Malware Analysis Report

2025-04-19 16:03

Sample ID 240522-x3vs1sde5s
Target 2024052289bb0a8945c30a2a7e5f8c748f68bc54cobaltstrikecobaltstrike
SHA256 ea5d21cbfc480e93ee72f0f14792230db0a0380c0235eb82f1bf8f97bd96b9aa
Tags upx 0 miner cobaltstrike xmrig backdoor trojan
Score 10/10

Table of Contents

Analysis Overview
  MITRE ATT&CK
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score 10/10

SHA256 ea5d21cbfc480e93ee72f0f14792230db0a0380c0235eb82f1bf8f97bd96b9aa

Threat Level: Known bad

The file 2024052289bb0a8945c30a2a7e5f8c748f68bc54cobaltstrikecobaltstrike was found to be: Known bad.

Malicious Activity Summary

upx 0 miner cobaltstrike xmrig backdoor trojan

Cobaltstrike

Cobalt Strike reflective loader

xmrig

XMRig Miner payload

Cobaltstrike family

Xmrig family

XMRig Miner payload

Loads dropped DLL

Executes dropped EXE

UPX packed file

Drops file in Windows directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported 2024-05-22 19:23

Signatures

Cobalt Strike reflective loader

Cobaltstrike family

cobaltstrike

XMRig Miner payload

miner

Xmrig family

xmrig

UPX packed file

upx

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted 2024-05-22 19:23
Reported 2024-05-22 19:25
Platform win7-20240221-en
Max time kernel 140s
Max time network 138s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024052289bb0a8945c30a2a7e5f8c748f68bc54cobaltstrikecobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

XMRig Miner payload

miner

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024052289bb0a8945c30a2a7e5f8c748f68bc54cobaltstrikecobaltstrike.exe N/A

UPX packed file

upx

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\xNhgJfJ.exe C:\Users\Admin\AppData\Local\Temp\2024052289bb0a8945c30a2a7e5f8c748f68bc54cobaltstrikecobaltstrike.exe N/A
File created C:\Windows\System\wVARfeK.exe C:\Users\Admin\AppData\Local\Temp\2024052289bb0a8945c30a2a7e5f8c748f68bc54cobaltstrikecobaltstrike.exe N/A
File created C:\Windows\System\RgUjrOj.exe C:\Users\Admin\AppData\Local\Temp\2024052289bb0a8945c30a2a7e5f8c748f68bc54cobaltstrikecobaltstrike.exe N/A
File created C:\Windows\System\ytjMomt.exe C:\Users\Admin\AppData\Local\Temp\2024052289bb0a8945c30a2a7e5f8c748f68bc54cobaltstrikecobaltstrike.exe N/A
File created C:\Windows\System\kanVcJK.exe C:\Users\Admin\AppData\Local\Temp\2024052289bb0a8945c30a2a7e5f8c748f68bc54cobaltstrikecobaltstrike.exe N/A
File created C:\Windows\System\eghLfht.exe C:\Users\Admin\AppData\Local\Temp\2024052289bb0a8945c30a2a7e5f8c748f68bc54cobaltstrikecobaltstrike.exe N/A
File created C:\Windows\System\ebPkSIe.exe C:\Users\Admin\AppData\Local\Temp\2024052289bb0a8945c30a2a7e5f8c748f68bc54cobaltstrikecobaltstrike.exe N/A
File created C:\Windows\System\lCEhEvE.exe C:\Users\Admin\AppData\Local\Temp\2024052289bb0a8945c30a2a7e5f8c748f68bc54cobaltstrikecobaltstrike.exe N/A
File created C:\Windows\System\TTHkwKH.exe C:\Users\Admin\AppData\Local\Temp\2024052289bb0a8945c30a2a7e5f8c748f68bc54cobaltstrikecobaltstrike.exe N/A
File created C:\Windows\System\noHFaGs.exe C:\Users\Admin\AppData\Local\Temp\2024052289bb0a8945c30a2a7e5f8c748f68bc54cobaltstrikecobaltstrike.exe N/A
File created C:\Windows\System\xKPNjiG.exe C:\Users\Admin\AppData\Local\Temp\2024052289bb0a8945c30a2a7e5f8c748f68bc54cobaltstrikecobaltstrike.exe N/A
File created C:\Windows\System\UbOVhgh.exe C:\Users\Admin\AppData\Local\Temp\2024052289bb0a8945c30a2a7e5f8c748f68bc54cobaltstrikecobaltstrike.exe N/A
File created C:\Windows\System\phmxJzv.exe C:\Users\Admin\AppData\Local\Temp\2024052289bb0a8945c30a2a7e5f8c748f68bc54cobaltstrikecobaltstrike.exe N/A
File created C:\Windows\System\DSdSIZF.exe C:\Users\Admin\AppData\Local\Temp\2024052289bb0a8945c30a2a7e5f8c748f68bc54cobaltstrikecobaltstrike.exe N/A
File created C:\Windows\System\TzXnxZM.exe C:\Users\Admin\AppData\Local\Temp\2024052289bb0a8945c30a2a7e5f8c748f68bc54cobaltstrikecobaltstrike.exe N/A
File created C:\Windows\System\TrMYMBb.exe C:\Users\Admin\AppData\Local\Temp\2024052289bb0a8945c30a2a7e5f8c748f68bc54cobaltstrikecobaltstrike.exe N/A
File created C:\Windows\System\UsrgmHT.exe C:\Users\Admin\AppData\Local\Temp\2024052289bb0a8945c30a2a7e5f8c748f68bc54cobaltstrikecobaltstrike.exe N/A
File created C:\Windows\System\NgjUaxl.exe C:\Users\Admin\AppData\Local\Temp\2024052289bb0a8945c30a2a7e5f8c748f68bc54cobaltstrikecobaltstrike.exe N/A
File created C:\Windows\System\SPFbiPb.exe C:\Users\Admin\AppData\Local\Temp\2024052289bb0a8945c30a2a7e5f8c748f68bc54cobaltstrikecobaltstrike.exe N/A
File created C:\Windows\System\FQEebuv.exe C:\Users\Admin\AppData\Local\Temp\2024052289bb0a8945c30a2a7e5f8c748f68bc54cobaltstrikecobaltstrike.exe N/A
File created C:\Windows\System\SDSfRlT.exe C:\Users\Admin\AppData\Local\Temp\2024052289bb0a8945c30a2a7e5f8c748f68bc54cobaltstrikecobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024052289bb0a8945c30a2a7e5f8c748f68bc54cobaltstrikecobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1760 wrote to memory of 3012 N/A C:\Users\Admin\AppData\Local\Temp\2024052289bb0a8945c30a2a7e5f8c748f68bc54cobaltstrikecobaltstrike.exe C:\Windows\System\xNhgJfJ.exe
PID 1760 wrote to memory of 2564 N/A C:\Users\Admin\AppData\Local\Temp\2024052289bb0a8945c30a2a7e5f8c748f68bc54cobaltstrikecobaltstrike.exe C:\Windows\System\TrMYMBb.exe
PID 1760 wrote to memory of 2736 N/A C:\Users\Admin\AppData\Local\Temp\2024052289bb0a8945c30a2a7e5f8c748f68bc54cobaltstrikecobaltstrike.exe C:\Windows\System\ebPkSIe.exe
PID 1760 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\2024052289bb0a8945c30a2a7e5f8c748f68bc54cobaltstrikecobaltstrike.exe C:\Windows\System\UsrgmHT.exe
PID 1760 wrote to memory of 2768 N/A C:\Users\Admin\AppData\Local\Temp\2024052289bb0a8945c30a2a7e5f8c748f68bc54cobaltstrikecobaltstrike.exe C:\Windows\System\phmxJzv.exe
PID 1760 wrote to memory of 2580 N/A C:\Users\Admin\AppData\Local\Temp\2024052289bb0a8945c30a2a7e5f8c748f68bc54cobaltstrikecobaltstrike.exe C:\Windows\System\wVARfeK.exe
PID 1760 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Local\Temp\2024052289bb0a8945c30a2a7e5f8c748f68bc54cobaltstrikecobaltstrike.exe C:\Windows\System\lCEhEvE.exe
PID 1760 wrote to memory of 2432 N/A C:\Users\Admin\AppData\Local\Temp\2024052289bb0a8945c30a2a7e5f8c748f68bc54cobaltstrikecobaltstrike.exe C:\Windows\System\RgUjrOj.exe
PID 1760 wrote to memory of 1488 N/A C:\Users\Admin\AppData\Local\Temp\2024052289bb0a8945c30a2a7e5f8c748f68bc54cobaltstrikecobaltstrike.exe C:\Windows\System\NgjUaxl.exe
PID 1760 wrote to memory of 592 N/A C:\Users\Admin\AppData\Local\Temp\2024052289bb0a8945c30a2a7e5f8c748f68bc54cobaltstrikecobaltstrike.exe C:\Windows\System\ytjMomt.exe
PID 1760 wrote to memory of 472 N/A C:\Users\Admin\AppData\Local\Temp\2024052289bb0a8945c30a2a7e5f8c748f68bc54cobaltstrikecobaltstrike.exe C:\Windows\System\TTHkwKH.exe
PID 1760 wrote to memory of 1944 N/A C:\Users\Admin\AppData\Local\Temp\2024052289bb0a8945c30a2a7e5f8c748f68bc54cobaltstrikecobaltstrike.exe C:\Windows\System\SPFbiPb.exe
PID 1760 wrote to memory of 1352 N/A C:\Users\Admin\AppData\Local\Temp\2024052289bb0a8945c30a2a7e5f8c748f68bc54cobaltstrikecobaltstrike.exe C:\Windows\System\noHFaGs.exe
PID 1760 wrote to memory of 1716 N/A C:\Users\Admin\AppData\Local\Temp\2024052289bb0a8945c30a2a7e5f8c748f68bc54cobaltstrikecobaltstrike.exe C:\Windows\System\FQEebuv.exe
PID 1760 wrote to memory of 1384 N/A C:\Users\Admin\AppData\Local\Temp\2024052289bb0a8945c30a2a7e5f8c748f68bc54cobaltstrikecobaltstrike.exe C:\Windows\System\SDSfRlT.exe
PID 1760 wrote to memory of 2732 N/A C:\Users\Admin\AppData\Local\Temp\2024052289bb0a8945c30a2a7e5f8c748f68bc54cobaltstrikecobaltstrike.exe C:\Windows\System\xKPNjiG.exe
PID 1760 wrote to memory of 2800 N/A C:\Users\Admin\AppData\Local\Temp\2024052289bb0a8945c30a2a7e5f8c748f68bc54cobaltstrikecobaltstrike.exe C:\Windows\System\UbOVhgh.exe
PID 1760 wrote to memory of 2952 N/A C:\Users\Admin\AppData\Local\Temp\2024052289bb0a8945c30a2a7e5f8c748f68bc54cobaltstrikecobaltstrike.exe C:\Windows\System\TzXnxZM.exe
PID 1760 wrote to memory of 2076 N/A C:\Users\Admin\AppData\Local\Temp\2024052289bb0a8945c30a2a7e5f8c748f68bc54cobaltstrikecobaltstrike.exe C:\Windows\System\kanVcJK.exe
PID 1760 wrote to memory of 2644 N/A C:\Users\Admin\AppData\Local\Temp\2024052289bb0a8945c30a2a7e5f8c748f68bc54cobaltstrikecobaltstrike.exe C:\Windows\System\DSdSIZF.exe
PID 1760 wrote to memory of 2324 N/A C:\Users\Admin\AppData\Local\Temp\2024052289bb0a8945c30a2a7e5f8c748f68bc54cobaltstrikecobaltstrike.exe C:\Windows\System\eghLfht.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024052289bb0a8945c30a2a7e5f8c748f68bc54cobaltstrikecobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024052289bb0a8945c30a2a7e5f8c748f68bc54cobaltstrikecobaltstrike.exe"

C:\Windows\System\xNhgJfJ.exe
C:\Windows\System\TrMYMBb.exe
C:\Windows\System\ebPkSIe.exe
C:\Windows\System\UsrgmHT.exe
C:\Windows\System\phmxJzv.exe
C:\Windows\System\wVARfeK.exe
C:\Windows\System\lCEhEvE.exe
C:\Windows\System\RgUjrOj.exe
C:\Windows\System\NgjUaxl.exe
C:\Windows\System\ytjMomt.exe
C:\Windows\System\TTHkwKH.exe
C:\Windows\System\SPFbiPb.exe
C:\Windows\System\noHFaGs.exe
C:\Windows\System\FQEebuv.exe
C:\Windows\System\SDSfRlT.exe
C:\Windows\System\xKPNjiG.exe
C:\Windows\System\UbOVhgh.exe
C:\Windows\System\TzXnxZM.exe
C:\Windows\System\kanVcJK.exe
C:\Windows\System\DSdSIZF.exe
C:\Windows\System\eghLfht.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 tcp

Files


Analysis: behavioral2

Detonation Overview

Submitted

2024-05-22 19:23

Reported

2024-05-22 19:25

Platform

win10v2004-20240508-en

Max time kernel

147s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024052289bb0a8945c30a2a7e5f8c748f68bc54cobaltstrikecobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\TnZoXWc.exe C:\Users\Admin\AppData\Local\Temp\2024052289bb0a8945c30a2a7e5f8c748f68bc54cobaltstrikecobaltstrike.exe N/A
File created C:\Windows\System\usFVRfh.exe C:\Users\Admin\AppData\Local\Temp\2024052289bb0a8945c30a2a7e5f8c748f68bc54cobaltstrikecobaltstrike.exe N/A
File created C:\Windows\System\ggrtGAG.exe C:\Users\Admin\AppData\Local\Temp\2024052289bb0a8945c30a2a7e5f8c748f68bc54cobaltstrikecobaltstrike.exe N/A
File created C:\Windows\System\LbImLLu.exe C:\Users\Admin\AppData\Local\Temp\2024052289bb0a8945c30a2a7e5f8c748f68bc54cobaltstrikecobaltstrike.exe N/A
File created C:\Windows\System\ODsnpAG.exe C:\Users\Admin\AppData\Local\Temp\2024052289bb0a8945c30a2a7e5f8c748f68bc54cobaltstrikecobaltstrike.exe N/A
File created C:\Windows\System\DkgFByb.exe C:\Users\Admin\AppData\Local\Temp\2024052289bb0a8945c30a2a7e5f8c748f68bc54cobaltstrikecobaltstrike.exe N/A
File created C:\Windows\System\uLVdQEy.exe C:\Users\Admin\AppData\Local\Temp\2024052289bb0a8945c30a2a7e5f8c748f68bc54cobaltstrikecobaltstrike.exe N/A
File created C:\Windows\System\xITUJPM.exe C:\Users\Admin\AppData\Local\Temp\2024052289bb0a8945c30a2a7e5f8c748f68bc54cobaltstrikecobaltstrike.exe N/A
File created C:\Windows\System\dLyzVXg.exe C:\Users\Admin\AppData\Local\Temp\2024052289bb0a8945c30a2a7e5f8c748f68bc54cobaltstrikecobaltstrike.exe N/A
File created C:\Windows\System\TfiiOXk.exe C:\Users\Admin\AppData\Local\Temp\2024052289bb0a8945c30a2a7e5f8c748f68bc54cobaltstrikecobaltstrike.exe N/A
File created C:\Windows\System\oeaJczD.exe C:\Users\Admin\AppData\Local\Temp\2024052289bb0a8945c30a2a7e5f8c748f68bc54cobaltstrikecobaltstrike.exe N/A
File created C:\Windows\System\oivoLcB.exe C:\Users\Admin\AppData\Local\Temp\2024052289bb0a8945c30a2a7e5f8c748f68bc54cobaltstrikecobaltstrike.exe N/A
File created C:\Windows\System\tdFtyEQ.exe C:\Users\Admin\AppData\Local\Temp\2024052289bb0a8945c30a2a7e5f8c748f68bc54cobaltstrikecobaltstrike.exe N/A
File created C:\Windows\System\HITYKSm.exe C:\Users\Admin\AppData\Local\Temp\2024052289bb0a8945c30a2a7e5f8c748f68bc54cobaltstrikecobaltstrike.exe N/A
File created C:\Windows\System\QGpCoRB.exe C:\Users\Admin\AppData\Local\Temp\2024052289bb0a8945c30a2a7e5f8c748f68bc54cobaltstrikecobaltstrike.exe N/A
File created C:\Windows\System\cRHxMFv.exe C:\Users\Admin\AppData\Local\Temp\2024052289bb0a8945c30a2a7e5f8c748f68bc54cobaltstrikecobaltstrike.exe N/A
File created C:\Windows\System\zAnIdit.exe C:\Users\Admin\AppData\Local\Temp\2024052289bb0a8945c30a2a7e5f8c748f68bc54cobaltstrikecobaltstrike.exe N/A
File created C:\Windows\System\yYjnmMO.exe C:\Users\Admin\AppData\Local\Temp\2024052289bb0a8945c30a2a7e5f8c748f68bc54cobaltstrikecobaltstrike.exe N/A
File created C:\Windows\System\LwrFufj.exe C:\Users\Admin\AppData\Local\Temp\2024052289bb0a8945c30a2a7e5f8c748f68bc54cobaltstrikecobaltstrike.exe N/A
File created C:\Windows\System\mSSDfiY.exe C:\Users\Admin\AppData\Local\Temp\2024052289bb0a8945c30a2a7e5f8c748f68bc54cobaltstrikecobaltstrike.exe N/A
File created C:\Windows\System\SpJkuot.exe C:\Users\Admin\AppData\Local\Temp\2024052289bb0a8945c30a2a7e5f8c748f68bc54cobaltstrikecobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024052289bb0a8945c30a2a7e5f8c748f68bc54cobaltstrikecobaltstrike.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024052289bb0a8945c30a2a7e5f8c748f68bc54cobaltstrikecobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3856 wrote to memory of 4808 N/A C:\Users\Admin\AppData\Local\Temp\2024052289bb0a8945c30a2a7e5f8c748f68bc54cobaltstrikecobaltstrike.exe C:\Windows\System\tdFtyEQ.exe
PID 3856 wrote to memory of 4808 N/A C:\Users\Admin\AppData\Local\Temp\2024052289bb0a8945c30a2a7e5f8c748f68bc54cobaltstrikecobaltstrike.exe C:\Windows\System\tdFtyEQ.exe
PID 3856 wrote to memory of 3848 N/A C:\Users\Admin\AppData\Local\Temp\2024052289bb0a8945c30a2a7e5f8c748f68bc54cobaltstrikecobaltstrike.exe C:\Windows\System\HITYKSm.exe
PID 3856 wrote to memory of 3848 N/A C:\Users\Admin\AppData\Local\Temp\2024052289bb0a8945c30a2a7e5f8c748f68bc54cobaltstrikecobaltstrike.exe C:\Windows\System\HITYKSm.exe
PID 3856 wrote to memory of 4044 N/A C:\Users\Admin\AppData\Local\Temp\2024052289bb0a8945c30a2a7e5f8c748f68bc54cobaltstrikecobaltstrike.exe C:\Windows\System\DkgFByb.exe
PID 3856 wrote to memory of 4044 N/A C:\Users\Admin\AppData\Local\Temp\2024052289bb0a8945c30a2a7e5f8c748f68bc54cobaltstrikecobaltstrike.exe C:\Windows\System\DkgFByb.exe
PID 3856 wrote to memory of 3672 N/A C:\Users\Admin\AppData\Local\Temp\2024052289bb0a8945c30a2a7e5f8c748f68bc54cobaltstrikecobaltstrike.exe C:\Windows\System\usFVRfh.exe
PID 3856 wrote to memory of 3672 N/A C:\Users\Admin\AppData\Local\Temp\2024052289bb0a8945c30a2a7e5f8c748f68bc54cobaltstrikecobaltstrike.exe C:\Windows\System\usFVRfh.exe
PID 3856 wrote to memory of 4836 N/A C:\Users\Admin\AppData\Local\Temp\2024052289bb0a8945c30a2a7e5f8c748f68bc54cobaltstrikecobaltstrike.exe C:\Windows\System\QGpCoRB.exe
PID 3856 wrote to memory of 4836 N/A C:\Users\Admin\AppData\Local\Temp\2024052289bb0a8945c30a2a7e5f8c748f68bc54cobaltstrikecobaltstrike.exe C:\Windows\System\QGpCoRB.exe
PID 3856 wrote to memory of 760 N/A C:\Users\Admin\AppData\Local\Temp\2024052289bb0a8945c30a2a7e5f8c748f68bc54cobaltstrikecobaltstrike.exe C:\Windows\System\uLVdQEy.exe
PID 3856 wrote to memory of 760 N/A C:\Users\Admin\AppData\Local\Temp\2024052289bb0a8945c30a2a7e5f8c748f68bc54cobaltstrikecobaltstrike.exe C:\Windows\System\uLVdQEy.exe
PID 3856 wrote to memory of 4312 N/A C:\Users\Admin\AppData\Local\Temp\2024052289bb0a8945c30a2a7e5f8c748f68bc54cobaltstrikecobaltstrike.exe C:\Windows\System\cRHxMFv.exe
PID 3856 wrote to memory of 4312 N/A C:\Users\Admin\AppData\Local\Temp\2024052289bb0a8945c30a2a7e5f8c748f68bc54cobaltstrikecobaltstrike.exe C:\Windows\System\cRHxMFv.exe
PID 3856 wrote to memory of 1080 N/A C:\Users\Admin\AppData\Local\Temp\2024052289bb0a8945c30a2a7e5f8c748f68bc54cobaltstrikecobaltstrike.exe C:\Windows\System\yYjnmMO.exe
PID 3856 wrote to memory of 1080 N/A C:\Users\Admin\AppData\Local\Temp\2024052289bb0a8945c30a2a7e5f8c748f68bc54cobaltstrikecobaltstrike.exe C:\Windows\System\yYjnmMO.exe
PID 3856 wrote to memory of 4912 N/A C:\Users\Admin\AppData\Local\Temp\2024052289bb0a8945c30a2a7e5f8c748f68bc54cobaltstrikecobaltstrike.exe C:\Windows\System\LwrFufj.exe
PID 3856 wrote to memory of 4912 N/A C:\Users\Admin\AppData\Local\Temp\2024052289bb0a8945c30a2a7e5f8c748f68bc54cobaltstrikecobaltstrike.exe C:\Windows\System\LwrFufj.exe
PID 3856 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\2024052289bb0a8945c30a2a7e5f8c748f68bc54cobaltstrikecobaltstrike.exe C:\Windows\System\mSSDfiY.exe
PID 3856 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\2024052289bb0a8945c30a2a7e5f8c748f68bc54cobaltstrikecobaltstrike.exe C:\Windows\System\mSSDfiY.exe
PID 3856 wrote to memory of 3728 N/A C:\Users\Admin\AppData\Local\Temp\2024052289bb0a8945c30a2a7e5f8c748f68bc54cobaltstrikecobaltstrike.exe C:\Windows\System\xITUJPM.exe
PID 3856 wrote to memory of 3728 N/A C:\Users\Admin\AppData\Local\Temp\2024052289bb0a8945c30a2a7e5f8c748f68bc54cobaltstrikecobaltstrike.exe C:\Windows\System\xITUJPM.exe
PID 3856 wrote to memory of 3356 N/A C:\Users\Admin\AppData\Local\Temp\2024052289bb0a8945c30a2a7e5f8c748f68bc54cobaltstrikecobaltstrike.exe C:\Windows\System\SpJkuot.exe
PID 3856 wrote to memory of 3356 N/A C:\Users\Admin\AppData\Local\Temp\2024052289bb0a8945c30a2a7e5f8c748f68bc54cobaltstrikecobaltstrike.exe C:\Windows\System\SpJkuot.exe
PID 3856 wrote to memory of 824 N/A C:\Users\Admin\AppData\Local\Temp\2024052289bb0a8945c30a2a7e5f8c748f68bc54cobaltstrikecobaltstrike.exe C:\Windows\System\ggrtGAG.exe
PID 3856 wrote to memory of 824 N/A C:\Users\Admin\AppData\Local\Temp\2024052289bb0a8945c30a2a7e5f8c748f68bc54cobaltstrikecobaltstrike.exe C:\Windows\System\ggrtGAG.exe
PID 3856 wrote to memory of 4692 N/A C:\Users\Admin\AppData\Local\Temp\2024052289bb0a8945c30a2a7e5f8c748f68bc54cobaltstrikecobaltstrike.exe C:\Windows\System\dLyzVXg.exe
PID 3856 wrote to memory of 4692 N/A C:\Users\Admin\AppData\Local\Temp\2024052289bb0a8945c30a2a7e5f8c748f68bc54cobaltstrikecobaltstrike.exe C:\Windows\System\dLyzVXg.exe
PID 3856 wrote to memory of 664 N/A C:\Users\Admin\AppData\Local\Temp\2024052289bb0a8945c30a2a7e5f8c748f68bc54cobaltstrikecobaltstrike.exe C:\Windows\System\TfiiOXk.exe
PID 3856 wrote to memory of 664 N/A C:\Users\Admin\AppData\Local\Temp\2024052289bb0a8945c30a2a7e5f8c748f68bc54cobaltstrikecobaltstrike.exe C:\Windows\System\TfiiOXk.exe
PID 3856 wrote to memory of 1796 N/A C:\Users\Admin\AppData\Local\Temp\2024052289bb0a8945c30a2a7e5f8c748f68bc54cobaltstrikecobaltstrike.exe C:\Windows\System\oeaJczD.exe
PID 3856 wrote to memory of 1796 N/A C:\Users\Admin\AppData\Local\Temp\2024052289bb0a8945c30a2a7e5f8c748f68bc54cobaltstrikecobaltstrike.exe C:\Windows\System\oeaJczD.exe
PID 3856 wrote to memory of 1248 N/A C:\Users\Admin\AppData\Local\Temp\2024052289bb0a8945c30a2a7e5f8c748f68bc54cobaltstrikecobaltstrike.exe C:\Windows\System\LbImLLu.exe
PID 3856 wrote to memory of 1248 N/A C:\Users\Admin\AppData\Local\Temp\2024052289bb0a8945c30a2a7e5f8c748f68bc54cobaltstrikecobaltstrike.exe C:\Windows\System\LbImLLu.exe
PID 3856 wrote to memory of 2452 N/A C:\Users\Admin\AppData\Local\Temp\2024052289bb0a8945c30a2a7e5f8c748f68bc54cobaltstrikecobaltstrike.exe C:\Windows\System\ODsnpAG.exe
PID 3856 wrote to memory of 2452 N/A C:\Users\Admin\AppData\Local\Temp\2024052289bb0a8945c30a2a7e5f8c748f68bc54cobaltstrikecobaltstrike.exe C:\Windows\System\ODsnpAG.exe
PID 3856 wrote to memory of 4380 N/A C:\Users\Admin\AppData\Local\Temp\2024052289bb0a8945c30a2a7e5f8c748f68bc54cobaltstrikecobaltstrike.exe C:\Windows\System\zAnIdit.exe
PID 3856 wrote to memory of 4380 N/A C:\Users\Admin\AppData\Local\Temp\2024052289bb0a8945c30a2a7e5f8c748f68bc54cobaltstrikecobaltstrike.exe C:\Windows\System\zAnIdit.exe
PID 3856 wrote to memory of 2404 N/A C:\Users\Admin\AppData\Local\Temp\2024052289bb0a8945c30a2a7e5f8c748f68bc54cobaltstrikecobaltstrike.exe C:\Windows\System\oivoLcB.exe
PID 3856 wrote to memory of 2404 N/A C:\Users\Admin\AppData\Local\Temp\2024052289bb0a8945c30a2a7e5f8c748f68bc54cobaltstrikecobaltstrike.exe C:\Windows\System\oivoLcB.exe
PID 3856 wrote to memory of 2468 N/A C:\Users\Admin\AppData\Local\Temp\2024052289bb0a8945c30a2a7e5f8c748f68bc54cobaltstrikecobaltstrike.exe C:\Windows\System\TnZoXWc.exe
PID 3856 wrote to memory of 2468 N/A C:\Users\Admin\AppData\Local\Temp\2024052289bb0a8945c30a2a7e5f8c748f68bc54cobaltstrikecobaltstrike.exe C:\Windows\System\TnZoXWc.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024052289bb0a8945c30a2a7e5f8c748f68bc54cobaltstrikecobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024052289bb0a8945c30a2a7e5f8c748f68bc54cobaltstrikecobaltstrike.exe"

C:\Windows\System\tdFtyEQ.exe

C:\Windows\System\tdFtyEQ.exe

C:\Windows\System\HITYKSm.exe

C:\Windows\System\HITYKSm.exe

C:\Windows\System\DkgFByb.exe

C:\Windows\System\DkgFByb.exe

C:\Windows\System\usFVRfh.exe

C:\Windows\System\usFVRfh.exe

C:\Windows\System\QGpCoRB.exe

C:\Windows\System\QGpCoRB.exe

C:\Windows\System\uLVdQEy.exe

C:\Windows\System\uLVdQEy.exe

C:\Windows\System\cRHxMFv.exe

C:\Windows\System\cRHxMFv.exe

C:\Windows\System\yYjnmMO.exe

C:\Windows\System\yYjnmMO.exe

C:\Windows\System\LwrFufj.exe

C:\Windows\System\LwrFufj.exe

C:\Windows\System\mSSDfiY.exe

C:\Windows\System\mSSDfiY.exe

C:\Windows\System\xITUJPM.exe

C:\Windows\System\xITUJPM.exe

C:\Windows\System\SpJkuot.exe

C:\Windows\System\SpJkuot.exe

C:\Windows\System\ggrtGAG.exe

C:\Windows\System\ggrtGAG.exe

C:\Windows\System\dLyzVXg.exe

C:\Windows\System\dLyzVXg.exe

C:\Windows\System\TfiiOXk.exe

C:\Windows\System\TfiiOXk.exe

C:\Windows\System\oeaJczD.exe

C:\Windows\System\oeaJczD.exe

C:\Windows\System\LbImLLu.exe

C:\Windows\System\LbImLLu.exe

C:\Windows\System\ODsnpAG.exe

C:\Windows\System\ODsnpAG.exe

C:\Windows\System\zAnIdit.exe

C:\Windows\System\zAnIdit.exe

C:\Windows\System\oivoLcB.exe

C:\Windows\System\oivoLcB.exe

C:\Windows\System\TnZoXWc.exe

C:\Windows\System\TnZoXWc.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3416,i,13879737908471496610,15335851594401413307,262144 --variations-seed-version --mojo-platform-channel-handle=4324 /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 72.32.126.40.in-addr.arpa udp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp

Files
