Malware Analysis Report

2024-10-16 03:08

Sample ID 240609-dgc7asdd26
Target 2024-06-09_b84f489d78138b4fb82c06e7567d7759_cobalt-strike_cobaltstrike
SHA256 3a8ba6ddbc11450d959a3f27a5813f7dd1529baea18a76f11188d85f41553e25
Tags
miner upx 0 xmrig cobaltstrike backdoor trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

3a8ba6ddbc11450d959a3f27a5813f7dd1529baea18a76f11188d85f41553e25

Threat Level: Known bad

The file 2024-06-09_b84f489d78138b4fb82c06e7567d7759_cobalt-strike_cobaltstrike was found to be: Known bad.

Malicious Activity Summary

miner upx 0 xmrig cobaltstrike backdoor trojan

Cobaltstrike

Cobalt Strike reflective loader

Xmrig family

xmrig

XMRig Miner payload

UPX dump on OEP (original entry point)

Cobaltstrike family

Detects Reflective DLL injection artifacts

Loads dropped DLL

Executes dropped EXE

UPX packed file

Drops file in Windows directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-09 02:58

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike family

cobaltstrike

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Xmrig family

xmrig

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-09 02:58

Reported

2024-06-09 03:01

Platform

win7-20240508-en

Max time kernel

134s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-09_b84f489d78138b4fb82c06e7567d7759_cobalt-strike_cobaltstrike.exe"

Signatures

xmrig

miner xmrig

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A (15 identical rows; no description, indicator, process or target recorded)

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A (37 identical rows; no description, indicator, process or target recorded)

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_b84f489d78138b4fb82c06e7567d7759_cobalt-strike_cobaltstrike.exe N/A (21 identical rows; only the loading process recorded)

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A (38 identical rows; no description, indicator, process or target recorded)

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\KMcaJFM.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_b84f489d78138b4fb82c06e7567d7759_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\rbPQtOl.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_b84f489d78138b4fb82c06e7567d7759_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\Cpkiggi.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_b84f489d78138b4fb82c06e7567d7759_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\lTXvxSr.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_b84f489d78138b4fb82c06e7567d7759_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\UELpAPs.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_b84f489d78138b4fb82c06e7567d7759_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\QfzWkyQ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_b84f489d78138b4fb82c06e7567d7759_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\krYcvAR.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_b84f489d78138b4fb82c06e7567d7759_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\evObAsa.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_b84f489d78138b4fb82c06e7567d7759_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\THxTOpC.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_b84f489d78138b4fb82c06e7567d7759_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\hDHvdiL.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_b84f489d78138b4fb82c06e7567d7759_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\xruDmfP.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_b84f489d78138b4fb82c06e7567d7759_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\gjQmkmK.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_b84f489d78138b4fb82c06e7567d7759_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\SDBIdkk.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_b84f489d78138b4fb82c06e7567d7759_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\cxxGbPe.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_b84f489d78138b4fb82c06e7567d7759_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\BjJqzVl.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_b84f489d78138b4fb82c06e7567d7759_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\RPdlwsG.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_b84f489d78138b4fb82c06e7567d7759_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\duwrwxj.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_b84f489d78138b4fb82c06e7567d7759_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\lsXjILy.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_b84f489d78138b4fb82c06e7567d7759_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\tMcUdVL.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_b84f489d78138b4fb82c06e7567d7759_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ceAwzsZ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_b84f489d78138b4fb82c06e7567d7759_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\DZwfCfW.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_b84f489d78138b4fb82c06e7567d7759_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_b84f489d78138b4fb82c06e7567d7759_cobalt-strike_cobaltstrike.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_b84f489d78138b4fb82c06e7567d7759_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1944 wrote to memory of 2084 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_b84f489d78138b4fb82c06e7567d7759_cobalt-strike_cobaltstrike.exe C:\Windows\System\THxTOpC.exe
PID 1944 wrote to memory of 2084 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_b84f489d78138b4fb82c06e7567d7759_cobalt-strike_cobaltstrike.exe C:\Windows\System\THxTOpC.exe
PID 1944 wrote to memory of 2084 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_b84f489d78138b4fb82c06e7567d7759_cobalt-strike_cobaltstrike.exe C:\Windows\System\THxTOpC.exe
PID 1944 wrote to memory of 2236 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_b84f489d78138b4fb82c06e7567d7759_cobalt-strike_cobaltstrike.exe C:\Windows\System\KMcaJFM.exe
PID 1944 wrote to memory of 2236 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_b84f489d78138b4fb82c06e7567d7759_cobalt-strike_cobaltstrike.exe C:\Windows\System\KMcaJFM.exe
PID 1944 wrote to memory of 2236 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_b84f489d78138b4fb82c06e7567d7759_cobalt-strike_cobaltstrike.exe C:\Windows\System\KMcaJFM.exe
PID 1944 wrote to memory of 2796 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_b84f489d78138b4fb82c06e7567d7759_cobalt-strike_cobaltstrike.exe C:\Windows\System\RPdlwsG.exe
PID 1944 wrote to memory of 2796 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_b84f489d78138b4fb82c06e7567d7759_cobalt-strike_cobaltstrike.exe C:\Windows\System\RPdlwsG.exe
PID 1944 wrote to memory of 2796 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_b84f489d78138b4fb82c06e7567d7759_cobalt-strike_cobaltstrike.exe C:\Windows\System\RPdlwsG.exe
PID 1944 wrote to memory of 2728 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_b84f489d78138b4fb82c06e7567d7759_cobalt-strike_cobaltstrike.exe C:\Windows\System\hDHvdiL.exe
PID 1944 wrote to memory of 2728 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_b84f489d78138b4fb82c06e7567d7759_cobalt-strike_cobaltstrike.exe C:\Windows\System\hDHvdiL.exe
PID 1944 wrote to memory of 2728 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_b84f489d78138b4fb82c06e7567d7759_cobalt-strike_cobaltstrike.exe C:\Windows\System\hDHvdiL.exe
PID 1944 wrote to memory of 1260 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_b84f489d78138b4fb82c06e7567d7759_cobalt-strike_cobaltstrike.exe C:\Windows\System\rbPQtOl.exe
PID 1944 wrote to memory of 1260 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_b84f489d78138b4fb82c06e7567d7759_cobalt-strike_cobaltstrike.exe C:\Windows\System\rbPQtOl.exe
PID 1944 wrote to memory of 1260 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_b84f489d78138b4fb82c06e7567d7759_cobalt-strike_cobaltstrike.exe C:\Windows\System\rbPQtOl.exe
PID 1944 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_b84f489d78138b4fb82c06e7567d7759_cobalt-strike_cobaltstrike.exe C:\Windows\System\duwrwxj.exe
PID 1944 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_b84f489d78138b4fb82c06e7567d7759_cobalt-strike_cobaltstrike.exe C:\Windows\System\duwrwxj.exe
PID 1944 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_b84f489d78138b4fb82c06e7567d7759_cobalt-strike_cobaltstrike.exe C:\Windows\System\duwrwxj.exe
PID 1944 wrote to memory of 3008 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_b84f489d78138b4fb82c06e7567d7759_cobalt-strike_cobaltstrike.exe C:\Windows\System\krYcvAR.exe
PID 1944 wrote to memory of 3008 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_b84f489d78138b4fb82c06e7567d7759_cobalt-strike_cobaltstrike.exe C:\Windows\System\krYcvAR.exe
PID 1944 wrote to memory of 3008 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_b84f489d78138b4fb82c06e7567d7759_cobalt-strike_cobaltstrike.exe C:\Windows\System\krYcvAR.exe
PID 1944 wrote to memory of 3052 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_b84f489d78138b4fb82c06e7567d7759_cobalt-strike_cobaltstrike.exe C:\Windows\System\xruDmfP.exe
PID 1944 wrote to memory of 3052 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_b84f489d78138b4fb82c06e7567d7759_cobalt-strike_cobaltstrike.exe C:\Windows\System\xruDmfP.exe
PID 1944 wrote to memory of 3052 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_b84f489d78138b4fb82c06e7567d7759_cobalt-strike_cobaltstrike.exe C:\Windows\System\xruDmfP.exe
PID 1944 wrote to memory of 2496 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_b84f489d78138b4fb82c06e7567d7759_cobalt-strike_cobaltstrike.exe C:\Windows\System\gjQmkmK.exe
PID 1944 wrote to memory of 2496 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_b84f489d78138b4fb82c06e7567d7759_cobalt-strike_cobaltstrike.exe C:\Windows\System\gjQmkmK.exe
PID 1944 wrote to memory of 2496 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_b84f489d78138b4fb82c06e7567d7759_cobalt-strike_cobaltstrike.exe C:\Windows\System\gjQmkmK.exe
PID 1944 wrote to memory of 2988 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_b84f489d78138b4fb82c06e7567d7759_cobalt-strike_cobaltstrike.exe C:\Windows\System\lsXjILy.exe
PID 1944 wrote to memory of 2988 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_b84f489d78138b4fb82c06e7567d7759_cobalt-strike_cobaltstrike.exe C:\Windows\System\lsXjILy.exe
PID 1944 wrote to memory of 2988 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_b84f489d78138b4fb82c06e7567d7759_cobalt-strike_cobaltstrike.exe C:\Windows\System\lsXjILy.exe
PID 1944 wrote to memory of 1928 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_b84f489d78138b4fb82c06e7567d7759_cobalt-strike_cobaltstrike.exe C:\Windows\System\Cpkiggi.exe
PID 1944 wrote to memory of 1928 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_b84f489d78138b4fb82c06e7567d7759_cobalt-strike_cobaltstrike.exe C:\Windows\System\Cpkiggi.exe
PID 1944 wrote to memory of 1928 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_b84f489d78138b4fb82c06e7567d7759_cobalt-strike_cobaltstrike.exe C:\Windows\System\Cpkiggi.exe
PID 1944 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_b84f489d78138b4fb82c06e7567d7759_cobalt-strike_cobaltstrike.exe C:\Windows\System\lTXvxSr.exe
PID 1944 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_b84f489d78138b4fb82c06e7567d7759_cobalt-strike_cobaltstrike.exe C:\Windows\System\lTXvxSr.exe
PID 1944 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_b84f489d78138b4fb82c06e7567d7759_cobalt-strike_cobaltstrike.exe C:\Windows\System\lTXvxSr.exe
PID 1944 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_b84f489d78138b4fb82c06e7567d7759_cobalt-strike_cobaltstrike.exe C:\Windows\System\tMcUdVL.exe
PID 1944 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_b84f489d78138b4fb82c06e7567d7759_cobalt-strike_cobaltstrike.exe C:\Windows\System\tMcUdVL.exe
PID 1944 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_b84f489d78138b4fb82c06e7567d7759_cobalt-strike_cobaltstrike.exe C:\Windows\System\tMcUdVL.exe
PID 1944 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_b84f489d78138b4fb82c06e7567d7759_cobalt-strike_cobaltstrike.exe C:\Windows\System\UELpAPs.exe
PID 1944 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_b84f489d78138b4fb82c06e7567d7759_cobalt-strike_cobaltstrike.exe C:\Windows\System\UELpAPs.exe
PID 1944 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_b84f489d78138b4fb82c06e7567d7759_cobalt-strike_cobaltstrike.exe C:\Windows\System\UELpAPs.exe
PID 1944 wrote to memory of 2940 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_b84f489d78138b4fb82c06e7567d7759_cobalt-strike_cobaltstrike.exe C:\Windows\System\evObAsa.exe
PID 1944 wrote to memory of 2940 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_b84f489d78138b4fb82c06e7567d7759_cobalt-strike_cobaltstrike.exe C:\Windows\System\evObAsa.exe
PID 1944 wrote to memory of 2940 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_b84f489d78138b4fb82c06e7567d7759_cobalt-strike_cobaltstrike.exe C:\Windows\System\evObAsa.exe
PID 1944 wrote to memory of 1724 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_b84f489d78138b4fb82c06e7567d7759_cobalt-strike_cobaltstrike.exe C:\Windows\System\ceAwzsZ.exe
PID 1944 wrote to memory of 1724 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_b84f489d78138b4fb82c06e7567d7759_cobalt-strike_cobaltstrike.exe C:\Windows\System\ceAwzsZ.exe
PID 1944 wrote to memory of 1724 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_b84f489d78138b4fb82c06e7567d7759_cobalt-strike_cobaltstrike.exe C:\Windows\System\ceAwzsZ.exe
PID 1944 wrote to memory of 1644 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_b84f489d78138b4fb82c06e7567d7759_cobalt-strike_cobaltstrike.exe C:\Windows\System\DZwfCfW.exe
PID 1944 wrote to memory of 1644 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_b84f489d78138b4fb82c06e7567d7759_cobalt-strike_cobaltstrike.exe C:\Windows\System\DZwfCfW.exe
PID 1944 wrote to memory of 1644 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_b84f489d78138b4fb82c06e7567d7759_cobalt-strike_cobaltstrike.exe C:\Windows\System\DZwfCfW.exe
PID 1944 wrote to memory of 1200 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_b84f489d78138b4fb82c06e7567d7759_cobalt-strike_cobaltstrike.exe C:\Windows\System\SDBIdkk.exe
PID 1944 wrote to memory of 1200 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_b84f489d78138b4fb82c06e7567d7759_cobalt-strike_cobaltstrike.exe C:\Windows\System\SDBIdkk.exe
PID 1944 wrote to memory of 1200 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_b84f489d78138b4fb82c06e7567d7759_cobalt-strike_cobaltstrike.exe C:\Windows\System\SDBIdkk.exe
PID 1944 wrote to memory of 756 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_b84f489d78138b4fb82c06e7567d7759_cobalt-strike_cobaltstrike.exe C:\Windows\System\QfzWkyQ.exe
PID 1944 wrote to memory of 756 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_b84f489d78138b4fb82c06e7567d7759_cobalt-strike_cobaltstrike.exe C:\Windows\System\QfzWkyQ.exe
PID 1944 wrote to memory of 756 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_b84f489d78138b4fb82c06e7567d7759_cobalt-strike_cobaltstrike.exe C:\Windows\System\QfzWkyQ.exe
PID 1944 wrote to memory of 2452 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_b84f489d78138b4fb82c06e7567d7759_cobalt-strike_cobaltstrike.exe C:\Windows\System\cxxGbPe.exe
PID 1944 wrote to memory of 2452 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_b84f489d78138b4fb82c06e7567d7759_cobalt-strike_cobaltstrike.exe C:\Windows\System\cxxGbPe.exe
PID 1944 wrote to memory of 2452 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_b84f489d78138b4fb82c06e7567d7759_cobalt-strike_cobaltstrike.exe C:\Windows\System\cxxGbPe.exe
PID 1944 wrote to memory of 1512 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_b84f489d78138b4fb82c06e7567d7759_cobalt-strike_cobaltstrike.exe C:\Windows\System\BjJqzVl.exe
PID 1944 wrote to memory of 1512 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_b84f489d78138b4fb82c06e7567d7759_cobalt-strike_cobaltstrike.exe C:\Windows\System\BjJqzVl.exe
PID 1944 wrote to memory of 1512 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_b84f489d78138b4fb82c06e7567d7759_cobalt-strike_cobaltstrike.exe C:\Windows\System\BjJqzVl.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-09_b84f489d78138b4fb82c06e7567d7759_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-09_b84f489d78138b4fb82c06e7567d7759_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\THxTOpC.exe

C:\Windows\System\THxTOpC.exe

C:\Windows\System\KMcaJFM.exe

C:\Windows\System\KMcaJFM.exe

C:\Windows\System\RPdlwsG.exe

C:\Windows\System\RPdlwsG.exe

C:\Windows\System\hDHvdiL.exe

C:\Windows\System\hDHvdiL.exe

C:\Windows\System\rbPQtOl.exe

C:\Windows\System\rbPQtOl.exe

C:\Windows\System\duwrwxj.exe

C:\Windows\System\duwrwxj.exe

C:\Windows\System\krYcvAR.exe

C:\Windows\System\krYcvAR.exe

C:\Windows\System\xruDmfP.exe

C:\Windows\System\xruDmfP.exe

C:\Windows\System\gjQmkmK.exe

C:\Windows\System\gjQmkmK.exe

C:\Windows\System\lsXjILy.exe

C:\Windows\System\lsXjILy.exe

C:\Windows\System\Cpkiggi.exe

C:\Windows\System\Cpkiggi.exe

C:\Windows\System\lTXvxSr.exe

C:\Windows\System\lTXvxSr.exe

C:\Windows\System\tMcUdVL.exe

C:\Windows\System\tMcUdVL.exe

C:\Windows\System\UELpAPs.exe

C:\Windows\System\UELpAPs.exe

C:\Windows\System\evObAsa.exe

C:\Windows\System\evObAsa.exe

C:\Windows\System\ceAwzsZ.exe

C:\Windows\System\ceAwzsZ.exe

C:\Windows\System\DZwfCfW.exe

C:\Windows\System\DZwfCfW.exe

C:\Windows\System\SDBIdkk.exe

C:\Windows\System\SDBIdkk.exe

C:\Windows\System\QfzWkyQ.exe

C:\Windows\System\QfzWkyQ.exe

C:\Windows\System\cxxGbPe.exe

C:\Windows\System\cxxGbPe.exe

C:\Windows\System\BjJqzVl.exe

C:\Windows\System\BjJqzVl.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 tcp (6 identical connections; no domain recorded)

Files

memory/1944-0-0x000000013FE90000-0x00000001401E4000-memory.dmp

memory/1944-1-0x00000000001F0000-0x0000000000200000-memory.dmp

memory/1944-21-0x00000000023E0000-0x0000000002734000-memory.dmp

C:\Windows\system\hDHvdiL.exe

MD5 7ca4c7d08ec840a69d3101c638d4b72f
SHA1 9a0bd3c709f755b63121fadc936f446aec1e7ee6
SHA256 ad375c6a067690acfdb9ba070a3a7e26450ca7423af526c703ce192d7173f7e7
SHA512 93ae69558c6397f1d10b68fc7e156b1c23dffe4348c43264d4d2484e88db3346ef1d13b6b607cc291558edc2cbc35a0667021d52c5cf7e17eeb41ed495e23c3b

C:\Windows\system\xruDmfP.exe

MD5 711965c0ed770375b388ea9b5ea57c70
SHA1 21f7ffc0c96b29ee6bc8176dc97f6fd049d110a2
SHA256 c07d701eb04ab4f8699484a3bd23da869373ffe5abb89855dad47bf019625666
SHA512 1805d8628649a043140bc3aafe1e7909e2e2c4d13967ba772fc49046b58f359c9204953c678c902e0a7afe7ca922f35fcfea6266309db91efb45c72ff619c428

memory/2728-48-0x000000013F5D0000-0x000000013F924000-memory.dmp

memory/1944-54-0x00000000023E0000-0x0000000002734000-memory.dmp

memory/1944-58-0x000000013F1B0000-0x000000013F504000-memory.dmp

memory/3052-59-0x000000013FE10000-0x0000000140164000-memory.dmp

\Windows\system\Cpkiggi.exe

MD5 fbb6a602f644dbf57142122f30692c9a
SHA1 8158aaa7168744874ea387599d6d2cead21e28a3
SHA256 3ededef3bd2586830b0a8597cb8ce36b4909b0421f6d3ed699083dfd6f8c0a7d
SHA512 594ad340712d040831c50ecaffbc2dabd957ed3d1d45fbdcb2c0a001df0ecad88502ea7ae79d922d80e7ca9a296427129145281a618e70a75857e869e5c45bfe

memory/1928-125-0x000000013FAD0000-0x000000013FE24000-memory.dmp

C:\Windows\system\tMcUdVL.exe

MD5 ca2c8fc23ac2c4dd58545d16927e5bef
SHA1 b94b35150eb75787af3ce6aea401e04f2ec70fc4
SHA256 51b2f421412d1c153d42b830056e97b87fc530680dc92b4e38ffc670147a2fef
SHA512 1d2438ad0849ebaa3adb73c2fd279bcc7d191070217788022edef321689dfafee2b67a7644710d778788f25a062e16a16f37020f5aabaf59a89fd5b4e304a9ce

memory/1944-126-0x00000000023E0000-0x0000000002734000-memory.dmp

memory/2712-127-0x000000013FFD0000-0x0000000140324000-memory.dmp

memory/2832-128-0x000000013FC40000-0x000000013FF94000-memory.dmp

memory/1944-129-0x000000013FAD0000-0x000000013FE24000-memory.dmp

memory/1944-130-0x000000013F8A0000-0x000000013FBF4000-memory.dmp

\Windows\system\QfzWkyQ.exe

MD5 8003c8ca1c6255c4a9df50b61d369786
SHA1 ef521c59d5519424152618453d9a1ec413a267cf
SHA256 caa068826195e26df36f4f536e4c6574635de1b7a9a02c85ee8ca5d8d8224bf8
SHA512 0384a1e885e5629a148689a8b4027e18c5b2d083fe94b00bac0956a112bba29ab292c390c9a09436cf2e74109a83853e787b70a1e1be9d9ef015a376f3eba795

\Windows\system\DZwfCfW.exe

MD5 ce95ecfd82cad989d07f01bb5a4e0e62
SHA1 9c404e62c6a147d88e2c4214a4a0c1206972e9c1
SHA256 593e7bd118d819d8e39ef2651ab132601260307c705634ada0a2db317b292576
SHA512 c2ff795a22229b7c15805b1e961a5dfe271dec3d9731c58be06511c88be95cff0caaac2a29a6db9c14604bb11c8d799f874a0f83a490e055a4995d26515db084

memory/2988-81-0x000000013F410000-0x000000013F764000-memory.dmp

\Windows\system\tMcUdVL.exe

MD5 93bacfc3d845f374627b012c3a61a1e5
SHA1 f08219d5f19196fbc7a3a1e7ffbfb44e344c21ae
SHA256 4fd1d5231f529c0710d6a6cd40036ebe10563700b5f25c50aacacf0ccbeb0b9d
SHA512 63e909e0f694f7072b09c22815e6279a7448ff3ee9b219e1f03fa23b70411a9de5cd54205f2b9fac218aee1fe5bb1761b1d6308bcade318f7b85c7b720112b83

\Windows\system\lsXjILy.exe

MD5 170dd624fc04fc3839f9c4b66a089ce7
SHA1 689050489367e9d7989856de58d7dae4b3e867bb
SHA256 2882c9c886d8464419d873a9064b43411cb65ebce3e3928914a03cf014d51b3b
SHA512 6c2577b1133dc0e707ddd0582933138a814bc91876e45b902c1ce646d61afa9efa2788e7db3f897838eebb25c1faa4d564ec0bef69844aab72cc22ec6531ab9a

memory/1944-64-0x000000013F130000-0x000000013F484000-memory.dmp

memory/3008-63-0x000000013F1B0000-0x000000013F504000-memory.dmp

memory/1944-62-0x00000000023E0000-0x0000000002734000-memory.dmp

memory/1944-61-0x000000013F5D0000-0x000000013F924000-memory.dmp

memory/2496-60-0x000000013F130000-0x000000013F484000-memory.dmp

memory/2720-56-0x000000013FB80000-0x000000013FED4000-memory.dmp

memory/1260-50-0x000000013FE30000-0x0000000140184000-memory.dmp

\Windows\system\xruDmfP.exe

MD5 0b1dc771469fa6753e7aace834956918
SHA1 ab392eb1cb5fc16a55a2c41b7c5a6d56cfdeced7
SHA256 60a5948084400707991c40b4413636168d0f0501efbc67fab461d4937de55fb6
SHA512 6ff29d03eaaae06a15e3efe1ea402940d3f7a6e2ebae2266481a1a80576dd91702b1cbddedd5f74c67cdfdf217582f180323fa66c29c2525747039f60c34ba60

memory/2796-36-0x000000013F7D0000-0x000000013FB24000-memory.dmp

memory/2236-26-0x000000013FB40000-0x000000013FE94000-memory.dmp

memory/1944-19-0x000000013F7D0000-0x000000013FB24000-memory.dmp

memory/2084-13-0x000000013FB60000-0x000000013FEB4000-memory.dmp

memory/1944-10-0x00000000023E0000-0x0000000002734000-memory.dmp

memory/1944-131-0x000000013FE90000-0x00000001401E4000-memory.dmp

memory/2988-132-0x000000013F410000-0x000000013F764000-memory.dmp

memory/2084-133-0x000000013FB60000-0x000000013FEB4000-memory.dmp

memory/2236-134-0x000000013FB40000-0x000000013FE94000-memory.dmp

memory/2796-135-0x000000013F7D0000-0x000000013FB24000-memory.dmp

memory/2728-136-0x000000013F5D0000-0x000000013F924000-memory.dmp

memory/3008-139-0x000000013F1B0000-0x000000013F504000-memory.dmp

memory/3052-140-0x000000013FE10000-0x0000000140164000-memory.dmp

memory/2496-141-0x000000013F130000-0x000000013F484000-memory.dmp

memory/1260-138-0x000000013FE30000-0x0000000140184000-memory.dmp

memory/2720-137-0x000000013FB80000-0x000000013FED4000-memory.dmp

memory/2988-142-0x000000013F410000-0x000000013F764000-memory.dmp

memory/1928-143-0x000000013FAD0000-0x000000013FE24000-memory.dmp

memory/2712-144-0x000000013FFD0000-0x0000000140324000-memory.dmp

memory/2832-145-0x000000013FC40000-0x000000013FF94000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-09 02:58

Reported

2024-06-09 03:01

Platform

win10v2004-20240426-en

Max time kernel

148s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-09_b84f489d78138b4fb82c06e7567d7759_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A (12 identical rows; no description, indicator, process or target recorded)

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A (12 identical rows; no description, indicator, process or target recorded)

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A (64 identical rows; no description, indicator, process or target recorded)

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A (64 identical rows; no description, indicator, process or target recorded)

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A (64 identical rows; no description, indicator, process or target recorded)

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\VupaEva.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_b84f489d78138b4fb82c06e7567d7759_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\FixSpDs.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_b84f489d78138b4fb82c06e7567d7759_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\lbfOdJS.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_b84f489d78138b4fb82c06e7567d7759_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ZvzSnWo.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_b84f489d78138b4fb82c06e7567d7759_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\eXdNDoL.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_b84f489d78138b4fb82c06e7567d7759_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\YLzINuQ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_b84f489d78138b4fb82c06e7567d7759_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\mwtwszv.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_b84f489d78138b4fb82c06e7567d7759_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\Kbgodhb.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_b84f489d78138b4fb82c06e7567d7759_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\uYGxDMa.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_b84f489d78138b4fb82c06e7567d7759_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\yciyiWc.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_b84f489d78138b4fb82c06e7567d7759_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\QdePLcH.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_b84f489d78138b4fb82c06e7567d7759_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\LUXLsSY.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_b84f489d78138b4fb82c06e7567d7759_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\CJYtGys.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_b84f489d78138b4fb82c06e7567d7759_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\PlzfoEH.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_b84f489d78138b4fb82c06e7567d7759_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\cOYIYuG.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_b84f489d78138b4fb82c06e7567d7759_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\gvvxhKn.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_b84f489d78138b4fb82c06e7567d7759_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\gqsgCPO.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_b84f489d78138b4fb82c06e7567d7759_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\NmBIdnR.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_b84f489d78138b4fb82c06e7567d7759_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\HgTbNPs.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_b84f489d78138b4fb82c06e7567d7759_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\DRVaCHn.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_b84f489d78138b4fb82c06e7567d7759_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\QTnQMiK.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_b84f489d78138b4fb82c06e7567d7759_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_b84f489d78138b4fb82c06e7567d7759_cobalt-strike_cobaltstrike.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_b84f489d78138b4fb82c06e7567d7759_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4512 wrote to memory of 3576 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_b84f489d78138b4fb82c06e7567d7759_cobalt-strike_cobaltstrike.exe C:\Windows\System\NmBIdnR.exe
PID 4512 wrote to memory of 3576 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_b84f489d78138b4fb82c06e7567d7759_cobalt-strike_cobaltstrike.exe C:\Windows\System\NmBIdnR.exe
PID 4512 wrote to memory of 1680 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_b84f489d78138b4fb82c06e7567d7759_cobalt-strike_cobaltstrike.exe C:\Windows\System\VupaEva.exe
PID 4512 wrote to memory of 1680 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_b84f489d78138b4fb82c06e7567d7759_cobalt-strike_cobaltstrike.exe C:\Windows\System\VupaEva.exe
PID 4512 wrote to memory of 116 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_b84f489d78138b4fb82c06e7567d7759_cobalt-strike_cobaltstrike.exe C:\Windows\System\HgTbNPs.exe
PID 4512 wrote to memory of 116 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_b84f489d78138b4fb82c06e7567d7759_cobalt-strike_cobaltstrike.exe C:\Windows\System\HgTbNPs.exe
PID 4512 wrote to memory of 1184 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_b84f489d78138b4fb82c06e7567d7759_cobalt-strike_cobaltstrike.exe C:\Windows\System\ZvzSnWo.exe
PID 4512 wrote to memory of 1184 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_b84f489d78138b4fb82c06e7567d7759_cobalt-strike_cobaltstrike.exe C:\Windows\System\ZvzSnWo.exe
PID 4512 wrote to memory of 1772 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_b84f489d78138b4fb82c06e7567d7759_cobalt-strike_cobaltstrike.exe C:\Windows\System\DRVaCHn.exe
PID 4512 wrote to memory of 1772 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_b84f489d78138b4fb82c06e7567d7759_cobalt-strike_cobaltstrike.exe C:\Windows\System\DRVaCHn.exe
PID 4512 wrote to memory of 3800 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_b84f489d78138b4fb82c06e7567d7759_cobalt-strike_cobaltstrike.exe C:\Windows\System\QTnQMiK.exe
PID 4512 wrote to memory of 3800 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_b84f489d78138b4fb82c06e7567d7759_cobalt-strike_cobaltstrike.exe C:\Windows\System\QTnQMiK.exe
PID 4512 wrote to memory of 2860 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_b84f489d78138b4fb82c06e7567d7759_cobalt-strike_cobaltstrike.exe C:\Windows\System\QdePLcH.exe
PID 4512 wrote to memory of 2860 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_b84f489d78138b4fb82c06e7567d7759_cobalt-strike_cobaltstrike.exe C:\Windows\System\QdePLcH.exe
PID 4512 wrote to memory of 2144 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_b84f489d78138b4fb82c06e7567d7759_cobalt-strike_cobaltstrike.exe C:\Windows\System\LUXLsSY.exe
PID 4512 wrote to memory of 2144 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_b84f489d78138b4fb82c06e7567d7759_cobalt-strike_cobaltstrike.exe C:\Windows\System\LUXLsSY.exe
PID 4512 wrote to memory of 1848 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_b84f489d78138b4fb82c06e7567d7759_cobalt-strike_cobaltstrike.exe C:\Windows\System\cOYIYuG.exe
PID 4512 wrote to memory of 1848 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_b84f489d78138b4fb82c06e7567d7759_cobalt-strike_cobaltstrike.exe C:\Windows\System\cOYIYuG.exe
PID 4512 wrote to memory of 3356 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_b84f489d78138b4fb82c06e7567d7759_cobalt-strike_cobaltstrike.exe C:\Windows\System\FixSpDs.exe
PID 4512 wrote to memory of 3356 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_b84f489d78138b4fb82c06e7567d7759_cobalt-strike_cobaltstrike.exe C:\Windows\System\FixSpDs.exe
PID 4512 wrote to memory of 3372 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_b84f489d78138b4fb82c06e7567d7759_cobalt-strike_cobaltstrike.exe C:\Windows\System\CJYtGys.exe
PID 4512 wrote to memory of 3372 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_b84f489d78138b4fb82c06e7567d7759_cobalt-strike_cobaltstrike.exe C:\Windows\System\CJYtGys.exe
PID 4512 wrote to memory of 2204 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_b84f489d78138b4fb82c06e7567d7759_cobalt-strike_cobaltstrike.exe C:\Windows\System\lbfOdJS.exe
PID 4512 wrote to memory of 2204 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_b84f489d78138b4fb82c06e7567d7759_cobalt-strike_cobaltstrike.exe C:\Windows\System\lbfOdJS.exe
PID 4512 wrote to memory of 3776 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_b84f489d78138b4fb82c06e7567d7759_cobalt-strike_cobaltstrike.exe C:\Windows\System\gvvxhKn.exe
PID 4512 wrote to memory of 3776 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_b84f489d78138b4fb82c06e7567d7759_cobalt-strike_cobaltstrike.exe C:\Windows\System\gvvxhKn.exe
PID 4512 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_b84f489d78138b4fb82c06e7567d7759_cobalt-strike_cobaltstrike.exe C:\Windows\System\PlzfoEH.exe
PID 4512 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_b84f489d78138b4fb82c06e7567d7759_cobalt-strike_cobaltstrike.exe C:\Windows\System\PlzfoEH.exe
PID 4512 wrote to memory of 2584 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_b84f489d78138b4fb82c06e7567d7759_cobalt-strike_cobaltstrike.exe C:\Windows\System\gqsgCPO.exe
PID 4512 wrote to memory of 2584 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_b84f489d78138b4fb82c06e7567d7759_cobalt-strike_cobaltstrike.exe C:\Windows\System\gqsgCPO.exe
PID 4512 wrote to memory of 1300 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_b84f489d78138b4fb82c06e7567d7759_cobalt-strike_cobaltstrike.exe C:\Windows\System\Kbgodhb.exe
PID 4512 wrote to memory of 1300 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_b84f489d78138b4fb82c06e7567d7759_cobalt-strike_cobaltstrike.exe C:\Windows\System\Kbgodhb.exe
PID 4512 wrote to memory of 4764 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_b84f489d78138b4fb82c06e7567d7759_cobalt-strike_cobaltstrike.exe C:\Windows\System\eXdNDoL.exe
PID 4512 wrote to memory of 4764 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_b84f489d78138b4fb82c06e7567d7759_cobalt-strike_cobaltstrike.exe C:\Windows\System\eXdNDoL.exe
PID 4512 wrote to memory of 5096 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_b84f489d78138b4fb82c06e7567d7759_cobalt-strike_cobaltstrike.exe C:\Windows\System\YLzINuQ.exe
PID 4512 wrote to memory of 5096 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_b84f489d78138b4fb82c06e7567d7759_cobalt-strike_cobaltstrike.exe C:\Windows\System\YLzINuQ.exe
PID 4512 wrote to memory of 840 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_b84f489d78138b4fb82c06e7567d7759_cobalt-strike_cobaltstrike.exe C:\Windows\System\uYGxDMa.exe
PID 4512 wrote to memory of 840 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_b84f489d78138b4fb82c06e7567d7759_cobalt-strike_cobaltstrike.exe C:\Windows\System\uYGxDMa.exe
PID 4512 wrote to memory of 596 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_b84f489d78138b4fb82c06e7567d7759_cobalt-strike_cobaltstrike.exe C:\Windows\System\yciyiWc.exe
PID 4512 wrote to memory of 596 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_b84f489d78138b4fb82c06e7567d7759_cobalt-strike_cobaltstrike.exe C:\Windows\System\yciyiWc.exe
PID 4512 wrote to memory of 1504 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_b84f489d78138b4fb82c06e7567d7759_cobalt-strike_cobaltstrike.exe C:\Windows\System\mwtwszv.exe
PID 4512 wrote to memory of 1504 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_b84f489d78138b4fb82c06e7567d7759_cobalt-strike_cobaltstrike.exe C:\Windows\System\mwtwszv.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-09_b84f489d78138b4fb82c06e7567d7759_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-09_b84f489d78138b4fb82c06e7567d7759_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\NmBIdnR.exe

C:\Windows\System\NmBIdnR.exe

C:\Windows\System\VupaEva.exe

C:\Windows\System\VupaEva.exe

C:\Windows\System\HgTbNPs.exe

C:\Windows\System\HgTbNPs.exe

C:\Windows\System\ZvzSnWo.exe

C:\Windows\System\ZvzSnWo.exe

C:\Windows\System\DRVaCHn.exe

C:\Windows\System\DRVaCHn.exe

C:\Windows\System\QTnQMiK.exe

C:\Windows\System\QTnQMiK.exe

C:\Windows\System\QdePLcH.exe

C:\Windows\System\QdePLcH.exe

C:\Windows\System\LUXLsSY.exe

C:\Windows\System\LUXLsSY.exe

C:\Windows\System\cOYIYuG.exe

C:\Windows\System\cOYIYuG.exe

C:\Windows\System\FixSpDs.exe

C:\Windows\System\FixSpDs.exe

C:\Windows\System\CJYtGys.exe

C:\Windows\System\CJYtGys.exe

C:\Windows\System\lbfOdJS.exe

C:\Windows\System\lbfOdJS.exe

C:\Windows\System\gvvxhKn.exe

C:\Windows\System\gvvxhKn.exe

C:\Windows\System\PlzfoEH.exe

C:\Windows\System\PlzfoEH.exe

C:\Windows\System\gqsgCPO.exe

C:\Windows\System\gqsgCPO.exe

C:\Windows\System\Kbgodhb.exe

C:\Windows\System\Kbgodhb.exe

C:\Windows\System\eXdNDoL.exe

C:\Windows\System\eXdNDoL.exe

C:\Windows\System\YLzINuQ.exe

C:\Windows\System\YLzINuQ.exe

C:\Windows\System\uYGxDMa.exe

C:\Windows\System\uYGxDMa.exe

C:\Windows\System\yciyiWc.exe

C:\Windows\System\yciyiWc.exe

C:\Windows\System\mwtwszv.exe

C:\Windows\System\mwtwszv.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 13.179.89.13.in-addr.arpa udp

Files
