a7c4336292361c2_cobalt-strike_cobaltstrike
SHA256 5b5b19bc9b27ed124722c514b9d3ec678f16dd3b4c8ef91a3037ec169827734a
Tags
miner upx 0 xmrig cobaltstrike backdoor trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

5b5b19bc9b27ed124722c514b9d3ec678f16dd3b4c8ef91a3037ec169827734a

Threat Level: Known bad

The file 2024-06-10_0f5ac4798ee10c590a7c4336292361c2_cobalt-strike_cobaltstrike was found to be: Known bad.

Malicious Activity Summary

miner upx 0 xmrig cobaltstrike backdoor trojan

Cobalt Strike reflective loader

XMRig Miner payload

xmrig

Cobaltstrike

Detects Reflective DLL injection artifacts

UPX dump on OEP (original entry point)

Xmrig family

Cobaltstrike family

UPX packed file

Executes dropped EXE

Loads dropped DLL

Drops file in Windows directory

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-10 01:35

Signatures

Cobalt Strike reflective loader

Cobaltstrike family

cobaltstrike

Detects Reflective DLL injection artifacts

UPX dump on OEP (original entry point)

XMRig Miner payload

miner

Xmrig family

xmrig

UPX packed file

upx

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-10 01:32

Reported

2024-06-10 01:38

Platform

win7-20240419-en

Max time kernel

132s

Max time network

142s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-10_0f5ac4798ee10c590a7c4336292361c2_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

UPX dump on OEP (original entry point)

XMRig Miner payload

miner

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_0f5ac4798ee10c590a7c4336292361c2_cobalt-strike_cobaltstrike.exe N/A

UPX packed file

upx

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\UrvPwGA.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_0f5ac4798ee10c590a7c4336292361c2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\IvAvOmz.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_0f5ac4798ee10c590a7c4336292361c2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\amatrNn.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_0f5ac4798ee10c590a7c4336292361c2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\xctniYR.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_0f5ac4798ee10c590a7c4336292361c2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\eyHqTAS.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_0f5ac4798ee10c590a7c4336292361c2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\TtMPiYE.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_0f5ac4798ee10c590a7c4336292361c2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\uYsmkoD.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_0f5ac4798ee10c590a7c4336292361c2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\RGYTFWg.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_0f5ac4798ee10c590a7c4336292361c2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\OoqeGHb.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_0f5ac4798ee10c590a7c4336292361c2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\PQeRWuj.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_0f5ac4798ee10c590a7c4336292361c2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\KaHnOoV.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_0f5ac4798ee10c590a7c4336292361c2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\aLVAZfg.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_0f5ac4798ee10c590a7c4336292361c2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\XftqwsA.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_0f5ac4798ee10c590a7c4336292361c2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\CUULIXo.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_0f5ac4798ee10c590a7c4336292361c2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\yiwCWYU.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_0f5ac4798ee10c590a7c4336292361c2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\YcWEyCt.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_0f5ac4798ee10c590a7c4336292361c2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\AUZorGX.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_0f5ac4798ee10c590a7c4336292361c2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\sZSVjQw.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_0f5ac4798ee10c590a7c4336292361c2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\kIJOZzw.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_0f5ac4798ee10c590a7c4336292361c2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\BFtumeI.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_0f5ac4798ee10c590a7c4336292361c2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\BGGcmNw.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_0f5ac4798ee10c590a7c4336292361c2_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_0f5ac4798ee10c590a7c4336292361c2_cobalt-strike_cobaltstrike.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_0f5ac4798ee10c590a7c4336292361c2_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2952 wrote to memory of 2584 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_0f5ac4798ee10c590a7c4336292361c2_cobalt-strike_cobaltstrike.exe C:\Windows\System\BGGcmNw.exe
PID 2952 wrote to memory of 1776 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_0f5ac4798ee10c590a7c4336292361c2_cobalt-strike_cobaltstrike.exe C:\Windows\System\RGYTFWg.exe
PID 2952 wrote to memory of 2284 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_0f5ac4798ee10c590a7c4336292361c2_cobalt-strike_cobaltstrike.exe C:\Windows\System\XftqwsA.exe
PID 2952 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_0f5ac4798ee10c590a7c4336292361c2_cobalt-strike_cobaltstrike.exe C:\Windows\System\UrvPwGA.exe
PID 2952 wrote to memory of 2916 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_0f5ac4798ee10c590a7c4336292361c2_cobalt-strike_cobaltstrike.exe C:\Windows\System\sZSVjQw.exe
PID 2952 wrote to memory of 2608 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_0f5ac4798ee10c590a7c4336292361c2_cobalt-strike_cobaltstrike.exe C:\Windows\System\CUULIXo.exe
PID 2952 wrote to memory of 2120 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_0f5ac4798ee10c590a7c4336292361c2_cobalt-strike_cobaltstrike.exe C:\Windows\System\IvAvOmz.exe
PID 2952 wrote to memory of 2840 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_0f5ac4798ee10c590a7c4336292361c2_cobalt-strike_cobaltstrike.exe C:\Windows\System\OoqeGHb.exe
PID 2952 wrote to memory of 2428 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_0f5ac4798ee10c590a7c4336292361c2_cobalt-strike_cobaltstrike.exe C:\Windows\System\yiwCWYU.exe
PID 2952 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_0f5ac4798ee10c590a7c4336292361c2_cobalt-strike_cobaltstrike.exe C:\Windows\System\kIJOZzw.exe
PID 2952 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_0f5ac4798ee10c590a7c4336292361c2_cobalt-strike_cobaltstrike.exe C:\Windows\System\PQeRWuj.exe
PID 2952 wrote to memory of 2432 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_0f5ac4798ee10c590a7c4336292361c2_cobalt-strike_cobaltstrike.exe C:\Windows\System\amatrNn.exe
PID 2952 wrote to memory of 2388 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_0f5ac4798ee10c590a7c4336292361c2_cobalt-strike_cobaltstrike.exe C:\Windows\System\xctniYR.exe
PID 2952 wrote to memory of 2776 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_0f5ac4798ee10c590a7c4336292361c2_cobalt-strike_cobaltstrike.exe C:\Windows\System\YcWEyCt.exe
PID 2952 wrote to memory of 2872 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_0f5ac4798ee10c590a7c4336292361c2_cobalt-strike_cobaltstrike.exe C:\Windows\System\eyHqTAS.exe
PID 2952 wrote to memory of 2972 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_0f5ac4798ee10c590a7c4336292361c2_cobalt-strike_cobaltstrike.exe C:\Windows\System\AUZorGX.exe
PID 2952 wrote to memory of 2448 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_0f5ac4798ee10c590a7c4336292361c2_cobalt-strike_cobaltstrike.exe C:\Windows\System\KaHnOoV.exe
PID 2952 wrote to memory of 1312 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_0f5ac4798ee10c590a7c4336292361c2_cobalt-strike_cobaltstrike.exe C:\Windows\System\TtMPiYE.exe
PID 2952 wrote to memory of 1276 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_0f5ac4798ee10c590a7c4336292361c2_cobalt-strike_cobaltstrike.exe C:\Windows\System\BFtumeI.exe
PID 2952 wrote to memory of 1968 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_0f5ac4798ee10c590a7c4336292361c2_cobalt-strike_cobaltstrike.exe C:\Windows\System\uYsmkoD.exe
PID 2952 wrote to memory of 1812 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_0f5ac4798ee10c590a7c4336292361c2_cobalt-strike_cobaltstrike.exe C:\Windows\System\aLVAZfg.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-10_0f5ac4798ee10c590a7c4336292361c2_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-10_0f5ac4798ee10c590a7c4336292361c2_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\BGGcmNw.exe

C:\Windows\System\BGGcmNw.exe

C:\Windows\System\RGYTFWg.exe

C:\Windows\System\RGYTFWg.exe

C:\Windows\System\XftqwsA.exe

C:\Windows\System\XftqwsA.exe

C:\Windows\System\UrvPwGA.exe

C:\Windows\System\UrvPwGA.exe

C:\Windows\System\sZSVjQw.exe

C:\Windows\System\sZSVjQw.exe

C:\Windows\System\CUULIXo.exe

C:\Windows\System\CUULIXo.exe

C:\Windows\System\IvAvOmz.exe

C:\Windows\System\IvAvOmz.exe

C:\Windows\System\OoqeGHb.exe

C:\Windows\System\OoqeGHb.exe

C:\Windows\System\yiwCWYU.exe

C:\Windows\System\yiwCWYU.exe

C:\Windows\System\kIJOZzw.exe

C:\Windows\System\kIJOZzw.exe

C:\Windows\System\PQeRWuj.exe

C:\Windows\System\PQeRWuj.exe

C:\Windows\System\amatrNn.exe

C:\Windows\System\amatrNn.exe

C:\Windows\System\xctniYR.exe

C:\Windows\System\xctniYR.exe

C:\Windows\System\YcWEyCt.exe

C:\Windows\System\YcWEyCt.exe

C:\Windows\System\eyHqTAS.exe

C:\Windows\System\eyHqTAS.exe

C:\Windows\System\AUZorGX.exe

C:\Windows\System\AUZorGX.exe

C:\Windows\System\KaHnOoV.exe

C:\Windows\System\KaHnOoV.exe

C:\Windows\System\TtMPiYE.exe

C:\Windows\System\TtMPiYE.exe

C:\Windows\System\BFtumeI.exe

C:\Windows\System\BFtumeI.exe

C:\Windows\System\uYsmkoD.exe

C:\Windows\System\uYsmkoD.exe

C:\Windows\System\aLVAZfg.exe

C:\Windows\System\aLVAZfg.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 tcp

Files

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-10 01:32

Reported

2024-06-10 01:39

Platform

win10v2004-20240508-en

Max time kernel

132s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-10_0f5ac4798ee10c590a7c4336292361c2_cobalt-strike_cobaltstrike.exe"

Signatures

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\fGKMcgI.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_0f5ac4798ee10c590a7c4336292361c2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\nnDKvGj.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_0f5ac4798ee10c590a7c4336292361c2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ELvlIcL.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_0f5ac4798ee10c590a7c4336292361c2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ZLXQyoc.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_0f5ac4798ee10c590a7c4336292361c2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\vQYeGHm.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_0f5ac4798ee10c590a7c4336292361c2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\RVMmNuu.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_0f5ac4798ee10c590a7c4336292361c2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\jpwKzJk.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_0f5ac4798ee10c590a7c4336292361c2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ThrEkNQ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_0f5ac4798ee10c590a7c4336292361c2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\bIXFoyG.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_0f5ac4798ee10c590a7c4336292361c2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\WhSOpFn.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_0f5ac4798ee10c590a7c4336292361c2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\GzgFcJL.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_0f5ac4798ee10c590a7c4336292361c2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\DiPfdMX.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_0f5ac4798ee10c590a7c4336292361c2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ajEuOWN.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_0f5ac4798ee10c590a7c4336292361c2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\XYPxxyL.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_0f5ac4798ee10c590a7c4336292361c2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\yxSKhOk.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_0f5ac4798ee10c590a7c4336292361c2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\BQKjLtb.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_0f5ac4798ee10c590a7c4336292361c2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\rdflAQx.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_0f5ac4798ee10c590a7c4336292361c2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ejfKdAW.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_0f5ac4798ee10c590a7c4336292361c2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\MAlzjIi.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_0f5ac4798ee10c590a7c4336292361c2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\MLGIwzI.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_0f5ac4798ee10c590a7c4336292361c2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\hBGgHyD.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_0f5ac4798ee10c590a7c4336292361c2_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_0f5ac4798ee10c590a7c4336292361c2_cobalt-strike_cobaltstrike.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_0f5ac4798ee10c590a7c4336292361c2_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1408 wrote to memory of 4660 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_0f5ac4798ee10c590a7c4336292361c2_cobalt-strike_cobaltstrike.exe C:\Windows\System\vQYeGHm.exe
PID 1408 wrote to memory of 4660 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_0f5ac4798ee10c590a7c4336292361c2_cobalt-strike_cobaltstrike.exe C:\Windows\System\vQYeGHm.exe
PID 1408 wrote to memory of 1368 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_0f5ac4798ee10c590a7c4336292361c2_cobalt-strike_cobaltstrike.exe C:\Windows\System\MAlzjIi.exe
PID 1408 wrote to memory of 1368 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_0f5ac4798ee10c590a7c4336292361c2_cobalt-strike_cobaltstrike.exe C:\Windows\System\MAlzjIi.exe
PID 1408 wrote to memory of 4600 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_0f5ac4798ee10c590a7c4336292361c2_cobalt-strike_cobaltstrike.exe C:\Windows\System\MLGIwzI.exe
PID 1408 wrote to memory of 4600 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_0f5ac4798ee10c590a7c4336292361c2_cobalt-strike_cobaltstrike.exe C:\Windows\System\MLGIwzI.exe
PID 1408 wrote to memory of 3372 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_0f5ac4798ee10c590a7c4336292361c2_cobalt-strike_cobaltstrike.exe C:\Windows\System\RVMmNuu.exe
PID 1408 wrote to memory of 3372 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_0f5ac4798ee10c590a7c4336292361c2_cobalt-strike_cobaltstrike.exe C:\Windows\System\RVMmNuu.exe
PID 1408 wrote to memory of 2884 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_0f5ac4798ee10c590a7c4336292361c2_cobalt-strike_cobaltstrike.exe C:\Windows\System\ajEuOWN.exe
PID 1408 wrote to memory of 2884 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_0f5ac4798ee10c590a7c4336292361c2_cobalt-strike_cobaltstrike.exe C:\Windows\System\ajEuOWN.exe
PID 1408 wrote to memory of 4048 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_0f5ac4798ee10c590a7c4336292361c2_cobalt-strike_cobaltstrike.exe C:\Windows\System\GzgFcJL.exe
PID 1408 wrote to memory of 4048 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_0f5ac4798ee10c590a7c4336292361c2_cobalt-strike_cobaltstrike.exe C:\Windows\System\GzgFcJL.exe
PID 1408 wrote to memory of 2424 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_0f5ac4798ee10c590a7c4336292361c2_cobalt-strike_cobaltstrike.exe C:\Windows\System\jpwKzJk.exe
PID 1408 wrote to memory of 2424 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_0f5ac4798ee10c590a7c4336292361c2_cobalt-strike_cobaltstrike.exe C:\Windows\System\jpwKzJk.exe
PID 1408 wrote to memory of 3480 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_0f5ac4798ee10c590a7c4336292361c2_cobalt-strike_cobaltstrike.exe C:\Windows\System\XYPxxyL.exe
PID 1408 wrote to memory of 3480 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_0f5ac4798ee10c590a7c4336292361c2_cobalt-strike_cobaltstrike.exe C:\Windows\System\XYPxxyL.exe
PID 1408 wrote to memory of 2308 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_0f5ac4798ee10c590a7c4336292361c2_cobalt-strike_cobaltstrike.exe C:\Windows\System\DiPfdMX.exe
PID 1408 wrote to memory of 2308 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_0f5ac4798ee10c590a7c4336292361c2_cobalt-strike_cobaltstrike.exe C:\Windows\System\DiPfdMX.exe
PID 1408 wrote to memory of 2124 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_0f5ac4798ee10c590a7c4336292361c2_cobalt-strike_cobaltstrike.exe C:\Windows\System\yxSKhOk.exe
PID 1408 wrote to memory of 2124 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_0f5ac4798ee10c590a7c4336292361c2_cobalt-strike_cobaltstrike.exe C:\Windows\System\yxSKhOk.exe
PID 1408 wrote to memory of 4228 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_0f5ac4798ee10c590a7c4336292361c2_cobalt-strike_cobaltstrike.exe C:\Windows\System\fGKMcgI.exe
PID 1408 wrote to memory of 4228 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_0f5ac4798ee10c590a7c4336292361c2_cobalt-strike_cobaltstrike.exe C:\Windows\System\fGKMcgI.exe
PID 1408 wrote to memory of 3640 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_0f5ac4798ee10c590a7c4336292361c2_cobalt-strike_cobaltstrike.exe C:\Windows\System\BQKjLtb.exe
PID 1408 wrote to memory of 3640 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_0f5ac4798ee10c590a7c4336292361c2_cobalt-strike_cobaltstrike.exe C:\Windows\System\BQKjLtb.exe
PID 1408 wrote to memory of 4244 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_0f5ac4798ee10c590a7c4336292361c2_cobalt-strike_cobaltstrike.exe C:\Windows\System\ThrEkNQ.exe
PID 1408 wrote to memory of 4244 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_0f5ac4798ee10c590a7c4336292361c2_cobalt-strike_cobaltstrike.exe C:\Windows\System\ThrEkNQ.exe
PID 1408 wrote to memory of 4796 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_0f5ac4798ee10c590a7c4336292361c2_cobalt-strike_cobaltstrike.exe C:\Windows\System\nnDKvGj.exe
PID 1408 wrote to memory of 4796 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_0f5ac4798ee10c590a7c4336292361c2_cobalt-strike_cobaltstrike.exe C:\Windows\System\nnDKvGj.exe
PID 1408 wrote to memory of 4028 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_0f5ac4798ee10c590a7c4336292361c2_cobalt-strike_cobaltstrike.exe C:\Windows\System\rdflAQx.exe
PID 1408 wrote to memory of 4028 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_0f5ac4798ee10c590a7c4336292361c2_cobalt-strike_cobaltstrike.exe C:\Windows\System\rdflAQx.exe
PID 1408 wrote to memory of 1564 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_0f5ac4798ee10c590a7c4336292361c2_cobalt-strike_cobaltstrike.exe C:\Windows\System\ejfKdAW.exe
PID 1408 wrote to memory of 1564 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_0f5ac4798ee10c590a7c4336292361c2_cobalt-strike_cobaltstrike.exe C:\Windows\System\ejfKdAW.exe
PID 1408 wrote to memory of 4932 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_0f5ac4798ee10c590a7c4336292361c2_cobalt-strike_cobaltstrike.exe C:\Windows\System\bIXFoyG.exe
PID 1408 wrote to memory of 4932 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_0f5ac4798ee10c590a7c4336292361c2_cobalt-strike_cobaltstrike.exe C:\Windows\System\bIXFoyG.exe
PID 1408 wrote to memory of 4680 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_0f5ac4798ee10c590a7c4336292361c2_cobalt-strike_cobaltstrike.exe C:\Windows\System\ELvlIcL.exe
PID 1408 wrote to memory of 4680 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_0f5ac4798ee10c590a7c4336292361c2_cobalt-strike_cobaltstrike.exe C:\Windows\System\ELvlIcL.exe
PID 1408 wrote to memory of 5068 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_0f5ac4798ee10c590a7c4336292361c2_cobalt-strike_cobaltstrike.exe C:\Windows\System\ZLXQyoc.exe
PID 1408 wrote to memory of 5068 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_0f5ac4798ee10c590a7c4336292361c2_cobalt-strike_cobaltstrike.exe C:\Windows\System\ZLXQyoc.exe
PID 1408 wrote to memory of 5012 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_0f5ac4798ee10c590a7c4336292361c2_cobalt-strike_cobaltstrike.exe C:\Windows\System\hBGgHyD.exe
PID 1408 wrote to memory of 5012 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_0f5ac4798ee10c590a7c4336292361c2_cobalt-strike_cobaltstrike.exe C:\Windows\System\hBGgHyD.exe
PID 1408 wrote to memory of 3828 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_0f5ac4798ee10c590a7c4336292361c2_cobalt-strike_cobaltstrike.exe C:\Windows\System\WhSOpFn.exe
PID 1408 wrote to memory of 3828 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_0f5ac4798ee10c590a7c4336292361c2_cobalt-strike_cobaltstrike.exe C:\Windows\System\WhSOpFn.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-10_0f5ac4798ee10c590a7c4336292361c2_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-10_0f5ac4798ee10c590a7c4336292361c2_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\vQYeGHm.exe

C:\Windows\System\vQYeGHm.exe

C:\Windows\System\MAlzjIi.exe

C:\Windows\System\MAlzjIi.exe

C:\Windows\System\MLGIwzI.exe

C:\Windows\System\MLGIwzI.exe

C:\Windows\System\RVMmNuu.exe

C:\Windows\System\RVMmNuu.exe

C:\Windows\System\ajEuOWN.exe

C:\Windows\System\ajEuOWN.exe

C:\Windows\System\GzgFcJL.exe

C:\Windows\System\GzgFcJL.exe

C:\Windows\System\jpwKzJk.exe

C:\Windows\System\jpwKzJk.exe

C:\Windows\System\XYPxxyL.exe

C:\Windows\System\XYPxxyL.exe

C:\Windows\System\DiPfdMX.exe

C:\Windows\System\DiPfdMX.exe

C:\Windows\System\yxSKhOk.exe

C:\Windows\System\yxSKhOk.exe

C:\Windows\System\fGKMcgI.exe

C:\Windows\System\fGKMcgI.exe

C:\Windows\System\BQKjLtb.exe

C:\Windows\System\BQKjLtb.exe

C:\Windows\System\ThrEkNQ.exe

C:\Windows\System\ThrEkNQ.exe

C:\Windows\System\nnDKvGj.exe

C:\Windows\System\nnDKvGj.exe

C:\Windows\System\rdflAQx.exe

C:\Windows\System\rdflAQx.exe

C:\Windows\System\ejfKdAW.exe

C:\Windows\System\ejfKdAW.exe

C:\Windows\System\bIXFoyG.exe

C:\Windows\System\bIXFoyG.exe

C:\Windows\System\ELvlIcL.exe

C:\Windows\System\ELvlIcL.exe

C:\Windows\System\ZLXQyoc.exe

C:\Windows\System\ZLXQyoc.exe

C:\Windows\System\hBGgHyD.exe

C:\Windows\System\hBGgHyD.exe

C:\Windows\System\WhSOpFn.exe

C:\Windows\System\WhSOpFn.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp

Files
