Malware Analysis Report

2024-10-16 03:05

Sample ID 240610-lcehkafb4z
Target 2024-06-10_77379eb8cca229f256303a95d3a84e47_cobalt-strike_cobaltstrike
SHA256 c94081d5e83cd3fd6f98325ffab902f1cacf9ac8ea43a393adb207fe96d89efa
Tags
miner upx 0 xmrig cobaltstrike
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

c94081d5e83cd3fd6f98325ffab902f1cacf9ac8ea43a393adb207fe96d89efa

Threat Level: Known bad

The file 2024-06-10_77379eb8cca229f256303a95d3a84e47_cobalt-strike_cobaltstrike was found to be: Known bad.

Malicious Activity Summary

miner upx 0 xmrig cobaltstrike

xmrig

Cobaltstrike family

Detects Reflective DLL injection artifacts

XMRig Miner payload

Xmrig family

Cobalt Strike reflective loader

UPX dump on OEP (original entry point)

UPX dump on OEP (original entry point)

XMRig Miner payload

UPX packed file

Executes dropped EXE

Loads dropped DLL

Drops file in Windows directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-10 09:23

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike family

cobaltstrike

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Xmrig family

xmrig

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
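The two UPX signatures above (packer detected statically, then "dump on OEP" once the stub had unpacked the image) can be reproduced in triage without the sandbox. The following is an added example, not code from the report or from the sandbox vendor: a dependency-free check for the two cheap UPX tells in a PE file (section names UPX0/UPX1/UPX2 and the "UPX!" info-block magic), plus a per-section entropy heuristic for variants that have had those tells scrubbed. The PE images it inspects are constructed in the script, not the sample from this report.

```python
# Added example: dependency-free UPX packer check for PE files.
# Not part of the report; the sample PE images below are constructed.
import math
import struct
from collections import Counter

UPX_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2"}


def pe_sections(data: bytes):
    """Yield (name, raw_offset, raw_size) for every section header in a PE."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                                   # IMAGE_FILE_HEADER
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    table = coff + 20 + opt_size                          # first IMAGE_SECTION_HEADER
    for i in range(num_sections):
        off = table + i * 40
        name = data[off:off + 8].rstrip(b"\0")
        raw_size, raw_ptr = struct.unpack_from("<II", data, off + 16)
        yield name, raw_ptr, raw_size


def shannon_entropy(buf: bytes) -> float:
    """Bits per byte; compressed or encrypted data sits close to 8.0."""
    if not buf:
        return 0.0
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in Counter(buf).values())


def upx_indicators(data: bytes) -> dict:
    """Combine the cheap UPX tells with an entropy heuristic per section."""
    sections = list(pe_sections(data))
    names = {name for name, _, _ in sections}
    # UPX leaves a small info block whose magic is "UPX!" (normally in the
    # header padding before the first section's raw data); scrubbed builds
    # remove it, which is why the entropy check is kept as a second opinion.
    marker = b"UPX!" in data
    high_entropy = [name.decode("ascii", "replace")
                    for name, ptr, size in sections
                    if size and shannon_entropy(data[ptr:ptr + size]) > 7.0]
    return {
        "upx_sections": sorted(n.decode("ascii", "replace") for n in names & UPX_SECTION_NAMES),
        "upx_marker": marker,
        "high_entropy_sections": high_entropy,
        "likely_upx": bool(names & UPX_SECTION_NAMES) or marker,
    }


def build_sample_pe(sections, marker: bytes = b"") -> bytes:
    """Construct a minimal, non-runnable PE32+ image for testing (constructed
    input). sections: list of (name, payload); an empty payload gives a
    UPX0-style section with no raw data. marker lands in the header padding."""
    opt_size, n, raw_ptr = 0xF0, len(sections), 0x400
    table_end = 0x44 + 20 + opt_size + 40 * n
    out = bytearray(raw_ptr)
    out[:2] = b"MZ"
    struct.pack_into("<I", out, 0x3C, 0x40)                       # e_lfanew
    out[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", out, 0x44, 0x8664, n, 0, 0, 0, opt_size, 0x22)
    struct.pack_into("<H", out, 0x44 + 20, 0x20B)                  # PE32+ magic
    out[table_end:table_end + len(marker)] = marker
    body = bytearray()
    for i, (name, payload) in enumerate(sections):
        ptr = raw_ptr + len(body) if payload else 0
        struct.pack_into("<8sIIIIIIHHI", out, 0x44 + 20 + opt_size + 40 * i,
                         name, max(len(payload), 0x1000), 0x2000 * (i + 1),
                         len(payload), ptr, 0, 0, 0, 0, 0x60000020)
        body += payload
    return bytes(out) + bytes(body)


# Constructed inputs: a UPX-shaped image with a uniform (max-entropy) UPX1
# payload, and a plain image with a NOP sled and a zeroed data section.
PACKED_SAMPLE = build_sample_pe(
    [(b"UPX0", b""), (b"UPX1", bytes(range(256)) * 16), (b".rsrc", b"\0" * 64)],
    marker=b"UPX!")
CLEAN_SAMPLE = build_sample_pe(
    [(b".text", b"\x90" * 1024 + b"\xc3"), (b".data", b"\0" * 256)])

if __name__ == "__main__":
    print("packed:", upx_indicators(PACKED_SAMPLE))
    print("clean: ", upx_indicators(CLEAN_SAMPLE))
```

On a real sample, pass the file's bytes to upx_indicators. A hit on the section names or the marker means `upx -d` will normally restore the original binary; a sample that only trips the entropy heuristic may be a modified UPX stub or a different packer, and is the case where the sandbox's OEP dump is the quicker route to the unpacked image.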

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-10 09:22

Reported

2024-06-10 09:26

Platform

win7-20240221-en

Max time kernel

136s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-10_77379eb8cca229f256303a95d3a84e47_cobalt-strike_cobaltstrike.exe"

Signatures

xmrig

miner xmrig

UPX dump on OEP (original entry point)

Description Indicator Process Target
(29 entries; the sandbox recorded no description, indicator, process or target for any of them)

XMRig Miner payload

miner
Description Indicator Process Target
(45 entries; the sandbox recorded no description, indicator, process or target for any of them)

Loads dropped DLL

Description Indicator Process Target
(21 entries, all attributed to the process C:\Users\Admin\AppData\Local\Temp\2024-06-10_77379eb8cca229f256303a95d3a84e47_cobalt-strike_cobaltstrike.exe; no description, indicator or target recorded)

UPX packed file

upx
Description Indicator Process Target
(59 entries; the sandbox recorded no description, indicator, process or target for any of them)

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\WTKaDrX.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_77379eb8cca229f256303a95d3a84e47_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\fDiEMxv.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_77379eb8cca229f256303a95d3a84e47_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\StsQHWm.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_77379eb8cca229f256303a95d3a84e47_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\jCbllfq.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_77379eb8cca229f256303a95d3a84e47_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\IRWnnkO.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_77379eb8cca229f256303a95d3a84e47_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\JdbyjSY.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_77379eb8cca229f256303a95d3a84e47_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\dYyKbdJ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_77379eb8cca229f256303a95d3a84e47_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\uZPMZvl.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_77379eb8cca229f256303a95d3a84e47_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\YgZeeGW.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_77379eb8cca229f256303a95d3a84e47_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\SOnpgAO.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_77379eb8cca229f256303a95d3a84e47_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\qjGWgUy.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_77379eb8cca229f256303a95d3a84e47_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\MWHGKxS.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_77379eb8cca229f256303a95d3a84e47_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\upUbGnp.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_77379eb8cca229f256303a95d3a84e47_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\qqAcdzX.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_77379eb8cca229f256303a95d3a84e47_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\WogSfSA.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_77379eb8cca229f256303a95d3a84e47_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\OulOuiz.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_77379eb8cca229f256303a95d3a84e47_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\VOIfsCn.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_77379eb8cca229f256303a95d3a84e47_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\FbtsTqs.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_77379eb8cca229f256303a95d3a84e47_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\GPiZIhy.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_77379eb8cca229f256303a95d3a84e47_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\LVUmdcW.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_77379eb8cca229f256303a95d3a84e47_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\JmHZsmj.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_77379eb8cca229f256303a95d3a84e47_cobalt-strike_cobaltstrike.exe N/A
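The table above is the pattern a host-based detection should key on: one process from a user's Temp directory writes a burst of executables into the legacy C:\Windows\System directory and (per the process list further down) launches them. The following is an added example, not part of the report: a small windowed correlation over Sysmon-style FileCreate (Event ID 11) and ProcessCreate (Event ID 1) records. Field names follow Sysmon's; the event records are constructed here, with the dropped paths and PIDs copied from this report and the timestamps and the benign noise events invented.

```python
# Added example: windowed drop-and-execute detection over Sysmon-style events.
# Not part of the report; the event records are constructed (paths and PIDs
# copied from the report, timestamps and benign noise invented).
import re
from collections import defaultdict
from datetime import datetime, timedelta

# The legacy C:\Windows\System directory is not somewhere user-land software
# writes executables; System32 is deliberately not matched by this pattern.
LEGACY_SYSTEM_EXE = re.compile(r"^c:\\windows\\system\\[^\\]+\.exe$", re.IGNORECASE)
DROP_THRESHOLD = 5               # executables written by one process ...
WINDOW = timedelta(seconds=60)   # ... inside any window of this length


def detect_drop_and_execute(events):
    """Return one alert per process that bursts executables into the legacy
    System directory, listing what it dropped and which of those it launched."""
    drops = defaultdict(list)    # dropper pid -> [(time, path)]
    spawns = defaultdict(set)    # parent pid  -> {image launched}
    for e in events:
        if e["EventID"] == 11 and LEGACY_SYSTEM_EXE.match(e["TargetFilename"]):
            drops[e["ProcessId"]].append(
                (datetime.fromisoformat(e["UtcTime"]), e["TargetFilename"].lower()))
        elif e["EventID"] == 1:
            spawns[e["ParentProcessId"]].add(e["Image"].lower())

    alerts = []
    for pid, items in drops.items():
        items.sort()
        start = 0
        for end in range(len(items)):            # sliding window over sorted times
            while items[end][0] - items[start][0] > WINDOW:
                start += 1
            if end - start + 1 >= DROP_THRESHOLD:
                dropped = {path for _, path in items}
                alerts.append({
                    "pid": pid,
                    "dropped": sorted(dropped),
                    "executed": sorted(dropped & spawns.get(pid, set())),
                })
                break
    return alerts


def _file_create(ts, pid, image, target):
    return {"EventID": 11, "UtcTime": ts, "ProcessId": pid,
            "Image": image, "TargetFilename": target}


def _process_create(ts, pid, ppid, image):
    return {"EventID": 1, "UtcTime": ts, "ProcessId": pid,
            "ParentProcessId": ppid, "Image": image}


# Constructed telemetry. The dropper path is shortened to "sample.exe"
# (hypothetical name); the dropped paths and PIDs are those in the report.
DROPPER = r"C:\Users\Admin\AppData\Local\Temp\sample.exe"
SAMPLE_EVENTS = [
    _file_create("2024-06-10T09:23:01", 2944, DROPPER, r"C:\Windows\System\WTKaDrX.exe"),
    _file_create("2024-06-10T09:23:02", 2944, DROPPER, r"C:\Windows\System\fDiEMxv.exe"),
    _file_create("2024-06-10T09:23:02", 2944, DROPPER, r"C:\Windows\System\StsQHWm.exe"),
    _file_create("2024-06-10T09:23:03", 2944, DROPPER, r"C:\Windows\System\jCbllfq.exe"),
    _file_create("2024-06-10T09:23:04", 2944, DROPPER, r"C:\Windows\System\IRWnnkO.exe"),
    _file_create("2024-06-10T09:23:05", 2944, DROPPER, r"C:\Windows\System\SOnpgAO.exe"),
    _process_create("2024-06-10T09:23:06", 272, 2944, r"C:\Windows\System\SOnpgAO.exe"),
    _process_create("2024-06-10T09:23:06", 2940, 2944, r"C:\Windows\System\fDiEMxv.exe"),
    # Invented benign noise: an installer writing into System32 (not matched)
    # and a single stray write into the legacy directory (below threshold).
    _file_create("2024-06-10T09:23:07", 500, r"C:\Windows\System32\msiexec.exe",
                 r"C:\Windows\System32\foo.exe"),
    _file_create("2024-06-10T09:23:08", 777, r"C:\setup.exe", r"C:\Windows\System\legacy.exe"),
]

if __name__ == "__main__":
    for alert in detect_drop_and_execute(SAMPLE_EVENTS):
        print(alert)
```

The threshold and window are tuning knobs, not facts from the report; the report's twenty-one drops arrive well inside a minute, so both are generous. The rule deliberately does not depend on the random-looking seven-letter names, which the next build of the dropper can change; the directory, the burst, and the parent-child relationship are the stable parts of the behaviour.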

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_77379eb8cca229f256303a95d3a84e47_cobalt-strike_cobaltstrike.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_77379eb8cca229f256303a95d3a84e47_cobalt-strike_cobaltstrike.exe N/A

SeLockMemoryPrivilege ("Lock pages in memory") is the privilege XMRig enables on Windows so that it can back its hashing memory with large pages; a freshly executed dropper requesting it fits the xmrig verdict above, but is not proof on its own, since any large-page user requests the same privilege.

Suspicious use of WriteProcessMemory

Description Indicator Process Target Writes
PID 2944 wrote to memory of 272 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_77379eb8cca229f256303a95d3a84e47_cobalt-strike_cobaltstrike.exe C:\Windows\System\SOnpgAO.exe 3
PID 2944 wrote to memory of 2940 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_77379eb8cca229f256303a95d3a84e47_cobalt-strike_cobaltstrike.exe C:\Windows\System\fDiEMxv.exe 3
PID 2944 wrote to memory of 2968 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_77379eb8cca229f256303a95d3a84e47_cobalt-strike_cobaltstrike.exe C:\Windows\System\OulOuiz.exe 3
PID 2944 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_77379eb8cca229f256303a95d3a84e47_cobalt-strike_cobaltstrike.exe C:\Windows\System\VOIfsCn.exe 3
PID 2944 wrote to memory of 2644 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_77379eb8cca229f256303a95d3a84e47_cobalt-strike_cobaltstrike.exe C:\Windows\System\StsQHWm.exe 3
PID 2944 wrote to memory of 2840 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_77379eb8cca229f256303a95d3a84e47_cobalt-strike_cobaltstrike.exe C:\Windows\System\FbtsTqs.exe 3
PID 2944 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_77379eb8cca229f256303a95d3a84e47_cobalt-strike_cobaltstrike.exe C:\Windows\System\jCbllfq.exe 3
PID 2944 wrote to memory of 2780 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_77379eb8cca229f256303a95d3a84e47_cobalt-strike_cobaltstrike.exe C:\Windows\System\dYyKbdJ.exe 3
PID 2944 wrote to memory of 2612 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_77379eb8cca229f256303a95d3a84e47_cobalt-strike_cobaltstrike.exe C:\Windows\System\uZPMZvl.exe 3
PID 2944 wrote to memory of 2212 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_77379eb8cca229f256303a95d3a84e47_cobalt-strike_cobaltstrike.exe C:\Windows\System\IRWnnkO.exe 3
PID 2944 wrote to memory of 2468 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_77379eb8cca229f256303a95d3a84e47_cobalt-strike_cobaltstrike.exe C:\Windows\System\qjGWgUy.exe 3
PID 2944 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_77379eb8cca229f256303a95d3a84e47_cobalt-strike_cobaltstrike.exe C:\Windows\System\YgZeeGW.exe 3
PID 2944 wrote to memory of 640 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_77379eb8cca229f256303a95d3a84e47_cobalt-strike_cobaltstrike.exe C:\Windows\System\GPiZIhy.exe 3
PID 2944 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_77379eb8cca229f256303a95d3a84e47_cobalt-strike_cobaltstrike.exe C:\Windows\System\JdbyjSY.exe 3
PID 2944 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_77379eb8cca229f256303a95d3a84e47_cobalt-strike_cobaltstrike.exe C:\Windows\System\LVUmdcW.exe 3
PID 2944 wrote to memory of 2412 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_77379eb8cca229f256303a95d3a84e47_cobalt-strike_cobaltstrike.exe C:\Windows\System\upUbGnp.exe 3
PID 2944 wrote to memory of 1996 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_77379eb8cca229f256303a95d3a84e47_cobalt-strike_cobaltstrike.exe C:\Windows\System\qqAcdzX.exe 3
PID 2944 wrote to memory of 544 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_77379eb8cca229f256303a95d3a84e47_cobalt-strike_cobaltstrike.exe C:\Windows\System\WTKaDrX.exe 3
PID 2944 wrote to memory of 1948 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_77379eb8cca229f256303a95d3a84e47_cobalt-strike_cobaltstrike.exe C:\Windows\System\WogSfSA.exe 3
PID 2944 wrote to memory of 1920 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_77379eb8cca229f256303a95d3a84e47_cobalt-strike_cobaltstrike.exe C:\Windows\System\MWHGKxS.exe 3
PID 2944 wrote to memory of 2232 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_77379eb8cca229f256303a95d3a84e47_cobalt-strike_cobaltstrike.exe C:\Windows\System\JmHZsmj.exe 3

Every child received exactly three writes from PID 2944 (count in the last column). Each target is one of the executables the parent dropped into C:\Windows\System; writes from a parent into a child it has just created are also what CreateProcess itself produces when it sets up the new process, so this signature on its own does not establish code injection into an unrelated process.
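Reports like this one are easier to act on once the process tree and the drop list are pulled out of the tables and cross-checked against each other. The following is an added example, not part of the report: a parser for the "PID X wrote to memory of Y" and "File created" row formats as the sandbox emits them (one row per write, one per creation), which collapses the repeated writes to a count, maps every child image to its PID, and lists any dropped executable that never shows up as a running child. The input lines are a subset copied from the two tables above; the write rows for WTKaDrX.exe are left out on purpose so that the last check has something to report.

```python
# Added example: mine the WriteProcessMemory and "File created" rows for the
# process tree and dropped-file list, then cross-check them. Not part of the
# report; the input lines are a subset copied from its tables.
import re
from collections import Counter

WRITE_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)$")
CREATE_RE = re.compile(r"^File created (\S+) (\S+) N/A$")


def parse_rows(lines):
    """writes:  (parent pid, child pid, child image) -> number of write rows
    created: dropped path -> process that created it"""
    writes, created = Counter(), {}
    for line in lines:
        m = WRITE_RE.match(line.strip())
        if m:
            ppid, cpid, _parent, child = m.groups()
            writes[(int(ppid), int(cpid), child)] += 1
            continue
        m = CREATE_RE.match(line.strip())
        if m:
            created[m.group(1)] = m.group(2)
    return writes, created


def summarize(lines):
    """Process tree plus the drop-versus-execute reconciliation."""
    writes, created = parse_rows(lines)
    child_pid = {child: cpid for (_, cpid, child) in writes}
    return {
        "parent_pids": sorted({ppid for (ppid, _, _) in writes}),
        "child_pid": child_pid,
        "writes_per_child": {cpid: n for (_, cpid, _), n in writes.items()},
        "dropped_and_executed": sorted(p for p in created if p in child_pid),
        "dropped_not_seen_running": sorted(p for p in created if p not in child_pid),
    }


# Rows reproduced from the report's tables (a subset). The helper functions
# only rebuild the sandbox's row layout so the sample stays readable.
SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\2024-06-10_77379eb8cca229f256303a95d3a84e47_cobalt-strike_cobaltstrike.exe")
SYS = "C:\\Windows\\System\\"


def _write_row(cpid, name):
    return f"PID 2944 wrote to memory of {cpid} N/A {SAMPLE} {SYS}{name}"


def _create_row(name):
    return f"File created {SYS}{name} {SAMPLE} N/A"


SAMPLE_LINES = (
    [_write_row(272, "SOnpgAO.exe")] * 3
    + [_write_row(2940, "fDiEMxv.exe")] * 3
    + [_write_row(2968, "OulOuiz.exe")] * 3
    + [_create_row(n) for n in ("WTKaDrX.exe", "fDiEMxv.exe", "SOnpgAO.exe", "OulOuiz.exe")]
)

if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LINES).items():
        print(f"{key}: {value}")
```

Feeding the full tables through summarize gives the twenty-one dropped paths, each with a single child PID and a write count of three; an entry under dropped_not_seen_running on a complete report would mean a staged payload the sandbox never saw start, which is worth a second, longer detonation.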

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-10_77379eb8cca229f256303a95d3a84e47_cobalt-strike_cobaltstrike.exe (PID 2944)
Command line: "C:\Users\Admin\AppData\Local\Temp\2024-06-10_77379eb8cca229f256303a95d3a84e47_cobalt-strike_cobaltstrike.exe"

Child processes of PID 2944, in launch order (each runs with its own path as the command line; PIDs taken from the WriteProcessMemory table):

C:\Windows\System\SOnpgAO.exe (PID 272)
C:\Windows\System\fDiEMxv.exe (PID 2940)
C:\Windows\System\OulOuiz.exe (PID 2968)
C:\Windows\System\VOIfsCn.exe (PID 2556)
C:\Windows\System\StsQHWm.exe (PID 2644)
C:\Windows\System\FbtsTqs.exe (PID 2840)
C:\Windows\System\jCbllfq.exe (PID 2712)
C:\Windows\System\dYyKbdJ.exe (PID 2780)
C:\Windows\System\uZPMZvl.exe (PID 2612)
C:\Windows\System\IRWnnkO.exe (PID 2212)
C:\Windows\System\qjGWgUy.exe (PID 2468)
C:\Windows\System\YgZeeGW.exe (PID 2616)
C:\Windows\System\GPiZIhy.exe (PID 640)
C:\Windows\System\JdbyjSY.exe (PID 2696)
C:\Windows\System\LVUmdcW.exe (PID 2808)
C:\Windows\System\upUbGnp.exe (PID 2412)
C:\Windows\System\qqAcdzX.exe (PID 1996)
C:\Windows\System\WTKaDrX.exe (PID 544)
C:\Windows\System\WogSfSA.exe (PID 1948)
C:\Windows\System\MWHGKxS.exe (PID 1920)
C:\Windows\System\JmHZsmj.exe (PID 2232)

Network

Country Destination Domain Proto Connections
DE 3.120.209.58:8080 (none recorded) tcp 6

All six TCP connections went to this single endpoint; no domain name was recorded for it, so no DNS resolution preceded the connections.

Files

memory/2944-0-0x0000000000100000-0x0000000000110000-memory.dmp

memory/2944-1-0x000000013F270000-0x000000013F5C4000-memory.dmp

memory/2556-37-0x000000013FC60000-0x000000013FFB4000-memory.dmp

C:\Windows\system\jCbllfq.exe

MD5 2e820f8af7aa3bf225d37608a0a87341
SHA1 b813ceb09756bee341a57c9525bd3abdbe863ab8
SHA256 de3ecb3b5fcb41244e0ad238c42dbdcdb420cd69a0a9fd4969c3c2c21a4688aa
SHA512 94100e338184f7a3ae15a222a1475fa5698953edd851085d3fd0ba1cff9c8ac4fea1d0ffc946527b9efc401e37d9d7afc7e865918e1dcb595782d3b4242cf2f4

memory/2944-47-0x0000000002400000-0x0000000002754000-memory.dmp

C:\Windows\system\dYyKbdJ.exe

MD5 06e7776c45522cd727375134e965e22f
SHA1 b3c6cc8ec21bae0f0aa8708062a4e0f18fd21432
SHA256 2e168c5305fc6931df6647569f2eac771398a9fe5bbc1782667bc1c201007bfb
SHA512 0b18810a5223438d648db6031a4bc963ddc222296395333088b069467dd1914822ad34fd9a3ff6c6694db24c914bdda3b30ab67d7943ad9a074d0ee7d9dc226d

\Windows\system\uZPMZvl.exe

MD5 798628437c4823e17d8e57facadaa5a1
SHA1 4be9e2a956db29ed5fdc7d21ca59e87cd89097b1
SHA256 61b9d4d4d42f43a523daed7217b3f40f7d5b10be4da6b41364f9ba7aebf7c2ed
SHA512 57d97fa3795a59d19b4cccff258a8d9e7722a5e6673f549c82548e40666fd134623544cd66d38e810ed3b23239001ffe1a19f35aac37a12faf1c5e8f1c30140b

memory/2712-63-0x000000013F920000-0x000000013FC74000-memory.dmp

memory/2780-72-0x000000013F910000-0x000000013FC64000-memory.dmp

memory/2944-79-0x000000013F710000-0x000000013FA64000-memory.dmp

memory/2616-83-0x000000013F0E0000-0x000000013F434000-memory.dmp

memory/2944-82-0x0000000002400000-0x0000000002754000-memory.dmp

C:\Windows\system\GPiZIhy.exe

MD5 473e05b9007245959011d8397481c0c1
SHA1 a7d4ea5b3171641ef1500c4df41271c313a04d3e
SHA256 6ba75e2fc9b50af19f538f4cc133d1c407570cfd11f0a312bf6a106311ef45f5
SHA512 954541c06ab2b82c50275ae68ae8fddb1bb35af652e3fec552c9a797fc3cf41cd1fd184fbc3762e033862a19b48a474528e6ad25930b9056a29df30461d32308

memory/640-90-0x000000013F840000-0x000000013FB94000-memory.dmp

C:\Windows\system\JdbyjSY.exe

MD5 d17d952a6dfc7f7d5b98cc09f0b7cbdd
SHA1 fec0c348c1cdd77b648a3ba5748d48987d56b005
SHA256 8184e8993fcef83d3b35fef1a39835244fc74f67e41d3b1febcdbef18a2c840d
SHA512 6b601426fee04e6970ad065a6a77a039ecdfdecd7e3e6db10af0a524fcaf1c5335d4a35a500337669f2dd87735e561f3c527213ef37f84e0fd9989bd932cf7f1

\Windows\system\LVUmdcW.exe

MD5 9d367348bc2b0a338371873ab92b5ce0
SHA1 7f656575ff1e475fc391f43341a8d5f4ac819b19
SHA256 54a48f3a9df4f2d2df5308f04d9bbc5bfb754b7f4236b7d31d49f71134f2b309
SHA512 8ea158cb453b86b762270e2cebce91cbe9a0e8b60ddc4e0fb3c531068e04df9f568fe69f34e169c5bdf6255c4c79c801e5f4b3c040f45ef12c24211a5d1dd454

memory/2696-97-0x000000013FC10000-0x000000013FF64000-memory.dmp

C:\Windows\system\LVUmdcW.exe

MD5 d5a548d48b0efc78b598096b40926b85
SHA1 edcbde6a385a137b3a91183bd121518426889baa
SHA256 42f01608c563e1fdeb6e59c7fe4c28f2c9f529fa535eccc55ea0c51405a8baf1
SHA512 25418c0549804a91261fe95b79c8a224e9f918592399505462b2504c6a118a6cbc4de282a7f1f55658d164e02e3afa2dd9b17b9c5f19859d2429525050fbbc30

memory/2944-99-0x0000000002400000-0x0000000002754000-memory.dmp

memory/2944-95-0x000000013FC10000-0x000000013FF64000-memory.dmp

\Windows\system\JdbyjSY.exe

MD5 2cf608c269c2503d2d70c58a81a3676b
SHA1 b27db114868b2570bcdef46af05f3e25d1657d56
SHA256 80c0229d9b512aa75f940b04af50fe97eb5c2319dbc11286e86fb6cf98db6c5e
SHA512 ecc09caa16a1cac3b87a1d0384cb3a95292ab2d07c7a7d188860c1c8564d6e5f42a729c4886644c27a4757027adccebb2d12d707596f0a50da9c8821e88ba013

memory/2944-89-0x000000013F840000-0x000000013FB94000-memory.dmp

\Windows\system\GPiZIhy.exe

MD5 64608890dcd212091a87599b2f0612b4
SHA1 642cba6fdd06687bf7b84652d1d79a4e1e6a2442
SHA256 b0713465db08a043a2fc63565826669db6692aab975c0e29a5185ae16112322b
SHA512 9bdeddb8d2b5d212ce44eb56a90491fbba59fad54bddc0d8b4b8bf820f02cd20cd341a5b8d7dee63bec0cc37a66e5649ab2d3fa0a94759da8902674545d3a347

\Windows\system\JmHZsmj.exe

MD5 3c4936ba91eaa69f7fdbfccc9b857022
SHA1 d97c8ba6655ec64594f86192c6bdb9c832040c3a
SHA256 f647e481490f98c412386808e010fe7c22bcbe8d3cebe4c6aae38fd2d6003c10
SHA512 327dd607eb26134ae7933735d6de926b79e86a7c2a97c4f64919c1cdded613dd5e13b9c7b209f5d7e94d70772d16c0aa412b8bf1f7d9435384a504f194d13cc9

C:\Windows\system\JmHZsmj.exe

MD5 7aaed59e81883ccc6a1f51d7ceba8aea
SHA1 ad439da9e172d66fb363ee3ccdeb784403802da7
SHA256 60993be56448ec872285aca4f955766be9ffb9322286c54762c862c7bff99a4a
SHA512 a8213af11deee16995da3c584834892588465d8fcd7ba16d1dd81cde7e4051b7f82cc58b51f91d4f9df8d00b1ae51dd7c77c17c0b2f9917f25c200091d3e704c

C:\Windows\system\MWHGKxS.exe

MD5 c83a72fd32d1ea03c4c25e0b40a06534
SHA1 de2f9cae4aaddd2cc18d23899ecdd1c809f91cc1
SHA256 c7c33166fb7303a687223dfb582067f939bce709fca5c41b819da2f4a6dcb359
SHA512 01b6c66abfddb5df6a71e9a20ac803480a15bd6d8e038d46a607a93dd9ea600234a78f6bd587ad7d5b0616a8419e74ad1e4f1e4566d73f0ec035b67591e1923c

C:\Windows\system\WogSfSA.exe

MD5 e36afd6c35c94d0a3760ffc5c520dbaf
SHA1 fcfc435aabd0379d632916351cc7214f0664adaa
SHA256 ebd86d5f4a0406fe798891a46ff8fabe34a9c281968b64c8280b930804f0c378
SHA512 85f6a8dd361a30c09ef040453801cb93767c13eb3ac2e43c9b6b850094d02a297b76981263b283089ab424f00f181a7668301067964aa2871c2c59a079aee447

C:\Windows\system\WTKaDrX.exe

MD5 d40da3f72b1d0ff826f884cc7bd2f64f
SHA1 595107e8eeeb9ebf769d1150884a0116a28ff187
SHA256 2fa22e04917720135e7a1682bb830fdfcb60dffeb587ca30bb2c2d0c5bfb8ae6
SHA512 45a0a431e2ef2af7274cccb93798b3808553eef56456dd590718a6ad5f1100a72b5d0e312e97f60b8d225c223b97ad48f02e0e480cde2b6cf85b0f7b0144968f

\Windows\system\WTKaDrX.exe

MD5 bfe1cf23f0f502213cae1ec2f78f716d
SHA1 076b515974d2bf63967d59a6dc0a17b696d54075
SHA256 307be75b3b328023566c69390a465ea651e48b5d5552661259a739aff948c1f9
SHA512 afaf3bbda04cec4f2f84d03994e15e67d6b8de09a08cc4a1926a00fb5b952360f1ef60c0c6bb8cfc013b4f061d156b1aa97e987bec07b1dff9541f8749a6847b

\Windows\system\qqAcdzX.exe

MD5 314443a3e1d326f4d0ae325268d0a3cb
SHA1 cae79eb9491bd5710642496562a3e9bf1f8c3f64
SHA256 6125164f3647ae1fd03ea3b1d8ead097c3c13d01b86bc85db540ad05b7482030
SHA512 d362df1a89ca8040636780edb1c21d00b1dd6b210f931aa0b39181c09aaeec00bf55bb78a4aae06319204dfa3c9bdff7fda633a055d7b5bc3569a4e8c2759e78

C:\Windows\system\upUbGnp.exe

MD5 90be846177ebce09b1bfa8b40630684a
SHA1 43a2c66ff47d9e295f18f8c18fe76b69e8850154
SHA256 2237948f07e37d90442b50a92836356588f3ae1e31ae0d8dac227315cf2c7f65
SHA512 f4ff566c9eaa4a50bcad3cfa87bbb92d072dc2249f94ae304b8cb104e61cee98dba9f3ef0ceebfe48bef05c9c2df36d9188d043c7aa83ca58742993e634b68a6

C:\Windows\system\YgZeeGW.exe

MD5 03b1764556b0d07f54050f99d7902224
SHA1 9ce874a7c6589e716d72a032bf4a1674a6b96d94
SHA256 41e41c2c64d4536cacd90e62cab5db3682930ca34e93fa589977512a02064965
SHA512 81a7b86d614a98f85d8d348baa710a1de131ed3ca519baafe45637a70ec4efe5731630a1469374b97246c9fd70bfdca18ed68c31e2d7b0b7f466f072403b51f4

memory/2468-77-0x000000013F710000-0x000000013FA64000-memory.dmp

memory/2212-75-0x000000013FAA0000-0x000000013FDF4000-memory.dmp

memory/2612-74-0x000000013F330000-0x000000013F684000-memory.dmp

C:\Windows\system\qjGWgUy.exe

MD5 6aabe2e748cee6d07f24c026461cb48a
SHA1 fe435ec8690de5aed611e8b6e996882f126c4bb9
SHA256 551c2573568f6ad35d10f80b58ca4997f5dba80ae615fb3a522cbfb755fa022a
SHA512 13d999d941baed2473792d915bae6ed172cd29ce935c44fff65629b650c371ebe29b735b83455a9a37b0fdfa4912df807a91d4e5572cd52076bb1f8b14ed1cf5

\Windows\system\IRWnnkO.exe

MD5 53316368a5c35bfe8d2650de718bf34c
SHA1 1f19034b7b11940fd11aecb68e1e1001adf683cd
SHA256 e0c333f848fe9c9f14b05e33c591c684ad4110067b4eace58f300da96c22985e
SHA512 8b208e51a71160cb1b5808744c50b1438ba943bd3e381649ef8dea146af35ef7878ac903d4569a46f0c64ef098a935d18e4382fdb3f217b2d57b02a94f54480a

memory/2944-66-0x000000013F910000-0x000000013FC64000-memory.dmp

C:\Windows\system\IRWnnkO.exe

MD5 ec92e07b02f20d795a0e1863fe069dc8
SHA1 5076ad4225509fb06df6a1c7d82542c5a224c871
SHA256 d93ccd8bbd9241ae214cf9bd04fec1c798bfa78296802457f50c065fad349de1
SHA512 5cea4a90d5b075c2c3843f219d649bcc179719c667dc7e023eb40c8f330b42346385b74a58e4419cdbca8a4582a56595f734d564e1b2748ba9d9dc4d7400b368

\Windows\system\qjGWgUy.exe

MD5 ccf7e0b017f1f57e15628f2b144791a7
SHA1 541751df01a48b92c0e1bbf53d3d82e0a047034d
SHA256 7f5a8c6275c0337803eaf59b78ec5be8cc02c704ff17f9440537b2d843501c93
SHA512 0c3526ea832ca44194f9d6e573294c04ba39d0fddaa17548d289d0175238d916d47141db5e4e89d41239a154037c657a07d52a72591424920afb9b685f0525fa

C:\Windows\system\uZPMZvl.exe

MD5 51a51ebc84c388c79a91f0b3179b5c2d
SHA1 3c972a7b976a1850c5cfb1f9d7c2c42730c06f8f
SHA256 cbfbbcf972fc71c8f8ee59465cf3f9800b7e00f9c21efbdabbf3a708d55ab9e6
SHA512 65a0879242c47331e54a5a0993ab3eaff209a8935d346f6cbc6005b8903a4ea25b77854b41878c75510a37292ca93d1e0b4470998505fe051262be09344375bb

\Windows\system\dYyKbdJ.exe

MD5 9fae6a62d0e7737cd1f90ae57eb20b3d
SHA1 13784b0da7ba1dedd03f6abdda89b4afea844996
SHA256 01c73a08c7489480d1f803769c13916571cd7bd967246a4c2426c45f5800ef2c
SHA512 820a39f84575455d289b1f5165babe217901b51c9a818650b199bc3390d3737f43758b6f24b9b34f4ba07b5aa4010222d008eb2fbec1b5af4fb196e1fdf5b3f4

\Windows\system\jCbllfq.exe

MD5 4680f13079c0e48ee439b976a9ac693d
SHA1 a5c12784c8da3cfabec20069ab3c25a1dfc4425f
SHA256 0e6bfb7d33136e38a277815d9f2033d77a81430c490510147ae8c15098c1a1c4
SHA512 237160c9b2ec927f1f7f8eb93eb0998feae0a5fdd096d5d2839acdea62b53ff40c45b15a6c068ea902eeaba138635691258cd1beaebf5b47a125222bc088363f

C:\Windows\system\FbtsTqs.exe

MD5 977386e05d43a135b6e404a1960d7bc0
SHA1 763800e9f7b3068ec836119e3cb480edf764c444
SHA256 9d9d9529f9a54cfec92ff0817ece8548d369cb1de1628f0e773611998cde0c5e
SHA512 a1d26f11fbea269491e824fc7d2d40c00fe1fe8385711294ccc9c2165d61d76bfeb4274070c882235be800f68485144c058702e098a07fa296183730a5dc3385

\Windows\system\VOIfsCn.exe

MD5 3aaf7053b1006fd7d70c363e848b8e8e
SHA1 e2be9819683f0283d109809481c733839febbc3d
SHA256 2fa086ee3728339162cc3efc11e0508d1f1e7cae6d38f9e6760e87a8d8f0ce12
SHA512 130dd95ec7cc0fb5ad51a6ff145ab69cb89e3ab2460901bb7cc8d243ccf54f04b145bcad784faf61c4e1b14203cbfa8785cb8650d5bbac13727aba2d8a9c9ee7

C:\Windows\system\VOIfsCn.exe

MD5 ff64dcb83e4bfcbec95c1199068a4029
SHA1 01f05afdcb01e8ad3ef58e9fa9bef68f24d046a7
SHA256 8efa3f8aa831de7fe27cf1cbe36bbeb398f5d663c062d85acba5fe5c7378e48b
SHA512 06923ac204cf11b9d902f24bbbe8d40fcac11c82ca7b20accd56287ae5b42ce760e7423e128d433e189b023a4f6db6a19e8634cbefaf2d5abef747cddd00411d

\Windows\system\OulOuiz.exe

MD5 d86c13c002e1f9c3d18cea41a8f7272f
SHA1 17b169b1bbff68c674d94b4d5e154ee9030bd7be
SHA256 ceb45eeeef4cecffe5421da62919d4d6e2499dda9d0d0390457610d4ebf3217f
SHA512 c03bf374cecd07327461316e12a491e0707d965095efa204623ede1c8a9109820dcde79f32914948c8a936806132a47556176cce4d7174e7d3d33a84c10401ff

Analysis: behavioral2

Detonation Overview

Reported

0001-01-01 00:00

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

N/A

Files

N/A