Malware Analysis Report

2024-11-16 15:04

Sample ID 240606-y449hscf73
Target 28b194bd19a28d81649f0fd27beb5eb00e759ee51852d59c1ee48f8593c5a71b
SHA256 28b194bd19a28d81649f0fd27beb5eb00e759ee51852d59c1ee48f8593c5a71b
Tags
blackmoon banker trojan upx
score
10/10

Analysis Overview

score
10/10

SHA256

28b194bd19a28d81649f0fd27beb5eb00e759ee51852d59c1ee48f8593c5a71b

Threat Level: Known bad

The file 28b194bd19a28d81649f0fd27beb5eb00e759ee51852d59c1ee48f8593c5a71b was found to be: Known bad.

Malicious Activity Summary

blackmoon banker trojan upx

Blackmoon, KrBanker

Detect Blackmoon payload

UPX dump on OEP (original entry point)

Executes dropped EXE

UPX packed file

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-06 20:21

Signatures

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-06 20:21

Reported

2024-06-06 20:35

Platform

win7-20240221-en

Max time kernel

143s

Max time network

127s

Command Line

"C:\Users\Admin\AppData\Local\Temp\28b194bd19a28d81649f0fd27beb5eb00e759ee51852d59c1ee48f8593c5a71b.exe"

Signatures

Blackmoon, KrBanker

trojan banker blackmoon

Detect Blackmoon payload

UPX dump on OEP (original entry point)

Executes dropped EXE

Description Indicator Process Target
N/A N/A \??\c:\vthdtp.exe N/A
N/A N/A \??\c:\lphtdt.exe N/A
N/A N/A \??\c:\nxhtn.exe N/A
N/A N/A \??\c:\jxffbbd.exe N/A
N/A N/A \??\c:\vlrplj.exe N/A
N/A N/A \??\c:\jjphjnh.exe N/A
N/A N/A \??\c:\xftjj.exe N/A

UPX packed file

upx

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1368 wrote to memory of 2944 (4 identical events) N/A C:\Users\Admin\AppData\Local\Temp\28b194bd19a28d81649f0fd27beb5eb00e759ee51852d59c1ee48f8593c5a71b.exe \??\c:\vthdtp.exe
PID 2944 wrote to memory of 2664 (4 identical events) N/A \??\c:\vthdtp.exe \??\c:\lphtdt.exe
PID 2664 wrote to memory of 556 (4 identical events) N/A \??\c:\lphtdt.exe \??\c:\nxhtn.exe
PID 556 wrote to memory of 1692 (4 identical events) N/A \??\c:\nxhtn.exe \??\c:\jxffbbd.exe
PID 1692 wrote to memory of 1204 (4 identical events) N/A \??\c:\jxffbbd.exe \??\c:\vlrplj.exe
PID 1204 wrote to memory of 2204 (4 identical events) N/A \??\c:\vlrplj.exe \??\c:\jjphjnh.exe
PID 2204 wrote to memory of 2728 (4 identical events) N/A \??\c:\jjphjnh.exe \??\c:\xftjj.exe

Processes

C:\Users\Admin\AppData\Local\Temp\28b194bd19a28d81649f0fd27beb5eb00e759ee51852d59c1ee48f8593c5a71b.exe

"C:\Users\Admin\AppData\Local\Temp\28b194bd19a28d81649f0fd27beb5eb00e759ee51852d59c1ee48f8593c5a71b.exe"

\??\c:\vthdtp.exe

c:\vthdtp.exe

\??\c:\lphtdt.exe

c:\lphtdt.exe

\??\c:\nxhtn.exe

c:\nxhtn.exe

\??\c:\jxffbbd.exe

c:\jxffbbd.exe

\??\c:\vlrplj.exe

c:\vlrplj.exe

\??\c:\jjphjnh.exe

c:\jjphjnh.exe

\??\c:\xftjj.exe

c:\xftjj.exe

Network

N/A

Files

C:\vthdtp.exe

MD5 d232062a9d41c8d3f581fc61fa2176d5
SHA1 daccca2190bc296d2f65908abadeeae0f7df6b16
SHA256 d12734822d02581e9db1472f83a370e0a2317514c3d951549784518c5ce187e0
SHA512 ef5404222463ded65e35798c3987d5d3c37d950ce2727d9d721e1d0459ae1baf9db10a4b0b9099c85fc3231a89a643c3dc37b53682884b6ca3fee39284dc3dc2

C:\lphtdt.exe

MD5 8ea91a96656a2b7443148b191abc1ac0
SHA1 d206d2f4e33be814c7315949b7185e49e4783da5
SHA256 99d05d0a1096b9feb4ed3ae02313b350f602c69190dfbef24b6c13e59450c836
SHA512 fea81cb99805a0961b8d91357cd077761598bc28982828b18b687fb28d5a7437dbe7d3dc7e69f885050df015a6456b8f9c9c07aef1cac8f852a97c96fba99a2a

C:\nxhtn.exe

MD5 2a83535e15abec5481824c5ef1393b7f
SHA1 57a06a1a056a0c88e7cb91ccd28643b0f39c2861
SHA256 b2e5530a6c48da271fa5352a55bdec552993604554c9dd30abbe84ddb340cd00
SHA512 ef330dbb4e0a689eca625fb958beb68ef1a521a69869a92d2d6bd83bdd29d2fd0b5f9fbb5ac62c119c7a71814f622f0fece8f46643e056e0bfb35d34ff56fee3

C:\jxffbbd.exe

MD5 85a57fefe69b0a161a3f791aaba2c3cf
SHA1 718da3abc402b97e3370d38ae6ef839f0b64714f
SHA256 17e26678cad72957daced5fed719344f65faf95a28ac220b5614c9c9de6a12ca
SHA512 ceb4e5b2b0456223a6a75638546a4f20c33ec9cdfc33ee20bcc80b96dc47204bafba4b6d75bb4bac4f7534812c493d4c5a11ef77675bdee9ebe58a806d0f2348

C:\vlrplj.exe

MD5 63b421bc3f17818fc273c039c9d348a8
SHA1 afdbaad6727f1f71b9d9f5ab0cf245481fd7692b
SHA256 89e8019a0e757c377e160366abbcc7c913025c7a8f4f6eae37600b6be2dcbf34
SHA512 431dbcae9e92d5002424739e70297c60f0f1e38af603d6a5f057f46cd61ec3ce39ce9706957d8edfbf6f3740ea83a4a176f412c0fa69438f7989f04a0ceb9186

C:\jjphjnh.exe

MD5 d4b52a583e09584dca4b58907f4387f9
SHA1 112d336dfe274f5187f5599055cf9cca590db5a4
SHA256 a03aed889a6f8a7d7feb1896ae3c0ad0ac7406d9415653ba73a5c8e7c755e357
SHA512 1aa77e8524f6aa6a931f05f1e0ec4a8c2a362903a8387cabc89fbdeab630055e89b5ca493ff4ecc9e73c33db1eb258fe7cc7509103c1b981be705e2a5cf09b7f

C:\xftjj.exe

MD5 0b421f2f3239cd395fd1c3b1c5308b1b
SHA1 e4bedd2bccd286496c58826cb73091bfd91c460c
SHA256 9ee6fe3e8a777998013789c5569291093717e495de12cb89524df6b875da438e
SHA512 f5d16308c394e153755964750b56f74d35ede4a34a70fb0a88f0517a928daae5e6300af451b644a3fe9d5411b1af5cf3ef9ec87aa90e042ad46a6dba8f25dd16

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-06 20:21

Reported

2024-06-06 20:35

Platform

win10v2004-20240226-en

Max time kernel

155s

Max time network

156s

Command Line

"C:\Users\Admin\AppData\Local\Temp\28b194bd19a28d81649f0fd27beb5eb00e759ee51852d59c1ee48f8593c5a71b.exe"

Signatures

Blackmoon, KrBanker

trojan banker blackmoon

Detect Blackmoon payload

UPX dump on OEP (original entry point)

Executes dropped EXE

Description Indicator Process Target
N/A N/A \??\c:\x451u74.exe N/A
N/A N/A \??\c:\6kxj5.exe N/A
N/A N/A \??\c:\sgh7405.exe N/A
N/A N/A \??\c:\gk9f4d1.exe N/A
N/A N/A \??\c:\6k5rls1.exe N/A
N/A N/A \??\c:\v835mae.exe N/A
N/A N/A \??\c:\jj3wt.exe N/A
N/A N/A \??\c:\2w5bcci.exe N/A

UPX packed file

upx

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2436 wrote to memory of 4952 (3 identical events) N/A C:\Users\Admin\AppData\Local\Temp\28b194bd19a28d81649f0fd27beb5eb00e759ee51852d59c1ee48f8593c5a71b.exe \??\c:\x451u74.exe
PID 4952 wrote to memory of 3188 (3 identical events) N/A \??\c:\x451u74.exe \??\c:\6kxj5.exe
PID 3188 wrote to memory of 3732 (3 identical events) N/A \??\c:\6kxj5.exe \??\c:\sgh7405.exe
PID 3732 wrote to memory of 2808 (3 identical events) N/A \??\c:\sgh7405.exe \??\c:\gk9f4d1.exe
PID 2808 wrote to memory of 708 (3 identical events) N/A \??\c:\gk9f4d1.exe \??\c:\6k5rls1.exe
PID 708 wrote to memory of 212 (3 identical events) N/A \??\c:\6k5rls1.exe \??\c:\v835mae.exe
PID 212 wrote to memory of 1104 (3 identical events) N/A \??\c:\v835mae.exe \??\c:\jj3wt.exe
PID 1104 wrote to memory of 1236 (3 identical events) N/A \??\c:\jj3wt.exe \??\c:\2w5bcci.exe

Processes

C:\Users\Admin\AppData\Local\Temp\28b194bd19a28d81649f0fd27beb5eb00e759ee51852d59c1ee48f8593c5a71b.exe

"C:\Users\Admin\AppData\Local\Temp\28b194bd19a28d81649f0fd27beb5eb00e759ee51852d59c1ee48f8593c5a71b.exe"

\??\c:\x451u74.exe

c:\x451u74.exe

\??\c:\6kxj5.exe

c:\6kxj5.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1400 --field-trial-handle=2256,i,6670388345726423024,18382795228658886258,262144 --variations-seed-version /prefetch:8

\??\c:\sgh7405.exe

c:\sgh7405.exe

\??\c:\gk9f4d1.exe

c:\gk9f4d1.exe

\??\c:\6k5rls1.exe

c:\6k5rls1.exe

\??\c:\v835mae.exe

c:\v835mae.exe

\??\c:\jj3wt.exe

c:\jj3wt.exe

\??\c:\2w5bcci.exe

c:\2w5bcci.exe

Network

Country Destination Domain Proto
US 20.231.121.79:80 tcp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
GB 172.217.169.10:443 chromewebstore.googleapis.com tcp
US 8.8.8.8:53 10.169.217.172.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 122.10.44.20.in-addr.arpa udp

Files

\??\c:\x451u74.exe

MD5 b01ff04df22f84af54c7a1907c9f89a7
SHA1 d9541178f90111772635af445623a285106ba26c
SHA256 6e337bf4f76569a293909baab839a04543759f67b43e5ef3ebd2069dac833cc9
SHA512 f752789d570af4646cf09975ebbcfba7d1becc796e2f01233d566df34c1544bf8ad99b2e205c1ff7d3c89ad83c408e3237c3dea4bc14ceacb5f1f04d5424ea6a

\??\c:\6kxj5.exe

MD5 bca4c1d04a0d7608721124331494094a
SHA1 036df7d7864ea8558bd3975568a7d480505b0c6b
SHA256 5d1624bacc977d9fdbee690e9d2f9aad967c9564e702dddf14e4e1a56b656f75
SHA512 a708c688cc00b6d5f828ab9ff385fb9efe5a3362b52af80422397391de7955e72b447e88f97714f931c0d681b9ae861958419eb911102fbf4ba110525d9e8996

\??\c:\sgh7405.exe

MD5 2b74f599d76e90b79b9d1a938eb2b65d
SHA1 b25082fe635585643f2129889147ba236ba7d4a9
SHA256 f3cab895bd0653710cea1e80b94178f7b570bcd7697e90f8f7ba4bc4b8b35ae5
SHA512 68dc647eee21112f9bc58bef2f4f0aad6c51f4e5cc3e1a08b57f510c5dca6e404134cc18c2a4f3b270156650e6ebf16cb9f2f5e60d1343772a1928bfc30f2814

\??\c:\gk9f4d1.exe

MD5 d7da4f6b4c7ffa9516642fd1653a68ff
SHA1 e502a4765f61f3c175507ad0ed87a7977c615563
SHA256 bd1e36f284d6b04b4a5bfae4b2e1eae77f6ab23b97f788481f2557b482cd17dd
SHA512 7543fa889886b61f0c34cc8a08d54991d1149edf3918582d00ed6cd2d766d441286300c044366ed4f3e0e3737c2d427ad59f0b2176dd5e933db8b3f8ca30bb20

C:\6k5rls1.exe

MD5 ba549cee729aef2fa6f68636aac18855
SHA1 3b84d3229a1d2da208c9dad2d1f0db768a703c33
SHA256 7d4642b2f94152f957b1863a83b97c1fa90de9f53e0c5e35229a28c6ef1b0fe9
SHA512 a083c5a4aff6ade8239537ef0df46eb6e4448730b6d5701f55b2dc60983a42ad431b2f3ef0f03ba5d33596033aca1a378e15aae7e20c4e6f083367306eee82c8

\??\c:\v835mae.exe

MD5 c8889fb665c0b6647155f7f5e04f6e1f
SHA1 4bc7ed5da42e4b234fbe478c1bfc150cdba60362
SHA256 a2d124ce7c3d3d3820a0c60eeb3c193bf41006a94cb48649a8ea351985325e3e
SHA512 ecc962ffa6d7bf72eb7f6838a324ba5b69bed3ad7e37305a3cbaa39a77aac0cef0c8af41376052d78fc1961b2901d7f3796d00624c3976eba436d9950f5919aa

\??\c:\jj3wt.exe

MD5 7f0a001df65965fab2e52e0030d4012a
SHA1 6cd6b25024918aa4f08c0856c801019c88bbd600
SHA256 94bb1fec751bbb720d607dd06719c8de0eba94846c1449500d9e8e81c036d513
SHA512 e657d35a40f755b968467aec7b06ed2ed4099760cc0272d323fd3a3d0c40bd06a9265472f92f65318f6a72cbffb156d0413ba2f6be5454dd4dc1f800df7ccc4c

\??\c:\2w5bcci.exe

MD5 da3f9213bb016e72c70a2fa619534797
SHA1 5fa568826ad6e6c5507dd1bfcd5ebdd95469d0bd
SHA256 748a7a7063d4a9916a84d3909c3f8d858eac56dfa691eb31129e2022d63cbc83
SHA512 fba2b7e480eff88121400298c5623b728680d9c467fcb301ae4e914dfdf69be43b63dca9ec6e946023ebf8cd404879c6c88ba06d689a1821f390379b84d739d2