Analysis Overview
SHA256
4a003d449db0389d0a4dd219177469b4768e0feb64e50c51326995f9f353ef05
Threat Level: Known bad
The file 4a003d449db0389d0a4dd219177469b4768e0feb64e50c51326995f9f353ef05 was found to be: Known bad.
Malicious Activity Summary
XMRig Miner payload
xmrig
Cobaltstrike
Cobalt Strike reflective loader
Xmrig family
Cobaltstrike family
Loads dropped DLL
UPX packed file
Executes dropped EXE
Drops file in Windows directory
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-06-01 08:07
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Cobaltstrike family
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Xmrig family
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-01 08:07
Reported
2024-06-01 08:09
Platform
win7-20240508-en
Max time kernel
146s
Max time network
149s
Command Line
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Cobaltstrike
xmrig
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\lLSOyEl.exe | N/A |
| N/A | N/A | C:\Windows\System\FmTyWDb.exe | N/A |
| N/A | N/A | C:\Windows\System\GbIqvul.exe | N/A |
| N/A | N/A | C:\Windows\System\jTRZRXU.exe | N/A |
| N/A | N/A | C:\Windows\System\OOnElAd.exe | N/A |
| N/A | N/A | C:\Windows\System\VreqvRi.exe | N/A |
| N/A | N/A | C:\Windows\System\CKvXAui.exe | N/A |
| N/A | N/A | C:\Windows\System\FveXqjH.exe | N/A |
| N/A | N/A | C:\Windows\System\QpuowHJ.exe | N/A |
| N/A | N/A | C:\Windows\System\FbZkUwj.exe | N/A |
| N/A | N/A | C:\Windows\System\JIYbtxZ.exe | N/A |
| N/A | N/A | C:\Windows\System\fNtBxgF.exe | N/A |
| N/A | N/A | C:\Windows\System\YpFpVIu.exe | N/A |
| N/A | N/A | C:\Windows\System\CMrkNEV.exe | N/A |
| N/A | N/A | C:\Windows\System\xSrlZKS.exe | N/A |
| N/A | N/A | C:\Windows\System\XUXNoJV.exe | N/A |
| N/A | N/A | C:\Windows\System\kBeYkkb.exe | N/A |
| N/A | N/A | C:\Windows\System\zzxsCTA.exe | N/A |
| N/A | N/A | C:\Windows\System\NGowYdf.exe | N/A |
| N/A | N/A | C:\Windows\System\tGGogDg.exe | N/A |
| N/A | N/A | C:\Windows\System\jbrHbtG.exe | N/A |
Loads dropped DLL
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\4a003d449db0389d0a4dd219177469b4768e0feb64e50c51326995f9f353ef05.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\4a003d449db0389d0a4dd219177469b4768e0feb64e50c51326995f9f353ef05.exe
"C:\Users\Admin\AppData\Local\Temp\4a003d449db0389d0a4dd219177469b4768e0feb64e50c51326995f9f353ef05.exe"
C:\Windows\System\lLSOyEl.exe
C:\Windows\System\lLSOyEl.exe
C:\Windows\System\FmTyWDb.exe
C:\Windows\System\FmTyWDb.exe
C:\Windows\System\GbIqvul.exe
C:\Windows\System\GbIqvul.exe
C:\Windows\System\jTRZRXU.exe
C:\Windows\System\jTRZRXU.exe
C:\Windows\System\OOnElAd.exe
C:\Windows\System\OOnElAd.exe
C:\Windows\System\VreqvRi.exe
C:\Windows\System\VreqvRi.exe
C:\Windows\System\CKvXAui.exe
C:\Windows\System\CKvXAui.exe
C:\Windows\System\FveXqjH.exe
C:\Windows\System\FveXqjH.exe
C:\Windows\System\QpuowHJ.exe
C:\Windows\System\QpuowHJ.exe
C:\Windows\System\FbZkUwj.exe
C:\Windows\System\FbZkUwj.exe
C:\Windows\System\JIYbtxZ.exe
C:\Windows\System\JIYbtxZ.exe
C:\Windows\System\fNtBxgF.exe
C:\Windows\System\fNtBxgF.exe
C:\Windows\System\YpFpVIu.exe
C:\Windows\System\YpFpVIu.exe
C:\Windows\System\CMrkNEV.exe
C:\Windows\System\CMrkNEV.exe
C:\Windows\System\xSrlZKS.exe
C:\Windows\System\xSrlZKS.exe
C:\Windows\System\XUXNoJV.exe
C:\Windows\System\XUXNoJV.exe
C:\Windows\System\kBeYkkb.exe
C:\Windows\System\kBeYkkb.exe
C:\Windows\System\zzxsCTA.exe
C:\Windows\System\zzxsCTA.exe
C:\Windows\System\NGowYdf.exe
C:\Windows\System\NGowYdf.exe
C:\Windows\System\tGGogDg.exe
C:\Windows\System\tGGogDg.exe
C:\Windows\System\jbrHbtG.exe
C:\Windows\System\jbrHbtG.exe
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | N/A | tcp |
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-01 08:07
Reported
2024-06-01 08:09
Platform
win10v2004-20240508-en
Max time kernel
148s
Max time network
150s
Command Line
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Cobaltstrike
xmrig
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\onmtIXe.exe | N/A |
| N/A | N/A | C:\Windows\System\RVMyYeQ.exe | N/A |
| N/A | N/A | C:\Windows\System\pTrVMEo.exe | N/A |
| N/A | N/A | C:\Windows\System\KbvkmzN.exe | N/A |
| N/A | N/A | C:\Windows\System\fpkzGig.exe | N/A |
| N/A | N/A | C:\Windows\System\fAJeJru.exe | N/A |
| N/A | N/A | C:\Windows\System\MvsHskj.exe | N/A |
| N/A | N/A | C:\Windows\System\YCPbotk.exe | N/A |
| N/A | N/A | C:\Windows\System\SRmDchL.exe | N/A |
| N/A | N/A | C:\Windows\System\QBqBdAM.exe | N/A |
| N/A | N/A | C:\Windows\System\fUMAokU.exe | N/A |
| N/A | N/A | C:\Windows\System\ffprlOo.exe | N/A |
| N/A | N/A | C:\Windows\System\XxWBxNg.exe | N/A |
| N/A | N/A | C:\Windows\System\eRxPTjs.exe | N/A |
| N/A | N/A | C:\Windows\System\wybjcZC.exe | N/A |
| N/A | N/A | C:\Windows\System\gsERvsY.exe | N/A |
| N/A | N/A | C:\Windows\System\BKkPGFO.exe | N/A |
| N/A | N/A | C:\Windows\System\wEUAKsF.exe | N/A |
| N/A | N/A | C:\Windows\System\HfoIWvE.exe | N/A |
| N/A | N/A | C:\Windows\System\IzoSVAd.exe | N/A |
| N/A | N/A | C:\Windows\System\mVzebEf.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\4a003d449db0389d0a4dd219177469b4768e0feb64e50c51326995f9f353ef05.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\4a003d449db0389d0a4dd219177469b4768e0feb64e50c51326995f9f353ef05.exe
"C:\Users\Admin\AppData\Local\Temp\4a003d449db0389d0a4dd219177469b4768e0feb64e50c51326995f9f353ef05.exe"
C:\Windows\System\onmtIXe.exe
C:\Windows\System\onmtIXe.exe
C:\Windows\System\RVMyYeQ.exe
C:\Windows\System\RVMyYeQ.exe
C:\Windows\System\pTrVMEo.exe
C:\Windows\System\pTrVMEo.exe
C:\Windows\System\KbvkmzN.exe
C:\Windows\System\KbvkmzN.exe
C:\Windows\System\fpkzGig.exe
C:\Windows\System\fpkzGig.exe
C:\Windows\System\fAJeJru.exe
C:\Windows\System\fAJeJru.exe
C:\Windows\System\MvsHskj.exe
C:\Windows\System\MvsHskj.exe
C:\Windows\System\YCPbotk.exe
C:\Windows\System\YCPbotk.exe
C:\Windows\System\SRmDchL.exe
C:\Windows\System\SRmDchL.exe
C:\Windows\System\QBqBdAM.exe
C:\Windows\System\QBqBdAM.exe
C:\Windows\System\fUMAokU.exe
C:\Windows\System\fUMAokU.exe
C:\Windows\System\ffprlOo.exe
C:\Windows\System\ffprlOo.exe
C:\Windows\System\XxWBxNg.exe
C:\Windows\System\XxWBxNg.exe
C:\Windows\System\eRxPTjs.exe
C:\Windows\System\eRxPTjs.exe
C:\Windows\System\wybjcZC.exe
C:\Windows\System\wybjcZC.exe
C:\Windows\System\gsERvsY.exe
C:\Windows\System\gsERvsY.exe
C:\Windows\System\BKkPGFO.exe
C:\Windows\System\BKkPGFO.exe
C:\Windows\System\wEUAKsF.exe
C:\Windows\System\wEUAKsF.exe
C:\Windows\System\HfoIWvE.exe
C:\Windows\System\HfoIWvE.exe
C:\Windows\System\IzoSVAd.exe
C:\Windows\System\IzoSVAd.exe
C:\Windows\System\mVzebEf.exe
C:\Windows\System\mVzebEf.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 80.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| NL | 23.62.61.155:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 155.61.62.23.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | N/A | tcp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | N/A | tcp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | N/A | tcp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | N/A | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| DE | 3.120.209.58:8080 | N/A | tcp |
| DE | 3.120.209.58:8080 | N/A | tcp |
| US | 8.8.8.8:53 | 199.111.78.13.in-addr.arpa | udp |
Files
| SHA1 | bd9e8546c8c9b40e78e0cd2e9bba8f1416cf6b92 |
| SHA256 | 1efc13443eb12d5d113fed34796c2ed029de4db1fa1958489452138847475c5c |
| SHA512 | 7aa045c0484a8c1b7536093dee37af91ac18b5581a522cca58a8b556eafcbae74a8494b65fff9d34776245c078465279d71610ea44d5f99f6006d901aad45c65 |
memory/2932-115-0x00007FF7B6B80000-0x00007FF7B6ED4000-memory.dmp
C:\Windows\System\wEUAKsF.exe
| MD5 | 1786900d6364385baa1b9b8b7ec8bff9 |
| SHA1 | ae50b1209adadf3d60214a7f910a1c40d98256ec |
| SHA256 | e80f8aa3efbb820c3b2dc3f41f9d253dbcdc9f545051cd4a73b4eca0445d5a2f |
| SHA512 | aa98e3f2fa375f3ab2419b3ff30644a403ebe5e2296940659e9296aa5b10a7488a8787a63ceb58b17a55b834e84b890cb471b1d08a5bf5a3c3367d3f1a14cfbd |
memory/3956-116-0x00007FF66D470000-0x00007FF66D7C4000-memory.dmp
memory/1560-111-0x00007FF64BC60000-0x00007FF64BFB4000-memory.dmp
memory/1300-110-0x00007FF6C04A0000-0x00007FF6C07F4000-memory.dmp
C:\Windows\System\IzoSVAd.exe
| MD5 | 6d99d05097aeeb91601c9b8fd2d803de |
| SHA1 | 7cf57ca261a0c101ebf4691f4917b2aadf9f68f2 |
| SHA256 | accfc3ea48ded9cfe8c68f8816bb4aaf3a36dc056611cbeea57bb8e61459cbde |
| SHA512 | 490d165ef60376d22f9a72b759e4ec4ffbdb8a87d4e69742108e1031ba912c2ef7bb24e75e7325dad8dc179bab26472a89a54d42220f0b779bbf08fd598788f0 |
memory/1972-126-0x00007FF73AC70000-0x00007FF73AFC4000-memory.dmp
memory/3988-124-0x00007FF63CC10000-0x00007FF63CF64000-memory.dmp
C:\Windows\System\mVzebEf.exe
| MD5 | 6824c05938272f5094002105a2539585 |
| SHA1 | e2a908da8083842ce53b5cbb053edc25c46ef28a |
| SHA256 | 08a17823a2867ae8fc50468f082f970554488c2ad4c104e53ee20b56a4fefb89 |
| SHA512 | 46aa34781919d834d7baf624235983eb82bc5d9df0d5845694793fec854fcde38ea42ad918e19f1d1f705888c0387b7e3cc901b13dcc9ff42c0705b905ce7bf1 |
memory/2352-132-0x00007FF6836D0000-0x00007FF683A24000-memory.dmp
memory/3192-133-0x00007FF7B0F40000-0x00007FF7B1294000-memory.dmp
memory/4676-134-0x00007FF6EB3F0000-0x00007FF6EB744000-memory.dmp
memory/1088-135-0x00007FF671FF0000-0x00007FF672344000-memory.dmp
memory/2028-136-0x00007FF6150E0000-0x00007FF615434000-memory.dmp
memory/2932-137-0x00007FF7B6B80000-0x00007FF7B6ED4000-memory.dmp
memory/3956-138-0x00007FF66D470000-0x00007FF66D7C4000-memory.dmp
memory/1972-139-0x00007FF73AC70000-0x00007FF73AFC4000-memory.dmp
memory/924-140-0x00007FF7CDE80000-0x00007FF7CE1D4000-memory.dmp
memory/4692-141-0x00007FF651320000-0x00007FF651674000-memory.dmp
memory/1056-142-0x00007FF68F0D0000-0x00007FF68F424000-memory.dmp
memory/4192-143-0x00007FF6CC980000-0x00007FF6CCCD4000-memory.dmp
memory/2792-144-0x00007FF6D01E0000-0x00007FF6D0534000-memory.dmp
memory/3480-145-0x00007FF7CA730000-0x00007FF7CAA84000-memory.dmp
memory/1560-146-0x00007FF64BC60000-0x00007FF64BFB4000-memory.dmp
memory/3988-147-0x00007FF63CC10000-0x00007FF63CF64000-memory.dmp
memory/1012-148-0x00007FF7F9F20000-0x00007FF7FA274000-memory.dmp
memory/3520-149-0x00007FF75E120000-0x00007FF75E474000-memory.dmp
memory/4676-150-0x00007FF6EB3F0000-0x00007FF6EB744000-memory.dmp
memory/2312-151-0x00007FF7B1510000-0x00007FF7B1864000-memory.dmp
memory/3192-152-0x00007FF7B0F40000-0x00007FF7B1294000-memory.dmp
memory/1088-153-0x00007FF671FF0000-0x00007FF672344000-memory.dmp
memory/2028-154-0x00007FF6150E0000-0x00007FF615434000-memory.dmp
memory/4468-155-0x00007FF77FDC0000-0x00007FF780114000-memory.dmp
memory/1300-156-0x00007FF6C04A0000-0x00007FF6C07F4000-memory.dmp
memory/2932-157-0x00007FF7B6B80000-0x00007FF7B6ED4000-memory.dmp
memory/3956-158-0x00007FF66D470000-0x00007FF66D7C4000-memory.dmp
memory/1972-159-0x00007FF73AC70000-0x00007FF73AFC4000-memory.dmp
memory/2352-160-0x00007FF6836D0000-0x00007FF683A24000-memory.dmp