Analysis Overview
SHA256
78361ec7eb065402e6199c60253a14e802252f8c41562b9eda26a8128d7de62a
Threat Level: Known bad
The file 2024-06-01_b51d8525fd1f4415298eb5e55122d304_cobalt-strike_cobaltstrike was found to be: Known bad.
Malicious Activity Summary
Cobalt Strike reflective loader
Cobaltstrike family
Detects Reflective DLL injection artifacts
XMRig Miner payload
Xmrig family
UPX packed file
UPX dump on OEP (original entry point)
Loads dropped DLL
Executes dropped EXE
Drops file in Windows directory
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-06-01 07:47
Signatures
Cobalt Strike reflective loader
1 match; no description, indicator, process or target reported.
Cobaltstrike family
Detects Reflective DLL injection artifacts
1 match; no description, indicator, process or target reported.
UPX dump on OEP (original entry point)
1 match; no description, indicator, process or target reported.
XMRig Miner payload
1 match; no description, indicator, process or target reported.
Xmrig family
UPX packed file
1 match; no description, indicator, process or target reported.
Unsigned PE
1 match; no description, indicator, process or target reported.
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-01 07:47
Reported
2024-06-01 07:49
Platform
win7-20240508-en
Max time kernel
139s
Max time network
149s
Command Line
Signatures
Cobalt Strike reflective loader
21 matches; no description, indicator, process or target reported for any of them.
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
21 matches; no description, indicator, process or target reported for any of them.
UPX dump on OEP (original entry point)
50 matches; no description, indicator, process or target reported for any of them.
XMRig Miner payload
51 matches; no description, indicator, process or target reported for any of them.
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\ZwowCOJ.exe | N/A |
| N/A | N/A | C:\Windows\System\dGImgEU.exe | N/A |
| N/A | N/A | C:\Windows\System\kxSThol.exe | N/A |
| N/A | N/A | C:\Windows\System\gjFXUEU.exe | N/A |
| N/A | N/A | C:\Windows\System\gccNgig.exe | N/A |
| N/A | N/A | C:\Windows\System\JdbTEyb.exe | N/A |
| N/A | N/A | C:\Windows\System\kusLUkT.exe | N/A |
| N/A | N/A | C:\Windows\System\BXctlcn.exe | N/A |
| N/A | N/A | C:\Windows\System\mSNvxxB.exe | N/A |
| N/A | N/A | C:\Windows\System\TiCoaeB.exe | N/A |
| N/A | N/A | C:\Windows\System\XOBnzQX.exe | N/A |
| N/A | N/A | C:\Windows\System\AbnrnJY.exe | N/A |
| N/A | N/A | C:\Windows\System\eUicdyA.exe | N/A |
| N/A | N/A | C:\Windows\System\IWymZtL.exe | N/A |
| N/A | N/A | C:\Windows\System\YoDcIox.exe | N/A |
| N/A | N/A | C:\Windows\System\YAAOrId.exe | N/A |
| N/A | N/A | C:\Windows\System\CzBalUr.exe | N/A |
| N/A | N/A | C:\Windows\System\zPvVfZf.exe | N/A |
| N/A | N/A | C:\Windows\System\DSTsCzP.exe | N/A |
| N/A | N/A | C:\Windows\System\kNvWfkU.exe | N/A |
| N/A | N/A | C:\Windows\System\fXEerdZ.exe | N/A |
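The "Executes dropped EXE" and "Drops file in Windows directory" hits describe one chain: the sample running from %TEMP% writes seven-letter random-named executables into C:\Windows\System (the legacy 16-bit directory, not System32) and then starts them. The detection heuristic below is an added example, not part of the sandbox report. Its event records are constructed from the paths on this page in a Sysmon-like shape (EventID 11 = FileCreate, EventID 1 = ProcessCreate); that schema, the parent PID 1368 (taken from the memory-dump names in the Files section) and the benign msiexec control event are assumptions of the example.

```python
r"""Heuristic: a process living in a user-writable location writes an .exe into
C:\Windows\System and that file is later executed. Random-looking names sort first.
Added example; event schema, PID 1368 and the control event are assumptions."""
import re
from dataclasses import dataclass
from typing import Iterable, List

WINDOWS_SYSTEM_DIR = "C:\\Windows\\System"          # exact directory, not System32
RANDOM_NAME = re.compile(r"^[A-Za-z]{7}\.exe$")     # 7 mixed-case letters, as seen on this page
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\")

DROPPER = ("C:\\Users\\Admin\\AppData\\Local\\Temp\\"
           "2024-06-01_b51d8525fd1f4415298eb5e55122d304_cobalt-strike_cobaltstrike.exe")


@dataclass(frozen=True)
class Event:
    event_id: int   # 11 = file create, 1 = process create
    pid: int        # acting process
    image: str      # image of the acting process
    target: str     # file created (11) or child image (1)


def in_dir(path: str, directory: str) -> bool:
    """True when `path` sits directly inside `directory` (case-insensitive)."""
    head, _, name = path.rpartition("\\")
    return bool(name) and head.lower() == directory.lower()


def dropped_and_executed(events: Iterable[Event]) -> List[str]:
    r"""Images written into C:\Windows\System by a process from a user-writable
    location that were later started."""
    events = list(events)
    dropped = {}
    for e in events:
        if (e.event_id == 11 and in_dir(e.target, WINDOWS_SYSTEM_DIR)
                and e.image.lower().startswith(USER_WRITABLE)):
            dropped[e.target.lower()] = e.target
    executed = {e.target.lower() for e in events if e.event_id == 1}
    hits = [path for key, path in dropped.items() if key in executed]
    # random-looking names are the stronger signal, so they sort first
    hits.sort(key=lambda p: (RANDOM_NAME.match(p.rpartition("\\")[2]) is None, p))
    return hits


def sample_events() -> List[Event]:
    """Constructed from the report: three dropped files are written and run, a
    fourth is only written, and a System32 write by msiexec is a benign control."""
    ev = []
    for name in ("ZwowCOJ.exe", "dGImgEU.exe", "kxSThol.exe"):
        path = WINDOWS_SYSTEM_DIR + "\\" + name
        ev.append(Event(11, 1368, DROPPER, path))
        ev.append(Event(1, 1368, DROPPER, path))
    ev.append(Event(11, 1368, DROPPER, WINDOWS_SYSTEM_DIR + "\\gjFXUEU.exe"))
    ev.append(Event(11, 4242, "C:\\Windows\\System32\\msiexec.exe",
                    "C:\\Windows\\System32\\drivers\\example.sys"))
    return ev


if __name__ == "__main__":
    for hit in dropped_and_executed(sample_events()):
        print("dropped-and-executed:", hit)
```

The directory check is deliberately exact: legitimate installers write to System32 and its subdirectories all day, while almost nothing writes to the bare C:\Windows\System folder, so matching the parent directory rather than a prefix keeps the rule quiet on clean hosts.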
Loads dropped DLL
UPX packed file
50 matches; no description, indicator, process or target reported for any of them.
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-01_b51d8525fd1f4415298eb5e55122d304_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-01_b51d8525fd1f4415298eb5e55122d304_cobalt-strike_cobaltstrike.exe | N/A |
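Both AdjustPrivilegeToken hits enable SeLockMemoryPrivilege ("Lock pages in memory"), the right needed for large-page allocations; XMRig asks for it so RandomX can run on huge pages. The few legitimate requesters (database engines, hypervisors) are well known, so the useful signal is which image is asking. The triage logic below is an added example, not part of the sandbox report. Its records are constructed in the shape of Windows Security event 4703 (a user right was adjusted), with field names modelled on that event's XML data; the privilege weights, the allow-list and the two control events are assumptions of the example.

```python
"""Score token-right adjustments: sensitive privilege, not on the allow-list for
that image, plus a bonus when the image runs from a user-writable path.
Added example; event shape, weights, allow-list and controls are assumptions."""
from typing import Dict, Iterable, List, Tuple

# Rights almost no interactive or user-land software needs; weight = severity.
SENSITIVE_PRIVS = {
    "SeLockMemoryPrivilege": 3,   # huge pages: miners, SQL Server, hypervisors
    "SeDebugPrivilege": 3,        # open and write any process
    "SeLoadDriverPrivilege": 3,
    "SeTcbPrivilege": 3,
    "SeImpersonatePrivilege": 1,  # common in services; weak on its own
}

# Assumed site allow-list: image-path prefix -> privileges it may legitimately enable.
EXPECTED = {
    "c:\\program files\\microsoft sql server\\": {"SeLockMemoryPrivilege"},
}

USER_WRITABLE_HINTS = ("\\appdata\\local\\temp\\", "\\downloads\\", "\\users\\public\\")

SAMPLE_IMAGE = ("C:\\Users\\Admin\\AppData\\Local\\Temp\\"
                "2024-06-01_b51d8525fd1f4415298eb5e55122d304_cobalt-strike_cobaltstrike.exe")


def score_event(ev: Dict[str, str]) -> Tuple[int, List[str]]:
    """Score one 4703-style record; returns (score, reasons)."""
    image = ev["ProcessName"].lower()
    enabled = [p.strip() for p in ev.get("EnabledPrivilegeList", "").split(",") if p.strip()]
    score, reasons = 0, []
    for priv in enabled:
        weight = SENSITIVE_PRIVS.get(priv)
        if weight is None:
            continue
        if any(image.startswith(prefix) and priv in allowed
               for prefix, allowed in EXPECTED.items()):
            continue  # expected for this image
        score += weight
        reasons.append(f"enabled {priv}")
    if score and any(hint in image for hint in USER_WRITABLE_HINTS):
        score += 2
        reasons.append("image runs from a user-writable directory")
    return score, reasons


def triage(events: Iterable[Dict[str, str]], threshold: int = 3) -> List[Tuple[str, int, List[str]]]:
    """Return (image, score, reasons) for every event at or above `threshold`."""
    flagged = []
    for ev in events:
        score, reasons = score_event(ev)
        if score >= threshold:
            flagged.append((ev["ProcessName"], score, reasons))
    return flagged


def sample_events() -> List[Dict[str, str]]:
    """Constructed: the report's two hits, plus two controls that must not fire."""
    hit = {"EventID": "4703", "ProcessName": SAMPLE_IMAGE,
           "EnabledPrivilegeList": "SeLockMemoryPrivilege"}
    return [
        hit, dict(hit),
        {"EventID": "4703",
         "ProcessName": "C:\\Program Files\\Microsoft SQL Server\\MSSQL\\Binn\\sqlservr.exe",
         "EnabledPrivilegeList": "SeLockMemoryPrivilege"},
        {"EventID": "4703", "ProcessName": "C:\\Windows\\System32\\svchost.exe",
         "EnabledPrivilegeList": "SeImpersonatePrivilege"},
    ]


if __name__ == "__main__":
    for image, score, reasons in triage(sample_events()):
        print(score, image, "; ".join(reasons))
```

The allow-list is keyed on the image path rather than the process name so that a miner renamed to sqlservr.exe in %TEMP% still scores; a real deployment would also require the privilege to be present in the account's assigned rights, since a token can only enable what was granted.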
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-01_b51d8525fd1f4415298eb5e55122d304_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-01_b51d8525fd1f4415298eb5e55122d304_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\ZwowCOJ.exe
C:\Windows\System\ZwowCOJ.exe
C:\Windows\System\dGImgEU.exe
C:\Windows\System\dGImgEU.exe
C:\Windows\System\gjFXUEU.exe
C:\Windows\System\gjFXUEU.exe
C:\Windows\System\kxSThol.exe
C:\Windows\System\kxSThol.exe
C:\Windows\System\gccNgig.exe
C:\Windows\System\gccNgig.exe
C:\Windows\System\JdbTEyb.exe
C:\Windows\System\JdbTEyb.exe
C:\Windows\System\kusLUkT.exe
C:\Windows\System\kusLUkT.exe
C:\Windows\System\YoDcIox.exe
C:\Windows\System\YoDcIox.exe
C:\Windows\System\BXctlcn.exe
C:\Windows\System\BXctlcn.exe
C:\Windows\System\YAAOrId.exe
C:\Windows\System\YAAOrId.exe
C:\Windows\System\mSNvxxB.exe
C:\Windows\System\mSNvxxB.exe
C:\Windows\System\CzBalUr.exe
C:\Windows\System\CzBalUr.exe
C:\Windows\System\TiCoaeB.exe
C:\Windows\System\TiCoaeB.exe
C:\Windows\System\zPvVfZf.exe
C:\Windows\System\zPvVfZf.exe
C:\Windows\System\XOBnzQX.exe
C:\Windows\System\XOBnzQX.exe
C:\Windows\System\DSTsCzP.exe
C:\Windows\System\DSTsCzP.exe
C:\Windows\System\AbnrnJY.exe
C:\Windows\System\AbnrnJY.exe
C:\Windows\System\kNvWfkU.exe
C:\Windows\System\kNvWfkU.exe
C:\Windows\System\eUicdyA.exe
C:\Windows\System\eUicdyA.exe
C:\Windows\System\fXEerdZ.exe
C:\Windows\System\fXEerdZ.exe
C:\Windows\System\IWymZtL.exe
C:\Windows\System\IWymZtL.exe
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/1368-0-0x000000013FB70000-0x000000013FEC4000-memory.dmp
memory/1368-1-0x0000000000180000-0x0000000000190000-memory.dmp
\Windows\system\ZwowCOJ.exe
| MD5 | ccc876b143d245543868ea93bbc3f86e |
| SHA1 | f0a72d1b32ba3e4552d64da7a01b48ff6bbe1037 |
| SHA256 | 08313fc18396b9dbe44d3fb1b9a23f12577499f752fc11bc0de4b2d1a9151ba1 |
| SHA512 | 960a2187b6c4502d72a823cf42b0030b398c37dfdce270e0db459ea48831956c3adaed2f92b02832f0cef56bfc9e038f58b5413b49360a3d856890c9750d48dc |
C:\Windows\system\kxSThol.exe
| MD5 | ca63cb8b6069af22d9b987371730e7b1 |
| SHA1 | fe895306f0d6f249d2938f07d8b6c332d62df058 |
| SHA256 | 7f381aec8c1c10a57d05fa5eeb96cdd633fd1b1ee170d431bf4013c1203334e9 |
| SHA512 | af70680f8875459f8bf4444f3aa515d32b8971a1994a22546536d647d635083996392d3b0893afd71cb9fd21e341ed73a5f96b70a5e1cefa4e92f684994674a8 |
memory/2688-12-0x000000013FFA0000-0x00000001402F4000-memory.dmp
C:\Windows\system\gjFXUEU.exe
| MD5 | 8b770ff0a16f74e875ad2f5ade19c2de |
| SHA1 | 287f40bb4b1b81ae00741812ec166398ffc69fcb |
| SHA256 | 3645b2a8f7f5c71122f9bd3693d85b759875f7409f8a1852ee5e2aec97fb213f |
| SHA512 | ae56bec9cfc4192c510310fc1a2d2b62c155960c0d912e9bd84b57864f77769e0ce38fcf81b6ce45a1b9a1390dbc8dbacfccea0dc591cc9f96401c9a4cb9c15a |
C:\Windows\system\dGImgEU.exe
| MD5 | fe53e5b9d78347ed6e387af5934d765e |
| SHA1 | a11319e843fe58f574552a02799ac8a95f6a8b0e |
| SHA256 | ea22e322b53a389050e27cb426d5ebe4d20c019ce8855b1e6bd5d929b89d1cd3 |
| SHA512 | 9ee71d5a05d8e152ff27467ec011798bf29d2f3b62c3a40bcc84c923134af2c3225b0d8ad5696afadee3c2f2af39b20d3d1e421ef8c12515b7ce4c8197508c3f |
memory/1368-26-0x000000013FF60000-0x00000001402B4000-memory.dmp
\Windows\system\IWymZtL.exe
| MD5 | a553882845d7234722c513b25c104926 |
| SHA1 | a445cddeb7aa675a0e31ac386cf2950e771d6fe9 |
| SHA256 | 5320cb3658ba762f00056df5bf51f09b135aa1c3072e65e23ddb226cab4c828a |
| SHA512 | 484f95c031773a6d8018c5838265b36ae3d0b3448377289a095b949c10594e0f4830ca62d06a0d603ca0f02d7328926cbc6e8b5b2b93bb8a4567bbde9d47bfd0 |
memory/1368-114-0x00000000022A0000-0x00000000025F4000-memory.dmp
memory/492-108-0x000000013FAF0000-0x000000013FE44000-memory.dmp
\Windows\system\fXEerdZ.exe
| MD5 | f183b47432143411ee21f996286245b4 |
| SHA1 | 9f87a267b73e7b1fbb9266fc3d8a0fca8b26f40f |
| SHA256 | 98f05aa5f6a6d23c387972d31442925c049a0c64838a8dca0a65e3c5b4616611 |
| SHA512 | 7152eb94bab437b37b2eac4abab97feacd89de904c764a7e5582d3271e91f924f3c59056cf6a2fc48edd38692a28c0e7ee99bb01af59557b1e18db68251c6487 |
\Windows\system\kNvWfkU.exe
| MD5 | e3d54cfc4fda6da1a9a3c48e181deb2f |
| SHA1 | 4e37bf0074c560f0125210fafaaca7f182a464a3 |
| SHA256 | 8ad20d086c70d60fac908d09b7f2554de6ed7257def8a6cdb8d5ef07fdb2b35d |
| SHA512 | 28305930ba0fbf80f1327b2649ac10d6d5952050adf6620bb742dbfb55d9132a39539008ad6fd77d7c181a461462519c3b34d1cfe77b7ea8ae731191b106dffe |
\Windows\system\DSTsCzP.exe
| MD5 | db34cca1294d213e1d98392ae81463e2 |
| SHA1 | 82b088c267c7367c20cc22cb719a96805b526086 |
| SHA256 | 23088cc52eefe7b85112d33fc772b0236318a0c38efbd2eded184b9a2377e2da |
| SHA512 | 0d382d49c821d8561b132eb06a1affd3320d16714d039259636ec06d42e15a96d4eda327cfd82041d436b88f212c86f7e419de1d3c615c04cc12290ff5262ede |
memory/1368-81-0x000000013F140000-0x000000013F494000-memory.dmp
memory/2556-78-0x000000013FA60000-0x000000013FDB4000-memory.dmp
\Windows\system\zPvVfZf.exe
| MD5 | bc57f871feffc46705c3d9d4f49f64c0 |
| SHA1 | cdcbc67a39560864e83affecf3a683523bc0a541 |
| SHA256 | 86270c9e39b048f589ac4b3ae30827058fd1b4f05b3001e9372a1825019085b3 |
| SHA512 | 11ea11eb50307ecad89b73a070f7139c837820883c9184e3b6e6173b15db255e049859f5a296e398ffeb7e2e02d5f41d4cf0a89c7bdb7553a01a3e2f11775349 |
memory/1368-73-0x00000000022A0000-0x00000000025F4000-memory.dmp
memory/1368-72-0x000000013F080000-0x000000013F3D4000-memory.dmp
memory/1368-71-0x00000000022A0000-0x00000000025F4000-memory.dmp
\Windows\system\CzBalUr.exe
| MD5 | ff0e54c19bf0cf511f445cd37194909a |
| SHA1 | b30f877781798fa40893e9e566c3f040963d5f85 |
| SHA256 | 278268ea9b16138991b52564745f8c47d22ff6986a7f0ccaa00e7c3dc95c7755 |
| SHA512 | a69fcbd3a7b6e93643ac4f3bd071091e2f6cce1795736c9d032b5bc793e4b2f6064882effe92a39840bb07071987b5cda51e2b0997bf2a53703de81a41b4b949 |
memory/1368-54-0x000000013F1D0000-0x000000013F524000-memory.dmp
\Windows\system\YAAOrId.exe
| MD5 | 439f63265e74774e1756963db3934b13 |
| SHA1 | a8d82b8eb4bdb9400becbb0bb07a49d0e85af73f |
| SHA256 | 2b544f95b144846bc8d4456f7b7352c7563cb1ae080f68d3acaf98fa08e73804 |
| SHA512 | f682ede8780552524852d88afa53190383c09b534762cf378945b87ae12827ff8583e2eeb43d90280774f72b5a20364f86f6501148f97d6f2a82905d246c7801 |
C:\Windows\system\kusLUkT.exe
| MD5 | 9786112eeeda7523cff108818a57dbac |
| SHA1 | 215a99a0877af5cf8494a21adb78c121b442a48e |
| SHA256 | 22bc4f54c38ee6c091dfbeb219e48b92df0e8d5602910579d139fbdce13314ee |
| SHA512 | d99cbb09a049d6bb03e6f25b37cc7bb654b865c3a89e8ab049fd5a89dbb837dd52f7980ea4a55c0fadecf2ff023045ccf94bc5808d104a30d3336f95f448601f |
memory/2792-47-0x000000013FF90000-0x00000001402E4000-memory.dmp
memory/1984-122-0x000000013FBB0000-0x000000013FF04000-memory.dmp
\Windows\system\YoDcIox.exe
| MD5 | 9644b8f1d6a4a8b55f37281a460f816a |
| SHA1 | 8263e94d26bb988e2cf72d3db65cf198841e9d05 |
| SHA256 | 568d0e7e878e63293bd0d1d3b3052e9a24f5f7cc8b5561cdc3b7ab799f01b221 |
| SHA512 | 03342975b022370532d224151ea3e4b79b5e82e6e4c1f427399a0f3c3de8aa2ad30efc8a84ed0290a710f3012e966049a8bab3afd30015fe1991a28aedb149ea |
C:\Windows\system\eUicdyA.exe
| MD5 | 526c16353f67c1269b595cd2f0d12c68 |
| SHA1 | 15894bd11dc52f0802d731bd9b8fc8a2993f0c90 |
| SHA256 | 5a26b3617a2ab4bcab4c6d82ac9e480e10f70f7ee04e3b1806aaa5a86b2cbe7a |
| SHA512 | 24ad741bfc8f48bb896bf5ef31f710e8d0bf46652859439010f7c6527c24a92c32cc4e592287468bdd4ecf32f0cfa6a86575fcf5e25f2e15a783d99fde741e71 |
memory/1368-111-0x000000013F590000-0x000000013F8E4000-memory.dmp
C:\Windows\system\JdbTEyb.exe
| MD5 | eca358cbb9278afd586fed3973f579d8 |
| SHA1 | a94cbe8145e4647a18e24ab5a76789c7194a99ee |
| SHA256 | df6ec9ea3b20c0a52a0111f748280baf7601bcccb9c51397f1ae950b7c3e4da9 |
| SHA512 | d64f8c3319de50414e589b2164dfd1e606868403e1e094de57237eb343836b0aa499a0df30713168b28df58d66c92ce1ec889a0d406f5c58d396cc92464c54b4 |
memory/1368-104-0x000000013F130000-0x000000013F484000-memory.dmp
C:\Windows\system\AbnrnJY.exe
| MD5 | 42ccd3ea7810f1885e35e8c647bb7b04 |
| SHA1 | faf6de6b9cdeeb64616bb563ecd10cfba4d5abfb |
| SHA256 | d4cfa321b870a36fc6f44c68d6f9cf61003913817717e13cb98383e3305a52b6 |
| SHA512 | 526b4dab0638327c9b04da1a3c39eecae5f9d81395ab5904c8faab5ab23ab190f856bbf8bea94d49acdc08c4f8319f4dd5b0d0ca6adcd97407f57d8e32690dd8 |
memory/1540-96-0x000000013F3F0000-0x000000013F744000-memory.dmp
memory/1368-89-0x000000013FB70000-0x000000013FEC4000-memory.dmp
memory/1368-88-0x00000000022A0000-0x00000000025F4000-memory.dmp
memory/1368-87-0x00000000022A0000-0x00000000025F4000-memory.dmp
C:\Windows\system\XOBnzQX.exe
| MD5 | 35570921ff207434a935df26e155e15b |
| SHA1 | 1da21865d82773690a77e2f3ccf3a9bfda8d645c |
| SHA256 | 9f30058ca63b6f7aad6901a57934fd3c5aa37bdf509a62d215df291236e4493e |
| SHA512 | d07a6485e2698cdce9348908c85d6f2ebeeec0fb6ea034d90504cb6cb8389301bf6ee3aea8f43f9e5d5c2fb0b46b2a08c6fa1ffd738445557a8b5435cfea0f97 |
C:\Windows\system\TiCoaeB.exe
| MD5 | e43f01c92cfc99bcd35f7bad2c6b5024 |
| SHA1 | a07e170aec0abf38505fc02a8c890e26d0c9b228 |
| SHA256 | fce3c6c56cffc23a038a1f3810ad6851968ca247a41fda289af2ee6411256f9c |
| SHA512 | d4b1b58bd6641c453211332c8a73a24468b0092511fce0083c9bdd6fc9ce36d19fb69ca338547aa88dd1135529e5c4bc028d1bc8cf9eaaf06a74127972af71b0 |
memory/2528-67-0x000000013F1D0000-0x000000013F524000-memory.dmp
memory/2552-64-0x000000013FB80000-0x000000013FED4000-memory.dmp
C:\Windows\system\mSNvxxB.exe
| MD5 | 611bdc84a2f6a2d857e68248fb7982ce |
| SHA1 | 00b56828d64d4e054051680d33c7f016663c3092 |
| SHA256 | 38dfadc4db74af0d1392ec5a6389bc4fde1d0c9afebff71b3698fd5276fa2141 |
| SHA512 | 5edb3cd7261525b094855eb489556f02dc79a9e1d2dc926dd64d1b14084d86e371f43b6f0ef43860478689c4512a52e5c785e02f467d42e1877b74ec109e7797 |
C:\Windows\system\BXctlcn.exe
| MD5 | 10fcced609645cf29d3cd14a4b48f2de |
| SHA1 | aba1c1482a54b7fbcbbe587036f189d43ab095f0 |
| SHA256 | ffd72180afe924784a8a5a8f63d3646becd5875a069695fdcb0de8937bf543d5 |
| SHA512 | 756018732ff78852c14a6cdb8e08f40702ba12b93ee9327bdc34fe39f501025f450240b07d190352b6d4d0be97acad9a55546672135a07944a42d8a41db1e139 |
memory/1368-59-0x000000013F4F0000-0x000000013F844000-memory.dmp
memory/2632-36-0x000000013F600000-0x000000013F954000-memory.dmp
memory/1368-34-0x000000013F600000-0x000000013F954000-memory.dmp
memory/2372-29-0x000000013FF60000-0x00000001402B4000-memory.dmp
memory/2716-28-0x000000013F450000-0x000000013F7A4000-memory.dmp
memory/1368-27-0x000000013F450000-0x000000013F7A4000-memory.dmp
C:\Windows\system\gccNgig.exe
| MD5 | 42eea2d4b7b1aada161581ae830ab768 |
| SHA1 | ba3a7f56d776afd83a55fcc0ac857ed163cde288 |
| SHA256 | 6025ab2abec4b9cab8bc2e0d9d7dde3daade0327a00739c9eca4a8da109242fd |
| SHA512 | 7d840277917867fd25c2c6e0d0512f898ae1eb3d57247377003bf37a0c6a7d887fdc91287db727fe682ff86993272bda8989adf9363f8b418e2ebb5413c26962 |
memory/1368-23-0x00000000022A0000-0x00000000025F4000-memory.dmp
memory/1984-16-0x000000013FBB0000-0x000000013FF04000-memory.dmp
memory/2632-135-0x000000013F600000-0x000000013F954000-memory.dmp
memory/2792-136-0x000000013FF90000-0x00000001402E4000-memory.dmp
memory/1368-137-0x00000000022A0000-0x00000000025F4000-memory.dmp
memory/1540-138-0x000000013F3F0000-0x000000013F744000-memory.dmp
memory/492-139-0x000000013FAF0000-0x000000013FE44000-memory.dmp
memory/2688-140-0x000000013FFA0000-0x00000001402F4000-memory.dmp
memory/2372-143-0x000000013FF60000-0x00000001402B4000-memory.dmp
memory/2716-142-0x000000013F450000-0x000000013F7A4000-memory.dmp
memory/1984-141-0x000000013FBB0000-0x000000013FF04000-memory.dmp
memory/2632-144-0x000000013F600000-0x000000013F954000-memory.dmp
memory/2528-145-0x000000013F1D0000-0x000000013F524000-memory.dmp
memory/2552-146-0x000000013FB80000-0x000000013FED4000-memory.dmp
memory/2556-147-0x000000013FA60000-0x000000013FDB4000-memory.dmp
memory/2792-148-0x000000013FF90000-0x00000001402E4000-memory.dmp
memory/492-149-0x000000013FAF0000-0x000000013FE44000-memory.dmp
memory/1540-150-0x000000013F3F0000-0x000000013F744000-memory.dmp
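The Files sections list one hash table per dropped executable, and the same names reappear with the same digests in the Win10 run further down. The script below consolidates those tables into one IOC set and checks whether the dropped payloads are byte-identical across the two detonations (the same SHA256 for the same name in both runs means they are carried inside the dropper rather than fetched or generated per run). It is an added example, not part of the sandbox report. The entries are copied from this page's two Files sections in the report's own layout (a path line, then `| ALG | hex |` rows, with memory-dump lines interleaved) and are only a subset; the kusLUkT.exe entry from the Win10 run is truncated on the page, so the parser reports it rather than guessing the missing digests.

```python
r"""Parse the report's per-file hash tables, flag incomplete entries and compare
SHA256 values for the same file name across two runs.
Added example; the embedded entries are a subset copied from this page."""
import re
from typing import Dict, List, Tuple

DIGEST_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
HASH_ROW = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9A-Fa-f]+)\s*\|$")

WIN7_FILES = r"""
memory/1368-0-0x000000013FB70000-0x000000013FEC4000-memory.dmp
\Windows\system\ZwowCOJ.exe
| MD5 | ccc876b143d245543868ea93bbc3f86e |
| SHA1 | f0a72d1b32ba3e4552d64da7a01b48ff6bbe1037 |
| SHA256 | 08313fc18396b9dbe44d3fb1b9a23f12577499f752fc11bc0de4b2d1a9151ba1 |
| SHA512 | 960a2187b6c4502d72a823cf42b0030b398c37dfdce270e0db459ea48831956c3adaed2f92b02832f0cef56bfc9e038f58b5413b49360a3d856890c9750d48dc |
C:\Windows\system\kxSThol.exe
| MD5 | ca63cb8b6069af22d9b987371730e7b1 |
| SHA1 | fe895306f0d6f249d2938f07d8b6c332d62df058 |
| SHA256 | 7f381aec8c1c10a57d05fa5eeb96cdd633fd1b1ee170d431bf4013c1203334e9 |
| SHA512 | af70680f8875459f8bf4444f3aa515d32b8971a1994a22546536d647d635083996392d3b0893afd71cb9fd21e341ed73a5f96b70a5e1cefa4e92f684994674a8 |
memory/2688-12-0x000000013FFA0000-0x00000001402F4000-memory.dmp
"""

WIN10_FILES = r"""
C:\Windows\System\ZwowCOJ.exe
| MD5 | ccc876b143d245543868ea93bbc3f86e |
| SHA1 | f0a72d1b32ba3e4552d64da7a01b48ff6bbe1037 |
| SHA256 | 08313fc18396b9dbe44d3fb1b9a23f12577499f752fc11bc0de4b2d1a9151ba1 |
| SHA512 | 960a2187b6c4502d72a823cf42b0030b398c37dfdce270e0db459ea48831956c3adaed2f92b02832f0cef56bfc9e038f58b5413b49360a3d856890c9750d48dc |
memory/4080-8-0x00007FF7DE820000-0x00007FF7DEB74000-memory.dmp
C:\Windows\System\kxSThol.exe
| MD5 | ca63cb8b6069af22d9b987371730e7b1 |
| SHA1 | fe895306f0d6f249d2938f07d8b6c332d62df058 |
| SHA256 | 7f381aec8c1c10a57d05fa5eeb96cdd633fd1b1ee170d431bf4013c1203334e9 |
| SHA512 | af70680f8875459f8bf4444f3aa515d32b8971a1994a22546536d647d635083996392d3b0893afd71cb9fd21e341ed73a5f96b70a5e1cefa4e92f684994674a8 |
C:\Windows\System\kusLUkT.exe
| MD5 | 9786112eeeda7523cff108818a57dbac |
| SHA1 | 215a99a0877af5cf8494a21adb78c121b442a48e |
"""


def parse_files(text: str) -> Dict[str, Dict[str, str]]:
    """Map lower-cased basename -> {algorithm: hex digest}; dump records are skipped."""
    entries: Dict[str, Dict[str, str]] = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("memory/"):
            continue
        m = HASH_ROW.match(line)
        if m:
            if current is not None:
                entries[current][m.group(1)] = m.group(2).lower()
        elif not line.startswith("|"):
            current = line.rpartition("\\")[2].lower()   # path line starts a new entry
            entries.setdefault(current, {})
    return entries


def incomplete(entries: Dict[str, Dict[str, str]]) -> List[str]:
    """Names missing an algorithm or carrying a digest of the wrong length."""
    return sorted(name for name, h in entries.items()
                  if any(len(h.get(alg, "")) != n for alg, n in DIGEST_LEN.items()))


def compare_runs(a: Dict[str, Dict[str, str]],
                 b: Dict[str, Dict[str, str]]) -> Tuple[List[str], List[str]]:
    """(identical, different) for names that carry a SHA256 in both runs."""
    identical, different = [], []
    for name in sorted(set(a) & set(b)):
        ha, hb = a[name].get("SHA256"), b[name].get("SHA256")
        if ha and hb:
            (identical if ha == hb else different).append(name)
    return identical, different


def ioc_set(*runs: Dict[str, Dict[str, str]]) -> List[str]:
    """Unique SHA256 values across runs, ready for a hash block-list."""
    return sorted({h["SHA256"] for run in runs for h in run.values() if "SHA256" in h})


if __name__ == "__main__":
    win7, win10 = parse_files(WIN7_FILES), parse_files(WIN10_FILES)
    print("identical across runs:", compare_runs(win7, win10)[0])
    print("incomplete on page:", incomplete(win10))
    print("SHA256 IOCs:", ioc_set(win7, win10))
```

Matching on basename only is intentional: the Win7 section writes some paths without a drive letter and with `system` in lower case while the Win10 section uses `C:\Windows\System`, and the digests, not the path spelling, are what identify the file.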
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-01 07:47
Reported
2024-06-01 07:49
Platform
win10v2004-20240508-en
Max time kernel
148s
Max time network
150s
Command Line
Signatures
Cobalt Strike reflective loader
21 matches; no description, indicator, process or target reported for any of them.
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
21 matches; no description, indicator, process or target reported for any of them.
UPX dump on OEP (original entry point)
64 matches; no description, indicator, process or target reported for any of them.
XMRig Miner payload
64 matches; no description, indicator, process or target reported for any of them.
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\ZwowCOJ.exe | N/A |
| N/A | N/A | C:\Windows\System\dGImgEU.exe | N/A |
| N/A | N/A | C:\Windows\System\gjFXUEU.exe | N/A |
| N/A | N/A | C:\Windows\System\kxSThol.exe | N/A |
| N/A | N/A | C:\Windows\System\gccNgig.exe | N/A |
| N/A | N/A | C:\Windows\System\kusLUkT.exe | N/A |
| N/A | N/A | C:\Windows\System\JdbTEyb.exe | N/A |
| N/A | N/A | C:\Windows\System\YoDcIox.exe | N/A |
| N/A | N/A | C:\Windows\System\BXctlcn.exe | N/A |
| N/A | N/A | C:\Windows\System\YAAOrId.exe | N/A |
| N/A | N/A | C:\Windows\System\mSNvxxB.exe | N/A |
| N/A | N/A | C:\Windows\System\CzBalUr.exe | N/A |
| N/A | N/A | C:\Windows\System\TiCoaeB.exe | N/A |
| N/A | N/A | C:\Windows\System\zPvVfZf.exe | N/A |
| N/A | N/A | C:\Windows\System\XOBnzQX.exe | N/A |
| N/A | N/A | C:\Windows\System\DSTsCzP.exe | N/A |
| N/A | N/A | C:\Windows\System\AbnrnJY.exe | N/A |
| N/A | N/A | C:\Windows\System\kNvWfkU.exe | N/A |
| N/A | N/A | C:\Windows\System\eUicdyA.exe | N/A |
| N/A | N/A | C:\Windows\System\fXEerdZ.exe | N/A |
| N/A | N/A | C:\Windows\System\IWymZtL.exe | N/A |
UPX packed file
64 matches; no description, indicator, process or target reported for any of them.
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-01_b51d8525fd1f4415298eb5e55122d304_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-01_b51d8525fd1f4415298eb5e55122d304_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-01_b51d8525fd1f4415298eb5e55122d304_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-01_b51d8525fd1f4415298eb5e55122d304_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\ZwowCOJ.exe
C:\Windows\System\ZwowCOJ.exe
C:\Windows\System\dGImgEU.exe
C:\Windows\System\dGImgEU.exe
C:\Windows\System\gjFXUEU.exe
C:\Windows\System\gjFXUEU.exe
C:\Windows\System\kxSThol.exe
C:\Windows\System\kxSThol.exe
C:\Windows\System\gccNgig.exe
C:\Windows\System\gccNgig.exe
C:\Windows\System\JdbTEyb.exe
C:\Windows\System\JdbTEyb.exe
C:\Windows\System\kusLUkT.exe
C:\Windows\System\kusLUkT.exe
C:\Windows\System\YoDcIox.exe
C:\Windows\System\YoDcIox.exe
C:\Windows\System\BXctlcn.exe
C:\Windows\System\BXctlcn.exe
C:\Windows\System\YAAOrId.exe
C:\Windows\System\YAAOrId.exe
C:\Windows\System\mSNvxxB.exe
C:\Windows\System\mSNvxxB.exe
C:\Windows\System\CzBalUr.exe
C:\Windows\System\CzBalUr.exe
C:\Windows\System\TiCoaeB.exe
C:\Windows\System\TiCoaeB.exe
C:\Windows\System\zPvVfZf.exe
C:\Windows\System\zPvVfZf.exe
C:\Windows\System\XOBnzQX.exe
C:\Windows\System\XOBnzQX.exe
C:\Windows\System\DSTsCzP.exe
C:\Windows\System\DSTsCzP.exe
C:\Windows\System\AbnrnJY.exe
C:\Windows\System\AbnrnJY.exe
C:\Windows\System\kNvWfkU.exe
C:\Windows\System\kNvWfkU.exe
C:\Windows\System\eUicdyA.exe
C:\Windows\System\eUicdyA.exe
C:\Windows\System\fXEerdZ.exe
C:\Windows\System\fXEerdZ.exe
C:\Windows\System\IWymZtL.exe
C:\Windows\System\IWymZtL.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.32.126.40.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| NL | 23.62.61.194:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 138.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 140.71.91.104.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 25.173.189.20.in-addr.arpa | udp |
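The two Network tables differ in an instructive way: the Win7 run produced only six TCP connections to 3.120.209.58:8080, while the Win10 run produced that same destination plus PTR lookups through 8.8.8.8 and bing.com traffic that never appeared on Win7. The script below applies the rule that a destination present in every run is sample-driven, and one seen in a single run that matches a list of known OS telemetry names is guest background. It is an added example, not part of the sandbox report. The rows are a subset copied from the two tables in the report's own layout, including rows where the export shifted `tcp` into the Domain column, which the parser re-aligns; the background-name list is an assumption of the example.

```python
"""Classify sandbox network rows as sample-driven, background or unexplained by
intersecting destinations across detonations. Added example; the embedded rows
are a subset copied from this page and the background list is an assumption."""
import re
from typing import Dict, List, Tuple

ROW = re.compile(r"^\|\s*([A-Z]{2})\s*\|\s*([^|]*?)\s*\|\s*([^|]*?)\s*\|\s*([^|]*?)\s*\|?$")
BACKGROUND = re.compile(r"(\.in-addr\.arpa|(^|\.)bing\.(com|net))$")   # assumed OS noise

WIN7_ROWS = """
| DE | 3.120.209.58:8080 | tcp | |
| DE | 3.120.209.58:8080 | tcp | |
| DE | 3.120.209.58:8080 | tcp |
"""
WIN10_ROWS = """
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | tcp | |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| NL | 23.62.61.194:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| DE | 3.120.209.58:8080 | tcp | |
"""

Row = Tuple[str, str, str, str]   # country, dest:port, domain, proto


def parse_rows(text: str) -> List[Row]:
    """Parse table rows, re-aligning rows the export wrote as '| tcp | |'."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue
        country, dest, domain, proto = m.groups()
        if proto == "" and domain in ("tcp", "udp"):
            domain, proto = "", domain        # no domain: protocol slid one column left
        rows.append((country, dest, domain, proto))
    return rows


def extract_iocs(runs: Dict[str, str]) -> Dict[str, List[str]]:
    """Destinations common to all runs are sample-driven; the rest are background
    if the domain matches BACKGROUND, otherwise unexplained and worth a look."""
    parsed = {name: parse_rows(text) for name, text in runs.items()}
    if not parsed:
        return {"sample_driven": [], "background": [], "unexplained": []}
    common = set.intersection(*[{(d, p) for _, d, _, p in rows} for rows in parsed.values()])
    background, unexplained = set(), set()
    for rows in parsed.values():
        for _, dest, domain, proto in rows:
            if (dest, proto) in common:
                continue
            label = domain or f"{proto}/{dest}"
            (background if domain and BACKGROUND.search(domain) else unexplained).add(label)
    return {
        "sample_driven": sorted(f"{p}/{d}" for d, p in common),
        "background": sorted(background),
        "unexplained": sorted(unexplained),
    }


if __name__ == "__main__":
    for key, values in extract_iocs({"win7": WIN7_ROWS, "win10": WIN10_ROWS}).items():
        print(key, values)
```

Anything that lands in `unexplained` is exactly the row an analyst should read by hand: it was seen in only one run and is not on the noise list, so it is either sample behaviour that did not trigger on the other platform or a gap in the allow-list.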
Files