Malware Analysis Report

2024-10-16 03:10

Sample ID 240609-ddcfladc59
Target 2024-06-09_8e1414541032a6ea5738f676bf6ddea6_cobalt-strike_cobaltstrike
SHA256 b0c009145c5c84b738337e8a66cf8ad952c66e914248b12d4084c46c417bcf15
Tags
cobaltstrike xmrig 0 backdoor miner trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

b0c009145c5c84b738337e8a66cf8ad952c66e914248b12d4084c46c417bcf15

Threat Level: Known bad

The file 2024-06-09_8e1414541032a6ea5738f676bf6ddea6_cobalt-strike_cobaltstrike was found to be: Known bad.

Malicious Activity Summary

cobaltstrike xmrig 0 backdoor miner trojan upx

Detects Reflective DLL injection artifacts

Xmrig family

Cobalt Strike reflective loader

XMRig Miner payload

xmrig

UPX dump on OEP (original entry point)

Cobaltstrike family

Cobaltstrike

Executes dropped EXE

Loads dropped DLL

UPX packed file

Drops file in Windows directory

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-09 02:56

Signatures

Cobalt Strike reflective loader

Cobaltstrike family

cobaltstrike

Detects Reflective DLL injection artifacts

UPX dump on OEP (original entry point)

XMRig Miner payload

miner

Xmrig family

xmrig

UPX packed file

upx

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-09 02:53

Reported

2024-06-09 02:59

Platform

win7-20240221-en

Max time kernel

143s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-09_8e1414541032a6ea5738f676bf6ddea6_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

UPX dump on OEP (original entry point)

XMRig Miner payload

miner

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_8e1414541032a6ea5738f676bf6ddea6_cobalt-strike_cobaltstrike.exe N/A

UPX packed file

upx

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\RpwIcPT.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_8e1414541032a6ea5738f676bf6ddea6_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\vUCbbsh.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_8e1414541032a6ea5738f676bf6ddea6_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\gSflHYg.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_8e1414541032a6ea5738f676bf6ddea6_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\bGuAJWW.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_8e1414541032a6ea5738f676bf6ddea6_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\CrTKOmt.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_8e1414541032a6ea5738f676bf6ddea6_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\EpdTDyo.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_8e1414541032a6ea5738f676bf6ddea6_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\rHeWrji.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_8e1414541032a6ea5738f676bf6ddea6_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\TYQAnDb.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_8e1414541032a6ea5738f676bf6ddea6_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\IwNGDxb.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_8e1414541032a6ea5738f676bf6ddea6_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\VaBiJiS.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_8e1414541032a6ea5738f676bf6ddea6_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ZFlVXfA.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_8e1414541032a6ea5738f676bf6ddea6_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\RVXQEol.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_8e1414541032a6ea5738f676bf6ddea6_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\bRiWySn.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_8e1414541032a6ea5738f676bf6ddea6_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\slEDbeo.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_8e1414541032a6ea5738f676bf6ddea6_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\WiBbcTU.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_8e1414541032a6ea5738f676bf6ddea6_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\SzQlZlv.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_8e1414541032a6ea5738f676bf6ddea6_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\fAZiJBd.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_8e1414541032a6ea5738f676bf6ddea6_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\POixSfg.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_8e1414541032a6ea5738f676bf6ddea6_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\embgdRH.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_8e1414541032a6ea5738f676bf6ddea6_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\kMINxzr.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_8e1414541032a6ea5738f676bf6ddea6_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\RkfqrrM.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_8e1414541032a6ea5738f676bf6ddea6_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_8e1414541032a6ea5738f676bf6ddea6_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2208 wrote to memory of 1384 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_8e1414541032a6ea5738f676bf6ddea6_cobalt-strike_cobaltstrike.exe C:\Windows\System\vUCbbsh.exe
PID 2208 wrote to memory of 2056 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_8e1414541032a6ea5738f676bf6ddea6_cobalt-strike_cobaltstrike.exe C:\Windows\System\IwNGDxb.exe
PID 2208 wrote to memory of 2968 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_8e1414541032a6ea5738f676bf6ddea6_cobalt-strike_cobaltstrike.exe C:\Windows\System\embgdRH.exe
PID 2208 wrote to memory of 2632 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_8e1414541032a6ea5738f676bf6ddea6_cobalt-strike_cobaltstrike.exe C:\Windows\System\kMINxzr.exe
PID 2208 wrote to memory of 2552 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_8e1414541032a6ea5738f676bf6ddea6_cobalt-strike_cobaltstrike.exe C:\Windows\System\gSflHYg.exe
PID 2208 wrote to memory of 2408 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_8e1414541032a6ea5738f676bf6ddea6_cobalt-strike_cobaltstrike.exe C:\Windows\System\bGuAJWW.exe
PID 2208 wrote to memory of 2716 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_8e1414541032a6ea5738f676bf6ddea6_cobalt-strike_cobaltstrike.exe C:\Windows\System\slEDbeo.exe
PID 2208 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_8e1414541032a6ea5738f676bf6ddea6_cobalt-strike_cobaltstrike.exe C:\Windows\System\VaBiJiS.exe
PID 2208 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_8e1414541032a6ea5738f676bf6ddea6_cobalt-strike_cobaltstrike.exe C:\Windows\System\ZFlVXfA.exe
PID 2208 wrote to memory of 2588 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_8e1414541032a6ea5738f676bf6ddea6_cobalt-strike_cobaltstrike.exe C:\Windows\System\CrTKOmt.exe
PID 2208 wrote to memory of 2396 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_8e1414541032a6ea5738f676bf6ddea6_cobalt-strike_cobaltstrike.exe C:\Windows\System\RkfqrrM.exe
PID 2208 wrote to memory of 2452 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_8e1414541032a6ea5738f676bf6ddea6_cobalt-strike_cobaltstrike.exe C:\Windows\System\WiBbcTU.exe
PID 2208 wrote to memory of 2380 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_8e1414541032a6ea5738f676bf6ddea6_cobalt-strike_cobaltstrike.exe C:\Windows\System\RpwIcPT.exe
PID 2208 wrote to memory of 580 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_8e1414541032a6ea5738f676bf6ddea6_cobalt-strike_cobaltstrike.exe C:\Windows\System\EpdTDyo.exe
PID 2208 wrote to memory of 760 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_8e1414541032a6ea5738f676bf6ddea6_cobalt-strike_cobaltstrike.exe C:\Windows\System\SzQlZlv.exe
PID 2208 wrote to memory of 1496 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_8e1414541032a6ea5738f676bf6ddea6_cobalt-strike_cobaltstrike.exe C:\Windows\System\fAZiJBd.exe
PID 2208 wrote to memory of 944 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_8e1414541032a6ea5738f676bf6ddea6_cobalt-strike_cobaltstrike.exe C:\Windows\System\RVXQEol.exe
PID 2208 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_8e1414541032a6ea5738f676bf6ddea6_cobalt-strike_cobaltstrike.exe C:\Windows\System\POixSfg.exe
PID 2208 wrote to memory of 2488 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_8e1414541032a6ea5738f676bf6ddea6_cobalt-strike_cobaltstrike.exe C:\Windows\System\rHeWrji.exe
PID 2208 wrote to memory of 2764 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_8e1414541032a6ea5738f676bf6ddea6_cobalt-strike_cobaltstrike.exe C:\Windows\System\bRiWySn.exe
PID 2208 wrote to memory of 2308 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_8e1414541032a6ea5738f676bf6ddea6_cobalt-strike_cobaltstrike.exe C:\Windows\System\TYQAnDb.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-09_8e1414541032a6ea5738f676bf6ddea6_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-09_8e1414541032a6ea5738f676bf6ddea6_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\vUCbbsh.exe

C:\Windows\System\IwNGDxb.exe

C:\Windows\System\embgdRH.exe

C:\Windows\System\kMINxzr.exe

C:\Windows\System\gSflHYg.exe

C:\Windows\System\bGuAJWW.exe

C:\Windows\System\slEDbeo.exe

C:\Windows\System\VaBiJiS.exe

C:\Windows\System\ZFlVXfA.exe

C:\Windows\System\CrTKOmt.exe

C:\Windows\System\RkfqrrM.exe

C:\Windows\System\WiBbcTU.exe

C:\Windows\System\RpwIcPT.exe

C:\Windows\System\EpdTDyo.exe

C:\Windows\System\SzQlZlv.exe

C:\Windows\System\fAZiJBd.exe

C:\Windows\System\RVXQEol.exe

C:\Windows\System\POixSfg.exe

C:\Windows\System\rHeWrji.exe

C:\Windows\System\bRiWySn.exe

C:\Windows\System\TYQAnDb.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 N/A tcp

Files


\Windows\system\SzQlZlv.exe

MD5 2130f4461ba7262c4b9569c7ad362fbe
SHA1 477f7cc69e47cdff19a52b2da61a04f2127580e1
SHA256 f68cab9e215b5970b95a91cba35e4b211ac827a19d524f2bf913504bdbf08025
SHA512 bd19fb9a7b432908f39c8e2a25f78223abf0f155bd219827a4b513d256827c60c965e975a97433d8f252d3353383a04a3ae742b841c52e2f210a05922493b703

memory/2208-136-0x000000013FEF0000-0x0000000140244000-memory.dmp

memory/2208-80-0x0000000002420000-0x0000000002774000-memory.dmp

\Windows\system\RpwIcPT.exe

MD5 4f0266104585ce6749cad5aa5fee6f0e
SHA1 27e2a35aa76980090913549703bca12ebb05b771
SHA256 f9737587aecd79b9ef02cd33927a01fed69a5ab13694a78d779869421a762a0b
SHA512 af4b7ab474a13c3b1c85eedca67379ad378f79076636c3eefdcc4d20f0244a1a4991d526b7ef7fa013060f6ed54148eda37ab4c14b178e88109177ee59dab2bc

memory/2208-69-0x000000013FE90000-0x00000001401E4000-memory.dmp

memory/2208-32-0x000000013FEF0000-0x0000000140244000-memory.dmp

memory/2208-68-0x0000000002420000-0x0000000002774000-memory.dmp

memory/2208-67-0x000000013F290000-0x000000013F5E4000-memory.dmp

memory/2968-65-0x000000013F720000-0x000000013FA74000-memory.dmp

memory/2056-64-0x000000013FB00000-0x000000013FE54000-memory.dmp

\Windows\system\bGuAJWW.exe

MD5 90b4e931954ca71f987eacf3848373c9
SHA1 fe034abdd2cd27801fcb7113d51f343ee1020fc2
SHA256 f8beb22d0bf97b2df5b204067ae87e51c57faf6cbe7d88cb7cd40f2dd2120548
SHA512 81ad09d9b1fc7fa3faa673f9a72d1c1544d1dc550bd7dc4ec9340c73d970dd54cb282aac847715f6e0c9fc0a11fe4a54ab4338d1c418f5a0ccdb167fb5d5901a

memory/2208-61-0x0000000002420000-0x0000000002774000-memory.dmp

\Windows\system\RkfqrrM.exe

MD5 8d6df18be05179c3d52c61de14eda2c2
SHA1 67b46401dc1fdeac9e888c4b642daf9378dc693e
SHA256 c1bb4e296fce211ed4b948580110c3bb415d6e6de4db1cc0ebb6f7fe7d620202
SHA512 5e65b99bf2b576f5c31ecfb35d4d5a73db8603dec80ffedbee9f37847e4b15c81cd68d08a38598bee11d5e208f016c6d6dd7bcb426dfcb9f38d7d6f70a3419c5

\Windows\system\ZFlVXfA.exe

MD5 f548888928ec554b9464cd05c1dd61bb
SHA1 d36512b1a33d53d9cb0b11177acf9feefd9df0c8
SHA256 521efe32e9cdcff951a1730c95c1c5f43505c56b8026c2f9f719ec6930575d7c
SHA512 74025033b989a11ebc83b27de3f289904dfec2e23bdbebe9e409abc20e53a8aaf8ff416a571de08a08e50c8404dc2e28f9059cb3e8789d66092b26929213d6e8

memory/2632-39-0x000000013FEF0000-0x0000000140244000-memory.dmp

C:\Windows\system\slEDbeo.exe

MD5 4a8f0e7005dd0305198e86b5e4b40c50
SHA1 603dde14ff3905a3d9dfc1437a30a20f7bd074ad
SHA256 54f846ed1b6196f831e9acb53c0c24f20bb45f01c10f1bc98c25e8e134f73cc0
SHA512 aa20faebce917e97b3bee0e68c13db572fa8b2731d743f6df3fee5b598e0627d12bd311742a70abe06cfc76e85ca4bc9014010ca8e0b5fbc5a3eafde5df73dfe

memory/2208-29-0x000000013F720000-0x000000013FA74000-memory.dmp

C:\Windows\system\gSflHYg.exe

MD5 f8ab73b228609536c4f34d1aeeedf5f4
SHA1 95e645a67118504c7c6b7b4832894f6a2080d6b1
SHA256 ff53550d0c8e83729b58f0db178423baa2ba4e76eb6f1febccd502967d6d2bff
SHA512 ee72ef70fa51d22af74ae21414171af68613ad0eaacde33dde9a7b36a303e142ee634b586858ca9eb09e004342f40ffa5ab8168d5f2ff8630274b9daf9d29df4

memory/2748-137-0x000000013FC20000-0x000000013FF74000-memory.dmp

memory/2208-138-0x0000000002420000-0x0000000002774000-memory.dmp

memory/2380-139-0x000000013F250000-0x000000013F5A4000-memory.dmp

memory/1384-140-0x000000013FCC0000-0x0000000140014000-memory.dmp

memory/2968-142-0x000000013F720000-0x000000013FA74000-memory.dmp

memory/2056-141-0x000000013FB00000-0x000000013FE54000-memory.dmp

memory/2552-143-0x000000013F720000-0x000000013FA74000-memory.dmp

memory/2632-144-0x000000013FEF0000-0x0000000140244000-memory.dmp

memory/2716-145-0x000000013FB10000-0x000000013FE64000-memory.dmp

memory/2748-146-0x000000013FC20000-0x000000013FF74000-memory.dmp

memory/2396-147-0x000000013FE30000-0x0000000140184000-memory.dmp

memory/2408-148-0x000000013F290000-0x000000013F5E4000-memory.dmp

memory/760-149-0x000000013F8D0000-0x000000013FC24000-memory.dmp

memory/2380-150-0x000000013F250000-0x000000013F5A4000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-09 02:53

Reported

2024-06-09 02:59

Platform

win10v2004-20240226-en

Max time kernel

144s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-09_8e1414541032a6ea5738f676bf6ddea6_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\JIodPBZ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_8e1414541032a6ea5738f676bf6ddea6_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\QEmgYGH.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_8e1414541032a6ea5738f676bf6ddea6_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\xvuzfMb.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_8e1414541032a6ea5738f676bf6ddea6_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\JHkFiVz.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_8e1414541032a6ea5738f676bf6ddea6_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\qLgmvZR.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_8e1414541032a6ea5738f676bf6ddea6_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\OxfiDuR.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_8e1414541032a6ea5738f676bf6ddea6_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\pWAOHPF.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_8e1414541032a6ea5738f676bf6ddea6_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\EzzPLCy.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_8e1414541032a6ea5738f676bf6ddea6_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\dacAsXE.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_8e1414541032a6ea5738f676bf6ddea6_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\KIrfRZC.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_8e1414541032a6ea5738f676bf6ddea6_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\VitAoju.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_8e1414541032a6ea5738f676bf6ddea6_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\zeqqDfv.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_8e1414541032a6ea5738f676bf6ddea6_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\BhzuMmS.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_8e1414541032a6ea5738f676bf6ddea6_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\VcZbqfV.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_8e1414541032a6ea5738f676bf6ddea6_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ghDcllv.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_8e1414541032a6ea5738f676bf6ddea6_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\isCbYvz.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_8e1414541032a6ea5738f676bf6ddea6_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\WGkgQar.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_8e1414541032a6ea5738f676bf6ddea6_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\NOfvYUQ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_8e1414541032a6ea5738f676bf6ddea6_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\yuyerLo.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_8e1414541032a6ea5738f676bf6ddea6_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\oVmqDmV.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_8e1414541032a6ea5738f676bf6ddea6_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\kTQjmKW.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_8e1414541032a6ea5738f676bf6ddea6_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_8e1414541032a6ea5738f676bf6ddea6_cobalt-strike_cobaltstrike.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_8e1414541032a6ea5738f676bf6ddea6_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 628 wrote to memory of 1448 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_8e1414541032a6ea5738f676bf6ddea6_cobalt-strike_cobaltstrike.exe C:\Windows\System\BhzuMmS.exe
PID 628 wrote to memory of 1448 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_8e1414541032a6ea5738f676bf6ddea6_cobalt-strike_cobaltstrike.exe C:\Windows\System\BhzuMmS.exe
PID 628 wrote to memory of 444 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_8e1414541032a6ea5738f676bf6ddea6_cobalt-strike_cobaltstrike.exe C:\Windows\System\pWAOHPF.exe
PID 628 wrote to memory of 444 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_8e1414541032a6ea5738f676bf6ddea6_cobalt-strike_cobaltstrike.exe C:\Windows\System\pWAOHPF.exe
PID 628 wrote to memory of 4696 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_8e1414541032a6ea5738f676bf6ddea6_cobalt-strike_cobaltstrike.exe C:\Windows\System\oVmqDmV.exe
PID 628 wrote to memory of 4696 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_8e1414541032a6ea5738f676bf6ddea6_cobalt-strike_cobaltstrike.exe C:\Windows\System\oVmqDmV.exe
PID 628 wrote to memory of 2032 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_8e1414541032a6ea5738f676bf6ddea6_cobalt-strike_cobaltstrike.exe C:\Windows\System\kTQjmKW.exe
PID 628 wrote to memory of 2032 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_8e1414541032a6ea5738f676bf6ddea6_cobalt-strike_cobaltstrike.exe C:\Windows\System\kTQjmKW.exe
PID 628 wrote to memory of 572 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_8e1414541032a6ea5738f676bf6ddea6_cobalt-strike_cobaltstrike.exe C:\Windows\System\VcZbqfV.exe
PID 628 wrote to memory of 572 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_8e1414541032a6ea5738f676bf6ddea6_cobalt-strike_cobaltstrike.exe C:\Windows\System\VcZbqfV.exe
PID 628 wrote to memory of 3632 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_8e1414541032a6ea5738f676bf6ddea6_cobalt-strike_cobaltstrike.exe C:\Windows\System\ghDcllv.exe
PID 628 wrote to memory of 3632 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_8e1414541032a6ea5738f676bf6ddea6_cobalt-strike_cobaltstrike.exe C:\Windows\System\ghDcllv.exe
PID 628 wrote to memory of 1972 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_8e1414541032a6ea5738f676bf6ddea6_cobalt-strike_cobaltstrike.exe C:\Windows\System\EzzPLCy.exe
PID 628 wrote to memory of 1972 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_8e1414541032a6ea5738f676bf6ddea6_cobalt-strike_cobaltstrike.exe C:\Windows\System\EzzPLCy.exe
PID 628 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_8e1414541032a6ea5738f676bf6ddea6_cobalt-strike_cobaltstrike.exe C:\Windows\System\OxfiDuR.exe
PID 628 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_8e1414541032a6ea5738f676bf6ddea6_cobalt-strike_cobaltstrike.exe C:\Windows\System\OxfiDuR.exe
PID 628 wrote to memory of 2996 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_8e1414541032a6ea5738f676bf6ddea6_cobalt-strike_cobaltstrike.exe C:\Windows\System\dacAsXE.exe
PID 628 wrote to memory of 2996 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_8e1414541032a6ea5738f676bf6ddea6_cobalt-strike_cobaltstrike.exe C:\Windows\System\dacAsXE.exe
PID 628 wrote to memory of 960 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_8e1414541032a6ea5738f676bf6ddea6_cobalt-strike_cobaltstrike.exe C:\Windows\System\isCbYvz.exe
PID 628 wrote to memory of 960 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_8e1414541032a6ea5738f676bf6ddea6_cobalt-strike_cobaltstrike.exe C:\Windows\System\isCbYvz.exe
PID 628 wrote to memory of 1636 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_8e1414541032a6ea5738f676bf6ddea6_cobalt-strike_cobaltstrike.exe C:\Windows\System\KIrfRZC.exe
PID 628 wrote to memory of 1636 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_8e1414541032a6ea5738f676bf6ddea6_cobalt-strike_cobaltstrike.exe C:\Windows\System\KIrfRZC.exe
PID 628 wrote to memory of 2424 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_8e1414541032a6ea5738f676bf6ddea6_cobalt-strike_cobaltstrike.exe C:\Windows\System\VitAoju.exe
PID 628 wrote to memory of 2424 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_8e1414541032a6ea5738f676bf6ddea6_cobalt-strike_cobaltstrike.exe C:\Windows\System\VitAoju.exe
PID 628 wrote to memory of 4304 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_8e1414541032a6ea5738f676bf6ddea6_cobalt-strike_cobaltstrike.exe C:\Windows\System\WGkgQar.exe
PID 628 wrote to memory of 4304 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_8e1414541032a6ea5738f676bf6ddea6_cobalt-strike_cobaltstrike.exe C:\Windows\System\WGkgQar.exe
PID 628 wrote to memory of 4068 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_8e1414541032a6ea5738f676bf6ddea6_cobalt-strike_cobaltstrike.exe C:\Windows\System\JIodPBZ.exe
PID 628 wrote to memory of 4068 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_8e1414541032a6ea5738f676bf6ddea6_cobalt-strike_cobaltstrike.exe C:\Windows\System\JIodPBZ.exe
PID 628 wrote to memory of 4040 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_8e1414541032a6ea5738f676bf6ddea6_cobalt-strike_cobaltstrike.exe C:\Windows\System\QEmgYGH.exe
PID 628 wrote to memory of 4040 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_8e1414541032a6ea5738f676bf6ddea6_cobalt-strike_cobaltstrike.exe C:\Windows\System\QEmgYGH.exe
PID 628 wrote to memory of 3804 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_8e1414541032a6ea5738f676bf6ddea6_cobalt-strike_cobaltstrike.exe C:\Windows\System\xvuzfMb.exe
PID 628 wrote to memory of 3804 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_8e1414541032a6ea5738f676bf6ddea6_cobalt-strike_cobaltstrike.exe C:\Windows\System\xvuzfMb.exe
PID 628 wrote to memory of 3784 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_8e1414541032a6ea5738f676bf6ddea6_cobalt-strike_cobaltstrike.exe C:\Windows\System\zeqqDfv.exe
PID 628 wrote to memory of 3784 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_8e1414541032a6ea5738f676bf6ddea6_cobalt-strike_cobaltstrike.exe C:\Windows\System\zeqqDfv.exe
PID 628 wrote to memory of 4724 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_8e1414541032a6ea5738f676bf6ddea6_cobalt-strike_cobaltstrike.exe C:\Windows\System\JHkFiVz.exe
PID 628 wrote to memory of 4724 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_8e1414541032a6ea5738f676bf6ddea6_cobalt-strike_cobaltstrike.exe C:\Windows\System\JHkFiVz.exe
PID 628 wrote to memory of 2332 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_8e1414541032a6ea5738f676bf6ddea6_cobalt-strike_cobaltstrike.exe C:\Windows\System\NOfvYUQ.exe
PID 628 wrote to memory of 2332 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_8e1414541032a6ea5738f676bf6ddea6_cobalt-strike_cobaltstrike.exe C:\Windows\System\NOfvYUQ.exe
PID 628 wrote to memory of 2468 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_8e1414541032a6ea5738f676bf6ddea6_cobalt-strike_cobaltstrike.exe C:\Windows\System\yuyerLo.exe
PID 628 wrote to memory of 2468 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_8e1414541032a6ea5738f676bf6ddea6_cobalt-strike_cobaltstrike.exe C:\Windows\System\yuyerLo.exe
PID 628 wrote to memory of 2408 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_8e1414541032a6ea5738f676bf6ddea6_cobalt-strike_cobaltstrike.exe C:\Windows\System\qLgmvZR.exe
PID 628 wrote to memory of 2408 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_8e1414541032a6ea5738f676bf6ddea6_cobalt-strike_cobaltstrike.exe C:\Windows\System\qLgmvZR.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-09_8e1414541032a6ea5738f676bf6ddea6_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-09_8e1414541032a6ea5738f676bf6ddea6_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\BhzuMmS.exe

C:\Windows\System\BhzuMmS.exe

C:\Windows\System\pWAOHPF.exe

C:\Windows\System\pWAOHPF.exe

C:\Windows\System\oVmqDmV.exe

C:\Windows\System\oVmqDmV.exe

C:\Windows\System\kTQjmKW.exe

C:\Windows\System\kTQjmKW.exe

C:\Windows\System\VcZbqfV.exe

C:\Windows\System\VcZbqfV.exe

C:\Windows\System\ghDcllv.exe

C:\Windows\System\ghDcllv.exe

C:\Windows\System\EzzPLCy.exe

C:\Windows\System\EzzPLCy.exe

C:\Windows\System\OxfiDuR.exe

C:\Windows\System\OxfiDuR.exe

C:\Windows\System\dacAsXE.exe

C:\Windows\System\dacAsXE.exe

C:\Windows\System\isCbYvz.exe

C:\Windows\System\isCbYvz.exe

C:\Windows\System\KIrfRZC.exe

C:\Windows\System\KIrfRZC.exe

C:\Windows\System\VitAoju.exe

C:\Windows\System\VitAoju.exe

C:\Windows\System\WGkgQar.exe

C:\Windows\System\WGkgQar.exe

C:\Windows\System\JIodPBZ.exe

C:\Windows\System\JIodPBZ.exe

C:\Windows\System\QEmgYGH.exe

C:\Windows\System\QEmgYGH.exe

C:\Windows\System\xvuzfMb.exe

C:\Windows\System\xvuzfMb.exe

C:\Windows\System\zeqqDfv.exe

C:\Windows\System\zeqqDfv.exe

C:\Windows\System\JHkFiVz.exe

C:\Windows\System\JHkFiVz.exe

C:\Windows\System\NOfvYUQ.exe

C:\Windows\System\NOfvYUQ.exe

C:\Windows\System\yuyerLo.exe

C:\Windows\System\yuyerLo.exe

C:\Windows\System\qLgmvZR.exe

C:\Windows\System\qLgmvZR.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4036 --field-trial-handle=2248,i,10247514684337323751,15511974759131734137,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 20.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 20.231.121.79:80 tcp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 13.107.246.64:443 tcp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 8.179.89.13.in-addr.arpa udp
DE 3.120.209.58:8080 tcp

Files


memory/1448-135-0x00007FF75CCA0000-0x00007FF75CFF4000-memory.dmp

memory/444-136-0x00007FF6E1540000-0x00007FF6E1894000-memory.dmp

memory/4696-137-0x00007FF68F640000-0x00007FF68F994000-memory.dmp

memory/2032-138-0x00007FF778770000-0x00007FF778AC4000-memory.dmp

memory/572-139-0x00007FF6319B0000-0x00007FF631D04000-memory.dmp

memory/3632-140-0x00007FF7442D0000-0x00007FF744624000-memory.dmp

memory/1972-141-0x00007FF695A50000-0x00007FF695DA4000-memory.dmp

memory/2492-142-0x00007FF6B6A40000-0x00007FF6B6D94000-memory.dmp

memory/2996-143-0x00007FF606060000-0x00007FF6063B4000-memory.dmp

memory/960-144-0x00007FF60F1C0000-0x00007FF60F514000-memory.dmp

memory/1636-145-0x00007FF7D2310000-0x00007FF7D2664000-memory.dmp

memory/2424-146-0x00007FF7BEE90000-0x00007FF7BF1E4000-memory.dmp

memory/4304-147-0x00007FF6E75F0000-0x00007FF6E7944000-memory.dmp

memory/4068-148-0x00007FF75C5C0000-0x00007FF75C914000-memory.dmp

memory/4040-149-0x00007FF74B040000-0x00007FF74B394000-memory.dmp

memory/3804-150-0x00007FF710710000-0x00007FF710A64000-memory.dmp

memory/3784-151-0x00007FF721E20000-0x00007FF722174000-memory.dmp

memory/4724-152-0x00007FF7B8100000-0x00007FF7B8454000-memory.dmp

memory/2332-153-0x00007FF71E620000-0x00007FF71E974000-memory.dmp

memory/2408-155-0x00007FF764750000-0x00007FF764AA4000-memory.dmp

memory/2468-154-0x00007FF681920000-0x00007FF681C74000-memory.dmp