Malware Analysis Report

2024-10-24 18:15

Sample ID 240607-ckmdpsha49
Target 2024-06-07_b9acecfdbcb04eab0819768cc9bc34a2_cobalt-strike_cobaltstrike
SHA256 257da9dae6441cd13e0d6cf1ce31ee4afd671d73fb75575fdccfed0278324753
Tags
miner upx 0 xmrig cobaltstrike backdoor trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

257da9dae6441cd13e0d6cf1ce31ee4afd671d73fb75575fdccfed0278324753

Threat Level: Known bad

The file 2024-06-07_b9acecfdbcb04eab0819768cc9bc34a2_cobalt-strike_cobaltstrike was found to be: Known bad.

Malicious Activity Summary

miner upx 0 xmrig cobaltstrike backdoor trojan

Detects Reflective DLL injection artifacts

Cobaltstrike

Cobalt Strike reflective loader

Cobaltstrike family

UPX dump on OEP (original entry point)

UPX packed file

XMRig Miner payload

xmrig

Xmrig family

Executes dropped EXE

Loads dropped DLL

Drops file in Windows directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Note on the verdict: the Cobalt Strike and XMRig family labels rest on signature matches whose description, indicator, process and target columns are empty in this report, so they cannot be tied to a specific process or memory region from the page alone. What behavioral1 actually records is a dropper that writes 21 copies with seven-letter mixed-case names into C:\Windows\System, starts each of them, adjusts SeLockMemoryPrivilege on its own token, and opens repeated TCP connections to 3.120.209.58:8080.

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-07 02:09

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
1 match; no description, indicator, process or target recorded

Cobaltstrike family

cobaltstrike

Detects Reflective DLL injection artifacts

Description Indicator Process Target
1 match; no description, indicator, process or target recorded

UPX dump on OEP (original entry point)

Description Indicator Process Target
1 match; no description, indicator, process or target recorded

XMRig Miner payload

miner
Description Indicator Process Target
1 match; no description, indicator, process or target recorded

Xmrig family

xmrig

UPX packed file

upx
Description Indicator Process Target
1 match; no description, indicator, process or target recorded

Unsigned PE

Description Indicator Process Target
1 match; no description, indicator, process or target recorded

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-07 02:08

Reported

2024-06-07 02:12

Platform

win7-20240221-en

Max time kernel

137s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-07_b9acecfdbcb04eab0819768cc9bc34a2_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
12 matches; description, indicator, process and target not recorded for any of them

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
12 matches; description, indicator, process and target not recorded for any of them

UPX dump on OEP (original entry point)

Description Indicator Process Target
44 matches; description, indicator, process and target not recorded for any of them

XMRig Miner payload

miner
Description Indicator Process Target
60 matches; description, indicator, process and target not recorded for any of them

Loads dropped DLL

Description Indicator Process Target
21 matches, every one attributed to C:\Users\Admin\AppData\Local\Temp\2024-06-07_b9acecfdbcb04eab0819768cc9bc34a2_cobalt-strike_cobaltstrike.exe; the loaded DLL path and the other columns are not recorded

UPX packed file

upx
Description Indicator Process Target
64 matches; description, indicator, process and target not recorded for any of them

Drops file in Windows directory

Description Indicator Process Target
File created (21 rows; process in every row: C:\Users\Admin\AppData\Local\Temp\2024-06-07_b9acecfdbcb04eab0819768cc9bc34a2_cobalt-strike_cobaltstrike.exe; indicator and target N/A). Files written, in report order:
C:\Windows\System\AdnSqXC.exe
C:\Windows\System\QhTDQSS.exe
C:\Windows\System\uZpDQXK.exe
C:\Windows\System\kKplVRb.exe
C:\Windows\System\ahZXqqg.exe
C:\Windows\System\JrFcQpu.exe
C:\Windows\System\wkFXKsM.exe
C:\Windows\System\kqmiLkw.exe
C:\Windows\System\lSWGNCG.exe
C:\Windows\System\GbpjMSq.exe
C:\Windows\System\fXLEPtO.exe
C:\Windows\System\vEDGRff.exe
C:\Windows\System\ApPyPWY.exe
C:\Windows\System\hauAeiw.exe
C:\Windows\System\LrtQOCy.exe
C:\Windows\System\fAXBSmB.exe
C:\Windows\System\tFcIVPX.exe
C:\Windows\System\lDyqgYu.exe
C:\Windows\System\Djwizkq.exe
C:\Windows\System\uhTZwbG.exe
C:\Windows\System\JIIJpRx.exe
All 21 names are seven mixed-case letters in the legacy C:\Windows\System directory (not System32), which is a usable path pattern for hunting.

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege (2 events) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_b9acecfdbcb04eab0819768cc9bc34a2_cobalt-strike_cobaltstrike.exe N/A

SeLockMemoryPrivilege is the "Lock pages in memory" right that large-page allocations require. XMRig requests it to back its scratchpad with huge pages, which is why it co-occurs with the miner verdict here; database engines and hypervisors request the same privilege, so on its own it is supporting evidence rather than a verdict.

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2220 wrote to memory of 2172 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_b9acecfdbcb04eab0819768cc9bc34a2_cobalt-strike_cobaltstrike.exe C:\Windows\System\fXLEPtO.exe
PID 2220 wrote to memory of 2056 (3 writes) N/A (same process) C:\Windows\System\lDyqgYu.exe
PID 2220 wrote to memory of 2112 (3 writes) N/A (same process) C:\Windows\System\kKplVRb.exe
PID 2220 wrote to memory of 2540 (3 writes) N/A (same process) C:\Windows\System\JIIJpRx.exe
PID 2220 wrote to memory of 2580 (3 writes) N/A (same process) C:\Windows\System\ahZXqqg.exe
PID 2220 wrote to memory of 2704 (3 writes) N/A (same process) C:\Windows\System\ApPyPWY.exe
PID 2220 wrote to memory of 2440 (3 writes) N/A (same process) C:\Windows\System\hauAeiw.exe
PID 2220 wrote to memory of 2808 (3 writes) N/A (same process) C:\Windows\System\LrtQOCy.exe
PID 2220 wrote to memory of 2604 (3 writes) N/A (same process) C:\Windows\System\JrFcQpu.exe
PID 2220 wrote to memory of 2444 (3 writes) N/A (same process) C:\Windows\System\wkFXKsM.exe
PID 2220 wrote to memory of 3060 (3 writes) N/A (same process) C:\Windows\System\kqmiLkw.exe
PID 2220 wrote to memory of 2980 (3 writes) N/A (same process) C:\Windows\System\Djwizkq.exe
PID 2220 wrote to memory of 2848 (3 writes) N/A (same process) C:\Windows\System\fAXBSmB.exe
PID 2220 wrote to memory of 2852 (3 writes) N/A (same process) C:\Windows\System\lSWGNCG.exe
PID 2220 wrote to memory of 3004 (3 writes) N/A (same process) C:\Windows\System\GbpjMSq.exe
PID 2220 wrote to memory of 2932 (3 writes) N/A (same process) C:\Windows\System\vEDGRff.exe
PID 2220 wrote to memory of 1608 (3 writes) N/A (same process) C:\Windows\System\uhTZwbG.exe
PID 2220 wrote to memory of 2656 (3 writes) N/A (same process) C:\Windows\System\uZpDQXK.exe
PID 2220 wrote to memory of 2608 (3 writes) N/A (same process) C:\Windows\System\AdnSqXC.exe
PID 2220 wrote to memory of 1612 (3 writes) N/A (same process) C:\Windows\System\tFcIVPX.exe
PID 2220 wrote to memory of 2652 (3 writes) N/A (same process) C:\Windows\System\QhTDQSS.exe

Every child received exactly three writes from the parent, clustered at its creation. That is the pattern Windows process creation itself produces when the parent populates the new process (its parameters and environment) before the first thread runs, so this table on its own does not show the parent injecting code into the children. The reflective-loader and injection signatures above carry no indicator rows, so nothing on this page ties them to these events either.
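The three signatures above (Drops file in Windows directory, AdjustPrivilegeToken, WriteProcessMemory) describe a behaviour that is easy to hunt for in endpoint telemetry: one process writing many seven-letter executables into C:\Windows\System and then starting them. The script below is an added example, not part of this report or of the sandbox's own detection logic. It runs that check over a constructed log whose PIDs, paths and privilege are taken from the behavioral1 tables (the sample's long filename is shortened to sample.exe, and an invented msiexec installer is included as a benign negative case). The event format, the field names and the min_drops threshold are assumptions.

```python
import re
from collections import defaultdict

# Constructed telemetry in a simple "Kind key=value ..." format. The PIDs,
# dropped paths and privilege come from this report's behavioral1 tables; the
# submitted sample is shortened to sample.exe, and the msiexec lines are an
# invented benign installer used as a negative case.
SAMPLE_EVENTS = r"""
FileCreate pid=2220 image=C:\Users\Admin\AppData\Local\Temp\sample.exe target=C:\Windows\System\AdnSqXC.exe
FileCreate pid=2220 image=C:\Users\Admin\AppData\Local\Temp\sample.exe target=C:\Windows\System\QhTDQSS.exe
FileCreate pid=2220 image=C:\Users\Admin\AppData\Local\Temp\sample.exe target=C:\Windows\System\fXLEPtO.exe
FileCreate pid=2220 image=C:\Users\Admin\AppData\Local\Temp\sample.exe target=C:\Windows\System\lDyqgYu.exe
FileCreate pid=2220 image=C:\Users\Admin\AppData\Local\Temp\sample.exe target=C:\Windows\System\kKplVRb.exe
FileCreate pid=2220 image=C:\Users\Admin\AppData\Local\Temp\sample.exe target=C:\Windows\System\JIIJpRx.exe
ProcessCreate pid=2172 ppid=2220 image=C:\Windows\System\fXLEPtO.exe
ProcessCreate pid=2056 ppid=2220 image=C:\Windows\System\lDyqgYu.exe
ProcessCreate pid=2112 ppid=2220 image=C:\Windows\System\kKplVRb.exe
ProcessCreate pid=2540 ppid=2220 image=C:\Windows\System\JIIJpRx.exe
PrivilegeAdjust pid=2220 privilege=SeLockMemoryPrivilege
FileCreate pid=4100 image=C:\Windows\System32\msiexec.exe target=C:\Windows\Installer\MSI1A2B.tmp
ProcessCreate pid=4200 ppid=4100 image=C:\Windows\Installer\MSI1A2B.tmp
"""

# Dropped-copy naming seen in the report: C:\Windows\System\<7 letters>.exe
# in the legacy "System" directory (System32 does not match).
DROP_RE = re.compile(r"^C:\\Windows\\System\\[A-Za-z]{7}\.exe$", re.IGNORECASE)


def parse_events(text):
    """Turn the constructed log text into a list of dicts, one per event."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        event = {"kind": parts[0]}
        for field in parts[1:]:
            key, _, value = field.partition("=")
            event[key] = value
        events.append(event)
    return events


def analyze(events, min_drops=5):
    """Flag parents that drop >= min_drops pattern-matching EXEs and run them.

    Returns {pid: {"dropped": n, "executed": n, "lock_memory_privilege": bool}}.
    min_drops is an assumed threshold; tune it to your environment.
    """
    dropped = defaultdict(set)    # creator pid -> dropped paths (lower-cased)
    spawned = defaultdict(set)    # parent pid  -> child image paths (lower-cased)
    lock_memory = set()           # pids that adjusted SeLockMemoryPrivilege
    for event in events:
        kind = event["kind"]
        if kind == "FileCreate" and DROP_RE.match(event.get("target", "")):
            dropped[event["pid"]].add(event["target"].lower())
        elif kind == "ProcessCreate":
            spawned[event["ppid"]].add(event["image"].lower())
        elif kind == "PrivilegeAdjust" and event.get("privilege") == "SeLockMemoryPrivilege":
            lock_memory.add(event["pid"])

    findings = {}
    for pid, paths in dropped.items():
        executed = paths & spawned.get(pid, set())
        if len(paths) >= min_drops and executed:
            findings[pid] = {
                "dropped": len(paths),
                "executed": len(executed),
                # Large-page privilege is what XMRig asks for; benign software
                # requests it too, so it only raises confidence, never decides.
                "lock_memory_privilege": pid in lock_memory,
            }
    return findings


if __name__ == "__main__":
    for pid, finding in analyze(parse_events(SAMPLE_EVENTS)).items():
        print(f"pid {pid}: dropped {finding['dropped']} copies, ran {finding['executed']}, "
              f"SeLockMemoryPrivilege={finding['lock_memory_privilege']}")
```

On the constructed log only PID 2220 is flagged: six pattern-matching files created, four of them executed as children, with the large-page privilege adjusted; the installer writing into C:\Windows\Installer never matches the path pattern. The lower-casing matters because the report itself spells the directory both System and system.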

Processes

PID 2220 (submitted sample)
C:\Users\Admin\AppData\Local\Temp\2024-06-07_b9acecfdbcb04eab0819768cc9bc34a2_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-07_b9acecfdbcb04eab0819768cc9bc34a2_cobalt-strike_cobaltstrike.exe"

Children of PID 2220, in start order (child PIDs as recorded in the WriteProcessMemory rows; each was started with its own path as the command line):

PID 2172 C:\Windows\System\fXLEPtO.exe
PID 2056 C:\Windows\System\lDyqgYu.exe
PID 2112 C:\Windows\System\kKplVRb.exe
PID 2540 C:\Windows\System\JIIJpRx.exe
PID 2580 C:\Windows\System\ahZXqqg.exe
PID 2704 C:\Windows\System\ApPyPWY.exe
PID 2440 C:\Windows\System\hauAeiw.exe
PID 2808 C:\Windows\System\LrtQOCy.exe
PID 2604 C:\Windows\System\JrFcQpu.exe
PID 2444 C:\Windows\System\wkFXKsM.exe
PID 3060 C:\Windows\System\kqmiLkw.exe
PID 2980 C:\Windows\System\Djwizkq.exe
PID 2848 C:\Windows\System\fAXBSmB.exe
PID 2852 C:\Windows\System\lSWGNCG.exe
PID 3004 C:\Windows\System\GbpjMSq.exe
PID 2932 C:\Windows\System\vEDGRff.exe
PID 1608 C:\Windows\System\uhTZwbG.exe
PID 2656 C:\Windows\System\uZpDQXK.exe
PID 2608 C:\Windows\System\AdnSqXC.exe
PID 1612 C:\Windows\System\tFcIVPX.exe
PID 2652 C:\Windows\System\QhTDQSS.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 (none) tcp
6 connections to this one endpoint during the run; no DNS name was resolved for it, so the IP and port are the only network indicators on this page.

Files

Six of the dropped executables are listed twice, once as C:\Windows\system\<name>.exe and once as \Windows\system\<name>.exe, with a different hash set each time (fXLEPtO.exe, lDyqgYu.exe, hauAeiw.exe, uZpDQXK.exe, tFcIVPX.exe, fAXBSmB.exe). The content captured at the same path therefore differs between the two records, so the per-file hashes below are weak indicators on their own; the stable indicators are the path pattern C:\Windows\System\<7 letters>.exe and the parent's behaviour. Every image-sized memory region below, the parent's private region at 0x23A0000 included, spans 0x354000 bytes.

memory/2220-0-0x000000013F590000-0x000000013F8E4000-memory.dmp

memory/2220-1-0x00000000001F0000-0x0000000000200000-memory.dmp

C:\Windows\system\fXLEPtO.exe

MD5 15c2d97864e8c143fb2518e0d79fe7fc
SHA1 e88572ddf165f0fd9684d13af9c029353692e01c
SHA256 f56dcefe5e943360d37621024dfce55002d169a9fc20a0d3be94d0ceb21ce2ea
SHA512 81d7f5d1a85d3230d7a4c1df13f6d160a5072ed0dca0e2479f7dc8ebf2b4e78f88b17bc6533f7a3689abd5114e54b7d80f16d54b57382e98466e1e523e170ec0

\Windows\system\fXLEPtO.exe

MD5 2130f4461ba7262c4b9569c7ad362fbe
SHA1 477f7cc69e47cdff19a52b2da61a04f2127580e1
SHA256 f68cab9e215b5970b95a91cba35e4b211ac827a19d524f2bf913504bdbf08025
SHA512 bd19fb9a7b432908f39c8e2a25f78223abf0f155bd219827a4b513d256827c60c965e975a97433d8f252d3353383a04a3ae742b841c52e2f210a05922493b703

memory/2172-9-0x000000013F680000-0x000000013F9D4000-memory.dmp

memory/2220-8-0x00000000023A0000-0x00000000026F4000-memory.dmp

\Windows\system\lDyqgYu.exe

MD5 64fc7e100c974b24385b94e08b7141d6
SHA1 c5f7cd27416475b391ae91d0a42f0426fc7799ed
SHA256 d6f623cd605efda5468d6eef002ce27a25402688b3e0aa927ba702c9d765c300
SHA512 4f46e3ee4780451eaa90c083d1818ffe4d89702bafbeeb3ae459a025a35d2c6df4bdcc456f97b263416cae484e428ff6c5f30ec421360553da5b1e24d08e21d3

C:\Windows\system\lDyqgYu.exe

MD5 93bacfc3d845f374627b012c3a61a1e5
SHA1 f08219d5f19196fbc7a3a1e7ffbfb44e344c21ae
SHA256 4fd1d5231f529c0710d6a6cd40036ebe10563700b5f25c50aacacf0ccbeb0b9d
SHA512 63e909e0f694f7072b09c22815e6279a7448ff3ee9b219e1f03fa23b70411a9de5cd54205f2b9fac218aee1fe5bb1761b1d6308bcade318f7b85c7b720112b83

memory/2220-13-0x000000013FAD0000-0x000000013FE24000-memory.dmp

memory/2220-28-0x00000000023A0000-0x00000000026F4000-memory.dmp

C:\Windows\system\ApPyPWY.exe

MD5 f8ab2f0e6d7f80fb45c5922b46f7c8d5
SHA1 ced5fcf24c2b608260d2b77ed9ad4c6f2737ef1e
SHA256 76609df64a6d4f39efaf9dba71c791ab04546a94c75cdd07b7e19c5921acf679
SHA512 53c5a23263ba20129500fc45cc972ce9ac77b42a278c9257caef4efeead33e64306ae4d0dedd5fa2bb81c08327384c4fd39003c0ae2287651840bcc55aa39508

memory/2704-42-0x000000013FAF0000-0x000000013FE44000-memory.dmp

memory/2220-46-0x000000013F590000-0x000000013F8E4000-memory.dmp

C:\Windows\system\hauAeiw.exe

MD5 3c496c7626c23d5e958a0b6cbfbbb806
SHA1 803d29a6882f8ab5f05080602ce758f426212931
SHA256 7feb59059d33c04ec5e7bc01471639a9ca64667caa4ba8b3d43458ad1fc13d6e
SHA512 48f19c0e4ce520d620c0735a004acda4beb828d62b77a6101178b101e0b7d5adb97d555d9e13ccfb7e6c05d5cc3edef2c07ac8a106f862e57937f83054a1f241

C:\Windows\system\LrtQOCy.exe

MD5 f0f277157362d48b8111b1706409ed29
SHA1 47b5064cc57fda73794448f5bc25e71d4c01a765
SHA256 fb56c91a87608b71e501b648242ded58e010f72f845badded5e27a4153b2fb4c
SHA512 8381f0de2f9d3f9c1df9f712a7978f545c83d147177f0d80577cd99ccd1cbe7ea6de6517d3ff34747e63a351bc3bea5628adc8bdea4003ce18ff11edc9eade0a

memory/2220-57-0x000000013FAE0000-0x000000013FE34000-memory.dmp

C:\Windows\system\JrFcQpu.exe

MD5 2c29c56557704a5af675ac862b6acadc
SHA1 8095e9a472d534a6ef5dc3ab384273149ae12d48
SHA256 ad78076137bb51fd4326f7a646d70c5d984effb3c1176184b92e2481afe8ee9d
SHA512 f76c7cafe7089612bd2c5136e03dfbe423618b3b68e64692820e5dfa2eb3d816fbca1bfa4bd5be14823ba5172f77c777b526463c4d46646574bc76ae1535f049

memory/2848-95-0x000000013F760000-0x000000013FAB4000-memory.dmp

C:\Windows\system\uZpDQXK.exe

MD5 4ebd1901e669a14d40cee031fd206e82
SHA1 48b4d9303ce77228a3ead5a9a71386291542a98f
SHA256 877be2224a2b649da5f78203ecb3453feb6fa6bbbc2d6c8d511c50eacb8915e1
SHA512 c4c64ecded98a2388cd280fbf03b1c4943ae108cca32936b19ec1dc9b1e2275f8c7fb5cb86b3ef39ae05d629ddb91ee9822452b1bc6582399603f35642ecf087

C:\Windows\system\AdnSqXC.exe

MD5 8c5942db9626bdc67d19ecda488bdabf
SHA1 dd6bed4baf0bd317e2ac35a545acaa457c560d70
SHA256 3cb81d4d394d5a3d40491e7fe580c60b3108f8e350c8ff343c2bacb831412805
SHA512 c9b5ef2f12fa572138556051846472a8bcc53cad444fed6520f60322f6d77f8e04d558859c7df249cf27fcd327591689d0b21682a6ca97280b128ad6abfb0668

C:\Windows\system\QhTDQSS.exe

MD5 c1518081c0655249ee4f83af3cb7a513
SHA1 08a4bc472701beffbff31e171d92540ce872e59f
SHA256 1be42aaddf0664630bd0c55b81b20bef4504bfd9f8224c0a8be5033e8393b084
SHA512 ffc94d1219b0963d6d2dd090b0558532fb2e074eafbc603ded1132dca1ff59b8b100b60bebdd85da94728ac016e7b3712c85854f9a1078bbfbb804c85be488cb

C:\Windows\system\tFcIVPX.exe

MD5 7ca4c7d08ec840a69d3101c638d4b72f
SHA1 9a0bd3c709f755b63121fadc936f446aec1e7ee6
SHA256 ad375c6a067690acfdb9ba070a3a7e26450ca7423af526c703ce192d7173f7e7
SHA512 93ae69558c6397f1d10b68fc7e156b1c23dffe4348c43264d4d2484e88db3346ef1d13b6b607cc291558edc2cbc35a0667021d52c5cf7e17eeb41ed495e23c3b

\Windows\system\tFcIVPX.exe

MD5 a87d02cdbe7e6add7e29be96af078b04
SHA1 061bd0a5bdb6825d189e4ff9f6d82ad5fd8a6c59
SHA256 88c4bd78d05060188cea642b76603b730396989a40a1f247a6f3067a1fcf3c77
SHA512 9d17685560b55592d030b6396abca098778362db2271bf4cc221812708693866812e286c5067adb9b060d1988021e0fa8251592efaa34c716bd304aaf102ce86

\Windows\system\uZpDQXK.exe

MD5 1d3a027708a48a3c73a911f7d1532fca
SHA1 f960fd40bf0cf951600c386a6a9501a01e54ab51

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-07 02:08

Reported

2024-06-07 02:12

Platform

win10v2004-20240226-en

Max time kernel

148s

Max time network

157s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-07_b9acecfdbcb04eab0819768cc9bc34a2_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\UeSGrdr.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_b9acecfdbcb04eab0819768cc9bc34a2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\vVlkuaz.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_b9acecfdbcb04eab0819768cc9bc34a2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\AXJRpzl.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_b9acecfdbcb04eab0819768cc9bc34a2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ArfEHlS.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_b9acecfdbcb04eab0819768cc9bc34a2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\OBFEstq.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_b9acecfdbcb04eab0819768cc9bc34a2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\oHfKNjD.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_b9acecfdbcb04eab0819768cc9bc34a2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\WnYJraa.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_b9acecfdbcb04eab0819768cc9bc34a2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\rNqmGvW.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_b9acecfdbcb04eab0819768cc9bc34a2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\wrijRsd.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_b9acecfdbcb04eab0819768cc9bc34a2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ZBLIJmO.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_b9acecfdbcb04eab0819768cc9bc34a2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\vhYMwWc.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_b9acecfdbcb04eab0819768cc9bc34a2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\KcKysmV.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_b9acecfdbcb04eab0819768cc9bc34a2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\LJgIVrw.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_b9acecfdbcb04eab0819768cc9bc34a2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\DiHQWVr.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_b9acecfdbcb04eab0819768cc9bc34a2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\mZgeLVA.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_b9acecfdbcb04eab0819768cc9bc34a2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\Jvxtwxn.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_b9acecfdbcb04eab0819768cc9bc34a2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\NJyxmNH.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_b9acecfdbcb04eab0819768cc9bc34a2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\TAMpxap.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_b9acecfdbcb04eab0819768cc9bc34a2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\TVXWwNs.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_b9acecfdbcb04eab0819768cc9bc34a2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\vCaeTrX.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_b9acecfdbcb04eab0819768cc9bc34a2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\sIBPEfy.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_b9acecfdbcb04eab0819768cc9bc34a2_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_b9acecfdbcb04eab0819768cc9bc34a2_cobalt-strike_cobaltstrike.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_b9acecfdbcb04eab0819768cc9bc34a2_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4796 wrote to memory of 3180 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_b9acecfdbcb04eab0819768cc9bc34a2_cobalt-strike_cobaltstrike.exe C:\Windows\System\vhYMwWc.exe
PID 4796 wrote to memory of 3180 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_b9acecfdbcb04eab0819768cc9bc34a2_cobalt-strike_cobaltstrike.exe C:\Windows\System\vhYMwWc.exe
PID 4796 wrote to memory of 1544 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_b9acecfdbcb04eab0819768cc9bc34a2_cobalt-strike_cobaltstrike.exe C:\Windows\System\UeSGrdr.exe
PID 4796 wrote to memory of 1544 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_b9acecfdbcb04eab0819768cc9bc34a2_cobalt-strike_cobaltstrike.exe C:\Windows\System\UeSGrdr.exe
PID 4796 wrote to memory of 1444 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_b9acecfdbcb04eab0819768cc9bc34a2_cobalt-strike_cobaltstrike.exe C:\Windows\System\vVlkuaz.exe
PID 4796 wrote to memory of 1444 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_b9acecfdbcb04eab0819768cc9bc34a2_cobalt-strike_cobaltstrike.exe C:\Windows\System\vVlkuaz.exe
PID 4796 wrote to memory of 3248 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_b9acecfdbcb04eab0819768cc9bc34a2_cobalt-strike_cobaltstrike.exe C:\Windows\System\AXJRpzl.exe
PID 4796 wrote to memory of 3248 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_b9acecfdbcb04eab0819768cc9bc34a2_cobalt-strike_cobaltstrike.exe C:\Windows\System\AXJRpzl.exe
PID 4796 wrote to memory of 4780 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_b9acecfdbcb04eab0819768cc9bc34a2_cobalt-strike_cobaltstrike.exe C:\Windows\System\KcKysmV.exe
PID 4796 wrote to memory of 4780 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_b9acecfdbcb04eab0819768cc9bc34a2_cobalt-strike_cobaltstrike.exe C:\Windows\System\KcKysmV.exe
PID 4796 wrote to memory of 4640 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_b9acecfdbcb04eab0819768cc9bc34a2_cobalt-strike_cobaltstrike.exe C:\Windows\System\TAMpxap.exe
PID 4796 wrote to memory of 4640 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_b9acecfdbcb04eab0819768cc9bc34a2_cobalt-strike_cobaltstrike.exe C:\Windows\System\TAMpxap.exe
PID 4796 wrote to memory of 1496 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_b9acecfdbcb04eab0819768cc9bc34a2_cobalt-strike_cobaltstrike.exe C:\Windows\System\WnYJraa.exe
PID 4796 wrote to memory of 1496 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_b9acecfdbcb04eab0819768cc9bc34a2_cobalt-strike_cobaltstrike.exe C:\Windows\System\WnYJraa.exe
PID 4796 wrote to memory of 4340 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_b9acecfdbcb04eab0819768cc9bc34a2_cobalt-strike_cobaltstrike.exe C:\Windows\System\ArfEHlS.exe
PID 4796 wrote to memory of 4340 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_b9acecfdbcb04eab0819768cc9bc34a2_cobalt-strike_cobaltstrike.exe C:\Windows\System\ArfEHlS.exe
PID 4796 wrote to memory of 4064 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_b9acecfdbcb04eab0819768cc9bc34a2_cobalt-strike_cobaltstrike.exe C:\Windows\System\LJgIVrw.exe
PID 4796 wrote to memory of 4064 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_b9acecfdbcb04eab0819768cc9bc34a2_cobalt-strike_cobaltstrike.exe C:\Windows\System\LJgIVrw.exe
PID 4796 wrote to memory of 4040 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_b9acecfdbcb04eab0819768cc9bc34a2_cobalt-strike_cobaltstrike.exe C:\Windows\System\TVXWwNs.exe
PID 4796 wrote to memory of 4040 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_b9acecfdbcb04eab0819768cc9bc34a2_cobalt-strike_cobaltstrike.exe C:\Windows\System\TVXWwNs.exe
PID 4796 wrote to memory of 4500 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_b9acecfdbcb04eab0819768cc9bc34a2_cobalt-strike_cobaltstrike.exe C:\Windows\System\rNqmGvW.exe
PID 4796 wrote to memory of 4500 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_b9acecfdbcb04eab0819768cc9bc34a2_cobalt-strike_cobaltstrike.exe C:\Windows\System\rNqmGvW.exe
PID 4796 wrote to memory of 3496 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_b9acecfdbcb04eab0819768cc9bc34a2_cobalt-strike_cobaltstrike.exe C:\Windows\System\vCaeTrX.exe
PID 4796 wrote to memory of 3496 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_b9acecfdbcb04eab0819768cc9bc34a2_cobalt-strike_cobaltstrike.exe C:\Windows\System\vCaeTrX.exe
PID 4796 wrote to memory of 3348 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_b9acecfdbcb04eab0819768cc9bc34a2_cobalt-strike_cobaltstrike.exe C:\Windows\System\DiHQWVr.exe
PID 4796 wrote to memory of 3348 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_b9acecfdbcb04eab0819768cc9bc34a2_cobalt-strike_cobaltstrike.exe C:\Windows\System\DiHQWVr.exe
PID 4796 wrote to memory of 3992 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_b9acecfdbcb04eab0819768cc9bc34a2_cobalt-strike_cobaltstrike.exe C:\Windows\System\OBFEstq.exe
PID 4796 wrote to memory of 3992 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_b9acecfdbcb04eab0819768cc9bc34a2_cobalt-strike_cobaltstrike.exe C:\Windows\System\OBFEstq.exe
PID 4796 wrote to memory of 1412 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_b9acecfdbcb04eab0819768cc9bc34a2_cobalt-strike_cobaltstrike.exe C:\Windows\System\sIBPEfy.exe
PID 4796 wrote to memory of 1412 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_b9acecfdbcb04eab0819768cc9bc34a2_cobalt-strike_cobaltstrike.exe C:\Windows\System\sIBPEfy.exe
PID 4796 wrote to memory of 4836 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_b9acecfdbcb04eab0819768cc9bc34a2_cobalt-strike_cobaltstrike.exe C:\Windows\System\wrijRsd.exe
PID 4796 wrote to memory of 4836 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_b9acecfdbcb04eab0819768cc9bc34a2_cobalt-strike_cobaltstrike.exe C:\Windows\System\wrijRsd.exe
PID 4796 wrote to memory of 4684 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_b9acecfdbcb04eab0819768cc9bc34a2_cobalt-strike_cobaltstrike.exe C:\Windows\System\ZBLIJmO.exe
PID 4796 wrote to memory of 4684 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_b9acecfdbcb04eab0819768cc9bc34a2_cobalt-strike_cobaltstrike.exe C:\Windows\System\ZBLIJmO.exe
PID 4796 wrote to memory of 708 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_b9acecfdbcb04eab0819768cc9bc34a2_cobalt-strike_cobaltstrike.exe C:\Windows\System\oHfKNjD.exe
PID 4796 wrote to memory of 708 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_b9acecfdbcb04eab0819768cc9bc34a2_cobalt-strike_cobaltstrike.exe C:\Windows\System\oHfKNjD.exe
PID 4796 wrote to memory of 2944 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_b9acecfdbcb04eab0819768cc9bc34a2_cobalt-strike_cobaltstrike.exe C:\Windows\System\mZgeLVA.exe
PID 4796 wrote to memory of 2944 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_b9acecfdbcb04eab0819768cc9bc34a2_cobalt-strike_cobaltstrike.exe C:\Windows\System\mZgeLVA.exe
PID 4796 wrote to memory of 4892 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_b9acecfdbcb04eab0819768cc9bc34a2_cobalt-strike_cobaltstrike.exe C:\Windows\System\Jvxtwxn.exe
PID 4796 wrote to memory of 4892 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_b9acecfdbcb04eab0819768cc9bc34a2_cobalt-strike_cobaltstrike.exe C:\Windows\System\Jvxtwxn.exe
PID 4796 wrote to memory of 4312 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_b9acecfdbcb04eab0819768cc9bc34a2_cobalt-strike_cobaltstrike.exe C:\Windows\System\NJyxmNH.exe
PID 4796 wrote to memory of 4312 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_b9acecfdbcb04eab0819768cc9bc34a2_cobalt-strike_cobaltstrike.exe C:\Windows\System\NJyxmNH.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-07_b9acecfdbcb04eab0819768cc9bc34a2_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-07_b9acecfdbcb04eab0819768cc9bc34a2_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\vhYMwWc.exe

C:\Windows\System\vhYMwWc.exe

C:\Windows\System\UeSGrdr.exe

C:\Windows\System\UeSGrdr.exe

C:\Windows\System\vVlkuaz.exe

C:\Windows\System\vVlkuaz.exe

C:\Windows\System\AXJRpzl.exe

C:\Windows\System\AXJRpzl.exe

C:\Windows\System\KcKysmV.exe

C:\Windows\System\KcKysmV.exe

C:\Windows\System\TAMpxap.exe

C:\Windows\System\TAMpxap.exe

C:\Windows\System\WnYJraa.exe

C:\Windows\System\WnYJraa.exe

C:\Windows\System\ArfEHlS.exe

C:\Windows\System\ArfEHlS.exe

C:\Windows\System\LJgIVrw.exe

C:\Windows\System\LJgIVrw.exe

C:\Windows\System\TVXWwNs.exe

C:\Windows\System\TVXWwNs.exe

C:\Windows\System\rNqmGvW.exe

C:\Windows\System\rNqmGvW.exe

C:\Windows\System\vCaeTrX.exe

C:\Windows\System\vCaeTrX.exe

C:\Windows\System\DiHQWVr.exe

C:\Windows\System\DiHQWVr.exe

C:\Windows\System\OBFEstq.exe

C:\Windows\System\OBFEstq.exe

C:\Windows\System\sIBPEfy.exe

C:\Windows\System\sIBPEfy.exe

C:\Windows\System\wrijRsd.exe

C:\Windows\System\wrijRsd.exe

C:\Windows\System\ZBLIJmO.exe

C:\Windows\System\ZBLIJmO.exe

C:\Windows\System\oHfKNjD.exe

C:\Windows\System\oHfKNjD.exe

C:\Windows\System\mZgeLVA.exe

C:\Windows\System\mZgeLVA.exe

C:\Windows\System\Jvxtwxn.exe

C:\Windows\System\Jvxtwxn.exe

C:\Windows\System\NJyxmNH.exe

C:\Windows\System\NJyxmNH.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4760 --field-trial-handle=2272,i,4858140932023865871,5726683989663339295,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
GB 216.58.204.74:443 chromewebstore.googleapis.com tcp
US 8.8.8.8:53 pki.goog udp
US 8.8.8.8:53 pki.goog udp
US 216.239.32.29:80 pki.goog tcp
US 8.8.8.8:53 29.32.239.216.in-addr.arpa udp
US 8.8.8.8:53 133.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 13.107.246.64:443 tcp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 27.178.89.13.in-addr.arpa udp
DE 3.120.209.58:8080 tcp

Files

memory/4796-0-0x00007FF718FC0000-0x00007FF719314000-memory.dmp

memory/4796-1-0x0000017739510000-0x0000017739520000-memory.dmp

C:\Windows\System\vhYMwWc.exe

MD5 ef9f1c31e83699ade1561c5b0f5a56f8
SHA1 f7066b855127e7342b0b07bcb0009e518c755003
SHA256 f43f9f14594171c71bce6a6d4dcd99b64d3b97304220e1e164177d00281a50cb
SHA512 885d3e0a8a72113a59ed7f50c2205d9134245c0fa4bca1da1d633233af988b5d2547bacf01018f6ec74e3c2b0827840274a961853b04b9d59c6d753fac9aeb26

memory/3180-8-0x00007FF6F42F0000-0x00007FF6F4644000-memory.dmp

C:\Windows\System\UeSGrdr.exe

MD5 20007038785c8b46deabcba2d9e12182
SHA1 70fda0c7a8a83cd87eacb8621a166f852e253d4d
SHA256 272ef349ccb6d60445d3b356875400238f76dbc09a2187b3a0eee9ab0e9b2e6d
SHA512 6c3cb0841287bfff718cf14d54068fc94220d97e473afb690f21692884fb4c4296136feadd33dd6439e52d19afa922f9ec8584b284acb810e96092be6739dad6

memory/1544-14-0x00007FF6DBF50000-0x00007FF6DC2A4000-memory.dmp

C:\Windows\System\vVlkuaz.exe

MD5 9f9d252bb6ae8245b4d9d967e4b1bc78
SHA1 6960fcb92b2b46dbec9ae0624cb7964f9d3f035d
SHA256 d927eac56fa0a06aed3e47bf497179d388b8ae474b358597d7dae7c01d7519b8
SHA512 4552229f0353a40a33d58d80d73a18cd5e7736bde4f744c64afc4b6e6124b9a246bc43c255d7bf982df608e057e652b72c4975ca709977fbc301f6e751e5cfd1

memory/1444-20-0x00007FF7FB420000-0x00007FF7FB774000-memory.dmp

C:\Windows\System\AXJRpzl.exe

MD5 f214cb9198a39970b372cb715b68f128
SHA1 d599aad658c6a286a00a62e74a3b0192a3a5f65f
SHA256 8fa2468069ded1a8769d1b2748917320c16cec0b89e9afaa37ff613521f44a2e
SHA512 e10285a404bc2e1723069568a2e94130cf8ebc2961b5afbafd8cd4528ae66866fb2aab3aba1e88396e6d82843be30af3b5084adfcc9c7d5e2779e72ca4c5f166

memory/3248-25-0x00007FF726AC0000-0x00007FF726E14000-memory.dmp

C:\Windows\System\KcKysmV.exe

MD5 51dd25c412a739a01d24df269451ce17
SHA1 96d5f975ace4d5f83d1d69491d5707f2ca223074
SHA256 022992ab3ba5a0a87f6bdb754deedb9a71f9b6f053f08fe53e9a11f101f66da5
SHA512 a310efd45bbb4a66e3faeaccafb8dc2b1c8f94238f6061431ea2dbfd0debee0c199826cff14daed0bd6cb97e0a4aa2e9ced6c356d606ba1fa3a9ffc1b8af781c

memory/4780-32-0x00007FF77F140000-0x00007FF77F494000-memory.dmp

C:\Windows\System\TAMpxap.exe

MD5 a3789effa85326966e79654aeeae7b7e
SHA1 0292478eba5c1f215d4fa0f8cac907bb961bbdcd
SHA256 9482e8a64ef0518dd7db685c6b4af5c40665078dc547a0855bcdba6f43914c1b
SHA512 fe3bf4038655a186160b7d250e67e73408aebd78635c98de9cfae67689d58f94c1b48e3e56857d577bae1768de217eab608dd4db16ddae6e383f19d905681712

C:\Windows\System\WnYJraa.exe

MD5 4af8ac3d2cf1e4522400ce184e871a29
SHA1 305d0ed356a0cb63c93d76b7dc8ac98b6cd0342e
SHA256 d46f9bb8e063e4e549d8a131d315d8f5f4848c242828b2b015cd32f1f9c687f8
SHA512 1094200ba08c15c2fa480c03fd3a6893cbd18783a6f051101d2e3720f6653b2a9b303c3ccc60be1065ac1177ac4a0686a80ea8ad620d138d90de799fdd20ab57

memory/4640-40-0x00007FF7CACB0000-0x00007FF7CB004000-memory.dmp

C:\Windows\System\ArfEHlS.exe

MD5 15b560f6907d1922a3d324a3303f14df
SHA1 9051c8e2c2d835a8aa86867ae26731b1336aed77
SHA256 064fc63f52941573a0c16b92151b09f5d30145d57ca2ed4e0dd4407d30af7a75
SHA512 4beae9bd8ae4ca0b072489773fd0fc792c731c944f0729158209591f22e1c6d86750f8826f66ebd36b1d60e046fad3083d90c8e5692f1ed908b2259106326efe

memory/1496-47-0x00007FF621D20000-0x00007FF622074000-memory.dmp

C:\Windows\System\LJgIVrw.exe

MD5 6e5b6f84f1b12ed468c3b7936da05fa7
SHA1 d10f4c3bc6b8742bdc34ef204c98856d210328c5
SHA256 77c4a5a707b6df0693dd525fea36dcdc42fcd372ef68a9dbba8832f41c94d1e5
SHA512 4fef6cd35f2647879beeddb3e6aeba81c9d3a42df6327ba9d95adc00b69929a7c4510905868b17f5e8357b7125ca659eae51f1c3be3b48b9e5d42a686e6fd9bd

memory/4340-48-0x00007FF67ABB0000-0x00007FF67AF04000-memory.dmp

C:\Windows\System\TVXWwNs.exe

MD5 13b7fc334f51cc5ca1de928539f65632
SHA1 6ea3a0ffe9f86522e014e16da001c005c43a0301
SHA256 23576af0b1503c887ad6ffbc3561f80902d320e8ac20081ee22eac2bae29613e
SHA512 5b527b0e38e44698a0c7c428ac56ea7424f8ec2d4171daa0f52ce5db4a1807d036fb42ee18defa3fff534388c91e9a0846ef590e2f90ff71ec5b4af8cf691c7d

C:\Windows\System\rNqmGvW.exe

MD5 d222b74cc4b4fac705716becf06cae1a
SHA1 886a0ef56e39e1ca9fa48149c49c3ad1c519252b
SHA256 9229f57793d6f13a8e5eac89e967386730337fb58348d66f1c9ad68ce9b504d7
SHA512 a6280849b8445e467d2b93046221a24f4abf618a8b1e65028c3d1231b7f1d1f792a45a9741e5e0cdc284be480c3eb3753990dcd449ce38926e60c6b0c9e46c69

C:\Windows\System\rNqmGvW.exe

MD5 98ddbea8b700025cfea6cdb4aa3e43e8
SHA1 50ceb41fa98f8da019e896ed8b56fb815ade85c3
SHA256 f3d04b1b505bbd1edfc225f0ff843d2d6e124620e1863f1cebccc8fb38f1e763
SHA512 d10c79b9ffe04655d2ed28a606ef98f8550b5560c30acde63f1522d23a06ada25993e4c72d6366952d8876ac8ea72ef7e8996ba2e92abd973881f2d8a97c9a8a

C:\Windows\System\vCaeTrX.exe

MD5 1d51a6f9f8f706d40a78f27cac287065
SHA1 981c2096ede4558d1ebc91ef5d6ea849a5e05a26
SHA256 15b21f96ab3bc949c328ae89ca4b8971cb600187d8a414a03ad62deea81f4ef1
SHA512 f88e4c79c055461a937a826fa6bbc551f208f7399466fa47521581ae4db3bc5d256e1bf01ae134b570a11c9d09f89930e6add7d4c8135ba334d8b29af2c44c97

C:\Windows\System\DiHQWVr.exe

MD5 002ac8049241c80f5c410544e38d0cbf
SHA1 33613dc0ebb3ba959740ecd34313a51d2540d78e
SHA256 7337764c4ba8069ac208bc86289a3fb05b3e66f639d0154413eb2c9cc41dd5b1
SHA512 0379e3c299bf5e1c59866132171c92623da09a8cfe11243b0a3a6c6c2101eac44cb81faf6ac1968a719df5bdb6dc4492a9e5a9c56bced0dfdb4fd422bf61b6d1

C:\Windows\System\OBFEstq.exe

MD5 6f708884c64011b1b7b4efe237bf3258
SHA1 bd2e2d5073a94e0f1dfdb49449517442daa7f71d
SHA256 1f724237479fe4a3dbbc86fec9a6f17c1838b0c3103fa89d589d30acefe0841a
SHA512 9ecc11c326b3ef06536b7f6e38fa8dfc3819c5e0290a1ae1f4bb5ccb9f59b1be8eadfeccddcc6dd3b8ef67f210b83986eb2ca7e4912b64dec90050bfffbb4513

C:\Windows\System\sIBPEfy.exe

MD5 ef2131eded6f82457b6ff3f0ad490b88
SHA1 ca11cdc97b4555826e7448a96e59eee36b40faed
SHA256 d54dff04bf667ad6323b8ffd99f216e03c552ef139f24e3fbcc9695e83848b22
SHA512 894f21f0ba15f8fa5d4da18d3120e381e389880383d9dd652c416338561e6619c7272869193317cfd15c6fdd1451c4c19fc7ddd479a50fce6ef4f138fdb95798

C:\Windows\System\wrijRsd.exe

MD5 135b436ac96391534afbbeeecb84c492
SHA1 093f4d0f53069c2503d83cd811467ed411b4826f
SHA256 2f81bc43ceeb86e1ee0ee5d218bdb50d54ed5b24bd670e0afa31e188a6380ac2
SHA512 7815d31f33cc6c10caeacf93a73da4b79bc88c461543bec5cc22ad03114f316e1d65916d98ee17dcd6b55f9f1d7638d784decb8ca264228541eda8f736ec7290

C:\Windows\System\ZBLIJmO.exe

MD5 3751a2899762b2a12a2153f55b533921
SHA1 26268046ad64ea5ace7808c7a22fc4cd39b00e5d
SHA256 fa990d4b424dcdb03bb883900fff6392d28bec914a547e012f2ce63aa61435e3
SHA512 9ca2d848aec63787eb85c3019a1ed1f2738ff080633e22629b71ab34fd9435eecdfdf11737fdc696d1a8bb62858645a0d5188845aedd8732c148f5f1548dd312

C:\Windows\System\oHfKNjD.exe

MD5 b82c73c002bf46083d0ff2444ea1db0b
SHA1 47866cf0b20f830226cbeb7501ca060a826163c8
SHA256 068057cec27c51b71e00faa03f8e28d29ee615e1881e831bb6d776793cdd54a4
SHA512 60dc461a2f4b47d15dd53e9e36cbc8cbf187238ccb94ecda2620f438bc21f8e483c00b5383b527196928ff1246f0414cf8dabdf42705ce65acf5f8bf4f738457

C:\Windows\System\mZgeLVA.exe

MD5 6fb6863d9548f3879b1ba1b64fc45a68
SHA1 0dc40616de903c417cc9a8b581f9078af09ea60a
SHA256 b26b72ca0ef6d18aef032253470a78a13f48dcd486b2eb6e1570c96324293e82
SHA512 cf09c13915872b96dcf1f62eac8174c1c1dfa4aabd64fb9272008df1f24e451a988f1edb48cb6ca8b7ef84d58508cf13cc3d0e709b84acf2687dd5617c6c3a61

C:\Windows\System\Jvxtwxn.exe

MD5 ad0bc882b54ae48afb2034b714dacb2c
SHA1 a76a975f198ded66f2e4cd8befb78ee2bb67be8e
SHA256 6d9223a495b50db1593b7ad40d2ffd2397b5dd376bcde6f64e781b58c0cc4dfa
SHA512 65f64452f2da926eb7f6990111241d0a295f38e4a6077a250326428d3153f658096bc4ebc4f6765063fa38884ff833dee62536bf94a5324a2a10d4652b764170

C:\Windows\System\NJyxmNH.exe

MD5 289d862207cc53836e60670e67427342
SHA1 072aa7b7acddbfa41d30604820f7a72de99b783b
SHA256 c67427a528c841bc16c01ba95da390039c056a17950c47e2bd4c004e9ee6a2e8
SHA512 4b6d1748fdc41833af9f2870a693de408a674d2c92483716620e40142b1c365d8691d001bdff7d6ebe0a1feb309b7070d9a93473977a08554a9b534e76680e14

C:\Windows\System\mZgeLVA.exe

MD5 9e136eecdd2c9fd44973c17a490e14c6
SHA1 c12d059e76874d6d3637069ac676b5d1ab0e30af
SHA256 d3c5406769d044aab6389d785b34dc0848c603b64b5882adbe39bc4b0d43ace4
SHA512 92d1223defadfdcd80c7b551f20755adb1dafa51c0bca907534648f67443325d17af44a456ec2139d79750f03f59b57704ed7555f8498daaa327250f8b6fcfaa

C:\Windows\System\ZBLIJmO.exe

MD5 984a8cf637fc9f46a5be1646493a183b
SHA1 eff3045fcb5d0b4a9321004fdd3e94f3f336f5af
SHA256 0d4a824efda706db87b77805c320758f4772451fa0404efc091a4e3040c61068
SHA512 f10e98d33b97922d86b629662f92ca9b0747603db9cee26627e84885ca9797232c0f5349bf7b35b6812a24bc6e60bd825c6020365d2a762c823adc6158a78b7d

C:\Windows\System\vCaeTrX.exe

MD5 4b7216d89e20f49e9c16c0253cc47511
SHA1 2897390157f4ddd1aa5b6b0434e8fd2685151896
SHA256 04a2e3581379ca63394646169e2f7cb8764608261eb5b43957d0130fd0e5013f
SHA512 f54f6e029123d95222d09bc2138897f709e3650dbd2270183df96ad9e927ef303c0844f40a0b5cc26ee82536f2274eb38af1088d33729d685b4f9415ecb7be84

C:\Windows\System\ArfEHlS.exe

MD5 8003c8ca1c6255c4a9df50b61d369786
SHA1 ef521c59d5519424152618453d9a1ec413a267cf
SHA256 caa068826195e26df36f4f536e4c6574635de1b7a9a02c85ee8ca5d8d8224bf8
SHA512 0384a1e885e5629a148689a8b4027e18c5b2d083fe94b00bac0956a112bba29ab292c390c9a09436cf2e74109a83853e787b70a1e1be9d9ef015a376f3eba795
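The dropped-file listing is flat text, and one path (C:\Windows\System\mZgeLVA.exe) appears twice with different digests. The script below is an added example, not part of the sandbox report, that parses entries of this shape into structured IOCs, validates every digest by length and character set, and flags any path the sandbox saw with more than one content. It assumes only the layout visible above (a drive-letter path line followed by MD5, SHA1, SHA256 and SHA512 lines); the three embedded entries are copied from the listing.

```python
import re
from collections import defaultdict

# Three entries copied verbatim from the dropped-file listing above; the whole
# listing has the same shape (path line, then MD5/SHA1/SHA256/SHA512 lines).
FILES_SECTION = r"""
C:\Windows\System\mZgeLVA.exe

MD5 6fb6863d9548f3879b1ba1b64fc45a68
SHA1 0dc40616de903c417cc9a8b581f9078af09ea60a
SHA256 b26b72ca0ef6d18aef032253470a78a13f48dcd486b2eb6e1570c96324293e82
SHA512 cf09c13915872b96dcf1f62eac8174c1c1dfa4aabd64fb9272008df1f24e451a988f1edb48cb6ca8b7ef84d58508cf13cc3d0e709b84acf2687dd5617c6c3a61

C:\Windows\System\Jvxtwxn.exe

MD5 ad0bc882b54ae48afb2034b714dacb2c
SHA1 a76a975f198ded66f2e4cd8befb78ee2bb67be8e
SHA256 6d9223a495b50db1593b7ad40d2ffd2397b5dd376bcde6f64e781b58c0cc4dfa
SHA512 65f64452f2da926eb7f6990111241d0a295f38e4a6077a250326428d3153f658096bc4ebc4f6765063fa38884ff833dee62536bf94a5324a2a10d4652b764170

C:\Windows\System\mZgeLVA.exe

MD5 9e136eecdd2c9fd44973c17a490e14c6
SHA1 c12d059e76874d6d3637069ac676b5d1ab0e30af
SHA256 d3c5406769d044aab6389d785b34dc0848c603b64b5882adbe39bc4b0d43ace4
SHA512 92d1223defadfdcd80c7b551f20755adb1dafa51c0bca907534648f67443325d17af44a456ec2139d79750f03f59b57704ed7555f8498daaa327250f8b6fcfaa
"""

# Hex-digit length each digest in the report must have.
DIGEST_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
PATH_RE = re.compile(r"^[A-Za-z]:\\")
HEX_RE = re.compile(r"^[0-9a-f]+$")


def parse_dropped_files(text):
    """Turn the flattened listing into one dict per dropped file.

    A path line opens an entry; the digest lines that follow belong to it.
    Each digest is checked for length and hex-only content so a truncated
    copy/paste is caught here, not after the IOC has shipped.
    """
    entries, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if PATH_RE.match(line):
            current = {"path": line}
            entries.append(current)
            continue
        algo, _, digest = line.partition(" ")
        digest = digest.strip().lower()
        if current is None or algo not in DIGEST_LEN:
            raise ValueError(f"unexpected line: {line!r}")
        if len(digest) != DIGEST_LEN[algo] or not HEX_RE.match(digest):
            raise ValueError(f"{current['path']}: malformed {algo} {digest!r}")
        if algo in current:
            raise ValueError(f"{current['path']}: duplicate {algo} line")
        current[algo] = digest
    for entry in entries:
        missing = [a for a in DIGEST_LEN if a not in entry]
        if missing:
            raise ValueError(f"{entry['path']}: missing {', '.join(missing)}")
    return entries


def paths_with_multiple_contents(entries):
    """Paths the sandbox recorded with more than one distinct SHA256.

    The same filename carrying different content means the file was rewritten
    during the run, so the path alone is a weak indicator and every hash
    has to be kept.
    """
    by_path = defaultdict(set)
    for entry in entries:
        by_path[entry["path"]].add(entry["SHA256"])
    return {p: sorted(h) for p, h in by_path.items() if len(h) > 1}


def unique_sha256(entries):
    """Sorted, de-duplicated SHA256 set suitable for a blocklist feed."""
    return sorted({entry["SHA256"] for entry in entries})


if __name__ == "__main__":
    parsed = parse_dropped_files(FILES_SECTION)
    for path, hashes in paths_with_multiple_contents(parsed).items():
        print(f"{path} seen with {len(hashes)} different contents")
    print("\n".join(unique_sha256(parsed)))
```

Paste the whole listing into FILES_SECTION to get the full hash set; the parser raises on any entry that is missing a digest or carries a malformed one rather than silently emitting a partial IOC.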

memory/4064-115-0x00007FF6A2880000-0x00007FF6A2BD4000-memory.dmp

memory/4040-116-0x00007FF623DD0000-0x00007FF624124000-memory.dmp

memory/3348-119-0x00007FF6CBC20000-0x00007FF6CBF74000-memory.dmp

memory/1412-121-0x00007FF79BA60000-0x00007FF79BDB4000-memory.dmp

memory/3992-120-0x00007FF6325A0000-0x00007FF6328F4000-memory.dmp

memory/3496-118-0x00007FF79C550000-0x00007FF79C8A4000-memory.dmp

memory/4500-117-0x00007FF7372D0000-0x00007FF737624000-memory.dmp

memory/4836-122-0x00007FF6894E0000-0x00007FF689834000-memory.dmp

memory/4684-123-0x00007FF758C30000-0x00007FF758F84000-memory.dmp

memory/708-124-0x00007FF69E610000-0x00007FF69E964000-memory.dmp

memory/4892-126-0x00007FF656640000-0x00007FF656994000-memory.dmp

memory/4312-127-0x00007FF7CF890000-0x00007FF7CFBE4000-memory.dmp

memory/2944-125-0x00007FF651590000-0x00007FF6518E4000-memory.dmp

memory/4796-128-0x00007FF718FC0000-0x00007FF719314000-memory.dmp

memory/3180-129-0x00007FF6F42F0000-0x00007FF6F4644000-memory.dmp

memory/1544-130-0x00007FF6DBF50000-0x00007FF6DC2A4000-memory.dmp

memory/1444-131-0x00007FF7FB420000-0x00007FF7FB774000-memory.dmp

memory/3248-132-0x00007FF726AC0000-0x00007FF726E14000-memory.dmp

memory/4780-133-0x00007FF77F140000-0x00007FF77F494000-memory.dmp

memory/4640-134-0x00007FF7CACB0000-0x00007FF7CB004000-memory.dmp

memory/4340-135-0x00007FF67ABB0000-0x00007FF67AF04000-memory.dmp

memory/3180-136-0x00007FF6F42F0000-0x00007FF6F4644000-memory.dmp

memory/1544-137-0x00007FF6DBF50000-0x00007FF6DC2A4000-memory.dmp

memory/1444-138-0x00007FF7FB420000-0x00007FF7FB774000-memory.dmp

memory/3248-139-0x00007FF726AC0000-0x00007FF726E14000-memory.dmp

memory/4780-140-0x00007FF77F140000-0x00007FF77F494000-memory.dmp

memory/4640-141-0x00007FF7CACB0000-0x00007FF7CB004000-memory.dmp

memory/1496-142-0x00007FF621D20000-0x00007FF622074000-memory.dmp

memory/4064-143-0x00007FF6A2880000-0x00007FF6A2BD4000-memory.dmp

memory/4040-144-0x00007FF623DD0000-0x00007FF624124000-memory.dmp

memory/4500-145-0x00007FF7372D0000-0x00007FF737624000-memory.dmp

memory/3496-146-0x00007FF79C550000-0x00007FF79C8A4000-memory.dmp

memory/3348-147-0x00007FF6CBC20000-0x00007FF6CBF74000-memory.dmp

memory/3992-148-0x00007FF6325A0000-0x00007FF6328F4000-memory.dmp

memory/1412-149-0x00007FF79BA60000-0x00007FF79BDB4000-memory.dmp

memory/4836-150-0x00007FF6894E0000-0x00007FF689834000-memory.dmp

memory/4684-151-0x00007FF758C30000-0x00007FF758F84000-memory.dmp

memory/708-152-0x00007FF69E610000-0x00007FF69E964000-memory.dmp

memory/2944-153-0x00007FF651590000-0x00007FF6518E4000-memory.dmp

memory/4312-155-0x00007FF7CF890000-0x00007FF7CFBE4000-memory.dmp

memory/4892-154-0x00007FF656640000-0x00007FF656994000-memory.dmp

memory/4340-156-0x00007FF67ABB0000-0x00007FF67AF04000-memory.dmp
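Every region in this list spans the same number of bytes, and the names encode which process each dump was taken from. The script below is an added example, not part of the sandbox report: it parses the dump names, checks that each region is sane, and summarizes them per process, which shows that one image-sized region was captured from many processes at a different base in each, and that most processes were dumped twice over the identical range. The field meaning `memory/<pid>-<index>-0x<start>-0x<end>-memory.dmp` is an assumption inferred from the names, not something the report states; the 42 names embedded are copied from the list above.

```python
import re
from collections import defaultdict

# The 42 dump names from the listing above, copied verbatim.
DUMP_LIST = """
memory/4064-115-0x00007FF6A2880000-0x00007FF6A2BD4000-memory.dmp
memory/4040-116-0x00007FF623DD0000-0x00007FF624124000-memory.dmp
memory/3348-119-0x00007FF6CBC20000-0x00007FF6CBF74000-memory.dmp
memory/1412-121-0x00007FF79BA60000-0x00007FF79BDB4000-memory.dmp
memory/3992-120-0x00007FF6325A0000-0x00007FF6328F4000-memory.dmp
memory/3496-118-0x00007FF79C550000-0x00007FF79C8A4000-memory.dmp
memory/4500-117-0x00007FF7372D0000-0x00007FF737624000-memory.dmp
memory/4836-122-0x00007FF6894E0000-0x00007FF689834000-memory.dmp
memory/4684-123-0x00007FF758C30000-0x00007FF758F84000-memory.dmp
memory/708-124-0x00007FF69E610000-0x00007FF69E964000-memory.dmp
memory/4892-126-0x00007FF656640000-0x00007FF656994000-memory.dmp
memory/4312-127-0x00007FF7CF890000-0x00007FF7CFBE4000-memory.dmp
memory/2944-125-0x00007FF651590000-0x00007FF6518E4000-memory.dmp
memory/4796-128-0x00007FF718FC0000-0x00007FF719314000-memory.dmp
memory/3180-129-0x00007FF6F42F0000-0x00007FF6F4644000-memory.dmp
memory/1544-130-0x00007FF6DBF50000-0x00007FF6DC2A4000-memory.dmp
memory/1444-131-0x00007FF7FB420000-0x00007FF7FB774000-memory.dmp
memory/3248-132-0x00007FF726AC0000-0x00007FF726E14000-memory.dmp
memory/4780-133-0x00007FF77F140000-0x00007FF77F494000-memory.dmp
memory/4640-134-0x00007FF7CACB0000-0x00007FF7CB004000-memory.dmp
memory/4340-135-0x00007FF67ABB0000-0x00007FF67AF04000-memory.dmp
memory/3180-136-0x00007FF6F42F0000-0x00007FF6F4644000-memory.dmp
memory/1544-137-0x00007FF6DBF50000-0x00007FF6DC2A4000-memory.dmp
memory/1444-138-0x00007FF7FB420000-0x00007FF7FB774000-memory.dmp
memory/3248-139-0x00007FF726AC0000-0x00007FF726E14000-memory.dmp
memory/4780-140-0x00007FF77F140000-0x00007FF77F494000-memory.dmp
memory/4640-141-0x00007FF7CACB0000-0x00007FF7CB004000-memory.dmp
memory/1496-142-0x00007FF621D20000-0x00007FF622074000-memory.dmp
memory/4064-143-0x00007FF6A2880000-0x00007FF6A2BD4000-memory.dmp
memory/4040-144-0x00007FF623DD0000-0x00007FF624124000-memory.dmp
memory/4500-145-0x00007FF7372D0000-0x00007FF737624000-memory.dmp
memory/3496-146-0x00007FF79C550000-0x00007FF79C8A4000-memory.dmp
memory/3348-147-0x00007FF6CBC20000-0x00007FF6CBF74000-memory.dmp
memory/3992-148-0x00007FF6325A0000-0x00007FF6328F4000-memory.dmp
memory/1412-149-0x00007FF79BA60000-0x00007FF79BDB4000-memory.dmp
memory/4836-150-0x00007FF6894E0000-0x00007FF689834000-memory.dmp
memory/4684-151-0x00007FF758C30000-0x00007FF758F84000-memory.dmp
memory/708-152-0x00007FF69E610000-0x00007FF69E964000-memory.dmp
memory/2944-153-0x00007FF651590000-0x00007FF6518E4000-memory.dmp
memory/4312-155-0x00007FF7CF890000-0x00007FF7CFBE4000-memory.dmp
memory/4892-154-0x00007FF656640000-0x00007FF656994000-memory.dmp
memory/4340-156-0x00007FF67ABB0000-0x00007FF67AF04000-memory.dmp
"""
DUMP_NAMES = DUMP_LIST.split()

# Assumed naming convention (inferred from the names, not documented here):
#   memory/<pid>-<dump index>-0x<region start>-0x<region end>-memory.dmp
DUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<idx>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
    r"-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)
PAGE = 0x1000


def parse_dump_name(name):
    """Split one dump filename into pid, index, start, end and size."""
    m = DUMP_RE.match(name.strip())
    if m is None:
        raise ValueError(f"not a memory dump name: {name!r}")
    start, end = int(m["start"], 16), int(m["end"], 16)
    if end <= start:
        raise ValueError(f"{name}: end {end:#x} is not above start {start:#x}")
    if start % PAGE or end % PAGE:
        raise ValueError(f"{name}: region is not page aligned")
    return {"pid": int(m["pid"]), "idx": int(m["idx"]),
            "start": start, "end": end, "size": end - start}


def summarize(names):
    """Group dumps by process and report what the names alone reveal."""
    dumps = [parse_dump_name(n) for n in names]
    by_pid = defaultdict(list)
    for d in dumps:
        by_pid[d["pid"]].append(d)
    # A pid whose dumps all cover one identical range was captured more than
    # once (each capture is its own file), so de-duplicate before bulk scanning.
    repeated = {}
    for pid, ds in by_pid.items():
        ranges = {(d["start"], d["end"]) for d in ds}
        if len(ds) > 1 and len(ranges) == 1:
            repeated[pid] = sorted(d["idx"] for d in ds)
    return {
        "dumps": len(dumps),
        "pids": sorted(by_pid),
        "sizes": sorted({d["size"] for d in dumps}),
        "unique_bases": len({d["start"] for d in dumps}),
        "repeated": repeated,
    }


if __name__ == "__main__":
    s = summarize(DUMP_NAMES)
    print(f"{s['dumps']} dumps from {len(s['pids'])} processes, "
          f"sizes {[hex(x) for x in s['sizes']]}, "
          f"{s['unique_bases']} distinct bases, "
          f"{len(s['repeated'])} processes dumped twice over the same range")
```

On this listing the summary is 42 dumps from 22 processes, a single region size of 0x354000 bytes, 22 distinct bases and 20 processes captured twice over the same range. One size mapped at a different base in every process is what a single PE image loaded under ASLR looks like, so a scan over these dumps need only cover one file per (pid, start, end) triple, and any rule that fires on one of them should be re-run on the others to confirm the image is the same in every process rather than assumed.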