Malware Analysis Report

2024-10-16 03:09

Sample ID 240608-1kwt5she42
Target 2024-06-08_2573fdfcd160ab4cd9ecdcb30d0867df_cobalt-strike_cobaltstrike
SHA256 f1e11b8a88c3a69f98cafe4c1d1b4476c17f12e9bf0c028e4cdb545291cab9de
Tags
miner upx 0 xmrig cobaltstrike backdoor trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

f1e11b8a88c3a69f98cafe4c1d1b4476c17f12e9bf0c028e4cdb545291cab9de

Threat Level: Known bad

The file 2024-06-08_2573fdfcd160ab4cd9ecdcb30d0867df_cobalt-strike_cobaltstrike was found to be: Known bad.

Malicious Activity Summary

miner upx 0 xmrig cobaltstrike backdoor trojan

Detects Reflective DLL injection artifacts

Xmrig family

XMRig Miner payload

Cobaltstrike family

xmrig

UPX dump on OEP (original entry point)

Cobaltstrike

Cobalt Strike reflective loader

Loads dropped DLL

UPX packed file

Executes dropped EXE

Drops file in Windows directory

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-08 21:43

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike family

cobaltstrike

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Xmrig family

xmrig

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-08 21:43

Reported

2024-06-08 21:46

Platform

win7-20240221-en

Max time kernel

132s

Max time network

144s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-08_2573fdfcd160ab4cd9ecdcb30d0867df_cobalt-strike_cobaltstrike.exe"

Signatures

xmrig

miner xmrig

UPX dump on OEP (original entry point)

Description Indicator Process Target
(24 matches; the report gives no description, indicator, process or target for any of them)

XMRig Miner payload

miner
Description Indicator Process Target
(40 matches; the report gives no description, indicator, process or target for any of them)

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_2573fdfcd160ab4cd9ecdcb30d0867df_cobalt-strike_cobaltstrike.exe N/A (21 DLL loads attributed to this process; no description, indicator or target recorded)

UPX packed file

upx
Description Indicator Process Target
(43 matches; the report gives no description, indicator, process or target for any of them)

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\KNwfySR.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_2573fdfcd160ab4cd9ecdcb30d0867df_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\knllakV.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_2573fdfcd160ab4cd9ecdcb30d0867df_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\JCCxDHe.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_2573fdfcd160ab4cd9ecdcb30d0867df_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ZCiMwrI.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_2573fdfcd160ab4cd9ecdcb30d0867df_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\qkaAYEm.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_2573fdfcd160ab4cd9ecdcb30d0867df_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\vlsTMGv.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_2573fdfcd160ab4cd9ecdcb30d0867df_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\WuTSdyc.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_2573fdfcd160ab4cd9ecdcb30d0867df_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\uibHlBe.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_2573fdfcd160ab4cd9ecdcb30d0867df_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\LTPprxh.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_2573fdfcd160ab4cd9ecdcb30d0867df_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\axyrVxp.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_2573fdfcd160ab4cd9ecdcb30d0867df_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\WRiPcvL.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_2573fdfcd160ab4cd9ecdcb30d0867df_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\EbSOoWF.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_2573fdfcd160ab4cd9ecdcb30d0867df_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\EzvMjfE.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_2573fdfcd160ab4cd9ecdcb30d0867df_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\vFWIPRp.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_2573fdfcd160ab4cd9ecdcb30d0867df_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\HSCTHvB.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_2573fdfcd160ab4cd9ecdcb30d0867df_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\znlPPXA.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_2573fdfcd160ab4cd9ecdcb30d0867df_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\vslijfQ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_2573fdfcd160ab4cd9ecdcb30d0867df_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\kSRMgEM.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_2573fdfcd160ab4cd9ecdcb30d0867df_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\faeCEoD.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_2573fdfcd160ab4cd9ecdcb30d0867df_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\YIpYbwP.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_2573fdfcd160ab4cd9ecdcb30d0867df_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ukeeNSN.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_2573fdfcd160ab4cd9ecdcb30d0867df_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_2573fdfcd160ab4cd9ecdcb30d0867df_cobalt-strike_cobaltstrike.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_2573fdfcd160ab4cd9ecdcb30d0867df_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2868 wrote to memory of 2072 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_2573fdfcd160ab4cd9ecdcb30d0867df_cobalt-strike_cobaltstrike.exe C:\Windows\System\kSRMgEM.exe
PID 2868 wrote to memory of 2740 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_2573fdfcd160ab4cd9ecdcb30d0867df_cobalt-strike_cobaltstrike.exe C:\Windows\System\HSCTHvB.exe
PID 2868 wrote to memory of 2964 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_2573fdfcd160ab4cd9ecdcb30d0867df_cobalt-strike_cobaltstrike.exe C:\Windows\System\ZCiMwrI.exe
PID 2868 wrote to memory of 2680 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_2573fdfcd160ab4cd9ecdcb30d0867df_cobalt-strike_cobaltstrike.exe C:\Windows\System\WRiPcvL.exe
PID 2868 wrote to memory of 2616 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_2573fdfcd160ab4cd9ecdcb30d0867df_cobalt-strike_cobaltstrike.exe C:\Windows\System\qkaAYEm.exe
PID 2868 wrote to memory of 1152 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_2573fdfcd160ab4cd9ecdcb30d0867df_cobalt-strike_cobaltstrike.exe C:\Windows\System\vlsTMGv.exe
PID 2868 wrote to memory of 2064 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_2573fdfcd160ab4cd9ecdcb30d0867df_cobalt-strike_cobaltstrike.exe C:\Windows\System\WuTSdyc.exe
PID 2868 wrote to memory of 2548 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_2573fdfcd160ab4cd9ecdcb30d0867df_cobalt-strike_cobaltstrike.exe C:\Windows\System\uibHlBe.exe
PID 2868 wrote to memory of 2208 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_2573fdfcd160ab4cd9ecdcb30d0867df_cobalt-strike_cobaltstrike.exe C:\Windows\System\KNwfySR.exe
PID 2868 wrote to memory of 2456 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_2573fdfcd160ab4cd9ecdcb30d0867df_cobalt-strike_cobaltstrike.exe C:\Windows\System\knllakV.exe
PID 2868 wrote to memory of 2516 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_2573fdfcd160ab4cd9ecdcb30d0867df_cobalt-strike_cobaltstrike.exe C:\Windows\System\faeCEoD.exe
PID 2868 wrote to memory of 2892 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_2573fdfcd160ab4cd9ecdcb30d0867df_cobalt-strike_cobaltstrike.exe C:\Windows\System\JCCxDHe.exe
PID 2868 wrote to memory of 2904 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_2573fdfcd160ab4cd9ecdcb30d0867df_cobalt-strike_cobaltstrike.exe C:\Windows\System\LTPprxh.exe
PID 2868 wrote to memory of 1456 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_2573fdfcd160ab4cd9ecdcb30d0867df_cobalt-strike_cobaltstrike.exe C:\Windows\System\axyrVxp.exe
PID 2868 wrote to memory of 2764 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_2573fdfcd160ab4cd9ecdcb30d0867df_cobalt-strike_cobaltstrike.exe C:\Windows\System\znlPPXA.exe
PID 2868 wrote to memory of 2872 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_2573fdfcd160ab4cd9ecdcb30d0867df_cobalt-strike_cobaltstrike.exe C:\Windows\System\EbSOoWF.exe
PID 2868 wrote to memory of 1528 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_2573fdfcd160ab4cd9ecdcb30d0867df_cobalt-strike_cobaltstrike.exe C:\Windows\System\YIpYbwP.exe
PID 2868 wrote to memory of 1996 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_2573fdfcd160ab4cd9ecdcb30d0867df_cobalt-strike_cobaltstrike.exe C:\Windows\System\ukeeNSN.exe
PID 2868 wrote to memory of 1828 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_2573fdfcd160ab4cd9ecdcb30d0867df_cobalt-strike_cobaltstrike.exe C:\Windows\System\vslijfQ.exe
PID 2868 wrote to memory of 380 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_2573fdfcd160ab4cd9ecdcb30d0867df_cobalt-strike_cobaltstrike.exe C:\Windows\System\EzvMjfE.exe
PID 2868 wrote to memory of 1832 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_2573fdfcd160ab4cd9ecdcb30d0867df_cobalt-strike_cobaltstrike.exe C:\Windows\System\vFWIPRp.exe
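The signature rows above describe one chain: PID 2868 creates a seven-letter .exe under C:\Windows\System\ (not System32), launches it, writes into the new child's memory, and enables SeLockMemoryPrivilege, the privilege XMRig needs to back its RandomX memory with large pages on Windows. The detection below turns that chain into two rules run over event records. It is an added example, not part of the sandbox report or of any vendor ruleset: EVENTS is a constructed list in Sysmon-style field names (FileCreate id 11, ProcessCreate id 1) plus Windows Security event 4703 for the privilege change; the field names, the benign noise entries and the LOCK_MEMORY_ALLOWLIST are assumptions, and the seven-letter name pattern is taken from this sample's drops, not a general property of the family.

```python
"""Detection logic for the drop-and-execute chain recorded in behavioral1.

Added example, not part of the sandbox report. EVENTS is a constructed,
Sysmon-style event list (field names are assumptions, not a real export): it
replays PID 2868 creating executables under C:\\Windows\\System\\, launching
them and enabling SeLockMemoryPrivilege, plus benign noise for the rules to ignore.
"""
import re
from collections import defaultdict

SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\2024-06-08_2573fdfcd160ab4cd9ecdcb30d0867df_cobalt-strike_cobaltstrike.exe")

# id 11 = Sysmon FileCreate, id 1 = Sysmon ProcessCreate,
# id 4703 = Windows Security "token right adjusted" (Windows 10 / Server 2016 and later).
EVENTS = [
    {"id": 11, "pid": 2868, "image": SAMPLE, "target": r"C:\Windows\System\kSRMgEM.exe"},
    {"id": 11, "pid": 2868, "image": SAMPLE, "target": r"C:\Windows\System\HSCTHvB.exe"},
    {"id": 4703, "pid": 2868, "image": SAMPLE, "privileges": ["SeLockMemoryPrivilege"]},
    {"id": 1, "pid": 2072, "ppid": 2868, "image": r"C:\Windows\System\kSRMgEM.exe", "parent_image": SAMPLE},
    {"id": 1, "pid": 2740, "ppid": 2868, "image": r"C:\Windows\System\HSCTHvB.exe", "parent_image": SAMPLE},
    # Benign noise (constructed): an installer that drops into Program Files and starts what it dropped.
    {"id": 11, "pid": 500, "image": r"C:\setup.exe", "target": r"C:\Program Files\App\app.exe"},
    {"id": 1, "pid": 501, "ppid": 500, "image": r"C:\Program Files\App\app.exe", "parent_image": r"C:\setup.exe"},
    # Benign noise (constructed): SQL Server legitimately holds SeLockMemoryPrivilege for large pages.
    {"id": 4703, "pid": 900, "image": r"C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe",
     "privileges": ["SeLockMemoryPrivilege"]},
]

# C:\Windows\System (not System32) is not a normal drop location. The seven-letter
# mixed-case names are what this sample produced (see "Drops file in Windows
# directory"), so the name part of the pattern is an observation, not a general rule.
DROP_PATTERN = re.compile(r"^c:\\windows\\system\\[a-z]{7}\.exe$", re.IGNORECASE)

# Images allowed to enable SeLockMemoryPrivilege (large pages). Assumed, not from the report;
# an allowlist like this is what keeps the rule quiet on database hosts.
LOCK_MEMORY_ALLOWLIST = {"sqlservr.exe"}


def find_drop_and_execute(events):
    """Return (creator_pid, dropped_path, child_pid) for every executable a process
    writes under C:\\Windows\\System\\ and then launches as its own child."""
    dropped = defaultdict(set)          # creator pid -> casefolded paths it created
    for ev in events:
        if ev["id"] == 11 and DROP_PATTERN.match(ev["target"]):
            dropped[ev["pid"]].add(ev["target"].casefold())
    hits = []
    for ev in events:
        if ev["id"] == 1 and ev["image"].casefold() in dropped.get(ev["ppid"], ()):
            hits.append((ev["ppid"], ev["image"], ev["pid"]))
    return hits


def find_lock_memory_privilege(events):
    """PIDs that enabled SeLockMemoryPrivilege and are not on the allowlist.
    XMRig requests this privilege to allocate large pages for its RandomX memory,
    which is why the AdjustPrivilegeToken rows above name it."""
    hits = []
    for ev in events:
        if ev["id"] != 4703 or "SeLockMemoryPrivilege" not in ev["privileges"]:
            continue
        exe = ev["image"].rsplit("\\", 1)[-1].casefold()
        if exe not in LOCK_MEMORY_ALLOWLIST:
            hits.append(ev["pid"])
    return hits


if __name__ == "__main__":
    for creator, path, child in find_drop_and_execute(EVENTS):
        print(f"drop-and-execute: pid {creator} wrote {path} and launched it as pid {child}")
    for pid in find_lock_memory_privilege(EVENTS):
        print(f"SeLockMemoryPrivilege enabled by unexpected pid {pid}")
```

The first rule keys on the combination (a file written under C:\Windows\System\ by the same process that later appears as its parent) rather than on either event alone, since installers write and launch executables all the time but not into that directory. The second rule is only useful with an allowlist: on a host that runs SQL Server or another large-page consumer, SeLockMemoryPrivilege alone is not a finding.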

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-08_2573fdfcd160ab4cd9ecdcb30d0867df_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-08_2573fdfcd160ab4cd9ecdcb30d0867df_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\kSRMgEM.exe

C:\Windows\System\kSRMgEM.exe

C:\Windows\System\HSCTHvB.exe

C:\Windows\System\HSCTHvB.exe

C:\Windows\System\ZCiMwrI.exe

C:\Windows\System\ZCiMwrI.exe

C:\Windows\System\WRiPcvL.exe

C:\Windows\System\WRiPcvL.exe

C:\Windows\System\qkaAYEm.exe

C:\Windows\System\qkaAYEm.exe

C:\Windows\System\vlsTMGv.exe

C:\Windows\System\vlsTMGv.exe

C:\Windows\System\WuTSdyc.exe

C:\Windows\System\WuTSdyc.exe

C:\Windows\System\uibHlBe.exe

C:\Windows\System\uibHlBe.exe

C:\Windows\System\KNwfySR.exe

C:\Windows\System\KNwfySR.exe

C:\Windows\System\knllakV.exe

C:\Windows\System\knllakV.exe

C:\Windows\System\faeCEoD.exe

C:\Windows\System\faeCEoD.exe

C:\Windows\System\JCCxDHe.exe

C:\Windows\System\JCCxDHe.exe

C:\Windows\System\LTPprxh.exe

C:\Windows\System\LTPprxh.exe

C:\Windows\System\axyrVxp.exe

C:\Windows\System\axyrVxp.exe

C:\Windows\System\znlPPXA.exe

C:\Windows\System\znlPPXA.exe

C:\Windows\System\EbSOoWF.exe

C:\Windows\System\EbSOoWF.exe

C:\Windows\System\YIpYbwP.exe

C:\Windows\System\YIpYbwP.exe

C:\Windows\System\ukeeNSN.exe

C:\Windows\System\ukeeNSN.exe

C:\Windows\System\vslijfQ.exe

C:\Windows\System\vslijfQ.exe

C:\Windows\System\EzvMjfE.exe

C:\Windows\System\EzvMjfE.exe

C:\Windows\System\vFWIPRp.exe

C:\Windows\System\vFWIPRp.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 (no domain recorded) tcp (6 connections)

Files

memory/2868-0-0x000000013F5F0000-0x000000013F944000-memory.dmp

memory/2868-1-0x00000000003F0000-0x0000000000400000-memory.dmp

memory/2072-24-0x000000013FFF0000-0x0000000140344000-memory.dmp

memory/2680-32-0x000000013FDF0000-0x0000000140144000-memory.dmp

C:\Windows\system\vlsTMGv.exe

MD5 fbb6a602f644dbf57142122f30692c9a
SHA1 8158aaa7168744874ea387599d6d2cead21e28a3
SHA256 3ededef3bd2586830b0a8597cb8ce36b4909b0421f6d3ed699083dfd6f8c0a7d
SHA512 594ad340712d040831c50ecaffbc2dabd957ed3d1d45fbdcb2c0a001df0ecad88502ea7ae79d922d80e7ca9a296427129145281a618e70a75857e869e5c45bfe

memory/2064-45-0x000000013FA90000-0x000000013FDE4000-memory.dmp

memory/2548-81-0x000000013F760000-0x000000013FAB4000-memory.dmp

C:\Windows\system\znlPPXA.exe

MD5 ce95ecfd82cad989d07f01bb5a4e0e62
SHA1 9c404e62c6a147d88e2c4214a4a0c1206972e9c1
SHA256 593e7bd118d819d8e39ef2651ab132601260307c705634ada0a2db317b292576
SHA512 c2ff795a22229b7c15805b1e961a5dfe271dec3d9731c58be06511c88be95cff0caaac2a29a6db9c14604bb11c8d799f874a0f83a490e055a4995d26515db084

C:\Windows\system\EbSOoWF.exe

MD5 7ca4c7d08ec840a69d3101c638d4b72f
SHA1 9a0bd3c709f755b63121fadc936f446aec1e7ee6
SHA256 ad375c6a067690acfdb9ba070a3a7e26450ca7423af526c703ce192d7173f7e7
SHA512 93ae69558c6397f1d10b68fc7e156b1c23dffe4348c43264d4d2484e88db3346ef1d13b6b607cc291558edc2cbc35a0667021d52c5cf7e17eeb41ed495e23c3b

memory/2868-107-0x000000013FA50000-0x000000013FDA4000-memory.dmp

memory/2868-130-0x000000013FC30000-0x000000013FF84000-memory.dmp

memory/1456-126-0x000000013FD70000-0x00000001400C4000-memory.dmp

memory/2904-120-0x000000013F5E0000-0x000000013F934000-memory.dmp

C:\Windows\system\ukeeNSN.exe

MD5 d872631fef320bcfe95799f5b4c466cb
SHA1 451a1400f207f69d35ba907e243aed76879dcd2c
SHA256 2c35d06862247b330fc3f8d9e6af582fea555fda1909ac568685a45fc440b438
SHA512 2386867492e72b11ef633226d6bd8e4694f30ef287e4120da56c256823abf746800962069c455536682137d30dfdae1f3be9dfc70d5390788973809462de138d

memory/2456-110-0x000000013F140000-0x000000013F494000-memory.dmp

memory/2868-103-0x000000013F140000-0x000000013F494000-memory.dmp

memory/2868-100-0x000000013FF70000-0x00000001402C4000-memory.dmp

memory/2868-99-0x00000000023D0000-0x0000000002724000-memory.dmp

memory/2868-93-0x000000013FD70000-0x00000001400C4000-memory.dmp

memory/2892-92-0x000000013F820000-0x000000013FB74000-memory.dmp

memory/2516-89-0x000000013FA50000-0x000000013FDA4000-memory.dmp

memory/2208-85-0x000000013FF70000-0x00000001402C4000-memory.dmp

C:\Windows\system\axyrVxp.exe

MD5 182702f8c189f2105671b3b193ea01bd
SHA1 5cbe4a492c7f661166b4ece7955c0ec73fadc31d
SHA256 a26e7690e7bc3ea344b69a7055744b04ab0a6a6f5efc215cd98698c2786c3f7f
SHA512 81af6029078315813c434ae562db848bfccfd0ce021093ded729c0431bbbdfab770bb5cf5e5e10bac76b9afc8886a0732e92ae0912c9dff147628a2530f045d1

\Windows\system\axyrVxp.exe

MD5 ffafad94c04d076c16e861ff07a4cb57
SHA1 c3501d64aef8c1b093200710a06e749c69db782a
SHA256 8937d79446003663139b48fb488b397b86db6056b10f97b4b51376a75074f295
SHA512 64f6a6b1b0b877c82172b2c14c03c94dd8e19ddfeb29793c31f8e0d87bb2bb2fc63432b7cfddd5451417062117de8a69817c2cc596bd537558b9b01636a48700

memory/2868-75-0x000000013FA90000-0x000000013FDE4000-memory.dmp

memory/2868-64-0x000000013F980000-0x000000013FCD4000-memory.dmp

C:\Windows\system\KNwfySR.exe

MD5 ca2c8fc23ac2c4dd58545d16927e5bef
SHA1 b94b35150eb75787af3ce6aea401e04f2ec70fc4
SHA256 51b2f421412d1c153d42b830056e97b87fc530680dc92b4e38ffc670147a2fef
SHA512 1d2438ad0849ebaa3adb73c2fd279bcc7d191070217788022edef321689dfafee2b67a7644710d778788f25a062e16a16f37020f5aabaf59a89fd5b4e304a9ce

C:\Windows\system\uibHlBe.exe

MD5 0642442db4acbbfb6037e06789624264
SHA1 923aee440a6887c7a7a8a78085aa492b2cdcee65
SHA256 5d6249e3d37c32c515e6f20e0771180c7b51c791102dfffe39e4510d623eda85
SHA512 7fc8231c299b64743a966130c519362217b11d421c0ccc65ca7c97570221449b6e5bd90caefa97b416470db36fac07c3f48ea41836b395ab190e6121598e88a1

memory/2868-46-0x00000000023D0000-0x0000000002724000-memory.dmp

C:\Windows\system\WuTSdyc.exe

MD5 0b1dc771469fa6753e7aace834956918
SHA1 ab392eb1cb5fc16a55a2c41b7c5a6d56cfdeced7
SHA256 60a5948084400707991c40b4413636168d0f0501efbc67fab461d4937de55fb6
SHA512 6ff29d03eaaae06a15e3efe1ea402940d3f7a6e2ebae2266481a1a80576dd91702b1cbddedd5f74c67cdfdf217582f180323fa66c29c2525747039f60c34ba60

memory/1152-41-0x000000013F980000-0x000000013FCD4000-memory.dmp

memory/2616-36-0x000000013F8B0000-0x000000013FC04000-memory.dmp

memory/2964-31-0x000000013F7F0000-0x000000013FB44000-memory.dmp

memory/2740-25-0x000000013F570000-0x000000013F8C4000-memory.dmp

memory/2868-17-0x000000013FFF0000-0x0000000140344000-memory.dmp

C:\Windows\system\HSCTHvB.exe

MD5 6b5887af4274a78686a788865765637c
SHA1 5afc15e6fcbc11377bbabbda47ff43f6ebedd369
SHA256 ecdfed9bc02368fefbebe0d02090e93826b7e5cc1043e339dd245299c8b23006
SHA512 4f563e539f8ec68bbc27d4cc59c42ea4897bb131085e08433f745cc558ab7a030701a601ddb711cda19dfa6cd9086b458fb74762092be15aaa4190c05134d077

C:\Windows\system\kSRMgEM.exe

MD5 711965c0ed770375b388ea9b5ea57c70
SHA1 21f7ffc0c96b29ee6bc8176dc97f6fd049d110a2
SHA256 c07d701eb04ab4f8699484a3bd23da869373ffe5abb89855dad47bf019625666
SHA512 1805d8628649a043140bc3aafe1e7909e2e2c4d13967ba772fc49046b58f359c9204953c678c902e0a7afe7ca922f35fcfea6266309db91efb45c72ff619c428

memory/2868-131-0x000000013F5F0000-0x000000013F944000-memory.dmp

memory/1152-132-0x000000013F980000-0x000000013FCD4000-memory.dmp

memory/2868-133-0x00000000023D0000-0x0000000002724000-memory.dmp

memory/2064-134-0x000000013FA90000-0x000000013FDE4000-memory.dmp

memory/2680-138-0x000000013FDF0000-0x0000000140144000-memory.dmp

memory/2616-139-0x000000013F8B0000-0x000000013FC04000-memory.dmp

memory/1152-140-0x000000013F980000-0x000000013FCD4000-memory.dmp

memory/2064-141-0x000000013FA90000-0x000000013FDE4000-memory.dmp

memory/2548-142-0x000000013F760000-0x000000013FAB4000-memory.dmp

memory/2456-145-0x000000013F140000-0x000000013F494000-memory.dmp

memory/1456-148-0x000000013FD70000-0x00000001400C4000-memory.dmp

memory/2904-147-0x000000013F5E0000-0x000000013F934000-memory.dmp

memory/2892-146-0x000000013F820000-0x000000013FB74000-memory.dmp

memory/2516-144-0x000000013FA50000-0x000000013FDA4000-memory.dmp

memory/2208-143-0x000000013FF70000-0x00000001402C4000-memory.dmp

memory/2964-137-0x000000013F7F0000-0x000000013FB44000-memory.dmp

memory/2740-136-0x000000013F570000-0x000000013F8C4000-memory.dmp

memory/2072-135-0x000000013FFF0000-0x0000000140344000-memory.dmp
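The dump names in the Files list encode the dumped region for each process as memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp, and reading them that way shows something the flat list hides: the parent (2868) and every child listed here have a region of exactly 0x354000 bytes at a 0x13F... address, the parent has a second private region of the same 0x354000 size at 0x23D0000, and only the 0x3F0000 region is a different size (0x10000). A same-sized region in each dropped child is consistent with each of the 21 drops unpacking to the same image, which agrees with the UPX dump on OEP and XMRig Miner payload hits on the children; the report does not say what the regions contain, so that stays an inference. The list also carries axyrVxp.exe twice with different SHA256 values (once as C:\Windows\system\axyrVxp.exe, once drive-less). The parser below is an added example, not part of the sandbox report: DUMP_NAMES and FILE_HASHES are copied from the list above, and the only assumption is the naming convention the names themselves make explicit.

```python
"""Parsers for the behavioral1 Files section.

Added example, not part of the sandbox report. DUMP_NAMES and FILE_HASHES are
copied from the Files list; the only assumption is the sandbox's own
'memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp' naming convention.
"""
import re
from collections import Counter, defaultdict

DUMP_NAMES = [
    "memory/2868-0-0x000000013F5F0000-0x000000013F944000-memory.dmp",
    "memory/2868-1-0x00000000003F0000-0x0000000000400000-memory.dmp",
    "memory/2072-24-0x000000013FFF0000-0x0000000140344000-memory.dmp",
    "memory/2680-32-0x000000013FDF0000-0x0000000140144000-memory.dmp",
    "memory/2064-45-0x000000013FA90000-0x000000013FDE4000-memory.dmp",
    "memory/2868-46-0x00000000023D0000-0x0000000002724000-memory.dmp",
    "memory/2548-81-0x000000013F760000-0x000000013FAB4000-memory.dmp",
    "memory/2208-85-0x000000013FF70000-0x00000001402C4000-memory.dmp",
    "memory/2456-110-0x000000013F140000-0x000000013F494000-memory.dmp",
]

# (path exactly as printed in the report, SHA256) for three of the dropped files.
FILE_HASHES = [
    (r"C:\Windows\system\axyrVxp.exe",
     "a26e7690e7bc3ea344b69a7055744b04ab0a6a6f5efc215cd98698c2786c3f7f"),
    (r"\Windows\system\axyrVxp.exe",
     "8937d79446003663139b48fb488b397b86db6056b10f97b4b51376a75074f295"),
    (r"C:\Windows\system\KNwfySR.exe",
     "51b2f421412d1c153d42b830056e97b87fc530680dc92b4e38ffc670147a2fef"),
]

NAME_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")


def parse_dump_name(name):
    """Split a dump name into pid, sequence number, region start/end and size."""
    m = NAME_RE.match(name)
    if not m:
        raise ValueError(f"not a sandbox memory-dump name: {name}")
    pid, seq, start, end = m.groups()
    start, end = int(start, 16), int(end, 16)
    if end <= start:
        raise ValueError(f"empty or inverted region in {name}")
    return {"pid": int(pid), "seq": int(seq), "start": start, "end": end, "size": end - start}


def region_size_histogram(names):
    """How many dumped regions there are of each size."""
    return Counter(parse_dump_name(n)["size"] for n in names)


def pids_with_region_size(names, size):
    """Sorted PIDs that had a region of exactly this size dumped."""
    return sorted({parse_dump_name(n)["pid"] for n in names if parse_dump_name(n)["size"] == size})


def normalize_path(path):
    """Drop the drive letter and case so 'C:\\Windows\\system\\x.exe' and the
    drive-less '\\Windows\\system\\x.exe' compare equal."""
    p = path.casefold()
    return p[2:] if re.match(r"^[a-z]:", p) else p


def paths_with_multiple_hashes(file_hashes):
    """Paths listed with more than one distinct SHA256, i.e. files whose
    content differed between two points in the run."""
    seen = defaultdict(set)
    for path, sha256 in file_hashes:
        seen[normalize_path(path)].add(sha256.lower())
    return {p: sorted(h) for p, h in seen.items() if len(h) > 1}


if __name__ == "__main__":
    for size, count in region_size_histogram(DUMP_NAMES).most_common():
        print(f"{count:2d} regions of {size:#x} bytes in PIDs {pids_with_region_size(DUMP_NAMES, size)}")
    for path, hashes in paths_with_multiple_hashes(FILE_HASHES).items():
        print(f"{path}: {len(hashes)} different contents: {', '.join(h[:12] for h in hashes)}")
```

Paste the remaining dump names and file entries from the list above into the two tables to extend the check to the whole run; a 0x13F...-based region of identical size in every child is the quickest way to decide whether the drops deserve one unpacked-payload analysis or twenty-one.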

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-08 21:43

Reported

2024-06-08 21:46

Platform

win10v2004-20240508-en

Max time kernel

142s

Max time network

157s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-08_2573fdfcd160ab4cd9ecdcb30d0867df_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
(21 matches; the report gives no description, indicator, process or target for any of them)

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
(21 matches; the report gives no description, indicator, process or target for any of them)

UPX dump on OEP (original entry point)

Description Indicator Process Target
(64 matches; the report gives no description, indicator, process or target for any of them)

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Twenty-one executables with seven-letter mixed-case names are written to C:\Windows\System (the legacy directory, not System32). Creating files there requires administrative rights, so the sandbox user is running elevated; on a standard-user host this stage would fail with access denied.

Description Indicator Process Target
File created C:\Windows\System\nVJlkte.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_2573fdfcd160ab4cd9ecdcb30d0867df_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ekLYzOz.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_2573fdfcd160ab4cd9ecdcb30d0867df_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\dumJeqv.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_2573fdfcd160ab4cd9ecdcb30d0867df_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\BReRRRn.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_2573fdfcd160ab4cd9ecdcb30d0867df_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\GVOfoeo.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_2573fdfcd160ab4cd9ecdcb30d0867df_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\IbjbNpU.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_2573fdfcd160ab4cd9ecdcb30d0867df_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\SdTBnfZ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_2573fdfcd160ab4cd9ecdcb30d0867df_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\IKfYzcX.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_2573fdfcd160ab4cd9ecdcb30d0867df_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\BUpMDFm.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_2573fdfcd160ab4cd9ecdcb30d0867df_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\WSOhwQN.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_2573fdfcd160ab4cd9ecdcb30d0867df_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\qMsxQVS.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_2573fdfcd160ab4cd9ecdcb30d0867df_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\fKbaSQF.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_2573fdfcd160ab4cd9ecdcb30d0867df_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\uQiBcgq.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_2573fdfcd160ab4cd9ecdcb30d0867df_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\EQUDfic.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_2573fdfcd160ab4cd9ecdcb30d0867df_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\KdgiKvn.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_2573fdfcd160ab4cd9ecdcb30d0867df_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\AtKPFLw.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_2573fdfcd160ab4cd9ecdcb30d0867df_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\xMrDkXy.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_2573fdfcd160ab4cd9ecdcb30d0867df_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\jXdTBwD.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_2573fdfcd160ab4cd9ecdcb30d0867df_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\wPjIRHo.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_2573fdfcd160ab4cd9ecdcb30d0867df_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\mZKmuge.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_2573fdfcd160ab4cd9ecdcb30d0867df_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\DhdUPjQ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_2573fdfcd160ab4cd9ecdcb30d0867df_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

SeLockMemoryPrivilege is the privilege a process needs to allocate large pages. XMRig enables it to back its RandomX dataset with huge pages, so a process that is neither a database engine nor a hypervisor enabling this privilege is a strong miner indicator on its own.

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_2573fdfcd160ab4cd9ecdcb30d0867df_cobalt-strike_cobaltstrike.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_2573fdfcd160ab4cd9ecdcb30d0867df_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Every target is a child that the sample itself has just started, with two writes per child. That pattern is consistent with the writes a parent performs into a new process during CreateProcess, so this table on its own documents the spawning of the dropped executables rather than injection into a foreign process; the reflective-loader evidence comes from the signatures above.

Description Indicator Process Target
PID 4556 wrote to memory of 412 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_2573fdfcd160ab4cd9ecdcb30d0867df_cobalt-strike_cobaltstrike.exe C:\Windows\System\uQiBcgq.exe
PID 4556 wrote to memory of 412 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_2573fdfcd160ab4cd9ecdcb30d0867df_cobalt-strike_cobaltstrike.exe C:\Windows\System\uQiBcgq.exe
PID 4556 wrote to memory of 212 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_2573fdfcd160ab4cd9ecdcb30d0867df_cobalt-strike_cobaltstrike.exe C:\Windows\System\IbjbNpU.exe
PID 4556 wrote to memory of 212 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_2573fdfcd160ab4cd9ecdcb30d0867df_cobalt-strike_cobaltstrike.exe C:\Windows\System\IbjbNpU.exe
PID 4556 wrote to memory of 388 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_2573fdfcd160ab4cd9ecdcb30d0867df_cobalt-strike_cobaltstrike.exe C:\Windows\System\SdTBnfZ.exe
PID 4556 wrote to memory of 388 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_2573fdfcd160ab4cd9ecdcb30d0867df_cobalt-strike_cobaltstrike.exe C:\Windows\System\SdTBnfZ.exe
PID 4556 wrote to memory of 1796 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_2573fdfcd160ab4cd9ecdcb30d0867df_cobalt-strike_cobaltstrike.exe C:\Windows\System\EQUDfic.exe
PID 4556 wrote to memory of 1796 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_2573fdfcd160ab4cd9ecdcb30d0867df_cobalt-strike_cobaltstrike.exe C:\Windows\System\EQUDfic.exe
PID 4556 wrote to memory of 764 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_2573fdfcd160ab4cd9ecdcb30d0867df_cobalt-strike_cobaltstrike.exe C:\Windows\System\nVJlkte.exe
PID 4556 wrote to memory of 764 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_2573fdfcd160ab4cd9ecdcb30d0867df_cobalt-strike_cobaltstrike.exe C:\Windows\System\nVJlkte.exe
PID 4556 wrote to memory of 588 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_2573fdfcd160ab4cd9ecdcb30d0867df_cobalt-strike_cobaltstrike.exe C:\Windows\System\KdgiKvn.exe
PID 4556 wrote to memory of 588 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_2573fdfcd160ab4cd9ecdcb30d0867df_cobalt-strike_cobaltstrike.exe C:\Windows\System\KdgiKvn.exe
PID 4556 wrote to memory of 3416 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_2573fdfcd160ab4cd9ecdcb30d0867df_cobalt-strike_cobaltstrike.exe C:\Windows\System\AtKPFLw.exe
PID 4556 wrote to memory of 3416 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_2573fdfcd160ab4cd9ecdcb30d0867df_cobalt-strike_cobaltstrike.exe C:\Windows\System\AtKPFLw.exe
PID 4556 wrote to memory of 2412 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_2573fdfcd160ab4cd9ecdcb30d0867df_cobalt-strike_cobaltstrike.exe C:\Windows\System\xMrDkXy.exe
PID 4556 wrote to memory of 2412 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_2573fdfcd160ab4cd9ecdcb30d0867df_cobalt-strike_cobaltstrike.exe C:\Windows\System\xMrDkXy.exe
PID 4556 wrote to memory of 4832 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_2573fdfcd160ab4cd9ecdcb30d0867df_cobalt-strike_cobaltstrike.exe C:\Windows\System\IKfYzcX.exe
PID 4556 wrote to memory of 4832 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_2573fdfcd160ab4cd9ecdcb30d0867df_cobalt-strike_cobaltstrike.exe C:\Windows\System\IKfYzcX.exe
PID 4556 wrote to memory of 2104 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_2573fdfcd160ab4cd9ecdcb30d0867df_cobalt-strike_cobaltstrike.exe C:\Windows\System\jXdTBwD.exe
PID 4556 wrote to memory of 2104 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_2573fdfcd160ab4cd9ecdcb30d0867df_cobalt-strike_cobaltstrike.exe C:\Windows\System\jXdTBwD.exe
PID 4556 wrote to memory of 3688 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_2573fdfcd160ab4cd9ecdcb30d0867df_cobalt-strike_cobaltstrike.exe C:\Windows\System\BReRRRn.exe
PID 4556 wrote to memory of 3688 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_2573fdfcd160ab4cd9ecdcb30d0867df_cobalt-strike_cobaltstrike.exe C:\Windows\System\BReRRRn.exe
PID 4556 wrote to memory of 3588 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_2573fdfcd160ab4cd9ecdcb30d0867df_cobalt-strike_cobaltstrike.exe C:\Windows\System\BUpMDFm.exe
PID 4556 wrote to memory of 3588 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_2573fdfcd160ab4cd9ecdcb30d0867df_cobalt-strike_cobaltstrike.exe C:\Windows\System\BUpMDFm.exe
PID 4556 wrote to memory of 2252 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_2573fdfcd160ab4cd9ecdcb30d0867df_cobalt-strike_cobaltstrike.exe C:\Windows\System\ekLYzOz.exe
PID 4556 wrote to memory of 2252 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_2573fdfcd160ab4cd9ecdcb30d0867df_cobalt-strike_cobaltstrike.exe C:\Windows\System\ekLYzOz.exe
PID 4556 wrote to memory of 1220 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_2573fdfcd160ab4cd9ecdcb30d0867df_cobalt-strike_cobaltstrike.exe C:\Windows\System\GVOfoeo.exe
PID 4556 wrote to memory of 1220 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_2573fdfcd160ab4cd9ecdcb30d0867df_cobalt-strike_cobaltstrike.exe C:\Windows\System\GVOfoeo.exe
PID 4556 wrote to memory of 1696 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_2573fdfcd160ab4cd9ecdcb30d0867df_cobalt-strike_cobaltstrike.exe C:\Windows\System\wPjIRHo.exe
PID 4556 wrote to memory of 1696 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_2573fdfcd160ab4cd9ecdcb30d0867df_cobalt-strike_cobaltstrike.exe C:\Windows\System\wPjIRHo.exe
PID 4556 wrote to memory of 2292 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_2573fdfcd160ab4cd9ecdcb30d0867df_cobalt-strike_cobaltstrike.exe C:\Windows\System\fKbaSQF.exe
PID 4556 wrote to memory of 2292 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_2573fdfcd160ab4cd9ecdcb30d0867df_cobalt-strike_cobaltstrike.exe C:\Windows\System\fKbaSQF.exe
PID 4556 wrote to memory of 2220 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_2573fdfcd160ab4cd9ecdcb30d0867df_cobalt-strike_cobaltstrike.exe C:\Windows\System\WSOhwQN.exe
PID 4556 wrote to memory of 2220 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_2573fdfcd160ab4cd9ecdcb30d0867df_cobalt-strike_cobaltstrike.exe C:\Windows\System\WSOhwQN.exe
PID 4556 wrote to memory of 4616 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_2573fdfcd160ab4cd9ecdcb30d0867df_cobalt-strike_cobaltstrike.exe C:\Windows\System\mZKmuge.exe
PID 4556 wrote to memory of 4616 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_2573fdfcd160ab4cd9ecdcb30d0867df_cobalt-strike_cobaltstrike.exe C:\Windows\System\mZKmuge.exe
PID 4556 wrote to memory of 1132 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_2573fdfcd160ab4cd9ecdcb30d0867df_cobalt-strike_cobaltstrike.exe C:\Windows\System\DhdUPjQ.exe
PID 4556 wrote to memory of 1132 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_2573fdfcd160ab4cd9ecdcb30d0867df_cobalt-strike_cobaltstrike.exe C:\Windows\System\DhdUPjQ.exe
PID 4556 wrote to memory of 1920 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_2573fdfcd160ab4cd9ecdcb30d0867df_cobalt-strike_cobaltstrike.exe C:\Windows\System\qMsxQVS.exe
PID 4556 wrote to memory of 1920 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_2573fdfcd160ab4cd9ecdcb30d0867df_cobalt-strike_cobaltstrike.exe C:\Windows\System\qMsxQVS.exe
PID 4556 wrote to memory of 4068 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_2573fdfcd160ab4cd9ecdcb30d0867df_cobalt-strike_cobaltstrike.exe C:\Windows\System\dumJeqv.exe
PID 4556 wrote to memory of 4068 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_2573fdfcd160ab4cd9ecdcb30d0867df_cobalt-strike_cobaltstrike.exe C:\Windows\System\dumJeqv.exe
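
The drop table and the WriteProcessMemory table above together describe one endpoint pattern: a binary in a user temp directory writes seven-letter executables into C:\Windows\System and then launches each one. The Python below is an added example written for this page, not code from the report or from the sandbox; it runs that correlation over a constructed Sysmon-style event list. The event field names (id, pid, ppid, image, target) and the svchost/notepad control events are assumptions; the malicious PIDs and paths are taken from the tables above.

```python
import re

# Constructed Sysmon-style events (assumed field names): id 11 = FileCreate,
# id 1 = ProcessCreate. PIDs and paths are taken from the report's tables; the
# svchost.exe / notepad.exe events are made up as benign control cases.
DROPPER = (r"C:\Users\Admin\AppData\Local\Temp"
           r"\2024-06-08_2573fdfcd160ab4cd9ecdcb30d0867df_cobalt-strike_cobaltstrike.exe")

SAMPLE_EVENTS = [
    {"id": 11, "pid": 4556, "image": DROPPER, "target": r"C:\Windows\System\uQiBcgq.exe"},
    {"id": 11, "pid": 4556, "image": DROPPER, "target": r"C:\Windows\System\IbjbNpU.exe"},
    {"id": 11, "pid": 4556, "image": DROPPER, "target": r"C:\Windows\System\SdTBnfZ.exe"},
    {"id": 11, "pid": 4556, "image": DROPPER, "target": r"C:\Windows\System\EQUDfic.exe"},
    {"id": 11, "pid": 900, "image": r"C:\Windows\System32\svchost.exe",
     "target": r"C:\Windows\System32\config\systemprofile\AppData\Local\sample.log"},
    {"id": 1, "pid": 412, "ppid": 4556, "image": r"C:\Windows\System\uQiBcgq.exe"},
    {"id": 1, "pid": 212, "ppid": 4556, "image": r"C:\Windows\System\IbjbNpU.exe"},
    {"id": 1, "pid": 388, "ppid": 4556, "image": r"C:\Windows\System\SdTBnfZ.exe"},
    {"id": 1, "pid": 1796, "ppid": 4556, "image": r"C:\Windows\System\EQUDfic.exe"},
    {"id": 1, "pid": 1000, "ppid": 900, "image": r"C:\Windows\System32\notepad.exe"},
    # A later launch of a dropped file by a parent that did not write it is
    # suspicious in its own right, but it is not this rule's pattern.
    {"id": 1, "pid": 1100, "ppid": 900, "image": r"C:\Windows\System\uQiBcgq.exe"},
]

# Executable with a seven-letter name directly under C:\Windows\System (not System32).
DROP_TARGET = re.compile(r"^[a-z]:\\windows\\system\\[a-z]{7}\.exe$", re.IGNORECASE)
# Writer running from a per-user temp directory.
USER_TEMP = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\local\\temp\\", re.IGNORECASE)


def detect_drop_and_execute(events):
    """Alert when a process in a user temp directory creates a seven-letter .exe
    in C:\\Windows\\System and is then the parent of a process started from it.
    Returns a list of (dropper_pid, child_pid, child_image)."""
    dropped = {}   # lower-cased dropped path -> pid of the process that wrote it
    alerts = []
    for ev in events:                       # events must be in chronological order
        if ev["id"] == 11:
            if USER_TEMP.match(ev["image"]) and DROP_TARGET.match(ev["target"]):
                dropped[ev["target"].lower()] = ev["pid"]
        elif ev["id"] == 1:
            key = ev["image"].lower()
            # Require the PID that dropped the file to be the parent: this ties
            # the execution to the write instead of alerting on any later launch.
            if key in dropped and ev.get("ppid") == dropped[key]:
                alerts.append((dropped[key], ev["pid"], ev["image"]))
    return alerts


if __name__ == "__main__":
    for dropper_pid, child_pid, image in detect_drop_and_execute(SAMPLE_EVENTS):
        print(f"drop-and-execute: pid {dropper_pid} -> pid {child_pid} {image}")
```

The parent-PID requirement is what keeps the rule precise: C:\Windows\System rarely receives new executables on a modern host, but tying the launch to the same process that wrote the file avoids alerting on an unrelated later execution, as the last control event shows.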

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-08_2573fdfcd160ab4cd9ecdcb30d0867df_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-08_2573fdfcd160ab4cd9ecdcb30d0867df_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\uQiBcgq.exe

C:\Windows\System\uQiBcgq.exe

C:\Windows\System\IbjbNpU.exe

C:\Windows\System\IbjbNpU.exe

C:\Windows\System\SdTBnfZ.exe

C:\Windows\System\SdTBnfZ.exe

C:\Windows\System\EQUDfic.exe

C:\Windows\System\EQUDfic.exe

C:\Windows\System\nVJlkte.exe

C:\Windows\System\nVJlkte.exe

C:\Windows\System\KdgiKvn.exe

C:\Windows\System\KdgiKvn.exe

C:\Windows\System\AtKPFLw.exe

C:\Windows\System\AtKPFLw.exe

C:\Windows\System\xMrDkXy.exe

C:\Windows\System\xMrDkXy.exe

C:\Windows\System\IKfYzcX.exe

C:\Windows\System\IKfYzcX.exe

C:\Windows\System\jXdTBwD.exe

C:\Windows\System\jXdTBwD.exe

C:\Windows\System\BReRRRn.exe

C:\Windows\System\BReRRRn.exe

C:\Windows\System\BUpMDFm.exe

C:\Windows\System\BUpMDFm.exe

C:\Windows\System\ekLYzOz.exe

C:\Windows\System\ekLYzOz.exe

C:\Windows\System\GVOfoeo.exe

C:\Windows\System\GVOfoeo.exe

C:\Windows\System\wPjIRHo.exe

C:\Windows\System\wPjIRHo.exe

C:\Windows\System\fKbaSQF.exe

C:\Windows\System\fKbaSQF.exe

C:\Windows\System\WSOhwQN.exe

C:\Windows\System\WSOhwQN.exe

C:\Windows\System\mZKmuge.exe

C:\Windows\System\mZKmuge.exe

C:\Windows\System\DhdUPjQ.exe

C:\Windows\System\DhdUPjQ.exe

C:\Windows\System\qMsxQVS.exe

C:\Windows\System\qMsxQVS.exe

C:\Windows\System\dumJeqv.exe

C:\Windows\System\dumJeqv.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 249.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 240.197.17.2.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
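
Two things in the table above deserve separating before anything is treated as an indicator: the in-addr.arpa names are reverse (PTR) lookups sent to 8.8.8.8, which a freshly booted guest issues on its own for background services, and the only direct connection is repeated TCP to one host and port. The Python below, added here as an example and not part of the report, splits the rows accordingly and decodes each PTR name back to the address that was being resolved, since the octets in a PTR name are written in reverse order. The rows are copied from the table; the empty Domain column on the TCP rows is handled as a three-field line.

```python
import re
from collections import Counter

# Rows copied from the Network table above, in the report's own layout
# (Country Destination Domain Proto); the Domain column is empty for the
# direct TCP rows, so those lines have three fields instead of four.
NETWORK_ROWS = """\
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 249.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 240.197.17.2.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
"""

PTR_NAME = re.compile(
    r"^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.in-addr\.arpa$", re.IGNORECASE)


def ptr_to_ip(name):
    """Reverse-lookup names list the octets backwards:
    '249.197.17.2.in-addr.arpa' is a PTR query for 2.17.197.249."""
    m = PTR_NAME.match(name)
    return ".".join(reversed(m.groups())) if m else None


def triage(rows):
    """Split the table into (a) the hosts the guest reverse-resolved and
    (b) direct connections with a hit count per destination and protocol."""
    reverse_lookups = []
    direct = Counter()
    for line in rows.splitlines():
        parts = line.split()
        if len(parts) == 4:
            _country, dest, domain, proto = parts
        elif len(parts) == 3:
            _country, dest, proto = parts
            domain = ""
        else:
            continue
        ip = ptr_to_ip(domain) if domain else None
        if proto == "udp" and dest.endswith(":53") and ip:
            reverse_lookups.append(ip)
        else:
            direct[(dest, proto)] += 1
    return {"reverse_lookups": reverse_lookups, "direct": dict(direct)}


if __name__ == "__main__":
    result = triage(NETWORK_ROWS)
    print("reverse lookups for:", ", ".join(result["reverse_lookups"]))
    for (dest, proto), n in result["direct"].items():
        print(f"direct {proto} {dest}: {n} connections")
```

The decoded addresses are what an analyst should check against known cloud and CDN ranges before attributing them to the sample; the single TCP destination, contacted six times within the 157-second window, is the one worth pivoting on.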

Files

memory/4556-0-0x00007FF7D1590000-0x00007FF7D18E4000-memory.dmp

memory/4556-1-0x000001AFC4460000-0x000001AFC4470000-memory.dmp

C:\Windows\System\uQiBcgq.exe

MD5 61417d8bdb05c74838f6dadddfacb912
SHA1 6e5dbd29f806f492d31335f75ca4abb49835317b
SHA256 2c63cc36548a012a80a6ff380d2cd0ce4b3225713c9f736d961bd52abf82cecd
SHA512 0200720868f9525edba68a6648819af660b4fcc1a68f27e445649dcbd546e71ece469f80a32f2d155f891f978fd8684f6d187baa9c844cbd6aaeaa7ae3ce0e83

memory/412-8-0x00007FF685440000-0x00007FF685794000-memory.dmp

memory/212-13-0x00007FF6BDDC0000-0x00007FF6BE114000-memory.dmp

C:\Windows\System\IbjbNpU.exe

MD5 86b5431da16a8ac038ef5f437acb15e5
SHA1 4daf4dc22156e8a6e87fb9a91520e223328b9bb1
SHA256 46d7e576e6885eb292c197f8af1840ea8bbe54b280302b68159f95eebaa2509e
SHA512 448d9b9ec8190ba0624eb227e498bcb915caa0d0ad34e0ad3011499fc01d1b68afd8760673a3299647952278b5bc897bee3b4e68a6f92585effd33a9a718df7e

C:\Windows\System\SdTBnfZ.exe

MD5 e3351379961bab5333c4177ba47d4970
SHA1 e0475ed9b0b8ad298a1d78635ac689c46d796982
SHA256 12490bbfcbf4b0a2725cc2fc2d36bd563e55865800e9493b250111b3112e3f54
SHA512 7e34a0d22be6b92fc508c78842df84105f6e4eedb711313b35c7b4cbb41daf84c0b737cf08383fe8de7002294edc31244cb11cc235a598560632978e61f4a7e2

memory/388-20-0x00007FF676D30000-0x00007FF677084000-memory.dmp

C:\Windows\System\EQUDfic.exe

MD5 8ab0195ea49d9cc01f9112ee773bfe4c
SHA1 c3086f16a0e4b237b83d256090db4d8dbf302c8f
SHA256 8a36840b8934bddbc0f291afc784723c200854097831233c0fba366db89a797e
SHA512 ea5b7fd138c3d16df87d9558cb70fb7b38edc7211f9bafb2276ad01b537aaef609734fb0f0d221c48f0525499251431e35a771648a81e5eb4f81a4869f3d163b

C:\Windows\System\nVJlkte.exe

MD5 9b1d5c74954e4bfcd7545c5117742f98
SHA1 390db9b2906e07b95672a49d523c6896e3e2b126
SHA256 1f6c0579f17db30d2f989f09851715be10676a81b9aa259fd1fafeeb32cfea28
SHA512 0c026ea53fbc4d8d297f674826647438910d95890a3055a2dbf3ce7261a6355d5518fa42e7d31bf6a764931617c95a65c50cebb64d9d19ae77fdb95a1cae44b7

C:\Windows\System\KdgiKvn.exe

MD5 90d232670d7f0b2c7bfa93fc8d018e38
SHA1 7b6ccce15ddd708fa6a21b98aea7cef9abe94277
SHA256 d4507fa8e0bc55687a9e44a8e286e8e7568c584392b04a7327be525067ced312
SHA512 9a672de740430cb2da77a750508db69869359f7de175c978bb087dd3c75c5dba6ec7c32407df0bae6bdbff049e5aa3c16334a4c00053b476ca9387ba7bd77850

memory/588-41-0x00007FF78F800000-0x00007FF78FB54000-memory.dmp

memory/3416-43-0x00007FF7F9A20000-0x00007FF7F9D74000-memory.dmp

C:\Windows\System\xMrDkXy.exe

MD5 d5c119b9f139a294613834b872933b88
SHA1 a1a9eb7b87411c86255aa3d33aae4cfdc2b48fe4
SHA256 326c2aabcd865a129bb778835976b259be4a0e838042a89c38b44c604c9c5b84
SHA512 5e102f21b7d3b9e05deb93ddcfe2500381d5eeec2f3b5503b85946c188b2bf6c34e88fb92a7ceaf6a2daeb57af24e3f33ce728d5cb681033a6513a95e27643ad

C:\Windows\System\IKfYzcX.exe

MD5 03cb6cafbcd14f879d8012c3920467d8
SHA1 6015d1fcabbd3208a570449ce43c8f470432fcfc
SHA256 e9efa1a57e875fc0ce1c0c89cd314933851f8c7597ec54ff6d7973a147c2af81
SHA512 284f5004ba69dab4a096195946e7b2186b06bda066f74e20c527d2c3c83a720e3737788ef0988034184f3cfb6d3414bcf4c254f8a8e41e4813905232ecce9054

C:\Windows\System\jXdTBwD.exe

MD5 5fe832aad1000e71003c2889237c24f0
SHA1 7fed0cec68e97f00937797b6f15403286e797308
SHA256 f14a12d25fed145d440cc63c4068467e2a360a6d50110caae96e89ebe421f7d1
SHA512 17a0e3d2228e1e06de1a96d7e411c0db16edf1f13361e4edcd32126b97b03efdea90ef146407cbc90de83812fdfe27c5ba4261231b4665ab049466815f178a43

C:\Windows\System\BReRRRn.exe

MD5 fd9678fe8a937d94418ffb950495fe6a
SHA1 9a993f4a4ceba84419725951ae5203395facc1e5
SHA256 f6e4085687ba7019bc209af1456c7437bfe7136a867025846cba61ebb0f477a4
SHA512 1d64e2c0301346bdd80334add3ff6533e3d03a5a337ed53a6c8b76a69d04097dc2219172759f2e834efe1e9ec2cdab49810872bbfa503f4f7b16603cd7180bba

C:\Windows\System\BUpMDFm.exe

MD5 8665fb019c8c4e10eac6e31743736e90
SHA1 bf5e740cc607ccdffff4fb4043d7e72f4cd7d6d9
SHA256 700e414671c51f69554e920299dc16465630c9c6cb2d1047236261469bd22d30
SHA512 d7a4fb6ab9b2d63107e5f36144121635e1861017ea3d4b72eee75096f4777154737be205865bcf3dc583e6fa55a18f75e1939e98e76248e45bed3d7f52aeb96d

C:\Windows\System\wPjIRHo.exe

MD5 5de921193358e5eee68867614656deaf
SHA1 f8af5052de3536f9340b5fdfaf857d0e4b242be5
SHA256 376ac12c5cf75c788d9946379c336b1a15c401c0dc85d2963d3dd082251fb938
SHA512 5358c903920d6610daa51e2393a4a13c959a79e0538f140d33212ade9648324c2f38f455c1fcd339ef9e5e7924122c77ee892d724167449d1ecec7c2fc1f185b

C:\Windows\System\mZKmuge.exe

MD5 e160d59e4128b83f38ca4c65a2dbf9c5
SHA1 04089e8b5c9c18a73059c2906f43e327c6c552f0
SHA256 c020ac99b8b9affc75f601ab787732ceeb6fc8560e0505fec4f8b1a78bc923c8
SHA512 fae71d067ac9d4c51981eef4a023ab1769a9d86f772d736d45539a848d4b94dbd7576f66dd3096beb22b235b882b5c3844c694e5b535b811419149a3e13ec97d

C:\Windows\System\qMsxQVS.exe

MD5 9a68c783c88791fe36369890008903cf
SHA1 f4603fe8fc3c4aac2bb06ccad5f63506cbed6dc9
SHA256 e55c4a12551a18709d33ced008b0288b462a94223def2bf80bb7e64eca642fb8
SHA512 a3332d2bbaa3a98205dcbbe3da6ff8018e18ed9bcecdef6f4ea6972dde0f98e7f24cd074417c0b7864547aacb4cfb446336b027f40c153310f2d5bdc929984e8

C:\Windows\System\dumJeqv.exe

MD5 2fca0fa9c896ca1d80c7afb43a289c1b
SHA1 22153ce0d37e34f6c44da6f937417e1144dfa951
SHA256 7b7dcbc9d13971372fa1cc59d31487aa1857350e722d5b40b9f54d1d74d8ec99
SHA512 fd9ed069cde27f168fe0a234d03f4f7472b7352a8aa85c9fd54bce070dcaac1dbeac6741003df03a9ac6f805f8931b308653ded88e5b266b767ca5018bb7a693

C:\Windows\System\DhdUPjQ.exe

MD5 4cf8b58b7b188df275d4f809318e9a0a
SHA1 2a5603a8afb36eccab8ce9c7c5093c402fd5ab88
SHA256 ad9da2fef891b4cc14386a06b2ae25c89eb5cac51cebc729cde6c14e853c2b98
SHA512 393519116d8c6dbe76aeada34a3db55f35e31b23905249aa82b6694bad34775c638b81cad0e1237b80b87bf652a5cef3b23a4cddcaf6c9ace11ec2f6dcc2d051

C:\Windows\System\WSOhwQN.exe

MD5 184dcbbe12aada8cfbcc9a38a5ead7c4
SHA1 aa29ca4ef34e61682e73a24272c6da74174baa9a
SHA256 23582b57d09ca4d2fdac73143031e082f4e28d7471550f6a9f17637e152f8f38
SHA512 9fa609d637076dbd668e8dc25298648c359c8c75eef923c4d57ba44fb48b06b0bc9d93a681f4d636381775c568076c38ff11fef7448cf60a9e9c84d45a909f8d

C:\Windows\System\fKbaSQF.exe

MD5 f6be8c656cc712cb597797208519aeeb
SHA1 fb6c4ed57afb1510c161d3f18fdfd3751e28a405
SHA256 c1e9f049b14c6952785cce893c3dc33cc4aaf040b7e607a1cc5f11cbe64e9cb5
SHA512 0b9c3affce1b364c0161ff5dd53ac14ac3f5c0605035142ea0af06f2583cc3320677e394dc334c144310deb0d9219d03fae470eab4d6fba82a9b0f3724c5e82c

C:\Windows\System\GVOfoeo.exe

MD5 5d7ae4c4677beaf7edfe9770e82e9856
SHA1 9becaf8697a1f9856b81fd3e4a03728dd416b2d9
SHA256 aaaa450c3bc32ffac2917e8aaa9831b4aa74540e060ce6e163c1c53a01bf2cdd
SHA512 88aeebfa4872036029e4ef3a65b43527032bc6a68fe20ba6d3fc1d3397df7ff301b8472fabf33e0e29fe51edc6bf2f2d57899a3c1c739675ce98f55ee5b268fe

C:\Windows\System\ekLYzOz.exe

MD5 bf90052f5aef888c51198ef04756f787
SHA1 cc97b6fbb27a565472b45cdb29ffe63a69ed81c2
SHA256 4ced666560d730eef7964906cc0c5bd769058c8ab0a8cf9c3446f6254ce5b3da
SHA512 b2858c764885015463e634a0445d53d5a1c46f807c6a2140716aaeefe87ab07e59864712509329a294ea26f5ef563c88da828f419586f030b4950a08b85d004f

memory/2412-52-0x00007FF611BF0000-0x00007FF611F44000-memory.dmp

C:\Windows\System\AtKPFLw.exe

MD5 5efd1d347fb20ef2be9e1a7a812c558d
SHA1 d085466506680cea9668910ce08261c0aebda9e9
SHA256 c087d8b23d564a49932585d8d28d414e4c6633701ed1c6fb791bba71f6b0f9bd
SHA512 67768253b73ab71f4f9f9a17610f0364ec26f074822fc1b24b460180ba0cf363ab39fd9d89d7369fc53ac55dbbc1eee1b7e2910d76eb5607f9f8cf2bfb3a3d3f

memory/764-33-0x00007FF742E00000-0x00007FF743154000-memory.dmp

memory/1796-24-0x00007FF690B30000-0x00007FF690E84000-memory.dmp

memory/4832-115-0x00007FF633C50000-0x00007FF633FA4000-memory.dmp

memory/2104-116-0x00007FF746D10000-0x00007FF747064000-memory.dmp

memory/3688-117-0x00007FF73FC90000-0x00007FF73FFE4000-memory.dmp

memory/3588-118-0x00007FF77C240000-0x00007FF77C594000-memory.dmp

memory/2252-119-0x00007FF62B590000-0x00007FF62B8E4000-memory.dmp

memory/2292-122-0x00007FF74E4B0000-0x00007FF74E804000-memory.dmp

memory/1220-120-0x00007FF6E1A10000-0x00007FF6E1D64000-memory.dmp

memory/1696-121-0x00007FF64B400000-0x00007FF64B754000-memory.dmp

memory/2220-123-0x00007FF7D58D0000-0x00007FF7D5C24000-memory.dmp

memory/4616-124-0x00007FF683920000-0x00007FF683C74000-memory.dmp

memory/1132-125-0x00007FF623EB0000-0x00007FF624204000-memory.dmp

memory/1920-126-0x00007FF773020000-0x00007FF773374000-memory.dmp

memory/4068-127-0x00007FF6DAB60000-0x00007FF6DAEB4000-memory.dmp

memory/4556-128-0x00007FF7D1590000-0x00007FF7D18E4000-memory.dmp

memory/212-129-0x00007FF6BDDC0000-0x00007FF6BE114000-memory.dmp

memory/388-130-0x00007FF676D30000-0x00007FF677084000-memory.dmp

memory/1796-131-0x00007FF690B30000-0x00007FF690E84000-memory.dmp

memory/764-132-0x00007FF742E00000-0x00007FF743154000-memory.dmp

memory/3416-133-0x00007FF7F9A20000-0x00007FF7F9D74000-memory.dmp

memory/412-134-0x00007FF685440000-0x00007FF685794000-memory.dmp

memory/212-135-0x00007FF6BDDC0000-0x00007FF6BE114000-memory.dmp

memory/388-136-0x00007FF676D30000-0x00007FF677084000-memory.dmp

memory/1796-137-0x00007FF690B30000-0x00007FF690E84000-memory.dmp

memory/764-138-0x00007FF742E00000-0x00007FF743154000-memory.dmp

memory/588-139-0x00007FF78F800000-0x00007FF78FB54000-memory.dmp

memory/3416-140-0x00007FF7F9A20000-0x00007FF7F9D74000-memory.dmp

memory/2412-141-0x00007FF611BF0000-0x00007FF611F44000-memory.dmp

memory/4832-142-0x00007FF633C50000-0x00007FF633FA4000-memory.dmp

memory/2104-143-0x00007FF746D10000-0x00007FF747064000-memory.dmp

memory/3688-144-0x00007FF73FC90000-0x00007FF73FFE4000-memory.dmp

memory/3588-145-0x00007FF77C240000-0x00007FF77C594000-memory.dmp

memory/2252-146-0x00007FF62B590000-0x00007FF62B8E4000-memory.dmp

memory/1220-147-0x00007FF6E1A10000-0x00007FF6E1D64000-memory.dmp

memory/1696-148-0x00007FF64B400000-0x00007FF64B754000-memory.dmp

memory/2292-149-0x00007FF74E4B0000-0x00007FF74E804000-memory.dmp

memory/2220-150-0x00007FF7D58D0000-0x00007FF7D5C24000-memory.dmp

memory/4616-151-0x00007FF683920000-0x00007FF683C74000-memory.dmp

memory/1132-152-0x00007FF623EB0000-0x00007FF624204000-memory.dmp

memory/1920-153-0x00007FF773020000-0x00007FF773374000-memory.dmp

memory/4068-154-0x00007FF6DAB60000-0x00007FF6DAEB4000-memory.dmp
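
The dump names above encode the address range of each captured region, so the image size of every process can be recovered without the dumps themselves. The Python below is an added example, not code from the report or the sandbox; it parses the names, collapses regions that were dumped more than once, and compares the largest region per process. The dump-name format (memory/pid-index-0xstart-0xend-memory.dmp) is inferred from the listing and is an assumption of the example; the names are copied from the Files section, with the repeated dumps of the same regions left out.

```python
import re
from collections import defaultdict

# Dump names copied from the Files section above. The naming scheme
# memory/<pid>-<n>-0x<start>-0x<end>-memory.dmp is inferred from the listing
# (an assumption). Repeated dumps of the same region are left out here; the
# parser collapses them anyway.
DUMP_NAMES = """\
memory/4556-0-0x00007FF7D1590000-0x00007FF7D18E4000-memory.dmp
memory/4556-1-0x000001AFC4460000-0x000001AFC4470000-memory.dmp
memory/412-8-0x00007FF685440000-0x00007FF685794000-memory.dmp
memory/212-13-0x00007FF6BDDC0000-0x00007FF6BE114000-memory.dmp
memory/388-20-0x00007FF676D30000-0x00007FF677084000-memory.dmp
memory/1796-24-0x00007FF690B30000-0x00007FF690E84000-memory.dmp
memory/764-33-0x00007FF742E00000-0x00007FF743154000-memory.dmp
memory/588-41-0x00007FF78F800000-0x00007FF78FB54000-memory.dmp
memory/3416-43-0x00007FF7F9A20000-0x00007FF7F9D74000-memory.dmp
memory/2412-52-0x00007FF611BF0000-0x00007FF611F44000-memory.dmp
memory/4832-115-0x00007FF633C50000-0x00007FF633FA4000-memory.dmp
memory/2104-116-0x00007FF746D10000-0x00007FF747064000-memory.dmp
memory/3688-117-0x00007FF73FC90000-0x00007FF73FFE4000-memory.dmp
memory/3588-118-0x00007FF77C240000-0x00007FF77C594000-memory.dmp
memory/2252-119-0x00007FF62B590000-0x00007FF62B8E4000-memory.dmp
memory/1220-120-0x00007FF6E1A10000-0x00007FF6E1D64000-memory.dmp
memory/1696-121-0x00007FF64B400000-0x00007FF64B754000-memory.dmp
memory/2292-122-0x00007FF74E4B0000-0x00007FF74E804000-memory.dmp
memory/2220-123-0x00007FF7D58D0000-0x00007FF7D5C24000-memory.dmp
memory/4616-124-0x00007FF683920000-0x00007FF683C74000-memory.dmp
memory/1132-125-0x00007FF623EB0000-0x00007FF624204000-memory.dmp
memory/1920-126-0x00007FF773020000-0x00007FF773374000-memory.dmp
memory/4068-127-0x00007FF6DAB60000-0x00007FF6DAEB4000-memory.dmp
"""

DUMP_NAME = re.compile(
    r"memory/(?P<pid>\d+)-\d+-0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp")


def parse_regions(text):
    """Return {pid: {(start, end): size}}. The same region dumped more than
    once collapses to a single entry because the (start, end) key repeats."""
    regions = defaultdict(dict)
    for m in DUMP_NAME.finditer(text):
        start, end = int(m["start"], 16), int(m["end"], 16)
        regions[int(m["pid"])][(start, end)] = end - start
    return dict(regions)


def main_image_sizes(regions):
    """Largest dumped region per process; for these dumps that is the mapped PE image."""
    return {pid: max(r.values()) for pid, r in regions.items()}


def summarize(text):
    regions = parse_regions(text)
    images = main_image_sizes(regions)
    return {
        "processes": len(regions),
        "distinct_image_sizes": sorted(set(images.values())),
        # Smaller regions a process had dumped besides its image (heap etc.).
        "extra_regions": {pid: [(hex(s), hex(e), sz) for (s, e), sz in r.items()
                                if sz != images[pid]]
                          for pid, r in regions.items() if len(r) > 1},
    }


if __name__ == "__main__":
    s = summarize(DUMP_NAMES)
    print(f"{s['processes']} processes, image sizes: "
          + ", ".join(f"{n:#x} ({n} bytes)" for n in s["distinct_image_sizes"]))
    for pid, extra in s["extra_regions"].items():
        print(f"pid {pid} also has non-image regions: {extra}")
```

Running it over the listing gives 22 processes (the sample plus its 21 children) whose image regions are all exactly 0x354000 bytes, even though the 21 dropped files carry 21 different hashes. Identical mapped size with differing content is consistent with one binary re-emitted with per-copy byte variation, which is why hash-based blocking of the dropped files is of little use here and the behavioural indicators above are the ones to act on. The small 0x10000 region belongs only to the original process.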