Malware Analysis Report

2025-04-19 17:00

Sample ID 240522-wmbvjabb95
Target 2024052263be4bb8d339b8fa420874457468b200cobaltstrikecobaltstrike
SHA256 68ec096ed3ebef262ccad229af10d48bd4df27c078201313b8157d028b6336b5
Tags upx 0 miner cobaltstrike xmrig backdoor trojan
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256

68ec096ed3ebef262ccad229af10d48bd4df27c078201313b8157d028b6336b5

Threat Level: Known bad

The file 2024052263be4bb8d339b8fa420874457468b200cobaltstrikecobaltstrike was found to be: Known bad.

Malicious Activity Summary

upx 0 miner cobaltstrike xmrig backdoor trojan

XMRig Miner payload

Cobalt Strike reflective loader

xmrig

Cobaltstrike family

Cobaltstrike

Xmrig family

Executes dropped EXE

Loads dropped DLL

UPX packed file

Drops file in Windows directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-05-22 18:01

Signatures

Cobalt Strike reflective loader

Cobaltstrike family

cobaltstrike

XMRig Miner payload

miner

Xmrig family

xmrig

UPX packed file

upx

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-22 18:01

Reported

2024-05-22 18:04

Platform

win7-20240221-en

Max time kernel

150s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024052263be4bb8d339b8fa420874457468b200cobaltstrikecobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

XMRig Miner payload

miner

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024052263be4bb8d339b8fa420874457468b200cobaltstrikecobaltstrike.exe N/A

UPX packed file

upx

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\AkwMsEg.exe C:\Users\Admin\AppData\Local\Temp\2024052263be4bb8d339b8fa420874457468b200cobaltstrikecobaltstrike.exe N/A
File created C:\Windows\System\dWwUaqE.exe C:\Users\Admin\AppData\Local\Temp\2024052263be4bb8d339b8fa420874457468b200cobaltstrikecobaltstrike.exe N/A
File created C:\Windows\System\EFhGpkr.exe C:\Users\Admin\AppData\Local\Temp\2024052263be4bb8d339b8fa420874457468b200cobaltstrikecobaltstrike.exe N/A
File created C:\Windows\System\jeHpZhS.exe C:\Users\Admin\AppData\Local\Temp\2024052263be4bb8d339b8fa420874457468b200cobaltstrikecobaltstrike.exe N/A
File created C:\Windows\System\IFrFWJc.exe C:\Users\Admin\AppData\Local\Temp\2024052263be4bb8d339b8fa420874457468b200cobaltstrikecobaltstrike.exe N/A
File created C:\Windows\System\rDurjWW.exe C:\Users\Admin\AppData\Local\Temp\2024052263be4bb8d339b8fa420874457468b200cobaltstrikecobaltstrike.exe N/A
File created C:\Windows\System\RGVRtSr.exe C:\Users\Admin\AppData\Local\Temp\2024052263be4bb8d339b8fa420874457468b200cobaltstrikecobaltstrike.exe N/A
File created C:\Windows\System\wSUICCS.exe C:\Users\Admin\AppData\Local\Temp\2024052263be4bb8d339b8fa420874457468b200cobaltstrikecobaltstrike.exe N/A
File created C:\Windows\System\UDgEhip.exe C:\Users\Admin\AppData\Local\Temp\2024052263be4bb8d339b8fa420874457468b200cobaltstrikecobaltstrike.exe N/A
File created C:\Windows\System\REtfBwO.exe C:\Users\Admin\AppData\Local\Temp\2024052263be4bb8d339b8fa420874457468b200cobaltstrikecobaltstrike.exe N/A
File created C:\Windows\System\TEYRbku.exe C:\Users\Admin\AppData\Local\Temp\2024052263be4bb8d339b8fa420874457468b200cobaltstrikecobaltstrike.exe N/A
File created C:\Windows\System\YSXaPIx.exe C:\Users\Admin\AppData\Local\Temp\2024052263be4bb8d339b8fa420874457468b200cobaltstrikecobaltstrike.exe N/A
File created C:\Windows\System\GLEvzJW.exe C:\Users\Admin\AppData\Local\Temp\2024052263be4bb8d339b8fa420874457468b200cobaltstrikecobaltstrike.exe N/A
File created C:\Windows\System\HZgEkeP.exe C:\Users\Admin\AppData\Local\Temp\2024052263be4bb8d339b8fa420874457468b200cobaltstrikecobaltstrike.exe N/A
File created C:\Windows\System\TBcCnxs.exe C:\Users\Admin\AppData\Local\Temp\2024052263be4bb8d339b8fa420874457468b200cobaltstrikecobaltstrike.exe N/A
File created C:\Windows\System\nXjUcqW.exe C:\Users\Admin\AppData\Local\Temp\2024052263be4bb8d339b8fa420874457468b200cobaltstrikecobaltstrike.exe N/A
File created C:\Windows\System\iYVICaI.exe C:\Users\Admin\AppData\Local\Temp\2024052263be4bb8d339b8fa420874457468b200cobaltstrikecobaltstrike.exe N/A
File created C:\Windows\System\ZJOavQi.exe C:\Users\Admin\AppData\Local\Temp\2024052263be4bb8d339b8fa420874457468b200cobaltstrikecobaltstrike.exe N/A
File created C:\Windows\System\GqQLqvM.exe C:\Users\Admin\AppData\Local\Temp\2024052263be4bb8d339b8fa420874457468b200cobaltstrikecobaltstrike.exe N/A
File created C:\Windows\System\GogBUMk.exe C:\Users\Admin\AppData\Local\Temp\2024052263be4bb8d339b8fa420874457468b200cobaltstrikecobaltstrike.exe N/A
File created C:\Windows\System\fLBoDGd.exe C:\Users\Admin\AppData\Local\Temp\2024052263be4bb8d339b8fa420874457468b200cobaltstrikecobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024052263be4bb8d339b8fa420874457468b200cobaltstrikecobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1640 wrote to memory of 1628 N/A C:\Users\Admin\AppData\Local\Temp\2024052263be4bb8d339b8fa420874457468b200cobaltstrikecobaltstrike.exe C:\Windows\System\fLBoDGd.exe
PID 1640 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\2024052263be4bb8d339b8fa420874457468b200cobaltstrikecobaltstrike.exe C:\Windows\System\GLEvzJW.exe
PID 1640 wrote to memory of 1388 N/A C:\Users\Admin\AppData\Local\Temp\2024052263be4bb8d339b8fa420874457468b200cobaltstrikecobaltstrike.exe C:\Windows\System\HZgEkeP.exe
PID 1640 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Local\Temp\2024052263be4bb8d339b8fa420874457468b200cobaltstrikecobaltstrike.exe C:\Windows\System\TBcCnxs.exe
PID 1640 wrote to memory of 2952 N/A C:\Users\Admin\AppData\Local\Temp\2024052263be4bb8d339b8fa420874457468b200cobaltstrikecobaltstrike.exe C:\Windows\System\jeHpZhS.exe
PID 1640 wrote to memory of 3028 N/A C:\Users\Admin\AppData\Local\Temp\2024052263be4bb8d339b8fa420874457468b200cobaltstrikecobaltstrike.exe C:\Windows\System\nXjUcqW.exe
PID 1640 wrote to memory of 2476 N/A C:\Users\Admin\AppData\Local\Temp\2024052263be4bb8d339b8fa420874457468b200cobaltstrikecobaltstrike.exe C:\Windows\System\AkwMsEg.exe
PID 1640 wrote to memory of 2592 N/A C:\Users\Admin\AppData\Local\Temp\2024052263be4bb8d339b8fa420874457468b200cobaltstrikecobaltstrike.exe C:\Windows\System\dWwUaqE.exe
PID 1640 wrote to memory of 2644 N/A C:\Users\Admin\AppData\Local\Temp\2024052263be4bb8d339b8fa420874457468b200cobaltstrikecobaltstrike.exe C:\Windows\System\iYVICaI.exe
PID 1640 wrote to memory of 2544 N/A C:\Users\Admin\AppData\Local\Temp\2024052263be4bb8d339b8fa420874457468b200cobaltstrikecobaltstrike.exe C:\Windows\System\YSXaPIx.exe
PID 1640 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\2024052263be4bb8d339b8fa420874457468b200cobaltstrikecobaltstrike.exe C:\Windows\System\ZJOavQi.exe
PID 1640 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\2024052263be4bb8d339b8fa420874457468b200cobaltstrikecobaltstrike.exe C:\Windows\System\EFhGpkr.exe
PID 1640 wrote to memory of 2384 N/A C:\Users\Admin\AppData\Local\Temp\2024052263be4bb8d339b8fa420874457468b200cobaltstrikecobaltstrike.exe C:\Windows\System\TEYRbku.exe
PID 1640 wrote to memory of 2460 N/A C:\Users\Admin\AppData\Local\Temp\2024052263be4bb8d339b8fa420874457468b200cobaltstrikecobaltstrike.exe C:\Windows\System\IFrFWJc.exe
PID 1640 wrote to memory of 3008 N/A C:\Users\Admin\AppData\Local\Temp\2024052263be4bb8d339b8fa420874457468b200cobaltstrikecobaltstrike.exe C:\Windows\System\rDurjWW.exe
PID 1640 wrote to memory of 828 N/A C:\Users\Admin\AppData\Local\Temp\2024052263be4bb8d339b8fa420874457468b200cobaltstrikecobaltstrike.exe C:\Windows\System\RGVRtSr.exe
PID 1640 wrote to memory of 1248 N/A C:\Users\Admin\AppData\Local\Temp\2024052263be4bb8d339b8fa420874457468b200cobaltstrikecobaltstrike.exe C:\Windows\System\GqQLqvM.exe
PID 1640 wrote to memory of 1900 N/A C:\Users\Admin\AppData\Local\Temp\2024052263be4bb8d339b8fa420874457468b200cobaltstrikecobaltstrike.exe C:\Windows\System\wSUICCS.exe
PID 1640 wrote to memory of 1696 N/A C:\Users\Admin\AppData\Local\Temp\2024052263be4bb8d339b8fa420874457468b200cobaltstrikecobaltstrike.exe C:\Windows\System\GogBUMk.exe
PID 1640 wrote to memory of 2016 N/A C:\Users\Admin\AppData\Local\Temp\2024052263be4bb8d339b8fa420874457468b200cobaltstrikecobaltstrike.exe C:\Windows\System\UDgEhip.exe
PID 1640 wrote to memory of 2280 N/A C:\Users\Admin\AppData\Local\Temp\2024052263be4bb8d339b8fa420874457468b200cobaltstrikecobaltstrike.exe C:\Windows\System\REtfBwO.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024052263be4bb8d339b8fa420874457468b200cobaltstrikecobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024052263be4bb8d339b8fa420874457468b200cobaltstrikecobaltstrike.exe"

C:\Windows\System\fLBoDGd.exe

C:\Windows\System\fLBoDGd.exe

C:\Windows\System\GLEvzJW.exe

C:\Windows\System\GLEvzJW.exe

C:\Windows\System\HZgEkeP.exe

C:\Windows\System\HZgEkeP.exe

C:\Windows\System\TBcCnxs.exe

C:\Windows\System\TBcCnxs.exe

C:\Windows\System\jeHpZhS.exe

C:\Windows\System\jeHpZhS.exe

C:\Windows\System\nXjUcqW.exe

C:\Windows\System\nXjUcqW.exe

C:\Windows\System\AkwMsEg.exe

C:\Windows\System\AkwMsEg.exe

C:\Windows\System\dWwUaqE.exe

C:\Windows\System\dWwUaqE.exe

C:\Windows\System\iYVICaI.exe

C:\Windows\System\iYVICaI.exe

C:\Windows\System\YSXaPIx.exe

C:\Windows\System\YSXaPIx.exe

C:\Windows\System\ZJOavQi.exe

C:\Windows\System\ZJOavQi.exe

C:\Windows\System\EFhGpkr.exe

C:\Windows\System\EFhGpkr.exe

C:\Windows\System\TEYRbku.exe

C:\Windows\System\TEYRbku.exe

C:\Windows\System\IFrFWJc.exe

C:\Windows\System\IFrFWJc.exe

C:\Windows\System\rDurjWW.exe

C:\Windows\System\rDurjWW.exe

C:\Windows\System\RGVRtSr.exe

C:\Windows\System\RGVRtSr.exe

C:\Windows\System\GqQLqvM.exe

C:\Windows\System\GqQLqvM.exe

C:\Windows\System\wSUICCS.exe

C:\Windows\System\wSUICCS.exe

C:\Windows\System\GogBUMk.exe

C:\Windows\System\GogBUMk.exe

C:\Windows\System\UDgEhip.exe

C:\Windows\System\UDgEhip.exe

C:\Windows\System\REtfBwO.exe

C:\Windows\System\REtfBwO.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 tcp

Files

\Windows\system\fLBoDGd.exe
\Windows\system\GLEvzJW.exe
C:\Windows\system\HZgEkeP.exe
C:\Windows\system\TBcCnxs.exe
C:\Windows\system\jeHpZhS.exe
C:\Windows\system\nXjUcqW.exe
\Windows\system\dWwUaqE.exe
C:\Windows\system\AkwMsEg.exe
C:\Windows\system\iYVICaI.exe
C:\Windows\system\EFhGpkr.exe
\Windows\system\TEYRbku.exe
C:\Windows\system\GqQLqvM.exe
C:\Windows\system\UDgEhip.exe
C:\Windows\system\REtfBwO.exe
C:\Windows\system\GogBUMk.exe
C:\Windows\system\wSUICCS.exe
C:\Windows\system\RGVRtSr.exe
C:\Windows\system\rDurjWW.exe
C:\Windows\system\IFrFWJc.exe
C:\Windows\system\ZJOavQi.exe
C:\Windows\system\YSXaPIx.exe

memory/2384-246-0x000000013F950000-0x000000013FCA1000-memory.dmp

memory/2460-248-0x000000013FE40000-0x0000000140191000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-22 18:01

Reported

2024-05-22 18:04

Platform

win10v2004-20240508-en

Max time kernel

148s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024052263be4bb8d339b8fa420874457468b200cobaltstrikecobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A (21 rows; no description, indicator, process or target recorded for any match)

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A (46 rows; no description, indicator, process or target recorded for any match)

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A (64 rows; no description, indicator, process or target recorded for any match)

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\fGLkcgD.exe C:\Users\Admin\AppData\Local\Temp\2024052263be4bb8d339b8fa420874457468b200cobaltstrikecobaltstrike.exe N/A
File created C:\Windows\System\VIHggJD.exe C:\Users\Admin\AppData\Local\Temp\2024052263be4bb8d339b8fa420874457468b200cobaltstrikecobaltstrike.exe N/A
File created C:\Windows\System\HYJBVOn.exe C:\Users\Admin\AppData\Local\Temp\2024052263be4bb8d339b8fa420874457468b200cobaltstrikecobaltstrike.exe N/A
File created C:\Windows\System\GZgCqhL.exe C:\Users\Admin\AppData\Local\Temp\2024052263be4bb8d339b8fa420874457468b200cobaltstrikecobaltstrike.exe N/A
File created C:\Windows\System\UyBpDoV.exe C:\Users\Admin\AppData\Local\Temp\2024052263be4bb8d339b8fa420874457468b200cobaltstrikecobaltstrike.exe N/A
File created C:\Windows\System\XeOHfMq.exe C:\Users\Admin\AppData\Local\Temp\2024052263be4bb8d339b8fa420874457468b200cobaltstrikecobaltstrike.exe N/A
File created C:\Windows\System\ydvceRG.exe C:\Users\Admin\AppData\Local\Temp\2024052263be4bb8d339b8fa420874457468b200cobaltstrikecobaltstrike.exe N/A
File created C:\Windows\System\uXwWqFj.exe C:\Users\Admin\AppData\Local\Temp\2024052263be4bb8d339b8fa420874457468b200cobaltstrikecobaltstrike.exe N/A
File created C:\Windows\System\zbVmqoH.exe C:\Users\Admin\AppData\Local\Temp\2024052263be4bb8d339b8fa420874457468b200cobaltstrikecobaltstrike.exe N/A
File created C:\Windows\System\XKbKsTg.exe C:\Users\Admin\AppData\Local\Temp\2024052263be4bb8d339b8fa420874457468b200cobaltstrikecobaltstrike.exe N/A
File created C:\Windows\System\WWRRQUZ.exe C:\Users\Admin\AppData\Local\Temp\2024052263be4bb8d339b8fa420874457468b200cobaltstrikecobaltstrike.exe N/A
File created C:\Windows\System\irvrdqI.exe C:\Users\Admin\AppData\Local\Temp\2024052263be4bb8d339b8fa420874457468b200cobaltstrikecobaltstrike.exe N/A
File created C:\Windows\System\vvLJmYy.exe C:\Users\Admin\AppData\Local\Temp\2024052263be4bb8d339b8fa420874457468b200cobaltstrikecobaltstrike.exe N/A
File created C:\Windows\System\AfdTyGr.exe C:\Users\Admin\AppData\Local\Temp\2024052263be4bb8d339b8fa420874457468b200cobaltstrikecobaltstrike.exe N/A
File created C:\Windows\System\SdIKoDP.exe C:\Users\Admin\AppData\Local\Temp\2024052263be4bb8d339b8fa420874457468b200cobaltstrikecobaltstrike.exe N/A
File created C:\Windows\System\kUefigO.exe C:\Users\Admin\AppData\Local\Temp\2024052263be4bb8d339b8fa420874457468b200cobaltstrikecobaltstrike.exe N/A
File created C:\Windows\System\KtFEPji.exe C:\Users\Admin\AppData\Local\Temp\2024052263be4bb8d339b8fa420874457468b200cobaltstrikecobaltstrike.exe N/A
File created C:\Windows\System\NHOkfrl.exe C:\Users\Admin\AppData\Local\Temp\2024052263be4bb8d339b8fa420874457468b200cobaltstrikecobaltstrike.exe N/A
File created C:\Windows\System\fyivnAC.exe C:\Users\Admin\AppData\Local\Temp\2024052263be4bb8d339b8fa420874457468b200cobaltstrikecobaltstrike.exe N/A
File created C:\Windows\System\NMyBBLt.exe C:\Users\Admin\AppData\Local\Temp\2024052263be4bb8d339b8fa420874457468b200cobaltstrikecobaltstrike.exe N/A
File created C:\Windows\System\ZHXAIpw.exe C:\Users\Admin\AppData\Local\Temp\2024052263be4bb8d339b8fa420874457468b200cobaltstrikecobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024052263be4bb8d339b8fa420874457468b200cobaltstrikecobaltstrike.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024052263be4bb8d339b8fa420874457468b200cobaltstrikecobaltstrike.exe N/A
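SeLockMemoryPrivilege is the "Lock pages in memory" right; XMRig requests it so it can back its scratchpad with large pages, and very little legitimate software asks for it. The sandbox signature above fires on the AdjustTokenPrivileges call itself. On a Windows 10 host the same action surfaces as Security event 4703 ("A user right was adjusted"), which is noisy because service processes toggle privileges constantly, so the useful check is "who enabled this particular privilege, and is that image expected to". The script below is an added example by the editor, not part of the report or of the sandbox; the event records are constructed to mirror the report's behaviour, the allowlist path is an assumption, and whether a 4703 is written when the caller does not actually hold the right should be confirmed against your own telemetry.

```python
"""Flag processes that enable SeLockMemoryPrivilege outside an allowlist.

Added example, not from the sandbox report. Input: Windows Security event
4703 records as dicts carrying ProcessName, EnabledPrivilegeList and
SubjectUserName (the field names of the real event). SAMPLE_EVENTS are
constructed for this example.
"""
import re

# Assumed allowlist for illustration: database engines with large-page support
# are the usual legitimate holders of "Lock pages in memory".
ALLOWED_IMAGES = {
    r"c:\program files\microsoft sql server\mssql\binn\sqlservr.exe",
}
# Naming pattern of every binary the sample dropped: seven letters, C:\Windows\System\
DROP_PATH_RE = re.compile(r"^c:\\windows\\system\\[a-z]{7}\.exe$")

SAMPLE_EVENTS = [  # constructed records
    {"EventID": 4703, "SubjectUserName": "MSSQLSERVER",
     "ProcessName": r"C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe",
     "EnabledPrivilegeList": "SeLockMemoryPrivilege", "DisabledPrivilegeList": "-"},
    {"EventID": 4703, "SubjectUserName": "SYSTEM",
     "ProcessName": r"C:\Windows\System32\svchost.exe",
     "EnabledPrivilegeList": "SeDebugPrivilege\r\n\t\t\tSeBackupPrivilege", "DisabledPrivilegeList": "-"},
    {"EventID": 4703, "SubjectUserName": "Admin",
     "ProcessName": r"C:\Users\Admin\AppData\Local\Temp\2024052263be4bb8d339b8fa420874457468b200cobaltstrikecobaltstrike.exe",
     "EnabledPrivilegeList": "SeLockMemoryPrivilege", "DisabledPrivilegeList": "-"},
    {"EventID": 4703, "SubjectUserName": "Admin",
     "ProcessName": r"C:\Windows\System\SdIKoDP.exe",
     "EnabledPrivilegeList": "SeLockMemoryPrivilege", "DisabledPrivilegeList": "-"},
    {"EventID": 4688, "SubjectUserName": "Admin",   # unrelated event, must be ignored
     "ProcessName": r"C:\Windows\System\SdIKoDP.exe"},
]


def enabled_privileges(event):
    """The event stores the list newline/tab separated; normalise to a set."""
    raw = event.get("EnabledPrivilegeList", "")
    return {p for p in re.split(r"[\s,]+", raw) if p}


def find_lock_memory_abuse(events):
    """Return one finding per 4703 that enables SeLockMemoryPrivilege from an unlisted image."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 4703:
            continue
        if "SeLockMemoryPrivilege" not in enabled_privileges(ev):
            continue
        image = ev.get("ProcessName", "").lower()
        if image in ALLOWED_IMAGES:
            continue
        reason = "unlisted image enabled SeLockMemoryPrivilege"
        if DROP_PATH_RE.match(image):
            reason += "; random seven-letter name under C:\\Windows\\System\\"
        hits.append({"process": ev["ProcessName"],
                     "user": ev.get("SubjectUserName"),
                     "reason": reason})
    return hits


def triage_sample():
    return find_lock_memory_abuse(SAMPLE_EVENTS)


if __name__ == "__main__":
    for hit in triage_sample():
        print(f"{hit['user']}: {hit['process']} ({hit['reason']})")
```

The second finding combines two weak signals from this report (the privilege and the drop location pattern) into one stronger one; keep the allowlist keyed on full path, and pair it with signature verification where your telemetry carries it, because the dropper writes under C:\Windows\System\ to look like an OS component.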

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 220 wrote to memory of 216 N/A C:\Users\Admin\AppData\Local\Temp\2024052263be4bb8d339b8fa420874457468b200cobaltstrikecobaltstrike.exe C:\Windows\System\SdIKoDP.exe
PID 220 wrote to memory of 216 N/A C:\Users\Admin\AppData\Local\Temp\2024052263be4bb8d339b8fa420874457468b200cobaltstrikecobaltstrike.exe C:\Windows\System\SdIKoDP.exe
PID 220 wrote to memory of 4560 N/A C:\Users\Admin\AppData\Local\Temp\2024052263be4bb8d339b8fa420874457468b200cobaltstrikecobaltstrike.exe C:\Windows\System\kUefigO.exe
PID 220 wrote to memory of 4560 N/A C:\Users\Admin\AppData\Local\Temp\2024052263be4bb8d339b8fa420874457468b200cobaltstrikecobaltstrike.exe C:\Windows\System\kUefigO.exe
PID 220 wrote to memory of 5012 N/A C:\Users\Admin\AppData\Local\Temp\2024052263be4bb8d339b8fa420874457468b200cobaltstrikecobaltstrike.exe C:\Windows\System\fGLkcgD.exe
PID 220 wrote to memory of 5012 N/A C:\Users\Admin\AppData\Local\Temp\2024052263be4bb8d339b8fa420874457468b200cobaltstrikecobaltstrike.exe C:\Windows\System\fGLkcgD.exe
PID 220 wrote to memory of 1428 N/A C:\Users\Admin\AppData\Local\Temp\2024052263be4bb8d339b8fa420874457468b200cobaltstrikecobaltstrike.exe C:\Windows\System\KtFEPji.exe
PID 220 wrote to memory of 1428 N/A C:\Users\Admin\AppData\Local\Temp\2024052263be4bb8d339b8fa420874457468b200cobaltstrikecobaltstrike.exe C:\Windows\System\KtFEPji.exe
PID 220 wrote to memory of 2904 N/A C:\Users\Admin\AppData\Local\Temp\2024052263be4bb8d339b8fa420874457468b200cobaltstrikecobaltstrike.exe C:\Windows\System\XKbKsTg.exe
PID 220 wrote to memory of 2904 N/A C:\Users\Admin\AppData\Local\Temp\2024052263be4bb8d339b8fa420874457468b200cobaltstrikecobaltstrike.exe C:\Windows\System\XKbKsTg.exe
PID 220 wrote to memory of 3784 N/A C:\Users\Admin\AppData\Local\Temp\2024052263be4bb8d339b8fa420874457468b200cobaltstrikecobaltstrike.exe C:\Windows\System\WWRRQUZ.exe
PID 220 wrote to memory of 3784 N/A C:\Users\Admin\AppData\Local\Temp\2024052263be4bb8d339b8fa420874457468b200cobaltstrikecobaltstrike.exe C:\Windows\System\WWRRQUZ.exe
PID 220 wrote to memory of 1864 N/A C:\Users\Admin\AppData\Local\Temp\2024052263be4bb8d339b8fa420874457468b200cobaltstrikecobaltstrike.exe C:\Windows\System\VIHggJD.exe
PID 220 wrote to memory of 1864 N/A C:\Users\Admin\AppData\Local\Temp\2024052263be4bb8d339b8fa420874457468b200cobaltstrikecobaltstrike.exe C:\Windows\System\VIHggJD.exe
PID 220 wrote to memory of 4640 N/A C:\Users\Admin\AppData\Local\Temp\2024052263be4bb8d339b8fa420874457468b200cobaltstrikecobaltstrike.exe C:\Windows\System\ydvceRG.exe
PID 220 wrote to memory of 4640 N/A C:\Users\Admin\AppData\Local\Temp\2024052263be4bb8d339b8fa420874457468b200cobaltstrikecobaltstrike.exe C:\Windows\System\ydvceRG.exe
PID 220 wrote to memory of 2460 N/A C:\Users\Admin\AppData\Local\Temp\2024052263be4bb8d339b8fa420874457468b200cobaltstrikecobaltstrike.exe C:\Windows\System\irvrdqI.exe
PID 220 wrote to memory of 2460 N/A C:\Users\Admin\AppData\Local\Temp\2024052263be4bb8d339b8fa420874457468b200cobaltstrikecobaltstrike.exe C:\Windows\System\irvrdqI.exe
PID 220 wrote to memory of 676 N/A C:\Users\Admin\AppData\Local\Temp\2024052263be4bb8d339b8fa420874457468b200cobaltstrikecobaltstrike.exe C:\Windows\System\NHOkfrl.exe
PID 220 wrote to memory of 676 N/A C:\Users\Admin\AppData\Local\Temp\2024052263be4bb8d339b8fa420874457468b200cobaltstrikecobaltstrike.exe C:\Windows\System\NHOkfrl.exe
PID 220 wrote to memory of 64 N/A C:\Users\Admin\AppData\Local\Temp\2024052263be4bb8d339b8fa420874457468b200cobaltstrikecobaltstrike.exe C:\Windows\System\fyivnAC.exe
PID 220 wrote to memory of 64 N/A C:\Users\Admin\AppData\Local\Temp\2024052263be4bb8d339b8fa420874457468b200cobaltstrikecobaltstrike.exe C:\Windows\System\fyivnAC.exe
PID 220 wrote to memory of 2532 N/A C:\Users\Admin\AppData\Local\Temp\2024052263be4bb8d339b8fa420874457468b200cobaltstrikecobaltstrike.exe C:\Windows\System\NMyBBLt.exe
PID 220 wrote to memory of 2532 N/A C:\Users\Admin\AppData\Local\Temp\2024052263be4bb8d339b8fa420874457468b200cobaltstrikecobaltstrike.exe C:\Windows\System\NMyBBLt.exe
PID 220 wrote to memory of 868 N/A C:\Users\Admin\AppData\Local\Temp\2024052263be4bb8d339b8fa420874457468b200cobaltstrikecobaltstrike.exe C:\Windows\System\uXwWqFj.exe
PID 220 wrote to memory of 868 N/A C:\Users\Admin\AppData\Local\Temp\2024052263be4bb8d339b8fa420874457468b200cobaltstrikecobaltstrike.exe C:\Windows\System\uXwWqFj.exe
PID 220 wrote to memory of 660 N/A C:\Users\Admin\AppData\Local\Temp\2024052263be4bb8d339b8fa420874457468b200cobaltstrikecobaltstrike.exe C:\Windows\System\zbVmqoH.exe
PID 220 wrote to memory of 660 N/A C:\Users\Admin\AppData\Local\Temp\2024052263be4bb8d339b8fa420874457468b200cobaltstrikecobaltstrike.exe C:\Windows\System\zbVmqoH.exe
PID 220 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Local\Temp\2024052263be4bb8d339b8fa420874457468b200cobaltstrikecobaltstrike.exe C:\Windows\System\vvLJmYy.exe
PID 220 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Local\Temp\2024052263be4bb8d339b8fa420874457468b200cobaltstrikecobaltstrike.exe C:\Windows\System\vvLJmYy.exe
PID 220 wrote to memory of 2472 N/A C:\Users\Admin\AppData\Local\Temp\2024052263be4bb8d339b8fa420874457468b200cobaltstrikecobaltstrike.exe C:\Windows\System\ZHXAIpw.exe
PID 220 wrote to memory of 2472 N/A C:\Users\Admin\AppData\Local\Temp\2024052263be4bb8d339b8fa420874457468b200cobaltstrikecobaltstrike.exe C:\Windows\System\ZHXAIpw.exe
PID 220 wrote to memory of 1912 N/A C:\Users\Admin\AppData\Local\Temp\2024052263be4bb8d339b8fa420874457468b200cobaltstrikecobaltstrike.exe C:\Windows\System\AfdTyGr.exe
PID 220 wrote to memory of 1912 N/A C:\Users\Admin\AppData\Local\Temp\2024052263be4bb8d339b8fa420874457468b200cobaltstrikecobaltstrike.exe C:\Windows\System\AfdTyGr.exe
PID 220 wrote to memory of 1048 N/A C:\Users\Admin\AppData\Local\Temp\2024052263be4bb8d339b8fa420874457468b200cobaltstrikecobaltstrike.exe C:\Windows\System\HYJBVOn.exe
PID 220 wrote to memory of 1048 N/A C:\Users\Admin\AppData\Local\Temp\2024052263be4bb8d339b8fa420874457468b200cobaltstrikecobaltstrike.exe C:\Windows\System\HYJBVOn.exe
PID 220 wrote to memory of 2852 N/A C:\Users\Admin\AppData\Local\Temp\2024052263be4bb8d339b8fa420874457468b200cobaltstrikecobaltstrike.exe C:\Windows\System\GZgCqhL.exe
PID 220 wrote to memory of 2852 N/A C:\Users\Admin\AppData\Local\Temp\2024052263be4bb8d339b8fa420874457468b200cobaltstrikecobaltstrike.exe C:\Windows\System\GZgCqhL.exe
PID 220 wrote to memory of 4708 N/A C:\Users\Admin\AppData\Local\Temp\2024052263be4bb8d339b8fa420874457468b200cobaltstrikecobaltstrike.exe C:\Windows\System\UyBpDoV.exe
PID 220 wrote to memory of 4708 N/A C:\Users\Admin\AppData\Local\Temp\2024052263be4bb8d339b8fa420874457468b200cobaltstrikecobaltstrike.exe C:\Windows\System\UyBpDoV.exe
PID 220 wrote to memory of 2244 N/A C:\Users\Admin\AppData\Local\Temp\2024052263be4bb8d339b8fa420874457468b200cobaltstrikecobaltstrike.exe C:\Windows\System\XeOHfMq.exe
PID 220 wrote to memory of 2244 N/A C:\Users\Admin\AppData\Local\Temp\2024052263be4bb8d339b8fa420874457468b200cobaltstrikecobaltstrike.exe C:\Windows\System\XeOHfMq.exe
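The WriteProcessMemory table is how this sandbox records process creation: PID 220 (the submitted sample) writes into each child it starts, and every child appears twice. Read together with the "Drops file in Windows directory" table it gives the dropper's fan-out: one parent, 21 files written to C:\Windows\System\ with seven-letter mixed-case names, and each one executed. The script below is an added example by the editor, not part of the report; it rebuilds that relationship from the rows themselves. The input is a subset of the rows above, and the spawn rows for VIHggJD.exe are deliberately left out so the "dropped but not executed" check has something to report.

```python
"""Rebuild parent/child relationships from a sandbox report's
"Suspicious use of WriteProcessMemory" and "Drops file in Windows directory" rows.

Added example, not part of the report. The row grammar is inferred from the
tables above; SAMPLE is a subset of those rows.
"""
import re
from collections import defaultdict

WRITE_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)$")
DROP_RE = re.compile(r"^File created (\S+) (\S+) N/A$")
# Every dropped binary in this report: seven letters, .exe, under C:\Windows\System\
DROP_NAME_RE = re.compile(r"^C:\\Windows\\System\\[A-Za-z]{7}\.exe$", re.IGNORECASE)

DROPPER = r"C:\Users\Admin\AppData\Local\Temp\2024052263be4bb8d339b8fa420874457468b200cobaltstrikecobaltstrike.exe"

SAMPLE = "\n".join([  # subset of the report rows; VIHggJD.exe spawn rows omitted on purpose
    f"File created C:\\Windows\\System\\fGLkcgD.exe {DROPPER} N/A",
    f"File created C:\\Windows\\System\\VIHggJD.exe {DROPPER} N/A",
    f"File created C:\\Windows\\System\\SdIKoDP.exe {DROPPER} N/A",
    f"File created C:\\Windows\\System\\kUefigO.exe {DROPPER} N/A",
    f"PID 220 wrote to memory of 216 N/A {DROPPER} C:\\Windows\\System\\SdIKoDP.exe",
    f"PID 220 wrote to memory of 216 N/A {DROPPER} C:\\Windows\\System\\SdIKoDP.exe",
    f"PID 220 wrote to memory of 4560 N/A {DROPPER} C:\\Windows\\System\\kUefigO.exe",
    f"PID 220 wrote to memory of 4560 N/A {DROPPER} C:\\Windows\\System\\kUefigO.exe",
    f"PID 220 wrote to memory of 5012 N/A {DROPPER} C:\\Windows\\System\\fGLkcgD.exe",
    f"PID 220 wrote to memory of 5012 N/A {DROPPER} C:\\Windows\\System\\fGLkcgD.exe",
])


def parse_rows(text):
    """Return (dropped path -> dropping image, parent pid -> {(child pid, child image)}, raw write rows)."""
    drops = {}
    spawns = defaultdict(set)
    raw_writes = 0
    for line in text.splitlines():
        line = line.strip()
        m = WRITE_RE.match(line)
        if m:
            raw_writes += 1
            ppid, cpid, _parent, child = m.groups()
            spawns[int(ppid)].add((int(cpid), child))   # set: collapses the doubled rows
            continue
        m = DROP_RE.match(line)
        if m:
            drops[m.group(1)] = m.group(2)
    return drops, spawns, raw_writes


def summarise(text):
    drops, spawns, raw_writes = parse_rows(text)
    executed = {img.casefold(): pid for s in spawns.values() for pid, img in s}
    dropped = {p.casefold(): p for p in drops}
    return {
        "raw_write_rows": raw_writes,
        "unique_children": sum(len(s) for s in spawns.values()),
        "parents": sorted(spawns),
        "dropped_not_executed": sorted(dropped[p] for p in dropped if p not in executed),
        "executed_not_dropped": sorted(img for s in spawns.values()
                                       for _, img in s if img.casefold() not in dropped),
        "random_named_drops": sum(bool(DROP_NAME_RE.match(p)) for p in drops),
    }


if __name__ == "__main__":
    for key, value in summarise(SAMPLE).items():
        print(f"{key}: {value}")
```

Run it over the full tables and both difference lists come back empty: every file the sample wrote under C:\Windows\System\ was also launched from PID 220, which is the behaviour the "Executes dropped EXE" tag in the summary refers to.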

Processes

C:\Users\Admin\AppData\Local\Temp\2024052263be4bb8d339b8fa420874457468b200cobaltstrikecobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024052263be4bb8d339b8fa420874457468b200cobaltstrikecobaltstrike.exe"

C:\Windows\System\SdIKoDP.exe

C:\Windows\System\SdIKoDP.exe

C:\Windows\System\kUefigO.exe

C:\Windows\System\kUefigO.exe

C:\Windows\System\fGLkcgD.exe

C:\Windows\System\fGLkcgD.exe

C:\Windows\System\KtFEPji.exe

C:\Windows\System\KtFEPji.exe

C:\Windows\System\XKbKsTg.exe

C:\Windows\System\XKbKsTg.exe

C:\Windows\System\WWRRQUZ.exe

C:\Windows\System\WWRRQUZ.exe

C:\Windows\System\VIHggJD.exe

C:\Windows\System\VIHggJD.exe

C:\Windows\System\ydvceRG.exe

C:\Windows\System\ydvceRG.exe

C:\Windows\System\irvrdqI.exe

C:\Windows\System\irvrdqI.exe

C:\Windows\System\NHOkfrl.exe

C:\Windows\System\NHOkfrl.exe

C:\Windows\System\fyivnAC.exe

C:\Windows\System\fyivnAC.exe

C:\Windows\System\NMyBBLt.exe

C:\Windows\System\NMyBBLt.exe

C:\Windows\System\uXwWqFj.exe

C:\Windows\System\uXwWqFj.exe

C:\Windows\System\zbVmqoH.exe

C:\Windows\System\zbVmqoH.exe

C:\Windows\System\vvLJmYy.exe

C:\Windows\System\vvLJmYy.exe

C:\Windows\System\ZHXAIpw.exe

C:\Windows\System\ZHXAIpw.exe

C:\Windows\System\AfdTyGr.exe

C:\Windows\System\AfdTyGr.exe

C:\Windows\System\HYJBVOn.exe

C:\Windows\System\HYJBVOn.exe

C:\Windows\System\GZgCqhL.exe

C:\Windows\System\GZgCqhL.exe

C:\Windows\System\UyBpDoV.exe

C:\Windows\System\UyBpDoV.exe

C:\Windows\System\XeOHfMq.exe

C:\Windows\System\XeOHfMq.exe

Network

Country  Destination         Domain                       Proto
US       8.8.8.8:53          133.211.185.52.in-addr.arpa  udp
US       8.8.8.8:53          240.221.184.93.in-addr.arpa  udp
DE       3.120.209.58:8080                                tcp
US       8.8.8.8:53          23.159.190.20.in-addr.arpa   udp
US       8.8.8.8:53          g.bing.com                   udp
US       204.79.197.237:443  g.bing.com                   tcp
US       8.8.8.8:53          237.197.79.204.in-addr.arpa  udp
US       8.8.8.8:53          217.106.137.52.in-addr.arpa  udp
US       8.8.8.8:53          58.55.71.13.in-addr.arpa     udp
US       8.8.8.8:53          50.23.12.20.in-addr.arpa     udp
US       8.8.8.8:53          206.23.85.13.in-addr.arpa    udp
US       8.8.8.8:53          31.251.17.2.in-addr.arpa     udp
DE       3.120.209.58:8080                                tcp
DE       3.120.209.58:8080                                tcp
US       8.8.8.8:53          205.47.74.20.in-addr.arpa    udp
DE       3.120.209.58:8080                                tcp
US       8.8.8.8:53          14.227.111.52.in-addr.arpa   udp
US       8.8.8.8:53          tse1.mm.bing.net             udp
US       204.79.197.200:443  tse1.mm.bing.net             tcp
US       204.79.197.200:443  tse1.mm.bing.net             tcp
US       204.79.197.200:443  tse1.mm.bing.net             tcp
US       204.79.197.200:443  tse1.mm.bing.net             tcp
US       8.8.8.8:53          200.197.79.204.in-addr.arpa  udp
DE       3.120.209.58:8080                                tcp
DE       3.120.209.58:8080                                tcp
US       8.8.8.8:53          26.178.89.13.in-addr.arpa    udp
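Most of this table is noise that a Windows 10 guest produces on its own: reverse (in-addr.arpa) lookups of addresses the guest talked to (237.197.79.204.in-addr.arpa is the PTR name for 204.79.197.237, the g.bing.com address two rows earlier) and Bing traffic. What remains is six TCP sessions to 3.120.209.58:8080 with no DNS resolution in front of them, which is the only destination here attributable to the sample; the report records no payload for them, so the table supports "repeated direct-to-IP sessions on 8080", not more. The script below is an added example by the editor, not part of the report; NETWORK_TABLE is the table above verbatim, and the background-traffic suffixes are the editor's assumption, to be replaced by your own sandbox baseline.

```python
"""Separate guest background traffic from sample-attributable sessions in a
sandbox Network table.

Added example, not part of the report. NETWORK_TABLE is copied from the report;
the classification rules and BACKGROUND_SUFFIXES are the editor's assumptions.
"""
import re
from collections import Counter

ROW_RE = re.compile(
    r"^(?P<cc>[A-Z]{2})\s+(?P<ip>[\d.]+):(?P<port>\d+)"
    r"(?:\s+(?P<domain>[A-Za-z0-9.-]+))?\s+(?P<proto>tcp|udp)$"
)
# Assumed benign Windows 10 guest traffic; confirm against a clean-guest baseline.
BACKGROUND_SUFFIXES = (".bing.com", ".bing.net")

NETWORK_TABLE = """\
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 23.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 31.251.17.2.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 26.178.89.13.in-addr.arpa udp
"""


def classify(row):
    """Return a dict describing one table row, or None for a non-matching line."""
    m = ROW_RE.match(row.strip())
    if not m:
        return None
    d = m.groupdict()
    domain = d["domain"] or ""
    if d["port"] == "53" and d["proto"] == "udp":
        # reverse lookups are the guest resolving addresses it already contacted
        kind = "ptr_lookup" if domain.endswith(".in-addr.arpa") else "dns_query"
    elif domain.endswith(BACKGROUND_SUFFIXES):
        kind = "background"
    elif not domain:
        kind = "unresolved"     # session to a literal IP, no DNS in front of it
    else:
        kind = "other"
    return {"dest": f"{d['ip']}:{d['port']}", "domain": domain,
            "proto": d["proto"], "country": d["cc"], "kind": kind}


def triage(table):
    rows = [c for c in (classify(r) for r in table.splitlines()) if c]
    return {
        "rows": len(rows),
        "kinds": dict(Counter(r["kind"] for r in rows)),
        "unresolved": dict(Counter(r["dest"] for r in rows if r["kind"] == "unresolved")),
    }


if __name__ == "__main__":
    print(triage(NETWORK_TABLE))
```

The "unresolved" bucket is the one to carry into a hunt: an endpoint opening repeated TCP sessions to an IP literal on a non-standard port with no preceding DNS query is detectable from proxy or flow logs alone, without any knowledge of the beacon's contents.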

Files

memory/220-0-0x00007FF7351F0000-0x00007FF735541000-memory.dmp

memory/220-1-0x00000284E3BD0000-0x00000284E3BE0000-memory.dmp

C:\Windows\System\SdIKoDP.exe

MD5 2fa2e30bfb8cafcae33ff733b110b07e
SHA1 3ca3563d0b96fbc60cf8e84224a93f19d69df7b5
SHA256 41f160cba604b2b2e3580f4bc849e756fd166ea9f5e520b616cbb486a08e562d
SHA512 1be77d3c2783c3bdacd35f4882e04e5bbae62e1cb802ed31f8787647382b1db3ae4bc88c8f0e5edb6fc67183dbabc3f47bec1199e278dd83a67407babac0172b

memory/216-6-0x00007FF622DF0000-0x00007FF623141000-memory.dmp

C:\Windows\System\fGLkcgD.exe

MD5 db5d1835498be84da78cd6ba95ae7c72
SHA1 cbead27cb8e33b83dd2241a2e985cd7d1df625a5
SHA256 e821ce2cd1736ff4ca09122a17c7f19f49004f0c629a60c6e799d6ab92ed7fbf
SHA512 98441cf1085d5f8f5e6d5406f699eef60dac475009b96ce5d4784affd530280e2ea7fc1a4270d9257a53eabfbf845845fba5bee57f9dab170f1ac455fbaf3605

C:\Windows\System\kUefigO.exe

MD5 97dca85e3e6146dac753008091ce8fc1
SHA1 aed314569254d9fd0d128eb50aef7409e983645e
SHA256 c4b7754588213129690721eed373e790894979156048db3cc0740d3331e8ac51
SHA512 8c24e1a8f53e5899b4d94ecfd7c2a5105c512158271c955bd4cffa4edc3840a16504e8e85e6c46733efd5d358665d9900dc8671e6866fb91c39dc36d15a59275

memory/5012-18-0x00007FF7B8CA0000-0x00007FF7B8FF1000-memory.dmp

memory/4560-14-0x00007FF789DF0000-0x00007FF78A141000-memory.dmp

C:\Windows\System\KtFEPji.exe

MD5 401341dbf1741aeb5fdf07ba6aa9d2cb
SHA1 5877d30926033b2643dc9c3c9abd8ed783dd01c7
SHA256 7ed3216534b62e0ffb43c3a54a41fa8a1af0f764e0e091d7c29c8c2f1f390f84
SHA512 4e0c5789a90a285a20839590eab3efa86ff693a4b218fb716b27b5dd1c689a6d70ac83df4609710e55515f0e610f53c8b7b7f6daa884076e34d3c73e2e4fa7d9

C:\Windows\System\XKbKsTg.exe

MD5 052f6b011b4bd1ce7da06aa7d97c7fec
SHA1 852c5893e3d7205cda844c1d33c4ad7afa9995eb
SHA256 ca302a88cf717fc55a914fab5154621bf7f15b85b3e388746044b52798b77c62
SHA512 4119c6cc5331f6b01433a9740e33516e95f78fb782964e44bddd2f18ed2d465105dedbcc7b2890f3f36cdebc4d5fbb36206a37b1811a889cd1635ca995d204e0

memory/1428-26-0x00007FF66E080000-0x00007FF66E3D1000-memory.dmp

C:\Windows\System\WWRRQUZ.exe

MD5 a637faae944a00c689d91cc5d64554fe
SHA1 cd14467a9ad6d0dbb33b608349949e98dab546d8
SHA256 d8345b1c4722f4f6d6d330971f7650618f06d2b979e5458543d6e50e5b518b4e
SHA512 9c4c6fdfe42bdc70a4e82645d027a5b9cd4717b4f89d9db332d7f21555583b75e48f594fc39783193999a37b9785c1565bd39a458cd1899e80d5e93ce14e769a

memory/2904-33-0x00007FF738CF0000-0x00007FF739041000-memory.dmp

C:\Windows\System\VIHggJD.exe

MD5 f750739068c020ac031f2d68202cbe0c
SHA1 99350c14e7c0c4db436734c734d62f7f174ce079
SHA256 deb4f0cd45dd2a25ed7a9284b5ef659aba1137dd20bc365ea1da3729f71188c0
SHA512 87db1c624d7ee2b9451ca1c9e72be35b5dcaaac20fbde3b4c22582a898e2b11083f96a22b0b83d19f836547ab83b2a27e450e0134f1ad8e5fc316743b220a342

memory/3784-40-0x00007FF6F6790000-0x00007FF6F6AE1000-memory.dmp

memory/1864-44-0x00007FF755C80000-0x00007FF755FD1000-memory.dmp

C:\Windows\System\ydvceRG.exe

MD5 58a906c9bea4b7cf45798bf16b039c79
SHA1 80721aca70b93e89aee1281825ca515fe71377d2
SHA256 1888798d4df987ce2a0d295d898fa5ea29e899adc4172d0a7d6e32bd017a145f
SHA512 65698b75aa95da0b859b024a6edce5ae325dd8ec3a822ba1c095011c0d0f701aa0acfab3ee7b34a3e32ffddeabee0b82a6cc7ed840d48e284527e3e69cfe755f

memory/4640-52-0x00007FF6529D0000-0x00007FF652D21000-memory.dmp

C:\Windows\System\irvrdqI.exe

MD5 bac658ffc72f970919411ce70a3f56b4
SHA1 c83e6acbee326f67ae3db9d78d5d6ee8559ca3ae
SHA256 5f001d3ae412be2128d4af66b84db2c8d71397e4b364237caba49faf2d57dd60
SHA512 1d9419659f2850b0017279a0fa71dfd4b18af3295b74ed2d6bc4852ad404633536443c5a504bbb7df631757cb9e5cd41316a184067c6a3bba544b7468dfad1f8

memory/2460-56-0x00007FF79CBB0000-0x00007FF79CF01000-memory.dmp

C:\Windows\System\NHOkfrl.exe

MD5 da473e0a7521f3d8879ff1982bfca922
SHA1 a3fe28430e768e53d84f90c5008cc3dcc4ef8316
SHA256 ec7b3e19fa576a96c2d8705d8e64d72381905dcc78452554b08b1d411d29eada
SHA512 0c308ccd548ab11f100560666c8123c474aafe2965fa8b176f6c7cf8aa49b82b3dfbd4036f25efb8e2cfc46792f0bbd4fa9c2c9e1f5949aafc3ec0cbd96bdfe1

C:\Windows\System\fyivnAC.exe

MD5 c232590739b3ee2939abaa2c120b8217
SHA1 6316bdbac7b3795dd7e2aa526ff22ac211a90cb2
SHA256 908647fe42f314038aa4cc756c4b643bfd2551729de2fa9066c85f8eb0f5ba3e
SHA512 3e02f6bd06e08efdeab3b1109d83a59d0e2e2a6914df89f90cbd7ceb343cb3ae10b080980e199d21d281eeee9bb6313161731b212de38392c2aa9ca88d34a8c3

C:\Windows\System\NMyBBLt.exe

MD5 680213ad05f8b7242354f6f465ee2adb
SHA1 cc7ceeffddf84adf7d4a749b7ef669442e025b48
SHA256 84c090e3577e9ae528e62859be454a5c0723206b0986d1b5eb8be74665e8987e
SHA512 ff97105cd289a9be62eafc1c9d9577d1148e0eb8ad59852230d8d70283000e8f0ca826ff2d797d77103ad78309a5604d66ef4efd9f9ad1f51682af63d5980bfe

memory/64-75-0x00007FF7296C0000-0x00007FF729A11000-memory.dmp

C:\Windows\System\uXwWqFj.exe

MD5 38947535975f5371e1518b83cd5c0d37
SHA1 30dba92ccafbc809e29f29b5f3df3a4da00fbbb2
SHA256 9a1c2d3000473c51829eeb6f1628cae36cb07c877dd3b9e286394b00c34510d6
SHA512 7592bd5c472c58553d4dc46585722f677a4dd52150215c2c1fd8e7945e3571a87417c2a547a0487a8ae9936656cbaca89ad6308cac0d84de01fd7f95bc76cada

memory/5012-84-0x00007FF7B8CA0000-0x00007FF7B8FF1000-memory.dmp

C:\Windows\System\zbVmqoH.exe

MD5 cb32241c92c462f38e486869e98b2c12
SHA1 8c6684115a5091f88e69435fd64cfe3d33f67c4d
SHA256 80484bd03528edef3d03d17cdb7f0ae5236f8b08f64b67745b0d397997bd36d3
SHA512 3c448f2f4eca11ddfed115866c8e35d930d4149ada9496069082f382316dfa6f052b9bcb0462db5513a8d5b88c9bc6259f66a4ebbfe4fe241ea8123e8ad405da

C:\Windows\System\vvLJmYy.exe

MD5 faf4f5e6902b454e4e42f7ca391841e5
SHA1 f9cdca20c6ea067511e336c8b8d6991a71922316
SHA256 7f91eb527ed88ec7af67961a2eb440c2952a8ff9ee0aa2f16f75993c8adb6245
SHA512 d9a7001d9210f7334ef22a4d9f1a45649e4610f4c016923d0bd29c458e3fb3204006f28b3e57302b4a6bf5f699f6cdc6a602f3d491ee28f949960716e51b6046

C:\Windows\System\ZHXAIpw.exe

MD5 81ffd519da8db987cf440893b70e8384
SHA1 27668f2dbe497a31863f0bac4a9c14d6adfef8af
SHA256 26ddc70cb17339c10516104a582d337b692d1ba2fd35aa536d1ed3dd9b08548c
SHA512 6188ab40e1b95677d66017e8812475d40eb6699361bc750ef14f9fac5720d9b7a03023aca06644506cf9a32c5760fc864e5542048371c8557ef1da8272443094

memory/2904-108-0x00007FF738CF0000-0x00007FF739041000-memory.dmp

C:\Windows\System\AfdTyGr.exe

MD5 2b3a36ac3230bedaee109783ac4c1fef
SHA1 16411d9b0e9bd51a456086e93ae08210d81ae789
SHA256 9d7e10210a361b3156569d5f002f884e370682110fbe408eb4d64da80647c1db
SHA512 2a1d77d01ba544da2d5db7afc87b4ad3d3cc937c4657993e5c7c92009acd62f880a10df3ae210e61504b55ade301fad362f367b23f7ed79362a64f8011cb99c4

C:\Windows\System\GZgCqhL.exe

MD5 2814864a3c40ac9fbcef0ec358908533
SHA1 768fa6c2c3f3415f73b788120c8398ff5d80a57e
SHA256 e1bf2ae11a245c780717ea00d091b596316d8c862e26d11ee1e2e721196db348
SHA512 111dc1f7c12db41e9d08b0fb63ef7b1473200030c33fe8de0bef8dce0b6314258428494e2dfe0c4cc72b7573cd127494e21d0b9d681a79a79af5f28e9ec06a44

memory/1048-117-0x00007FF759C80000-0x00007FF759FD1000-memory.dmp

C:\Windows\System\HYJBVOn.exe

MD5 e76a9fc0d56ce04b2669103054cecd08
SHA1 941f9a7ba231539c5222a73b7da937afac427855
SHA256 fa50e02c2a007cd8006ddf5ea7d9b0de6f5a31cb6e7f15d2b4d4f10a42a6a41f
SHA512 56b8bbfbdd5e61fd33080298e696f2cef97714d7111ea5c38f1377a17d71ecc878fc98c1659174ec4418872a1368302e6b7e54a4b1cd36156fcc951a04a343ad

memory/1912-112-0x00007FF669D00000-0x00007FF66A051000-memory.dmp

memory/2472-109-0x00007FF6B1450000-0x00007FF6B17A1000-memory.dmp

memory/2692-94-0x00007FF7C48A0000-0x00007FF7C4BF1000-memory.dmp

memory/660-93-0x00007FF79BAF0000-0x00007FF79BE41000-memory.dmp

memory/868-86-0x00007FF7887A0000-0x00007FF788AF1000-memory.dmp

memory/2532-78-0x00007FF618690000-0x00007FF6189E1000-memory.dmp

memory/4560-76-0x00007FF789DF0000-0x00007FF78A141000-memory.dmp

memory/216-69-0x00007FF622DF0000-0x00007FF623141000-memory.dmp

memory/676-62-0x00007FF71C3C0000-0x00007FF71C711000-memory.dmp

memory/220-61-0x00007FF7351F0000-0x00007FF735541000-memory.dmp

memory/2852-128-0x00007FF6110F0000-0x00007FF611441000-memory.dmp

C:\Windows\System\XeOHfMq.exe

MD5 9bcaa3972771ad3419d6d9e7c40c97f6
SHA1 f3e5c4406df8bb603ad22b675f37b4f5bb9cc4b2
SHA256 f6321f854faf836c7f2f7e39b63349735172e4634d08a5d24b81cc155d6d7531
SHA512 68c09cb98c39be71c557fd7af70deb04fc5b10baf8fef6e026b657ab19b70a5482e55cb4e308541f7fd8259ea5e9b08bebb21042013ba2137008d447477e94a8

memory/4708-139-0x00007FF7BE0D0000-0x00007FF7BE421000-memory.dmp

memory/2244-141-0x00007FF6B1930000-0x00007FF6B1C81000-memory.dmp

memory/4640-135-0x00007FF6529D0000-0x00007FF652D21000-memory.dmp

memory/1864-134-0x00007FF755C80000-0x00007FF755FD1000-memory.dmp

C:\Windows\System\UyBpDoV.exe

MD5 bc7f66e2c1f04b4cdb341261881cefcd
SHA1 75e1a151419662e0f518023a833a57a80235cc66
SHA256 06f69e5a9429a5740fe5d7a9369a8a6cc87ceee2bfdae86abb5db20d47be0258
SHA512 ea484c4924321e83290054f7a2d3fa078765149524b752a356125a994cf635a1c70518649c4920284a27598dba20db5ce5cd1bdfe50becc2f64e19525d9f524f

memory/676-145-0x00007FF71C3C0000-0x00007FF71C711000-memory.dmp

memory/2692-150-0x00007FF7C48A0000-0x00007FF7C4BF1000-memory.dmp

memory/1048-153-0x00007FF759C80000-0x00007FF759FD1000-memory.dmp

memory/1912-152-0x00007FF669D00000-0x00007FF66A051000-memory.dmp

memory/220-156-0x00007FF7351F0000-0x00007FF735541000-memory.dmp

memory/216-203-0x00007FF622DF0000-0x00007FF623141000-memory.dmp

memory/4560-205-0x00007FF789DF0000-0x00007FF78A141000-memory.dmp

memory/5012-207-0x00007FF7B8CA0000-0x00007FF7B8FF1000-memory.dmp

memory/1428-215-0x00007FF66E080000-0x00007FF66E3D1000-memory.dmp

memory/2904-217-0x00007FF738CF0000-0x00007FF739041000-memory.dmp

memory/3784-219-0x00007FF6F6790000-0x00007FF6F6AE1000-memory.dmp

memory/1864-221-0x00007FF755C80000-0x00007FF755FD1000-memory.dmp

memory/4640-225-0x00007FF6529D0000-0x00007FF652D21000-memory.dmp

memory/2460-227-0x00007FF79CBB0000-0x00007FF79CF01000-memory.dmp

memory/676-229-0x00007FF71C3C0000-0x00007FF71C711000-memory.dmp

memory/64-231-0x00007FF7296C0000-0x00007FF729A11000-memory.dmp

memory/2532-233-0x00007FF618690000-0x00007FF6189E1000-memory.dmp

memory/868-235-0x00007FF7887A0000-0x00007FF788AF1000-memory.dmp

memory/660-237-0x00007FF79BAF0000-0x00007FF79BE41000-memory.dmp

memory/2692-239-0x00007FF7C48A0000-0x00007FF7C4BF1000-memory.dmp

memory/2472-241-0x00007FF6B1450000-0x00007FF6B17A1000-memory.dmp

memory/1912-243-0x00007FF669D00000-0x00007FF66A051000-memory.dmp

memory/1048-245-0x00007FF759C80000-0x00007FF759FD1000-memory.dmp

memory/2852-247-0x00007FF6110F0000-0x00007FF611441000-memory.dmp

memory/4708-252-0x00007FF7BE0D0000-0x00007FF7BE421000-memory.dmp

memory/2244-254-0x00007FF6B1930000-0x00007FF6B1C81000-memory.dmp
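The memory entries encode pid, dump sequence number and the mapped range; computing end minus start for each shows that every process in this detonation (the submitted sample and all 21 dropped executables, in both the Windows 7 and Windows 10 runs) maps an image of exactly 0x351000 bytes, while the dropped files all carry different MD5/SHA1/SHA256/SHA512 values. The same-sized image with per-copy differing hashes is what makes the file hashes above weak indicators for this sample; the mapped size and the drop location are the stable parts. The script below is an added example by the editor, not part of the report; the input is a subset of the Files section above, and the parsing rules are inferred from its layout.

```python
"""Summarise memory-region and dropped-file entries from a sandbox Files section.

Added example, not part of the report. SAMPLE is a subset of the Files section
above; the entry formats (memory/<pid>-<n>-0x<start>-0x<end>-memory.dmp, and a
path followed by MD5/SHA1/SHA256/SHA512 lines) are inferred from that listing.
"""
import re
from collections import Counter

MEM_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512) ([0-9a-f]+)$")

SAMPLE = """\
memory/220-0-0x00007FF7351F0000-0x00007FF735541000-memory.dmp
memory/220-1-0x00000284E3BD0000-0x00000284E3BE0000-memory.dmp
C:\\Windows\\System\\SdIKoDP.exe
MD5 2fa2e30bfb8cafcae33ff733b110b07e
SHA256 41f160cba604b2b2e3580f4bc849e756fd166ea9f5e520b616cbb486a08e562d
memory/216-6-0x00007FF622DF0000-0x00007FF623141000-memory.dmp
C:\\Windows\\System\\fGLkcgD.exe
MD5 db5d1835498be84da78cd6ba95ae7c72
SHA256 e821ce2cd1736ff4ca09122a17c7f19f49004f0c629a60c6e799d6ab92ed7fbf
memory/5012-18-0x00007FF7B8CA0000-0x00007FF7B8FF1000-memory.dmp
memory/216-69-0x00007FF622DF0000-0x00007FF623141000-memory.dmp
"""


def parse_files_section(text):
    """Return ([(pid, seq, start, end)], {path: {algo: digest}})."""
    regions = []
    hashes = {}
    current = None          # path whose hash lines are being collected
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = MEM_RE.match(line)
        if m:
            pid, seq, start, end = m.groups()
            regions.append((int(pid), int(seq), int(start, 16), int(end, 16)))
            current = None
            continue
        h = HASH_RE.match(line)
        if h and current is not None:
            hashes[current][h.group(1)] = h.group(2)
            continue
        current = line      # any other line starts a new file entry
        hashes.setdefault(current, {})
    return regions, hashes


def summarise(text):
    regions, hashes = parse_files_section(text)
    size_hist = Counter(end - start for _, _, start, end in regions)
    # the same (pid, base) at several sequence numbers is one image dumped repeatedly
    distinct_images = {(pid, start) for pid, _, start, _ in regions}
    sha256s = {h["SHA256"] for h in hashes.values() if "SHA256" in h}
    return {
        "regions": len(regions),
        "size_hist": dict(size_hist),
        "distinct_images": len(distinct_images),
        "files": len(hashes),
        "distinct_sha256": len(sha256s),
        "all_distinct_hashes": len(sha256s) == len(hashes),
    }


if __name__ == "__main__":
    s = summarise(SAMPLE)
    for size, n in sorted(s["size_hist"].items()):
        print(f"{n} region(s) of 0x{size:X} bytes")
    print(f"{s['distinct_images']} distinct images, {s['files']} files, "
          f"all hashes distinct: {s['all_distinct_hashes']}")
```

On the full section the size histogram has one bucket of 0x351000 for every process image plus the single 0x10000 region in PID 220 (220-1), which is a small data region rather than an image; a memory-size or section-layout rule written against the mapped image therefore covers all 22 processes, where a hash rule would need 22 entries and would miss the next detonation.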