Malware Analysis Report

2024-10-24 18:15

Sample ID 240607-b5ec6agf66
Target 2024-06-07_4255859d1910c64892a46db2c71a6145_cobalt-strike_cobaltstrike
SHA256 ceab942ce0f34d496e9bc456dffff321cbe25a88c5872fdd8b59fdf88a89b368
Tags
miner upx 0 xmrig cobaltstrike backdoor trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

ceab942ce0f34d496e9bc456dffff321cbe25a88c5872fdd8b59fdf88a89b368

Threat Level: Known bad

The file 2024-06-07_4255859d1910c64892a46db2c71a6145_cobalt-strike_cobaltstrike was found to be: Known bad.

Malicious Activity Summary

Tags: miner upx 0 xmrig cobaltstrike backdoor trojan

Families: Cobaltstrike, Xmrig

Signatures (each listed once; the static and behavioral sections below give the per-analysis hits):

Cobalt Strike reflective loader

Detects Reflective DLL injection artifacts

XMRig Miner payload

UPX dump on OEP (original entry point)

UPX packed file

Loads dropped DLL

Executes dropped EXE

Drops file in Windows directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-07 01:43

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike family

cobaltstrike

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Xmrig family

xmrig

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
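The two header-level static signatures above, "UPX packed file" and "Unsigned PE", are checks an analyst can reproduce from the PE headers alone. The following is an added example, not code from the report or from the sandbox vendor: a minimal PE header parser that reads the section table (UPX's stock section names are UPX0/UPX1) and the Authenticode certificate data directory (an unsigned binary has an empty entry). The helper that builds a header-only PE is constructed test data so the check runs offline; run it against a real file by passing `open(path, "rb").read()` to `inspect_pe`. Both heuristics are deliberately shallow: a UPX build with renamed sections, or a packer other than UPX, passes the first, and a present certificate table says nothing about whether the signature verifies. The "UPX dump on OEP" signature is the sandbox's answer to the first gap: it dumps the image once the unpacking stub jumps to the original entry point, and that dump is what the payload rules match.

```python
import struct

IMAGE_DIRECTORY_ENTRY_SECURITY = 4  # Authenticode certificate table


def build_minimal_pe(section_names, security_dir=(0, 0), pe32plus=True):
    """Construct a header-only PE image (constructed test data, not runnable code).

    Only the fields the checks below read are populated: DOS stub, PE signature,
    COFF header, optional header magic and data directories, section table.
    """
    pe_off = 0x40
    dos = bytearray(pe_off)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, pe_off)                # e_lfanew
    magic, opt_size, dirs_off = (0x20B, 240, 112) if pe32plus else (0x10B, 224, 96)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, magic)
    struct.pack_into("<I", opt, dirs_off - 4, 16)            # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, dirs_off + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY, *security_dir)
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C,
                       len(section_names), 0, 0, 0, opt_size, 0x22)
    sections = b"".join(n.encode("ascii").ljust(8, b"\0") + bytes(32) for n in section_names)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sections


def inspect_pe(data):
    """Return section names, a UPX section-name heuristic and whether an Authenticode
    certificate table is present. Raises ValueError on non-PE input."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    n_sections = struct.unpack_from("<H", data, pe_off + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe_off + 20)[0]
    opt_off = pe_off + 24
    magic = struct.unpack_from("<H", data, opt_off)[0]
    dirs_off = 112 if magic == 0x20B else 96                 # PE32+ vs PE32 layout
    n_dirs = struct.unpack_from("<I", data, opt_off + dirs_off - 4)[0]
    sec_size = 0
    if n_dirs > IMAGE_DIRECTORY_ENTRY_SECURITY:
        _, sec_size = struct.unpack_from(
            "<II", data, opt_off + dirs_off + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)
    table = opt_off + opt_size
    names = [data[table + 40 * i:table + 40 * i + 8].rstrip(b"\0").decode("ascii", "replace")
             for i in range(n_sections)]
    return {
        "sections": names,
        # UPX's stock section names; a renamed-section UPX build will not trip this.
        "upx_packed": any(n.upper().startswith("UPX") for n in names),
        # Presence of a certificate table only; validity still needs signature verification.
        "has_authenticode": sec_size > 0,
    }


if __name__ == "__main__":
    print(inspect_pe(build_minimal_pe(["UPX0", "UPX1", ".rsrc"])))
```

The offsets are the documented ones from the PE/COFF specification: the COFF header follows the 4-byte signature, the optional header follows the 20-byte COFF header, and the section table follows the optional header at the length the COFF header declares, so the parser works for both PE32 and PE32+ without trusting the file to be well formed beyond the signature check.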

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-07 01:43

Reported

2024-06-07 01:56

Platform

win7-20240508-en

Max time kernel

142s

Max time network

160s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-07_4255859d1910c64892a46db2c71a6145_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
(43 hits; description, indicator, process and target N/A for all of them)

XMRig Miner payload

miner
Description Indicator Process Target
(55 hits; description, indicator, process and target N/A for all of them)

Loads dropped DLL

Description Indicator Process Target
(21 hits, one per dropped executable, all from process C:\Users\Admin\AppData\Local\Temp\2024-06-07_4255859d1910c64892a46db2c71a6145_cobalt-strike_cobaltstrike.exe; description, indicator and target N/A)

UPX packed file

upx
Description Indicator Process Target
(64 hits; description, indicator, process and target N/A for all of them)

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\fTKdHwh.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_4255859d1910c64892a46db2c71a6145_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\IciMNyV.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_4255859d1910c64892a46db2c71a6145_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\EvgaWoa.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_4255859d1910c64892a46db2c71a6145_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\GNozFdd.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_4255859d1910c64892a46db2c71a6145_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ywTWRQU.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_4255859d1910c64892a46db2c71a6145_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ZQoQykr.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_4255859d1910c64892a46db2c71a6145_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\fRYCedK.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_4255859d1910c64892a46db2c71a6145_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\pRBfYAq.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_4255859d1910c64892a46db2c71a6145_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\rrMYrHS.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_4255859d1910c64892a46db2c71a6145_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\nrAKZPi.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_4255859d1910c64892a46db2c71a6145_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ZojZUZx.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_4255859d1910c64892a46db2c71a6145_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\wVBcqVK.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_4255859d1910c64892a46db2c71a6145_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\MrYcRAI.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_4255859d1910c64892a46db2c71a6145_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\lmTNXSn.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_4255859d1910c64892a46db2c71a6145_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\WrVzcxN.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_4255859d1910c64892a46db2c71a6145_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\yeuSBZC.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_4255859d1910c64892a46db2c71a6145_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\tSPNrqG.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_4255859d1910c64892a46db2c71a6145_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\yITuXyf.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_4255859d1910c64892a46db2c71a6145_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\BnkMXrr.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_4255859d1910c64892a46db2c71a6145_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\huyjgfH.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_4255859d1910c64892a46db2c71a6145_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\HcSzbnx.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_4255859d1910c64892a46db2c71a6145_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_4255859d1910c64892a46db2c71a6145_cobalt-strike_cobaltstrike.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_4255859d1910c64892a46db2c71a6145_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
(each child appears three times in the raw table; collapsed here to one row per child)
PID 572 wrote to memory of 2332 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_4255859d1910c64892a46db2c71a6145_cobalt-strike_cobaltstrike.exe C:\Windows\System\ZQoQykr.exe
PID 572 wrote to memory of 2824 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_4255859d1910c64892a46db2c71a6145_cobalt-strike_cobaltstrike.exe C:\Windows\System\yeuSBZC.exe
PID 572 wrote to memory of 2136 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_4255859d1910c64892a46db2c71a6145_cobalt-strike_cobaltstrike.exe C:\Windows\System\wVBcqVK.exe
PID 572 wrote to memory of 2748 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_4255859d1910c64892a46db2c71a6145_cobalt-strike_cobaltstrike.exe C:\Windows\System\tSPNrqG.exe
PID 572 wrote to memory of 2776 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_4255859d1910c64892a46db2c71a6145_cobalt-strike_cobaltstrike.exe C:\Windows\System\MrYcRAI.exe
PID 572 wrote to memory of 2640 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_4255859d1910c64892a46db2c71a6145_cobalt-strike_cobaltstrike.exe C:\Windows\System\fTKdHwh.exe
PID 572 wrote to memory of 2692 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_4255859d1910c64892a46db2c71a6145_cobalt-strike_cobaltstrike.exe C:\Windows\System\IciMNyV.exe
PID 572 wrote to memory of 2608 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_4255859d1910c64892a46db2c71a6145_cobalt-strike_cobaltstrike.exe C:\Windows\System\fRYCedK.exe
PID 572 wrote to memory of 2800 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_4255859d1910c64892a46db2c71a6145_cobalt-strike_cobaltstrike.exe C:\Windows\System\pRBfYAq.exe
PID 572 wrote to memory of 2796 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_4255859d1910c64892a46db2c71a6145_cobalt-strike_cobaltstrike.exe C:\Windows\System\yITuXyf.exe
PID 572 wrote to memory of 3052 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_4255859d1910c64892a46db2c71a6145_cobalt-strike_cobaltstrike.exe C:\Windows\System\BnkMXrr.exe
PID 572 wrote to memory of 3020 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_4255859d1910c64892a46db2c71a6145_cobalt-strike_cobaltstrike.exe C:\Windows\System\EvgaWoa.exe
PID 572 wrote to memory of 2728 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_4255859d1910c64892a46db2c71a6145_cobalt-strike_cobaltstrike.exe C:\Windows\System\GNozFdd.exe
PID 572 wrote to memory of 2860 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_4255859d1910c64892a46db2c71a6145_cobalt-strike_cobaltstrike.exe C:\Windows\System\lmTNXSn.exe
PID 572 wrote to memory of 2896 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_4255859d1910c64892a46db2c71a6145_cobalt-strike_cobaltstrike.exe C:\Windows\System\WrVzcxN.exe
PID 572 wrote to memory of 2980 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_4255859d1910c64892a46db2c71a6145_cobalt-strike_cobaltstrike.exe C:\Windows\System\ywTWRQU.exe
PID 572 wrote to memory of 1816 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_4255859d1910c64892a46db2c71a6145_cobalt-strike_cobaltstrike.exe C:\Windows\System\rrMYrHS.exe
PID 572 wrote to memory of 1996 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_4255859d1910c64892a46db2c71a6145_cobalt-strike_cobaltstrike.exe C:\Windows\System\nrAKZPi.exe
PID 572 wrote to memory of 1396 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_4255859d1910c64892a46db2c71a6145_cobalt-strike_cobaltstrike.exe C:\Windows\System\ZojZUZx.exe
PID 572 wrote to memory of 1924 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_4255859d1910c64892a46db2c71a6145_cobalt-strike_cobaltstrike.exe C:\Windows\System\huyjgfH.exe
PID 572 wrote to memory of 2156 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_4255859d1910c64892a46db2c71a6145_cobalt-strike_cobaltstrike.exe C:\Windows\System\HcSzbnx.exe
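Read together, the three behavioral tables above describe one chain: the submitted sample (PID 572) writes 21 executables with seven-letter, mixed-case names into C:\Windows\System (the legacy 16-bit system directory, which needs elevated rights to write to and rarely gains new files), starts each one as a child, writes into each child's memory, and enables SeLockMemoryPrivilege, the right XMRig asks for to back its RandomX scratchpad with large pages. The following is an added example, not code from the report or from the sandbox vendor: a small correlation rule over host telemetry that flags drop-and-execute into C:\Windows\System and SeLockMemoryPrivilege use by anything outside an allow-list. The event stream is constructed in a Sysmon-like shape (event ID 1 process create, 11 file create, and Security event 4703 token right adjusted, which requires the "Audit Token Right Adjusted" policy); "sample.exe" stands in for the submitted file, the allow-list is an assumption to tune per fleet, and PIDs follow the report. The WriteProcessMemory hits are deliberately left out: that signature records API calls, not what was written, and whether this is hollowing, a loader patching its child, or bookkeeping around process creation is settled from the dumped regions, not from the call count.

```python
import re
from collections import defaultdict

# Constructed telemetry shaped like Sysmon event IDs 1 (process create) and 11 (file
# create) plus Security event 4703 (token right adjusted). Not the sandbox's raw log;
# "sample.exe" stands in for the submitted file, PIDs follow the report.
SAMPLE_EVENTS = [
    (1,    {"pid": 572,  "ppid": 1100, "image": r"C:\Users\Admin\AppData\Local\Temp\sample.exe"}),
    (11,   {"pid": 572,  "target": r"C:\Windows\System\ZQoQykr.exe"}),
    (11,   {"pid": 572,  "target": r"C:\Windows\System\yeuSBZC.exe"}),
    (1,    {"pid": 2332, "ppid": 572,  "image": r"C:\Windows\System\ZQoQykr.exe"}),
    (1,    {"pid": 2824, "ppid": 572,  "image": r"C:\Windows\System\yeuSBZC.exe"}),
    (4703, {"pid": 572,  "image": r"C:\Users\Admin\AppData\Local\Temp\sample.exe",
            "privilege": "SeLockMemoryPrivilege"}),
    # Benign noise the rule must ignore: an installer elsewhere, SQL Server taking large pages.
    (11,   {"pid": 900,  "target": r"C:\Program Files\Vendor\setup.exe"}),
    (1,    {"pid": 901,  "ppid": 900,  "image": r"C:\Program Files\Vendor\setup.exe"}),
    (4703, {"pid": 1500, "image": r"C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe",
            "privilege": "SeLockMemoryPrivilege"}),
]

# C:\Windows\System (the legacy 16-bit directory, not System32) rarely gains new executables.
WINDOWS_SYSTEM_EXE = re.compile(r"^[A-Za-z]:\\Windows\\System\\([^\\]+)\.exe$", re.IGNORECASE)
# Seven letters, mixed case, no digits: the shape of every dropped name in the report.
RANDOM_STEM = re.compile(r"^(?=.*[a-z])(?=.*[A-Z])[A-Za-z]{7}$")
# Assumed allow-list of images with a documented need for SeLockMemoryPrivilege (large pages).
LARGE_PAGE_ALLOW = {"sqlservr.exe"}


def looks_like_random_drop(path):
    """True for a randomly named .exe created directly under C:\\Windows\\System."""
    m = WINDOWS_SYSTEM_EXE.match(path)
    return bool(m and RANDOM_STEM.match(m.group(1)))


def analyse(events):
    """Return (kind, pid, path) findings from an ordered event stream."""
    dropped = defaultdict(set)        # dropping pid -> lower-cased paths it wrote
    findings = []
    for eid, f in events:
        if eid == 11 and looks_like_random_drop(f["target"]):
            dropped[f["pid"]].add(f["target"].lower())
            findings.append(("drop", f["pid"], f["target"]))
        elif eid == 1 and f["image"].lower() in dropped.get(f["ppid"], ()):
            # The dropper itself launched the file it just wrote.
            findings.append(("drop_and_execute", f["ppid"], f["image"]))
        elif eid == 4703 and f["privilege"] == "SeLockMemoryPrivilege":
            if f["image"].rsplit("\\", 1)[-1].lower() not in LARGE_PAGE_ALLOW:
                findings.append(("lock_memory_privilege", f["pid"], f["image"]))
    return findings


if __name__ == "__main__":
    for kind, pid, path in analyse(SAMPLE_EVENTS):
        print(f"{kind:22} pid={pid} {path}")
```

The file-create match is keyed on the dropping process and consumed by a later process-create whose parent is that process, so an unrelated service later launching the same path does not count as drop-and-execute. Sysmon records the parent only by PID, which is reused after exit; in a long-running pipeline key `dropped` on the ProcessGuid instead.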

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-07_4255859d1910c64892a46db2c71a6145_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-07_4255859d1910c64892a46db2c71a6145_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\ZQoQykr.exe

C:\Windows\System\ZQoQykr.exe

C:\Windows\System\yeuSBZC.exe

C:\Windows\System\yeuSBZC.exe

C:\Windows\System\wVBcqVK.exe

C:\Windows\System\wVBcqVK.exe

C:\Windows\System\tSPNrqG.exe

C:\Windows\System\tSPNrqG.exe

C:\Windows\System\MrYcRAI.exe

C:\Windows\System\MrYcRAI.exe

C:\Windows\System\fTKdHwh.exe

C:\Windows\System\fTKdHwh.exe

C:\Windows\System\IciMNyV.exe

C:\Windows\System\IciMNyV.exe

C:\Windows\System\fRYCedK.exe

C:\Windows\System\fRYCedK.exe

C:\Windows\System\pRBfYAq.exe

C:\Windows\System\pRBfYAq.exe

C:\Windows\System\yITuXyf.exe

C:\Windows\System\yITuXyf.exe

C:\Windows\System\BnkMXrr.exe

C:\Windows\System\BnkMXrr.exe

C:\Windows\System\EvgaWoa.exe

C:\Windows\System\EvgaWoa.exe

C:\Windows\System\GNozFdd.exe

C:\Windows\System\GNozFdd.exe

C:\Windows\System\lmTNXSn.exe

C:\Windows\System\lmTNXSn.exe

C:\Windows\System\WrVzcxN.exe

C:\Windows\System\WrVzcxN.exe

C:\Windows\System\ywTWRQU.exe

C:\Windows\System\ywTWRQU.exe

C:\Windows\System\rrMYrHS.exe

C:\Windows\System\rrMYrHS.exe

C:\Windows\System\nrAKZPi.exe

C:\Windows\System\nrAKZPi.exe

C:\Windows\System\ZojZUZx.exe

C:\Windows\System\ZojZUZx.exe

C:\Windows\System\huyjgfH.exe

C:\Windows\System\huyjgfH.exe

C:\Windows\System\HcSzbnx.exe

C:\Windows\System\HcSzbnx.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 N/A tcp
(6 identical connection records to this destination; no domain recorded)

Files

memory/572-0-0x000000013FF20000-0x0000000140274000-memory.dmp

memory/572-1-0x00000000000F0000-0x0000000000100000-memory.dmp

\Windows\system\ZQoQykr.exe

MD5 1d51a6f9f8f706d40a78f27cac287065
SHA1 981c2096ede4558d1ebc91ef5d6ea849a5e05a26
SHA256 15b21f96ab3bc949c328ae89ca4b8971cb600187d8a414a03ad62deea81f4ef1
SHA512 f88e4c79c055461a937a826fa6bbc551f208f7399466fa47521581ae4db3bc5d256e1bf01ae134b570a11c9d09f89930e6add7d4c8135ba334d8b29af2c44c97

C:\Windows\system\yeuSBZC.exe

MD5 03686cfd6bbb43c8ac4dc50889b137b9
SHA1 6800d5588f6a43ca169ee2c40a9fceeb5a54e5ee
SHA256 ca47b446aecd91112038d34e552b47a5f46c4644080b07ddbdc37007b9159471
SHA512 529d5e858f06c4743cb789c3a961b0d51ebcf4e4349ad70aece2c30ac43062a7b4932080525c55fc8af3690ae2760c5e4efdce79b5b27264e9b359474abc77a2

C:\Windows\system\wVBcqVK.exe

MD5 bd55c8a37850d0626737d11717469d79
SHA1 53fb884c07b58454b3817a2512669857b9e86703
SHA256 0eb0ec4dbf191a3181b21c1417c5a32b7f793d882da7f301a8ece452991bb9af
SHA512 c1186a03a91b6f18a4443f429935f99a90a2866f36a83812558e86e5b67b26cc5da056c7727c190dd31a1adcb8fe79982985e6c2c66bfc39efa36d9c3a74a1e4

memory/572-25-0x000000013F2F0000-0x000000013F644000-memory.dmp

\Windows\system\tSPNrqG.exe

MD5 984a8cf637fc9f46a5be1646493a183b
SHA1 eff3045fcb5d0b4a9321004fdd3e94f3f336f5af
SHA256 0d4a824efda706db87b77805c320758f4772451fa0404efc091a4e3040c61068
SHA512 f10e98d33b97922d86b629662f92ca9b0747603db9cee26627e84885ca9797232c0f5349bf7b35b6812a24bc6e60bd825c6020365d2a762c823adc6158a78b7d

memory/2824-20-0x000000013F5C0000-0x000000013F914000-memory.dmp

memory/2136-31-0x000000013F2F0000-0x000000013F644000-memory.dmp

memory/572-36-0x000000013F5B0000-0x000000013F904000-memory.dmp

C:\Windows\system\fTKdHwh.exe

MD5 45c6005e9880ef815bd2cc24ba9d29f7
SHA1 199e963ebcaf214a938d8a83ba63929c612a41f4
SHA256 d9d8614b9c3e6832e222f8a885ebebdb81eee31a43b7a0489b01ad99a2dd13cb
SHA512 cfe1021608a188660c18e9fa60ee01b5b971f32e1c7357d8c406ab06dd41c5ec8cd1631d3d4f1ce97259f3fe545f3597d740241f00c18ef1c267cb012dc5fa61

memory/2776-37-0x000000013FA80000-0x000000013FDD4000-memory.dmp

memory/2640-38-0x000000013FAD0000-0x000000013FE24000-memory.dmp

memory/572-41-0x000000013FAD0000-0x000000013FE24000-memory.dmp

memory/2692-49-0x000000013F720000-0x000000013FA74000-memory.dmp

memory/2608-54-0x000000013F6A0000-0x000000013F9F4000-memory.dmp

memory/572-55-0x000000013F6A0000-0x000000013F9F4000-memory.dmp

C:\Windows\system\fRYCedK.exe

MD5 5fa795b3b7fbfdb00bd1230752e0c717
SHA1 c04df1c0104752fc707883394c20b7a38d950291
SHA256 824077dfd6a62e9e36be5c206334d0508de5a3b956ad1bd496fa2e71eb9a9179
SHA512 de08f47b777576f6d8782f91ad503bcf8fdc3c8ebfac425ac7200b990be02ae05d557511a5745c3ce08c930b4d0fe264f704e0ed5826f20f19f9a35af8cd315a

\Windows\system\fRYCedK.exe

MD5 4f0cb466323d60e5a42b8bbca13af789
SHA1 0b0d1d7c3420f9b8951eedc6f694291aa6860683
SHA256 14e8c6e62596f8ac3b95156893bec3348d06084f939b1ae4b0666ae0bbad22c1
SHA512 fe9b813ed2de6a08ddd4b2fb045773ce294012803d0eb1907aa77feef2f33d34b6606370f174e33cd257b2911bac027bcc9256c0387c11941a9dede8f4cf2c8a

C:\Windows\system\IciMNyV.exe

MD5 98ddbea8b700025cfea6cdb4aa3e43e8
SHA1 50ceb41fa98f8da019e896ed8b56fb815ade85c3
SHA256 f3d04b1b505bbd1edfc225f0ff843d2d6e124620e1863f1cebccc8fb38f1e763
SHA512 d10c79b9ffe04655d2ed28a606ef98f8550b5560c30acde63f1522d23a06ada25993e4c72d6366952d8876ac8ea72ef7e8996ba2e92abd973881f2d8a97c9a8a

\Windows\system\fTKdHwh.exe

MD5 e8c4508a392ccf08590d3627a36cc3c3
SHA1 3a57dd6c92ebc54582acaafd15cc9311eb0d15a2
SHA256 cea51cc96156d8e8255e2ccada29ae7300a3315f995e7ba6d44446f87dc9a09d
SHA512 f92387e78f5fe98543d9e60ae371868a188c86c9137b7d0a0d3bf28026dbd3fc59a4eb30687c1a9721f81959fcdee80d280162f492d355d2ec0e6a7c5d939410

memory/2796-67-0x000000013FEB0000-0x0000000140204000-memory.dmp

memory/572-66-0x0000000002220000-0x0000000002574000-memory.dmp

C:\Windows\system\EvgaWoa.exe

MD5 da49f1b1f2b96b49705866203751f59f
SHA1 1fb490e694febd4abb5609eba7058906c7c62fc1
SHA256 db17ce16538e3104d76c2865f6043929089867615332842fb4539363fa1e158f
SHA512 64230d121060a4ecf7e8546c8f3f841eea180c2377add458625a54155c0dd3d899c021538950ea3047fd426aed50dfc97cdf1f7e2bcab143f2777fd079bf8bf0

memory/2824-81-0x000000013F5C0000-0x000000013F914000-memory.dmp

memory/3052-74-0x000000013F160000-0x000000013F4B4000-memory.dmp

memory/3020-82-0x000000013F0C0000-0x000000013F414000-memory.dmp

C:\Windows\system\lmTNXSn.exe

MD5 79cb800fff47a06afebef72028461c94
SHA1 ff75505398b632020d3756d39d393f7d0d663647
SHA256 2760b590a3c4c257a39f7b7571e6c124eaff33574997b2f854f74eb79aa5ddcd
SHA512 78f1927d2b050cb370b68ab097fb94c3e648811aa84b2fd62943b155b74ce09079cdacc50c8966802fcb433c83f629e8829ddc1d359fa6ac0fd803671d765d22

memory/572-95-0x0000000002220000-0x0000000002574000-memory.dmp

C:\Windows\system\huyjgfH.exe

MD5 04d51d193560bd7cbe3c1aa4176588ed
SHA1 50c403f2cdd24613871102930823a4077a309a84
SHA256 d2f2e6f71c7392c54365bfeba96646f1b48bfc2b35cee99399fabe8555745a79
SHA512 16c84370d3456e4b479306cb1207e32853b3b3dacdc34ee2c06bac6f00e0ed99d27f6c49bc2894052479d03d45c8d3898044a71ee9425a44f4f5a31a42b6918a

\Windows\system\huyjgfH.exe

MD5 0628374c349921c969043e8b725a574d
SHA1 d4d4b61d7abb11c25e423140f9a833a035819e3d
SHA256 6f83751bb7dc13a49d7ca6c6a874635ca4829b15e2d7e8a8c8ddaf2890ac09c0
SHA512 2db578fa7a962b14aae5c857e6974664cd647108bf44f83523c1fc47be8f0f23756b21e5f42a2231cc51d1daf9889177945ad8eab23827274ef49200ad4dd7a1

C:\Windows\system\ZojZUZx.exe

MD5 17fc50ceee2e03d90dc66d1b696ae04c
SHA1 edb9bfabb63dae8151ef58d586ad8bd320e46954
SHA256 fc4616ed39d09901bce558c977cf8c1b0bb141044fdc081427724967ba6dd3fa
SHA512 d8c3393f993fa67b8b0595df5ee762653e8d56a623f080da9228a5a0d869ef0a7edc1d904724d72b970bf2e625e4a5f9c12c3697e318c3a3b3b8ac5cb30955dc

\Windows\system\ZojZUZx.exe

MD5 6fc1d2a6aa4e5fec1598640195150caa
SHA1 163971d08fea512c74e8dc6194438875b3a4e2dd
SHA256 c7702a558c524dcd71e1b49a725b4d00424bcfa78922fa47fa3df7ad8780489b
SHA512 32242bb3972b6c84fe04251d691d74728217a6789799a7b9b70417f9c92fed40204f2a0597f504eb1e15f95e5fdd6bfa9b9cbc89671f004164b2844ac1ca4ae4

\Windows\system\nrAKZPi.exe

MD5 7ca4c7d08ec840a69d3101c638d4b72f
SHA1 9a0bd3c709f755b63121fadc936f446aec1e7ee6
SHA256 ad375c6a067690acfdb9ba070a3a7e26450ca7423af526c703ce192d7173f7e7
SHA512 93ae69558c6397f1d10b68fc7e156b1c23dffe4348c43264d4d2484e88db3346ef1d13b6b607cc291558edc2cbc35a0667021d52c5cf7e17eeb41ed495e23c3b

memory/572-103-0x000000013F3A0000-0x000000013F6F4000-memory.dmp

C:\Windows\system\WrVzcxN.exe

MD5 77dba91fb3c2cde72cb349d9f90ca79c
SHA1 b84a9e63676a0ad38ca01ffd44702e7c9744ca69
SHA256 ed264866c0bae9fa9d4a16e9bcbd3d21ee672ee0eb5b22b64a5a0fa3926ac6d7
SHA512 7688eeb8dd7644b0c13094022c2cf5cb3e8225b2176f2a6c3aa2c5fffd3842d1f2840ab41b990e0e98d17fd029498949a429fd63ec10fb6afac0d993f6b2e67c

\Windows\system\WrVzcxN.exe

MD5 b904aa0b11b0001a5ee4d5f997afb7f9
SHA1 fe30e7c589efc57d31b042431828ddb0017008a9
SHA256 dd48781d092db4f763ea1f07dee9fd7d000fa191eaf31eeec77e9202ae4a432a
SHA512 8ecfd8bd36314ad31f899d583e9568e4017c7e6c80700dd6b0eb9cbec0631adddba3a44e2a90145ed00fa83c71d26062a01424b58e26f9c539d4f9f452a8696d

C:\Windows\system\ywTWRQU.exe

MD5 2130f4461ba7262c4b9569c7ad362fbe
SHA1 477f7cc69e47cdff19a52b2da61a04f2127580e1
SHA256 f68cab9e215b5970b95a91cba35e4b211ac827a19d524f2bf913504bdbf08025
SHA512 bd19fb9a7b432908f39c8e2a25f78223abf0f155bd219827a4b513d256827c60c965e975a97433d8f252d3353383a04a3ae742b841c52e2f210a05922493b703

memory/2692-134-0x000000013F720000-0x000000013FA74000-memory.dmp

\Windows\system\ywTWRQU.exe

MD5 06e7776c45522cd727375134e965e22f
SHA1 b3c6cc8ec21bae0f0aa8708062a4e0f18fd21432
SHA256 2e168c5305fc6931df6647569f2eac771398a9fe5bbc1782667bc1c201007bfb
SHA512 0b18810a5223438d648db6031a4bc963ddc222296395333088b069467dd1914822ad34fd9a3ff6c6694db24c914bdda3b30ab67d7943ad9a074d0ee7d9dc226d

C:\Windows\system\GNozFdd.exe

MD5 2e820f8af7aa3bf225d37608a0a87341
SHA1 b813ceb09756bee341a57c9525bd3abdbe863ab8
SHA256 de3ecb3b5fcb41244e0ad238c42dbdcdb420cd69a0a9fd4969c3c2c21a4688aa
SHA512 94100e338184f7a3ae15a222a1475fa5698953edd851085d3fd0ba1cff9c8ac4fea1d0ffc946527b9efc401e37d9d7afc7e865918e1dcb595782d3b4242cf2f4

\Windows\system\lmTNXSn.exe

MD5 8a74009f7dd9c036cc12b3f189bd9ac6
SHA1 e53d33c260bb77d6ec7f4c05d6b7a52ccd5f9de0
SHA256 b349cfcd57c9962c2310b863621992c24963856bb8765a72596762e3d22c0932
SHA512 6b058797ebf39246aeec4041256bec3900d2fe258c40c7a628ad2f0a7c71cd84516d0e4598c1b869d273f2d776086698842e42f21ab1a8adea547d9c55a56876

C:\Windows\system\BnkMXrr.exe

MD5 b5d6c8b472f6137523570f20868f4041
SHA1 61a520c4e5802e3278d223745c0d5b53798489c3
SHA256 df7d971e23b4ededa31b1693094cae103f35c8a092bea9c558c1e9bba9ccc324
SHA512 310f2bca69858a022c70080fd06c881ff6459ee943f0afef48d3fc47591912fad27b5857e0c076a90ca0c03ab0f8ff278f0a7686305712014a6bb182fc4a4229

C:\Windows\system\pRBfYAq.exe

MD5 3ee04f109da47a1ec064d84e674f1c93
SHA1 644e873cc5a86065097d9d560d0304443e10d64c
SHA256 47d2b26167d01487e92054b74706d3bb25cfa0aef4e9803e369f3581631dce9f
SHA512 9c1889d4f1db6f15c9ccdb0cc3595e9e8bef5c6661b045295c1ca732b72cf3d8471e82ed02a643342a0e821733243b7d4452a48031e235b596a8367158163fa4

\Windows\system\wVBcqVK.exe

MD5 992e15ebc2245cf970acce9948576d6c
SHA1 3322f50d4aebf915abc8a5277cd07a23adf5f127
SHA256 34aca34b8538d4e7f9b5ca1806b2281a0382769188fd9d2c13b1e312e96b00f5
SHA512 2299491ec9c9bd4a6ac0a40bf192f660f0f17c74b61aa4e0097b4c4f83a6d479f7a76f02af36d33e9826debb7591943213a22619c67db9751ef075d87dd44bf7

\Windows\system\yeuSBZC.exe

MD5 948b882543fffcfed1e8fd506bf69b4f
SHA1 4106171cc4cbd2f2efe65b5c9903b40142dccf78
SHA256 14bab81489dca2e1cc74e44d208189e8f32e1a366d57a3f472ef8c9e19634c02
SHA512 3128d5caadaea73f75706ba13001ce10cce7e244d6a1a742d007cc416105b76c631483f42081f89f218d68a5a88953bc0714cc853edc5e5dda5141b09235a8c9

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-07 01:43

Reported

2024-06-07 01:57

Platform

win10v2004-20240426-en

Max time kernel

133s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-07_4255859d1910c64892a46db2c71a6145_cobalt-strike_cobaltstrike.exe"

Signatures

xmrig

miner xmrig

UPX dump on OEP (original entry point)


XMRig Miner payload

miner

UPX packed file

upx

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\ZcrGNoP.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_4255859d1910c64892a46db2c71a6145_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\xEonPre.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_4255859d1910c64892a46db2c71a6145_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\OeyFlxe.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_4255859d1910c64892a46db2c71a6145_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\iYbvcpk.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_4255859d1910c64892a46db2c71a6145_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\eyVKxxT.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_4255859d1910c64892a46db2c71a6145_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\JLupGEA.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_4255859d1910c64892a46db2c71a6145_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\iuqHQns.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_4255859d1910c64892a46db2c71a6145_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\Jtdrhcd.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_4255859d1910c64892a46db2c71a6145_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\HCfTmfe.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_4255859d1910c64892a46db2c71a6145_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\DfVRHtb.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_4255859d1910c64892a46db2c71a6145_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\pvRluMw.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_4255859d1910c64892a46db2c71a6145_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\WobcRnx.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_4255859d1910c64892a46db2c71a6145_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\WPccKzt.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_4255859d1910c64892a46db2c71a6145_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\TgTWcfc.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_4255859d1910c64892a46db2c71a6145_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\uCSqTCl.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_4255859d1910c64892a46db2c71a6145_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\MfCoHdg.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_4255859d1910c64892a46db2c71a6145_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\slJLaCF.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_4255859d1910c64892a46db2c71a6145_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\xOYVyGL.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_4255859d1910c64892a46db2c71a6145_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\LVUxBpM.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_4255859d1910c64892a46db2c71a6145_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\xOrzLHe.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_4255859d1910c64892a46db2c71a6145_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\mMomgcf.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_4255859d1910c64892a46db2c71a6145_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_4255859d1910c64892a46db2c71a6145_cobalt-strike_cobaltstrike.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_4255859d1910c64892a46db2c71a6145_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 556 wrote to memory of 3624 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_4255859d1910c64892a46db2c71a6145_cobalt-strike_cobaltstrike.exe C:\Windows\System\LVUxBpM.exe
PID 556 wrote to memory of 3624 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_4255859d1910c64892a46db2c71a6145_cobalt-strike_cobaltstrike.exe C:\Windows\System\LVUxBpM.exe
PID 556 wrote to memory of 1176 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_4255859d1910c64892a46db2c71a6145_cobalt-strike_cobaltstrike.exe C:\Windows\System\xEonPre.exe
PID 556 wrote to memory of 1176 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_4255859d1910c64892a46db2c71a6145_cobalt-strike_cobaltstrike.exe C:\Windows\System\xEonPre.exe
PID 556 wrote to memory of 1804 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_4255859d1910c64892a46db2c71a6145_cobalt-strike_cobaltstrike.exe C:\Windows\System\OeyFlxe.exe
PID 556 wrote to memory of 1804 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_4255859d1910c64892a46db2c71a6145_cobalt-strike_cobaltstrike.exe C:\Windows\System\OeyFlxe.exe
PID 556 wrote to memory of 208 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_4255859d1910c64892a46db2c71a6145_cobalt-strike_cobaltstrike.exe C:\Windows\System\xOrzLHe.exe
PID 556 wrote to memory of 208 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_4255859d1910c64892a46db2c71a6145_cobalt-strike_cobaltstrike.exe C:\Windows\System\xOrzLHe.exe
PID 556 wrote to memory of 4824 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_4255859d1910c64892a46db2c71a6145_cobalt-strike_cobaltstrike.exe C:\Windows\System\mMomgcf.exe
PID 556 wrote to memory of 4824 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_4255859d1910c64892a46db2c71a6145_cobalt-strike_cobaltstrike.exe C:\Windows\System\mMomgcf.exe
PID 556 wrote to memory of 3668 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_4255859d1910c64892a46db2c71a6145_cobalt-strike_cobaltstrike.exe C:\Windows\System\WobcRnx.exe
PID 556 wrote to memory of 3668 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_4255859d1910c64892a46db2c71a6145_cobalt-strike_cobaltstrike.exe C:\Windows\System\WobcRnx.exe
PID 556 wrote to memory of 4688 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_4255859d1910c64892a46db2c71a6145_cobalt-strike_cobaltstrike.exe C:\Windows\System\MfCoHdg.exe
PID 556 wrote to memory of 4688 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_4255859d1910c64892a46db2c71a6145_cobalt-strike_cobaltstrike.exe C:\Windows\System\MfCoHdg.exe
PID 556 wrote to memory of 544 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_4255859d1910c64892a46db2c71a6145_cobalt-strike_cobaltstrike.exe C:\Windows\System\eyVKxxT.exe
PID 556 wrote to memory of 544 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_4255859d1910c64892a46db2c71a6145_cobalt-strike_cobaltstrike.exe C:\Windows\System\eyVKxxT.exe
PID 556 wrote to memory of 4812 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_4255859d1910c64892a46db2c71a6145_cobalt-strike_cobaltstrike.exe C:\Windows\System\WPccKzt.exe
PID 556 wrote to memory of 4812 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_4255859d1910c64892a46db2c71a6145_cobalt-strike_cobaltstrike.exe C:\Windows\System\WPccKzt.exe
PID 556 wrote to memory of 3660 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_4255859d1910c64892a46db2c71a6145_cobalt-strike_cobaltstrike.exe C:\Windows\System\TgTWcfc.exe
PID 556 wrote to memory of 3660 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_4255859d1910c64892a46db2c71a6145_cobalt-strike_cobaltstrike.exe C:\Windows\System\TgTWcfc.exe
PID 556 wrote to memory of 1688 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_4255859d1910c64892a46db2c71a6145_cobalt-strike_cobaltstrike.exe C:\Windows\System\iYbvcpk.exe
PID 556 wrote to memory of 1688 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_4255859d1910c64892a46db2c71a6145_cobalt-strike_cobaltstrike.exe C:\Windows\System\iYbvcpk.exe
PID 556 wrote to memory of 4536 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_4255859d1910c64892a46db2c71a6145_cobalt-strike_cobaltstrike.exe C:\Windows\System\iuqHQns.exe
PID 556 wrote to memory of 4536 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_4255859d1910c64892a46db2c71a6145_cobalt-strike_cobaltstrike.exe C:\Windows\System\iuqHQns.exe
PID 556 wrote to memory of 5108 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_4255859d1910c64892a46db2c71a6145_cobalt-strike_cobaltstrike.exe C:\Windows\System\JLupGEA.exe
PID 556 wrote to memory of 5108 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_4255859d1910c64892a46db2c71a6145_cobalt-strike_cobaltstrike.exe C:\Windows\System\JLupGEA.exe
PID 556 wrote to memory of 2292 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_4255859d1910c64892a46db2c71a6145_cobalt-strike_cobaltstrike.exe C:\Windows\System\Jtdrhcd.exe
PID 556 wrote to memory of 2292 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_4255859d1910c64892a46db2c71a6145_cobalt-strike_cobaltstrike.exe C:\Windows\System\Jtdrhcd.exe
PID 556 wrote to memory of 4504 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_4255859d1910c64892a46db2c71a6145_cobalt-strike_cobaltstrike.exe C:\Windows\System\HCfTmfe.exe
PID 556 wrote to memory of 4504 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_4255859d1910c64892a46db2c71a6145_cobalt-strike_cobaltstrike.exe C:\Windows\System\HCfTmfe.exe
PID 556 wrote to memory of 940 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_4255859d1910c64892a46db2c71a6145_cobalt-strike_cobaltstrike.exe C:\Windows\System\ZcrGNoP.exe
PID 556 wrote to memory of 940 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_4255859d1910c64892a46db2c71a6145_cobalt-strike_cobaltstrike.exe C:\Windows\System\ZcrGNoP.exe
PID 556 wrote to memory of 1496 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_4255859d1910c64892a46db2c71a6145_cobalt-strike_cobaltstrike.exe C:\Windows\System\DfVRHtb.exe
PID 556 wrote to memory of 1496 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_4255859d1910c64892a46db2c71a6145_cobalt-strike_cobaltstrike.exe C:\Windows\System\DfVRHtb.exe
PID 556 wrote to memory of 740 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_4255859d1910c64892a46db2c71a6145_cobalt-strike_cobaltstrike.exe C:\Windows\System\pvRluMw.exe
PID 556 wrote to memory of 740 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_4255859d1910c64892a46db2c71a6145_cobalt-strike_cobaltstrike.exe C:\Windows\System\pvRluMw.exe
PID 556 wrote to memory of 636 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_4255859d1910c64892a46db2c71a6145_cobalt-strike_cobaltstrike.exe C:\Windows\System\slJLaCF.exe
PID 556 wrote to memory of 636 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_4255859d1910c64892a46db2c71a6145_cobalt-strike_cobaltstrike.exe C:\Windows\System\slJLaCF.exe
PID 556 wrote to memory of 412 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_4255859d1910c64892a46db2c71a6145_cobalt-strike_cobaltstrike.exe C:\Windows\System\xOYVyGL.exe
PID 556 wrote to memory of 412 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_4255859d1910c64892a46db2c71a6145_cobalt-strike_cobaltstrike.exe C:\Windows\System\xOYVyGL.exe
PID 556 wrote to memory of 2888 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_4255859d1910c64892a46db2c71a6145_cobalt-strike_cobaltstrike.exe C:\Windows\System\uCSqTCl.exe
PID 556 wrote to memory of 2888 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_4255859d1910c64892a46db2c71a6145_cobalt-strike_cobaltstrike.exe C:\Windows\System\uCSqTCl.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-07_4255859d1910c64892a46db2c71a6145_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-07_4255859d1910c64892a46db2c71a6145_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\LVUxBpM.exe

C:\Windows\System\LVUxBpM.exe

C:\Windows\System\xEonPre.exe

C:\Windows\System\xEonPre.exe

C:\Windows\System\OeyFlxe.exe

C:\Windows\System\OeyFlxe.exe

C:\Windows\System\xOrzLHe.exe

C:\Windows\System\xOrzLHe.exe

C:\Windows\System\mMomgcf.exe

C:\Windows\System\mMomgcf.exe

C:\Windows\System\WobcRnx.exe

C:\Windows\System\WobcRnx.exe

C:\Windows\System\MfCoHdg.exe

C:\Windows\System\MfCoHdg.exe

C:\Windows\System\eyVKxxT.exe

C:\Windows\System\eyVKxxT.exe

C:\Windows\System\WPccKzt.exe

C:\Windows\System\WPccKzt.exe

C:\Windows\System\TgTWcfc.exe

C:\Windows\System\TgTWcfc.exe

C:\Windows\System\iYbvcpk.exe

C:\Windows\System\iYbvcpk.exe

C:\Windows\System\iuqHQns.exe

C:\Windows\System\iuqHQns.exe

C:\Windows\System\JLupGEA.exe

C:\Windows\System\JLupGEA.exe

C:\Windows\System\Jtdrhcd.exe

C:\Windows\System\Jtdrhcd.exe

C:\Windows\System\HCfTmfe.exe

C:\Windows\System\HCfTmfe.exe

C:\Windows\System\ZcrGNoP.exe

C:\Windows\System\ZcrGNoP.exe

C:\Windows\System\DfVRHtb.exe

C:\Windows\System\DfVRHtb.exe

C:\Windows\System\pvRluMw.exe

C:\Windows\System\pvRluMw.exe

C:\Windows\System\slJLaCF.exe

C:\Windows\System\slJLaCF.exe

C:\Windows\System\xOYVyGL.exe

C:\Windows\System\xOYVyGL.exe

C:\Windows\System\uCSqTCl.exe

C:\Windows\System\uCSqTCl.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 75.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp

Files

C:\Windows\System\LVUxBpM.exe

MD5 0642442db4acbbfb6037e06789624264
SHA1 923aee440a6887c7a7a8a78085aa492b2cdcee65
SHA256 5d6249e3d37c32c515e6f20e0771180c7b51c791102dfffe39e4510d623eda85
SHA512 7fc8231c299b64743a966130c519362217b11d421c0ccc65ca7c97570221449b6e5bd90caefa97b416470db36fac07c3f48ea41836b395ab190e6121598e88a1

C:\Windows\System\xEonPre.exe

MD5 7ce4ba1725e83a50f64ba525f8815dcf
SHA1 b1714a2d23cfc42c18c37e1546ac0908d8252c04
SHA256 9f7e171000696500dfb6a966f2c3ddf12dc1a77b8276ef660f14f7b7188d2908
SHA512 2dff777f276295d96892e5749316e2e8892ba50f8398f9972ecc2f6e5378213e3cdd31c7c6ab8360d3490d1ec9e77be4e73ac137e108b2eddff2feaaf600be19

C:\Windows\System\uCSqTCl.exe

MD5 4a486a2a371d8db348dc0ad03e9fd9f0
SHA1 edd912c5d606628022dc3216eaf2db7c93554ff7
SHA256 93ebf2ea35e05e71e9c9884bcb76799c1b9f2b81bf8decfe1ec83807b911916b
SHA512 deb1d7cb48c961fa18e748db8dfc9769c6fcedd4b7a26b044181e535fbdb31d7ead7b8ae69fab463473bcf0bbda0affdeecb9deffc51a89c74001f68a98bf60b

C:\Windows\System\Jtdrhcd.exe

MD5 6207c08555e637186de329c9179e16d9
SHA1 09098b1d2cbfb2ab317439f6c4fc0121d5b8f70a
SHA256 90e60744ec9da51fba847be626db348bca6bdaf98ac91b116446f5b42433003b
SHA512 a17015ce5be9dbe107f45a5361c78d0722d3574d1684f1ab5a78044304a8f13b281179a8bde4be29c0529678da2d8332817db568d46fd1e81541274c1a2a6ea7
