Malware Analysis Report

2025-04-19 16:03

Sample ID 240522-xytedsdd47
Target 202405220d73b00d3b0f3341623a5a10f335a190cobaltstrikecobaltstrike
SHA256 cdce79e68b7d47cda949e72c69a45d7e5bbe34fba232bb5bca34b9a119144fae
Tags
cobaltstrike xmrig 0 backdoor miner trojan upx
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256

cdce79e68b7d47cda949e72c69a45d7e5bbe34fba232bb5bca34b9a119144fae

Threat Level: Known bad

The file 202405220d73b00d3b0f3341623a5a10f335a190cobaltstrikecobaltstrike was found to be: Known bad.

Malicious Activity Summary

cobaltstrike xmrig 0 backdoor miner trojan upx

xmrig

XMRig Miner payload

Cobaltstrike family

Xmrig family

Cobalt Strike reflective loader

Cobaltstrike

XMRig Miner payload

UPX packed file

Loads dropped DLL

Executes dropped EXE

Drops file in Windows directory

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-05-22 19:16

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike family

cobaltstrike

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Xmrig family

xmrig

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-22 19:16

Reported

2024-05-22 19:18

Platform

win7-20240221-en

Max time kernel

142s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\202405220d73b00d3b0f3341623a5a10f335a190cobaltstrikecobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\202405220d73b00d3b0f3341623a5a10f335a190cobaltstrikecobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\202405220d73b00d3b0f3341623a5a10f335a190cobaltstrikecobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\202405220d73b00d3b0f3341623a5a10f335a190cobaltstrikecobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\202405220d73b00d3b0f3341623a5a10f335a190cobaltstrikecobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\202405220d73b00d3b0f3341623a5a10f335a190cobaltstrikecobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\202405220d73b00d3b0f3341623a5a10f335a190cobaltstrikecobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\202405220d73b00d3b0f3341623a5a10f335a190cobaltstrikecobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\202405220d73b00d3b0f3341623a5a10f335a190cobaltstrikecobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\202405220d73b00d3b0f3341623a5a10f335a190cobaltstrikecobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\202405220d73b00d3b0f3341623a5a10f335a190cobaltstrikecobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\202405220d73b00d3b0f3341623a5a10f335a190cobaltstrikecobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\202405220d73b00d3b0f3341623a5a10f335a190cobaltstrikecobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\202405220d73b00d3b0f3341623a5a10f335a190cobaltstrikecobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\202405220d73b00d3b0f3341623a5a10f335a190cobaltstrikecobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\202405220d73b00d3b0f3341623a5a10f335a190cobaltstrikecobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\202405220d73b00d3b0f3341623a5a10f335a190cobaltstrikecobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\202405220d73b00d3b0f3341623a5a10f335a190cobaltstrikecobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\202405220d73b00d3b0f3341623a5a10f335a190cobaltstrikecobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\202405220d73b00d3b0f3341623a5a10f335a190cobaltstrikecobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\202405220d73b00d3b0f3341623a5a10f335a190cobaltstrikecobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\202405220d73b00d3b0f3341623a5a10f335a190cobaltstrikecobaltstrike.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\JpvVTwU.exe C:\Users\Admin\AppData\Local\Temp\202405220d73b00d3b0f3341623a5a10f335a190cobaltstrikecobaltstrike.exe N/A
File created C:\Windows\System\rXRaZFU.exe C:\Users\Admin\AppData\Local\Temp\202405220d73b00d3b0f3341623a5a10f335a190cobaltstrikecobaltstrike.exe N/A
File created C:\Windows\System\PhkbIPi.exe C:\Users\Admin\AppData\Local\Temp\202405220d73b00d3b0f3341623a5a10f335a190cobaltstrikecobaltstrike.exe N/A
File created C:\Windows\System\OmANoPa.exe C:\Users\Admin\AppData\Local\Temp\202405220d73b00d3b0f3341623a5a10f335a190cobaltstrikecobaltstrike.exe N/A
File created C:\Windows\System\zZGBOhL.exe C:\Users\Admin\AppData\Local\Temp\202405220d73b00d3b0f3341623a5a10f335a190cobaltstrikecobaltstrike.exe N/A
File created C:\Windows\System\xWZkrLk.exe C:\Users\Admin\AppData\Local\Temp\202405220d73b00d3b0f3341623a5a10f335a190cobaltstrikecobaltstrike.exe N/A
File created C:\Windows\System\IWGaubk.exe C:\Users\Admin\AppData\Local\Temp\202405220d73b00d3b0f3341623a5a10f335a190cobaltstrikecobaltstrike.exe N/A
File created C:\Windows\System\TYaamfu.exe C:\Users\Admin\AppData\Local\Temp\202405220d73b00d3b0f3341623a5a10f335a190cobaltstrikecobaltstrike.exe N/A
File created C:\Windows\System\YzmPnoi.exe C:\Users\Admin\AppData\Local\Temp\202405220d73b00d3b0f3341623a5a10f335a190cobaltstrikecobaltstrike.exe N/A
File created C:\Windows\System\RFxTCtw.exe C:\Users\Admin\AppData\Local\Temp\202405220d73b00d3b0f3341623a5a10f335a190cobaltstrikecobaltstrike.exe N/A
File created C:\Windows\System\HqeVwzZ.exe C:\Users\Admin\AppData\Local\Temp\202405220d73b00d3b0f3341623a5a10f335a190cobaltstrikecobaltstrike.exe N/A
File created C:\Windows\System\JPvbPGy.exe C:\Users\Admin\AppData\Local\Temp\202405220d73b00d3b0f3341623a5a10f335a190cobaltstrikecobaltstrike.exe N/A
File created C:\Windows\System\NVhywEP.exe C:\Users\Admin\AppData\Local\Temp\202405220d73b00d3b0f3341623a5a10f335a190cobaltstrikecobaltstrike.exe N/A
File created C:\Windows\System\iZWTwAg.exe C:\Users\Admin\AppData\Local\Temp\202405220d73b00d3b0f3341623a5a10f335a190cobaltstrikecobaltstrike.exe N/A
File created C:\Windows\System\NIgCFkw.exe C:\Users\Admin\AppData\Local\Temp\202405220d73b00d3b0f3341623a5a10f335a190cobaltstrikecobaltstrike.exe N/A
File created C:\Windows\System\zKajvdK.exe C:\Users\Admin\AppData\Local\Temp\202405220d73b00d3b0f3341623a5a10f335a190cobaltstrikecobaltstrike.exe N/A
File created C:\Windows\System\aVzPdVC.exe C:\Users\Admin\AppData\Local\Temp\202405220d73b00d3b0f3341623a5a10f335a190cobaltstrikecobaltstrike.exe N/A
File created C:\Windows\System\ErTJmQE.exe C:\Users\Admin\AppData\Local\Temp\202405220d73b00d3b0f3341623a5a10f335a190cobaltstrikecobaltstrike.exe N/A
File created C:\Windows\System\NFEQzyB.exe C:\Users\Admin\AppData\Local\Temp\202405220d73b00d3b0f3341623a5a10f335a190cobaltstrikecobaltstrike.exe N/A
File created C:\Windows\System\VQIVTpU.exe C:\Users\Admin\AppData\Local\Temp\202405220d73b00d3b0f3341623a5a10f335a190cobaltstrikecobaltstrike.exe N/A
File created C:\Windows\System\qhebuWh.exe C:\Users\Admin\AppData\Local\Temp\202405220d73b00d3b0f3341623a5a10f335a190cobaltstrikecobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\202405220d73b00d3b0f3341623a5a10f335a190cobaltstrikecobaltstrike.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\202405220d73b00d3b0f3341623a5a10f335a190cobaltstrikecobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3048 wrote to memory of 3056 N/A C:\Users\Admin\AppData\Local\Temp\202405220d73b00d3b0f3341623a5a10f335a190cobaltstrikecobaltstrike.exe C:\Windows\System\NFEQzyB.exe
PID 3048 wrote to memory of 3056 N/A C:\Users\Admin\AppData\Local\Temp\202405220d73b00d3b0f3341623a5a10f335a190cobaltstrikecobaltstrike.exe C:\Windows\System\NFEQzyB.exe
PID 3048 wrote to memory of 3056 N/A C:\Users\Admin\AppData\Local\Temp\202405220d73b00d3b0f3341623a5a10f335a190cobaltstrikecobaltstrike.exe C:\Windows\System\NFEQzyB.exe
PID 3048 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Local\Temp\202405220d73b00d3b0f3341623a5a10f335a190cobaltstrikecobaltstrike.exe C:\Windows\System\YzmPnoi.exe
PID 3048 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Local\Temp\202405220d73b00d3b0f3341623a5a10f335a190cobaltstrikecobaltstrike.exe C:\Windows\System\YzmPnoi.exe
PID 3048 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Local\Temp\202405220d73b00d3b0f3341623a5a10f335a190cobaltstrikecobaltstrike.exe C:\Windows\System\YzmPnoi.exe
PID 3048 wrote to memory of 2716 N/A C:\Users\Admin\AppData\Local\Temp\202405220d73b00d3b0f3341623a5a10f335a190cobaltstrikecobaltstrike.exe C:\Windows\System\rXRaZFU.exe
PID 3048 wrote to memory of 2716 N/A C:\Users\Admin\AppData\Local\Temp\202405220d73b00d3b0f3341623a5a10f335a190cobaltstrikecobaltstrike.exe C:\Windows\System\rXRaZFU.exe
PID 3048 wrote to memory of 2716 N/A C:\Users\Admin\AppData\Local\Temp\202405220d73b00d3b0f3341623a5a10f335a190cobaltstrikecobaltstrike.exe C:\Windows\System\rXRaZFU.exe
PID 3048 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\202405220d73b00d3b0f3341623a5a10f335a190cobaltstrikecobaltstrike.exe C:\Windows\System\PhkbIPi.exe
PID 3048 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\202405220d73b00d3b0f3341623a5a10f335a190cobaltstrikecobaltstrike.exe C:\Windows\System\PhkbIPi.exe
PID 3048 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\202405220d73b00d3b0f3341623a5a10f335a190cobaltstrikecobaltstrike.exe C:\Windows\System\PhkbIPi.exe
PID 3048 wrote to memory of 2552 N/A C:\Users\Admin\AppData\Local\Temp\202405220d73b00d3b0f3341623a5a10f335a190cobaltstrikecobaltstrike.exe C:\Windows\System\iZWTwAg.exe
PID 3048 wrote to memory of 2552 N/A C:\Users\Admin\AppData\Local\Temp\202405220d73b00d3b0f3341623a5a10f335a190cobaltstrikecobaltstrike.exe C:\Windows\System\iZWTwAg.exe
PID 3048 wrote to memory of 2552 N/A C:\Users\Admin\AppData\Local\Temp\202405220d73b00d3b0f3341623a5a10f335a190cobaltstrikecobaltstrike.exe C:\Windows\System\iZWTwAg.exe
PID 3048 wrote to memory of 2768 N/A C:\Users\Admin\AppData\Local\Temp\202405220d73b00d3b0f3341623a5a10f335a190cobaltstrikecobaltstrike.exe C:\Windows\System\RFxTCtw.exe
PID 3048 wrote to memory of 2768 N/A C:\Users\Admin\AppData\Local\Temp\202405220d73b00d3b0f3341623a5a10f335a190cobaltstrikecobaltstrike.exe C:\Windows\System\RFxTCtw.exe
PID 3048 wrote to memory of 2768 N/A C:\Users\Admin\AppData\Local\Temp\202405220d73b00d3b0f3341623a5a10f335a190cobaltstrikecobaltstrike.exe C:\Windows\System\RFxTCtw.exe
PID 3048 wrote to memory of 2448 N/A C:\Users\Admin\AppData\Local\Temp\202405220d73b00d3b0f3341623a5a10f335a190cobaltstrikecobaltstrike.exe C:\Windows\System\NIgCFkw.exe
PID 3048 wrote to memory of 2448 N/A C:\Users\Admin\AppData\Local\Temp\202405220d73b00d3b0f3341623a5a10f335a190cobaltstrikecobaltstrike.exe C:\Windows\System\NIgCFkw.exe
PID 3048 wrote to memory of 2448 N/A C:\Users\Admin\AppData\Local\Temp\202405220d73b00d3b0f3341623a5a10f335a190cobaltstrikecobaltstrike.exe C:\Windows\System\NIgCFkw.exe
PID 3048 wrote to memory of 2420 N/A C:\Users\Admin\AppData\Local\Temp\202405220d73b00d3b0f3341623a5a10f335a190cobaltstrikecobaltstrike.exe C:\Windows\System\VQIVTpU.exe
PID 3048 wrote to memory of 2420 N/A C:\Users\Admin\AppData\Local\Temp\202405220d73b00d3b0f3341623a5a10f335a190cobaltstrikecobaltstrike.exe C:\Windows\System\VQIVTpU.exe
PID 3048 wrote to memory of 2420 N/A C:\Users\Admin\AppData\Local\Temp\202405220d73b00d3b0f3341623a5a10f335a190cobaltstrikecobaltstrike.exe C:\Windows\System\VQIVTpU.exe
PID 3048 wrote to memory of 2944 N/A C:\Users\Admin\AppData\Local\Temp\202405220d73b00d3b0f3341623a5a10f335a190cobaltstrikecobaltstrike.exe C:\Windows\System\zKajvdK.exe
PID 3048 wrote to memory of 2944 N/A C:\Users\Admin\AppData\Local\Temp\202405220d73b00d3b0f3341623a5a10f335a190cobaltstrikecobaltstrike.exe C:\Windows\System\zKajvdK.exe
PID 3048 wrote to memory of 2944 N/A C:\Users\Admin\AppData\Local\Temp\202405220d73b00d3b0f3341623a5a10f335a190cobaltstrikecobaltstrike.exe C:\Windows\System\zKajvdK.exe
PID 3048 wrote to memory of 524 N/A C:\Users\Admin\AppData\Local\Temp\202405220d73b00d3b0f3341623a5a10f335a190cobaltstrikecobaltstrike.exe C:\Windows\System\HqeVwzZ.exe
PID 3048 wrote to memory of 524 N/A C:\Users\Admin\AppData\Local\Temp\202405220d73b00d3b0f3341623a5a10f335a190cobaltstrikecobaltstrike.exe C:\Windows\System\HqeVwzZ.exe
PID 3048 wrote to memory of 524 N/A C:\Users\Admin\AppData\Local\Temp\202405220d73b00d3b0f3341623a5a10f335a190cobaltstrikecobaltstrike.exe C:\Windows\System\HqeVwzZ.exe
PID 3048 wrote to memory of 820 N/A C:\Users\Admin\AppData\Local\Temp\202405220d73b00d3b0f3341623a5a10f335a190cobaltstrikecobaltstrike.exe C:\Windows\System\JPvbPGy.exe
PID 3048 wrote to memory of 820 N/A C:\Users\Admin\AppData\Local\Temp\202405220d73b00d3b0f3341623a5a10f335a190cobaltstrikecobaltstrike.exe C:\Windows\System\JPvbPGy.exe
PID 3048 wrote to memory of 820 N/A C:\Users\Admin\AppData\Local\Temp\202405220d73b00d3b0f3341623a5a10f335a190cobaltstrikecobaltstrike.exe C:\Windows\System\JPvbPGy.exe
PID 3048 wrote to memory of 1996 N/A C:\Users\Admin\AppData\Local\Temp\202405220d73b00d3b0f3341623a5a10f335a190cobaltstrikecobaltstrike.exe C:\Windows\System\NVhywEP.exe
PID 3048 wrote to memory of 1996 N/A C:\Users\Admin\AppData\Local\Temp\202405220d73b00d3b0f3341623a5a10f335a190cobaltstrikecobaltstrike.exe C:\Windows\System\NVhywEP.exe
PID 3048 wrote to memory of 1996 N/A C:\Users\Admin\AppData\Local\Temp\202405220d73b00d3b0f3341623a5a10f335a190cobaltstrikecobaltstrike.exe C:\Windows\System\NVhywEP.exe
PID 3048 wrote to memory of 1076 N/A C:\Users\Admin\AppData\Local\Temp\202405220d73b00d3b0f3341623a5a10f335a190cobaltstrikecobaltstrike.exe C:\Windows\System\OmANoPa.exe
PID 3048 wrote to memory of 1076 N/A C:\Users\Admin\AppData\Local\Temp\202405220d73b00d3b0f3341623a5a10f335a190cobaltstrikecobaltstrike.exe C:\Windows\System\OmANoPa.exe
PID 3048 wrote to memory of 1076 N/A C:\Users\Admin\AppData\Local\Temp\202405220d73b00d3b0f3341623a5a10f335a190cobaltstrikecobaltstrike.exe C:\Windows\System\OmANoPa.exe
PID 3048 wrote to memory of 1728 N/A C:\Users\Admin\AppData\Local\Temp\202405220d73b00d3b0f3341623a5a10f335a190cobaltstrikecobaltstrike.exe C:\Windows\System\qhebuWh.exe
PID 3048 wrote to memory of 1728 N/A C:\Users\Admin\AppData\Local\Temp\202405220d73b00d3b0f3341623a5a10f335a190cobaltstrikecobaltstrike.exe C:\Windows\System\qhebuWh.exe
PID 3048 wrote to memory of 1728 N/A C:\Users\Admin\AppData\Local\Temp\202405220d73b00d3b0f3341623a5a10f335a190cobaltstrikecobaltstrike.exe C:\Windows\System\qhebuWh.exe
PID 3048 wrote to memory of 1384 N/A C:\Users\Admin\AppData\Local\Temp\202405220d73b00d3b0f3341623a5a10f335a190cobaltstrikecobaltstrike.exe C:\Windows\System\zZGBOhL.exe
PID 3048 wrote to memory of 1384 N/A C:\Users\Admin\AppData\Local\Temp\202405220d73b00d3b0f3341623a5a10f335a190cobaltstrikecobaltstrike.exe C:\Windows\System\zZGBOhL.exe
PID 3048 wrote to memory of 1384 N/A C:\Users\Admin\AppData\Local\Temp\202405220d73b00d3b0f3341623a5a10f335a190cobaltstrikecobaltstrike.exe C:\Windows\System\zZGBOhL.exe
PID 3048 wrote to memory of 860 N/A C:\Users\Admin\AppData\Local\Temp\202405220d73b00d3b0f3341623a5a10f335a190cobaltstrikecobaltstrike.exe C:\Windows\System\JpvVTwU.exe
PID 3048 wrote to memory of 860 N/A C:\Users\Admin\AppData\Local\Temp\202405220d73b00d3b0f3341623a5a10f335a190cobaltstrikecobaltstrike.exe C:\Windows\System\JpvVTwU.exe
PID 3048 wrote to memory of 860 N/A C:\Users\Admin\AppData\Local\Temp\202405220d73b00d3b0f3341623a5a10f335a190cobaltstrikecobaltstrike.exe C:\Windows\System\JpvVTwU.exe
PID 3048 wrote to memory of 2824 N/A C:\Users\Admin\AppData\Local\Temp\202405220d73b00d3b0f3341623a5a10f335a190cobaltstrikecobaltstrike.exe C:\Windows\System\xWZkrLk.exe
PID 3048 wrote to memory of 2824 N/A C:\Users\Admin\AppData\Local\Temp\202405220d73b00d3b0f3341623a5a10f335a190cobaltstrikecobaltstrike.exe C:\Windows\System\xWZkrLk.exe
PID 3048 wrote to memory of 2824 N/A C:\Users\Admin\AppData\Local\Temp\202405220d73b00d3b0f3341623a5a10f335a190cobaltstrikecobaltstrike.exe C:\Windows\System\xWZkrLk.exe
PID 3048 wrote to memory of 2956 N/A C:\Users\Admin\AppData\Local\Temp\202405220d73b00d3b0f3341623a5a10f335a190cobaltstrikecobaltstrike.exe C:\Windows\System\aVzPdVC.exe
PID 3048 wrote to memory of 2956 N/A C:\Users\Admin\AppData\Local\Temp\202405220d73b00d3b0f3341623a5a10f335a190cobaltstrikecobaltstrike.exe C:\Windows\System\aVzPdVC.exe
PID 3048 wrote to memory of 2956 N/A C:\Users\Admin\AppData\Local\Temp\202405220d73b00d3b0f3341623a5a10f335a190cobaltstrikecobaltstrike.exe C:\Windows\System\aVzPdVC.exe
PID 3048 wrote to memory of 2180 N/A C:\Users\Admin\AppData\Local\Temp\202405220d73b00d3b0f3341623a5a10f335a190cobaltstrikecobaltstrike.exe C:\Windows\System\IWGaubk.exe
PID 3048 wrote to memory of 2180 N/A C:\Users\Admin\AppData\Local\Temp\202405220d73b00d3b0f3341623a5a10f335a190cobaltstrikecobaltstrike.exe C:\Windows\System\IWGaubk.exe
PID 3048 wrote to memory of 2180 N/A C:\Users\Admin\AppData\Local\Temp\202405220d73b00d3b0f3341623a5a10f335a190cobaltstrikecobaltstrike.exe C:\Windows\System\IWGaubk.exe
PID 3048 wrote to memory of 1232 N/A C:\Users\Admin\AppData\Local\Temp\202405220d73b00d3b0f3341623a5a10f335a190cobaltstrikecobaltstrike.exe C:\Windows\System\TYaamfu.exe
PID 3048 wrote to memory of 1232 N/A C:\Users\Admin\AppData\Local\Temp\202405220d73b00d3b0f3341623a5a10f335a190cobaltstrikecobaltstrike.exe C:\Windows\System\TYaamfu.exe
PID 3048 wrote to memory of 1232 N/A C:\Users\Admin\AppData\Local\Temp\202405220d73b00d3b0f3341623a5a10f335a190cobaltstrikecobaltstrike.exe C:\Windows\System\TYaamfu.exe
PID 3048 wrote to memory of 1336 N/A C:\Users\Admin\AppData\Local\Temp\202405220d73b00d3b0f3341623a5a10f335a190cobaltstrikecobaltstrike.exe C:\Windows\System\ErTJmQE.exe
PID 3048 wrote to memory of 1336 N/A C:\Users\Admin\AppData\Local\Temp\202405220d73b00d3b0f3341623a5a10f335a190cobaltstrikecobaltstrike.exe C:\Windows\System\ErTJmQE.exe
PID 3048 wrote to memory of 1336 N/A C:\Users\Admin\AppData\Local\Temp\202405220d73b00d3b0f3341623a5a10f335a190cobaltstrikecobaltstrike.exe C:\Windows\System\ErTJmQE.exe

Processes

C:\Users\Admin\AppData\Local\Temp\202405220d73b00d3b0f3341623a5a10f335a190cobaltstrikecobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\202405220d73b00d3b0f3341623a5a10f335a190cobaltstrikecobaltstrike.exe"

C:\Windows\System\NFEQzyB.exe

C:\Windows\System\NFEQzyB.exe

C:\Windows\System\YzmPnoi.exe

C:\Windows\System\YzmPnoi.exe

C:\Windows\System\rXRaZFU.exe

C:\Windows\System\rXRaZFU.exe

C:\Windows\System\PhkbIPi.exe

C:\Windows\System\PhkbIPi.exe

C:\Windows\System\iZWTwAg.exe

C:\Windows\System\iZWTwAg.exe

C:\Windows\System\RFxTCtw.exe

C:\Windows\System\RFxTCtw.exe

C:\Windows\System\NIgCFkw.exe

C:\Windows\System\NIgCFkw.exe

C:\Windows\System\VQIVTpU.exe

C:\Windows\System\VQIVTpU.exe

C:\Windows\System\zKajvdK.exe

C:\Windows\System\zKajvdK.exe

C:\Windows\System\HqeVwzZ.exe

C:\Windows\System\HqeVwzZ.exe

C:\Windows\System\JPvbPGy.exe

C:\Windows\System\JPvbPGy.exe

C:\Windows\System\NVhywEP.exe

C:\Windows\System\NVhywEP.exe

C:\Windows\System\OmANoPa.exe

C:\Windows\System\OmANoPa.exe

C:\Windows\System\qhebuWh.exe

C:\Windows\System\qhebuWh.exe

C:\Windows\System\zZGBOhL.exe

C:\Windows\System\zZGBOhL.exe

C:\Windows\System\JpvVTwU.exe

C:\Windows\System\JpvVTwU.exe

C:\Windows\System\xWZkrLk.exe

C:\Windows\System\xWZkrLk.exe

C:\Windows\System\aVzPdVC.exe

C:\Windows\System\aVzPdVC.exe

C:\Windows\System\IWGaubk.exe

C:\Windows\System\IWGaubk.exe

C:\Windows\System\TYaamfu.exe

C:\Windows\System\TYaamfu.exe

C:\Windows\System\ErTJmQE.exe

C:\Windows\System\ErTJmQE.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp

Files

memory/3048-0-0x000000013F160000-0x000000013F4B1000-memory.dmp

memory/3048-1-0x0000000000080000-0x0000000000090000-memory.dmp

\Windows\system\NFEQzyB.exe

MD5 b77978fcb59d862ea9313924f2b389e7
SHA1 cca8b6033fa6174038710d8b51cf95795e2b3c2f
SHA256 ec0a3353d4436f3b42774639ae97c06e46d031dc2606c086ef8b1ea966afc79f
SHA512 2b99fd191c96afc103445fad6e29883551e3bc532485c4f4cf2f6031c000e3bc93eb1bdb94d417213363ee5d403af4bc0993081528b2a711d32c7a811f2e9c16

memory/2448-41-0x000000013F580000-0x000000013F8D1000-memory.dmp

C:\Windows\system\VQIVTpU.exe

MD5 08299ff696cbe69ff635204e97df4a60
SHA1 e232d8f408fd18844a61e1dc03e3fb515acca49c
SHA256 a48f48af233676124555bf8c11d2c2c196f5c67f262d3393827801e6e20bc9e4
SHA512 0642bd12db1650b4b78a72a5c5dec6b5081f9442f1ac65b98d6d2c4b8fa9fe055824656e46da98747dd017ee8081e76280cd9c25cefa2c5b24fa64358168858d

memory/3048-28-0x00000000021B0000-0x0000000002501000-memory.dmp

memory/2420-55-0x000000013F230000-0x000000013F581000-memory.dmp

\Windows\system\xWZkrLk.exe

MD5 f546871cea646316ece66dd58db1cbe8
SHA1 cd14d544ad2ab82321eb765e124b3dccbf2f50c4
SHA256 b45bc357bc48ccf4ac30eb5bf98349de299b993e9b762ec7ed680876256359ed
SHA512 300602f2f83b470594e34660b412e82b134c16a61b0137dd3a609eec82f7fd0abc6cede571d8267d4611450d970959d0ab5a8477886b156fed698fbf435615c4

C:\Windows\system\JpvVTwU.exe

MD5 ca35bb3ad977ce2540d04a127800fa46
SHA1 d5ac1049d7bc911360fc0b777b947518348f52fd
SHA256 01092b31ac1963ce73ff96faa33a08acb27b6dd2b2a9b118f57a3f4879b1cb06
SHA512 bca8f6972e79c65d591476265d9cd0db1a6394c787172db0da6424e03c14dd4c7d8ae08f30f4337c425a624eacbc22d15b2b76ab528d3b6c5f4ab7f9f23b6983

memory/2944-96-0x000000013F240000-0x000000013F591000-memory.dmp

\Windows\system\TYaamfu.exe

MD5 4db40550a8a405226847478d6fa8f459
SHA1 994d52f0d881bc1bf96cda12e8d4b4e2ab80edc8
SHA256 4dcb83d498e06d0c2ec0cb8da046e2c28de8c3ddc5d836841783a9b78bfe0c4b
SHA512 dc231f99221fd2af39eca498798361805abe9af13666d51d3fe24eb40655976ee66f68d6393aecb00db57990e1ca4c46bffb1feee538746f70945cffb350366c

memory/3048-97-0x00000000021B0000-0x0000000002501000-memory.dmp

\Windows\system\aVzPdVC.exe

MD5 86d3864916f1a6acdd291718d2fa9949
SHA1 8f9fe188a80b0a837c8a692567e46862abbdb2bb
SHA256 a09172ad232de6582d1757f0b32467e33b59c09fbf3cbdc554561e90d4788dd0
SHA512 2f7617659ba9fcbcd518d63f6226ae052fde36e37f59718ee648e71748a6ffc122b660481110a83df815acf1d40f0143cf9dbd88739ce6312ea527717cbc8781

C:\Windows\system\NVhywEP.exe

MD5 4d78eb97fe50b273cb75f7e1f345d580
SHA1 0c330348b5419bb65f408b53fe3d0b955b0dd7be
SHA256 3fcf2bb9fbc791091735779bce3984951fcff5d881c5a117027f289b4334ba07
SHA512 d86bfcbfc8dcee7f8a5851514bdefc34d14a7a992c9d7a60412256b1ed40777f3d8c36260fa3b9267e112ea61c491c653b6a063399ce78c3099ffbb429775ef0

\Windows\system\qhebuWh.exe

MD5 101adb101bfd223b1fe00f2f1b8476a1
SHA1 4ccb5d0405356514c031bb643572bd65b05a338c
SHA256 9b19819d14aa899ce18757678674036f581dabe0c9695f895faa665256c43236
SHA512 0222a8940fbefc9bd9f7c7feae5d2765ada0ad65de1f03511b11be8d927c3b5570b614523c11f2d7010700c524906c7f88abd095cab2d0b6a61fc16e4e1a74e0

memory/524-116-0x000000013F260000-0x000000013F5B1000-memory.dmp

memory/3048-115-0x000000013FD00000-0x0000000140051000-memory.dmp

memory/1384-114-0x000000013F940000-0x000000013FC91000-memory.dmp

memory/3048-113-0x000000013F940000-0x000000013FC91000-memory.dmp

memory/3048-112-0x000000013F700000-0x000000013FA51000-memory.dmp

memory/1076-111-0x000000013FAE0000-0x000000013FE31000-memory.dmp

memory/820-110-0x000000013F3B0000-0x000000013F701000-memory.dmp

C:\Windows\system\ErTJmQE.exe

MD5 2cc8e9602dba58825118995709c9147f
SHA1 6f551b30218eabac9f4131c6e1cf07653f2d3316
SHA256 f1e09c4e7d62b62fbe6f204a2612e869dea6fd2de4716fdfb2df39f1165549a1
SHA512 bafe280ddf17329056059c6ec609badcb42eb68fc157ae3ba4c441d73c44b7f84509e4f41557ebbe412b2149bff977949d14da4a87d4f24d570aa1130252953a

memory/3048-108-0x000000013FAE0000-0x000000013FE31000-memory.dmp

memory/3048-102-0x00000000021B0000-0x0000000002501000-memory.dmp

C:\Windows\system\IWGaubk.exe

MD5 730c0a0c26bd413d853654ad525906d8
SHA1 676aa650b7d903b42289960baa383c2421d589c5
SHA256 72c684afcbee42d4a2e3cbdb89971e3252d1ef9fcf6a619e94954ed5e3c0721a
SHA512 a34fd888dc390f4b7ae3d576013988fc864bf081644b4833cf48bb66687291e73da138cacc99eb76918daaa0e1788e7f180e41ab8753d4cbd6b4bf72c76f24e5

memory/3048-92-0x00000000021B0000-0x0000000002501000-memory.dmp

memory/3048-90-0x00000000021B0000-0x0000000002501000-memory.dmp

C:\Windows\system\zZGBOhL.exe

MD5 aaf67029147cac77d7b3d09546f69951
SHA1 dc5103564bd63d7ce1a6afb0ee6db3018a02a675
SHA256 47e8e6a9f8d3bebd6817786a49427ea0248b33a6a6db2bb2ba1c699765464cb8
SHA512 5f2080e0a1a3bc7d1ccec7b643a59e7b9a797a8481df71be56b8ac21e686759e4a9c53057e8e21975c7cad36680d601cbbf97d0c080c6de7fa7105eb20c8b8d8

C:\Windows\system\OmANoPa.exe

MD5 a5ed7f653524a37814ea41852f4e8bf1
SHA1 b5339da96ca97792b86281e89871e69878a14a3c
SHA256 1a85533e62c9f7781a881cff88bab97c5797a9b9949fa1bde2eaccab69820ca0
SHA512 ebfa1863f4369887cc498ec39e62005d3a62f3e65539cb0da0d3aaf4abaad8d577c90a6bac1f7370d113a71cf7038bc8500f3f521d8eba75172a041d301a44b8

C:\Windows\system\JPvbPGy.exe

MD5 397223f03ebfea8e6944090db676faf2
SHA1 2cd3555cbe4f3a44c634c9818df8c1d14ee16dd4
SHA256 fcf14202ce8f09a682e9482e41f3d0b2fc0c7d03d7b82a641127ea35d4339103
SHA512 dc93e991cd19a45471526eb6ec273c11604b6e47e6dbb5f7878907f73e56b2559849ef5d8312778ce495378299ddad4cda169adcb81d9b58fdf724291bec9e0e

C:\Windows\system\HqeVwzZ.exe

MD5 470b7b71136e30b5f2af13059e15e172
SHA1 e9f5dbd6a473e43625f5770a1740176a1a70ae70
SHA256 5dcd91d02b3a6f4c6a37eceddd90c82bb15efb5b5a37d3c0b80430a01499768d
SHA512 aae97346d793adaa7e113b3301db4ab682813675be7509d741102bd7170721a0835993f4f689173d81e3a1b9a956df6d3e658959d99da56177f94a6b5aaf0568

C:\Windows\system\zKajvdK.exe

MD5 bfbdbf328656c6c509a3117bc9199e94
SHA1 ae47855de6c528c02246ded95c2f5d032aea8e3b
SHA256 7cf8f6ba980de68b403f2d7dbbfdd0b9582f2ca5c21b8a01db1900d5bcef1837
SHA512 44f6c2c5a6d8d8d35af1b6364f2d4cf4b79c2b1a018d41bf0019aba3557327819b1ae9cf26932deaf20ff6150a6d72df2937927be35ebc0fee89158fd0f31738

memory/3048-133-0x000000013F160000-0x000000013F4B1000-memory.dmp

memory/2768-54-0x000000013F0C0000-0x000000013F411000-memory.dmp

C:\Windows\system\RFxTCtw.exe

MD5 07076f1a19372ad4af489da7f105602b
SHA1 3810749f436199d6002ff05d04b8fbe3a481d03f
SHA256 c16511c69c9922beb85fa0e93f720cee1b10608baeb6210afe7000e100a6aa5a
SHA512 aa65fd2efbb539b912b99a13b1ea58d65682f9c0eb085aa135849b0e159fb46123a05e473f4dc84cc74992d72bde654b3aab527b6b79debb88a6a4c6edc96a62

memory/3048-49-0x00000000021B0000-0x0000000002501000-memory.dmp

memory/2696-48-0x000000013F880000-0x000000013FBD1000-memory.dmp

memory/3048-47-0x000000013F580000-0x000000013F8D1000-memory.dmp

memory/3048-46-0x000000013F9D0000-0x000000013FD21000-memory.dmp

memory/3056-45-0x000000013F4A0000-0x000000013F7F1000-memory.dmp

C:\Windows\system\iZWTwAg.exe

MD5 e62d97ac2657d0b188c6ab628188355f
SHA1 83d96570ee5fec8ea48bfcc26b7d303c0da034a4
SHA256 29d5964ced7387db6727b4371510bd747aafd030343e6167012d12d182263abc
SHA512 4b668abed6bbb8f4f4efb032287c379747dc18384f6411461240e15d5e0265446e92f1a5911736a956c5c2b0c484ffb9d6cfb65bc7a618217e44e7aed7b0be9a

memory/2552-40-0x000000013F9D0000-0x000000013FD21000-memory.dmp

C:\Windows\system\rXRaZFU.exe

MD5 68839dc64953b14f24f7e70d574fa813
SHA1 b226c5877fb3942e3822746d12cbb0ac35a86a6e
SHA256 efce37d83ab6bb12674f03cb14821ac779b32ca4ddbe7a4f43eefeddaa0e15fc
SHA512 cf229a885e2e50325c3a6412e553d991e6b3946e3c6b3288c437ac1370d33d6661824a20acc03cda887778e504228d128868580adcc6ef281d8d9c18699ca772

memory/2716-39-0x000000013F630000-0x000000013F981000-memory.dmp

memory/3048-38-0x000000013F880000-0x000000013FBD1000-memory.dmp

C:\Windows\system\NIgCFkw.exe

MD5 3e62968a33d33b4c111d71e55ffa301f
SHA1 ffc54d76b83a03c182a29ce4898b8862a42c21f0
SHA256 88ad97d45f4a2b1523228f09180b824550117e52521f5e9e3cac7c3e6bda53e2
SHA512 efe957238c1f8f111cadb8c0b45d894c899d3fe61d934b10d74c76f97c57474f1030e86ab4e1b22d56309777d8f4a612b7b5562bf5b3ae4ccc1534e9cfac25e7

C:\Windows\system\PhkbIPi.exe

MD5 768105ef2e50cf86358fadab19291ce0
SHA1 a42f04aaaaa06de4ed8751a22600d96b677c9bbe
SHA256 d1381c4180d45ebe6b39b30f7e291badb2387b1e28ae61f862af47baea8e075d
SHA512 9ab7d4c6fbbe8bed704656bf50a39cd0aa2f3e01273033585328b380c95556defdeaedf77e35188a6141cb26ea2c57e35863093e0c85cb199b8234d72dfeac65

memory/2548-33-0x000000013F1D0000-0x000000013F521000-memory.dmp

memory/1996-145-0x000000013F340000-0x000000013F691000-memory.dmp

memory/820-144-0x000000013F3B0000-0x000000013F701000-memory.dmp

memory/860-149-0x000000013FD00000-0x0000000140051000-memory.dmp

memory/2824-150-0x000000013F9C0000-0x000000013FD11000-memory.dmp

memory/1232-153-0x000000013FAE0000-0x000000013FE31000-memory.dmp

memory/1336-154-0x000000013F0E0000-0x000000013F431000-memory.dmp

memory/3048-156-0x000000013F630000-0x000000013F981000-memory.dmp

memory/3048-155-0x000000013F160000-0x000000013F4B1000-memory.dmp

memory/2180-152-0x000000013F290000-0x000000013F5E1000-memory.dmp

memory/2956-151-0x000000013F8E0000-0x000000013FC31000-memory.dmp

memory/1384-148-0x000000013F940000-0x000000013FC91000-memory.dmp

memory/1728-147-0x000000013F700000-0x000000013FA51000-memory.dmp

memory/1076-146-0x000000013FAE0000-0x000000013FE31000-memory.dmp

memory/524-143-0x000000013F260000-0x000000013F5B1000-memory.dmp

C:\Windows\system\YzmPnoi.exe

MD5 b7c5e52a5e818fd986fc0eae4338e8fd
SHA1 bc2d363c84cf561e52f9308fe258d96b1995b6e8
SHA256 da2ad62628d3242b5163e8b0718af1071a7137637d9f0c563191f8b69d241067
SHA512 9c3e1a68a1b29830939bf9b90e2ea6066d8dd2fdb1abd9c2ac873bb9153ad7158bf143ef234fe6f16c6ef0b4a9be8aedca2af570f577c5a22eaa7e9d8cc0fbd0

memory/3048-157-0x000000013F160000-0x000000013F4B1000-memory.dmp

memory/3056-211-0x000000013F4A0000-0x000000013F7F1000-memory.dmp

memory/2548-212-0x000000013F1D0000-0x000000013F521000-memory.dmp

memory/2716-220-0x000000013F630000-0x000000013F981000-memory.dmp

memory/2696-223-0x000000013F880000-0x000000013FBD1000-memory.dmp

memory/2448-226-0x000000013F580000-0x000000013F8D1000-memory.dmp

memory/2552-225-0x000000013F9D0000-0x000000013FD21000-memory.dmp

memory/2420-228-0x000000013F230000-0x000000013F581000-memory.dmp

memory/2944-232-0x000000013F240000-0x000000013F591000-memory.dmp

memory/2768-231-0x000000013F0C0000-0x000000013F411000-memory.dmp

memory/1076-234-0x000000013FAE0000-0x000000013FE31000-memory.dmp

memory/820-242-0x000000013F3B0000-0x000000013F701000-memory.dmp

memory/524-244-0x000000013F260000-0x000000013F5B1000-memory.dmp

memory/1384-238-0x000000013F940000-0x000000013FC91000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-22 19:16

Reported

2024-05-22 19:18

Platform

win10v2004-20240426-en

Max time kernel

148s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\202405220d73b00d3b0f3341623a5a10f335a190cobaltstrikecobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A (21 identical rows, all fields N/A)

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A (45 identical rows, all fields N/A)

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A (64 identical rows, all fields N/A)

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\aVzPdVC.exe C:\Users\Admin\AppData\Local\Temp\202405220d73b00d3b0f3341623a5a10f335a190cobaltstrikecobaltstrike.exe N/A
File created C:\Windows\System\ErTJmQE.exe C:\Users\Admin\AppData\Local\Temp\202405220d73b00d3b0f3341623a5a10f335a190cobaltstrikecobaltstrike.exe N/A
File created C:\Windows\System\rXRaZFU.exe C:\Users\Admin\AppData\Local\Temp\202405220d73b00d3b0f3341623a5a10f335a190cobaltstrikecobaltstrike.exe N/A
File created C:\Windows\System\HqeVwzZ.exe C:\Users\Admin\AppData\Local\Temp\202405220d73b00d3b0f3341623a5a10f335a190cobaltstrikecobaltstrike.exe N/A
File created C:\Windows\System\OmANoPa.exe C:\Users\Admin\AppData\Local\Temp\202405220d73b00d3b0f3341623a5a10f335a190cobaltstrikecobaltstrike.exe N/A
File created C:\Windows\System\zZGBOhL.exe C:\Users\Admin\AppData\Local\Temp\202405220d73b00d3b0f3341623a5a10f335a190cobaltstrikecobaltstrike.exe N/A
File created C:\Windows\System\JpvVTwU.exe C:\Users\Admin\AppData\Local\Temp\202405220d73b00d3b0f3341623a5a10f335a190cobaltstrikecobaltstrike.exe N/A
File created C:\Windows\System\xWZkrLk.exe C:\Users\Admin\AppData\Local\Temp\202405220d73b00d3b0f3341623a5a10f335a190cobaltstrikecobaltstrike.exe N/A
File created C:\Windows\System\qhebuWh.exe C:\Users\Admin\AppData\Local\Temp\202405220d73b00d3b0f3341623a5a10f335a190cobaltstrikecobaltstrike.exe N/A
File created C:\Windows\System\IWGaubk.exe C:\Users\Admin\AppData\Local\Temp\202405220d73b00d3b0f3341623a5a10f335a190cobaltstrikecobaltstrike.exe N/A
File created C:\Windows\System\PhkbIPi.exe C:\Users\Admin\AppData\Local\Temp\202405220d73b00d3b0f3341623a5a10f335a190cobaltstrikecobaltstrike.exe N/A
File created C:\Windows\System\RFxTCtw.exe C:\Users\Admin\AppData\Local\Temp\202405220d73b00d3b0f3341623a5a10f335a190cobaltstrikecobaltstrike.exe N/A
File created C:\Windows\System\NIgCFkw.exe C:\Users\Admin\AppData\Local\Temp\202405220d73b00d3b0f3341623a5a10f335a190cobaltstrikecobaltstrike.exe N/A
File created C:\Windows\System\zKajvdK.exe C:\Users\Admin\AppData\Local\Temp\202405220d73b00d3b0f3341623a5a10f335a190cobaltstrikecobaltstrike.exe N/A
File created C:\Windows\System\JPvbPGy.exe C:\Users\Admin\AppData\Local\Temp\202405220d73b00d3b0f3341623a5a10f335a190cobaltstrikecobaltstrike.exe N/A
File created C:\Windows\System\NVhywEP.exe C:\Users\Admin\AppData\Local\Temp\202405220d73b00d3b0f3341623a5a10f335a190cobaltstrikecobaltstrike.exe N/A
File created C:\Windows\System\NFEQzyB.exe C:\Users\Admin\AppData\Local\Temp\202405220d73b00d3b0f3341623a5a10f335a190cobaltstrikecobaltstrike.exe N/A
File created C:\Windows\System\YzmPnoi.exe C:\Users\Admin\AppData\Local\Temp\202405220d73b00d3b0f3341623a5a10f335a190cobaltstrikecobaltstrike.exe N/A
File created C:\Windows\System\VQIVTpU.exe C:\Users\Admin\AppData\Local\Temp\202405220d73b00d3b0f3341623a5a10f335a190cobaltstrikecobaltstrike.exe N/A
File created C:\Windows\System\TYaamfu.exe C:\Users\Admin\AppData\Local\Temp\202405220d73b00d3b0f3341623a5a10f335a190cobaltstrikecobaltstrike.exe N/A
File created C:\Windows\System\iZWTwAg.exe C:\Users\Admin\AppData\Local\Temp\202405220d73b00d3b0f3341623a5a10f335a190cobaltstrikecobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\202405220d73b00d3b0f3341623a5a10f335a190cobaltstrikecobaltstrike.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\202405220d73b00d3b0f3341623a5a10f335a190cobaltstrikecobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3036 wrote to memory of 4488 N/A C:\Users\Admin\AppData\Local\Temp\202405220d73b00d3b0f3341623a5a10f335a190cobaltstrikecobaltstrike.exe C:\Windows\System\NFEQzyB.exe
PID 3036 wrote to memory of 4488 N/A C:\Users\Admin\AppData\Local\Temp\202405220d73b00d3b0f3341623a5a10f335a190cobaltstrikecobaltstrike.exe C:\Windows\System\NFEQzyB.exe
PID 3036 wrote to memory of 4564 N/A C:\Users\Admin\AppData\Local\Temp\202405220d73b00d3b0f3341623a5a10f335a190cobaltstrikecobaltstrike.exe C:\Windows\System\YzmPnoi.exe
PID 3036 wrote to memory of 4564 N/A C:\Users\Admin\AppData\Local\Temp\202405220d73b00d3b0f3341623a5a10f335a190cobaltstrikecobaltstrike.exe C:\Windows\System\YzmPnoi.exe
PID 3036 wrote to memory of 2200 N/A C:\Users\Admin\AppData\Local\Temp\202405220d73b00d3b0f3341623a5a10f335a190cobaltstrikecobaltstrike.exe C:\Windows\System\rXRaZFU.exe
PID 3036 wrote to memory of 2200 N/A C:\Users\Admin\AppData\Local\Temp\202405220d73b00d3b0f3341623a5a10f335a190cobaltstrikecobaltstrike.exe C:\Windows\System\rXRaZFU.exe
PID 3036 wrote to memory of 2444 N/A C:\Users\Admin\AppData\Local\Temp\202405220d73b00d3b0f3341623a5a10f335a190cobaltstrikecobaltstrike.exe C:\Windows\System\PhkbIPi.exe
PID 3036 wrote to memory of 2444 N/A C:\Users\Admin\AppData\Local\Temp\202405220d73b00d3b0f3341623a5a10f335a190cobaltstrikecobaltstrike.exe C:\Windows\System\PhkbIPi.exe
PID 3036 wrote to memory of 4484 N/A C:\Users\Admin\AppData\Local\Temp\202405220d73b00d3b0f3341623a5a10f335a190cobaltstrikecobaltstrike.exe C:\Windows\System\iZWTwAg.exe
PID 3036 wrote to memory of 4484 N/A C:\Users\Admin\AppData\Local\Temp\202405220d73b00d3b0f3341623a5a10f335a190cobaltstrikecobaltstrike.exe C:\Windows\System\iZWTwAg.exe
PID 3036 wrote to memory of 2880 N/A C:\Users\Admin\AppData\Local\Temp\202405220d73b00d3b0f3341623a5a10f335a190cobaltstrikecobaltstrike.exe C:\Windows\System\RFxTCtw.exe
PID 3036 wrote to memory of 2880 N/A C:\Users\Admin\AppData\Local\Temp\202405220d73b00d3b0f3341623a5a10f335a190cobaltstrikecobaltstrike.exe C:\Windows\System\RFxTCtw.exe
PID 3036 wrote to memory of 1612 N/A C:\Users\Admin\AppData\Local\Temp\202405220d73b00d3b0f3341623a5a10f335a190cobaltstrikecobaltstrike.exe C:\Windows\System\NIgCFkw.exe
PID 3036 wrote to memory of 1612 N/A C:\Users\Admin\AppData\Local\Temp\202405220d73b00d3b0f3341623a5a10f335a190cobaltstrikecobaltstrike.exe C:\Windows\System\NIgCFkw.exe
PID 3036 wrote to memory of 5028 N/A C:\Users\Admin\AppData\Local\Temp\202405220d73b00d3b0f3341623a5a10f335a190cobaltstrikecobaltstrike.exe C:\Windows\System\VQIVTpU.exe
PID 3036 wrote to memory of 5028 N/A C:\Users\Admin\AppData\Local\Temp\202405220d73b00d3b0f3341623a5a10f335a190cobaltstrikecobaltstrike.exe C:\Windows\System\VQIVTpU.exe
PID 3036 wrote to memory of 3624 N/A C:\Users\Admin\AppData\Local\Temp\202405220d73b00d3b0f3341623a5a10f335a190cobaltstrikecobaltstrike.exe C:\Windows\System\zKajvdK.exe
PID 3036 wrote to memory of 3624 N/A C:\Users\Admin\AppData\Local\Temp\202405220d73b00d3b0f3341623a5a10f335a190cobaltstrikecobaltstrike.exe C:\Windows\System\zKajvdK.exe
PID 3036 wrote to memory of 2484 N/A C:\Users\Admin\AppData\Local\Temp\202405220d73b00d3b0f3341623a5a10f335a190cobaltstrikecobaltstrike.exe C:\Windows\System\HqeVwzZ.exe
PID 3036 wrote to memory of 2484 N/A C:\Users\Admin\AppData\Local\Temp\202405220d73b00d3b0f3341623a5a10f335a190cobaltstrikecobaltstrike.exe C:\Windows\System\HqeVwzZ.exe
PID 3036 wrote to memory of 804 N/A C:\Users\Admin\AppData\Local\Temp\202405220d73b00d3b0f3341623a5a10f335a190cobaltstrikecobaltstrike.exe C:\Windows\System\JPvbPGy.exe
PID 3036 wrote to memory of 804 N/A C:\Users\Admin\AppData\Local\Temp\202405220d73b00d3b0f3341623a5a10f335a190cobaltstrikecobaltstrike.exe C:\Windows\System\JPvbPGy.exe
PID 3036 wrote to memory of 4116 N/A C:\Users\Admin\AppData\Local\Temp\202405220d73b00d3b0f3341623a5a10f335a190cobaltstrikecobaltstrike.exe C:\Windows\System\NVhywEP.exe
PID 3036 wrote to memory of 4116 N/A C:\Users\Admin\AppData\Local\Temp\202405220d73b00d3b0f3341623a5a10f335a190cobaltstrikecobaltstrike.exe C:\Windows\System\NVhywEP.exe
PID 3036 wrote to memory of 4832 N/A C:\Users\Admin\AppData\Local\Temp\202405220d73b00d3b0f3341623a5a10f335a190cobaltstrikecobaltstrike.exe C:\Windows\System\OmANoPa.exe
PID 3036 wrote to memory of 4832 N/A C:\Users\Admin\AppData\Local\Temp\202405220d73b00d3b0f3341623a5a10f335a190cobaltstrikecobaltstrike.exe C:\Windows\System\OmANoPa.exe
PID 3036 wrote to memory of 3460 N/A C:\Users\Admin\AppData\Local\Temp\202405220d73b00d3b0f3341623a5a10f335a190cobaltstrikecobaltstrike.exe C:\Windows\System\qhebuWh.exe
PID 3036 wrote to memory of 3460 N/A C:\Users\Admin\AppData\Local\Temp\202405220d73b00d3b0f3341623a5a10f335a190cobaltstrikecobaltstrike.exe C:\Windows\System\qhebuWh.exe
PID 3036 wrote to memory of 1500 N/A C:\Users\Admin\AppData\Local\Temp\202405220d73b00d3b0f3341623a5a10f335a190cobaltstrikecobaltstrike.exe C:\Windows\System\zZGBOhL.exe
PID 3036 wrote to memory of 1500 N/A C:\Users\Admin\AppData\Local\Temp\202405220d73b00d3b0f3341623a5a10f335a190cobaltstrikecobaltstrike.exe C:\Windows\System\zZGBOhL.exe
PID 3036 wrote to memory of 4648 N/A C:\Users\Admin\AppData\Local\Temp\202405220d73b00d3b0f3341623a5a10f335a190cobaltstrikecobaltstrike.exe C:\Windows\System\JpvVTwU.exe
PID 3036 wrote to memory of 4648 N/A C:\Users\Admin\AppData\Local\Temp\202405220d73b00d3b0f3341623a5a10f335a190cobaltstrikecobaltstrike.exe C:\Windows\System\JpvVTwU.exe
PID 3036 wrote to memory of 1828 N/A C:\Users\Admin\AppData\Local\Temp\202405220d73b00d3b0f3341623a5a10f335a190cobaltstrikecobaltstrike.exe C:\Windows\System\xWZkrLk.exe
PID 3036 wrote to memory of 1828 N/A C:\Users\Admin\AppData\Local\Temp\202405220d73b00d3b0f3341623a5a10f335a190cobaltstrikecobaltstrike.exe C:\Windows\System\xWZkrLk.exe
PID 3036 wrote to memory of 4204 N/A C:\Users\Admin\AppData\Local\Temp\202405220d73b00d3b0f3341623a5a10f335a190cobaltstrikecobaltstrike.exe C:\Windows\System\aVzPdVC.exe
PID 3036 wrote to memory of 4204 N/A C:\Users\Admin\AppData\Local\Temp\202405220d73b00d3b0f3341623a5a10f335a190cobaltstrikecobaltstrike.exe C:\Windows\System\aVzPdVC.exe
PID 3036 wrote to memory of 4328 N/A C:\Users\Admin\AppData\Local\Temp\202405220d73b00d3b0f3341623a5a10f335a190cobaltstrikecobaltstrike.exe C:\Windows\System\IWGaubk.exe
PID 3036 wrote to memory of 4328 N/A C:\Users\Admin\AppData\Local\Temp\202405220d73b00d3b0f3341623a5a10f335a190cobaltstrikecobaltstrike.exe C:\Windows\System\IWGaubk.exe
PID 3036 wrote to memory of 3068 N/A C:\Users\Admin\AppData\Local\Temp\202405220d73b00d3b0f3341623a5a10f335a190cobaltstrikecobaltstrike.exe C:\Windows\System\TYaamfu.exe
PID 3036 wrote to memory of 3068 N/A C:\Users\Admin\AppData\Local\Temp\202405220d73b00d3b0f3341623a5a10f335a190cobaltstrikecobaltstrike.exe C:\Windows\System\TYaamfu.exe
PID 3036 wrote to memory of 3244 N/A C:\Users\Admin\AppData\Local\Temp\202405220d73b00d3b0f3341623a5a10f335a190cobaltstrikecobaltstrike.exe C:\Windows\System\ErTJmQE.exe
PID 3036 wrote to memory of 3244 N/A C:\Users\Admin\AppData\Local\Temp\202405220d73b00d3b0f3341623a5a10f335a190cobaltstrikecobaltstrike.exe C:\Windows\System\ErTJmQE.exe

Processes

C:\Users\Admin\AppData\Local\Temp\202405220d73b00d3b0f3341623a5a10f335a190cobaltstrikecobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\202405220d73b00d3b0f3341623a5a10f335a190cobaltstrikecobaltstrike.exe"

C:\Windows\System\NFEQzyB.exe

C:\Windows\System\NFEQzyB.exe

C:\Windows\System\YzmPnoi.exe

C:\Windows\System\YzmPnoi.exe

C:\Windows\System\rXRaZFU.exe

C:\Windows\System\rXRaZFU.exe

C:\Windows\System\PhkbIPi.exe

C:\Windows\System\PhkbIPi.exe

C:\Windows\System\iZWTwAg.exe

C:\Windows\System\iZWTwAg.exe

C:\Windows\System\RFxTCtw.exe

C:\Windows\System\RFxTCtw.exe

C:\Windows\System\NIgCFkw.exe

C:\Windows\System\NIgCFkw.exe

C:\Windows\System\VQIVTpU.exe

C:\Windows\System\VQIVTpU.exe

C:\Windows\System\zKajvdK.exe

C:\Windows\System\zKajvdK.exe

C:\Windows\System\HqeVwzZ.exe

C:\Windows\System\HqeVwzZ.exe

C:\Windows\System\JPvbPGy.exe

C:\Windows\System\JPvbPGy.exe

C:\Windows\System\NVhywEP.exe

C:\Windows\System\NVhywEP.exe

C:\Windows\System\OmANoPa.exe

C:\Windows\System\OmANoPa.exe

C:\Windows\System\qhebuWh.exe

C:\Windows\System\qhebuWh.exe

C:\Windows\System\zZGBOhL.exe

C:\Windows\System\zZGBOhL.exe

C:\Windows\System\JpvVTwU.exe

C:\Windows\System\JpvVTwU.exe

C:\Windows\System\xWZkrLk.exe

C:\Windows\System\xWZkrLk.exe

C:\Windows\System\aVzPdVC.exe

C:\Windows\System\aVzPdVC.exe

C:\Windows\System\IWGaubk.exe

C:\Windows\System\IWGaubk.exe

C:\Windows\System\TYaamfu.exe

C:\Windows\System\TYaamfu.exe

C:\Windows\System\ErTJmQE.exe

C:\Windows\System\ErTJmQE.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 234.197.17.2.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 249.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 216.197.17.2.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 58.99.105.20.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 209.143.182.52.in-addr.arpa udp

Files

memory/3036-0-0x00007FF7A48E0000-0x00007FF7A4C31000-memory.dmp

memory/3036-1-0x000002A160D50000-0x000002A160D60000-memory.dmp

C:\Windows\System\NFEQzyB.exe

MD5 b77978fcb59d862ea9313924f2b389e7
SHA1 cca8b6033fa6174038710d8b51cf95795e2b3c2f
SHA256 ec0a3353d4436f3b42774639ae97c06e46d031dc2606c086ef8b1ea966afc79f
SHA512 2b99fd191c96afc103445fad6e29883551e3bc532485c4f4cf2f6031c000e3bc93eb1bdb94d417213363ee5d403af4bc0993081528b2a711d32c7a811f2e9c16

memory/4488-7-0x00007FF610480000-0x00007FF6107D1000-memory.dmp

C:\Windows\System\rXRaZFU.exe

MD5 68839dc64953b14f24f7e70d574fa813
SHA1 b226c5877fb3942e3822746d12cbb0ac35a86a6e
SHA256 efce37d83ab6bb12674f03cb14821ac779b32ca4ddbe7a4f43eefeddaa0e15fc
SHA512 cf229a885e2e50325c3a6412e553d991e6b3946e3c6b3288c437ac1370d33d6661824a20acc03cda887778e504228d128868580adcc6ef281d8d9c18699ca772

memory/4564-12-0x00007FF717C30000-0x00007FF717F81000-memory.dmp

memory/2200-20-0x00007FF7F7C20000-0x00007FF7F7F71000-memory.dmp

C:\Windows\System\YzmPnoi.exe

MD5 b7c5e52a5e818fd986fc0eae4338e8fd
SHA1 bc2d363c84cf561e52f9308fe258d96b1995b6e8
SHA256 da2ad62628d3242b5163e8b0718af1071a7137637d9f0c563191f8b69d241067
SHA512 9c3e1a68a1b29830939bf9b90e2ea6066d8dd2fdb1abd9c2ac873bb9153ad7158bf143ef234fe6f16c6ef0b4a9be8aedca2af570f577c5a22eaa7e9d8cc0fbd0

C:\Windows\System\PhkbIPi.exe

MD5 768105ef2e50cf86358fadab19291ce0
SHA1 a42f04aaaaa06de4ed8751a22600d96b677c9bbe
SHA256 d1381c4180d45ebe6b39b30f7e291badb2387b1e28ae61f862af47baea8e075d
SHA512 9ab7d4c6fbbe8bed704656bf50a39cd0aa2f3e01273033585328b380c95556defdeaedf77e35188a6141cb26ea2c57e35863093e0c85cb199b8234d72dfeac65

C:\Windows\System\iZWTwAg.exe

MD5 e62d97ac2657d0b188c6ab628188355f
SHA1 83d96570ee5fec8ea48bfcc26b7d303c0da034a4
SHA256 29d5964ced7387db6727b4371510bd747aafd030343e6167012d12d182263abc
SHA512 4b668abed6bbb8f4f4efb032287c379747dc18384f6411461240e15d5e0265446e92f1a5911736a956c5c2b0c484ffb9d6cfb65bc7a618217e44e7aed7b0be9a

memory/2444-24-0x00007FF63D9B0000-0x00007FF63DD01000-memory.dmp

memory/4484-32-0x00007FF70F660000-0x00007FF70F9B1000-memory.dmp

C:\Windows\System\RFxTCtw.exe

MD5 07076f1a19372ad4af489da7f105602b
SHA1 3810749f436199d6002ff05d04b8fbe3a481d03f
SHA256 c16511c69c9922beb85fa0e93f720cee1b10608baeb6210afe7000e100a6aa5a
SHA512 aa65fd2efbb539b912b99a13b1ea58d65682f9c0eb085aa135849b0e159fb46123a05e473f4dc84cc74992d72bde654b3aab527b6b79debb88a6a4c6edc96a62

C:\Windows\System\NIgCFkw.exe

MD5 3e62968a33d33b4c111d71e55ffa301f
SHA1 ffc54d76b83a03c182a29ce4898b8862a42c21f0
SHA256 88ad97d45f4a2b1523228f09180b824550117e52521f5e9e3cac7c3e6bda53e2
SHA512 efe957238c1f8f111cadb8c0b45d894c899d3fe61d934b10d74c76f97c57474f1030e86ab4e1b22d56309777d8f4a612b7b5562bf5b3ae4ccc1534e9cfac25e7

C:\Windows\System\VQIVTpU.exe

MD5 08299ff696cbe69ff635204e97df4a60
SHA1 e232d8f408fd18844a61e1dc03e3fb515acca49c
SHA256 a48f48af233676124555bf8c11d2c2c196f5c67f262d3393827801e6e20bc9e4
SHA512 0642bd12db1650b4b78a72a5c5dec6b5081f9442f1ac65b98d6d2c4b8fa9fe055824656e46da98747dd017ee8081e76280cd9c25cefa2c5b24fa64358168858d

C:\Windows\System\zKajvdK.exe

MD5 bfbdbf328656c6c509a3117bc9199e94
SHA1 ae47855de6c528c02246ded95c2f5d032aea8e3b
SHA256 7cf8f6ba980de68b403f2d7dbbfdd0b9582f2ca5c21b8a01db1900d5bcef1837
SHA512 44f6c2c5a6d8d8d35af1b6364f2d4cf4b79c2b1a018d41bf0019aba3557327819b1ae9cf26932deaf20ff6150a6d72df2937927be35ebc0fee89158fd0f31738

memory/3624-51-0x00007FF6527F0000-0x00007FF652B41000-memory.dmp

C:\Windows\System\OmANoPa.exe

MD5 a5ed7f653524a37814ea41852f4e8bf1
SHA1 b5339da96ca97792b86281e89871e69878a14a3c
SHA256 1a85533e62c9f7781a881cff88bab97c5797a9b9949fa1bde2eaccab69820ca0
SHA512 ebfa1863f4369887cc498ec39e62005d3a62f3e65539cb0da0d3aaf4abaad8d577c90a6bac1f7370d113a71cf7038bc8500f3f521d8eba75172a041d301a44b8

memory/4116-78-0x00007FF703670000-0x00007FF7039C1000-memory.dmp

C:\Windows\System\qhebuWh.exe

MD5 101adb101bfd223b1fe00f2f1b8476a1
SHA1 4ccb5d0405356514c031bb643572bd65b05a338c
SHA256 9b19819d14aa899ce18757678674036f581dabe0c9695f895faa665256c43236
SHA512 0222a8940fbefc9bd9f7c7feae5d2765ada0ad65de1f03511b11be8d927c3b5570b614523c11f2d7010700c524906c7f88abd095cab2d0b6a61fc16e4e1a74e0

memory/4488-89-0x00007FF610480000-0x00007FF6107D1000-memory.dmp

C:\Windows\System\zZGBOhL.exe

MD5 aaf67029147cac77d7b3d09546f69951
SHA1 dc5103564bd63d7ce1a6afb0ee6db3018a02a675
SHA256 47e8e6a9f8d3bebd6817786a49427ea0248b33a6a6db2bb2ba1c699765464cb8
SHA512 5f2080e0a1a3bc7d1ccec7b643a59e7b9a797a8481df71be56b8ac21e686759e4a9c53057e8e21975c7cad36680d601cbbf97d0c080c6de7fa7105eb20c8b8d8

C:\Windows\System\xWZkrLk.exe

MD5 f546871cea646316ece66dd58db1cbe8
SHA1 cd14d544ad2ab82321eb765e124b3dccbf2f50c4
SHA256 b45bc357bc48ccf4ac30eb5bf98349de299b993e9b762ec7ed680876256359ed
SHA512 300602f2f83b470594e34660b412e82b134c16a61b0137dd3a609eec82f7fd0abc6cede571d8267d4611450d970959d0ab5a8477886b156fed698fbf435615c4

C:\Windows\System\aVzPdVC.exe

MD5 86d3864916f1a6acdd291718d2fa9949
SHA1 8f9fe188a80b0a837c8a692567e46862abbdb2bb
SHA256 a09172ad232de6582d1757f0b32467e33b59c09fbf3cbdc554561e90d4788dd0
SHA512 2f7617659ba9fcbcd518d63f6226ae052fde36e37f59718ee648e71748a6ffc122b660481110a83df815acf1d40f0143cf9dbd88739ce6312ea527717cbc8781

C:\Windows\System\TYaamfu.exe

MD5 4db40550a8a405226847478d6fa8f459
SHA1 994d52f0d881bc1bf96cda12e8d4b4e2ab80edc8
SHA256 4dcb83d498e06d0c2ec0cb8da046e2c28de8c3ddc5d836841783a9b78bfe0c4b
SHA512 dc231f99221fd2af39eca498798361805abe9af13666d51d3fe24eb40655976ee66f68d6393aecb00db57990e1ca4c46bffb1feee538746f70945cffb350366c

C:\Windows\System\ErTJmQE.exe

MD5 2cc8e9602dba58825118995709c9147f
SHA1 6f551b30218eabac9f4131c6e1cf07653f2d3316
SHA256 f1e09c4e7d62b62fbe6f204a2612e869dea6fd2de4716fdfb2df39f1165549a1
SHA512 bafe280ddf17329056059c6ec609badcb42eb68fc157ae3ba4c441d73c44b7f84509e4f41557ebbe412b2149bff977949d14da4a87d4f24d570aa1130252953a

C:\Windows\System\IWGaubk.exe

MD5 730c0a0c26bd413d853654ad525906d8
SHA1 676aa650b7d903b42289960baa383c2421d589c5
SHA256 72c684afcbee42d4a2e3cbdb89971e3252d1ef9fcf6a619e94954ed5e3c0721a
SHA512 a34fd888dc390f4b7ae3d576013988fc864bf081644b4833cf48bb66687291e73da138cacc99eb76918daaa0e1788e7f180e41ab8753d4cbd6b4bf72c76f24e5

C:\Windows\System\JpvVTwU.exe

MD5 ca35bb3ad977ce2540d04a127800fa46
SHA1 d5ac1049d7bc911360fc0b777b947518348f52fd
SHA256 01092b31ac1963ce73ff96faa33a08acb27b6dd2b2a9b118f57a3f4879b1cb06
SHA512 bca8f6972e79c65d591476265d9cd0db1a6394c787172db0da6424e03c14dd4c7d8ae08f30f4337c425a624eacbc22d15b2b76ab528d3b6c5f4ab7f9f23b6983

memory/3460-90-0x00007FF6AF090000-0x00007FF6AF3E1000-memory.dmp

memory/4832-79-0x00007FF796450000-0x00007FF7967A1000-memory.dmp

memory/804-77-0x00007FF7244E0000-0x00007FF724831000-memory.dmp

memory/3036-76-0x00007FF7A48E0000-0x00007FF7A4C31000-memory.dmp

C:\Windows\System\NVhywEP.exe

MD5 4d78eb97fe50b273cb75f7e1f345d580
SHA1 0c330348b5419bb65f408b53fe3d0b955b0dd7be
SHA256 3fcf2bb9fbc791091735779bce3984951fcff5d881c5a117027f289b4334ba07
SHA512 d86bfcbfc8dcee7f8a5851514bdefc34d14a7a992c9d7a60412256b1ed40777f3d8c36260fa3b9267e112ea61c491c653b6a063399ce78c3099ffbb429775ef0

C:\Windows\System\JPvbPGy.exe

MD5 397223f03ebfea8e6944090db676faf2
SHA1 2cd3555cbe4f3a44c634c9818df8c1d14ee16dd4
SHA256 fcf14202ce8f09a682e9482e41f3d0b2fc0c7d03d7b82a641127ea35d4339103
SHA512 dc93e991cd19a45471526eb6ec273c11604b6e47e6dbb5f7878907f73e56b2559849ef5d8312778ce495378299ddad4cda169adcb81d9b58fdf724291bec9e0e

C:\Windows\System\HqeVwzZ.exe

MD5 470b7b71136e30b5f2af13059e15e172
SHA1 e9f5dbd6a473e43625f5770a1740176a1a70ae70
SHA256 5dcd91d02b3a6f4c6a37eceddd90c82bb15efb5b5a37d3c0b80430a01499768d
SHA512 aae97346d793adaa7e113b3301db4ab682813675be7509d741102bd7170721a0835993f4f689173d81e3a1b9a956df6d3e658959d99da56177f94a6b5aaf0568

memory/2484-58-0x00007FF600B20000-0x00007FF600E71000-memory.dmp

memory/5028-47-0x00007FF7887B0000-0x00007FF788B01000-memory.dmp

memory/1612-45-0x00007FF73CC10000-0x00007FF73CF61000-memory.dmp

memory/2880-40-0x00007FF6AE860000-0x00007FF6AEBB1000-memory.dmp

memory/4564-123-0x00007FF717C30000-0x00007FF717F81000-memory.dmp

memory/1500-124-0x00007FF72F700000-0x00007FF72FA51000-memory.dmp

memory/4648-125-0x00007FF659070000-0x00007FF6593C1000-memory.dmp

memory/4328-128-0x00007FF68B4A0000-0x00007FF68B7F1000-memory.dmp

memory/3068-129-0x00007FF60E300000-0x00007FF60E651000-memory.dmp

memory/3244-130-0x00007FF70F810000-0x00007FF70FB61000-memory.dmp

memory/4204-127-0x00007FF768970000-0x00007FF768CC1000-memory.dmp

memory/1828-126-0x00007FF72E700000-0x00007FF72EA51000-memory.dmp

memory/5028-139-0x00007FF7887B0000-0x00007FF788B01000-memory.dmp

memory/3624-140-0x00007FF6527F0000-0x00007FF652B41000-memory.dmp

memory/2484-141-0x00007FF600B20000-0x00007FF600E71000-memory.dmp

memory/1612-138-0x00007FF73CC10000-0x00007FF73CF61000-memory.dmp

memory/3036-131-0x00007FF7A48E0000-0x00007FF7A4C31000-memory.dmp

memory/2880-137-0x00007FF6AE860000-0x00007FF6AEBB1000-memory.dmp

memory/2444-135-0x00007FF63D9B0000-0x00007FF63DD01000-memory.dmp

memory/4832-144-0x00007FF796450000-0x00007FF7967A1000-memory.dmp

memory/3036-153-0x00007FF7A48E0000-0x00007FF7A4C31000-memory.dmp

memory/4488-203-0x00007FF610480000-0x00007FF6107D1000-memory.dmp

memory/4564-207-0x00007FF717C30000-0x00007FF717F81000-memory.dmp

memory/2200-206-0x00007FF7F7C20000-0x00007FF7F7F71000-memory.dmp

memory/2444-209-0x00007FF63D9B0000-0x00007FF63DD01000-memory.dmp

memory/4484-211-0x00007FF70F660000-0x00007FF70F9B1000-memory.dmp

memory/2880-213-0x00007FF6AE860000-0x00007FF6AEBB1000-memory.dmp

memory/5028-215-0x00007FF7887B0000-0x00007FF788B01000-memory.dmp

memory/1612-217-0x00007FF73CC10000-0x00007FF73CF61000-memory.dmp

memory/2484-219-0x00007FF600B20000-0x00007FF600E71000-memory.dmp

memory/3624-221-0x00007FF6527F0000-0x00007FF652B41000-memory.dmp

memory/804-223-0x00007FF7244E0000-0x00007FF724831000-memory.dmp

memory/4116-225-0x00007FF703670000-0x00007FF7039C1000-memory.dmp

memory/4832-236-0x00007FF796450000-0x00007FF7967A1000-memory.dmp

memory/3460-238-0x00007FF6AF090000-0x00007FF6AF3E1000-memory.dmp

memory/1500-240-0x00007FF72F700000-0x00007FF72FA51000-memory.dmp

memory/4648-242-0x00007FF659070000-0x00007FF6593C1000-memory.dmp

memory/1828-244-0x00007FF72E700000-0x00007FF72EA51000-memory.dmp

memory/4204-246-0x00007FF768970000-0x00007FF768CC1000-memory.dmp

memory/4328-248-0x00007FF68B4A0000-0x00007FF68B7F1000-memory.dmp

memory/3068-251-0x00007FF60E300000-0x00007FF60E651000-memory.dmp

memory/3244-252-0x00007FF70F810000-0x00007FF70FB61000-memory.dmp