Malware Analysis Report

2025-01-06 18:18

Sample ID 240527-wlhlpade49
Target 2024-05-27_50f086da7ee2725d5de1c4956e94121f_cobalt-strike_cobaltstrike
SHA256 70a8ac6acceba85de93d36e305c7269de68acdb6d82bb503fb675bbe00d9e614
Tags
miner upx 0 xmrig cobaltstrike backdoor trojan
score
10/10

Table of Contents

Analysis Overview
  MITRE ATT&CK
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral2
  Detonation Overview, Command Line, Signatures, Processes, Network, Files
Analysis: behavioral1
  Detonation Overview, Command Line, Signatures, Processes, Network, Files

Analysis Overview

score
10/10

SHA256

70a8ac6acceba85de93d36e305c7269de68acdb6d82bb503fb675bbe00d9e614

Threat Level: Known bad

The file 2024-05-27_50f086da7ee2725d5de1c4956e94121f_cobalt-strike_cobaltstrike was found to be: Known bad.

What the detonations below show, in brief: on the Windows 7 image (behavioral1) the sample writes 21 executables with random seven-letter names into C:\Windows\System, starts each of them and writes into the new process three times, and twice requests SeLockMemoryPrivilege (the privilege XMRig enables to use large pages). The only network activity is six TCP connections to 3.120.209.58:8080 (DE) with no DNS lookup recorded. Every dropped file has a different hash, yet every image-sized memory region dumped from the parent and its children is exactly 0x354000 bytes long. The Windows 10 detonation (behavioral2) recorded no processes, signatures, network activity or files at all, so the behavioural evidence comes from the Windows 7 run only. The static scan matches Cobalt Strike reflective-loader and XMRig payload signatures on a UPX-packed, unsigned PE; the Cobalt Strike classification rests on those signature matches, since the run records no beacon-style traffic beyond the connection tuples above.

Malicious Activity Summary

miner upx 0 xmrig cobaltstrike backdoor trojan

Signature hits across the static1 and behavioral1 analyses (entries reported by both are listed once):

Detects Reflective DLL injection artifacts

Cobaltstrike family

Cobalt Strike reflective loader

Cobaltstrike

UPX dump on OEP (original entry point)

xmrig

Xmrig family

XMRig Miner payload

UPX packed file

Executes dropped EXE

Loads dropped DLL

Drops file in Windows directory

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-05-27 18:00

Signatures

Each static signature is listed with its family tag where the report gives one. The static scan records no description, indicator, process or target for any of these matches.

Cobalt Strike reflective loader

Cobaltstrike family (tag: cobaltstrike)

Detects Reflective DLL injection artifacts

UPX dump on OEP (original entry point)

XMRig Miner payload (tag: miner)

Xmrig family (tag: xmrig)

UPX packed file (tag: upx)

Unsigned PE

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-27 18:00

Reported

2024-05-27 18:00

Platform

win10v2004-20240508-en

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

N/A

Files

N/A

This detonation recorded no behaviour at all: no command line, signatures, processes, network activity or files. The behavioural findings in this report therefore come from the Windows 7 run (behavioral1) below, and the sample should not be assumed inert on Windows 10 on the strength of this run alone.

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-27 18:00

Reported

2024-05-27 18:03

Platform

win7-20240221-en

Max time kernel

146s

Max time network

156s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-05-27_50f086da7ee2725d5de1c4956e94121f_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

21 matches; the report records no description, indicator, process or target for any of them.

Cobaltstrike (tags: trojan, backdoor, cobaltstrike)

xmrig (tags: miner, xmrig)

Detects Reflective DLL injection artifacts

21 matches; no description, indicator, process or target recorded.

UPX dump on OEP (original entry point)

53 matches; no description, indicator, process or target recorded.

XMRig Miner payload (tag: miner)

56 matches; no description, indicator, process or target recorded.

Loads dropped DLL

21 entries, each with process C:\Users\Admin\AppData\Local\Temp\2024-05-27_50f086da7ee2725d5de1c4956e94121f_cobalt-strike_cobaltstrike.exe (the submitted sample); no description, indicator or target recorded.

UPX packed file (tag: upx)

53 matches; no description, indicator, process or target recorded.

Drops file in Windows directory

21 files created by C:\Users\Admin\AppData\Local\Temp\2024-05-27_50f086da7ee2725d5de1c4956e94121f_cobalt-strike_cobaltstrike.exe (no indicator or target recorded). All are executables with seven-letter mixed-case names under C:\Windows\System:

C:\Windows\System\KLeSGtN.exe
C:\Windows\System\yLBrHWA.exe
C:\Windows\System\iYXJfMX.exe
C:\Windows\System\mgMlRlZ.exe
C:\Windows\System\rpfuRYw.exe
C:\Windows\System\jzWXUBQ.exe
C:\Windows\System\emOwPkj.exe
C:\Windows\System\sOiZuVH.exe
C:\Windows\System\kMFKoKK.exe
C:\Windows\System\lhYGUVQ.exe
C:\Windows\System\BDedelo.exe
C:\Windows\System\rqqiBMj.exe
C:\Windows\System\vsHGiNh.exe
C:\Windows\System\UNShqLs.exe
C:\Windows\System\cqeJkYs.exe
C:\Windows\System\fXIOItp.exe
C:\Windows\System\WFQSFlz.exe
C:\Windows\System\mOJAdbh.exe
C:\Windows\System\EbMXaXL.exe
C:\Windows\System\LMslXBE.exe
C:\Windows\System\ngvyGAY.exe

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_50f086da7ee2725d5de1c4956e94121f_cobalt-strike_cobaltstrike.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_50f086da7ee2725d5de1c4956e94121f_cobalt-strike_cobaltstrike.exe N/A

SeLockMemoryPrivilege is the privilege XMRig enables so it can back the RandomX dataset with large pages. AdjustTokenPrivileges can only enable a privilege the token already holds, and SeLockMemoryPrivilege is not granted to Administrators by default, so on a stock host this request usually fails and the miner falls back to normal pages; the request itself is still a strong miner indicator and is rarely seen from ordinary user software.

Suspicious use of WriteProcessMemory

Process in every row: C:\Users\Admin\AppData\Local\Temp\2024-05-27_50f086da7ee2725d5de1c4956e94121f_cobalt-strike_cobaltstrike.exe (PID 3000); no indicator recorded. The report lists three writes to each child; they are collapsed here to one row per child.

Description                          Writes  Target
PID 3000 wrote to memory of 2108     3       C:\Windows\System\BDedelo.exe
PID 3000 wrote to memory of 2692     3       C:\Windows\System\KLeSGtN.exe
PID 3000 wrote to memory of 2524     3       C:\Windows\System\rpfuRYw.exe
PID 3000 wrote to memory of 3060     3       C:\Windows\System\fXIOItp.exe
PID 3000 wrote to memory of 2772     3       C:\Windows\System\rqqiBMj.exe
PID 3000 wrote to memory of 2584     3       C:\Windows\System\jzWXUBQ.exe
PID 3000 wrote to memory of 2688     3       C:\Windows\System\WFQSFlz.exe
PID 3000 wrote to memory of 2436     3       C:\Windows\System\mOJAdbh.exe
PID 3000 wrote to memory of 2484     3       C:\Windows\System\vsHGiNh.exe
PID 3000 wrote to memory of 2932     3       C:\Windows\System\EbMXaXL.exe
PID 3000 wrote to memory of 524      3       C:\Windows\System\emOwPkj.exe
PID 3000 wrote to memory of 944      3       C:\Windows\System\sOiZuVH.exe
PID 3000 wrote to memory of 1352     3       C:\Windows\System\yLBrHWA.exe
PID 3000 wrote to memory of 1728     3       C:\Windows\System\kMFKoKK.exe
PID 3000 wrote to memory of 1640     3       C:\Windows\System\lhYGUVQ.exe
PID 3000 wrote to memory of 2732     3       C:\Windows\System\iYXJfMX.exe
PID 3000 wrote to memory of 2800     3       C:\Windows\System\LMslXBE.exe
PID 3000 wrote to memory of 2904     3       C:\Windows\System\UNShqLs.exe
PID 3000 wrote to memory of 1324     3       C:\Windows\System\cqeJkYs.exe
PID 3000 wrote to memory of 2644     3       C:\Windows\System\ngvyGAY.exe
PID 3000 wrote to memory of 1336     3       C:\Windows\System\mgMlRlZ.exe

A parent writing a few times into a child it has just created is also what ordinary process creation looks like in an API trace (the parent populates the new process's startup parameters), so this signature on its own is weak evidence of injection. The stronger evidence here is the combination with the reflective-loader matches and with the Files section, where the parent holds regions at the same addresses and size as the children's image ranges.
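The rows above are flattened "Description Indicator Process Target" tables, which is awkward to triage by eye once there are dozens of near-duplicate entries. The following is an added example, not part of the sandbox report, that parses a handful of rows copied from the tables above into structured facts and applies the heuristic an analyst would apply by hand: many random-named executables created under C:\Windows\System, each then started and written to by the dropper, plus a SeLockMemoryPrivilege request. The regular expressions, the seven-letter name pattern and the min_drops threshold are assumptions chosen to fit this report, not fields of the sandbox's own output format.

```python
import re
from collections import Counter, defaultdict

# Path of the submitted sample exactly as it appears throughout this report.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\2024-05-27_50f086da7ee2725d5de1c4956e94121f_cobalt-strike_cobaltstrike.exe"

# Constructed input, built from values copied out of the behavioral1 tables
# above (a subset: the report has 21 dropped files and 63 write rows).
DROPS = [r"C:\Windows\System\KLeSGtN.exe", r"C:\Windows\System\yLBrHWA.exe",
         r"C:\Windows\System\rpfuRYw.exe", r"C:\Windows\System\BDedelo.exe",
         r"C:\Windows\System\fXIOItp.exe"]
CHILDREN = {2108: r"C:\Windows\System\BDedelo.exe", 2692: r"C:\Windows\System\KLeSGtN.exe",
            2524: r"C:\Windows\System\rpfuRYw.exe", 3060: r"C:\Windows\System\fXIOItp.exe"}
REPORT_ROWS = (
    [f"File created {p} {SAMPLE} N/A" for p in DROPS]
    + [f"Token: SeLockMemoryPrivilege N/A {SAMPLE} N/A"] * 2
    + [f"PID 3000 wrote to memory of {pid} N/A {SAMPLE} {t}"
       for pid, t in CHILDREN.items() for _ in range(3)]  # report lists each write 3x
)

# Row shapes as they appear in this report (assumed, not a documented format).
FILE_RE = re.compile(r"^File created (\S+) (\S+) (\S+)$")
TOKEN_RE = re.compile(r"^Token: (\S+) (\S+) (\S+) (\S+)$")
WRITE_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) (\S+) (\S+) (\S+)$")
RANDOM_EXE = re.compile(r"^[A-Za-z]{7}\.exe$")   # naming pattern seen in this report


def parse_rows(rows):
    """Turn flattened 'Description Indicator Process Target' rows into facts."""
    facts = {"dropped": {}, "writes": Counter(), "child_image": {},
             "privileges": defaultdict(set)}
    for row in rows:
        if m := FILE_RE.match(row):
            path, proc, _target = m.groups()
            facts["dropped"][path] = proc                 # dropped path -> creating process
        elif m := TOKEN_RE.match(row):
            priv, _ind, proc, _target = m.groups()
            facts["privileges"][proc].add(priv)           # process -> privileges requested
        elif m := WRITE_RE.match(row):
            src, dst, _ind, _proc, target = m.groups()
            facts["writes"][(int(src), int(dst))] += 1    # (parent pid, child pid) -> count
            facts["child_image"][int(dst)] = target       # child pid -> image path
    return facts


def assess(facts, min_drops=5):
    """Heuristic verdict. min_drops is an assumed threshold, not taken from the report."""
    sysdir = "c:\\windows\\system\\"
    random_drops = [p for p in facts["dropped"]
                    if p.lower().startswith(sysdir) and RANDOM_EXE.match(p.rsplit("\\", 1)[-1])]
    started = set(facts["child_image"].values())          # images the parent wrote into
    dropped_and_run = [p for p in random_drops if p in started]
    wants_lock_memory = any("SeLockMemoryPrivilege" in s for s in facts["privileges"].values())

    findings = []
    if len(random_drops) >= min_drops:
        findings.append(f"{len(random_drops)} random-named EXEs created under C:\\Windows\\System")
    if dropped_and_run:
        findings.append(f"{len(dropped_and_run)} of them were started and written to by the dropper")
    if wants_lock_memory:
        findings.append("SeLockMemoryPrivilege requested (XMRig enables it for large pages)")
    return findings


if __name__ == "__main__":
    for line in assess(parse_rows(REPORT_ROWS)):
        print(line)
```

Feeding the full 21-file, 63-row tables through parse_rows gives the same three findings with larger counts; the per-child write counter is what exposes the triplication that the collapsed table above removes by hand.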

Processes

PID 3000  C:\Users\Admin\AppData\Local\Temp\2024-05-27_50f086da7ee2725d5de1c4956e94121f_cobalt-strike_cobaltstrike.exe
          command line: "C:\Users\Admin\AppData\Local\Temp\2024-05-27_50f086da7ee2725d5de1c4956e94121f_cobalt-strike_cobaltstrike.exe"

Children started by PID 3000 (PIDs taken from the WriteProcessMemory table; for every child the recorded command line is the image path itself):

PID 2108  C:\Windows\System\BDedelo.exe
PID 2692  C:\Windows\System\KLeSGtN.exe
PID 2524  C:\Windows\System\rpfuRYw.exe
PID 3060  C:\Windows\System\fXIOItp.exe
PID 2772  C:\Windows\System\rqqiBMj.exe
PID 2584  C:\Windows\System\jzWXUBQ.exe
PID 2688  C:\Windows\System\WFQSFlz.exe
PID 2436  C:\Windows\System\mOJAdbh.exe
PID 2484  C:\Windows\System\vsHGiNh.exe
PID 2932  C:\Windows\System\EbMXaXL.exe
PID 524   C:\Windows\System\emOwPkj.exe
PID 944   C:\Windows\System\sOiZuVH.exe
PID 1352  C:\Windows\System\yLBrHWA.exe
PID 1728  C:\Windows\System\kMFKoKK.exe
PID 1640  C:\Windows\System\lhYGUVQ.exe
PID 2732  C:\Windows\System\iYXJfMX.exe
PID 2800  C:\Windows\System\LMslXBE.exe
PID 2904  C:\Windows\System\UNShqLs.exe
PID 1324  C:\Windows\System\cqeJkYs.exe
PID 2644  C:\Windows\System\ngvyGAY.exe
PID 1336  C:\Windows\System\mgMlRlZ.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 (none) tcp

Six connections were recorded, all to this single endpoint. The Domain column is empty in every row, so no name resolution preceded the connections during the run. Nothing about the content of the traffic is recorded here, so the endpoint cannot be classified as mining pool or command-and-control from this report alone; treat the IP:port pair as the network indicator.

Files

Entries are in the sandbox's own emission order: dropped executables with their hashes, interleaved with memory dumps named memory/<pid>-<sequence>-<start>-<end>-memory.dmp. Apart from one 0x10000-byte region in PID 3000, every dumped region is exactly 0x354000 bytes long, and the parent (PID 3000) holds regions at the same addresses as the image ranges later dumped from its children (for example 0x13FDD0000-0x140124000 appears for both PID 3000 and PID 2692), which matches its WriteProcessMemory calls above; the parent's same-sized region at 0x2250000, well below any image base, is consistent with an in-memory copy of the payload prepared before it is written out. Paths recorded as \Windows\system\... and C:\Windows\system\... refer to the files listed under Drops file in Windows directory; each of the 21 dropped files has a different hash even though the dumped images are all the same size.

memory/3000-0-0x000000013F160000-0x000000013F4B4000-memory.dmp

memory/3000-1-0x0000000000080000-0x0000000000090000-memory.dmp

C:\Windows\system\BDedelo.exe

MD5 9155f28ba857d3f78726bbec92192659
SHA1 3d65d8b0ef8a7fb72fa383b6ee94cc793875775a
SHA256 fdb931cb5fcb826b0422f416a0851b557f467ee99765af587646f5181ec07748
SHA512 776106d5dba6e59e945e0a0f3a53e2e02bab03730e55049eb816b3aecb565dc05e1f6cca05716c355a6f87eea4f9c867c60033416358f0047f8086b4b14d1e23

C:\Windows\system\KLeSGtN.exe

MD5 71f1c83fac495629f70811954647e716
SHA1 ba225743a2f65c6ccc01a190e75fa85ba2678c4f
SHA256 dc16f21b7556aba6875b124bee2f27b864282e05c1e611452a310c61374b3b24
SHA512 e75d81463b3dc2b20cb977ef1f584bf2ef0af3038f56d60b4c625febbbcfe5ada5dc27344c76d107d2621928eec2a9c94682985e5936a9105aab20a80770e302

C:\Windows\system\rpfuRYw.exe

MD5 883552ad9704a0621596ace69c91b897
SHA1 318c5dc9d44e2a3775b1aa75f750ea4677a4282d
SHA256 f2590bfc8b18fbdf671b06b50d9fbfbdf4d3ca4a84ae3b4da9d7a0ec0ae6466d
SHA512 0294ad880f7d77717485e58e0e0b8d500ff7992e8473ad78583f7894a11eedd9f1f217445d69a6a1bf3ac850078cbb313b3926d2b01ad3c56d216aa252e2f026

memory/2692-13-0x000000013FDD0000-0x0000000140124000-memory.dmp

memory/2524-26-0x000000013FE00000-0x0000000140154000-memory.dmp

memory/3000-15-0x000000013FDD0000-0x0000000140124000-memory.dmp

memory/3000-24-0x000000013FE00000-0x0000000140154000-memory.dmp

memory/3060-36-0x000000013FFA0000-0x00000001402F4000-memory.dmp

\Windows\system\jzWXUBQ.exe

MD5 9d845236df870801961af023805adde7
SHA1 7bccb4239484f66a208ca22d0f9e840d0cb5de66
SHA256 0e7780b4f9ee3445f9835ddc7f0e0fd308dbb15bc0880109d3a886009882cd54
SHA512 af7d697dcdb7e10553b0720271e8c1f067926608901784788b0a71e00f24140d965f024cf791c2e446cd443643d5afecb24e1aaebd4916da0b799e69c99ff5e5

memory/3000-38-0x000000013F9D0000-0x000000013FD24000-memory.dmp

\Windows\system\fXIOItp.exe

MD5 f3decf36fb5820c66b40aa1cd01f694e
SHA1 fdf5af81222ea902c4f3094646124b4875d228d7
SHA256 0183ffc036d90b918511c4f60da80a164749124b196e13b599c89bd6812ec22d
SHA512 c6d29a291fab749881d89205bd2d99019362f29e9a2072c255a703f97ab0fa4bc9d77fa87f1c7186f9e4f6b21cce03706152cfaf9ea141983f8a1699c5c54bad

memory/2108-14-0x000000013FB00000-0x000000013FE54000-memory.dmp

memory/2772-33-0x000000013F6D0000-0x000000013FA24000-memory.dmp

memory/3000-32-0x000000013F6D0000-0x000000013FA24000-memory.dmp

memory/3000-30-0x000000013FFA0000-0x00000001402F4000-memory.dmp

C:\Windows\system\rqqiBMj.exe

MD5 2ba7adf8b1e75516882d7ca3747023ce
SHA1 3975cc8380e0b0ef5af647e336f379c78df11e40
SHA256 b34253e7af1472c447219ca57fc16948864933f8aa2c33a6a90a6e882656bbb3
SHA512 2d302d71d73adbce105a2e8f620c9f1dce9cda348f865d2e73eb66a28a7b940e9665a64523cde0028f962d80daa13cffb0f9def7d85dcf8819af76df2060eb0c

\Windows\system\EbMXaXL.exe

MD5 5cb483c508de3690e8b84257e46e355f
SHA1 8c9c16ca06baaa8cab76ab4877fa0a57da20b8b9
SHA256 2e23acde8ef759b6613e19c007d5b62f0b54920cc73004d0c7c9a624fb24c879
SHA512 697f2614ccd995f8505a67f087e26183a654e53c9029a2062b81d725c702ac4192d0b13ee7973ff5aa891dd84cacb4af3fe25022c1dc0e0613b358988b82d845

\Windows\system\vsHGiNh.exe

MD5 e72550e33e1ba2a2dde75a2976ea7023
SHA1 2840a04e61981d503f07c73e677e809397e20c8a
SHA256 ac5a5b8ad9e1fc891988ba70df2477842b856e9be1048dae96eab6f26ca3bff2
SHA512 b2ac384911d8f303bf44973ac01754c1caa0b1e174e0ba1fa1d7b0dbd403f07069559efb3fac92f86e104cf7a1dbe0b4af38bb74b67475b581c579c5fe445371

memory/1640-119-0x000000013F200000-0x000000013F554000-memory.dmp

\Windows\system\sOiZuVH.exe

MD5 81a34846f761adb98847a0ad6ed635e9
SHA1 84fae37d527e0c065efc1d3713fd95717dadc2ae
SHA256 731ba4f95509af81da6e6b2d1a66ede5a593f02d07d61785fd673d1b43481bb8
SHA512 a464271792cff7266c016f1d5ff094a1d7ec6596f7f5fedc7f0f0f0475b2c83bb0e5a76c55030888b89e1e6d0c45f8ac9beca6cdd7e2a3ad82af196332430e61

C:\Windows\system\cqeJkYs.exe

MD5 0592ccf30f26a14a95d508fbbc356d5e
SHA1 45a902b87c96ca7a43df739a1d6fd91f1f5fe06e
SHA256 d9ce07f31e8bb6322c8472887d284ea48fdd4e2662af1f09831841f769b9c5c3
SHA512 39d7d1313eaaa83013111cba0cac83153fe7a2e0f7b27468d18e70094dff4c4cff1ca077679055a297edfedb2baf07aa5292e580c93a6481790968528f66dc4e

\Windows\system\ngvyGAY.exe

MD5 895de2d6b57252dbe62eadc967d57e86
SHA1 3881a19ef4ba507edea8b7cc8b1ba3afe62d50d9
SHA256 9e16e04689d43e5ae8dd8a298b20201c324ba3111999d0c331c9ce475e965fad
SHA512 e1acf1ce6f37cbadea53de46cf767d66d5d0e3c02f45514e9e2755858be11b0db7d647e5dc238ad1681a0bd043b29bb1e5d1a76a81f7fd5669569d9259231cb8

memory/3000-102-0x000000013FC30000-0x000000013FF84000-memory.dmp

\Windows\system\UNShqLs.exe

MD5 d0be02233b023f03ebf19098b0fcf11d
SHA1 0a15008612bee287c85238b0b92dc9e0f9f0dceb
SHA256 8a023c3dbfd5e2a2eb76d0f2a72d0df402a7abe335bf8d80f6a6a62768120cf2
SHA512 524cf931ce43513430349d7058af3c428cc544f187ffb163725cb9a9cbfa7b494c2be73b26ab8dd31e0de11c7c25cf708179a20b0e8d17a3bd4b69ccc3931e71

memory/3000-91-0x000000013F870000-0x000000013FBC4000-memory.dmp

\Windows\system\iYXJfMX.exe

MD5 56d573fd0a2121de80767ad887105637
SHA1 653319af456908f14b6650d3ccc494c61fad5fb4
SHA256 3c668089b3e421f5fd6657e5c8bf00d49c0a29e30f8a2d65cab45c5867391b1e
SHA512 18430959c6426ea68fc50546a0225d9622c36b18bf25ddc33ef693aef773d8c396b9d369132551194e28bd1e7aef2b21b7e568055ba605efd947c7ee206ad045

memory/1352-82-0x000000013F4E0000-0x000000013F834000-memory.dmp

\Windows\system\kMFKoKK.exe

MD5 37b76a1826d39c9a6a0f2702106fe537
SHA1 dbf9819ba6bee99f9e6e23718e6777348c08905c
SHA256 c8d4240d2459b26a399f7fdf145c44f7e94641661a712ecc22192c3fe36488d0
SHA512 a40bd8c9f027ad2dac64358fb06ba3c189525fd090378e6e6402ea1518ec864138be0e2d3ad0da7699576beed7396b11330a1cc77754542548e7674b730dfc1b

memory/2436-74-0x000000013F870000-0x000000013FBC4000-memory.dmp

memory/3000-118-0x000000013F160000-0x000000013F4B4000-memory.dmp

memory/3000-117-0x000000013F980000-0x000000013FCD4000-memory.dmp

memory/3000-116-0x000000013FA60000-0x000000013FDB4000-memory.dmp

memory/3000-115-0x000000013F4E0000-0x000000013F834000-memory.dmp

memory/3000-114-0x0000000002250000-0x00000000025A4000-memory.dmp

C:\Windows\system\mgMlRlZ.exe

MD5 4490cd74fdc65b399ecc1c73c2f663b1
SHA1 32123d86508d5badfc9431d53d2d7e08341b9c9f
SHA256 1c6992103c6ba30b22a9cf2439f5910e76b49ebd20cf46eda2613ec366e1cd82
SHA512 b677619915621e7334034458a30a0ddd214e8ddea476192f5360306c87677f38e22b0e5a2a2b894b9d1374b34c7584078db1b09ff4d16334a247b19c01ef30b1

memory/2932-112-0x000000013F520000-0x000000013F874000-memory.dmp

memory/2688-98-0x000000013F050000-0x000000013F3A4000-memory.dmp

memory/3000-96-0x000000013F880000-0x000000013FBD4000-memory.dmp

C:\Windows\system\LMslXBE.exe

MD5 c71747292c680718dba336dac396ce8b
SHA1 2d7acbe3decb937709594ea22c6d2e7e33a14141
SHA256 09cf7e0d255c6af9faa98a2118d1c4e42343baf07c310e6c025ec3f270e9d726
SHA512 b46eb0670e3606839bed8b8e05c5b9293215299795d26226159c6492a2d48e2f53a867cd5da5ac1a164f89e4b77d21f95e20ec5afe4a5d6557753d99c3308559

memory/2692-125-0x000000013FDD0000-0x0000000140124000-memory.dmp

C:\Windows\system\lhYGUVQ.exe

MD5 15a63fa93460f584b6d7c68dbee29952
SHA1 f6dc231a839819ceb50c7647e2911c63936ac6d7
SHA256 316567040d3a70809f960446dc44e09884e460475fdf18a1c731fe189aeddf78
SHA512 ba98b6b266426bd4c0f39a58c9a77add09759946a185c3ca3c3cfa295702e7550fd1cba163b74405801844ffa53dcb5113b2e6af576c0de2e32ab3bf89203e00

memory/524-79-0x000000013FC30000-0x000000013FF84000-memory.dmp

C:\Windows\system\yLBrHWA.exe

MD5 6d8fd52e59e82f0f4724ca170fb4bf4e
SHA1 1716f65a7d28cc794404d2744b3c93cfa8daf4e3
SHA256 74ce42a68b12984865104a1ce2561818c7890bd26b2a834fcb99587b4e24a3f7
SHA512 ab926852abbf740d6bd0a1afb4a355ef979c4a490100709e77ad7ee225f020eb7d36c2e6a1b0c0efaeb6340ec0004054be7db678b0ed79267d9774ae87bfe4c6

memory/2484-70-0x000000013F880000-0x000000013FBD4000-memory.dmp

C:\Windows\system\emOwPkj.exe

MD5 9813d25f4377687c0597c4791bc7e0d9
SHA1 9a24d5d4b37aa81fc65c644cda9c13041ada4170
SHA256 de96f183f96c258a2e9251e3a8a44cc9c1b65683bd602740dd3a37b64deff378
SHA512 baf339f9445ddcf322808cf70585a63b394cd0f81820ece4f2c1ed1299c0bef45f69e0fdaf2431043b0da4c0adc14756aa4d5884abb24e599eed856ce5cfd279

memory/3000-64-0x000000013F520000-0x000000013F874000-memory.dmp

C:\Windows\system\mOJAdbh.exe

MD5 4ed1701bc8ddd47385e96a459a9b6f38
SHA1 ad467b0ca948aaa25b21688e9a10167fbd19b7b1
SHA256 768ee3d3cfdcf274616d6bd8cd7fda6a333ca1b7287bb42e9513a5901c1c7645
SHA512 4b6da1875152c4c46a510004c1a02a518133934c67b1f51535bb9b44cb6a541133555eef22ba57cb2a55db3e940c25727fb2034c44acff39fa9e7d961bfdbfe3

C:\Windows\system\WFQSFlz.exe

MD5 349875c45f56cab51f3d197bda5e321e
SHA1 9efeca14d020cd82be80540cae8746220f20aba1
SHA256 7e74562f62a6a75d4aeea57a9f7b9de0911c08120fe78a915b77565ff3397574
SHA512 df7c88b38de865ea7b64bf7d87ba1ad4c46b16088722089ef3d3634eedead1a6816ca6ba75373bc159c5ca9efa71c67ccbd33cef4f0cf54653befc839fa853d3

memory/2584-55-0x000000013F9D0000-0x000000013FD24000-memory.dmp

memory/2584-135-0x000000013F9D0000-0x000000013FD24000-memory.dmp

memory/1352-136-0x000000013F4E0000-0x000000013F834000-memory.dmp

memory/1640-137-0x000000013F200000-0x000000013F554000-memory.dmp

memory/2108-138-0x000000013FB00000-0x000000013FE54000-memory.dmp

memory/2524-139-0x000000013FE00000-0x0000000140154000-memory.dmp

memory/2772-141-0x000000013F6D0000-0x000000013FA24000-memory.dmp

memory/2692-140-0x000000013FDD0000-0x0000000140124000-memory.dmp

memory/3060-142-0x000000013FFA0000-0x00000001402F4000-memory.dmp

memory/2584-143-0x000000013F9D0000-0x000000013FD24000-memory.dmp

memory/2688-144-0x000000013F050000-0x000000013F3A4000-memory.dmp

memory/2484-145-0x000000013F880000-0x000000013FBD4000-memory.dmp

memory/2932-148-0x000000013F520000-0x000000013F874000-memory.dmp

memory/2436-147-0x000000013F870000-0x000000013FBC4000-memory.dmp

memory/524-146-0x000000013FC30000-0x000000013FF84000-memory.dmp

memory/1352-149-0x000000013F4E0000-0x000000013F834000-memory.dmp

memory/1640-150-0x000000013F200000-0x000000013F554000-memory.dmp