Malware Analysis Report

2024-10-16 03:05

Sample ID 240610-cpybrsbb87
Target 2024-06-10_dc4856ea2497f8da830e7c27dd215543_cobalt-strike_cobaltstrike
SHA256 99d25ab9d1116c2d763413464b9ceb657e63dbf6c36c48fdc003ed4afc7bcf33
Tags
xmrig miner upx 0 cobaltstrike backdoor trojan
score
10/10

Analysis Overview

score
10/10

SHA256

99d25ab9d1116c2d763413464b9ceb657e63dbf6c36c48fdc003ed4afc7bcf33

Threat Level: Known bad

The file 2024-06-10_dc4856ea2497f8da830e7c27dd215543_cobalt-strike_cobaltstrike was found to be: Known bad.

Malicious Activity Summary

xmrig miner upx 0 cobaltstrike backdoor trojan

Cobalt Strike reflective loader

Cobaltstrike family

XMRig Miner payload

UPX dump on OEP (original entry point)

xmrig

Detects Reflective DLL injection artifacts

Xmrig family

Cobaltstrike

XMRig Miner payload

UPX dump on OEP (original entry point)

Executes dropped EXE

Loads dropped DLL

UPX packed file

Drops file in Windows directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-10 02:15

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike family

cobaltstrike

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Xmrig family

xmrig

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-10 02:15

Reported

2024-06-10 02:38

Platform

win10v2004-20240426-en

Max time kernel

135s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-10_dc4856ea2497f8da830e7c27dd215543_cobalt-strike_cobaltstrike.exe"

Signatures

xmrig

miner xmrig

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A (37 identical rows)

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A (53 identical rows)

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A (64 identical rows)

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\MHMZrCd.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_dc4856ea2497f8da830e7c27dd215543_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\uLDkDZE.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_dc4856ea2497f8da830e7c27dd215543_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\omIJcXh.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_dc4856ea2497f8da830e7c27dd215543_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\rpZcnTN.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_dc4856ea2497f8da830e7c27dd215543_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\hUViVJv.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_dc4856ea2497f8da830e7c27dd215543_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\nxgsCUx.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_dc4856ea2497f8da830e7c27dd215543_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\DyoVQoh.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_dc4856ea2497f8da830e7c27dd215543_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\nFYUFAG.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_dc4856ea2497f8da830e7c27dd215543_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\MHZdScK.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_dc4856ea2497f8da830e7c27dd215543_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\HDQCsCD.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_dc4856ea2497f8da830e7c27dd215543_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\LtDEEwh.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_dc4856ea2497f8da830e7c27dd215543_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\cIvymCX.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_dc4856ea2497f8da830e7c27dd215543_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\obKdBIH.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_dc4856ea2497f8da830e7c27dd215543_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\zDaPLiM.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_dc4856ea2497f8da830e7c27dd215543_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\CBuGoUw.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_dc4856ea2497f8da830e7c27dd215543_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\jjQTIzE.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_dc4856ea2497f8da830e7c27dd215543_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ZQaNtZn.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_dc4856ea2497f8da830e7c27dd215543_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\nyTjQxK.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_dc4856ea2497f8da830e7c27dd215543_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\REGmrqC.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_dc4856ea2497f8da830e7c27dd215543_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\yPuZbSY.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_dc4856ea2497f8da830e7c27dd215543_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\tAvwMYN.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_dc4856ea2497f8da830e7c27dd215543_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_dc4856ea2497f8da830e7c27dd215543_cobalt-strike_cobaltstrike.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_dc4856ea2497f8da830e7c27dd215543_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5092 wrote to memory of 1364 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_dc4856ea2497f8da830e7c27dd215543_cobalt-strike_cobaltstrike.exe C:\Windows\System\obKdBIH.exe
PID 5092 wrote to memory of 1364 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_dc4856ea2497f8da830e7c27dd215543_cobalt-strike_cobaltstrike.exe C:\Windows\System\obKdBIH.exe
PID 5092 wrote to memory of 628 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_dc4856ea2497f8da830e7c27dd215543_cobalt-strike_cobaltstrike.exe C:\Windows\System\yPuZbSY.exe
PID 5092 wrote to memory of 628 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_dc4856ea2497f8da830e7c27dd215543_cobalt-strike_cobaltstrike.exe C:\Windows\System\yPuZbSY.exe
PID 5092 wrote to memory of 1784 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_dc4856ea2497f8da830e7c27dd215543_cobalt-strike_cobaltstrike.exe C:\Windows\System\zDaPLiM.exe
PID 5092 wrote to memory of 1784 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_dc4856ea2497f8da830e7c27dd215543_cobalt-strike_cobaltstrike.exe C:\Windows\System\zDaPLiM.exe
PID 5092 wrote to memory of 5048 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_dc4856ea2497f8da830e7c27dd215543_cobalt-strike_cobaltstrike.exe C:\Windows\System\hUViVJv.exe
PID 5092 wrote to memory of 5048 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_dc4856ea2497f8da830e7c27dd215543_cobalt-strike_cobaltstrike.exe C:\Windows\System\hUViVJv.exe
PID 5092 wrote to memory of 4980 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_dc4856ea2497f8da830e7c27dd215543_cobalt-strike_cobaltstrike.exe C:\Windows\System\tAvwMYN.exe
PID 5092 wrote to memory of 4980 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_dc4856ea2497f8da830e7c27dd215543_cobalt-strike_cobaltstrike.exe C:\Windows\System\tAvwMYN.exe
PID 5092 wrote to memory of 516 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_dc4856ea2497f8da830e7c27dd215543_cobalt-strike_cobaltstrike.exe C:\Windows\System\DyoVQoh.exe
PID 5092 wrote to memory of 516 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_dc4856ea2497f8da830e7c27dd215543_cobalt-strike_cobaltstrike.exe C:\Windows\System\DyoVQoh.exe
PID 5092 wrote to memory of 1608 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_dc4856ea2497f8da830e7c27dd215543_cobalt-strike_cobaltstrike.exe C:\Windows\System\nxgsCUx.exe
PID 5092 wrote to memory of 1608 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_dc4856ea2497f8da830e7c27dd215543_cobalt-strike_cobaltstrike.exe C:\Windows\System\nxgsCUx.exe
PID 5092 wrote to memory of 1288 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_dc4856ea2497f8da830e7c27dd215543_cobalt-strike_cobaltstrike.exe C:\Windows\System\nFYUFAG.exe
PID 5092 wrote to memory of 1288 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_dc4856ea2497f8da830e7c27dd215543_cobalt-strike_cobaltstrike.exe C:\Windows\System\nFYUFAG.exe
PID 5092 wrote to memory of 2012 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_dc4856ea2497f8da830e7c27dd215543_cobalt-strike_cobaltstrike.exe C:\Windows\System\MHMZrCd.exe
PID 5092 wrote to memory of 2012 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_dc4856ea2497f8da830e7c27dd215543_cobalt-strike_cobaltstrike.exe C:\Windows\System\MHMZrCd.exe
PID 5092 wrote to memory of 764 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_dc4856ea2497f8da830e7c27dd215543_cobalt-strike_cobaltstrike.exe C:\Windows\System\ZQaNtZn.exe
PID 5092 wrote to memory of 764 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_dc4856ea2497f8da830e7c27dd215543_cobalt-strike_cobaltstrike.exe C:\Windows\System\ZQaNtZn.exe
PID 5092 wrote to memory of 3860 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_dc4856ea2497f8da830e7c27dd215543_cobalt-strike_cobaltstrike.exe C:\Windows\System\uLDkDZE.exe
PID 5092 wrote to memory of 3860 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_dc4856ea2497f8da830e7c27dd215543_cobalt-strike_cobaltstrike.exe C:\Windows\System\uLDkDZE.exe
PID 5092 wrote to memory of 4820 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_dc4856ea2497f8da830e7c27dd215543_cobalt-strike_cobaltstrike.exe C:\Windows\System\nyTjQxK.exe
PID 5092 wrote to memory of 4820 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_dc4856ea2497f8da830e7c27dd215543_cobalt-strike_cobaltstrike.exe C:\Windows\System\nyTjQxK.exe
PID 5092 wrote to memory of 1812 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_dc4856ea2497f8da830e7c27dd215543_cobalt-strike_cobaltstrike.exe C:\Windows\System\MHZdScK.exe
PID 5092 wrote to memory of 1812 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_dc4856ea2497f8da830e7c27dd215543_cobalt-strike_cobaltstrike.exe C:\Windows\System\MHZdScK.exe
PID 5092 wrote to memory of 3608 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_dc4856ea2497f8da830e7c27dd215543_cobalt-strike_cobaltstrike.exe C:\Windows\System\HDQCsCD.exe
PID 5092 wrote to memory of 3608 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_dc4856ea2497f8da830e7c27dd215543_cobalt-strike_cobaltstrike.exe C:\Windows\System\HDQCsCD.exe
PID 5092 wrote to memory of 4344 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_dc4856ea2497f8da830e7c27dd215543_cobalt-strike_cobaltstrike.exe C:\Windows\System\REGmrqC.exe
PID 5092 wrote to memory of 4344 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_dc4856ea2497f8da830e7c27dd215543_cobalt-strike_cobaltstrike.exe C:\Windows\System\REGmrqC.exe
PID 5092 wrote to memory of 4124 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_dc4856ea2497f8da830e7c27dd215543_cobalt-strike_cobaltstrike.exe C:\Windows\System\omIJcXh.exe
PID 5092 wrote to memory of 4124 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_dc4856ea2497f8da830e7c27dd215543_cobalt-strike_cobaltstrike.exe C:\Windows\System\omIJcXh.exe
PID 5092 wrote to memory of 3896 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_dc4856ea2497f8da830e7c27dd215543_cobalt-strike_cobaltstrike.exe C:\Windows\System\jjQTIzE.exe
PID 5092 wrote to memory of 3896 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_dc4856ea2497f8da830e7c27dd215543_cobalt-strike_cobaltstrike.exe C:\Windows\System\jjQTIzE.exe
PID 5092 wrote to memory of 1132 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_dc4856ea2497f8da830e7c27dd215543_cobalt-strike_cobaltstrike.exe C:\Windows\System\LtDEEwh.exe
PID 5092 wrote to memory of 1132 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_dc4856ea2497f8da830e7c27dd215543_cobalt-strike_cobaltstrike.exe C:\Windows\System\LtDEEwh.exe
PID 5092 wrote to memory of 2092 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_dc4856ea2497f8da830e7c27dd215543_cobalt-strike_cobaltstrike.exe C:\Windows\System\rpZcnTN.exe
PID 5092 wrote to memory of 2092 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_dc4856ea2497f8da830e7c27dd215543_cobalt-strike_cobaltstrike.exe C:\Windows\System\rpZcnTN.exe
PID 5092 wrote to memory of 4612 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_dc4856ea2497f8da830e7c27dd215543_cobalt-strike_cobaltstrike.exe C:\Windows\System\cIvymCX.exe
PID 5092 wrote to memory of 4612 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_dc4856ea2497f8da830e7c27dd215543_cobalt-strike_cobaltstrike.exe C:\Windows\System\cIvymCX.exe
PID 5092 wrote to memory of 548 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_dc4856ea2497f8da830e7c27dd215543_cobalt-strike_cobaltstrike.exe C:\Windows\System\CBuGoUw.exe
PID 5092 wrote to memory of 548 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_dc4856ea2497f8da830e7c27dd215543_cobalt-strike_cobaltstrike.exe C:\Windows\System\CBuGoUw.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-10_dc4856ea2497f8da830e7c27dd215543_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-10_dc4856ea2497f8da830e7c27dd215543_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\obKdBIH.exe

C:\Windows\System\obKdBIH.exe

C:\Windows\System\yPuZbSY.exe

C:\Windows\System\yPuZbSY.exe

C:\Windows\System\zDaPLiM.exe

C:\Windows\System\zDaPLiM.exe

C:\Windows\System\hUViVJv.exe

C:\Windows\System\hUViVJv.exe

C:\Windows\System\tAvwMYN.exe

C:\Windows\System\tAvwMYN.exe

C:\Windows\System\DyoVQoh.exe

C:\Windows\System\DyoVQoh.exe

C:\Windows\System\nxgsCUx.exe

C:\Windows\System\nxgsCUx.exe

C:\Windows\System\nFYUFAG.exe

C:\Windows\System\nFYUFAG.exe

C:\Windows\System\MHMZrCd.exe

C:\Windows\System\MHMZrCd.exe

C:\Windows\System\ZQaNtZn.exe

C:\Windows\System\ZQaNtZn.exe

C:\Windows\System\uLDkDZE.exe

C:\Windows\System\uLDkDZE.exe

C:\Windows\System\nyTjQxK.exe

C:\Windows\System\nyTjQxK.exe

C:\Windows\System\MHZdScK.exe

C:\Windows\System\MHZdScK.exe

C:\Windows\System\HDQCsCD.exe

C:\Windows\System\HDQCsCD.exe

C:\Windows\System\REGmrqC.exe

C:\Windows\System\REGmrqC.exe

C:\Windows\System\omIJcXh.exe

C:\Windows\System\omIJcXh.exe

C:\Windows\System\jjQTIzE.exe

C:\Windows\System\jjQTIzE.exe

C:\Windows\System\LtDEEwh.exe

C:\Windows\System\LtDEEwh.exe

C:\Windows\System\rpZcnTN.exe

C:\Windows\System\rpZcnTN.exe

C:\Windows\System\cIvymCX.exe

C:\Windows\System\cIvymCX.exe

C:\Windows\System\CBuGoUw.exe

C:\Windows\System\CBuGoUw.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 144.107.17.2.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp

Files

C:\Windows\System\obKdBIH.exe

MD5 6100e68e8bda0b06075960b3b507338a
SHA1 7377b23561b0faf75081024c9076603a9c515c0b
SHA256 fbbace3a71fae67a2be0b7d1d76af23c3eae072bb881a9b0efcb450031f1907a
SHA512 19136110114856c6e8d19da15b74a3404eb988703f6aeb3730063cd96155c5c62ae4ef45c50a076c2289a09c89f59a351b7fa1b2119adb5bb048811121198a10

C:\Windows\System\yPuZbSY.exe

MD5 9e6042b034a56699e39219510e042edf
SHA1 629f58befba29e2b4cf184d5d33ff97d23d0509c
SHA256 379769e053088ad2c1be5ae8c8e84a7ebd96d0c4b1695ccab4a933b4ae5bbdfa
SHA512 16e5d759cb119fcfa4427237c03873b232b023c5fb70a22ccdd0c134a99216124df9eabae69026082be5cc255b42cc99b83fd6dfae1ca8b7fdd0be14253d2fd5

memory/1364-8-0x00007FF7323A0000-0x00007FF7326F4000-memory.dmp

memory/628-14-0x00007FF7F7070000-0x00007FF7F73C4000-memory.dmp

memory/1784-20-0x00007FF6B6530000-0x00007FF6B6884000-memory.dmp

C:\Windows\System\hUViVJv.exe

MD5 718a9719d584997246a1c2b8714a7b4e
SHA1 67ebfaa2dc4e3ec9116450be2af9ade40c009b82
SHA256 e7a67b547e60ffb017b063c22509cbd6bafdc90bb9e3aa6e7998e1092161c964
SHA512 8de9cd89a5ae07a335a64e6a06b2103eb24b41be6aa300d046d39ebf01f32b4c961b6a6513a3c6f615876a5dc3d4955b8f9159ecf3d2ba36fbc509236a3bcf5e

C:\Windows\System\tAvwMYN.exe

MD5 0e4916bdc2ef1c266d761f56116a118e
SHA1 9a0cfd04ce43b85bd6c5776431bf7706ff310623
SHA256 6e0042b71e79661f2cdce270f9c8ad31d4e976143fd43faf39f6e47ee2c8503e
SHA512 f59f576233e408dacc195782ba6759e644634f31b400788c06d2b26e104466bf83189b82f5a452f605b748b80823a3324cb814310bc885b6a3e7cabd3a52ebf4

memory/5048-30-0x00007FF6382B0000-0x00007FF638604000-memory.dmp

C:\Windows\System\DyoVQoh.exe

MD5 f643883f259de01dd5329353aba9e3bc
SHA1 8a0c9acc560b2a903e1249b54de084c27f2f7330
SHA256 885d32479d3d931762c4646bd89041e2dc323a00afc74c5ce659e0439525e486
SHA512 4fbee57fc43773ceb767e4aa78bc2879a54950d29e94d06ab5acf504f8c6e1b3a52cc3f816f267cfbe746c86e79bc3431149abbf38cd824127a0e4b7532c9af9

C:\Windows\System\DyoVQoh.exe

MD5 fc039487119680c031c847172e8b36d3
SHA1 5beddf6541d9cd9419920f162e4e22297e197c31
SHA256 7f124be7afb7e79318f0a00234a8d06798cc685d6ea1aa9ba401a63e32b5a56f
SHA512 48b7e0f173d7b3354b0ecbf6530234964b4c9b04ec9ed6eec4db91197f54add5f1d43f132d408351a108919dc08d3e65f5251fbec77c10bfc1d44f6c15d24f98

memory/4980-33-0x00007FF6ECDF0000-0x00007FF6ED144000-memory.dmp

memory/516-38-0x00007FF76E3F0000-0x00007FF76E744000-memory.dmp

C:\Windows\System\nxgsCUx.exe

MD5 bb237d1497148550688196f8c0b58b33
SHA1 4dfb56c31f3d8b83c8d12d4841f54a64ec2a8cd3
SHA256 fa746348ea29453603ec4e9959058a57e069eff1f7f29f1e6c21304df723e336
SHA512 45b7014799dcb1d50b5233d9915234344279a6c5e37b9cae934839ca4767c02573d6ba4c46da6f006949a433cc7887495f03868bac920b182655a7b744ab606a

C:\Windows\System\nFYUFAG.exe

MD5 f7a8288af541c4baa9c88e7fc3b809a8
SHA1 890403d5bfd29ba9349a1760a7c598a635338176
SHA256 f611c2fab3f2c2dc30fe71a7a6d4923eb09e83bbc5cd17d41416fe862eaa2af4
SHA512 14258b4c74720b84d36dcd1e32fc868b8f0d61282a14beea9605499f2fcde88f8b036ca5a453c3fd86a4dfae5b7f2a50e5e5bc079080dc1908041630fec37f8f

C:\Windows\System\nFYUFAG.exe

MD5 f58e08b72cd17e761a2a9f9a3a7d78cc
SHA1 de782543edc8d84dab9d9abe05bbdf2b60d9debc
SHA256 d51134031d6f071ff52e7180e3d9294950682ace4a5b62ba95ca51f8aaf4d416
SHA512 2f3135907838b1783f70fe1e915d25187b71ee9e2054dd7b25c46ddd6b1f79b7bc06ac2680bfd1d5479a23571973dd3ae2d097c1f4404cfc2cde416343d50eb2

C:\Windows\System\ZQaNtZn.exe

MD5 c42167c1b389c3da3baf08d29a4ffb23
SHA1 b17b3c99c168035a635c242e33148a1655229d79
SHA256 ca096026535aad7a5c88f1f3be41e6b8629b5cbde82bec035b64c6e4c5a573cb
SHA512 0ed7e2d6688802525de13634d2d17e2719d4236fd2b19aa5f177a6ac5b6a308b4860efa3a9dd364c5eb8e25186924199f5640d45499c1bc697631ad2d6abe9c9

memory/2012-56-0x00007FF6B7F50000-0x00007FF6B82A4000-memory.dmp

C:\Windows\System\ZQaNtZn.exe

MD5 6236e8172dd53bf62f644cfe0ed886d3
SHA1 8ca18ffe9bbfbe45410d9b59254a1810ea23f357
SHA256 55980b27bd506ab86e4775e25257590aba650464fc27cb5343cc100d30379f6a
SHA512 4824863797edefac6f147b1445a22e460ff9793365a4b1c6e0c38d85cb2d2c1e41561b0e7f68c920e608fbcae38e3c9b7a32f1157a4ef9d9356a07d59fa80beb

C:\Windows\System\uLDkDZE.exe

MD5 26c8f00289cc3bdd26a843c51bedf3c8
SHA1 e14e1dddc9f1049c50e880466809c21b37eff3f5
SHA256 63cfb616d26cc402801abdfa04ad9336ba1e41138d6a9c9dc393fd77fa974599
SHA512 967ab791893a878006d08fe438fca6b46caedb6ffee669211c1b3ee46c50d569a3a42c0ab98c4fa4f730050db56751645005be5a20d415153c19e2a55aba664a

C:\Windows\System\MHZdScK.exe

MD5 4c8c5833e867ba909aecc9d08e7f6301
SHA1 892c9f7c96581e21485ab02da8dcf4a38e5332cd
SHA256 a77b722cf51ae2a9cba37b8299fa5d2ba9c23def99edac7762983cbc3a45f900
SHA512 834bda0212ff60f10bc8bc9b9825ef8eb7ceb8cd2e1cfe2694ddd245474f9657fe9c4745fb3c68a4e5a6c7bf5f21a301636372499f3ff108f7621905b0e2018a

memory/1784-82-0x00007FF6B6530000-0x00007FF6B6884000-memory.dmp

memory/3608-89-0x00007FF7C63B0000-0x00007FF7C6704000-memory.dmp

memory/1812-86-0x00007FF721140000-0x00007FF721494000-memory.dmp

memory/4344-95-0x00007FF7FC5C0000-0x00007FF7FC914000-memory.dmp

memory/4980-94-0x00007FF6ECDF0000-0x00007FF6ED144000-memory.dmp

memory/3896-109-0x00007FF661850000-0x00007FF661BA4000-memory.dmp

C:\Windows\System\jjQTIzE.exe

MD5 129f3d64cbeca05a53ef528b3290734c
SHA1 71740da16ce0c6c904ccb37e278a6ad593c1a480
SHA256 8bff8690eaf4a5e3f573418a963622e185f8d501862caf038cd51f7fb5a2debe
SHA512 678c5888d6fd5cfe6ce1594083820c6bdb4991f848b7bf64517b2c7aae2761350709aee9fa7ba71fac788e0eaf0979bc249996e90211dac6917778ab1bc5ebbe

memory/1608-106-0x00007FF7A3370000-0x00007FF7A36C4000-memory.dmp

memory/4124-105-0x00007FF719C90000-0x00007FF719FE4000-memory.dmp

memory/1132-114-0x00007FF6AA1B0000-0x00007FF6AA504000-memory.dmp

memory/1288-113-0x00007FF645800000-0x00007FF645B54000-memory.dmp

C:\Windows\System\omIJcXh.exe

MD5 7b14f3c14c633ee8244aa174a19c77c2
SHA1 20be5b944aeee15deaa0f6d867d726a44b447a5f
SHA256 55116a4a0ec483097b0ca249d480875a1240a34b0d8dbd30e2646420c3223977
SHA512 faa445d170a8b3a88ae18d7d86ed359fa18478abeca09c06495daf71dbe7be3ccce2c3ede03a3fd5934b65314c2c44d9e117a0e20acaadccef662d86865bb29f

C:\Windows\System\rpZcnTN.exe

MD5 fce36e7a127a9c45d54e1b8d90fdd7dd
SHA1 8542d25e949a7392da2a93826107eaa40ecc4cc5
SHA256 b444293ba0ec99638690f826a0742a8768937b49529c8a6756d6366ed24a602f
SHA512 305798c3491a2a73389f1d7751402c6a23f5215075ba486c290c2f789dc31a38e03eddcf5f70014163a4339376b4bec87bf7595b275ac3d6efe0ee4cac2b7a79

C:\Windows\System\cIvymCX.exe

MD5 eb54c79b111a6637e43c4f642a0f578a
SHA1 7126fb33254f9893bdd1cf918a8c8e9e58a5c486
SHA256 47614a6695ce7c97b28e1f39c3b163ad3c824b5473f3c2eb2389305882a46a3b
SHA512 9387cfbd62c0cf9d8096a58a915fa98f29aba970808faee28634e1422efa6b74c311933c7e78e32fd70490bcc0d5624eda048e3f390eee1a6f7931c06e51a342

memory/4612-129-0x00007FF66FD20000-0x00007FF670074000-memory.dmp

memory/764-128-0x00007FF6E3800000-0x00007FF6E3B54000-memory.dmp

memory/2092-122-0x00007FF603920000-0x00007FF603C74000-memory.dmp

memory/4820-77-0x00007FF799E70000-0x00007FF79A1C4000-memory.dmp

memory/3860-70-0x00007FF7A9150000-0x00007FF7A94A4000-memory.dmp

memory/1364-69-0x00007FF7323A0000-0x00007FF7326F4000-memory.dmp

memory/548-134-0x00007FF79C900000-0x00007FF79CC54000-memory.dmp

memory/764-61-0x00007FF6E3800000-0x00007FF6E3B54000-memory.dmp

memory/5092-60-0x00007FF6AE040000-0x00007FF6AE394000-memory.dmp

C:\Windows\System\MHMZrCd.exe

MD5 23ef65c9adc41eaf6b0c48d81830500d
SHA1 f3b5be1d3ec84f5757d7fc849ba6d57e65986d23
SHA256 c0553c150e476b7238fad5b8e32984e084fbccde943d134cbfc445b319bbb673
SHA512 a8d00840d571f6522efabddf4198b6794e8574c0e3de4c61cb9a6ac099f1151cc82da7ee79e1e0d60a0c763b24394555433441312609090667d2850cf4866007

memory/1288-48-0x00007FF645800000-0x00007FF645B54000-memory.dmp

memory/1608-44-0x00007FF7A3370000-0x00007FF7A36C4000-memory.dmp

C:\Windows\System\nxgsCUx.exe

MD5 9b452c7233bc232406701a6413f016b6
SHA1 0ee1449a3b908a371773125dd1c3f9e4c53fc543
SHA256 5943834ca9546edc3a1b1ca6936a4e21c83013aa8d2e3ef37396408c13242c1e
SHA512 0509ff74bab6a7dddb62fea870311dae0453ea1232d81d9fea499f4990b1514704d891348ce0f3cb8b9cb4847cd2e524d312db1d8c6a1175b113128fcb78ec93

C:\Windows\System\hUViVJv.exe

MD5 30ed13e7d503092e2de1c0d016fa838e
SHA1 7ec796bcc46ac4640be38de97fce01bf3dc94ba8
SHA256 a977e5fa5f4d28e1b00a0d61150d8123cbb7001870c2a635897c069648486b53
SHA512 b37169282b1ff8642bebe0bcc8428366ffcbba9e20af24bbabbb978f80c5f212f6c1067e596f54c49c5244fe73e59cd10d4f4ee152856283314085dda1c510d5

C:\Windows\System\zDaPLiM.exe

MD5 58a4712967944e3af233a6a684eda90b
SHA1 03b472164cb36f194a60ef2f81fdee36116273cd
SHA256 254d0397dbe929b22cf4152777b1b8b37b82405d291c1d12a4d8383f9bbeb290
SHA512 6745334fcc2fc94228948402460d1c9152ed6ed9b4fb6327bad3b2be1c44ba375957a7dafcf9ad02c3dd96f1dda467eda50afcbe909c9cfb04db71984d201a0e

memory/5092-1-0x00000187F8180000-0x00000187F8190000-memory.dmp

memory/5092-0-0x00007FF6AE040000-0x00007FF6AE394000-memory.dmp

memory/3608-135-0x00007FF7C63B0000-0x00007FF7C6704000-memory.dmp

memory/4344-136-0x00007FF7FC5C0000-0x00007FF7FC914000-memory.dmp

memory/1132-137-0x00007FF6AA1B0000-0x00007FF6AA504000-memory.dmp

memory/1364-138-0x00007FF7323A0000-0x00007FF7326F4000-memory.dmp

memory/628-139-0x00007FF7F7070000-0x00007FF7F73C4000-memory.dmp

memory/1784-140-0x00007FF6B6530000-0x00007FF6B6884000-memory.dmp

memory/5048-141-0x00007FF6382B0000-0x00007FF638604000-memory.dmp

memory/516-143-0x00007FF76E3F0000-0x00007FF76E744000-memory.dmp

memory/4980-142-0x00007FF6ECDF0000-0x00007FF6ED144000-memory.dmp

memory/1608-144-0x00007FF7A3370000-0x00007FF7A36C4000-memory.dmp

memory/1288-145-0x00007FF645800000-0x00007FF645B54000-memory.dmp

memory/2012-146-0x00007FF6B7F50000-0x00007FF6B82A4000-memory.dmp

memory/764-147-0x00007FF6E3800000-0x00007FF6E3B54000-memory.dmp

memory/3860-148-0x00007FF7A9150000-0x00007FF7A94A4000-memory.dmp

memory/4820-149-0x00007FF799E70000-0x00007FF79A1C4000-memory.dmp

memory/1812-150-0x00007FF721140000-0x00007FF721494000-memory.dmp

memory/3608-151-0x00007FF7C63B0000-0x00007FF7C6704000-memory.dmp

memory/4344-152-0x00007FF7FC5C0000-0x00007FF7FC914000-memory.dmp

memory/4124-153-0x00007FF719C90000-0x00007FF719FE4000-memory.dmp

memory/3896-154-0x00007FF661850000-0x00007FF661BA4000-memory.dmp

memory/1132-155-0x00007FF6AA1B0000-0x00007FF6AA504000-memory.dmp

memory/2092-156-0x00007FF603920000-0x00007FF603C74000-memory.dmp

memory/4612-157-0x00007FF66FD20000-0x00007FF670074000-memory.dmp

memory/548-158-0x00007FF79C900000-0x00007FF79CC54000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-10 02:15

Reported

2024-06-10 02:38

Platform

win7-20240220-en

Max time kernel

133s

Max time network

145s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-10_dc4856ea2497f8da830e7c27dd215543_cobalt-strike_cobaltstrike.exe"

Signatures

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A (19 identical rows)

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A (31 identical rows)

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_dc4856ea2497f8da830e7c27dd215543_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_dc4856ea2497f8da830e7c27dd215543_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_dc4856ea2497f8da830e7c27dd215543_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_dc4856ea2497f8da830e7c27dd215543_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_dc4856ea2497f8da830e7c27dd215543_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_dc4856ea2497f8da830e7c27dd215543_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_dc4856ea2497f8da830e7c27dd215543_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_dc4856ea2497f8da830e7c27dd215543_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_dc4856ea2497f8da830e7c27dd215543_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_dc4856ea2497f8da830e7c27dd215543_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_dc4856ea2497f8da830e7c27dd215543_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_dc4856ea2497f8da830e7c27dd215543_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_dc4856ea2497f8da830e7c27dd215543_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_dc4856ea2497f8da830e7c27dd215543_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_dc4856ea2497f8da830e7c27dd215543_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_dc4856ea2497f8da830e7c27dd215543_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_dc4856ea2497f8da830e7c27dd215543_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_dc4856ea2497f8da830e7c27dd215543_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_dc4856ea2497f8da830e7c27dd215543_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_dc4856ea2497f8da830e7c27dd215543_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_dc4856ea2497f8da830e7c27dd215543_cobalt-strike_cobaltstrike.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\wfKljue.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_dc4856ea2497f8da830e7c27dd215543_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\UDIjIQL.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_dc4856ea2497f8da830e7c27dd215543_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\IMXdJbI.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_dc4856ea2497f8da830e7c27dd215543_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\LilJKaV.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_dc4856ea2497f8da830e7c27dd215543_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\NGRXJIc.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_dc4856ea2497f8da830e7c27dd215543_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\BAfFvJY.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_dc4856ea2497f8da830e7c27dd215543_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\GRmjLhh.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_dc4856ea2497f8da830e7c27dd215543_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\YsFvDkz.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_dc4856ea2497f8da830e7c27dd215543_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\HVrLhRV.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_dc4856ea2497f8da830e7c27dd215543_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\cYlTRKb.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_dc4856ea2497f8da830e7c27dd215543_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ZMGjpCt.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_dc4856ea2497f8da830e7c27dd215543_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\twWSwRk.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_dc4856ea2497f8da830e7c27dd215543_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\vFklkYU.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_dc4856ea2497f8da830e7c27dd215543_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\OzsxXIC.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_dc4856ea2497f8da830e7c27dd215543_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ybgdJoo.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_dc4856ea2497f8da830e7c27dd215543_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\IbOaSkR.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_dc4856ea2497f8da830e7c27dd215543_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\buRAnNu.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_dc4856ea2497f8da830e7c27dd215543_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\cXMRSyQ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_dc4856ea2497f8da830e7c27dd215543_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\YgHYeKa.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_dc4856ea2497f8da830e7c27dd215543_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\mZEaiyG.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_dc4856ea2497f8da830e7c27dd215543_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\evXDusf.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_dc4856ea2497f8da830e7c27dd215543_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_dc4856ea2497f8da830e7c27dd215543_cobalt-strike_cobaltstrike.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_dc4856ea2497f8da830e7c27dd215543_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2836 wrote to memory of 2516 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_dc4856ea2497f8da830e7c27dd215543_cobalt-strike_cobaltstrike.exe C:\Windows\System\buRAnNu.exe
PID 2836 wrote to memory of 2516 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_dc4856ea2497f8da830e7c27dd215543_cobalt-strike_cobaltstrike.exe C:\Windows\System\buRAnNu.exe
PID 2836 wrote to memory of 2516 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_dc4856ea2497f8da830e7c27dd215543_cobalt-strike_cobaltstrike.exe C:\Windows\System\buRAnNu.exe
PID 2836 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_dc4856ea2497f8da830e7c27dd215543_cobalt-strike_cobaltstrike.exe C:\Windows\System\cXMRSyQ.exe
PID 2836 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_dc4856ea2497f8da830e7c27dd215543_cobalt-strike_cobaltstrike.exe C:\Windows\System\cXMRSyQ.exe
PID 2836 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_dc4856ea2497f8da830e7c27dd215543_cobalt-strike_cobaltstrike.exe C:\Windows\System\cXMRSyQ.exe
PID 2836 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_dc4856ea2497f8da830e7c27dd215543_cobalt-strike_cobaltstrike.exe C:\Windows\System\YsFvDkz.exe
PID 2836 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_dc4856ea2497f8da830e7c27dd215543_cobalt-strike_cobaltstrike.exe C:\Windows\System\YsFvDkz.exe
PID 2836 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_dc4856ea2497f8da830e7c27dd215543_cobalt-strike_cobaltstrike.exe C:\Windows\System\YsFvDkz.exe
PID 2836 wrote to memory of 2536 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_dc4856ea2497f8da830e7c27dd215543_cobalt-strike_cobaltstrike.exe C:\Windows\System\ZMGjpCt.exe
PID 2836 wrote to memory of 2536 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_dc4856ea2497f8da830e7c27dd215543_cobalt-strike_cobaltstrike.exe C:\Windows\System\ZMGjpCt.exe
PID 2836 wrote to memory of 2536 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_dc4856ea2497f8da830e7c27dd215543_cobalt-strike_cobaltstrike.exe C:\Windows\System\ZMGjpCt.exe
PID 2836 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_dc4856ea2497f8da830e7c27dd215543_cobalt-strike_cobaltstrike.exe C:\Windows\System\YgHYeKa.exe
PID 2836 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_dc4856ea2497f8da830e7c27dd215543_cobalt-strike_cobaltstrike.exe C:\Windows\System\YgHYeKa.exe
PID 2836 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_dc4856ea2497f8da830e7c27dd215543_cobalt-strike_cobaltstrike.exe C:\Windows\System\YgHYeKa.exe
PID 2836 wrote to memory of 2512 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_dc4856ea2497f8da830e7c27dd215543_cobalt-strike_cobaltstrike.exe C:\Windows\System\twWSwRk.exe
PID 2836 wrote to memory of 2512 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_dc4856ea2497f8da830e7c27dd215543_cobalt-strike_cobaltstrike.exe C:\Windows\System\twWSwRk.exe
PID 2836 wrote to memory of 2512 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_dc4856ea2497f8da830e7c27dd215543_cobalt-strike_cobaltstrike.exe C:\Windows\System\twWSwRk.exe
PID 2836 wrote to memory of 2524 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_dc4856ea2497f8da830e7c27dd215543_cobalt-strike_cobaltstrike.exe C:\Windows\System\HVrLhRV.exe
PID 2836 wrote to memory of 2524 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_dc4856ea2497f8da830e7c27dd215543_cobalt-strike_cobaltstrike.exe C:\Windows\System\HVrLhRV.exe
PID 2836 wrote to memory of 2524 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_dc4856ea2497f8da830e7c27dd215543_cobalt-strike_cobaltstrike.exe C:\Windows\System\HVrLhRV.exe
PID 2836 wrote to memory of 2412 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_dc4856ea2497f8da830e7c27dd215543_cobalt-strike_cobaltstrike.exe C:\Windows\System\IMXdJbI.exe
PID 2836 wrote to memory of 2412 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_dc4856ea2497f8da830e7c27dd215543_cobalt-strike_cobaltstrike.exe C:\Windows\System\IMXdJbI.exe
PID 2836 wrote to memory of 2412 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_dc4856ea2497f8da830e7c27dd215543_cobalt-strike_cobaltstrike.exe C:\Windows\System\IMXdJbI.exe
PID 2836 wrote to memory of 2444 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_dc4856ea2497f8da830e7c27dd215543_cobalt-strike_cobaltstrike.exe C:\Windows\System\LilJKaV.exe
PID 2836 wrote to memory of 2444 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_dc4856ea2497f8da830e7c27dd215543_cobalt-strike_cobaltstrike.exe C:\Windows\System\LilJKaV.exe
PID 2836 wrote to memory of 2444 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_dc4856ea2497f8da830e7c27dd215543_cobalt-strike_cobaltstrike.exe C:\Windows\System\LilJKaV.exe
PID 2836 wrote to memory of 1888 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_dc4856ea2497f8da830e7c27dd215543_cobalt-strike_cobaltstrike.exe C:\Windows\System\NGRXJIc.exe
PID 2836 wrote to memory of 1888 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_dc4856ea2497f8da830e7c27dd215543_cobalt-strike_cobaltstrike.exe C:\Windows\System\NGRXJIc.exe
PID 2836 wrote to memory of 1888 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_dc4856ea2497f8da830e7c27dd215543_cobalt-strike_cobaltstrike.exe C:\Windows\System\NGRXJIc.exe
PID 2836 wrote to memory of 2456 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_dc4856ea2497f8da830e7c27dd215543_cobalt-strike_cobaltstrike.exe C:\Windows\System\BAfFvJY.exe
PID 2836 wrote to memory of 2456 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_dc4856ea2497f8da830e7c27dd215543_cobalt-strike_cobaltstrike.exe C:\Windows\System\BAfFvJY.exe
PID 2836 wrote to memory of 2456 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_dc4856ea2497f8da830e7c27dd215543_cobalt-strike_cobaltstrike.exe C:\Windows\System\BAfFvJY.exe
PID 2836 wrote to memory of 2024 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_dc4856ea2497f8da830e7c27dd215543_cobalt-strike_cobaltstrike.exe C:\Windows\System\vFklkYU.exe
PID 2836 wrote to memory of 2024 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_dc4856ea2497f8da830e7c27dd215543_cobalt-strike_cobaltstrike.exe C:\Windows\System\vFklkYU.exe
PID 2836 wrote to memory of 2024 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_dc4856ea2497f8da830e7c27dd215543_cobalt-strike_cobaltstrike.exe C:\Windows\System\vFklkYU.exe
PID 2836 wrote to memory of 2004 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_dc4856ea2497f8da830e7c27dd215543_cobalt-strike_cobaltstrike.exe C:\Windows\System\mZEaiyG.exe
PID 2836 wrote to memory of 2004 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_dc4856ea2497f8da830e7c27dd215543_cobalt-strike_cobaltstrike.exe C:\Windows\System\mZEaiyG.exe
PID 2836 wrote to memory of 2004 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_dc4856ea2497f8da830e7c27dd215543_cobalt-strike_cobaltstrike.exe C:\Windows\System\mZEaiyG.exe
PID 2836 wrote to memory of 2300 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_dc4856ea2497f8da830e7c27dd215543_cobalt-strike_cobaltstrike.exe C:\Windows\System\GRmjLhh.exe
PID 2836 wrote to memory of 2300 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_dc4856ea2497f8da830e7c27dd215543_cobalt-strike_cobaltstrike.exe C:\Windows\System\GRmjLhh.exe
PID 2836 wrote to memory of 2300 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_dc4856ea2497f8da830e7c27dd215543_cobalt-strike_cobaltstrike.exe C:\Windows\System\GRmjLhh.exe
PID 2836 wrote to memory of 2380 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_dc4856ea2497f8da830e7c27dd215543_cobalt-strike_cobaltstrike.exe C:\Windows\System\evXDusf.exe
PID 2836 wrote to memory of 2380 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_dc4856ea2497f8da830e7c27dd215543_cobalt-strike_cobaltstrike.exe C:\Windows\System\evXDusf.exe
PID 2836 wrote to memory of 2380 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_dc4856ea2497f8da830e7c27dd215543_cobalt-strike_cobaltstrike.exe C:\Windows\System\evXDusf.exe
PID 2836 wrote to memory of 1456 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_dc4856ea2497f8da830e7c27dd215543_cobalt-strike_cobaltstrike.exe C:\Windows\System\wfKljue.exe
PID 2836 wrote to memory of 1456 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_dc4856ea2497f8da830e7c27dd215543_cobalt-strike_cobaltstrike.exe C:\Windows\System\wfKljue.exe
PID 2836 wrote to memory of 1456 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_dc4856ea2497f8da830e7c27dd215543_cobalt-strike_cobaltstrike.exe C:\Windows\System\wfKljue.exe
PID 2836 wrote to memory of 2196 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_dc4856ea2497f8da830e7c27dd215543_cobalt-strike_cobaltstrike.exe C:\Windows\System\cYlTRKb.exe
PID 2836 wrote to memory of 2196 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_dc4856ea2497f8da830e7c27dd215543_cobalt-strike_cobaltstrike.exe C:\Windows\System\cYlTRKb.exe
PID 2836 wrote to memory of 2196 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_dc4856ea2497f8da830e7c27dd215543_cobalt-strike_cobaltstrike.exe C:\Windows\System\cYlTRKb.exe
PID 2836 wrote to memory of 1516 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_dc4856ea2497f8da830e7c27dd215543_cobalt-strike_cobaltstrike.exe C:\Windows\System\OzsxXIC.exe
PID 2836 wrote to memory of 1516 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_dc4856ea2497f8da830e7c27dd215543_cobalt-strike_cobaltstrike.exe C:\Windows\System\OzsxXIC.exe
PID 2836 wrote to memory of 1516 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_dc4856ea2497f8da830e7c27dd215543_cobalt-strike_cobaltstrike.exe C:\Windows\System\OzsxXIC.exe
PID 2836 wrote to memory of 1588 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_dc4856ea2497f8da830e7c27dd215543_cobalt-strike_cobaltstrike.exe C:\Windows\System\ybgdJoo.exe
PID 2836 wrote to memory of 1588 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_dc4856ea2497f8da830e7c27dd215543_cobalt-strike_cobaltstrike.exe C:\Windows\System\ybgdJoo.exe
PID 2836 wrote to memory of 1588 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_dc4856ea2497f8da830e7c27dd215543_cobalt-strike_cobaltstrike.exe C:\Windows\System\ybgdJoo.exe
PID 2836 wrote to memory of 1448 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_dc4856ea2497f8da830e7c27dd215543_cobalt-strike_cobaltstrike.exe C:\Windows\System\UDIjIQL.exe
PID 2836 wrote to memory of 1448 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_dc4856ea2497f8da830e7c27dd215543_cobalt-strike_cobaltstrike.exe C:\Windows\System\UDIjIQL.exe
PID 2836 wrote to memory of 1448 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_dc4856ea2497f8da830e7c27dd215543_cobalt-strike_cobaltstrike.exe C:\Windows\System\UDIjIQL.exe
PID 2836 wrote to memory of 308 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_dc4856ea2497f8da830e7c27dd215543_cobalt-strike_cobaltstrike.exe C:\Windows\System\IbOaSkR.exe
PID 2836 wrote to memory of 308 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_dc4856ea2497f8da830e7c27dd215543_cobalt-strike_cobaltstrike.exe C:\Windows\System\IbOaSkR.exe
PID 2836 wrote to memory of 308 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_dc4856ea2497f8da830e7c27dd215543_cobalt-strike_cobaltstrike.exe C:\Windows\System\IbOaSkR.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-10_dc4856ea2497f8da830e7c27dd215543_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-10_dc4856ea2497f8da830e7c27dd215543_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\buRAnNu.exe

C:\Windows\System\buRAnNu.exe

C:\Windows\System\cXMRSyQ.exe

C:\Windows\System\cXMRSyQ.exe

C:\Windows\System\YsFvDkz.exe

C:\Windows\System\YsFvDkz.exe

C:\Windows\System\ZMGjpCt.exe

C:\Windows\System\ZMGjpCt.exe

C:\Windows\System\YgHYeKa.exe

C:\Windows\System\YgHYeKa.exe

C:\Windows\System\twWSwRk.exe

C:\Windows\System\twWSwRk.exe

C:\Windows\System\HVrLhRV.exe

C:\Windows\System\HVrLhRV.exe

C:\Windows\System\IMXdJbI.exe

C:\Windows\System\IMXdJbI.exe

C:\Windows\System\LilJKaV.exe

C:\Windows\System\LilJKaV.exe

C:\Windows\System\NGRXJIc.exe

C:\Windows\System\NGRXJIc.exe

C:\Windows\System\BAfFvJY.exe

C:\Windows\System\BAfFvJY.exe

C:\Windows\System\vFklkYU.exe

C:\Windows\System\vFklkYU.exe

C:\Windows\System\mZEaiyG.exe

C:\Windows\System\mZEaiyG.exe

C:\Windows\System\GRmjLhh.exe

C:\Windows\System\GRmjLhh.exe

C:\Windows\System\evXDusf.exe

C:\Windows\System\evXDusf.exe

C:\Windows\System\wfKljue.exe

C:\Windows\System\wfKljue.exe

C:\Windows\System\cYlTRKb.exe

C:\Windows\System\cYlTRKb.exe

C:\Windows\System\OzsxXIC.exe

C:\Windows\System\OzsxXIC.exe

C:\Windows\System\ybgdJoo.exe

C:\Windows\System\ybgdJoo.exe

C:\Windows\System\UDIjIQL.exe

C:\Windows\System\UDIjIQL.exe

C:\Windows\System\IbOaSkR.exe

C:\Windows\System\IbOaSkR.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp

Files

memory/2836-1-0x0000000000200000-0x0000000000210000-memory.dmp

C:\Windows\system\YsFvDkz.exe

MD5 73a134cd0574e0ac4f9ae8d368fe6713
SHA1 e2227e959604b37a9bdb02baa39330d0193c4478
SHA256 afdcdfb50c133451b3b918ca491959ae903ca8c4ef613eeb36394efc56a9fc80
SHA512 db2aee929081cf5ff909b429bd2ba38ec570e587cf43a84f3c2620176f47ef63d0f4d9b06b91ca1fe58fbe5fde8028bba9da8589d095c24c9dd7af2d23bc492a

\Windows\system\YgHYeKa.exe

MD5 2b325ba998218e1724cf0adeb30ee980
SHA1 91c91f972b93ca21c02dbae5cc375d4e1212c0a0
SHA256 3b509ef9edb2905d68e114a86a101a00bf7ea4fa51d16ade0566e14bca5a50a9
SHA512 d7398cce9bbdb945487f66d7ab2c5fc7624933379c2058d1b197daa7f380b66de5a2145bdf0033355e795b1072c67b0031b7045307d04119888457779d707df5

C:\Windows\system\twWSwRk.exe

MD5 fc039487119680c031c847172e8b36d3
SHA1 5beddf6541d9cd9419920f162e4e22297e197c31
SHA256 7f124be7afb7e79318f0a00234a8d06798cc685d6ea1aa9ba401a63e32b5a56f
SHA512 48b7e0f173d7b3354b0ecbf6530234964b4c9b04ec9ed6eec4db91197f54add5f1d43f132d408351a108919dc08d3e65f5251fbec77c10bfc1d44f6c15d24f98

memory/2536-38-0x000000013FEE0000-0x0000000140234000-memory.dmp

memory/2836-36-0x000000013FEE0000-0x0000000140234000-memory.dmp

C:\Windows\system\mZEaiyG.exe

MD5 8d646e924fd0d1b8f2b6032bf921c68b
SHA1 77143c80f89669f1e640229b6197871994aedd23
SHA256 e35136f6ac4e5d25610db8b767a0f545fd9fe553bb2b7afaf2ded18cac30d498
SHA512 ec7c5a3e370172a6cb8c08d4d14c7c9dfcb67c2875d66b2b75ccefa87b0e450630c685404597ccd6d097f7b105f7bdc76ee9b759b8cea8acda23d945bc5149c3

C:\Windows\system\UDIjIQL.exe

MD5 eb54c79b111a6637e43c4f642a0f578a
SHA1 7126fb33254f9893bdd1cf918a8c8e9e58a5c486
SHA256 47614a6695ce7c97b28e1f39c3b163ad3c824b5473f3c2eb2389305882a46a3b
SHA512 9387cfbd62c0cf9d8096a58a915fa98f29aba970808faee28634e1422efa6b74c311933c7e78e32fd70490bcc0d5624eda048e3f390eee1a6f7931c06e51a342

memory/2836-120-0x0000000002260000-0x00000000025B4000-memory.dmp

memory/2004-125-0x000000013F9B0000-0x000000013FD04000-memory.dmp

memory/2836-124-0x000000013F9B0000-0x000000013FD04000-memory.dmp

memory/2024-123-0x000000013FAB0000-0x000000013FE04000-memory.dmp

memory/2456-122-0x000000013F3C0000-0x000000013F714000-memory.dmp

memory/2672-128-0x000000013F2F0000-0x000000013F644000-memory.dmp

memory/2572-129-0x000000013F980000-0x000000013FCD4000-memory.dmp

memory/2836-130-0x000000013FD80000-0x00000001400D4000-memory.dmp

memory/2836-127-0x000000013F280000-0x000000013F5D4000-memory.dmp

memory/2836-126-0x000000013F100000-0x000000013F454000-memory.dmp

memory/2836-121-0x000000013FAB0000-0x000000013FE04000-memory.dmp

memory/1888-119-0x000000013FF50000-0x00000001402A4000-memory.dmp

memory/2836-114-0x000000013FF50000-0x00000001402A4000-memory.dmp

memory/2444-111-0x000000013F4C0000-0x000000013F814000-memory.dmp

\Windows\system\UDIjIQL.exe

MD5 b7b3b40f61f1991e9770c1c68e752499
SHA1 a862f3071a84f81fa43a78a7a68aa41997dbb2b6
SHA256 9bf015fad34bff87e5bf5753e9ae26d1f61c246609e6969a684e5128a99c0d62
SHA512 2c4f4eb08d8b65b58f48513702293d03fd6b1f65cad524eab4ff88a151087171421a7c861eb131e89ad30ae5ee96b21bbd41f1893feed3561e4cffe99f701b38

memory/2836-107-0x0000000002260000-0x00000000025B4000-memory.dmp

memory/2412-98-0x000000013FE60000-0x00000001401B4000-memory.dmp

memory/2524-87-0x000000013FD80000-0x00000001400D4000-memory.dmp

\Windows\system\GRmjLhh.exe

MD5 30ed13e7d503092e2de1c0d016fa838e
SHA1 7ec796bcc46ac4640be38de97fce01bf3dc94ba8
SHA256 a977e5fa5f4d28e1b00a0d61150d8123cbb7001870c2a635897c069648486b53
SHA512 b37169282b1ff8642bebe0bcc8428366ffcbba9e20af24bbabbb978f80c5f212f6c1067e596f54c49c5244fe73e59cd10d4f4ee152856283314085dda1c510d5

memory/2512-71-0x000000013F6A0000-0x000000013F9F4000-memory.dmp

C:\Windows\system\OzsxXIC.exe

MD5 f64844b7e414b8a5d0ba8b924cdf01a8
SHA1 4e732905a1b8a8f77211a5bc5f7c94c23443409f
SHA256 90b1557d22cf9e8ed8676924b48e1864ce513f6e0a352ff82929c0815ec85a41
SHA512 053520dda3f572bf3ba1f34d2a05d74332cd3d6fc84b1f95aa1a6d1e74117b79d0441c1b5fb594eff16f953b9466d8b846caeb73a6cebefcd511d5529ab69e34

C:\Windows\system\vFklkYU.exe

MD5 08335df7103abc2469c627c6ab490b75
SHA1 663318a93774d93d6095a04cf5494b48eb7d64be
SHA256 58df3e0732ea3099d265f1cebcc12671ec8cd599b805e002740e15fb8f518f08
SHA512 8f7208f2a7c23589362de25aa76773ad075a6272ad2246f1bcd66d82f26b8b4ae6a99af20bcf359a45f35c2492e458ab92be86502fcd38ae1b4f2c4222058ff7

\Windows\system\cYlTRKb.exe

MD5 60aee69d850ada64830931a6fc7b9ccd
SHA1 7880bc478ec7824830f545eda401e9f95c3c415f
SHA256 14307b2d5f383a974420f2a9777a74c42c68a6cb951ae178d6f299af3f498980
SHA512 c8d1f7d1b9e24384b0f9a048ac1dbd121984a8450751ca27bb785a6bbe758a546ee207f038646cc657aef768102ca1b03828d22d5aec143393f63d708e9abee7

\Windows\system\evXDusf.exe

MD5 cffe3312bc6260e706dbd30103202498
SHA1 a4ed8bd8dfa1e4d1c5e843417946c6c0f3f1ca0a
SHA256 9d3cf73780b622b734a1473e4bf3b98e19a7c48d5a3b1cc60e8d023e1e1205a4
SHA512 b56972964b74d2d6577caf4ea702615721087f290ff7e95fae0803625583dc571b6f53188fb46f5875af0047ddaf8561eaff0c23593e25cf4d04322ae338f746

\Windows\system\BAfFvJY.exe

MD5 f643883f259de01dd5329353aba9e3bc
SHA1 8a0c9acc560b2a903e1249b54de084c27f2f7330
SHA256 885d32479d3d931762c4646bd89041e2dc323a00afc74c5ce659e0439525e486
SHA512 4fbee57fc43773ceb767e4aa78bc2879a54950d29e94d06ab5acf504f8c6e1b3a52cc3f816f267cfbe746c86e79bc3431149abbf38cd824127a0e4b7532c9af9

C:\Windows\system\NGRXJIc.exe

MD5 98745a9aa8ca46cc8241fc16142c1181
SHA1 7c8ca535bb417a65eff33e97abb381f4c1892dd7
SHA256 ccae5953b9ee012fa8730d55ccfa2c5005fa52dab36f2d45ad2c4a7c0588c491
SHA512 5a280e98987bc67ab4ffd2f170ec04c9fff29bd4fadfc3768b28d78be695cda6e37d821e8525b81b419f80642841ae75b5398b2f20af5a835e0f5d8794aa1a52

\Windows\system\NGRXJIc.exe

MD5 9e6042b034a56699e39219510e042edf
SHA1 629f58befba29e2b4cf184d5d33ff97d23d0509c
SHA256 379769e053088ad2c1be5ae8c8e84a7ebd96d0c4b1695ccab4a933b4ae5bbdfa
SHA512 16e5d759cb119fcfa4427237c03873b232b023c5fb70a22ccdd0c134a99216124df9eabae69026082be5cc255b42cc99b83fd6dfae1ca8b7fdd0be14253d2fd5

C:\Windows\system\HVrLhRV.exe

MD5 68879e5e116adbd5e8cd653f155d4826
SHA1 b9b840cc484b877f9d863120dd69b1678cfe5bbb
SHA256 dd4eae2272c69d5569a29c9e6e2621716f32a7d50bc5617df6be7504e46af720
SHA512 c85b5acbfb39cf4eea2d6da1c2b8727e6e9d6ed7a532c7214c3e4b25ebbc20caf0babd11d19492960ba28473a5dc22e360d297d314f333c75a1915a7b5479293

memory/2836-33-0x0000000002260000-0x00000000025B4000-memory.dmp

memory/2628-29-0x000000013F280000-0x000000013F5D4000-memory.dmp

memory/2516-23-0x000000013FEC0000-0x0000000140214000-memory.dmp

C:\Windows\system\ZMGjpCt.exe

MD5 235913608e9b54d59a255fec4c66a00f
SHA1 2bfcc4288e681725bc99002d41f5b62e004a5666
SHA256 8c0da6753b13726704b2bf23cf9307497ab3c191e3e86e5e0f0166640e830c6a
SHA512 edcda04b4a57775355639444a51a5a8029027cbcc92a0b49089391a755477e36c679a5a6b525aba2070090efdafbbc705379b2d64e01e839be15aad06dce39f5

memory/2836-10-0x000000013FEC0000-0x0000000140214000-memory.dmp

\Windows\system\cXMRSyQ.exe

MD5 4b5b10f3552969f051eadcd37a9c7397
SHA1 0f2b41104db736f9360793c29e92119a74fa37e0
SHA256 f633addb5a572461a15c024f25c75063b5d269a87a95a59eded006b1a75cf6d7
SHA512 ff3c4d40b8c5d525ac0a6eea8b3a5d4134595a19a427e51a3372aac1f7c3120344a3a0a217c283ce087f145e2b66cae626a08d41a64181e3520c23f3a9afe269

memory/2836-0-0x000000013F620000-0x000000013F974000-memory.dmp

memory/2836-131-0x000000013F620000-0x000000013F974000-memory.dmp

memory/2836-132-0x000000013F980000-0x000000013FCD4000-memory.dmp

memory/2836-133-0x000000013FEE0000-0x0000000140234000-memory.dmp

memory/2836-134-0x000000013FD80000-0x00000001400D4000-memory.dmp

memory/2516-135-0x000000013FEC0000-0x0000000140214000-memory.dmp

memory/2536-138-0x000000013FEE0000-0x0000000140234000-memory.dmp

memory/2572-139-0x000000013F980000-0x000000013FCD4000-memory.dmp

memory/2412-143-0x000000013FE60000-0x00000001401B4000-memory.dmp

memory/2024-145-0x000000013FAB0000-0x000000013FE04000-memory.dmp

memory/2004-147-0x000000013F9B0000-0x000000013FD04000-memory.dmp

memory/2456-146-0x000000013F3C0000-0x000000013F714000-memory.dmp

memory/1888-144-0x000000013FF50000-0x00000001402A4000-memory.dmp

memory/2444-142-0x000000013F4C0000-0x000000013F814000-memory.dmp

memory/2524-141-0x000000013FD80000-0x00000001400D4000-memory.dmp

memory/2512-140-0x000000013F6A0000-0x000000013F9F4000-memory.dmp

memory/2672-137-0x000000013F2F0000-0x000000013F644000-memory.dmp

memory/2628-136-0x000000013F280000-0x000000013F5D4000-memory.dmp