Malware Analysis Report

2024-10-16 03:10

Sample ID 240609-1ffmcsfh73
Target 2024-06-09_a796dfa7be0b3a9a6cfde8828a3f0fee_cobalt-strike_cobaltstrike
SHA256 562b315233cb000ad89b12ac77530bd90cabe1def5772c6523920f1dac1652a0
Tags
miner upx 0 xmrig cobaltstrike backdoor trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

562b315233cb000ad89b12ac77530bd90cabe1def5772c6523920f1dac1652a0

Threat Level: Known bad

The file 2024-06-09_a796dfa7be0b3a9a6cfde8828a3f0fee_cobalt-strike_cobaltstrike was found to be: Known bad.

Malicious Activity Summary

miner upx 0 xmrig cobaltstrike backdoor trojan

Xmrig family

Cobalt Strike reflective loader

Cobaltstrike

Detects Reflective DLL injection artifacts

xmrig

XMRig Miner payload

UPX dump on OEP (original entry point)

Cobaltstrike family

UPX dump on OEP (original entry point)

Detects Reflective DLL injection artifacts

XMRig Miner payload

Executes dropped EXE

Loads dropped DLL

UPX packed file

Drops file in Windows directory

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-09 21:35

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike family

cobaltstrike

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Xmrig family

xmrig

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-09 21:35

Reported

2024-06-09 21:38

Platform

win7-20240419-en

Max time kernel

135s

Max time network

145s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-09_a796dfa7be0b3a9a6cfde8828a3f0fee_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a796dfa7be0b3a9a6cfde8828a3f0fee_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a796dfa7be0b3a9a6cfde8828a3f0fee_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a796dfa7be0b3a9a6cfde8828a3f0fee_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a796dfa7be0b3a9a6cfde8828a3f0fee_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a796dfa7be0b3a9a6cfde8828a3f0fee_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a796dfa7be0b3a9a6cfde8828a3f0fee_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a796dfa7be0b3a9a6cfde8828a3f0fee_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a796dfa7be0b3a9a6cfde8828a3f0fee_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a796dfa7be0b3a9a6cfde8828a3f0fee_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a796dfa7be0b3a9a6cfde8828a3f0fee_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a796dfa7be0b3a9a6cfde8828a3f0fee_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a796dfa7be0b3a9a6cfde8828a3f0fee_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a796dfa7be0b3a9a6cfde8828a3f0fee_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a796dfa7be0b3a9a6cfde8828a3f0fee_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a796dfa7be0b3a9a6cfde8828a3f0fee_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a796dfa7be0b3a9a6cfde8828a3f0fee_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a796dfa7be0b3a9a6cfde8828a3f0fee_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a796dfa7be0b3a9a6cfde8828a3f0fee_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a796dfa7be0b3a9a6cfde8828a3f0fee_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a796dfa7be0b3a9a6cfde8828a3f0fee_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a796dfa7be0b3a9a6cfde8828a3f0fee_cobalt-strike_cobaltstrike.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\RQmmvEH.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_a796dfa7be0b3a9a6cfde8828a3f0fee_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\MkRJwXK.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_a796dfa7be0b3a9a6cfde8828a3f0fee_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\JLWsAjW.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_a796dfa7be0b3a9a6cfde8828a3f0fee_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ExphGhO.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_a796dfa7be0b3a9a6cfde8828a3f0fee_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\uaSPkIg.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_a796dfa7be0b3a9a6cfde8828a3f0fee_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\xhxRreR.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_a796dfa7be0b3a9a6cfde8828a3f0fee_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\qJYxZcg.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_a796dfa7be0b3a9a6cfde8828a3f0fee_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\JrUblFY.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_a796dfa7be0b3a9a6cfde8828a3f0fee_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\okZETgH.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_a796dfa7be0b3a9a6cfde8828a3f0fee_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\lVPYlcm.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_a796dfa7be0b3a9a6cfde8828a3f0fee_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\PMrexzj.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_a796dfa7be0b3a9a6cfde8828a3f0fee_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\yqFsaNw.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_a796dfa7be0b3a9a6cfde8828a3f0fee_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\JSAsJni.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_a796dfa7be0b3a9a6cfde8828a3f0fee_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\nOicpOD.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_a796dfa7be0b3a9a6cfde8828a3f0fee_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\qDkBOVF.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_a796dfa7be0b3a9a6cfde8828a3f0fee_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\pIMnxdz.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_a796dfa7be0b3a9a6cfde8828a3f0fee_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ruYIdbj.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_a796dfa7be0b3a9a6cfde8828a3f0fee_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\lpNfSLt.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_a796dfa7be0b3a9a6cfde8828a3f0fee_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\sWMJJeu.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_a796dfa7be0b3a9a6cfde8828a3f0fee_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\UriPApj.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_a796dfa7be0b3a9a6cfde8828a3f0fee_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\FQhzerE.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_a796dfa7be0b3a9a6cfde8828a3f0fee_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a796dfa7be0b3a9a6cfde8828a3f0fee_cobalt-strike_cobaltstrike.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a796dfa7be0b3a9a6cfde8828a3f0fee_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2424 wrote to memory of 2120 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a796dfa7be0b3a9a6cfde8828a3f0fee_cobalt-strike_cobaltstrike.exe C:\Windows\System\RQmmvEH.exe
PID 2424 wrote to memory of 2120 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a796dfa7be0b3a9a6cfde8828a3f0fee_cobalt-strike_cobaltstrike.exe C:\Windows\System\RQmmvEH.exe
PID 2424 wrote to memory of 2120 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a796dfa7be0b3a9a6cfde8828a3f0fee_cobalt-strike_cobaltstrike.exe C:\Windows\System\RQmmvEH.exe
PID 2424 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a796dfa7be0b3a9a6cfde8828a3f0fee_cobalt-strike_cobaltstrike.exe C:\Windows\System\pIMnxdz.exe
PID 2424 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a796dfa7be0b3a9a6cfde8828a3f0fee_cobalt-strike_cobaltstrike.exe C:\Windows\System\pIMnxdz.exe
PID 2424 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a796dfa7be0b3a9a6cfde8828a3f0fee_cobalt-strike_cobaltstrike.exe C:\Windows\System\pIMnxdz.exe
PID 2424 wrote to memory of 2344 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a796dfa7be0b3a9a6cfde8828a3f0fee_cobalt-strike_cobaltstrike.exe C:\Windows\System\JrUblFY.exe
PID 2424 wrote to memory of 2344 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a796dfa7be0b3a9a6cfde8828a3f0fee_cobalt-strike_cobaltstrike.exe C:\Windows\System\JrUblFY.exe
PID 2424 wrote to memory of 2344 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a796dfa7be0b3a9a6cfde8828a3f0fee_cobalt-strike_cobaltstrike.exe C:\Windows\System\JrUblFY.exe
PID 2424 wrote to memory of 2716 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a796dfa7be0b3a9a6cfde8828a3f0fee_cobalt-strike_cobaltstrike.exe C:\Windows\System\okZETgH.exe
PID 2424 wrote to memory of 2716 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a796dfa7be0b3a9a6cfde8828a3f0fee_cobalt-strike_cobaltstrike.exe C:\Windows\System\okZETgH.exe
PID 2424 wrote to memory of 2716 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a796dfa7be0b3a9a6cfde8828a3f0fee_cobalt-strike_cobaltstrike.exe C:\Windows\System\okZETgH.exe
PID 2424 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a796dfa7be0b3a9a6cfde8828a3f0fee_cobalt-strike_cobaltstrike.exe C:\Windows\System\nOicpOD.exe
PID 2424 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a796dfa7be0b3a9a6cfde8828a3f0fee_cobalt-strike_cobaltstrike.exe C:\Windows\System\nOicpOD.exe
PID 2424 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a796dfa7be0b3a9a6cfde8828a3f0fee_cobalt-strike_cobaltstrike.exe C:\Windows\System\nOicpOD.exe
PID 2424 wrote to memory of 2524 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a796dfa7be0b3a9a6cfde8828a3f0fee_cobalt-strike_cobaltstrike.exe C:\Windows\System\MkRJwXK.exe
PID 2424 wrote to memory of 2524 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a796dfa7be0b3a9a6cfde8828a3f0fee_cobalt-strike_cobaltstrike.exe C:\Windows\System\MkRJwXK.exe
PID 2424 wrote to memory of 2524 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a796dfa7be0b3a9a6cfde8828a3f0fee_cobalt-strike_cobaltstrike.exe C:\Windows\System\MkRJwXK.exe
PID 2424 wrote to memory of 2800 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a796dfa7be0b3a9a6cfde8828a3f0fee_cobalt-strike_cobaltstrike.exe C:\Windows\System\lVPYlcm.exe
PID 2424 wrote to memory of 2800 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a796dfa7be0b3a9a6cfde8828a3f0fee_cobalt-strike_cobaltstrike.exe C:\Windows\System\lVPYlcm.exe
PID 2424 wrote to memory of 2800 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a796dfa7be0b3a9a6cfde8828a3f0fee_cobalt-strike_cobaltstrike.exe C:\Windows\System\lVPYlcm.exe
PID 2424 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a796dfa7be0b3a9a6cfde8828a3f0fee_cobalt-strike_cobaltstrike.exe C:\Windows\System\PMrexzj.exe
PID 2424 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a796dfa7be0b3a9a6cfde8828a3f0fee_cobalt-strike_cobaltstrike.exe C:\Windows\System\PMrexzj.exe
PID 2424 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a796dfa7be0b3a9a6cfde8828a3f0fee_cobalt-strike_cobaltstrike.exe C:\Windows\System\PMrexzj.exe
PID 2424 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a796dfa7be0b3a9a6cfde8828a3f0fee_cobalt-strike_cobaltstrike.exe C:\Windows\System\ruYIdbj.exe
PID 2424 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a796dfa7be0b3a9a6cfde8828a3f0fee_cobalt-strike_cobaltstrike.exe C:\Windows\System\ruYIdbj.exe
PID 2424 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a796dfa7be0b3a9a6cfde8828a3f0fee_cobalt-strike_cobaltstrike.exe C:\Windows\System\ruYIdbj.exe
PID 2424 wrote to memory of 2796 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a796dfa7be0b3a9a6cfde8828a3f0fee_cobalt-strike_cobaltstrike.exe C:\Windows\System\JLWsAjW.exe
PID 2424 wrote to memory of 2796 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a796dfa7be0b3a9a6cfde8828a3f0fee_cobalt-strike_cobaltstrike.exe C:\Windows\System\JLWsAjW.exe
PID 2424 wrote to memory of 2796 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a796dfa7be0b3a9a6cfde8828a3f0fee_cobalt-strike_cobaltstrike.exe C:\Windows\System\JLWsAjW.exe
PID 2424 wrote to memory of 2536 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a796dfa7be0b3a9a6cfde8828a3f0fee_cobalt-strike_cobaltstrike.exe C:\Windows\System\yqFsaNw.exe
PID 2424 wrote to memory of 2536 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a796dfa7be0b3a9a6cfde8828a3f0fee_cobalt-strike_cobaltstrike.exe C:\Windows\System\yqFsaNw.exe
PID 2424 wrote to memory of 2536 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a796dfa7be0b3a9a6cfde8828a3f0fee_cobalt-strike_cobaltstrike.exe C:\Windows\System\yqFsaNw.exe
PID 2424 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a796dfa7be0b3a9a6cfde8828a3f0fee_cobalt-strike_cobaltstrike.exe C:\Windows\System\qDkBOVF.exe
PID 2424 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a796dfa7be0b3a9a6cfde8828a3f0fee_cobalt-strike_cobaltstrike.exe C:\Windows\System\qDkBOVF.exe
PID 2424 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a796dfa7be0b3a9a6cfde8828a3f0fee_cobalt-strike_cobaltstrike.exe C:\Windows\System\qDkBOVF.exe
PID 2424 wrote to memory of 3008 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a796dfa7be0b3a9a6cfde8828a3f0fee_cobalt-strike_cobaltstrike.exe C:\Windows\System\lpNfSLt.exe
PID 2424 wrote to memory of 3008 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a796dfa7be0b3a9a6cfde8828a3f0fee_cobalt-strike_cobaltstrike.exe C:\Windows\System\lpNfSLt.exe
PID 2424 wrote to memory of 3008 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a796dfa7be0b3a9a6cfde8828a3f0fee_cobalt-strike_cobaltstrike.exe C:\Windows\System\lpNfSLt.exe
PID 2424 wrote to memory of 1252 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a796dfa7be0b3a9a6cfde8828a3f0fee_cobalt-strike_cobaltstrike.exe C:\Windows\System\sWMJJeu.exe
PID 2424 wrote to memory of 1252 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a796dfa7be0b3a9a6cfde8828a3f0fee_cobalt-strike_cobaltstrike.exe C:\Windows\System\sWMJJeu.exe
PID 2424 wrote to memory of 1252 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a796dfa7be0b3a9a6cfde8828a3f0fee_cobalt-strike_cobaltstrike.exe C:\Windows\System\sWMJJeu.exe
PID 2424 wrote to memory of 1900 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a796dfa7be0b3a9a6cfde8828a3f0fee_cobalt-strike_cobaltstrike.exe C:\Windows\System\ExphGhO.exe
PID 2424 wrote to memory of 1900 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a796dfa7be0b3a9a6cfde8828a3f0fee_cobalt-strike_cobaltstrike.exe C:\Windows\System\ExphGhO.exe
PID 2424 wrote to memory of 1900 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a796dfa7be0b3a9a6cfde8828a3f0fee_cobalt-strike_cobaltstrike.exe C:\Windows\System\ExphGhO.exe
PID 2424 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a796dfa7be0b3a9a6cfde8828a3f0fee_cobalt-strike_cobaltstrike.exe C:\Windows\System\uaSPkIg.exe
PID 2424 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a796dfa7be0b3a9a6cfde8828a3f0fee_cobalt-strike_cobaltstrike.exe C:\Windows\System\uaSPkIg.exe
PID 2424 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a796dfa7be0b3a9a6cfde8828a3f0fee_cobalt-strike_cobaltstrike.exe C:\Windows\System\uaSPkIg.exe
PID 2424 wrote to memory of 2864 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a796dfa7be0b3a9a6cfde8828a3f0fee_cobalt-strike_cobaltstrike.exe C:\Windows\System\UriPApj.exe
PID 2424 wrote to memory of 2864 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a796dfa7be0b3a9a6cfde8828a3f0fee_cobalt-strike_cobaltstrike.exe C:\Windows\System\UriPApj.exe
PID 2424 wrote to memory of 2864 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a796dfa7be0b3a9a6cfde8828a3f0fee_cobalt-strike_cobaltstrike.exe C:\Windows\System\UriPApj.exe
PID 2424 wrote to memory of 2868 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a796dfa7be0b3a9a6cfde8828a3f0fee_cobalt-strike_cobaltstrike.exe C:\Windows\System\JSAsJni.exe
PID 2424 wrote to memory of 2868 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a796dfa7be0b3a9a6cfde8828a3f0fee_cobalt-strike_cobaltstrike.exe C:\Windows\System\JSAsJni.exe
PID 2424 wrote to memory of 2868 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a796dfa7be0b3a9a6cfde8828a3f0fee_cobalt-strike_cobaltstrike.exe C:\Windows\System\JSAsJni.exe
PID 2424 wrote to memory of 2884 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a796dfa7be0b3a9a6cfde8828a3f0fee_cobalt-strike_cobaltstrike.exe C:\Windows\System\xhxRreR.exe
PID 2424 wrote to memory of 2884 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a796dfa7be0b3a9a6cfde8828a3f0fee_cobalt-strike_cobaltstrike.exe C:\Windows\System\xhxRreR.exe
PID 2424 wrote to memory of 2884 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a796dfa7be0b3a9a6cfde8828a3f0fee_cobalt-strike_cobaltstrike.exe C:\Windows\System\xhxRreR.exe
PID 2424 wrote to memory of 792 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a796dfa7be0b3a9a6cfde8828a3f0fee_cobalt-strike_cobaltstrike.exe C:\Windows\System\FQhzerE.exe
PID 2424 wrote to memory of 792 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a796dfa7be0b3a9a6cfde8828a3f0fee_cobalt-strike_cobaltstrike.exe C:\Windows\System\FQhzerE.exe
PID 2424 wrote to memory of 792 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a796dfa7be0b3a9a6cfde8828a3f0fee_cobalt-strike_cobaltstrike.exe C:\Windows\System\FQhzerE.exe
PID 2424 wrote to memory of 1020 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a796dfa7be0b3a9a6cfde8828a3f0fee_cobalt-strike_cobaltstrike.exe C:\Windows\System\qJYxZcg.exe
PID 2424 wrote to memory of 1020 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a796dfa7be0b3a9a6cfde8828a3f0fee_cobalt-strike_cobaltstrike.exe C:\Windows\System\qJYxZcg.exe
PID 2424 wrote to memory of 1020 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a796dfa7be0b3a9a6cfde8828a3f0fee_cobalt-strike_cobaltstrike.exe C:\Windows\System\qJYxZcg.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-09_a796dfa7be0b3a9a6cfde8828a3f0fee_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-09_a796dfa7be0b3a9a6cfde8828a3f0fee_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\RQmmvEH.exe

C:\Windows\System\RQmmvEH.exe

C:\Windows\System\pIMnxdz.exe

C:\Windows\System\pIMnxdz.exe

C:\Windows\System\JrUblFY.exe

C:\Windows\System\JrUblFY.exe

C:\Windows\System\okZETgH.exe

C:\Windows\System\okZETgH.exe

C:\Windows\System\nOicpOD.exe

C:\Windows\System\nOicpOD.exe

C:\Windows\System\MkRJwXK.exe

C:\Windows\System\MkRJwXK.exe

C:\Windows\System\lVPYlcm.exe

C:\Windows\System\lVPYlcm.exe

C:\Windows\System\PMrexzj.exe

C:\Windows\System\PMrexzj.exe

C:\Windows\System\ruYIdbj.exe

C:\Windows\System\ruYIdbj.exe

C:\Windows\System\JLWsAjW.exe

C:\Windows\System\JLWsAjW.exe

C:\Windows\System\yqFsaNw.exe

C:\Windows\System\yqFsaNw.exe

C:\Windows\System\qDkBOVF.exe

C:\Windows\System\qDkBOVF.exe

C:\Windows\System\lpNfSLt.exe

C:\Windows\System\lpNfSLt.exe

C:\Windows\System\sWMJJeu.exe

C:\Windows\System\sWMJJeu.exe

C:\Windows\System\ExphGhO.exe

C:\Windows\System\ExphGhO.exe

C:\Windows\System\uaSPkIg.exe

C:\Windows\System\uaSPkIg.exe

C:\Windows\System\UriPApj.exe

C:\Windows\System\UriPApj.exe

C:\Windows\System\JSAsJni.exe

C:\Windows\System\JSAsJni.exe

C:\Windows\System\xhxRreR.exe

C:\Windows\System\xhxRreR.exe

C:\Windows\System\FQhzerE.exe

C:\Windows\System\FQhzerE.exe

C:\Windows\System\qJYxZcg.exe

C:\Windows\System\qJYxZcg.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp

Files

memory/2424-0-0x00000000002F0000-0x0000000000300000-memory.dmp

C:\Windows\system\RQmmvEH.exe

MD5 58bee7f456ffbeeda8982460c71343dc
SHA1 6b91160e6b6c986b81b0fe01287d7743e879df00
SHA256 1d52a9f77478bbdbab4872aba89b4a9faa65f692b8c37d1874694ed4caefa5e0
SHA512 983ce59866ebbc3161fe97400828851177a5add3ad9678503f5ecbba5ed9c23be67bb03f2f73c87b9af15039f77ca15ca562269c9cf2e28135e9b5af14a9f2fd

memory/2424-2-0x000000013F370000-0x000000013F6C4000-memory.dmp

memory/2120-9-0x000000013F2E0000-0x000000013F634000-memory.dmp

memory/2424-8-0x0000000002280000-0x00000000025D4000-memory.dmp

C:\Windows\system\pIMnxdz.exe

MD5 01998f7902bde6336a750fc13b3f6a3c
SHA1 ac85d259855c8d030b7aeb8487c8b70a864d0b53
SHA256 dd6d23a53cc787a763ead22c6d90eb2d33528fd95cad6162ebf5b4f4434fedad
SHA512 36e593312e0353a99786419dcdea022f0f136d0d53c82a5b1960032ead9e1269da400efd319032b2984055032fa96768a379cf77abf71379a839ef2b72568862

C:\Windows\system\JrUblFY.exe

MD5 2d047013b110a83cc5fba7ec2492a297
SHA1 bed34552fa4af879898801afe9af1485736244c3
SHA256 1d66790cc7bb0bf44a2b4609096e965a133789fe18fa1bc6e55e62375ad41720
SHA512 7eb3dedc4fa59fa92c342d61958753e6408eab446590bda82a1c3863fbc719a3f184fec88ad0b64006c61e8f55f9285e42090396a836d93b27b9037f8a5b692a

memory/2676-37-0x000000013F5C0000-0x000000013F914000-memory.dmp

C:\Windows\system\lVPYlcm.exe

MD5 09c50a7e07fb879a316855bf20059dde
SHA1 bbfdb94c8374b0b45acf6edf9977440e641d4565
SHA256 51e00124aa8045a3c96cc4b40f4bc582e676f839839511ec7fe7998f4d679216
SHA512 95fb4e10a0bf655f8d9e978a054d615f75beca02a4a503770bd20a3d582743677c9c5a41cf40db2dd6d3301d5c889b74832fbdd290708b4427992cf713320a77

C:\Windows\system\JLWsAjW.exe

MD5 c3e9844347ff9fb02a228f786c652052
SHA1 c1d611eb7bd525cf2f53e2bc366ce122abff829c
SHA256 148c52178b2dd62edf1fcfffe53481708bb5d7305fbdd6164dd50ac6a3fad4f3
SHA512 f464bcc8f1399d45e1f7c33ed087ed95d92aaea1e803c53d8109457d5f5bb244bac248466853bfdf55336d360e458bdd555d79f178edc5d5ca241fb8693b27df

C:\Windows\system\yqFsaNw.exe

MD5 f6f7c6f5f93527bc44bf21c470ea3af9
SHA1 6776524e0fdfea068b74add1c2f05669d77cbcba
SHA256 cbb3fa9a1af7b339ba298c0765ff038c3defbb75b5b46b71f75c1579609ecde4
SHA512 48979290397fd50937b979833d1630670e27071829eb35bb6821f467505e7863f65b7b5fe6d69e13a03c0cac8dca38b8542c9285b9f9a96c4235c077388ca28b

C:\Windows\system\uaSPkIg.exe

MD5 0e5c8654c33b72c55fe99719ce65a053
SHA1 da4872aa258a7e557c31d8f01ddf0cdcc1ac0139
SHA256 a7414af554ea2c8c04baa24904d12dafdb0377997ea42ed29a60c42c348124c5
SHA512 48e4d3702bcbea6772b136b2684d0644cea1f8dbca520797470c804f8a83b12d99d13ea6951fcacff6dfc6d485fbfa8bcf518c8ac802588b2ddeded532fdcfeb

\Windows\system\qJYxZcg.exe

MD5 c83a72fd32d1ea03c4c25e0b40a06534
SHA1 de2f9cae4aaddd2cc18d23899ecdd1c809f91cc1
SHA256 c7c33166fb7303a687223dfb582067f939bce709fca5c41b819da2f4a6dcb359
SHA512 01b6c66abfddb5df6a71e9a20ac803480a15bd6d8e038d46a607a93dd9ea600234a78f6bd587ad7d5b0616a8419e74ad1e4f1e4566d73f0ec035b67591e1923c

C:\Windows\system\qJYxZcg.exe

MD5 805d6db0177034f4ef9f06d0e8f3970c
SHA1 67585ab26db8a0f7514bdddbe659a432c3af93ed
SHA256 89cb7ee366d7d52c8fbcb3a32cf095fd97d18d76331743469587b2f7ab169ca8
SHA512 c53966c4bd83d34a25a166391ac16ddf867ef50ef1bc67c351a4be7ba9cec60c60197219abaa391aa6a74c9615188bf95180c476bbf86e5e4e60b8523ed7049f

C:\Windows\system\FQhzerE.exe

MD5 2845745df0db5a020d828a78d8ae1661
SHA1 83761c2c52986df0099588c7e94de11c734e87ab
SHA256 22054713cbd39eeb7b3c42ed914bc51a7c9ac7ffabefdfc6338a82875d027f7c
SHA512 6ea499553899485323bdca098445221063797efbbdd10a4e65b60273807e4e9a6da5f97c183334f1402f19ddfaef66b2150db8f17e1d851d88ab9697a9c2b8ad

memory/2524-102-0x000000013F170000-0x000000013F4C4000-memory.dmp

C:\Windows\system\xhxRreR.exe

MD5 5358a4b13063c2520e17c51f96bfa1ac
SHA1 3047ca801e2e286bc4b4527dc3ff6b307ee48d17
SHA256 4b577413d2954ff1827ef1546213de820c85902a49dd2cfa7981ae608438098f
SHA512 b682cd0a63cdfea59f099bd3eb10ee8c5155c236ec32112f0b9473c83ab89021444804bbd74602f570e7171db86ace3ed6d1b8ddb2d954cd961eb91038a09927

memory/2596-127-0x000000013F740000-0x000000013FA94000-memory.dmp

memory/2424-131-0x000000013FDB0000-0x0000000140104000-memory.dmp

memory/1252-130-0x000000013F860000-0x000000013FBB4000-memory.dmp

memory/2424-129-0x000000013F860000-0x000000013FBB4000-memory.dmp

memory/3008-128-0x000000013F630000-0x000000013F984000-memory.dmp

memory/2424-126-0x000000013F740000-0x000000013FA94000-memory.dmp

memory/2536-125-0x000000013FD60000-0x00000001400B4000-memory.dmp

memory/2424-124-0x000000013FD60000-0x00000001400B4000-memory.dmp

memory/2796-123-0x000000013F2D0000-0x000000013F624000-memory.dmp

memory/2692-122-0x000000013F8C0000-0x000000013FC14000-memory.dmp

memory/2424-121-0x000000013F8C0000-0x000000013FC14000-memory.dmp

memory/2748-120-0x000000013F380000-0x000000013F6D4000-memory.dmp

memory/2424-119-0x0000000002280000-0x00000000025D4000-memory.dmp

memory/2800-118-0x000000013F3B0000-0x000000013F704000-memory.dmp

\Windows\system\xhxRreR.exe

MD5 f6cdfb3d88537b367792cbd894bd98ed
SHA1 3d3f99c94c72c456dffcf949bc5d30603a7e936c
SHA256 05dd3d926d8f7a6b3411e38a31ef4f8229eb7d780b830e3fca3bbab5124eef86
SHA512 0da483abd45f0fc31271e46184ea3a074b58fa3e0dc6bb0072318eee13b5c0ffc1280f1aa582bb4e78cf8a2c355408182d9725282b3a73e6e2dadc9f4f43faa3

C:\Windows\system\JSAsJni.exe

MD5 17ae3cbfca04f683a7aac5e17e165342
SHA1 ea0e8f815106b7a2c7373a1c3929102ae9b25cab
SHA256 9f430796dda29d4039b85e36d711e1e9d5ca6ba0e948286ae51ab57be809fac9
SHA512 207c9e5c2122aee47dc389cdff03b5272174516c4a7e1a44d55f7f1b32055f90171afa99b4d66830d17d54f6dfa245e322b01c9714aa13684169e9cbc078ed0c

C:\Windows\system\UriPApj.exe

MD5 6fc1d2a6aa4e5fec1598640195150caa
SHA1 163971d08fea512c74e8dc6194438875b3a4e2dd
SHA256 c7702a558c524dcd71e1b49a725b4d00424bcfa78922fa47fa3df7ad8780489b
SHA512 32242bb3972b6c84fe04251d691d74728217a6789799a7b9b70417f9c92fed40204f2a0597f504eb1e15f95e5fdd6bfa9b9cbc89671f004164b2844ac1ca4ae4

\Windows\system\UriPApj.exe

MD5 859d94456bb3da553ce8b1a48ed5270c
SHA1 147a5c8674e46a7def81e3132c1064e5b94bb48d
SHA256 628ca57463e5aad8ef829809b5b8ac058b4ef16d57ba8fcfd96838bbb018af8b
SHA512 f1df12a7169cf442068dcabeac80288cdc24d71631e29b3d8fb5711c8593b406a752d6cdb0ced43357528d74c5eecc1d2da4a7e6dcdf69f9c1e81ea7faf6873d

C:\Windows\system\ExphGhO.exe

MD5 f991a15ca3ac60a167fa1a9c6e8de38e
SHA1 d439e0cc0a94122db1c5ba149582caa0a0697f4e
SHA256 fdcb1f7457c984d8eef6a2f17ef1df7dd4ef7d397e6731a8084f8d30609845b0
SHA512 60fcf22b0d122b18e20c538ceebbe59509ae233af3dc78fe804a99f603d9127125a3ac2c9c4dd7a255838e233096e5136ed0a6735069ac83f2b28c2721c5d50f

memory/2424-132-0x000000013F370000-0x000000013F6C4000-memory.dmp

C:\Windows\system\sWMJJeu.exe

MD5 ceb9098f5230061fcf932a8cbe87d317
SHA1 a2d1a3e81d5292da4aaf67e666eb73bba353f7cd
SHA256 d6817381308bd4ffe6cf3c0f7f6f7144a23f45ccbc833a0c62492f88dfb36323
SHA512 2dce8b9b2ed335da48d228caf439f5162ea1293a703453d6dc707864eaa0dab131c5b97227940de0debcb88dac45dec260320060be9dedb69bb74f43150e0df0

C:\Windows\system\lpNfSLt.exe

MD5 7aaed59e81883ccc6a1f51d7ceba8aea
SHA1 ad439da9e172d66fb363ee3ccdeb784403802da7
SHA256 60993be56448ec872285aca4f955766be9ffb9322286c54762c862c7bff99a4a
SHA512 a8213af11deee16995da3c584834892588465d8fcd7ba16d1dd81cde7e4051b7f82cc58b51f91d4f9df8d00b1ae51dd7c77c17c0b2f9917f25c200091d3e704c

C:\Windows\system\qDkBOVF.exe

MD5 5e0326ab63e44bcbb413da2eb1cede5f
SHA1 189fc080f0b195fe3e9004389d0fc400311918cb
SHA256 3d25a6341e2d099eb068708d7eb6acc6b0832d304052e4873badfd0d1582a464
SHA512 be356826d1d74f4f544c85dd17d55fa419abe001f7f7474edbbfa296ae778841bb4fe87e9763a3a12b65052a65ba656876bc6084ed122a441bfe91fd86b49880

\Windows\system\JLWsAjW.exe

MD5 38e1b7b0b9aa649f5c14f03127a6d132
SHA1 3917ca36707cd2c4dba6b6926d34a14a7bb117b1
SHA256 ddb3f57945f3929208b2b32e9fb1bc992b84f62c9f6d825404b952bbb20eee72
SHA512 47f8cf2986d63387cdc2751aeb8271afa2f9ce56ab0a21337ea9677985ff041ab00a0daf7ea6b9731948111f864f618de503be2edb6c7c0b58599566140c22a0

C:\Windows\system\ruYIdbj.exe

MD5 2e820f8af7aa3bf225d37608a0a87341
SHA1 b813ceb09756bee341a57c9525bd3abdbe863ab8
SHA256 de3ecb3b5fcb41244e0ad238c42dbdcdb420cd69a0a9fd4969c3c2c21a4688aa
SHA512 94100e338184f7a3ae15a222a1475fa5698953edd851085d3fd0ba1cff9c8ac4fea1d0ffc946527b9efc401e37d9d7afc7e865918e1dcb595782d3b4242cf2f4

\Windows\system\ruYIdbj.exe

MD5 030d80ee86dcb0299658f76269396f1f
SHA1 c321123581ea66ffedcef821911ccc978f0b8797
SHA256 97f8bc146e8dd61b74b62b1e6490d08b853578e355a16d99b1fca31c723f0d50
SHA512 da40c12c7593c0bf257bcee5bf83b42451980ebdb2bbecea1acaa04b1b303d1d74e08c7954ccdc495c8f29345f676109d84a708d9b918dd992e02259ad6dd517

C:\Windows\system\PMrexzj.exe

MD5 12895d7ff9e186b402c0cbc8144fdd93
SHA1 b39018a3d94749e8999f102b422f482f843c02d8
SHA256 8a7c014d158b2b58d0db468cdf4893e0da92b9ecbdd2421ceedd9484d15288c5
SHA512 26cc5532c96a513d6dc620feabdc9a24207a689399faf4b2b64db2d62a1333320107b37f549bc8879e8602bc90608d598adb65ce4bcda502b8a0c2ad275ce57e

\Windows\system\lVPYlcm.exe

MD5 984a8cf637fc9f46a5be1646493a183b
SHA1 eff3045fcb5d0b4a9321004fdd3e94f3f336f5af
SHA256 0d4a824efda706db87b77805c320758f4772451fa0404efc091a4e3040c61068
SHA512 f10e98d33b97922d86b629662f92ca9b0747603db9cee26627e84885ca9797232c0f5349bf7b35b6812a24bc6e60bd825c6020365d2a762c823adc6158a78b7d

C:\Windows\system\MkRJwXK.exe

MD5 4b28a8de4ae6ebe88cfeb5419bc29e27
SHA1 92c64b3d3923e7a6fc8537baaf44b185e5d8df1a
SHA256 02703b8d9827b0fdc3fb3647b09547bbfd5779d371a6b8ac60acab8abc808067
SHA512 b57812c594b441a92cd14e5a0197ad77d174486d3faabe6c99e3a491c9a60ca02f0e63e09198b98cb6ead70bc88ddb7adf77d3e74157fc00d401f64014bc4c83

memory/2424-36-0x0000000002280000-0x00000000025D4000-memory.dmp

memory/2424-35-0x0000000002280000-0x00000000025D4000-memory.dmp

memory/2424-33-0x000000013FDB0000-0x0000000140104000-memory.dmp

C:\Windows\system\nOicpOD.exe

MD5 aaf63299f5519f8596c1a6529aa0b906
SHA1 53ec52cd06843079cbfdbc0cea000dc6eea86297
SHA256 f6c5c1093b686d618f67b914fc67f8675e2d0d7850b0c6cb2e9f7311bace0a05
SHA512 ded042c1f37f039c528b177e7c0ed5a86fbf8eab61703c8816d89c553d2a9f6f65657c40dee639d25447d95d3c662da5dadc3b7cca1ef1c1403c8434e43d289b

memory/2716-31-0x000000013F6A0000-0x000000013F9F4000-memory.dmp

memory/2344-30-0x000000013FDB0000-0x0000000140104000-memory.dmp

memory/2808-25-0x000000013F3C0000-0x000000013F714000-memory.dmp

C:\Windows\system\okZETgH.exe

MD5 187c732d89175fa52717d51b47481f7a
SHA1 8dbb3a4b317c1199a8490318fdc674b8e36470f5
SHA256 e066963b8f92e27d0b6334d7ac07bd065289bcb08036d1c4d7651f38ab008696
SHA512 504a17775e68d9e75b111c2968f83bff8e5e0e04bec95b1439069841c8ecf3d65bb0202bd233f0e2f96abaa4d817eea2c23d0159be48aaf389debd4f254aa338

memory/2424-18-0x0000000002280000-0x00000000025D4000-memory.dmp

memory/2800-133-0x000000013F3B0000-0x000000013F704000-memory.dmp

memory/2424-134-0x000000013F8C0000-0x000000013FC14000-memory.dmp

memory/2120-135-0x000000013F2E0000-0x000000013F634000-memory.dmp

memory/2808-136-0x000000013F3C0000-0x000000013F714000-memory.dmp

memory/2344-137-0x000000013FDB0000-0x0000000140104000-memory.dmp

memory/2716-138-0x000000013F6A0000-0x000000013F9F4000-memory.dmp

memory/2676-139-0x000000013F5C0000-0x000000013F914000-memory.dmp

memory/2524-140-0x000000013F170000-0x000000013F4C4000-memory.dmp

memory/2748-141-0x000000013F380000-0x000000013F6D4000-memory.dmp

memory/2536-148-0x000000013FD60000-0x00000001400B4000-memory.dmp

memory/2796-147-0x000000013F2D0000-0x000000013F624000-memory.dmp

memory/2692-146-0x000000013F8C0000-0x000000013FC14000-memory.dmp

memory/2596-145-0x000000013F740000-0x000000013FA94000-memory.dmp

memory/3008-144-0x000000013F630000-0x000000013F984000-memory.dmp

memory/1252-143-0x000000013F860000-0x000000013FBB4000-memory.dmp

memory/2800-142-0x000000013F3B0000-0x000000013F704000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-09 21:35

Reported

2024-06-09 21:38

Platform

win10v2004-20240508-en

Max time kernel

137s

Max time network

145s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-09_a796dfa7be0b3a9a6cfde8828a3f0fee_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\MkRJwXK.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_a796dfa7be0b3a9a6cfde8828a3f0fee_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\yqFsaNw.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_a796dfa7be0b3a9a6cfde8828a3f0fee_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\qDkBOVF.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_a796dfa7be0b3a9a6cfde8828a3f0fee_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ExphGhO.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_a796dfa7be0b3a9a6cfde8828a3f0fee_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\JSAsJni.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_a796dfa7be0b3a9a6cfde8828a3f0fee_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\qJYxZcg.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_a796dfa7be0b3a9a6cfde8828a3f0fee_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\JrUblFY.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_a796dfa7be0b3a9a6cfde8828a3f0fee_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\okZETgH.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_a796dfa7be0b3a9a6cfde8828a3f0fee_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\lVPYlcm.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_a796dfa7be0b3a9a6cfde8828a3f0fee_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ruYIdbj.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_a796dfa7be0b3a9a6cfde8828a3f0fee_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\JLWsAjW.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_a796dfa7be0b3a9a6cfde8828a3f0fee_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\pIMnxdz.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_a796dfa7be0b3a9a6cfde8828a3f0fee_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\PMrexzj.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_a796dfa7be0b3a9a6cfde8828a3f0fee_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\lpNfSLt.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_a796dfa7be0b3a9a6cfde8828a3f0fee_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\sWMJJeu.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_a796dfa7be0b3a9a6cfde8828a3f0fee_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\uaSPkIg.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_a796dfa7be0b3a9a6cfde8828a3f0fee_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\xhxRreR.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_a796dfa7be0b3a9a6cfde8828a3f0fee_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\RQmmvEH.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_a796dfa7be0b3a9a6cfde8828a3f0fee_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\nOicpOD.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_a796dfa7be0b3a9a6cfde8828a3f0fee_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\UriPApj.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_a796dfa7be0b3a9a6cfde8828a3f0fee_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\FQhzerE.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_a796dfa7be0b3a9a6cfde8828a3f0fee_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a796dfa7be0b3a9a6cfde8828a3f0fee_cobalt-strike_cobaltstrike.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a796dfa7be0b3a9a6cfde8828a3f0fee_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4000 wrote to memory of 4024 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a796dfa7be0b3a9a6cfde8828a3f0fee_cobalt-strike_cobaltstrike.exe C:\Windows\System\RQmmvEH.exe
PID 4000 wrote to memory of 4024 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a796dfa7be0b3a9a6cfde8828a3f0fee_cobalt-strike_cobaltstrike.exe C:\Windows\System\RQmmvEH.exe
PID 4000 wrote to memory of 2380 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a796dfa7be0b3a9a6cfde8828a3f0fee_cobalt-strike_cobaltstrike.exe C:\Windows\System\pIMnxdz.exe
PID 4000 wrote to memory of 2380 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a796dfa7be0b3a9a6cfde8828a3f0fee_cobalt-strike_cobaltstrike.exe C:\Windows\System\pIMnxdz.exe
PID 4000 wrote to memory of 4768 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a796dfa7be0b3a9a6cfde8828a3f0fee_cobalt-strike_cobaltstrike.exe C:\Windows\System\JrUblFY.exe
PID 4000 wrote to memory of 4768 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a796dfa7be0b3a9a6cfde8828a3f0fee_cobalt-strike_cobaltstrike.exe C:\Windows\System\JrUblFY.exe
PID 4000 wrote to memory of 1892 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a796dfa7be0b3a9a6cfde8828a3f0fee_cobalt-strike_cobaltstrike.exe C:\Windows\System\okZETgH.exe
PID 4000 wrote to memory of 1892 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a796dfa7be0b3a9a6cfde8828a3f0fee_cobalt-strike_cobaltstrike.exe C:\Windows\System\okZETgH.exe
PID 4000 wrote to memory of 3556 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a796dfa7be0b3a9a6cfde8828a3f0fee_cobalt-strike_cobaltstrike.exe C:\Windows\System\nOicpOD.exe
PID 4000 wrote to memory of 3556 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a796dfa7be0b3a9a6cfde8828a3f0fee_cobalt-strike_cobaltstrike.exe C:\Windows\System\nOicpOD.exe
PID 4000 wrote to memory of 3128 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a796dfa7be0b3a9a6cfde8828a3f0fee_cobalt-strike_cobaltstrike.exe C:\Windows\System\MkRJwXK.exe
PID 4000 wrote to memory of 3128 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a796dfa7be0b3a9a6cfde8828a3f0fee_cobalt-strike_cobaltstrike.exe C:\Windows\System\MkRJwXK.exe
PID 4000 wrote to memory of 1964 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a796dfa7be0b3a9a6cfde8828a3f0fee_cobalt-strike_cobaltstrike.exe C:\Windows\System\lVPYlcm.exe
PID 4000 wrote to memory of 1964 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a796dfa7be0b3a9a6cfde8828a3f0fee_cobalt-strike_cobaltstrike.exe C:\Windows\System\lVPYlcm.exe
PID 4000 wrote to memory of 1080 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a796dfa7be0b3a9a6cfde8828a3f0fee_cobalt-strike_cobaltstrike.exe C:\Windows\System\PMrexzj.exe
PID 4000 wrote to memory of 1080 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a796dfa7be0b3a9a6cfde8828a3f0fee_cobalt-strike_cobaltstrike.exe C:\Windows\System\PMrexzj.exe
PID 4000 wrote to memory of 2016 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a796dfa7be0b3a9a6cfde8828a3f0fee_cobalt-strike_cobaltstrike.exe C:\Windows\System\ruYIdbj.exe
PID 4000 wrote to memory of 2016 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a796dfa7be0b3a9a6cfde8828a3f0fee_cobalt-strike_cobaltstrike.exe C:\Windows\System\ruYIdbj.exe
PID 4000 wrote to memory of 4344 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a796dfa7be0b3a9a6cfde8828a3f0fee_cobalt-strike_cobaltstrike.exe C:\Windows\System\JLWsAjW.exe
PID 4000 wrote to memory of 4344 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a796dfa7be0b3a9a6cfde8828a3f0fee_cobalt-strike_cobaltstrike.exe C:\Windows\System\JLWsAjW.exe
PID 4000 wrote to memory of 3876 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a796dfa7be0b3a9a6cfde8828a3f0fee_cobalt-strike_cobaltstrike.exe C:\Windows\System\yqFsaNw.exe
PID 4000 wrote to memory of 3876 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a796dfa7be0b3a9a6cfde8828a3f0fee_cobalt-strike_cobaltstrike.exe C:\Windows\System\yqFsaNw.exe
PID 4000 wrote to memory of 2140 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a796dfa7be0b3a9a6cfde8828a3f0fee_cobalt-strike_cobaltstrike.exe C:\Windows\System\qDkBOVF.exe
PID 4000 wrote to memory of 2140 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a796dfa7be0b3a9a6cfde8828a3f0fee_cobalt-strike_cobaltstrike.exe C:\Windows\System\qDkBOVF.exe
PID 4000 wrote to memory of 3392 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a796dfa7be0b3a9a6cfde8828a3f0fee_cobalt-strike_cobaltstrike.exe C:\Windows\System\lpNfSLt.exe
PID 4000 wrote to memory of 3392 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a796dfa7be0b3a9a6cfde8828a3f0fee_cobalt-strike_cobaltstrike.exe C:\Windows\System\lpNfSLt.exe
PID 4000 wrote to memory of 1140 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a796dfa7be0b3a9a6cfde8828a3f0fee_cobalt-strike_cobaltstrike.exe C:\Windows\System\sWMJJeu.exe
PID 4000 wrote to memory of 1140 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a796dfa7be0b3a9a6cfde8828a3f0fee_cobalt-strike_cobaltstrike.exe C:\Windows\System\sWMJJeu.exe
PID 4000 wrote to memory of 3548 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a796dfa7be0b3a9a6cfde8828a3f0fee_cobalt-strike_cobaltstrike.exe C:\Windows\System\ExphGhO.exe
PID 4000 wrote to memory of 3548 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a796dfa7be0b3a9a6cfde8828a3f0fee_cobalt-strike_cobaltstrike.exe C:\Windows\System\ExphGhO.exe
PID 4000 wrote to memory of 2816 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a796dfa7be0b3a9a6cfde8828a3f0fee_cobalt-strike_cobaltstrike.exe C:\Windows\System\uaSPkIg.exe
PID 4000 wrote to memory of 2816 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a796dfa7be0b3a9a6cfde8828a3f0fee_cobalt-strike_cobaltstrike.exe C:\Windows\System\uaSPkIg.exe
PID 4000 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a796dfa7be0b3a9a6cfde8828a3f0fee_cobalt-strike_cobaltstrike.exe C:\Windows\System\UriPApj.exe
PID 4000 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a796dfa7be0b3a9a6cfde8828a3f0fee_cobalt-strike_cobaltstrike.exe C:\Windows\System\UriPApj.exe
PID 4000 wrote to memory of 1508 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a796dfa7be0b3a9a6cfde8828a3f0fee_cobalt-strike_cobaltstrike.exe C:\Windows\System\JSAsJni.exe
PID 4000 wrote to memory of 1508 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a796dfa7be0b3a9a6cfde8828a3f0fee_cobalt-strike_cobaltstrike.exe C:\Windows\System\JSAsJni.exe
PID 4000 wrote to memory of 3728 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a796dfa7be0b3a9a6cfde8828a3f0fee_cobalt-strike_cobaltstrike.exe C:\Windows\System\xhxRreR.exe
PID 4000 wrote to memory of 3728 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a796dfa7be0b3a9a6cfde8828a3f0fee_cobalt-strike_cobaltstrike.exe C:\Windows\System\xhxRreR.exe
PID 4000 wrote to memory of 512 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a796dfa7be0b3a9a6cfde8828a3f0fee_cobalt-strike_cobaltstrike.exe C:\Windows\System\FQhzerE.exe
PID 4000 wrote to memory of 512 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a796dfa7be0b3a9a6cfde8828a3f0fee_cobalt-strike_cobaltstrike.exe C:\Windows\System\FQhzerE.exe
PID 4000 wrote to memory of 3252 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a796dfa7be0b3a9a6cfde8828a3f0fee_cobalt-strike_cobaltstrike.exe C:\Windows\System\qJYxZcg.exe
PID 4000 wrote to memory of 3252 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a796dfa7be0b3a9a6cfde8828a3f0fee_cobalt-strike_cobaltstrike.exe C:\Windows\System\qJYxZcg.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-09_a796dfa7be0b3a9a6cfde8828a3f0fee_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-09_a796dfa7be0b3a9a6cfde8828a3f0fee_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\RQmmvEH.exe

C:\Windows\System\RQmmvEH.exe

C:\Windows\System\pIMnxdz.exe

C:\Windows\System\pIMnxdz.exe

C:\Windows\System\JrUblFY.exe

C:\Windows\System\JrUblFY.exe

C:\Windows\System\okZETgH.exe

C:\Windows\System\okZETgH.exe

C:\Windows\System\nOicpOD.exe

C:\Windows\System\nOicpOD.exe

C:\Windows\System\MkRJwXK.exe

C:\Windows\System\MkRJwXK.exe

C:\Windows\System\lVPYlcm.exe

C:\Windows\System\lVPYlcm.exe

C:\Windows\System\PMrexzj.exe

C:\Windows\System\PMrexzj.exe

C:\Windows\System\ruYIdbj.exe

C:\Windows\System\ruYIdbj.exe

C:\Windows\System\JLWsAjW.exe

C:\Windows\System\JLWsAjW.exe

C:\Windows\System\yqFsaNw.exe

C:\Windows\System\yqFsaNw.exe

C:\Windows\System\qDkBOVF.exe

C:\Windows\System\qDkBOVF.exe

C:\Windows\System\lpNfSLt.exe

C:\Windows\System\lpNfSLt.exe

C:\Windows\System\sWMJJeu.exe

C:\Windows\System\sWMJJeu.exe

C:\Windows\System\ExphGhO.exe

C:\Windows\System\ExphGhO.exe

C:\Windows\System\uaSPkIg.exe

C:\Windows\System\uaSPkIg.exe

C:\Windows\System\UriPApj.exe

C:\Windows\System\UriPApj.exe

C:\Windows\System\JSAsJni.exe

C:\Windows\System\JSAsJni.exe

C:\Windows\System\xhxRreR.exe

C:\Windows\System\xhxRreR.exe

C:\Windows\System\FQhzerE.exe

C:\Windows\System\FQhzerE.exe

C:\Windows\System\qJYxZcg.exe

C:\Windows\System\qJYxZcg.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 20.160.190.20.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 35.15.31.184.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 144.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp

Files

memory/4000-0-0x00007FF7464F0000-0x00007FF746844000-memory.dmp

memory/4000-1-0x000001EB0B220000-0x000001EB0B230000-memory.dmp

C:\Windows\System\RQmmvEH.exe

MD5 58bee7f456ffbeeda8982460c71343dc
SHA1 6b91160e6b6c986b81b0fe01287d7743e879df00
SHA256 1d52a9f77478bbdbab4872aba89b4a9faa65f692b8c37d1874694ed4caefa5e0
SHA512 983ce59866ebbc3161fe97400828851177a5add3ad9678503f5ecbba5ed9c23be67bb03f2f73c87b9af15039f77ca15ca562269c9cf2e28135e9b5af14a9f2fd

C:\Windows\System\pIMnxdz.exe

MD5 01998f7902bde6336a750fc13b3f6a3c
SHA1 ac85d259855c8d030b7aeb8487c8b70a864d0b53
SHA256 dd6d23a53cc787a763ead22c6d90eb2d33528fd95cad6162ebf5b4f4434fedad
SHA512 36e593312e0353a99786419dcdea022f0f136d0d53c82a5b1960032ead9e1269da400efd319032b2984055032fa96768a379cf77abf71379a839ef2b72568862

memory/4024-7-0x00007FF79F700000-0x00007FF79FA54000-memory.dmp

C:\Windows\System\okZETgH.exe

MD5 187c732d89175fa52717d51b47481f7a
SHA1 8dbb3a4b317c1199a8490318fdc674b8e36470f5
SHA256 e066963b8f92e27d0b6334d7ac07bd065289bcb08036d1c4d7651f38ab008696
SHA512 504a17775e68d9e75b111c2968f83bff8e5e0e04bec95b1439069841c8ecf3d65bb0202bd233f0e2f96abaa4d817eea2c23d0159be48aaf389debd4f254aa338

memory/4768-21-0x00007FF7C4640000-0x00007FF7C4994000-memory.dmp

C:\Windows\System\JrUblFY.exe

MD5 2d047013b110a83cc5fba7ec2492a297
SHA1 bed34552fa4af879898801afe9af1485736244c3
SHA256 1d66790cc7bb0bf44a2b4609096e965a133789fe18fa1bc6e55e62375ad41720
SHA512 7eb3dedc4fa59fa92c342d61958753e6408eab446590bda82a1c3863fbc719a3f184fec88ad0b64006c61e8f55f9285e42090396a836d93b27b9037f8a5b692a

memory/2380-15-0x00007FF72D4C0000-0x00007FF72D814000-memory.dmp

C:\Windows\System\nOicpOD.exe

MD5 aaf63299f5519f8596c1a6529aa0b906
SHA1 53ec52cd06843079cbfdbc0cea000dc6eea86297
SHA256 f6c5c1093b686d618f67b914fc67f8675e2d0d7850b0c6cb2e9f7311bace0a05
SHA512 ded042c1f37f039c528b177e7c0ed5a86fbf8eab61703c8816d89c553d2a9f6f65657c40dee639d25447d95d3c662da5dadc3b7cca1ef1c1403c8434e43d289b

memory/3556-31-0x00007FF665DC0000-0x00007FF666114000-memory.dmp

memory/3128-38-0x00007FF62A460000-0x00007FF62A7B4000-memory.dmp

C:\Windows\System\PMrexzj.exe

MD5 12895d7ff9e186b402c0cbc8144fdd93
SHA1 b39018a3d94749e8999f102b422f482f843c02d8
SHA256 8a7c014d158b2b58d0db468cdf4893e0da92b9ecbdd2421ceedd9484d15288c5
SHA512 26cc5532c96a513d6dc620feabdc9a24207a689399faf4b2b64db2d62a1333320107b37f549bc8879e8602bc90608d598adb65ce4bcda502b8a0c2ad275ce57e

C:\Windows\System\JLWsAjW.exe

MD5 c3e9844347ff9fb02a228f786c652052
SHA1 c1d611eb7bd525cf2f53e2bc366ce122abff829c
SHA256 148c52178b2dd62edf1fcfffe53481708bb5d7305fbdd6164dd50ac6a3fad4f3
SHA512 f464bcc8f1399d45e1f7c33ed087ed95d92aaea1e803c53d8109457d5f5bb244bac248466853bfdf55336d360e458bdd555d79f178edc5d5ca241fb8693b27df

memory/1080-52-0x00007FF711000000-0x00007FF711354000-memory.dmp

memory/4344-63-0x00007FF6FCB50000-0x00007FF6FCEA4000-memory.dmp

memory/2016-73-0x00007FF6C9260000-0x00007FF6C95B4000-memory.dmp

C:\Windows\System\JLWsAjW.exe

MD5 d087d60bee972482ba414dde57d94064
SHA1 0e58102d75409e85387c950e86f4cc96da371515
SHA256 1ee51685b7af314df3c8f01c4b39b91c739a420b0c8968c9cd986b716fd08dc9
SHA512 500b3e00dc02005c17b03b8494021fddbab5916723a913433d6ef89aa2cf4e6e68fc4172636b2bd68c73de2d44f0d00b4e792d1f453e109ae727ef66e97b6e2b

memory/2140-89-0x00007FF7BCD80000-0x00007FF7BD0D4000-memory.dmp

memory/2380-95-0x00007FF72D4C0000-0x00007FF72D814000-memory.dmp

memory/4024-94-0x00007FF79F700000-0x00007FF79FA54000-memory.dmp

memory/3548-93-0x00007FF600FA0000-0x00007FF6012F4000-memory.dmp

C:\Windows\System\ExphGhO.exe

MD5 f991a15ca3ac60a167fa1a9c6e8de38e
SHA1 d439e0cc0a94122db1c5ba149582caa0a0697f4e
SHA256 fdcb1f7457c984d8eef6a2f17ef1df7dd4ef7d397e6731a8084f8d30609845b0
SHA512 60fcf22b0d122b18e20c538ceebbe59509ae233af3dc78fe804a99f603d9127125a3ac2c9c4dd7a255838e233096e5136ed0a6735069ac83f2b28c2721c5d50f

memory/1140-90-0x00007FF6A38A0000-0x00007FF6A3BF4000-memory.dmp

memory/4000-88-0x00007FF7464F0000-0x00007FF746844000-memory.dmp

C:\Windows\System\ExphGhO.exe

MD5 38e1b7b0b9aa649f5c14f03127a6d132
SHA1 3917ca36707cd2c4dba6b6926d34a14a7bb117b1
SHA256 ddb3f57945f3929208b2b32e9fb1bc992b84f62c9f6d825404b952bbb20eee72
SHA512 47f8cf2986d63387cdc2751aeb8271afa2f9ce56ab0a21337ea9677985ff041ab00a0daf7ea6b9731948111f864f618de503be2edb6c7c0b58599566140c22a0

C:\Windows\System\lpNfSLt.exe

MD5 2f6c78680b2f75c8ce8f41a76f87884b
SHA1 12618eb206165ab41654bc3bd25b692c41161644
SHA256 d2cb9271753c86ffffe38e679b1bdb13c205d813c16264cd9aaf0aee321793e1
SHA512 4ac821363b698dfb1ecacfa80cfce7b6c22aadc031ddb51d85d40c84978ae5362aba1e85ef771ec094bc3414bf35c72fed0ffb84a3c9e2f530d1dd09a23ea809

C:\Windows\System\sWMJJeu.exe

MD5 ceb9098f5230061fcf932a8cbe87d317
SHA1 a2d1a3e81d5292da4aaf67e666eb73bba353f7cd
SHA256 d6817381308bd4ffe6cf3c0f7f6f7144a23f45ccbc833a0c62492f88dfb36323
SHA512 2dce8b9b2ed335da48d228caf439f5162ea1293a703453d6dc707864eaa0dab131c5b97227940de0debcb88dac45dec260320060be9dedb69bb74f43150e0df0

C:\Windows\System\qDkBOVF.exe

MD5 5e0326ab63e44bcbb413da2eb1cede5f
SHA1 189fc080f0b195fe3e9004389d0fc400311918cb
SHA256 3d25a6341e2d099eb068708d7eb6acc6b0832d304052e4873badfd0d1582a464
SHA512 be356826d1d74f4f544c85dd17d55fa419abe001f7f7474edbbfa296ae778841bb4fe87e9763a3a12b65052a65ba656876bc6084ed122a441bfe91fd86b49880

memory/3392-80-0x00007FF757AB0000-0x00007FF757E04000-memory.dmp

memory/3876-79-0x00007FF795F40000-0x00007FF796294000-memory.dmp

C:\Windows\System\sWMJJeu.exe

MD5 8003c8ca1c6255c4a9df50b61d369786
SHA1 ef521c59d5519424152618453d9a1ec413a267cf
SHA256 caa068826195e26df36f4f536e4c6574635de1b7a9a02c85ee8ca5d8d8224bf8
SHA512 0384a1e885e5629a148689a8b4027e18c5b2d083fe94b00bac0956a112bba29ab292c390c9a09436cf2e74109a83853e787b70a1e1be9d9ef015a376f3eba795

C:\Windows\System\ruYIdbj.exe

MD5 1e2459942327eb396bd8cd9cbc885d14
SHA1 b979cbcb517509c30843efb1d91bef30f1f24a44
SHA256 54a03d5d208d751b31e23b71307944c1879786db4797c4e135ceee676e41235a
SHA512 62534d80e6c8c22bb311b0a7f5fb302c5a153d567d6f207a17c6fee8290718e68d1dc2dc16c134b4032b4de9f3329105695e611408c440b9aa805aa38dc8aaf7

C:\Windows\System\lpNfSLt.exe

MD5 fbb6a602f644dbf57142122f30692c9a
SHA1 8158aaa7168744874ea387599d6d2cead21e28a3
SHA256 3ededef3bd2586830b0a8597cb8ce36b4909b0421f6d3ed699083dfd6f8c0a7d
SHA512 594ad340712d040831c50ecaffbc2dabd957ed3d1d45fbdcb2c0a001df0ecad88502ea7ae79d922d80e7ca9a296427129145281a618e70a75857e869e5c45bfe

C:\Windows\System\yqFsaNw.exe

MD5 f6f7c6f5f93527bc44bf21c470ea3af9
SHA1 6776524e0fdfea068b74add1c2f05669d77cbcba
SHA256 cbb3fa9a1af7b339ba298c0765ff038c3defbb75b5b46b71f75c1579609ecde4
SHA512 48979290397fd50937b979833d1630670e27071829eb35bb6821f467505e7863f65b7b5fe6d69e13a03c0cac8dca38b8542c9285b9f9a96c4235c077388ca28b

C:\Windows\System\PMrexzj.exe

MD5 90be846177ebce09b1bfa8b40630684a
SHA1 43a2c66ff47d9e295f18f8c18fe76b69e8850154
SHA256 2237948f07e37d90442b50a92836356588f3ae1e31ae0d8dac227315cf2c7f65
SHA512 f4ff566c9eaa4a50bcad3cfa87bbb92d072dc2249f94ae304b8cb104e61cee98dba9f3ef0ceebfe48bef05c9c2df36d9188d043c7aa83ca58742993e634b68a6

C:\Windows\System\lVPYlcm.exe

MD5 09c50a7e07fb879a316855bf20059dde
SHA1 bbfdb94c8374b0b45acf6edf9977440e641d4565
SHA256 51e00124aa8045a3c96cc4b40f4bc582e676f839839511ec7fe7998f4d679216
SHA512 95fb4e10a0bf655f8d9e978a054d615f75beca02a4a503770bd20a3d582743677c9c5a41cf40db2dd6d3301d5c889b74832fbdd290708b4427992cf713320a77

memory/1964-47-0x00007FF6672B0000-0x00007FF667604000-memory.dmp

C:\Windows\System\MkRJwXK.exe

MD5 4b28a8de4ae6ebe88cfeb5419bc29e27
SHA1 92c64b3d3923e7a6fc8537baaf44b185e5d8df1a
SHA256 02703b8d9827b0fdc3fb3647b09547bbfd5779d371a6b8ac60acab8abc808067
SHA512 b57812c594b441a92cd14e5a0197ad77d174486d3faabe6c99e3a491c9a60ca02f0e63e09198b98cb6ead70bc88ddb7adf77d3e74157fc00d401f64014bc4c83

memory/1892-27-0x00007FF6C6FF0000-0x00007FF6C7344000-memory.dmp

C:\Windows\System\JSAsJni.exe

MD5 0b1dc771469fa6753e7aace834956918
SHA1 ab392eb1cb5fc16a55a2c41b7c5a6d56cfdeced7
SHA256 60a5948084400707991c40b4413636168d0f0501efbc67fab461d4937de55fb6
SHA512 6ff29d03eaaae06a15e3efe1ea402940d3f7a6e2ebae2266481a1a80576dd91702b1cbddedd5f74c67cdfdf217582f180323fa66c29c2525747039f60c34ba60

C:\Windows\System\xhxRreR.exe

MD5 5358a4b13063c2520e17c51f96bfa1ac
SHA1 3047ca801e2e286bc4b4527dc3ff6b307ee48d17
SHA256 4b577413d2954ff1827ef1546213de820c85902a49dd2cfa7981ae608438098f
SHA512 b682cd0a63cdfea59f099bd3eb10ee8c5155c236ec32112f0b9473c83ab89021444804bbd74602f570e7171db86ace3ed6d1b8ddb2d954cd961eb91038a09927

C:\Windows\System\FQhzerE.exe

MD5 2845745df0db5a020d828a78d8ae1661
SHA1 83761c2c52986df0099588c7e94de11c734e87ab
SHA256 22054713cbd39eeb7b3c42ed914bc51a7c9ac7ffabefdfc6338a82875d027f7c
SHA512 6ea499553899485323bdca098445221063797efbbdd10a4e65b60273807e4e9a6da5f97c183334f1402f19ddfaef66b2150db8f17e1d851d88ab9697a9c2b8ad

C:\Windows\System\JSAsJni.exe

MD5 17ae3cbfca04f683a7aac5e17e165342
SHA1 ea0e8f815106b7a2c7373a1c3929102ae9b25cab
SHA256 9f430796dda29d4039b85e36d711e1e9d5ca6ba0e948286ae51ab57be809fac9
SHA512 207c9e5c2122aee47dc389cdff03b5272174516c4a7e1a44d55f7f1b32055f90171afa99b4d66830d17d54f6dfa245e322b01c9714aa13684169e9cbc078ed0c

memory/1508-115-0x00007FF7C43C0000-0x00007FF7C4714000-memory.dmp

C:\Windows\System\UriPApj.exe

MD5 859d94456bb3da553ce8b1a48ed5270c
SHA1 147a5c8674e46a7def81e3132c1064e5b94bb48d
SHA256 628ca57463e5aad8ef829809b5b8ac058b4ef16d57ba8fcfd96838bbb018af8b
SHA512 f1df12a7169cf442068dcabeac80288cdc24d71631e29b3d8fb5711c8593b406a752d6cdb0ced43357528d74c5eecc1d2da4a7e6dcdf69f9c1e81ea7faf6873d

memory/1964-129-0x00007FF6672B0000-0x00007FF667604000-memory.dmp

memory/3252-132-0x00007FF638810000-0x00007FF638B64000-memory.dmp

C:\Windows\System\qJYxZcg.exe

MD5 df43099f8ecf7fc7231104cc7906f346
SHA1 3e71eb14c6e419a455fbd4a3234cbfb9f69fb428
SHA256 2fee27d95d784896594fd4c402904f15f7b6e8d0448726197f29a8303072c9e7
SHA512 0780e96102ed70b27cdcc7843ce59b45e8d687f99de38cd1f2d8f08d1be12d524f20b3d4f78294edd2ce2d1dc761badaaa437128842e8b787cbe7919b203b90d

memory/3728-125-0x00007FF624DA0000-0x00007FF6250F4000-memory.dmp

memory/512-128-0x00007FF6B7C40000-0x00007FF6B7F94000-memory.dmp

C:\Windows\System\qJYxZcg.exe

MD5 805d6db0177034f4ef9f06d0e8f3970c
SHA1 67585ab26db8a0f7514bdddbe659a432c3af93ed
SHA256 89cb7ee366d7d52c8fbcb3a32cf095fd97d18d76331743469587b2f7ab169ca8
SHA512 c53966c4bd83d34a25a166391ac16ddf867ef50ef1bc67c351a4be7ba9cec60c60197219abaa391aa6a74c9615188bf95180c476bbf86e5e4e60b8523ed7049f

memory/2600-108-0x00007FF7584E0000-0x00007FF758834000-memory.dmp

memory/4768-105-0x00007FF7C4640000-0x00007FF7C4994000-memory.dmp

C:\Windows\System\uaSPkIg.exe

MD5 0e5c8654c33b72c55fe99719ce65a053
SHA1 da4872aa258a7e557c31d8f01ddf0cdcc1ac0139
SHA256 a7414af554ea2c8c04baa24904d12dafdb0377997ea42ed29a60c42c348124c5
SHA512 48e4d3702bcbea6772b136b2684d0644cea1f8dbca520797470c804f8a83b12d99d13ea6951fcacff6dfc6d485fbfa8bcf518c8ac802588b2ddeded532fdcfeb

memory/2816-101-0x00007FF6A54F0000-0x00007FF6A5844000-memory.dmp

memory/4344-134-0x00007FF6FCB50000-0x00007FF6FCEA4000-memory.dmp

memory/1080-133-0x00007FF711000000-0x00007FF711354000-memory.dmp

memory/2016-135-0x00007FF6C9260000-0x00007FF6C95B4000-memory.dmp

memory/3392-136-0x00007FF757AB0000-0x00007FF757E04000-memory.dmp

memory/3548-137-0x00007FF600FA0000-0x00007FF6012F4000-memory.dmp

memory/2816-138-0x00007FF6A54F0000-0x00007FF6A5844000-memory.dmp

memory/2600-139-0x00007FF7584E0000-0x00007FF758834000-memory.dmp

memory/1508-140-0x00007FF7C43C0000-0x00007FF7C4714000-memory.dmp

memory/3252-141-0x00007FF638810000-0x00007FF638B64000-memory.dmp

memory/4024-142-0x00007FF79F700000-0x00007FF79FA54000-memory.dmp

memory/1892-145-0x00007FF6C6FF0000-0x00007FF6C7344000-memory.dmp

memory/2380-144-0x00007FF72D4C0000-0x00007FF72D814000-memory.dmp

memory/4768-143-0x00007FF7C4640000-0x00007FF7C4994000-memory.dmp

memory/3556-146-0x00007FF665DC0000-0x00007FF666114000-memory.dmp

memory/3128-147-0x00007FF62A460000-0x00007FF62A7B4000-memory.dmp

memory/1080-149-0x00007FF711000000-0x00007FF711354000-memory.dmp

memory/1964-148-0x00007FF6672B0000-0x00007FF667604000-memory.dmp

memory/2016-151-0x00007FF6C9260000-0x00007FF6C95B4000-memory.dmp

memory/4344-152-0x00007FF6FCB50000-0x00007FF6FCEA4000-memory.dmp

memory/3392-155-0x00007FF757AB0000-0x00007FF757E04000-memory.dmp

memory/3548-156-0x00007FF600FA0000-0x00007FF6012F4000-memory.dmp

memory/2140-154-0x00007FF7BCD80000-0x00007FF7BD0D4000-memory.dmp

memory/1140-153-0x00007FF6A38A0000-0x00007FF6A3BF4000-memory.dmp

memory/3876-150-0x00007FF795F40000-0x00007FF796294000-memory.dmp

memory/2816-157-0x00007FF6A54F0000-0x00007FF6A5844000-memory.dmp

memory/2600-158-0x00007FF7584E0000-0x00007FF758834000-memory.dmp

memory/512-161-0x00007FF6B7C40000-0x00007FF6B7F94000-memory.dmp

memory/3728-160-0x00007FF624DA0000-0x00007FF6250F4000-memory.dmp

memory/1508-159-0x00007FF7C43C0000-0x00007FF7C4714000-memory.dmp

memory/3252-162-0x00007FF638810000-0x00007FF638B64000-memory.dmp