Malware Analysis Report

2024-10-16 03:05

Sample ID 240610-exnteaca6w
Target 2024-06-10_393b9c2df80caf08f819cbaf67025d08_cobalt-strike_cobaltstrike
SHA256 e2963245cac4520d3f0ede59c59224028fb2bc3764d6163ad1db7ef2f4eb10a2
Tags
xmrig miner upx 0 cobaltstrike
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

e2963245cac4520d3f0ede59c59224028fb2bc3764d6163ad1db7ef2f4eb10a2

Threat Level: Known bad

The file 2024-06-10_393b9c2df80caf08f819cbaf67025d08_cobalt-strike_cobaltstrike was found to be: Known bad.

Malicious Activity Summary

xmrig miner upx 0 cobaltstrike

UPX dump on OEP (original entry point)

Cobaltstrike family

xmrig

Cobalt Strike reflective loader

Xmrig family

Detects Reflective DLL injection artifacts

XMRig Miner payload

Loads dropped DLL

Executes dropped EXE

UPX packed file

Drops file in Windows directory

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-10 04:25

Signatures

Cobalt Strike reflective loader

Cobaltstrike family

cobaltstrike

Detects Reflective DLL injection artifacts

UPX dump on OEP (original entry point)

XMRig Miner payload

miner
Xmrig family

xmrig

UPX packed file

upx
Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-10 04:19

Reported

2024-06-10 04:41

Platform

win7-20240220-en

Max time kernel

133s

Max time network

140s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-10_393b9c2df80caf08f819cbaf67025d08_cobalt-strike_cobaltstrike.exe"

Signatures

xmrig

miner xmrig

UPX dump on OEP (original entry point)

XMRig Miner payload

miner
Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_393b9c2df80caf08f819cbaf67025d08_cobalt-strike_cobaltstrike.exe N/A (21 identical events)

UPX packed file

upx
Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\LfTceUM.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_393b9c2df80caf08f819cbaf67025d08_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\CPWnSWj.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_393b9c2df80caf08f819cbaf67025d08_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\fmhMZcG.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_393b9c2df80caf08f819cbaf67025d08_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\SlHeanr.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_393b9c2df80caf08f819cbaf67025d08_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\qjdXgIa.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_393b9c2df80caf08f819cbaf67025d08_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\GuHQESQ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_393b9c2df80caf08f819cbaf67025d08_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\HdxWZol.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_393b9c2df80caf08f819cbaf67025d08_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\TJyNqjY.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_393b9c2df80caf08f819cbaf67025d08_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\lQScvDL.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_393b9c2df80caf08f819cbaf67025d08_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\TwNQPXs.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_393b9c2df80caf08f819cbaf67025d08_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\LERvhzl.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_393b9c2df80caf08f819cbaf67025d08_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\VlCPDli.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_393b9c2df80caf08f819cbaf67025d08_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\rWOlEYx.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_393b9c2df80caf08f819cbaf67025d08_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\WnboJVE.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_393b9c2df80caf08f819cbaf67025d08_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ZWDvDKi.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_393b9c2df80caf08f819cbaf67025d08_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\YlMnsqK.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_393b9c2df80caf08f819cbaf67025d08_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\mTNlNTG.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_393b9c2df80caf08f819cbaf67025d08_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\hxzgwTw.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_393b9c2df80caf08f819cbaf67025d08_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\gjXOaPb.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_393b9c2df80caf08f819cbaf67025d08_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\BsSCPMu.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_393b9c2df80caf08f819cbaf67025d08_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\WnOgAuC.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_393b9c2df80caf08f819cbaf67025d08_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_393b9c2df80caf08f819cbaf67025d08_cobalt-strike_cobaltstrike.exe N/A (2 identical events)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1992 wrote to memory of 2900 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_393b9c2df80caf08f819cbaf67025d08_cobalt-strike_cobaltstrike.exe C:\Windows\System\WnboJVE.exe
PID 1992 wrote to memory of 2536 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_393b9c2df80caf08f819cbaf67025d08_cobalt-strike_cobaltstrike.exe C:\Windows\System\ZWDvDKi.exe
PID 1992 wrote to memory of 2616 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_393b9c2df80caf08f819cbaf67025d08_cobalt-strike_cobaltstrike.exe C:\Windows\System\LfTceUM.exe
PID 1992 wrote to memory of 2552 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_393b9c2df80caf08f819cbaf67025d08_cobalt-strike_cobaltstrike.exe C:\Windows\System\HdxWZol.exe
PID 1992 wrote to memory of 2652 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_393b9c2df80caf08f819cbaf67025d08_cobalt-strike_cobaltstrike.exe C:\Windows\System\TJyNqjY.exe
PID 1992 wrote to memory of 1960 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_393b9c2df80caf08f819cbaf67025d08_cobalt-strike_cobaltstrike.exe C:\Windows\System\YlMnsqK.exe
PID 1992 wrote to memory of 2420 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_393b9c2df80caf08f819cbaf67025d08_cobalt-strike_cobaltstrike.exe C:\Windows\System\CPWnSWj.exe
PID 1992 wrote to memory of 2396 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_393b9c2df80caf08f819cbaf67025d08_cobalt-strike_cobaltstrike.exe C:\Windows\System\lQScvDL.exe
PID 1992 wrote to memory of 2452 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_393b9c2df80caf08f819cbaf67025d08_cobalt-strike_cobaltstrike.exe C:\Windows\System\fmhMZcG.exe
PID 1992 wrote to memory of 2456 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_393b9c2df80caf08f819cbaf67025d08_cobalt-strike_cobaltstrike.exe C:\Windows\System\TwNQPXs.exe
PID 1992 wrote to memory of 1656 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_393b9c2df80caf08f819cbaf67025d08_cobalt-strike_cobaltstrike.exe C:\Windows\System\mTNlNTG.exe
PID 1992 wrote to memory of 1896 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_393b9c2df80caf08f819cbaf67025d08_cobalt-strike_cobaltstrike.exe C:\Windows\System\hxzgwTw.exe
PID 1992 wrote to memory of 1288 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_393b9c2df80caf08f819cbaf67025d08_cobalt-strike_cobaltstrike.exe C:\Windows\System\SlHeanr.exe
PID 1992 wrote to memory of 1468 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_393b9c2df80caf08f819cbaf67025d08_cobalt-strike_cobaltstrike.exe C:\Windows\System\qjdXgIa.exe
PID 1992 wrote to memory of 2308 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_393b9c2df80caf08f819cbaf67025d08_cobalt-strike_cobaltstrike.exe C:\Windows\System\GuHQESQ.exe
PID 1992 wrote to memory of 1696 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_393b9c2df80caf08f819cbaf67025d08_cobalt-strike_cobaltstrike.exe C:\Windows\System\gjXOaPb.exe
PID 1992 wrote to memory of 2184 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_393b9c2df80caf08f819cbaf67025d08_cobalt-strike_cobaltstrike.exe C:\Windows\System\LERvhzl.exe
PID 1992 wrote to memory of 1368 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_393b9c2df80caf08f819cbaf67025d08_cobalt-strike_cobaltstrike.exe C:\Windows\System\WnOgAuC.exe
PID 1992 wrote to memory of 1620 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_393b9c2df80caf08f819cbaf67025d08_cobalt-strike_cobaltstrike.exe C:\Windows\System\BsSCPMu.exe
PID 1992 wrote to memory of 1600 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_393b9c2df80caf08f819cbaf67025d08_cobalt-strike_cobaltstrike.exe C:\Windows\System\rWOlEYx.exe
PID 1992 wrote to memory of 2148 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_393b9c2df80caf08f819cbaf67025d08_cobalt-strike_cobaltstrike.exe C:\Windows\System\VlCPDli.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-10_393b9c2df80caf08f819cbaf67025d08_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-10_393b9c2df80caf08f819cbaf67025d08_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\WnboJVE.exe

C:\Windows\System\WnboJVE.exe

C:\Windows\System\ZWDvDKi.exe

C:\Windows\System\ZWDvDKi.exe

C:\Windows\System\LfTceUM.exe

C:\Windows\System\LfTceUM.exe

C:\Windows\System\HdxWZol.exe

C:\Windows\System\HdxWZol.exe

C:\Windows\System\TJyNqjY.exe

C:\Windows\System\TJyNqjY.exe

C:\Windows\System\YlMnsqK.exe

C:\Windows\System\YlMnsqK.exe

C:\Windows\System\CPWnSWj.exe

C:\Windows\System\CPWnSWj.exe

C:\Windows\System\lQScvDL.exe

C:\Windows\System\lQScvDL.exe

C:\Windows\System\fmhMZcG.exe

C:\Windows\System\fmhMZcG.exe

C:\Windows\System\TwNQPXs.exe

C:\Windows\System\TwNQPXs.exe

C:\Windows\System\mTNlNTG.exe

C:\Windows\System\mTNlNTG.exe

C:\Windows\System\hxzgwTw.exe

C:\Windows\System\hxzgwTw.exe

C:\Windows\System\SlHeanr.exe

C:\Windows\System\SlHeanr.exe

C:\Windows\System\qjdXgIa.exe

C:\Windows\System\qjdXgIa.exe

C:\Windows\System\GuHQESQ.exe

C:\Windows\System\GuHQESQ.exe

C:\Windows\System\gjXOaPb.exe

C:\Windows\System\gjXOaPb.exe

C:\Windows\System\LERvhzl.exe

C:\Windows\System\LERvhzl.exe

C:\Windows\System\WnOgAuC.exe

C:\Windows\System\WnOgAuC.exe

C:\Windows\System\BsSCPMu.exe

C:\Windows\System\BsSCPMu.exe

C:\Windows\System\rWOlEYx.exe

C:\Windows\System\rWOlEYx.exe

C:\Windows\System\VlCPDli.exe

C:\Windows\System\VlCPDli.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 tcp (6 identical connections)

Files


memory/2456-150-0x000000013F780000-0x000000013FAD4000-memory.dmp

memory/1656-151-0x000000013F6E0000-0x000000013FA34000-memory.dmp

memory/1896-152-0x000000013F230000-0x000000013F584000-memory.dmp

memory/1288-153-0x000000013FF80000-0x00000001402D4000-memory.dmp

memory/1468-154-0x000000013FD40000-0x0000000140094000-memory.dmp

memory/2536-142-0x000000013FD30000-0x0000000140084000-memory.dmp

memory/2900-141-0x000000013F420000-0x000000013F774000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-10 04:19

Reported

2024-06-10 04:41

Platform

win10v2004-20240226-en

Max time kernel

48s

Max time network

39s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-10_393b9c2df80caf08f819cbaf67025d08_cobalt-strike_cobaltstrike.exe"

Signatures

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\WZavFfA.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_393b9c2df80caf08f819cbaf67025d08_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\WwJAbLS.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_393b9c2df80caf08f819cbaf67025d08_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\TnYaGMI.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_393b9c2df80caf08f819cbaf67025d08_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\jgyPSvK.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_393b9c2df80caf08f819cbaf67025d08_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\wfSzReg.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_393b9c2df80caf08f819cbaf67025d08_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\qtqDpLc.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_393b9c2df80caf08f819cbaf67025d08_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\qhQkISL.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_393b9c2df80caf08f819cbaf67025d08_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\uNnSgcg.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_393b9c2df80caf08f819cbaf67025d08_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\xjIEzca.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_393b9c2df80caf08f819cbaf67025d08_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\gVLajcJ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_393b9c2df80caf08f819cbaf67025d08_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\cfRKQxU.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_393b9c2df80caf08f819cbaf67025d08_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\KHFgKxB.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_393b9c2df80caf08f819cbaf67025d08_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\YCxNDZb.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_393b9c2df80caf08f819cbaf67025d08_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\kHDlzuz.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_393b9c2df80caf08f819cbaf67025d08_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ZqZLwBD.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_393b9c2df80caf08f819cbaf67025d08_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\zQQVZfZ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_393b9c2df80caf08f819cbaf67025d08_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\eGxhhrw.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_393b9c2df80caf08f819cbaf67025d08_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\wiyGNnn.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_393b9c2df80caf08f819cbaf67025d08_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\fsbpvGS.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_393b9c2df80caf08f819cbaf67025d08_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\CFxgWxP.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_393b9c2df80caf08f819cbaf67025d08_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\BXqUtoz.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_393b9c2df80caf08f819cbaf67025d08_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_393b9c2df80caf08f819cbaf67025d08_cobalt-strike_cobaltstrike.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_393b9c2df80caf08f819cbaf67025d08_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3192 wrote to memory of 4036 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_393b9c2df80caf08f819cbaf67025d08_cobalt-strike_cobaltstrike.exe C:\Windows\System\qhQkISL.exe
PID 3192 wrote to memory of 4036 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_393b9c2df80caf08f819cbaf67025d08_cobalt-strike_cobaltstrike.exe C:\Windows\System\qhQkISL.exe
PID 3192 wrote to memory of 2128 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_393b9c2df80caf08f819cbaf67025d08_cobalt-strike_cobaltstrike.exe C:\Windows\System\cfRKQxU.exe
PID 3192 wrote to memory of 2128 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_393b9c2df80caf08f819cbaf67025d08_cobalt-strike_cobaltstrike.exe C:\Windows\System\cfRKQxU.exe
PID 3192 wrote to memory of 408 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_393b9c2df80caf08f819cbaf67025d08_cobalt-strike_cobaltstrike.exe C:\Windows\System\wiyGNnn.exe
PID 3192 wrote to memory of 408 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_393b9c2df80caf08f819cbaf67025d08_cobalt-strike_cobaltstrike.exe C:\Windows\System\wiyGNnn.exe
PID 3192 wrote to memory of 2240 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_393b9c2df80caf08f819cbaf67025d08_cobalt-strike_cobaltstrike.exe C:\Windows\System\fsbpvGS.exe
PID 3192 wrote to memory of 2240 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_393b9c2df80caf08f819cbaf67025d08_cobalt-strike_cobaltstrike.exe C:\Windows\System\fsbpvGS.exe
PID 3192 wrote to memory of 3356 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_393b9c2df80caf08f819cbaf67025d08_cobalt-strike_cobaltstrike.exe C:\Windows\System\TnYaGMI.exe
PID 3192 wrote to memory of 3356 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_393b9c2df80caf08f819cbaf67025d08_cobalt-strike_cobaltstrike.exe C:\Windows\System\TnYaGMI.exe
PID 3192 wrote to memory of 880 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_393b9c2df80caf08f819cbaf67025d08_cobalt-strike_cobaltstrike.exe C:\Windows\System\uNnSgcg.exe
PID 3192 wrote to memory of 880 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_393b9c2df80caf08f819cbaf67025d08_cobalt-strike_cobaltstrike.exe C:\Windows\System\uNnSgcg.exe
PID 3192 wrote to memory of 432 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_393b9c2df80caf08f819cbaf67025d08_cobalt-strike_cobaltstrike.exe C:\Windows\System\CFxgWxP.exe
PID 3192 wrote to memory of 432 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_393b9c2df80caf08f819cbaf67025d08_cobalt-strike_cobaltstrike.exe C:\Windows\System\CFxgWxP.exe
PID 3192 wrote to memory of 3476 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_393b9c2df80caf08f819cbaf67025d08_cobalt-strike_cobaltstrike.exe C:\Windows\System\BXqUtoz.exe
PID 3192 wrote to memory of 3476 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_393b9c2df80caf08f819cbaf67025d08_cobalt-strike_cobaltstrike.exe C:\Windows\System\BXqUtoz.exe
PID 3192 wrote to memory of 4940 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_393b9c2df80caf08f819cbaf67025d08_cobalt-strike_cobaltstrike.exe C:\Windows\System\jgyPSvK.exe
PID 3192 wrote to memory of 4940 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_393b9c2df80caf08f819cbaf67025d08_cobalt-strike_cobaltstrike.exe C:\Windows\System\jgyPSvK.exe
PID 3192 wrote to memory of 1624 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_393b9c2df80caf08f819cbaf67025d08_cobalt-strike_cobaltstrike.exe C:\Windows\System\KHFgKxB.exe
PID 3192 wrote to memory of 1624 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_393b9c2df80caf08f819cbaf67025d08_cobalt-strike_cobaltstrike.exe C:\Windows\System\KHFgKxB.exe
PID 3192 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_393b9c2df80caf08f819cbaf67025d08_cobalt-strike_cobaltstrike.exe C:\Windows\System\YCxNDZb.exe
PID 3192 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_393b9c2df80caf08f819cbaf67025d08_cobalt-strike_cobaltstrike.exe C:\Windows\System\YCxNDZb.exe
PID 3192 wrote to memory of 2940 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_393b9c2df80caf08f819cbaf67025d08_cobalt-strike_cobaltstrike.exe C:\Windows\System\ZqZLwBD.exe
PID 3192 wrote to memory of 2940 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_393b9c2df80caf08f819cbaf67025d08_cobalt-strike_cobaltstrike.exe C:\Windows\System\ZqZLwBD.exe
PID 3192 wrote to memory of 3720 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_393b9c2df80caf08f819cbaf67025d08_cobalt-strike_cobaltstrike.exe C:\Windows\System\xjIEzca.exe
PID 3192 wrote to memory of 3720 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_393b9c2df80caf08f819cbaf67025d08_cobalt-strike_cobaltstrike.exe C:\Windows\System\xjIEzca.exe
PID 3192 wrote to memory of 2116 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_393b9c2df80caf08f819cbaf67025d08_cobalt-strike_cobaltstrike.exe C:\Windows\System\wfSzReg.exe
PID 3192 wrote to memory of 2116 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_393b9c2df80caf08f819cbaf67025d08_cobalt-strike_cobaltstrike.exe C:\Windows\System\wfSzReg.exe
PID 3192 wrote to memory of 984 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_393b9c2df80caf08f819cbaf67025d08_cobalt-strike_cobaltstrike.exe C:\Windows\System\kHDlzuz.exe
PID 3192 wrote to memory of 984 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_393b9c2df80caf08f819cbaf67025d08_cobalt-strike_cobaltstrike.exe C:\Windows\System\kHDlzuz.exe
PID 3192 wrote to memory of 3584 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_393b9c2df80caf08f819cbaf67025d08_cobalt-strike_cobaltstrike.exe C:\Windows\System\qtqDpLc.exe
PID 3192 wrote to memory of 3584 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_393b9c2df80caf08f819cbaf67025d08_cobalt-strike_cobaltstrike.exe C:\Windows\System\qtqDpLc.exe
PID 3192 wrote to memory of 2356 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_393b9c2df80caf08f819cbaf67025d08_cobalt-strike_cobaltstrike.exe C:\Windows\System\zQQVZfZ.exe
PID 3192 wrote to memory of 2356 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_393b9c2df80caf08f819cbaf67025d08_cobalt-strike_cobaltstrike.exe C:\Windows\System\zQQVZfZ.exe
PID 3192 wrote to memory of 988 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_393b9c2df80caf08f819cbaf67025d08_cobalt-strike_cobaltstrike.exe C:\Windows\System\WZavFfA.exe
PID 3192 wrote to memory of 988 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_393b9c2df80caf08f819cbaf67025d08_cobalt-strike_cobaltstrike.exe C:\Windows\System\WZavFfA.exe
PID 3192 wrote to memory of 5004 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_393b9c2df80caf08f819cbaf67025d08_cobalt-strike_cobaltstrike.exe C:\Windows\System\gVLajcJ.exe
PID 3192 wrote to memory of 5004 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_393b9c2df80caf08f819cbaf67025d08_cobalt-strike_cobaltstrike.exe C:\Windows\System\gVLajcJ.exe
PID 3192 wrote to memory of 4432 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_393b9c2df80caf08f819cbaf67025d08_cobalt-strike_cobaltstrike.exe C:\Windows\System\WwJAbLS.exe
PID 3192 wrote to memory of 4432 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_393b9c2df80caf08f819cbaf67025d08_cobalt-strike_cobaltstrike.exe C:\Windows\System\WwJAbLS.exe
PID 3192 wrote to memory of 4256 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_393b9c2df80caf08f819cbaf67025d08_cobalt-strike_cobaltstrike.exe C:\Windows\System\eGxhhrw.exe
PID 3192 wrote to memory of 4256 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_393b9c2df80caf08f819cbaf67025d08_cobalt-strike_cobaltstrike.exe C:\Windows\System\eGxhhrw.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-10_393b9c2df80caf08f819cbaf67025d08_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-10_393b9c2df80caf08f819cbaf67025d08_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\qhQkISL.exe

C:\Windows\System\qhQkISL.exe

C:\Windows\System\cfRKQxU.exe

C:\Windows\System\cfRKQxU.exe

C:\Windows\System\wiyGNnn.exe

C:\Windows\System\wiyGNnn.exe

C:\Windows\System\fsbpvGS.exe

C:\Windows\System\fsbpvGS.exe

C:\Windows\System\TnYaGMI.exe

C:\Windows\System\TnYaGMI.exe

C:\Windows\System\uNnSgcg.exe

C:\Windows\System\uNnSgcg.exe

C:\Windows\System\CFxgWxP.exe

C:\Windows\System\CFxgWxP.exe

C:\Windows\System\BXqUtoz.exe

C:\Windows\System\BXqUtoz.exe

C:\Windows\System\jgyPSvK.exe

C:\Windows\System\jgyPSvK.exe

C:\Windows\System\KHFgKxB.exe

C:\Windows\System\KHFgKxB.exe

C:\Windows\System\YCxNDZb.exe

C:\Windows\System\YCxNDZb.exe

C:\Windows\System\ZqZLwBD.exe

C:\Windows\System\ZqZLwBD.exe

C:\Windows\System\xjIEzca.exe

C:\Windows\System\xjIEzca.exe

C:\Windows\System\wfSzReg.exe

C:\Windows\System\wfSzReg.exe

C:\Windows\System\kHDlzuz.exe

C:\Windows\System\kHDlzuz.exe

C:\Windows\System\qtqDpLc.exe

C:\Windows\System\qtqDpLc.exe

C:\Windows\System\zQQVZfZ.exe

C:\Windows\System\zQQVZfZ.exe

C:\Windows\System\WZavFfA.exe

C:\Windows\System\WZavFfA.exe

C:\Windows\System\gVLajcJ.exe

C:\Windows\System\gVLajcJ.exe

C:\Windows\System\WwJAbLS.exe

C:\Windows\System\WwJAbLS.exe

C:\Windows\System\eGxhhrw.exe

C:\Windows\System\eGxhhrw.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3744 --field-trial-handle=3192,i,2785050981002401924,4037047756083432660,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 164.189.21.2.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 udp
N/A 13.107.253.64:443 tcp
DE 3.120.209.58:8080 tcp

Files

memory/3192-0-0x00007FF753940000-0x00007FF753C94000-memory.dmp

memory/3192-1-0x000001D24A020000-0x000001D24A030000-memory.dmp

C:\Windows\System\qhQkISL.exe

MD5 1986081e085842d3f520289f84206395
SHA1 4d75553f16b682d786bc8068a15784b46931b901
SHA256 f2967819f3f3f3975ec4820b1e4e87ab109282d32aa8655701a286e014da5907
SHA512 1e6cb88a646df9a430bbd6607b55abd7dd948ebd323400485bcde1016db7e1033a979bbc5b0a1bae8a28a41ec5b4325abae25f3d3d05537f0ef517963a0b2722

memory/4036-8-0x00007FF672DE0000-0x00007FF673134000-memory.dmp

C:\Windows\System\cfRKQxU.exe

MD5 9b577ffff6c1f5ffff7f64441d883431
SHA1 10ba0bbbec3c90794664c7d383f12f8e5eb6c74b
SHA256 91f3e82906a538100a99ed926f9fc65724c6b25f34a3a65f82125b966c8582db
SHA512 f8bb3727a9f20749433ece4d83348bcfd5e5e28efa7ccba238d5a6d724481df6d5f37b94f4ffcea847376be6b1b47a9ca7c6e243f6823afe20547eef85d0ed8f

memory/2128-14-0x00007FF6CA4A0000-0x00007FF6CA7F4000-memory.dmp

C:\Windows\System\cfRKQxU.exe

MD5 5467228a38a1e6f590cbb58455c3474f
SHA1 c523c0f649db22a4a6a3309b20372128ff8f6e0d
SHA256 a817bb69d880a546037740ee854f1c9fa5c9c0c8d083b49b23fda745eeb9595d
SHA512 6548eef9961a9dfae4cfc23ad96922b5331f5eae80166a20a719ca38af0523147178f5e06c2538478b9b4f0ccb7c5c0376bdebc51ddc30dacfde5f9262c54824

C:\Windows\System\wiyGNnn.exe

MD5 460a560d9343614b4f5d3d4dba3f4ee8
SHA1 b7e4e11f7bd5df3f2363cf6c1fa4d5ae53e0122e
SHA256 fd744e6808c52535a94243828181a8d013638b8f8817cf398b9172e0ee7b110d
SHA512 1f115a8993e51d1f37533d08960597baad579468fd9fc33ed73870d8dbecffbacf74c482d28ec7d6893e63aba21811f0abf2dfee545d005b933bc73799ad2c80

memory/408-20-0x00007FF6216B0000-0x00007FF621A04000-memory.dmp

C:\Windows\System\wiyGNnn.exe

MD5 a22964dba57c3c901624bb203a786a20
SHA1 2785962844594e8dce7bf2f4085a236e9f71d5ab
SHA256 5996bde9ba808ebd606acd3fbf109204881337437ef0f4a1b4a3df71fc1a72b0
SHA512 ebd5acc63df37eb364e2a1912052ab7b48e31e9351ea1ff3f033f185151128e014f8fbd830c8316d49b2e23d6f5f8736e0d78680b3496108c77e8ea417b44062

C:\Windows\System\fsbpvGS.exe

MD5 6f79929539cf65dcb1e405ed0a538ec1
SHA1 46963681601be609a978fb70a544460fdecbb830
SHA256 8292e8db4cea39d46d950b64cc55f87ab625ecdebcbe27f469743b8d918b78e8
SHA512 e991eb3fcf3d9e8bf2f4b7d6bc5ccb92f66bf173e56c3693b2cbd12083aeda0fcdb439b0c82e3da3f8abfa3d37b16394bcf458c3b338809e1ffa376eff9aa3d0

memory/2240-26-0x00007FF6D4AB0000-0x00007FF6D4E04000-memory.dmp

memory/3356-30-0x00007FF7662B0000-0x00007FF766604000-memory.dmp

C:\Windows\System\TnYaGMI.exe

MD5 30fec2098e9905b39e5d81b87fd312fd
SHA1 2c1f2b248cd4ede3fee5420aa87176ead862df21
SHA256 cea34fdf4791d61b3966909d853a9f2be87875d60d2a8b8f032de64ebf0f8f31
SHA512 f115f67a290ec1acd1e7a9cbaeee79febf008db73b12d696a8ecb533730bcd13430e253a74a21e9383fcbc00eca570c861388816731748e6b3445239c626bef9

C:\Windows\System\uNnSgcg.exe

MD5 dde990a7f8a79781ba2c374cb8601523
SHA1 f64b5da7c0d051852d9394c446a1cb967f9639ff
SHA256 c2d9abc9e648c29cbe4d2b8a79eaf8e706ce89b4b480fe1585b33b50fc4cc255
SHA512 8bcd3483b7804480da618d302052e88e9f46dd7a6f0daccd4640b953083e880f1e4712dfba74458af1c638611d08e1dd590eada8fb960c66d56ddc9ed524d031

memory/880-38-0x00007FF750090000-0x00007FF7503E4000-memory.dmp

memory/432-44-0x00007FF7843D0000-0x00007FF784724000-memory.dmp

memory/3476-50-0x00007FF7F26B0000-0x00007FF7F2A04000-memory.dmp

memory/4940-56-0x00007FF74EA70000-0x00007FF74EDC4000-memory.dmp

memory/3192-62-0x00007FF753940000-0x00007FF753C94000-memory.dmp

memory/1624-63-0x00007FF718540000-0x00007FF718894000-memory.dmp

C:\Windows\System\KHFgKxB.exe

MD5 0b4145c2cc110331e4da5e560102704d
SHA1 c566b9a6ceb44b7f1c214b316c08f6bec9d9b2b1
SHA256 45685ced1acb15c50a2e82577fa387cda30481d8f7a525239c32c5f5bf6e48b4
SHA512 abf913119d63f487a6aab21c7aef0828fd1abea0d0c9a3b66bf2a375882b42bf9f76fd9b59dbd74e92020f35616ebd4ca75dc1ea4b5b55a7e8ed17cc28d58dc6

memory/2672-70-0x00007FF69F650000-0x00007FF69F9A4000-memory.dmp

memory/4036-69-0x00007FF672DE0000-0x00007FF673134000-memory.dmp

memory/2128-75-0x00007FF6CA4A0000-0x00007FF6CA7F4000-memory.dmp

memory/2940-77-0x00007FF74EB50000-0x00007FF74EEA4000-memory.dmp

memory/408-83-0x00007FF6216B0000-0x00007FF621A04000-memory.dmp

memory/3720-84-0x00007FF699C80000-0x00007FF699FD4000-memory.dmp

C:\Windows\System\wfSzReg.exe

MD5 c82368624fc0cbc229c201ce1985bc94
SHA1 ee5f9762a48551b4aca0f410ce58ba6b3a31c5e7
SHA256 931c951679eb1fb702111027aabfe5c2dbae5ee0133b51e3a18f5413cb866a95
SHA512 a02b7bbdc00adbf81d06cac9c2ff95404ee7daaf391f997518b816e211a80c24bef9f62cfffbf4467be156c5ab3f90c9c19fabf63f6e25a559ab78ca4191369f

memory/2240-90-0x00007FF6D4AB0000-0x00007FF6D4E04000-memory.dmp

memory/2116-91-0x00007FF609E70000-0x00007FF60A1C4000-memory.dmp

memory/3356-96-0x00007FF7662B0000-0x00007FF766604000-memory.dmp

memory/984-98-0x00007FF6ACD30000-0x00007FF6AD084000-memory.dmp

memory/880-104-0x00007FF750090000-0x00007FF7503E4000-memory.dmp

memory/3584-105-0x00007FF7A8980000-0x00007FF7A8CD4000-memory.dmp

C:\Windows\System\qtqDpLc.exe

MD5 b73b9362c43b7c3340b334c1496fe9d4
SHA1 0663a477ff6c9708fcc7f3207910e4ad6b54a299
SHA256 98d73e674cda0b49faf517360914bb147dbe942876acea3a669cc627eec700c6
SHA512 9322db0f530cf71bb7dd5d83fa3ccf6b557840576d2918269e5f0c865093f70757b68d13871d01d128c0d0fe2cd2fda5ce6675a9a07fdbc5c1c051e316e107b2

memory/2356-111-0x00007FF7EDE40000-0x00007FF7EE194000-memory.dmp

memory/3476-117-0x00007FF7F26B0000-0x00007FF7F2A04000-memory.dmp

memory/988-118-0x00007FF755F10000-0x00007FF756264000-memory.dmp

C:\Windows\System\eGxhhrw.exe

MD5 11012d922c4962c68391425dc253a7eb
SHA1 63324103cd8f864ba2bd66ac83917fcf62879288
SHA256 2797b80048ed711e303e2630b938cf7527a5fecbef3356e24ab309d27f7ad172
SHA512 dda70221b131d9ed7b0f7e0894d8c2d35ab271e4499964b52307e3769000c61ab878aad3387628ad0779b2e07c097c88acaf1e855a826b985daccf820cdbd074

memory/4432-135-0x00007FF63AF50000-0x00007FF63B2A4000-memory.dmp

memory/4256-136-0x00007FF60A090000-0x00007FF60A3E4000-memory.dmp

C:\Windows\System\WwJAbLS.exe

MD5 37bcf85724b59412e0444016add01a8b
SHA1 4675f224c6c41b2ca578f40b6b0d788b154087e3
SHA256 a3638a6b4547c48a6affa2591cc465ac87315dd038fef4115117f68875d6935b
SHA512 e01a5c4c99d0debd687987b277118ffc529f4afb61eaea33ed2778b9b2d4b3ac164fc03bff5d2bf4dec55326f737eb9652c0067bda3931510234b736e5c58695

memory/5004-126-0x00007FF7CF590000-0x00007FF7CF8E4000-memory.dmp

memory/4940-124-0x00007FF74EA70000-0x00007FF74EDC4000-memory.dmp

memory/4036-137-0x00007FF672DE0000-0x00007FF673134000-memory.dmp

memory/2128-138-0x00007FF6CA4A0000-0x00007FF6CA7F4000-memory.dmp

memory/408-139-0x00007FF6216B0000-0x00007FF621A04000-memory.dmp

memory/2240-140-0x00007FF6D4AB0000-0x00007FF6D4E04000-memory.dmp

memory/3356-141-0x00007FF7662B0000-0x00007FF766604000-memory.dmp

memory/880-142-0x00007FF750090000-0x00007FF7503E4000-memory.dmp

memory/432-143-0x00007FF7843D0000-0x00007FF784724000-memory.dmp

memory/3476-144-0x00007FF7F26B0000-0x00007FF7F2A04000-memory.dmp

memory/4940-145-0x00007FF74EA70000-0x00007FF74EDC4000-memory.dmp

memory/1624-146-0x00007FF718540000-0x00007FF718894000-memory.dmp

memory/2672-147-0x00007FF69F650000-0x00007FF69F9A4000-memory.dmp

memory/2940-148-0x00007FF74EB50000-0x00007FF74EEA4000-memory.dmp

memory/3720-149-0x00007FF699C80000-0x00007FF699FD4000-memory.dmp

memory/2116-150-0x00007FF609E70000-0x00007FF60A1C4000-memory.dmp

memory/984-151-0x00007FF6ACD30000-0x00007FF6AD084000-memory.dmp

memory/3584-152-0x00007FF7A8980000-0x00007FF7A8CD4000-memory.dmp

memory/2356-153-0x00007FF7EDE40000-0x00007FF7EE194000-memory.dmp

memory/988-154-0x00007FF755F10000-0x00007FF756264000-memory.dmp

memory/5004-155-0x00007FF7CF590000-0x00007FF7CF8E4000-memory.dmp

memory/4432-156-0x00007FF63AF50000-0x00007FF63B2A4000-memory.dmp

memory/4256-157-0x00007FF60A090000-0x00007FF60A3E4000-memory.dmp