Malware Analysis Report

2024-10-16 03:06

Sample ID 240609-dhj18sdd48
Target 2024-06-09_f28ebae94ad4d1c576383ef240194436_cobalt-strike_cobaltstrike
SHA256 1af27e2230a7ae8d94ad15f9a0d9d6c25b8f9a7412bdb3fb47ebc8fe3bac709a
Tags
miner upx 0 xmrig cobaltstrike backdoor trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

1af27e2230a7ae8d94ad15f9a0d9d6c25b8f9a7412bdb3fb47ebc8fe3bac709a

Threat Level: Known bad

The file 2024-06-09_f28ebae94ad4d1c576383ef240194436_cobalt-strike_cobaltstrike was found to be: Known bad.

Malicious Activity Summary

miner upx 0 xmrig cobaltstrike backdoor trojan

Xmrig family

Cobaltstrike family

Cobalt Strike reflective loader

UPX dump on OEP (original entry point)

Cobaltstrike

Detects Reflective DLL injection artifacts

xmrig

XMRig Miner payload

Detects Reflective DLL injection artifacts

XMRig Miner payload

UPX dump on OEP (original entry point)

Loads dropped DLL

UPX packed file

Executes dropped EXE

Drops file in Windows directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-09 03:00

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike family

cobaltstrike

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Xmrig family

xmrig

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-09 03:00

Reported

2024-06-09 03:03

Platform

win7-20240508-en

Max time kernel

140s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-09_f28ebae94ad4d1c576383ef240194436_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_f28ebae94ad4d1c576383ef240194436_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_f28ebae94ad4d1c576383ef240194436_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_f28ebae94ad4d1c576383ef240194436_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_f28ebae94ad4d1c576383ef240194436_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_f28ebae94ad4d1c576383ef240194436_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_f28ebae94ad4d1c576383ef240194436_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_f28ebae94ad4d1c576383ef240194436_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_f28ebae94ad4d1c576383ef240194436_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_f28ebae94ad4d1c576383ef240194436_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_f28ebae94ad4d1c576383ef240194436_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_f28ebae94ad4d1c576383ef240194436_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_f28ebae94ad4d1c576383ef240194436_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_f28ebae94ad4d1c576383ef240194436_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_f28ebae94ad4d1c576383ef240194436_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_f28ebae94ad4d1c576383ef240194436_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_f28ebae94ad4d1c576383ef240194436_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_f28ebae94ad4d1c576383ef240194436_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_f28ebae94ad4d1c576383ef240194436_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_f28ebae94ad4d1c576383ef240194436_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_f28ebae94ad4d1c576383ef240194436_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_f28ebae94ad4d1c576383ef240194436_cobalt-strike_cobaltstrike.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\tyTWUUf.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_f28ebae94ad4d1c576383ef240194436_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\SMsRqgO.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_f28ebae94ad4d1c576383ef240194436_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\WHAbgyL.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_f28ebae94ad4d1c576383ef240194436_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\XPcOhTf.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_f28ebae94ad4d1c576383ef240194436_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ysDFWXX.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_f28ebae94ad4d1c576383ef240194436_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\UaAPqQQ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_f28ebae94ad4d1c576383ef240194436_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\LpGrckF.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_f28ebae94ad4d1c576383ef240194436_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\kyCzxXM.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_f28ebae94ad4d1c576383ef240194436_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\zIIUcyY.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_f28ebae94ad4d1c576383ef240194436_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ZOSjAds.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_f28ebae94ad4d1c576383ef240194436_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\deeZsmq.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_f28ebae94ad4d1c576383ef240194436_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\RHXnFcl.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_f28ebae94ad4d1c576383ef240194436_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\DqLAJty.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_f28ebae94ad4d1c576383ef240194436_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\kffWXoO.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_f28ebae94ad4d1c576383ef240194436_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\VvFtaHm.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_f28ebae94ad4d1c576383ef240194436_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\QInkysK.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_f28ebae94ad4d1c576383ef240194436_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\LRGDCiX.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_f28ebae94ad4d1c576383ef240194436_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\PbFpdoM.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_f28ebae94ad4d1c576383ef240194436_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\RGtKvny.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_f28ebae94ad4d1c576383ef240194436_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\HMrVTRT.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_f28ebae94ad4d1c576383ef240194436_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\RYIwiOR.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_f28ebae94ad4d1c576383ef240194436_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_f28ebae94ad4d1c576383ef240194436_cobalt-strike_cobaltstrike.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_f28ebae94ad4d1c576383ef240194436_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1736 wrote to memory of 2864 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_f28ebae94ad4d1c576383ef240194436_cobalt-strike_cobaltstrike.exe C:\Windows\System\ZOSjAds.exe
PID 1736 wrote to memory of 2864 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_f28ebae94ad4d1c576383ef240194436_cobalt-strike_cobaltstrike.exe C:\Windows\System\ZOSjAds.exe
PID 1736 wrote to memory of 2864 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_f28ebae94ad4d1c576383ef240194436_cobalt-strike_cobaltstrike.exe C:\Windows\System\ZOSjAds.exe
PID 1736 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_f28ebae94ad4d1c576383ef240194436_cobalt-strike_cobaltstrike.exe C:\Windows\System\deeZsmq.exe
PID 1736 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_f28ebae94ad4d1c576383ef240194436_cobalt-strike_cobaltstrike.exe C:\Windows\System\deeZsmq.exe
PID 1736 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_f28ebae94ad4d1c576383ef240194436_cobalt-strike_cobaltstrike.exe C:\Windows\System\deeZsmq.exe
PID 1736 wrote to memory of 1676 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_f28ebae94ad4d1c576383ef240194436_cobalt-strike_cobaltstrike.exe C:\Windows\System\RHXnFcl.exe
PID 1736 wrote to memory of 1676 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_f28ebae94ad4d1c576383ef240194436_cobalt-strike_cobaltstrike.exe C:\Windows\System\RHXnFcl.exe
PID 1736 wrote to memory of 1676 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_f28ebae94ad4d1c576383ef240194436_cobalt-strike_cobaltstrike.exe C:\Windows\System\RHXnFcl.exe
PID 1736 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_f28ebae94ad4d1c576383ef240194436_cobalt-strike_cobaltstrike.exe C:\Windows\System\LRGDCiX.exe
PID 1736 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_f28ebae94ad4d1c576383ef240194436_cobalt-strike_cobaltstrike.exe C:\Windows\System\LRGDCiX.exe
PID 1736 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_f28ebae94ad4d1c576383ef240194436_cobalt-strike_cobaltstrike.exe C:\Windows\System\LRGDCiX.exe
PID 1736 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_f28ebae94ad4d1c576383ef240194436_cobalt-strike_cobaltstrike.exe C:\Windows\System\PbFpdoM.exe
PID 1736 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_f28ebae94ad4d1c576383ef240194436_cobalt-strike_cobaltstrike.exe C:\Windows\System\PbFpdoM.exe
PID 1736 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_f28ebae94ad4d1c576383ef240194436_cobalt-strike_cobaltstrike.exe C:\Windows\System\PbFpdoM.exe
PID 1736 wrote to memory of 2188 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_f28ebae94ad4d1c576383ef240194436_cobalt-strike_cobaltstrike.exe C:\Windows\System\SMsRqgO.exe
PID 1736 wrote to memory of 2188 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_f28ebae94ad4d1c576383ef240194436_cobalt-strike_cobaltstrike.exe C:\Windows\System\SMsRqgO.exe
PID 1736 wrote to memory of 2188 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_f28ebae94ad4d1c576383ef240194436_cobalt-strike_cobaltstrike.exe C:\Windows\System\SMsRqgO.exe
PID 1736 wrote to memory of 2840 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_f28ebae94ad4d1c576383ef240194436_cobalt-strike_cobaltstrike.exe C:\Windows\System\WHAbgyL.exe
PID 1736 wrote to memory of 2840 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_f28ebae94ad4d1c576383ef240194436_cobalt-strike_cobaltstrike.exe C:\Windows\System\WHAbgyL.exe
PID 1736 wrote to memory of 2840 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_f28ebae94ad4d1c576383ef240194436_cobalt-strike_cobaltstrike.exe C:\Windows\System\WHAbgyL.exe
PID 1736 wrote to memory of 2432 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_f28ebae94ad4d1c576383ef240194436_cobalt-strike_cobaltstrike.exe C:\Windows\System\DqLAJty.exe
PID 1736 wrote to memory of 2432 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_f28ebae94ad4d1c576383ef240194436_cobalt-strike_cobaltstrike.exe C:\Windows\System\DqLAJty.exe
PID 1736 wrote to memory of 2432 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_f28ebae94ad4d1c576383ef240194436_cobalt-strike_cobaltstrike.exe C:\Windows\System\DqLAJty.exe
PID 1736 wrote to memory of 2528 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_f28ebae94ad4d1c576383ef240194436_cobalt-strike_cobaltstrike.exe C:\Windows\System\kffWXoO.exe
PID 1736 wrote to memory of 2528 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_f28ebae94ad4d1c576383ef240194436_cobalt-strike_cobaltstrike.exe C:\Windows\System\kffWXoO.exe
PID 1736 wrote to memory of 2528 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_f28ebae94ad4d1c576383ef240194436_cobalt-strike_cobaltstrike.exe C:\Windows\System\kffWXoO.exe
PID 1736 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_f28ebae94ad4d1c576383ef240194436_cobalt-strike_cobaltstrike.exe C:\Windows\System\XPcOhTf.exe
PID 1736 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_f28ebae94ad4d1c576383ef240194436_cobalt-strike_cobaltstrike.exe C:\Windows\System\XPcOhTf.exe
PID 1736 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_f28ebae94ad4d1c576383ef240194436_cobalt-strike_cobaltstrike.exe C:\Windows\System\XPcOhTf.exe
PID 1736 wrote to memory of 2392 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_f28ebae94ad4d1c576383ef240194436_cobalt-strike_cobaltstrike.exe C:\Windows\System\LpGrckF.exe
PID 1736 wrote to memory of 2392 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_f28ebae94ad4d1c576383ef240194436_cobalt-strike_cobaltstrike.exe C:\Windows\System\LpGrckF.exe
PID 1736 wrote to memory of 2392 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_f28ebae94ad4d1c576383ef240194436_cobalt-strike_cobaltstrike.exe C:\Windows\System\LpGrckF.exe
PID 1736 wrote to memory of 2256 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_f28ebae94ad4d1c576383ef240194436_cobalt-strike_cobaltstrike.exe C:\Windows\System\kyCzxXM.exe
PID 1736 wrote to memory of 2256 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_f28ebae94ad4d1c576383ef240194436_cobalt-strike_cobaltstrike.exe C:\Windows\System\kyCzxXM.exe
PID 1736 wrote to memory of 2256 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_f28ebae94ad4d1c576383ef240194436_cobalt-strike_cobaltstrike.exe C:\Windows\System\kyCzxXM.exe
PID 1736 wrote to memory of 2836 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_f28ebae94ad4d1c576383ef240194436_cobalt-strike_cobaltstrike.exe C:\Windows\System\RGtKvny.exe
PID 1736 wrote to memory of 2836 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_f28ebae94ad4d1c576383ef240194436_cobalt-strike_cobaltstrike.exe C:\Windows\System\RGtKvny.exe
PID 1736 wrote to memory of 2836 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_f28ebae94ad4d1c576383ef240194436_cobalt-strike_cobaltstrike.exe C:\Windows\System\RGtKvny.exe
PID 1736 wrote to memory of 3000 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_f28ebae94ad4d1c576383ef240194436_cobalt-strike_cobaltstrike.exe C:\Windows\System\ysDFWXX.exe
PID 1736 wrote to memory of 3000 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_f28ebae94ad4d1c576383ef240194436_cobalt-strike_cobaltstrike.exe C:\Windows\System\ysDFWXX.exe
PID 1736 wrote to memory of 3000 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_f28ebae94ad4d1c576383ef240194436_cobalt-strike_cobaltstrike.exe C:\Windows\System\ysDFWXX.exe
PID 1736 wrote to memory of 328 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_f28ebae94ad4d1c576383ef240194436_cobalt-strike_cobaltstrike.exe C:\Windows\System\HMrVTRT.exe
PID 1736 wrote to memory of 328 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_f28ebae94ad4d1c576383ef240194436_cobalt-strike_cobaltstrike.exe C:\Windows\System\HMrVTRT.exe
PID 1736 wrote to memory of 328 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_f28ebae94ad4d1c576383ef240194436_cobalt-strike_cobaltstrike.exe C:\Windows\System\HMrVTRT.exe
PID 1736 wrote to memory of 772 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_f28ebae94ad4d1c576383ef240194436_cobalt-strike_cobaltstrike.exe C:\Windows\System\UaAPqQQ.exe
PID 1736 wrote to memory of 772 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_f28ebae94ad4d1c576383ef240194436_cobalt-strike_cobaltstrike.exe C:\Windows\System\UaAPqQQ.exe
PID 1736 wrote to memory of 772 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_f28ebae94ad4d1c576383ef240194436_cobalt-strike_cobaltstrike.exe C:\Windows\System\UaAPqQQ.exe
PID 1736 wrote to memory of 376 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_f28ebae94ad4d1c576383ef240194436_cobalt-strike_cobaltstrike.exe C:\Windows\System\zIIUcyY.exe
PID 1736 wrote to memory of 376 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_f28ebae94ad4d1c576383ef240194436_cobalt-strike_cobaltstrike.exe C:\Windows\System\zIIUcyY.exe
PID 1736 wrote to memory of 376 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_f28ebae94ad4d1c576383ef240194436_cobalt-strike_cobaltstrike.exe C:\Windows\System\zIIUcyY.exe
PID 1736 wrote to memory of 2004 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_f28ebae94ad4d1c576383ef240194436_cobalt-strike_cobaltstrike.exe C:\Windows\System\RYIwiOR.exe
PID 1736 wrote to memory of 2004 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_f28ebae94ad4d1c576383ef240194436_cobalt-strike_cobaltstrike.exe C:\Windows\System\RYIwiOR.exe
PID 1736 wrote to memory of 2004 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_f28ebae94ad4d1c576383ef240194436_cobalt-strike_cobaltstrike.exe C:\Windows\System\RYIwiOR.exe
PID 1736 wrote to memory of 1792 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_f28ebae94ad4d1c576383ef240194436_cobalt-strike_cobaltstrike.exe C:\Windows\System\VvFtaHm.exe
PID 1736 wrote to memory of 1792 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_f28ebae94ad4d1c576383ef240194436_cobalt-strike_cobaltstrike.exe C:\Windows\System\VvFtaHm.exe
PID 1736 wrote to memory of 1792 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_f28ebae94ad4d1c576383ef240194436_cobalt-strike_cobaltstrike.exe C:\Windows\System\VvFtaHm.exe
PID 1736 wrote to memory of 1744 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_f28ebae94ad4d1c576383ef240194436_cobalt-strike_cobaltstrike.exe C:\Windows\System\QInkysK.exe
PID 1736 wrote to memory of 1744 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_f28ebae94ad4d1c576383ef240194436_cobalt-strike_cobaltstrike.exe C:\Windows\System\QInkysK.exe
PID 1736 wrote to memory of 1744 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_f28ebae94ad4d1c576383ef240194436_cobalt-strike_cobaltstrike.exe C:\Windows\System\QInkysK.exe
PID 1736 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_f28ebae94ad4d1c576383ef240194436_cobalt-strike_cobaltstrike.exe C:\Windows\System\tyTWUUf.exe
PID 1736 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_f28ebae94ad4d1c576383ef240194436_cobalt-strike_cobaltstrike.exe C:\Windows\System\tyTWUUf.exe
PID 1736 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_f28ebae94ad4d1c576383ef240194436_cobalt-strike_cobaltstrike.exe C:\Windows\System\tyTWUUf.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-09_f28ebae94ad4d1c576383ef240194436_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-09_f28ebae94ad4d1c576383ef240194436_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\ZOSjAds.exe

C:\Windows\System\ZOSjAds.exe

C:\Windows\System\deeZsmq.exe

C:\Windows\System\deeZsmq.exe

C:\Windows\System\RHXnFcl.exe

C:\Windows\System\RHXnFcl.exe

C:\Windows\System\LRGDCiX.exe

C:\Windows\System\LRGDCiX.exe

C:\Windows\System\PbFpdoM.exe

C:\Windows\System\PbFpdoM.exe

C:\Windows\System\SMsRqgO.exe

C:\Windows\System\SMsRqgO.exe

C:\Windows\System\WHAbgyL.exe

C:\Windows\System\WHAbgyL.exe

C:\Windows\System\DqLAJty.exe

C:\Windows\System\DqLAJty.exe

C:\Windows\System\kffWXoO.exe

C:\Windows\System\kffWXoO.exe

C:\Windows\System\XPcOhTf.exe

C:\Windows\System\XPcOhTf.exe

C:\Windows\System\LpGrckF.exe

C:\Windows\System\LpGrckF.exe

C:\Windows\System\kyCzxXM.exe

C:\Windows\System\kyCzxXM.exe

C:\Windows\System\RGtKvny.exe

C:\Windows\System\RGtKvny.exe

C:\Windows\System\ysDFWXX.exe

C:\Windows\System\ysDFWXX.exe

C:\Windows\System\HMrVTRT.exe

C:\Windows\System\HMrVTRT.exe

C:\Windows\System\UaAPqQQ.exe

C:\Windows\System\UaAPqQQ.exe

C:\Windows\System\zIIUcyY.exe

C:\Windows\System\zIIUcyY.exe

C:\Windows\System\RYIwiOR.exe

C:\Windows\System\RYIwiOR.exe

C:\Windows\System\VvFtaHm.exe

C:\Windows\System\VvFtaHm.exe

C:\Windows\System\QInkysK.exe

C:\Windows\System\QInkysK.exe

C:\Windows\System\tyTWUUf.exe

C:\Windows\System\tyTWUUf.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp

Files

memory/1736-0-0x000000013FC90000-0x000000013FFE4000-memory.dmp

memory/1736-1-0x0000000000080000-0x0000000000090000-memory.dmp

\Windows\system\ZOSjAds.exe

MD5 0c4fa25607b4370165ec346f1ab5cf33
SHA1 e793a93cf0e5f3e380ba686a46b04e292ac07498
SHA256 f680fd2e7e49c6829b698cc5e2e48b3f3ec8ee78dfde1c28c492f9f7a1d1aa8a
SHA512 57cf1299c34833ccdb24babcc7aeb948098cf922afcd315f5a5058d132d8d7c108e23a581403cea07290b7bffcfee0f7a4aa118bae4b90c90b7ccd5b4bd86e46

C:\Windows\system\ZOSjAds.exe

MD5 08eafc1774f698f370d0718289fcd234
SHA1 66b83b284ce1d9c4fc471d3e4551706cab8375fe
SHA256 14085b5a368d46c833885e8e8019623a4fde452e1307b111b230fe8b13333f47
SHA512 41a069d761cee4c3d0d86eb44de3cd9c0b7aa5012b0db410f996238976ec9817750ab5bd5744739d63f870ed6252eec49bade9191d8e10f8c3aeeb207e0289fb

memory/1736-7-0x00000000022B0000-0x0000000002604000-memory.dmp

C:\Windows\system\deeZsmq.exe

MD5 af48687689822d5820e79e82ff60116d
SHA1 9b735584a6b32d5f788e7e7004e33080c80fd469
SHA256 f8b520209de195a21b7127e4ce870f24844c9e5717cee39aeb5aaec0dce507d9
SHA512 8e946bddbf65ba5ea6ec8826dd4d31e5d38abd028e868f38bff9da7e8fe8ca82aa994323c6efc53177353620557f07148ee4ca42ab6fb2a74e8c6647a8e3c108

memory/1736-22-0x000000013F5A0000-0x000000013F8F4000-memory.dmp

memory/2692-27-0x000000013F260000-0x000000013F5B4000-memory.dmp

memory/1676-30-0x000000013F5A0000-0x000000013F8F4000-memory.dmp

memory/2864-15-0x000000013FE40000-0x0000000140194000-memory.dmp

memory/1736-29-0x000000013F260000-0x000000013F5B4000-memory.dmp

C:\Windows\system\RHXnFcl.exe

MD5 1f998fa697cd8622747a38f64299a573
SHA1 492bbb2ea85f471c6ca2e1fe5d05c26642503178
SHA256 57338c9fb6668d33eb6ff3885eee80504faa7da870b3ba319d2f3569c94336aa
SHA512 d430b654fac541e8b00cfa42698ab7671c7a46de805e83f4ed6a3124f48ef7f864104c6e4082598264017e555b0bf6556978391f1b8f2ad72d4db1331db1571c

memory/2604-25-0x000000013F570000-0x000000013F8C4000-memory.dmp

C:\Windows\system\LRGDCiX.exe

MD5 ab9b7f419fd2a276a4c460a89170d441
SHA1 102f31dcb179d7f22b7bf328e449b251d74ed673
SHA256 edb8cd63fd2a65550bbe52f25806394e94eb919ddef861a54c41892c32e89632
SHA512 c32b30203801d6b564309596c05af33d2bfe6d1573fc74ffd40050a63a5850e2879d02ff75377f59d54711687b638b8332efb132e98e801fae307699e076c749

\Windows\system\RHXnFcl.exe

MD5 1e2459942327eb396bd8cd9cbc885d14
SHA1 b979cbcb517509c30843efb1d91bef30f1f24a44
SHA256 54a03d5d208d751b31e23b71307944c1879786db4797c4e135ceee676e41235a
SHA512 62534d80e6c8c22bb311b0a7f5fb302c5a153d567d6f207a17c6fee8290718e68d1dc2dc16c134b4032b4de9f3329105695e611408c440b9aa805aa38dc8aaf7

memory/1736-19-0x000000013F570000-0x000000013F8C4000-memory.dmp

\Windows\system\PbFpdoM.exe

MD5 ed0e997a4e2bd44d6cffef178134421e
SHA1 e0bd7edc8371b83e891888ab1a78ef80151d1f83
SHA256 68c2ac04b6c388dd16baa7ef6b9af76562dd1aaec6dff14c1cad639af093f1cf
SHA512 a7adb794b5474a373d6dad7dd6f3c1f2bc1e403d9744332189c01caab75a2b5d3b122602e94e3c54bb48a3e96785c69d48df700d88c5445e290a366de011e20c

\Windows\system\DqLAJty.exe

MD5 bf1b8e5e1f1d2494586162de540bad5c
SHA1 fbf2bd329a558f72391f6c28d843d05a17a04440
SHA256 54224a3d5a1523da6d82b55f882fa9dac7a24f2f8017a5f473946a6332981a6e
SHA512 a2622afff70973432d33a819bafb070f9b0804644190ea9af2744df7c68badba6c5bf058e0362eff3a678cb5738677984122d3ec888c13c2d38dced38501321f

memory/2432-57-0x000000013FB00000-0x000000013FE54000-memory.dmp

C:\Windows\system\XPcOhTf.exe

MD5 dec6a43021985b77b042d7184920ba19
SHA1 95ee1f5371567aad30a8388f0b1055acc094fa68
SHA256 549b4f74994c65d217212a32116ec2bc331ac15488ada8d745539d01598848ac
SHA512 1db803a6c67def2d68eca8823c5aec4f62b0d2511b1e91e57ec4b0ce40b372b71cd2021b3545956a6f74ceefe90c16c921a95a7320101fb10ad823bd4123bcfb

memory/2836-92-0x000000013FAC0000-0x000000013FE14000-memory.dmp

memory/1736-107-0x00000000022B0000-0x0000000002604000-memory.dmp

\Windows\system\tyTWUUf.exe

MD5 8a74009f7dd9c036cc12b3f189bd9ac6
SHA1 e53d33c260bb77d6ec7f4c05d6b7a52ccd5f9de0
SHA256 b349cfcd57c9962c2310b863621992c24963856bb8765a72596762e3d22c0932
SHA512 6b058797ebf39246aeec4041256bec3900d2fe258c40c7a628ad2f0a7c71cd84516d0e4598c1b869d273f2d776086698842e42f21ab1a8adea547d9c55a56876

C:\Windows\system\tyTWUUf.exe

MD5 c6739666a33a990476e2ff789e179e93
SHA1 249b85550a016e28ee0d095a00c5b35435a209f9
SHA256 7137a161db4e29a4d976f5c3fcd19c959e2542d95a845cecb635d7dfb9490c5c
SHA512 66132284d0e97bd63ab44e6fc9772bb321ce05fcfab04044d316eb0273b6e03890a30d633311e5f195f58355514c26acf2a5f9527599935572dbb787f46e6a7e

C:\Windows\system\QInkysK.exe

MD5 8bf2cc209f6510f3080249e102d752aa
SHA1 b30e5dd4c525bf9c7be91e31b8a5924b94451eea
SHA256 63f568b4fb0012c97e126693182ecd044ad372800e911c03f7af9ea8081d71e9
SHA512 40ff07fc50c5dcd24482e4572d1988160c5021b5376ec300b0a6546f3f6f1223a82136448f52580e992d5cda113de5efa4c2900d448525d835df511e87fc3d33

C:\Windows\system\VvFtaHm.exe

MD5 06e7776c45522cd727375134e965e22f
SHA1 b3c6cc8ec21bae0f0aa8708062a4e0f18fd21432
SHA256 2e168c5305fc6931df6647569f2eac771398a9fe5bbc1782667bc1c201007bfb
SHA512 0b18810a5223438d648db6031a4bc963ddc222296395333088b069467dd1914822ad34fd9a3ff6c6694db24c914bdda3b30ab67d7943ad9a074d0ee7d9dc226d

\Windows\system\VvFtaHm.exe

MD5 240a95cb60c14ce340f2f5434b66d5ce
SHA1 a658fafc8419469abf15f4757791c55f9906191b
SHA256 14fb1a8344fca61dca7af51c053a3eb59740a4a087a317d91117d91423669367
SHA512 063b41bd92b61500310dc6790f764f1ce293ff07d51e4c54628c9d47056b7bd1a4aabd867e95099092a1eb8633312aecad7ecd17af7c91dd16baf071c01435c2

C:\Windows\system\RYIwiOR.exe

MD5 d087d60bee972482ba414dde57d94064
SHA1 0e58102d75409e85387c950e86f4cc96da371515
SHA256 1ee51685b7af314df3c8f01c4b39b91c739a420b0c8968c9cd986b716fd08dc9
SHA512 500b3e00dc02005c17b03b8494021fddbab5916723a913433d6ef89aa2cf4e6e68fc4172636b2bd68c73de2d44f0d00b4e792d1f453e109ae727ef66e97b6e2b

C:\Windows\system\UaAPqQQ.exe

MD5 7a7cd4e734c6f2632f0a46add1b0b648
SHA1 7656c873c48bfede449e7dca92f1494455d5ca4d
SHA256 ee4d4bc55661aed842567b033ed6b9f54e0d59c1679bce8cbf404ff16bcd75e3
SHA512 135a64e0a52684ab26d5f3b823ff8a9ba6eaa70022c2dbf2fc984bb976ea0ba770dd28317bc1eff31d2ca4bd1d7b5c9d25cb74778a76439a76cb9357d260ec2f

memory/2520-106-0x000000013F670000-0x000000013F9C4000-memory.dmp

C:\Windows\system\HMrVTRT.exe

MD5 392bfb954c8bde1343fc7a4c84ea55e9
SHA1 aef22e8df745f1d85d6a7a6873b99f38be177585
SHA256 4fbdae2eb6e9cd850b7ac0ad5ea56f20ee062e1220b11f1e5fc7e199289e1776
SHA512 dd814ce86b844ebe188e5c1d5d236af96f5edcd19a9cc995c43144053be0b13f358a0d37c94127475b3c700ee735ed91336e365c7955118fb8bc7e4ae769bf2f

\Windows\system\HMrVTRT.exe

MD5 67d7d0c360c2defa9a36a47a23af7dd6
SHA1 efd9d2994e80ef40cbaab5f7ef02420aebe17206
SHA256 0521cd0d1d60fc081a5e4d3f28f5a76a962e60920d871e29a2de526b0e72b791
SHA512 f5338aedc9e177da3d3af04e6946e9f03280307d40c8e1e2e21b270727d9ec57427c8f7861835c62a83f44226e722c786902eaaa4187cfaefc3a81305ca12e2b

memory/2188-137-0x000000013F2B0000-0x000000013F604000-memory.dmp

memory/3000-99-0x000000013F700000-0x000000013FA54000-memory.dmp

memory/1736-98-0x000000013F700000-0x000000013FA54000-memory.dmp

memory/1736-91-0x00000000022B0000-0x0000000002604000-memory.dmp

C:\Windows\system\ysDFWXX.exe

MD5 f6ff13f5b74581b4d693140d7ed15d42
SHA1 b5f72d745d10b4b9c5938885364efade2590a6ab
SHA256 0632369166c9bc5c9b434ffd89ec9c9f265e35db5f9f6e8b7957c45b2c7683c7
SHA512 39ddedcd48f0afefef8b6d9f4c6350246031d6adffaa23199754b30948665cbedbf8af674f3d181d1c85403f8709c1fd9ff92429b133ea7e8be126dcdcc115dd

\Windows\system\ysDFWXX.exe

MD5 ced6503f1c442b215a831868d06a53c4
SHA1 d1546486e9a0a87544debc9d7cfe00f7d2fcb25b
SHA256 e275615d23ea2865d75a0660f437a7d370977a82d9b793f46f83217faabc1309
SHA512 6a0a0fbefffb4e18dbf3cf69b0665c759689d4226cfb687511f02c0243028181f491c0c45e1d040428b7fac5c6352059fa68bd53dd377cd6e8ca55b464eab7e6

\Windows\system\RGtKvny.exe

MD5 0c889b2cf4cc08ad6fd922ca312c17e1
SHA1 f5b45fb9a6def28157e603f9c3cde74ddbe22c2d
SHA256 c03fd608ca3ca8fdff6fcd672a297712dcd914a0feb13d42092191a53962dfa6
SHA512 68934fba5ce2ef3490dd2c9f60e7005b8e234a9ad2c46bdce0a867cde65920e6acb902e6287c577b4824d66c818991d87cca4ebbe40755e252ef4ba431ea9b05

memory/2256-85-0x000000013F5F0000-0x000000013F944000-memory.dmp

memory/1736-84-0x000000013F5F0000-0x000000013F944000-memory.dmp

C:\Windows\system\kyCzxXM.exe

MD5 6f576608053fcf29ed404927c5fb26e0
SHA1 9070cbacf17ecc2168e221d7e4526388e3a25209
SHA256 cbd8e45cf18567a54ae4e3ee707a71da40fa2cf9f818cff08c7d101780e56f6c
SHA512 4b9f8883d8874648c7907a88329ac2618c565ac3623a0d69b3f4c0e9ec1cdc172784065d108077973ed8f696d4285a0844f406c04dff3b72af4c4088078fbf2a

memory/2392-78-0x000000013F790000-0x000000013FAE4000-memory.dmp

memory/2864-77-0x000000013FE40000-0x0000000140194000-memory.dmp

C:\Windows\system\LpGrckF.exe

MD5 599ae7f1dfdc3e12d22b505e1579eed5
SHA1 44d2434e3fc35ffd8da9fb200647988833d833c1
SHA256 de913118e473fb6f56d8fdbc6f1a209552cc3230fd0229caab472a65af56fb7d
SHA512 628c3bd4ddd6da7bad56fe5eb51798d5501d41b4eedb9656e30d55709233fec51e0c08eae61774d36d5107985c40d2f1653f900ea8ad915b3ca4d5d991067f3c

memory/2680-71-0x000000013F560000-0x000000013F8B4000-memory.dmp

memory/1736-70-0x000000013F560000-0x000000013F8B4000-memory.dmp

memory/2528-64-0x000000013FCC0000-0x0000000140014000-memory.dmp

memory/1736-63-0x000000013FC90000-0x000000013FFE4000-memory.dmp

C:\Windows\system\kffWXoO.exe

MD5 4f17e12a53ee5aee4ae8f5a7a959f84a
SHA1 2f0da666e465db6ff66879c7aab09fc3c4c136d5
SHA256 e97a388d34e0be6f1ef14a372be34b5315037b66eab49336eaed21bb06854c37
SHA512 64c859abe0a6bc9ee388d98cbc819b3026eacaf7755b303a746613aa605c694adfb918fc0cc3bb6673990f91a3867e0f1a9eb5116df6cb8b432a61fb6ab8c238

memory/2840-51-0x000000013FCA0000-0x000000013FFF4000-memory.dmp

memory/1736-50-0x00000000022B0000-0x0000000002604000-memory.dmp

C:\Windows\system\WHAbgyL.exe

MD5 8e9a56ccd9e0998e0e10657d2e5b8a28
SHA1 62db83deb188b34d0703d5fb5cd345acd948966f
SHA256 f8aadcc13094264527ef90a8e3927233e9510330b8d5b82dbeccb8c03de4b4d3
SHA512 cd113b3d29f5e540658dbd8735466bf5e8b6ea0abc5d853aa1834e8387348e417887e6b5b0e1969d5e346d49e4aecd12eff3fa370ce80d45d7fd3f7404f02aec

memory/1736-56-0x00000000022B0000-0x0000000002604000-memory.dmp

memory/2188-42-0x000000013F2B0000-0x000000013F604000-memory.dmp

memory/1736-41-0x000000013F2B0000-0x000000013F604000-memory.dmp

memory/2520-36-0x000000013F670000-0x000000013F9C4000-memory.dmp

memory/1736-35-0x000000013F670000-0x000000013F9C4000-memory.dmp

C:\Windows\system\PbFpdoM.exe

MD5 04d51d193560bd7cbe3c1aa4176588ed
SHA1 50c403f2cdd24613871102930823a4077a309a84
SHA256 d2f2e6f71c7392c54365bfeba96646f1b48bfc2b35cee99399fabe8555745a79
SHA512 16c84370d3456e4b479306cb1207e32853b3b3dacdc34ee2c06bac6f00e0ed99d27f6c49bc2894052479d03d45c8d3898044a71ee9425a44f4f5a31a42b6918a

C:\Windows\system\SMsRqgO.exe

MD5 faffcf3d398d3fe1bcff9a2c280fa6c4
SHA1 7a6a72bfe81ed3ad6258f1efc93dee0c22d4cc59
SHA256 36bce5488bd1870aefc42e110b9f27238fbc2170af713fb52c657a711949700c
SHA512 170895045fd922e2625497da13d6e048e92c7a7b04677856cfeda4d5fbf493f2de84761f3d8a6f2e9c64f453253c9df99985836e8cab3960da0305937d5b0c12

memory/2432-138-0x000000013FB00000-0x000000013FE54000-memory.dmp

memory/2528-140-0x000000013FCC0000-0x0000000140014000-memory.dmp

memory/1736-139-0x00000000022B0000-0x0000000002604000-memory.dmp

memory/1736-141-0x000000013F560000-0x000000013F8B4000-memory.dmp

memory/2680-142-0x000000013F560000-0x000000013F8B4000-memory.dmp

memory/2392-143-0x000000013F790000-0x000000013FAE4000-memory.dmp

memory/2256-145-0x000000013F5F0000-0x000000013F944000-memory.dmp

memory/1736-144-0x000000013F5F0000-0x000000013F944000-memory.dmp

memory/2836-146-0x000000013FAC0000-0x000000013FE14000-memory.dmp

memory/3000-148-0x000000013F700000-0x000000013FA54000-memory.dmp

memory/1736-147-0x000000013F700000-0x000000013FA54000-memory.dmp

memory/2864-149-0x000000013FE40000-0x0000000140194000-memory.dmp

memory/2604-151-0x000000013F570000-0x000000013F8C4000-memory.dmp

memory/2692-150-0x000000013F260000-0x000000013F5B4000-memory.dmp

memory/1676-152-0x000000013F5A0000-0x000000013F8F4000-memory.dmp

memory/2520-153-0x000000013F670000-0x000000013F9C4000-memory.dmp

memory/2840-155-0x000000013FCA0000-0x000000013FFF4000-memory.dmp

memory/2188-154-0x000000013F2B0000-0x000000013F604000-memory.dmp

memory/2432-156-0x000000013FB00000-0x000000013FE54000-memory.dmp

memory/2528-157-0x000000013FCC0000-0x0000000140014000-memory.dmp

memory/2680-158-0x000000013F560000-0x000000013F8B4000-memory.dmp

memory/2392-159-0x000000013F790000-0x000000013FAE4000-memory.dmp

memory/2256-160-0x000000013F5F0000-0x000000013F944000-memory.dmp

memory/2836-161-0x000000013FAC0000-0x000000013FE14000-memory.dmp

memory/3000-162-0x000000013F700000-0x000000013FA54000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-09 03:00

Reported

2024-06-09 03:03

Platform

win10v2004-20240508-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-09_f28ebae94ad4d1c576383ef240194436_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\HMrVTRT.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_f28ebae94ad4d1c576383ef240194436_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\tyTWUUf.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_f28ebae94ad4d1c576383ef240194436_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\LRGDCiX.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_f28ebae94ad4d1c576383ef240194436_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\PbFpdoM.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_f28ebae94ad4d1c576383ef240194436_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\WHAbgyL.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_f28ebae94ad4d1c576383ef240194436_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\XPcOhTf.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_f28ebae94ad4d1c576383ef240194436_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\LpGrckF.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_f28ebae94ad4d1c576383ef240194436_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ZOSjAds.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_f28ebae94ad4d1c576383ef240194436_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\RHXnFcl.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_f28ebae94ad4d1c576383ef240194436_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\kffWXoO.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_f28ebae94ad4d1c576383ef240194436_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\RGtKvny.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_f28ebae94ad4d1c576383ef240194436_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\DqLAJty.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_f28ebae94ad4d1c576383ef240194436_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\kyCzxXM.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_f28ebae94ad4d1c576383ef240194436_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\RYIwiOR.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_f28ebae94ad4d1c576383ef240194436_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\VvFtaHm.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_f28ebae94ad4d1c576383ef240194436_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\QInkysK.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_f28ebae94ad4d1c576383ef240194436_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\deeZsmq.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_f28ebae94ad4d1c576383ef240194436_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\SMsRqgO.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_f28ebae94ad4d1c576383ef240194436_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ysDFWXX.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_f28ebae94ad4d1c576383ef240194436_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\UaAPqQQ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_f28ebae94ad4d1c576383ef240194436_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\zIIUcyY.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_f28ebae94ad4d1c576383ef240194436_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_f28ebae94ad4d1c576383ef240194436_cobalt-strike_cobaltstrike.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_f28ebae94ad4d1c576383ef240194436_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 724 wrote to memory of 2868 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_f28ebae94ad4d1c576383ef240194436_cobalt-strike_cobaltstrike.exe C:\Windows\System\ZOSjAds.exe
PID 724 wrote to memory of 2868 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_f28ebae94ad4d1c576383ef240194436_cobalt-strike_cobaltstrike.exe C:\Windows\System\ZOSjAds.exe
PID 724 wrote to memory of 4168 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_f28ebae94ad4d1c576383ef240194436_cobalt-strike_cobaltstrike.exe C:\Windows\System\deeZsmq.exe
PID 724 wrote to memory of 4168 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_f28ebae94ad4d1c576383ef240194436_cobalt-strike_cobaltstrike.exe C:\Windows\System\deeZsmq.exe
PID 724 wrote to memory of 2536 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_f28ebae94ad4d1c576383ef240194436_cobalt-strike_cobaltstrike.exe C:\Windows\System\RHXnFcl.exe
PID 724 wrote to memory of 2536 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_f28ebae94ad4d1c576383ef240194436_cobalt-strike_cobaltstrike.exe C:\Windows\System\RHXnFcl.exe
PID 724 wrote to memory of 224 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_f28ebae94ad4d1c576383ef240194436_cobalt-strike_cobaltstrike.exe C:\Windows\System\LRGDCiX.exe
PID 724 wrote to memory of 224 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_f28ebae94ad4d1c576383ef240194436_cobalt-strike_cobaltstrike.exe C:\Windows\System\LRGDCiX.exe
PID 724 wrote to memory of 3772 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_f28ebae94ad4d1c576383ef240194436_cobalt-strike_cobaltstrike.exe C:\Windows\System\PbFpdoM.exe
PID 724 wrote to memory of 3772 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_f28ebae94ad4d1c576383ef240194436_cobalt-strike_cobaltstrike.exe C:\Windows\System\PbFpdoM.exe
PID 724 wrote to memory of 3776 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_f28ebae94ad4d1c576383ef240194436_cobalt-strike_cobaltstrike.exe C:\Windows\System\SMsRqgO.exe
PID 724 wrote to memory of 3776 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_f28ebae94ad4d1c576383ef240194436_cobalt-strike_cobaltstrike.exe C:\Windows\System\SMsRqgO.exe
PID 724 wrote to memory of 1524 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_f28ebae94ad4d1c576383ef240194436_cobalt-strike_cobaltstrike.exe C:\Windows\System\WHAbgyL.exe
PID 724 wrote to memory of 1524 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_f28ebae94ad4d1c576383ef240194436_cobalt-strike_cobaltstrike.exe C:\Windows\System\WHAbgyL.exe
PID 724 wrote to memory of 1016 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_f28ebae94ad4d1c576383ef240194436_cobalt-strike_cobaltstrike.exe C:\Windows\System\DqLAJty.exe
PID 724 wrote to memory of 1016 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_f28ebae94ad4d1c576383ef240194436_cobalt-strike_cobaltstrike.exe C:\Windows\System\DqLAJty.exe
PID 724 wrote to memory of 1472 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_f28ebae94ad4d1c576383ef240194436_cobalt-strike_cobaltstrike.exe C:\Windows\System\kffWXoO.exe
PID 724 wrote to memory of 1472 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_f28ebae94ad4d1c576383ef240194436_cobalt-strike_cobaltstrike.exe C:\Windows\System\kffWXoO.exe
PID 724 wrote to memory of 5024 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_f28ebae94ad4d1c576383ef240194436_cobalt-strike_cobaltstrike.exe C:\Windows\System\XPcOhTf.exe
PID 724 wrote to memory of 5024 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_f28ebae94ad4d1c576383ef240194436_cobalt-strike_cobaltstrike.exe C:\Windows\System\XPcOhTf.exe
PID 724 wrote to memory of 2240 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_f28ebae94ad4d1c576383ef240194436_cobalt-strike_cobaltstrike.exe C:\Windows\System\LpGrckF.exe
PID 724 wrote to memory of 2240 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_f28ebae94ad4d1c576383ef240194436_cobalt-strike_cobaltstrike.exe C:\Windows\System\LpGrckF.exe
PID 724 wrote to memory of 4844 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_f28ebae94ad4d1c576383ef240194436_cobalt-strike_cobaltstrike.exe C:\Windows\System\kyCzxXM.exe
PID 724 wrote to memory of 4844 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_f28ebae94ad4d1c576383ef240194436_cobalt-strike_cobaltstrike.exe C:\Windows\System\kyCzxXM.exe
PID 724 wrote to memory of 2532 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_f28ebae94ad4d1c576383ef240194436_cobalt-strike_cobaltstrike.exe C:\Windows\System\RGtKvny.exe
PID 724 wrote to memory of 2532 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_f28ebae94ad4d1c576383ef240194436_cobalt-strike_cobaltstrike.exe C:\Windows\System\RGtKvny.exe
PID 724 wrote to memory of 4000 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_f28ebae94ad4d1c576383ef240194436_cobalt-strike_cobaltstrike.exe C:\Windows\System\ysDFWXX.exe
PID 724 wrote to memory of 4000 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_f28ebae94ad4d1c576383ef240194436_cobalt-strike_cobaltstrike.exe C:\Windows\System\ysDFWXX.exe
PID 724 wrote to memory of 1756 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_f28ebae94ad4d1c576383ef240194436_cobalt-strike_cobaltstrike.exe C:\Windows\System\HMrVTRT.exe
PID 724 wrote to memory of 1756 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_f28ebae94ad4d1c576383ef240194436_cobalt-strike_cobaltstrike.exe C:\Windows\System\HMrVTRT.exe
PID 724 wrote to memory of 5092 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_f28ebae94ad4d1c576383ef240194436_cobalt-strike_cobaltstrike.exe C:\Windows\System\UaAPqQQ.exe
PID 724 wrote to memory of 5092 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_f28ebae94ad4d1c576383ef240194436_cobalt-strike_cobaltstrike.exe C:\Windows\System\UaAPqQQ.exe
PID 724 wrote to memory of 412 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_f28ebae94ad4d1c576383ef240194436_cobalt-strike_cobaltstrike.exe C:\Windows\System\zIIUcyY.exe
PID 724 wrote to memory of 412 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_f28ebae94ad4d1c576383ef240194436_cobalt-strike_cobaltstrike.exe C:\Windows\System\zIIUcyY.exe
PID 724 wrote to memory of 1184 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_f28ebae94ad4d1c576383ef240194436_cobalt-strike_cobaltstrike.exe C:\Windows\System\RYIwiOR.exe
PID 724 wrote to memory of 1184 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_f28ebae94ad4d1c576383ef240194436_cobalt-strike_cobaltstrike.exe C:\Windows\System\RYIwiOR.exe
PID 724 wrote to memory of 1492 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_f28ebae94ad4d1c576383ef240194436_cobalt-strike_cobaltstrike.exe C:\Windows\System\VvFtaHm.exe
PID 724 wrote to memory of 1492 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_f28ebae94ad4d1c576383ef240194436_cobalt-strike_cobaltstrike.exe C:\Windows\System\VvFtaHm.exe
PID 724 wrote to memory of 3724 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_f28ebae94ad4d1c576383ef240194436_cobalt-strike_cobaltstrike.exe C:\Windows\System\QInkysK.exe
PID 724 wrote to memory of 3724 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_f28ebae94ad4d1c576383ef240194436_cobalt-strike_cobaltstrike.exe C:\Windows\System\QInkysK.exe
PID 724 wrote to memory of 4464 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_f28ebae94ad4d1c576383ef240194436_cobalt-strike_cobaltstrike.exe C:\Windows\System\tyTWUUf.exe
PID 724 wrote to memory of 4464 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_f28ebae94ad4d1c576383ef240194436_cobalt-strike_cobaltstrike.exe C:\Windows\System\tyTWUUf.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-09_f28ebae94ad4d1c576383ef240194436_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-09_f28ebae94ad4d1c576383ef240194436_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\ZOSjAds.exe

C:\Windows\System\ZOSjAds.exe

C:\Windows\System\deeZsmq.exe

C:\Windows\System\deeZsmq.exe

C:\Windows\System\RHXnFcl.exe

C:\Windows\System\RHXnFcl.exe

C:\Windows\System\LRGDCiX.exe

C:\Windows\System\LRGDCiX.exe

C:\Windows\System\PbFpdoM.exe

C:\Windows\System\PbFpdoM.exe

C:\Windows\System\SMsRqgO.exe

C:\Windows\System\SMsRqgO.exe

C:\Windows\System\WHAbgyL.exe

C:\Windows\System\WHAbgyL.exe

C:\Windows\System\DqLAJty.exe

C:\Windows\System\DqLAJty.exe

C:\Windows\System\kffWXoO.exe

C:\Windows\System\kffWXoO.exe

C:\Windows\System\XPcOhTf.exe

C:\Windows\System\XPcOhTf.exe

C:\Windows\System\LpGrckF.exe

C:\Windows\System\LpGrckF.exe

C:\Windows\System\kyCzxXM.exe

C:\Windows\System\kyCzxXM.exe

C:\Windows\System\RGtKvny.exe

C:\Windows\System\RGtKvny.exe

C:\Windows\System\ysDFWXX.exe

C:\Windows\System\ysDFWXX.exe

C:\Windows\System\HMrVTRT.exe

C:\Windows\System\HMrVTRT.exe

C:\Windows\System\UaAPqQQ.exe

C:\Windows\System\UaAPqQQ.exe

C:\Windows\System\zIIUcyY.exe

C:\Windows\System\zIIUcyY.exe

C:\Windows\System\RYIwiOR.exe

C:\Windows\System\RYIwiOR.exe

C:\Windows\System\VvFtaHm.exe

C:\Windows\System\VvFtaHm.exe

C:\Windows\System\QInkysK.exe

C:\Windows\System\QInkysK.exe

C:\Windows\System\tyTWUUf.exe

C:\Windows\System\tyTWUUf.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 33.144.22.2.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 28.173.189.20.in-addr.arpa udp

Files

memory/724-0-0x00007FF74E2A0000-0x00007FF74E5F4000-memory.dmp

memory/724-1-0x000002A0EF240000-0x000002A0EF250000-memory.dmp

C:\Windows\System\ZOSjAds.exe

MD5 08eafc1774f698f370d0718289fcd234
SHA1 66b83b284ce1d9c4fc471d3e4551706cab8375fe
SHA256 14085b5a368d46c833885e8e8019623a4fde452e1307b111b230fe8b13333f47
SHA512 41a069d761cee4c3d0d86eb44de3cd9c0b7aa5012b0db410f996238976ec9817750ab5bd5744739d63f870ed6252eec49bade9191d8e10f8c3aeeb207e0289fb

memory/2868-8-0x00007FF7EBF50000-0x00007FF7EC2A4000-memory.dmp

C:\Windows\System\RHXnFcl.exe

MD5 1f998fa697cd8622747a38f64299a573
SHA1 492bbb2ea85f471c6ca2e1fe5d05c26642503178
SHA256 57338c9fb6668d33eb6ff3885eee80504faa7da870b3ba319d2f3569c94336aa
SHA512 d430b654fac541e8b00cfa42698ab7671c7a46de805e83f4ed6a3124f48ef7f864104c6e4082598264017e555b0bf6556978391f1b8f2ad72d4db1331db1571c

memory/4168-20-0x00007FF7FCFF0000-0x00007FF7FD344000-memory.dmp

C:\Windows\System\LRGDCiX.exe

MD5 ab9b7f419fd2a276a4c460a89170d441
SHA1 102f31dcb179d7f22b7bf328e449b251d74ed673
SHA256 edb8cd63fd2a65550bbe52f25806394e94eb919ddef861a54c41892c32e89632
SHA512 c32b30203801d6b564309596c05af33d2bfe6d1573fc74ffd40050a63a5850e2879d02ff75377f59d54711687b638b8332efb132e98e801fae307699e076c749

C:\Windows\System\SMsRqgO.exe

MD5 15c2d97864e8c143fb2518e0d79fe7fc
SHA1 e88572ddf165f0fd9684d13af9c029353692e01c
SHA256 f56dcefe5e943360d37621024dfce55002d169a9fc20a0d3be94d0ceb21ce2ea
SHA512 81d7f5d1a85d3230d7a4c1df13f6d160a5072ed0dca0e2479f7dc8ebf2b4e78f88b17bc6533f7a3689abd5114e54b7d80f16d54b57382e98466e1e523e170ec0

memory/224-37-0x00007FF61BA00000-0x00007FF61BD54000-memory.dmp

C:\Windows\System\WHAbgyL.exe

MD5 b5d6c8b472f6137523570f20868f4041
SHA1 61a520c4e5802e3278d223745c0d5b53798489c3
SHA256 df7d971e23b4ededa31b1693094cae103f35c8a092bea9c558c1e9bba9ccc324
SHA512 310f2bca69858a022c70080fd06c881ff6459ee943f0afef48d3fc47591912fad27b5857e0c076a90ca0c03ab0f8ff278f0a7686305712014a6bb182fc4a4229

C:\Windows\System\DqLAJty.exe

MD5 f6ff13f5b74581b4d693140d7ed15d42
SHA1 b5f72d745d10b4b9c5938885364efade2590a6ab
SHA256 0632369166c9bc5c9b434ffd89ec9c9f265e35db5f9f6e8b7957c45b2c7683c7
SHA512 39ddedcd48f0afefef8b6d9f4c6350246031d6adffaa23199754b30948665cbedbf8af674f3d181d1c85403f8709c1fd9ff92429b133ea7e8be126dcdcc115dd

C:\Windows\System\DqLAJty.exe

MD5 bf1b8e5e1f1d2494586162de540bad5c
SHA1 fbf2bd329a558f72391f6c28d843d05a17a04440
SHA256 54224a3d5a1523da6d82b55f882fa9dac7a24f2f8017a5f473946a6332981a6e
SHA512 a2622afff70973432d33a819bafb070f9b0804644190ea9af2744df7c68badba6c5bf058e0362eff3a678cb5738677984122d3ec888c13c2d38dced38501321f

C:\Windows\System\XPcOhTf.exe

MD5 0c4fa25607b4370165ec346f1ab5cf33
SHA1 e793a93cf0e5f3e380ba686a46b04e292ac07498
SHA256 f680fd2e7e49c6829b698cc5e2e48b3f3ec8ee78dfde1c28c492f9f7a1d1aa8a
SHA512 57cf1299c34833ccdb24babcc7aeb948098cf922afcd315f5a5058d132d8d7c108e23a581403cea07290b7bffcfee0f7a4aa118bae4b90c90b7ccd5b4bd86e46

C:\Windows\System\kffWXoO.exe

MD5 1a0e1455de686b8158fbc1e4c92a2f9d
SHA1 29170fbafb064ea2f4235b38c121cb23ca398b78
SHA256 751d7a519550296e44f729642a25deee57e02effc38513cfbd1634914ad4844e
SHA512 0c3cf17afd7417c22e0ca6141bcc86ad947d316dec4ac51bbf0cfbf64b1e1e9ff9d8ef71b04c70e0dce9d50c4cfc20ef43f31d0c81e2d8a56a7eec0800995807

memory/1524-66-0x00007FF7609A0000-0x00007FF760CF4000-memory.dmp

C:\Windows\System\RGtKvny.exe

MD5 0c889b2cf4cc08ad6fd922ca312c17e1
SHA1 f5b45fb9a6def28157e603f9c3cde74ddbe22c2d
SHA256 c03fd608ca3ca8fdff6fcd672a297712dcd914a0feb13d42092191a53962dfa6
SHA512 68934fba5ce2ef3490dd2c9f60e7005b8e234a9ad2c46bdce0a867cde65920e6acb902e6287c577b4824d66c818991d87cca4ebbe40755e252ef4ba431ea9b05

C:\Windows\System\ysDFWXX.exe

MD5 17fc50ceee2e03d90dc66d1b696ae04c
SHA1 edb9bfabb63dae8151ef58d586ad8bd320e46954
SHA256 fc4616ed39d09901bce558c977cf8c1b0bb141044fdc081427724967ba6dd3fa
SHA512 d8c3393f993fa67b8b0595df5ee762653e8d56a623f080da9228a5a0d869ef0a7edc1d904724d72b970bf2e625e4a5f9c12c3697e318c3a3b3b8ac5cb30955dc

memory/1016-91-0x00007FF7FBC00000-0x00007FF7FBF54000-memory.dmp

memory/2532-95-0x00007FF622100000-0x00007FF622454000-memory.dmp

memory/5092-101-0x00007FF673CA0000-0x00007FF673FF4000-memory.dmp

memory/1756-103-0x00007FF7FA720000-0x00007FF7FAA74000-memory.dmp

memory/412-102-0x00007FF6FA440000-0x00007FF6FA794000-memory.dmp

memory/4000-100-0x00007FF6F78A0000-0x00007FF6F7BF4000-memory.dmp

C:\Windows\System\UaAPqQQ.exe

MD5 64608890dcd212091a87599b2f0612b4
SHA1 642cba6fdd06687bf7b84652d1d79a4e1e6a2442
SHA256 b0713465db08a043a2fc63565826669db6692aab975c0e29a5185ae16112322b
SHA512 9bdeddb8d2b5d212ce44eb56a90491fbba59fad54bddc0d8b4b8bf820f02cd20cd341a5b8d7dee63bec0cc37a66e5649ab2d3fa0a94759da8902674545d3a347

C:\Windows\System\HMrVTRT.exe

MD5 984a8cf637fc9f46a5be1646493a183b
SHA1 eff3045fcb5d0b4a9321004fdd3e94f3f336f5af
SHA256 0d4a824efda706db87b77805c320758f4772451fa0404efc091a4e3040c61068
SHA512 f10e98d33b97922d86b629662f92ca9b0747603db9cee26627e84885ca9797232c0f5349bf7b35b6812a24bc6e60bd825c6020365d2a762c823adc6158a78b7d

C:\Windows\System\zIIUcyY.exe

MD5 520306f0af217a723b94881629ed2c1f
SHA1 edfebe61571cd3958f1312a9985e7616d97f5058
SHA256 753b1655c90b67a0e9ef8ac7f9ad5137a5f68ca7523e64de621b55f82736ad40
SHA512 9ac6a96dd03c1ec975477a89483a2d662a3a654c6c49304a4eef6675c320419be317a4ea86000c6b38c10beb98f86f51309fa6427a10328bb6e8081fbc42222e

memory/4844-92-0x00007FF76F080000-0x00007FF76F3D4000-memory.dmp

C:\Windows\System\UaAPqQQ.exe

MD5 d087d60bee972482ba414dde57d94064
SHA1 0e58102d75409e85387c950e86f4cc96da371515
SHA256 1ee51685b7af314df3c8f01c4b39b91c739a420b0c8968c9cd986b716fd08dc9
SHA512 500b3e00dc02005c17b03b8494021fddbab5916723a913433d6ef89aa2cf4e6e68fc4172636b2bd68c73de2d44f0d00b4e792d1f453e109ae727ef66e97b6e2b

C:\Windows\System\ysDFWXX.exe

MD5 ced6503f1c442b215a831868d06a53c4
SHA1 d1546486e9a0a87544debc9d7cfe00f7d2fcb25b
SHA256 e275615d23ea2865d75a0660f437a7d370977a82d9b793f46f83217faabc1309
SHA512 6a0a0fbefffb4e18dbf3cf69b0665c759689d4226cfb687511f02c0243028181f491c0c45e1d040428b7fac5c6352059fa68bd53dd377cd6e8ca55b464eab7e6

C:\Windows\System\HMrVTRT.exe

MD5 7aaed59e81883ccc6a1f51d7ceba8aea
SHA1 ad439da9e172d66fb363ee3ccdeb784403802da7
SHA256 60993be56448ec872285aca4f955766be9ffb9322286c54762c862c7bff99a4a
SHA512 a8213af11deee16995da3c584834892588465d8fcd7ba16d1dd81cde7e4051b7f82cc58b51f91d4f9df8d00b1ae51dd7c77c17c0b2f9917f25c200091d3e704c

memory/3772-86-0x00007FF6F89C0000-0x00007FF6F8D14000-memory.dmp

memory/2240-80-0x00007FF60E930000-0x00007FF60EC84000-memory.dmp

C:\Windows\System\kyCzxXM.exe

MD5 6f576608053fcf29ed404927c5fb26e0
SHA1 9070cbacf17ecc2168e221d7e4526388e3a25209
SHA256 cbd8e45cf18567a54ae4e3ee707a71da40fa2cf9f818cff08c7d101780e56f6c
SHA512 4b9f8883d8874648c7907a88329ac2618c565ac3623a0d69b3f4c0e9ec1cdc172784065d108077973ed8f696d4285a0844f406c04dff3b72af4c4088078fbf2a

memory/5024-72-0x00007FF7A45B0000-0x00007FF7A4904000-memory.dmp

C:\Windows\System\LpGrckF.exe

MD5 38e1b7b0b9aa649f5c14f03127a6d132
SHA1 3917ca36707cd2c4dba6b6926d34a14a7bb117b1
SHA256 ddb3f57945f3929208b2b32e9fb1bc992b84f62c9f6d825404b952bbb20eee72
SHA512 47f8cf2986d63387cdc2751aeb8271afa2f9ce56ab0a21337ea9677985ff041ab00a0daf7ea6b9731948111f864f618de503be2edb6c7c0b58599566140c22a0

memory/1472-67-0x00007FF675B30000-0x00007FF675E84000-memory.dmp

memory/3776-62-0x00007FF773630000-0x00007FF773984000-memory.dmp

C:\Windows\System\LpGrckF.exe

MD5 599ae7f1dfdc3e12d22b505e1579eed5
SHA1 44d2434e3fc35ffd8da9fb200647988833d833c1
SHA256 de913118e473fb6f56d8fdbc6f1a209552cc3230fd0229caab472a65af56fb7d
SHA512 628c3bd4ddd6da7bad56fe5eb51798d5501d41b4eedb9656e30d55709233fec51e0c08eae61774d36d5107985c40d2f1653f900ea8ad915b3ca4d5d991067f3c

C:\Windows\System\XPcOhTf.exe

MD5 79cb800fff47a06afebef72028461c94
SHA1 ff75505398b632020d3756d39d393f7d0d663647
SHA256 2760b590a3c4c257a39f7b7571e6c124eaff33574997b2f854f74eb79aa5ddcd
SHA512 78f1927d2b050cb370b68ab097fb94c3e648811aa84b2fd62943b155b74ce09079cdacc50c8966802fcb433c83f629e8829ddc1d359fa6ac0fd803671d765d22

C:\Windows\System\kffWXoO.exe

MD5 4f17e12a53ee5aee4ae8f5a7a959f84a
SHA1 2f0da666e465db6ff66879c7aab09fc3c4c136d5
SHA256 e97a388d34e0be6f1ef14a372be34b5315037b66eab49336eaed21bb06854c37
SHA512 64c859abe0a6bc9ee388d98cbc819b3026eacaf7755b303a746613aa605c694adfb918fc0cc3bb6673990f91a3867e0f1a9eb5116df6cb8b432a61fb6ab8c238

C:\Windows\System\WHAbgyL.exe

MD5 8e9a56ccd9e0998e0e10657d2e5b8a28
SHA1 62db83deb188b34d0703d5fb5cd345acd948966f
SHA256 f8aadcc13094264527ef90a8e3927233e9510330b8d5b82dbeccb8c03de4b4d3
SHA512 cd113b3d29f5e540658dbd8735466bf5e8b6ea0abc5d853aa1834e8387348e417887e6b5b0e1969d5e346d49e4aecd12eff3fa370ce80d45d7fd3f7404f02aec

C:\Windows\System\SMsRqgO.exe

MD5 faffcf3d398d3fe1bcff9a2c280fa6c4
SHA1 7a6a72bfe81ed3ad6258f1efc93dee0c22d4cc59
SHA256 36bce5488bd1870aefc42e110b9f27238fbc2170af713fb52c657a711949700c
SHA512 170895045fd922e2625497da13d6e048e92c7a7b04677856cfeda4d5fbf493f2de84761f3d8a6f2e9c64f453253c9df99985836e8cab3960da0305937d5b0c12

C:\Windows\System\PbFpdoM.exe

MD5 ed0e997a4e2bd44d6cffef178134421e
SHA1 e0bd7edc8371b83e891888ab1a78ef80151d1f83
SHA256 68c2ac04b6c388dd16baa7ef6b9af76562dd1aaec6dff14c1cad639af093f1cf
SHA512 a7adb794b5474a373d6dad7dd6f3c1f2bc1e403d9744332189c01caab75a2b5d3b122602e94e3c54bb48a3e96785c69d48df700d88c5445e290a366de011e20c

memory/2536-23-0x00007FF73FF80000-0x00007FF7402D4000-memory.dmp

C:\Windows\System\deeZsmq.exe

MD5 af48687689822d5820e79e82ff60116d
SHA1 9b735584a6b32d5f788e7e7004e33080c80fd469
SHA256 f8b520209de195a21b7127e4ce870f24844c9e5717cee39aeb5aaec0dce507d9
SHA512 8e946bddbf65ba5ea6ec8826dd4d31e5d38abd028e868f38bff9da7e8fe8ca82aa994323c6efc53177353620557f07148ee4ca42ab6fb2a74e8c6647a8e3c108

C:\Windows\System\RHXnFcl.exe

MD5 4b7216d89e20f49e9c16c0253cc47511
SHA1 2897390157f4ddd1aa5b6b0434e8fd2685151896
SHA256 04a2e3581379ca63394646169e2f7cb8764608261eb5b43957d0130fd0e5013f
SHA512 f54f6e029123d95222d09bc2138897f709e3650dbd2270183df96ad9e927ef303c0844f40a0b5cc26ee82536f2274eb38af1088d33729d685b4f9415ecb7be84

C:\Windows\System\RYIwiOR.exe

MD5 170dd624fc04fc3839f9c4b66a089ce7
SHA1 689050489367e9d7989856de58d7dae4b3e867bb
SHA256 2882c9c886d8464419d873a9064b43411cb65ebce3e3928914a03cf014d51b3b
SHA512 6c2577b1133dc0e707ddd0582933138a814bc91876e45b902c1ce646d61afa9efa2788e7db3f897838eebb25c1faa4d564ec0bef69844aab72cc22ec6531ab9a

memory/1184-108-0x00007FF798ED0000-0x00007FF799224000-memory.dmp

C:\Windows\System\VvFtaHm.exe

MD5 0628374c349921c969043e8b725a574d
SHA1 d4d4b61d7abb11c25e423140f9a833a035819e3d
SHA256 6f83751bb7dc13a49d7ca6c6a874635ca4829b15e2d7e8a8c8ddaf2890ac09c0
SHA512 2db578fa7a962b14aae5c857e6974664cd647108bf44f83523c1fc47be8f0f23756b21e5f42a2231cc51d1daf9889177945ad8eab23827274ef49200ad4dd7a1

C:\Windows\System\QInkysK.exe

MD5 df43099f8ecf7fc7231104cc7906f346
SHA1 3e71eb14c6e419a455fbd4a3234cbfb9f69fb428
SHA256 2fee27d95d784896594fd4c402904f15f7b6e8d0448726197f29a8303072c9e7
SHA512 0780e96102ed70b27cdcc7843ce59b45e8d687f99de38cd1f2d8f08d1be12d524f20b3d4f78294edd2ce2d1dc761badaaa437128842e8b787cbe7919b203b90d

memory/3724-126-0x00007FF626C80000-0x00007FF626FD4000-memory.dmp

memory/724-127-0x00007FF74E2A0000-0x00007FF74E5F4000-memory.dmp

memory/4464-128-0x00007FF640830000-0x00007FF640B84000-memory.dmp

C:\Windows\System\tyTWUUf.exe

MD5 e8c4508a392ccf08590d3627a36cc3c3
SHA1 3a57dd6c92ebc54582acaafd15cc9311eb0d15a2
SHA256 cea51cc96156d8e8255e2ccada29ae7300a3315f995e7ba6d44446f87dc9a09d
SHA512 f92387e78f5fe98543d9e60ae371868a188c86c9137b7d0a0d3bf28026dbd3fc59a4eb30687c1a9721f81959fcdee80d280162f492d355d2ec0e6a7c5d939410

C:\Windows\System\tyTWUUf.exe

MD5 fbb6a602f644dbf57142122f30692c9a
SHA1 8158aaa7168744874ea387599d6d2cead21e28a3
SHA256 3ededef3bd2586830b0a8597cb8ce36b4909b0421f6d3ed699083dfd6f8c0a7d
SHA512 594ad340712d040831c50ecaffbc2dabd957ed3d1d45fbdcb2c0a001df0ecad88502ea7ae79d922d80e7ca9a296427129145281a618e70a75857e869e5c45bfe

C:\Windows\System\QInkysK.exe

MD5 182702f8c189f2105671b3b193ea01bd
SHA1 5cbe4a492c7f661166b4ece7955c0ec73fadc31d
SHA256 a26e7690e7bc3ea344b69a7055744b04ab0a6a6f5efc215cd98698c2786c3f7f
SHA512 81af6029078315813c434ae562db848bfccfd0ce021093ded729c0431bbbdfab770bb5cf5e5e10bac76b9afc8886a0732e92ae0912c9dff147628a2530f045d1

memory/1492-117-0x00007FF63C900000-0x00007FF63CC54000-memory.dmp

memory/2536-129-0x00007FF73FF80000-0x00007FF7402D4000-memory.dmp

memory/2240-130-0x00007FF60E930000-0x00007FF60EC84000-memory.dmp

memory/1184-131-0x00007FF798ED0000-0x00007FF799224000-memory.dmp

memory/2868-132-0x00007FF7EBF50000-0x00007FF7EC2A4000-memory.dmp

memory/4168-133-0x00007FF7FCFF0000-0x00007FF7FD344000-memory.dmp

memory/2536-134-0x00007FF73FF80000-0x00007FF7402D4000-memory.dmp

memory/3772-136-0x00007FF6F89C0000-0x00007FF6F8D14000-memory.dmp

memory/3776-137-0x00007FF773630000-0x00007FF773984000-memory.dmp

memory/224-135-0x00007FF61BA00000-0x00007FF61BD54000-memory.dmp

memory/1016-139-0x00007FF7FBC00000-0x00007FF7FBF54000-memory.dmp

memory/1524-138-0x00007FF7609A0000-0x00007FF760CF4000-memory.dmp

memory/5024-141-0x00007FF7A45B0000-0x00007FF7A4904000-memory.dmp

memory/1472-140-0x00007FF675B30000-0x00007FF675E84000-memory.dmp

memory/2240-142-0x00007FF60E930000-0x00007FF60EC84000-memory.dmp

memory/4844-144-0x00007FF76F080000-0x00007FF76F3D4000-memory.dmp

memory/4000-145-0x00007FF6F78A0000-0x00007FF6F7BF4000-memory.dmp

memory/412-146-0x00007FF6FA440000-0x00007FF6FA794000-memory.dmp

memory/1756-148-0x00007FF7FA720000-0x00007FF7FAA74000-memory.dmp

memory/5092-147-0x00007FF673CA0000-0x00007FF673FF4000-memory.dmp

memory/2532-143-0x00007FF622100000-0x00007FF622454000-memory.dmp

memory/1184-150-0x00007FF798ED0000-0x00007FF799224000-memory.dmp

memory/3724-151-0x00007FF626C80000-0x00007FF626FD4000-memory.dmp

memory/4464-152-0x00007FF640830000-0x00007FF640B84000-memory.dmp

memory/1492-149-0x00007FF63C900000-0x00007FF63CC54000-memory.dmp