Analysis Overview
SHA256
69c6e9ab389338aaf5825690a22618fab4271818ff82ee46d1c1a19a8c4a9b20
Threat Level: Known bad
The file 69c6e9ab389338aaf5825690a22618fab4271818ff82ee46d1c1a19a8c4a9b20 was found to be: Known bad.
Malicious Activity Summary
Xmrig family
Cobaltstrike family
Cobalt Strike reflective loader
Cobaltstrike
XMRig Miner payload
xmrig
XMRig Miner payload
Executes dropped EXE
Loads dropped DLL
UPX packed file
Drops file in Windows directory
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-08-06 12:11
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Cobaltstrike family
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Xmrig family
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-06 12:11
Reported
2024-08-06 12:14
Platform
win10v2004-20240802-en
Max time kernel
142s
Max time network
150s
Command Line
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Cobaltstrike
xmrig
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\JTJybSy.exe | N/A |
| N/A | N/A | C:\Windows\System\DspdAnL.exe | N/A |
| N/A | N/A | C:\Windows\System\cQDwIFt.exe | N/A |
| N/A | N/A | C:\Windows\System\dOcyREd.exe | N/A |
| N/A | N/A | C:\Windows\System\ZRsVyaD.exe | N/A |
| N/A | N/A | C:\Windows\System\MRjiNuO.exe | N/A |
| N/A | N/A | C:\Windows\System\HENcyQh.exe | N/A |
| N/A | N/A | C:\Windows\System\nYupmBU.exe | N/A |
| N/A | N/A | C:\Windows\System\HHNGihY.exe | N/A |
| N/A | N/A | C:\Windows\System\qHDLdHW.exe | N/A |
| N/A | N/A | C:\Windows\System\jEdwjIG.exe | N/A |
| N/A | N/A | C:\Windows\System\AjgPayk.exe | N/A |
| N/A | N/A | C:\Windows\System\xaKMAaC.exe | N/A |
| N/A | N/A | C:\Windows\System\dWMVPkf.exe | N/A |
| N/A | N/A | C:\Windows\System\RwWxSCY.exe | N/A |
| N/A | N/A | C:\Windows\System\aJEHkqC.exe | N/A |
| N/A | N/A | C:\Windows\System\fAwyONf.exe | N/A |
| N/A | N/A | C:\Windows\System\MtzZHfq.exe | N/A |
| N/A | N/A | C:\Windows\System\EdzKrYG.exe | N/A |
| N/A | N/A | C:\Windows\System\CijbwWT.exe | N/A |
| N/A | N/A | C:\Windows\System\JgzFGTC.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\69c6e9ab389338aaf5825690a22618fab4271818ff82ee46d1c1a19a8c4a9b20.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\69c6e9ab389338aaf5825690a22618fab4271818ff82ee46d1c1a19a8c4a9b20.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\69c6e9ab389338aaf5825690a22618fab4271818ff82ee46d1c1a19a8c4a9b20.exe
"C:\Users\Admin\AppData\Local\Temp\69c6e9ab389338aaf5825690a22618fab4271818ff82ee46d1c1a19a8c4a9b20.exe"
C:\Windows\System\JTJybSy.exe
C:\Windows\System\JTJybSy.exe
C:\Windows\System\DspdAnL.exe
C:\Windows\System\DspdAnL.exe
C:\Windows\System\cQDwIFt.exe
C:\Windows\System\cQDwIFt.exe
C:\Windows\System\dOcyREd.exe
C:\Windows\System\dOcyREd.exe
C:\Windows\System\ZRsVyaD.exe
C:\Windows\System\ZRsVyaD.exe
C:\Windows\System\MRjiNuO.exe
C:\Windows\System\MRjiNuO.exe
C:\Windows\System\nYupmBU.exe
C:\Windows\System\nYupmBU.exe
C:\Windows\System\HENcyQh.exe
C:\Windows\System\HENcyQh.exe
C:\Windows\System\HHNGihY.exe
C:\Windows\System\HHNGihY.exe
C:\Windows\System\qHDLdHW.exe
C:\Windows\System\qHDLdHW.exe
C:\Windows\System\jEdwjIG.exe
C:\Windows\System\jEdwjIG.exe
C:\Windows\System\AjgPayk.exe
C:\Windows\System\AjgPayk.exe
C:\Windows\System\xaKMAaC.exe
C:\Windows\System\xaKMAaC.exe
C:\Windows\System\dWMVPkf.exe
C:\Windows\System\dWMVPkf.exe
C:\Windows\System\RwWxSCY.exe
C:\Windows\System\RwWxSCY.exe
C:\Windows\System\aJEHkqC.exe
C:\Windows\System\aJEHkqC.exe
C:\Windows\System\fAwyONf.exe
C:\Windows\System\fAwyONf.exe
C:\Windows\System\MtzZHfq.exe
C:\Windows\System\MtzZHfq.exe
C:\Windows\System\EdzKrYG.exe
C:\Windows\System\EdzKrYG.exe
C:\Windows\System\JgzFGTC.exe
C:\Windows\System\JgzFGTC.exe
C:\Windows\System\CijbwWT.exe
C:\Windows\System\CijbwWT.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 13.107.21.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 237.21.107.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 52.111.229.48:443 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/844-0-0x00007FF711950000-0x00007FF711CA4000-memory.dmp
memory/844-1-0x0000015C69840000-0x0000015C69850000-memory.dmp
C:\Windows\System\JTJybSy.exe
| MD5 | 29996ecc6a7db31f2a94af2efdaf919c |
| SHA1 | a6dadd3072d37279f47d46740162a296a7a92dca |
| SHA256 | fff115db35dbed574aef8a1ec263bf653afd3c10fe7036f88872622c6e748a78 |
| SHA512 | b8645dab9798f0f6517535e1a4460f52489698b000a13b8fff65614fe415c2a13fee3bf49fcfa0e7f6c8c0e053ff10a50b69196d709fe41a6d4a4ae25b25e79b |
C:\Windows\System\cQDwIFt.exe
| MD5 | 0a81f512365b627bc560124929f8f76a |
| SHA1 | 68a8552a6b2c030daee8586ad8405a29e775d1ab |
| SHA256 | 38f49b97ba6abfea2fc60741930c88eb6eb8916a413ac97112696dc970e8b034 |
| SHA512 | 28a6c57c26da09229a90ac96a8920ee1b1a3031acbb84815c1a094e4fee9580790432bff1fb3f832790c795f87c0d7a447ebb5a338869363fe68ec7a2efbf5d2 |
memory/2628-23-0x00007FF70BB00000-0x00007FF70BE54000-memory.dmp
C:\Windows\System\dOcyREd.exe
| MD5 | ef8e2ca7f9d986151af330b7289665a0 |
| SHA1 | fa983502689d74a55583c3bf8142dda25259dfff |
| SHA256 | 56ed4de85831a024b611d3ebf27ee75343f903dc026521eb8021230d2b7b5e0a |
| SHA512 | b9b42ef825deb6c6a013f951813de516fa23d11664d6ac131e97382e91d2471e4cacf3254e837af7e4f6a56585255115563c676d0706e52ba4c32b1a8c6ac930 |
C:\Windows\System\ZRsVyaD.exe
| MD5 | a0a66df9eed8396cfa7869532a812c67 |
| SHA1 | 66829482d2e7651dae20c12b77138cb256a460c0 |
| SHA256 | 29fe6d2b548b779c450895bc25bae4251f7eb46a4316ec33fe4941d4f172a200 |
| SHA512 | 40c4737cd297ca5da4096ebdfad088f075c37f88c7c721b002e75da34be2563d9bad5c4249d65d85fcf2b286e61ed2d94a8f2337475e2c0c7b1ac3b651f4d23f |
C:\Windows\System\nYupmBU.exe
| MD5 | 609facbaaca3cd8563e5692251f9fc65 |
| SHA1 | 35b25c7cda22e1aa1d994e06d496a93395f7d529 |
| SHA256 | 1191f19b7ab9a8a779ccbc7220929591e8fadf8bab792f8960f18250d0a03cab |
| SHA512 | becf1f6b412c15486cc2c5361c4183cf21ad8679f198b93dd842ae18f11ef96eb27ad82d473c82853f7140e67e2bcf493a942b1dbeddf0956f149e528684e236 |
C:\Windows\System\qHDLdHW.exe
| MD5 | 06e81f2688bc720d0965c095b9efeea3 |
| SHA1 | e73559a84e363a03736c32fa59b08460efbcf497 |
| SHA256 | 58fa74ae5eb01857deb0d73df54988c99327e92816c92ff6a66d662a2ff98f94 |
| SHA512 | 93abccc093abb2bd58588f0757f78df78cd3aca388aecfadd4d0b612414b3fb278cd135d667e31182b88c3c6aab368eaebe1bd990263ce08a70dce6b332e13f7 |
C:\Windows\System\HHNGihY.exe
| MD5 | c8db09df69a75de47851874fa29057eb |
| SHA1 | 47fa0a35761c190c0c87cea003bbfd026040877b |
| SHA256 | ab22992f77e1e99081dc0f5da68c1167ec625668c84f75f13d7ca62585183b38 |
| SHA512 | 60367a3e43747499663649caf53bab93900ee2f5890b58d1f6805caaf98f38b5a034e2e6fdd778adf4d67cd7e7f892db9d8f4ff3f7b29454a2f8fdc52040edca |
memory/2152-57-0x00007FF640A30000-0x00007FF640D84000-memory.dmp
memory/5028-65-0x00007FF7BEE80000-0x00007FF7BF1D4000-memory.dmp
C:\Windows\System\jEdwjIG.exe
| MD5 | 26c047cc3a99fbe133c2e81c6591782c |
| SHA1 | e033b1d9ce64eaf3b0c8adcb050e6dc3f5476f3f |
| SHA256 | ab462bdc867317d8ead6820e7f03aa6eebae0f2f0f07b142f664af96ffc513af |
| SHA512 | 88d8f067ef41c720372061c56f73e2b1270554625cda798cb1f27f0abe1593780399b50891ec3c7ed2853db9d1687765aeff67435d5b1c1016be41d58ba87dda |
memory/4252-66-0x00007FF7E8D00000-0x00007FF7E9054000-memory.dmp
memory/4716-63-0x00007FF66AFA0000-0x00007FF66B2F4000-memory.dmp
memory/2312-54-0x00007FF78CD00000-0x00007FF78D054000-memory.dmp
memory/2280-51-0x00007FF73BA60000-0x00007FF73BDB4000-memory.dmp
C:\Windows\System\HENcyQh.exe
| MD5 | 943d86ee0ab759c048f587f0c822d8b2 |
| SHA1 | cfc4433947da04ed30be6167e92b985fa2cfb1a3 |
| SHA256 | 5a2369ba6d56cefc173c65b9f88398fc98c75c86bfc5663b9ef6a0018a1fa7fc |
| SHA512 | ab0426d1ef89ee9bc14dc4aadf5951471644e26f509bf61ccf5e3a748ac7fa34eddd6e1ff08288e3b1bc295b872aa8fc905ebd33c4a6250ebb7d06c86f4d32fd |
C:\Windows\System\MRjiNuO.exe
| MD5 | d5d52392f6bc3c2367ff5eaab72b7eef |
| SHA1 | 66a12dc80f286c28ba54c688e1572645b9370afe |
| SHA256 | cc0bf06ebbeb90eba2af65d7c23e193e6b4e1bc121095848ff1876fee468ae40 |
| SHA512 | 0f55cb952bd147396eb3c3c71d4263ed316222605061421bc2c27f1da6feadaa53948bd381c3f9afa269f37961d0d827f1acb837295b4d59bf00694b46f4d9bb |
memory/2744-38-0x00007FF75C080000-0x00007FF75C3D4000-memory.dmp
memory/448-29-0x00007FF657760000-0x00007FF657AB4000-memory.dmp
memory/3324-21-0x00007FF766F00000-0x00007FF767254000-memory.dmp
C:\Windows\System\DspdAnL.exe
| MD5 | 0f07ae94d8b5d2407f1530ea7622eaa5 |
| SHA1 | fa978c1c5446de2d6f0cf8cf11ef1c4533e7c5ab |
| SHA256 | 7d660e758d850eb2ef24c8c6ab9dabac52497fbf6d6f584917e11f818d21091b |
| SHA512 | 3e4bd2f336583f7127f15b89507aab379363f0e755b827fc70e0d4715e47521b8dbdd750f376513218bb7b81bfbd74ebac0224599555e035f3f9f2cf5376f205 |
memory/4492-10-0x00007FF6AAF70000-0x00007FF6AB2C4000-memory.dmp
C:\Windows\System\AjgPayk.exe
| MD5 | 126f64a013f6cd2985b7ca6fba388bf9 |
| SHA1 | e1e2a0a0dd16f3be7979bd575e39e87bb7c52bc4 |
| SHA256 | 89a1f0ef5f061fc6fe52dcf1c6c554dca966cfcb694521adb1b20684f4a86dbc |
| SHA512 | 5aed9f40d0e354b2de5ecc4a49482e03e557d0c57916e5986670e2e09eeeb958c187ed1ecec49cddeeccde26e15fa00f6fe97328cb1c53b936fe58afc5efd4e0 |
memory/4200-74-0x00007FF74CF80000-0x00007FF74D2D4000-memory.dmp
C:\Windows\System\RwWxSCY.exe
| MD5 | d2a78c469896e87bf88da70e3110b00a |
| SHA1 | b2bf162072db2ba907ee51eba61fd464f4c825e3 |
| SHA256 | 955e6049a8c03b46de75b6c548105a9b71f0cf13c8460001f6747bd0f2a00717 |
| SHA512 | 974be2147ac44f51104cb63d67680e256f6a8c70a18547ced1f81350541f084ef8e2b136597d7c4ba75d66464b52393602f16889bd8199f13566515c64e1eeab |
memory/844-90-0x00007FF711950000-0x00007FF711CA4000-memory.dmp
memory/4492-98-0x00007FF6AAF70000-0x00007FF6AB2C4000-memory.dmp
memory/1992-104-0x00007FF63D1D0000-0x00007FF63D524000-memory.dmp
C:\Windows\System\fAwyONf.exe
| MD5 | cf96019e3c4accf5b6cc674f9ec42dc1 |
| SHA1 | 7e4b26a09a2f06f201ad66a13973ca079f91fe6a |
| SHA256 | 268dd38dce2edc07195c55e5412dc9e81d62d6f81c437e2982716d821de3e2f6 |
| SHA512 | fa19ce7c37f83371c21808ffe2a316972827feb89e9aae235228037725c00901b2366afc08ed0ef44aabab9314424d519ee7beee60814b7cc5c1b787d4b2b096 |
C:\Windows\System\EdzKrYG.exe
| MD5 | a5b1a658e43898f99dc14913b5abcf9d |
| SHA1 | 36579586e6031c28913ca13b7af965250c580752 |
| SHA256 | 920d9a3465d9c010f9ce8dff1937d9ada90f638951698506a697d1c2e46759f2 |
| SHA512 | 967c63cfa8544f9a846b0e5c1bc110bb88426b14e031950ef000789d938a21c75db4e428c8556b61c77e8b529123a340ce0e98f629b3aef530f9e33ec9e64005 |
C:\Windows\System\MtzZHfq.exe
| MD5 | 765833ce28ddef700bf1471746a94163 |
| SHA1 | 11156c8142e957179fad1e2d95584abd979f4b01 |
| SHA256 | a4e129885279ef002cc0a6bb2dcc86125ffbd0c77a99298abe26f8e0db5cb990 |
| SHA512 | 2217d8874dfd1f056ff5d7e611e3a24fe319e610a71f52edc5bee7140610b5b3510da28b14336699a8332402eae7cf1ad72e9d1ebcf99aa3575b8314ff99395d |
memory/1372-108-0x00007FF6E2E00000-0x00007FF6E3154000-memory.dmp
C:\Windows\System\aJEHkqC.exe
| MD5 | ffc6d839d7e494b65cb104eff8261511 |
| SHA1 | cae16fde3ad471602b98b56a328d308fe1a61bd4 |
| SHA256 | d5e94503c36b8cf14eca6179de847140e6535ae9696040070fe30266c78bbbf9 |
| SHA512 | c055a4a71d3d4f13893ee9daacdcde3d5d2473f4a75fa3d4583de62d164d417d83f92e4abed1840b5c08a7f1cab42986d0cf4f335db0126b3f31d8a207878eca |
memory/3324-99-0x00007FF766F00000-0x00007FF767254000-memory.dmp
memory/5048-96-0x00007FF753880000-0x00007FF753BD4000-memory.dmp
memory/4396-91-0x00007FF71B400000-0x00007FF71B754000-memory.dmp
C:\Windows\System\dWMVPkf.exe
| MD5 | a385b82efc66a43054a68f661376a234 |
| SHA1 | bd8d8f3b769c5046daf95f713669eb90ed04edc9 |
| SHA256 | ebcbf3ca4b508a072ca71e43e53d4d9f1d68fc1a9c612ce3ea14b97df8ef898f |
| SHA512 | eb445c908858e4fbf4427d65e10cfc5b31432f846b0ba8f077a76b50e5ca0391401b44c2ae3569f04411dd806f3b6dc26e6b31b95207fc4a62ec3ab42f8a88ff |
C:\Windows\System\xaKMAaC.exe
| MD5 | e4efaced4110340d0367351161b6cbf0 |
| SHA1 | 496308c0b91b60bee2845663cd6b98054eff0576 |
| SHA256 | 73ac3621a400e63c8f128e30509c26b2adfe57fa9e6bc09f1ecb801d9f135b9a |
| SHA512 | 5703ca8b0e0c7a1d168963c6a2a5468a88a239b624ad752c776a7cf0c6223bd89d1627b8cc1fa7a35b7c3fb09c7e81567c05a6b8f32b32649259b573d257286e |
memory/2288-78-0x00007FF740180000-0x00007FF7404D4000-memory.dmp
memory/448-118-0x00007FF657760000-0x00007FF657AB4000-memory.dmp
memory/4900-119-0x00007FF6F74E0000-0x00007FF6F7834000-memory.dmp
memory/1560-122-0x00007FF7F16B0000-0x00007FF7F1A04000-memory.dmp
C:\Windows\System\CijbwWT.exe
| MD5 | e0d9ec6a4e0ab4cbbe7ccaeb89f9e577 |
| SHA1 | a28e690533b3368c47dffddbc6fa91645954e3ed |
| SHA256 | dfc26f5185cf0626f416c6dfc1b458177dfbf54454d8d0e5d9a74dd2cbb379ac |
| SHA512 | f9024b644b024781585af9327d1ba6184c86bff13dd5975c05e1877901a296a3fc2691481e90caedd637f19ba33b6c30dcc38e86387e15167150baf99423682a |
C:\Windows\System\JgzFGTC.exe
| MD5 | cfafeab87280f715b0721bea97c83b6c |
| SHA1 | 8ae82e8cf995f9059bd29adb392934077b54128a |
| SHA256 | 0ab1442a207a5c60a55e4d4c5c499c900fff60b5e027ed9277a52e62f8d697ba |
| SHA512 | 038349cd29771683a74acb673e4fcaa6fb89ec1000f8fecda4c3f1e976f5d41b13465a080c04968d3c83fe666b07d202233cb71e16f12052378520f73b41c15b |
memory/2744-130-0x00007FF75C080000-0x00007FF75C3D4000-memory.dmp
memory/1288-132-0x00007FF7522C0000-0x00007FF752614000-memory.dmp
memory/2128-131-0x00007FF7B0200000-0x00007FF7B0554000-memory.dmp
memory/4716-134-0x00007FF66AFA0000-0x00007FF66B2F4000-memory.dmp
memory/2280-133-0x00007FF73BA60000-0x00007FF73BDB4000-memory.dmp
memory/2312-135-0x00007FF78CD00000-0x00007FF78D054000-memory.dmp
memory/5028-136-0x00007FF7BEE80000-0x00007FF7BF1D4000-memory.dmp
memory/4252-137-0x00007FF7E8D00000-0x00007FF7E9054000-memory.dmp
memory/4200-138-0x00007FF74CF80000-0x00007FF74D2D4000-memory.dmp
memory/2288-139-0x00007FF740180000-0x00007FF7404D4000-memory.dmp
memory/5048-140-0x00007FF753880000-0x00007FF753BD4000-memory.dmp
memory/1992-141-0x00007FF63D1D0000-0x00007FF63D524000-memory.dmp
memory/1372-142-0x00007FF6E2E00000-0x00007FF6E3154000-memory.dmp
memory/4492-143-0x00007FF6AAF70000-0x00007FF6AB2C4000-memory.dmp
memory/2628-144-0x00007FF70BB00000-0x00007FF70BE54000-memory.dmp
memory/3324-145-0x00007FF766F00000-0x00007FF767254000-memory.dmp
memory/448-146-0x00007FF657760000-0x00007FF657AB4000-memory.dmp
memory/2744-147-0x00007FF75C080000-0x00007FF75C3D4000-memory.dmp
memory/2280-148-0x00007FF73BA60000-0x00007FF73BDB4000-memory.dmp
memory/2152-149-0x00007FF640A30000-0x00007FF640D84000-memory.dmp
memory/4716-151-0x00007FF66AFA0000-0x00007FF66B2F4000-memory.dmp
memory/2312-150-0x00007FF78CD00000-0x00007FF78D054000-memory.dmp
memory/5028-152-0x00007FF7BEE80000-0x00007FF7BF1D4000-memory.dmp
memory/4252-153-0x00007FF7E8D00000-0x00007FF7E9054000-memory.dmp
memory/4200-154-0x00007FF74CF80000-0x00007FF74D2D4000-memory.dmp
memory/2288-155-0x00007FF740180000-0x00007FF7404D4000-memory.dmp
memory/4396-156-0x00007FF71B400000-0x00007FF71B754000-memory.dmp
memory/5048-157-0x00007FF753880000-0x00007FF753BD4000-memory.dmp
memory/1992-159-0x00007FF63D1D0000-0x00007FF63D524000-memory.dmp
memory/1372-158-0x00007FF6E2E00000-0x00007FF6E3154000-memory.dmp
memory/4900-161-0x00007FF6F74E0000-0x00007FF6F7834000-memory.dmp
memory/1560-160-0x00007FF7F16B0000-0x00007FF7F1A04000-memory.dmp
memory/2128-162-0x00007FF7B0200000-0x00007FF7B0554000-memory.dmp
memory/1288-163-0x00007FF7522C0000-0x00007FF752614000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-06 12:11
Reported
2024-08-06 12:14
Platform
win7-20240704-en
Max time kernel
139s
Max time network
149s
Command Line
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Cobaltstrike
xmrig
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\JTJybSy.exe | N/A |
| N/A | N/A | C:\Windows\System\DspdAnL.exe | N/A |
| N/A | N/A | C:\Windows\System\dOcyREd.exe | N/A |
| N/A | N/A | C:\Windows\System\MRjiNuO.exe | N/A |
| N/A | N/A | C:\Windows\System\HENcyQh.exe | N/A |
| N/A | N/A | C:\Windows\System\cQDwIFt.exe | N/A |
| N/A | N/A | C:\Windows\System\qHDLdHW.exe | N/A |
| N/A | N/A | C:\Windows\System\ZRsVyaD.exe | N/A |
| N/A | N/A | C:\Windows\System\nYupmBU.exe | N/A |
| N/A | N/A | C:\Windows\System\HHNGihY.exe | N/A |
| N/A | N/A | C:\Windows\System\jEdwjIG.exe | N/A |
| N/A | N/A | C:\Windows\System\AjgPayk.exe | N/A |
| N/A | N/A | C:\Windows\System\xaKMAaC.exe | N/A |
| N/A | N/A | C:\Windows\System\dWMVPkf.exe | N/A |
| N/A | N/A | C:\Windows\System\RwWxSCY.exe | N/A |
| N/A | N/A | C:\Windows\System\aJEHkqC.exe | N/A |
| N/A | N/A | C:\Windows\System\fAwyONf.exe | N/A |
| N/A | N/A | C:\Windows\System\MtzZHfq.exe | N/A |
| N/A | N/A | C:\Windows\System\EdzKrYG.exe | N/A |
| N/A | N/A | C:\Windows\System\JgzFGTC.exe | N/A |
| N/A | N/A | C:\Windows\System\CijbwWT.exe | N/A |
Loads dropped DLL
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\69c6e9ab389338aaf5825690a22618fab4271818ff82ee46d1c1a19a8c4a9b20.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\69c6e9ab389338aaf5825690a22618fab4271818ff82ee46d1c1a19a8c4a9b20.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\69c6e9ab389338aaf5825690a22618fab4271818ff82ee46d1c1a19a8c4a9b20.exe
"C:\Users\Admin\AppData\Local\Temp\69c6e9ab389338aaf5825690a22618fab4271818ff82ee46d1c1a19a8c4a9b20.exe"
C:\Windows\System\JTJybSy.exe
C:\Windows\System\JTJybSy.exe
C:\Windows\System\DspdAnL.exe
C:\Windows\System\DspdAnL.exe
C:\Windows\System\cQDwIFt.exe
C:\Windows\System\cQDwIFt.exe
C:\Windows\System\dOcyREd.exe
C:\Windows\System\dOcyREd.exe
C:\Windows\System\ZRsVyaD.exe
C:\Windows\System\ZRsVyaD.exe
C:\Windows\System\MRjiNuO.exe
C:\Windows\System\MRjiNuO.exe
C:\Windows\System\nYupmBU.exe
C:\Windows\System\nYupmBU.exe
C:\Windows\System\HENcyQh.exe
C:\Windows\System\HENcyQh.exe
C:\Windows\System\HHNGihY.exe
C:\Windows\System\HHNGihY.exe
C:\Windows\System\qHDLdHW.exe
C:\Windows\System\qHDLdHW.exe
C:\Windows\System\jEdwjIG.exe
C:\Windows\System\jEdwjIG.exe
C:\Windows\System\AjgPayk.exe
C:\Windows\System\AjgPayk.exe
C:\Windows\System\xaKMAaC.exe
C:\Windows\System\xaKMAaC.exe
C:\Windows\System\dWMVPkf.exe
C:\Windows\System\dWMVPkf.exe
C:\Windows\System\RwWxSCY.exe
C:\Windows\System\RwWxSCY.exe
C:\Windows\System\aJEHkqC.exe
C:\Windows\System\aJEHkqC.exe
C:\Windows\System\fAwyONf.exe
C:\Windows\System\fAwyONf.exe
C:\Windows\System\MtzZHfq.exe
C:\Windows\System\MtzZHfq.exe
C:\Windows\System\EdzKrYG.exe
C:\Windows\System\EdzKrYG.exe
C:\Windows\System\JgzFGTC.exe
C:\Windows\System\JgzFGTC.exe
C:\Windows\System\CijbwWT.exe
C:\Windows\System\CijbwWT.exe
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/2752-0-0x000000013FDC0000-0x0000000140114000-memory.dmp
memory/2752-1-0x00000000001F0000-0x0000000000200000-memory.dmp
memory/2800-19-0x000000013F480000-0x000000013F7D4000-memory.dmp
C:\Windows\system\HENcyQh.exe
| MD5 | 943d86ee0ab759c048f587f0c822d8b2 |
| SHA1 | cfc4433947da04ed30be6167e92b985fa2cfb1a3 |
| SHA256 | 5a2369ba6d56cefc173c65b9f88398fc98c75c86bfc5663b9ef6a0018a1fa7fc |
| SHA512 | ab0426d1ef89ee9bc14dc4aadf5951471644e26f509bf61ccf5e3a748ac7fa34eddd6e1ff08288e3b1bc295b872aa8fc905ebd33c4a6250ebb7d06c86f4d32fd |
\Windows\system\cQDwIFt.exe
| MD5 | 0a81f512365b627bc560124929f8f76a |
| SHA1 | 68a8552a6b2c030daee8586ad8405a29e775d1ab |
| SHA256 | 38f49b97ba6abfea2fc60741930c88eb6eb8916a413ac97112696dc970e8b034 |
| SHA512 | 28a6c57c26da09229a90ac96a8920ee1b1a3031acbb84815c1a094e4fee9580790432bff1fb3f832790c795f87c0d7a447ebb5a338869363fe68ec7a2efbf5d2 |
C:\Windows\system\qHDLdHW.exe
| MD5 | 06e81f2688bc720d0965c095b9efeea3 |
| SHA1 | e73559a84e363a03736c32fa59b08460efbcf497 |
| SHA256 | 58fa74ae5eb01857deb0d73df54988c99327e92816c92ff6a66d662a2ff98f94 |
| SHA512 | 93abccc093abb2bd58588f0757f78df78cd3aca388aecfadd4d0b612414b3fb278cd135d667e31182b88c3c6aab368eaebe1bd990263ce08a70dce6b332e13f7 |
memory/2752-58-0x0000000002360000-0x00000000026B4000-memory.dmp
memory/2300-60-0x000000013F6F0000-0x000000013FA44000-memory.dmp
\Windows\system\jEdwjIG.exe
| MD5 | 26c047cc3a99fbe133c2e81c6591782c |
| SHA1 | e033b1d9ce64eaf3b0c8adcb050e6dc3f5476f3f |
| SHA256 | ab462bdc867317d8ead6820e7f03aa6eebae0f2f0f07b142f664af96ffc513af |
| SHA512 | 88d8f067ef41c720372061c56f73e2b1270554625cda798cb1f27f0abe1593780399b50891ec3c7ed2853db9d1687765aeff67435d5b1c1016be41d58ba87dda |
C:\Windows\system\xaKMAaC.exe
| MD5 | e4efaced4110340d0367351161b6cbf0 |
| SHA1 | 496308c0b91b60bee2845663cd6b98054eff0576 |
| SHA256 | 73ac3621a400e63c8f128e30509c26b2adfe57fa9e6bc09f1ecb801d9f135b9a |
| SHA512 | 5703ca8b0e0c7a1d168963c6a2a5468a88a239b624ad752c776a7cf0c6223bd89d1627b8cc1fa7a35b7c3fb09c7e81567c05a6b8f32b32649259b573d257286e |
C:\Windows\system\dWMVPkf.exe
| MD5 | a385b82efc66a43054a68f661376a234 |
| SHA1 | bd8d8f3b769c5046daf95f713669eb90ed04edc9 |
| SHA256 | ebcbf3ca4b508a072ca71e43e53d4d9f1d68fc1a9c612ce3ea14b97df8ef898f |
| SHA512 | eb445c908858e4fbf4427d65e10cfc5b31432f846b0ba8f077a76b50e5ca0391401b44c2ae3569f04411dd806f3b6dc26e6b31b95207fc4a62ec3ab42f8a88ff |
C:\Windows\system\JgzFGTC.exe
| MD5 | cfafeab87280f715b0721bea97c83b6c |
| SHA1 | 8ae82e8cf995f9059bd29adb392934077b54128a |
| SHA256 | 0ab1442a207a5c60a55e4d4c5c499c900fff60b5e027ed9277a52e62f8d697ba |
| SHA512 | 038349cd29771683a74acb673e4fcaa6fb89ec1000f8fecda4c3f1e976f5d41b13465a080c04968d3c83fe666b07d202233cb71e16f12052378520f73b41c15b |
\Windows\system\CijbwWT.exe
| MD5 | e0d9ec6a4e0ab4cbbe7ccaeb89f9e577 |
| SHA1 | a28e690533b3368c47dffddbc6fa91645954e3ed |
| SHA256 | dfc26f5185cf0626f416c6dfc1b458177dfbf54454d8d0e5d9a74dd2cbb379ac |
| SHA512 | f9024b644b024781585af9327d1ba6184c86bff13dd5975c05e1877901a296a3fc2691481e90caedd637f19ba33b6c30dcc38e86387e15167150baf99423682a |
C:\Windows\system\EdzKrYG.exe
| MD5 | a5b1a658e43898f99dc14913b5abcf9d |
| SHA1 | 36579586e6031c28913ca13b7af965250c580752 |
| SHA256 | 920d9a3465d9c010f9ce8dff1937d9ada90f638951698506a697d1c2e46759f2 |
| SHA512 | 967c63cfa8544f9a846b0e5c1bc110bb88426b14e031950ef000789d938a21c75db4e428c8556b61c77e8b529123a340ce0e98f629b3aef530f9e33ec9e64005 |
C:\Windows\system\MtzZHfq.exe
| MD5 | 765833ce28ddef700bf1471746a94163 |
| SHA1 | 11156c8142e957179fad1e2d95584abd979f4b01 |
| SHA256 | a4e129885279ef002cc0a6bb2dcc86125ffbd0c77a99298abe26f8e0db5cb990 |
| SHA512 | 2217d8874dfd1f056ff5d7e611e3a24fe319e610a71f52edc5bee7140610b5b3510da28b14336699a8332402eae7cf1ad72e9d1ebcf99aa3575b8314ff99395d |
C:\Windows\system\fAwyONf.exe
| MD5 | cf96019e3c4accf5b6cc674f9ec42dc1 |
| SHA1 | 7e4b26a09a2f06f201ad66a13973ca079f91fe6a |
| SHA256 | 268dd38dce2edc07195c55e5412dc9e81d62d6f81c437e2982716d821de3e2f6 |
| SHA512 | fa19ce7c37f83371c21808ffe2a316972827feb89e9aae235228037725c00901b2366afc08ed0ef44aabab9314424d519ee7beee60814b7cc5c1b787d4b2b096 |
C:\Windows\system\aJEHkqC.exe
| MD5 | ffc6d839d7e494b65cb104eff8261511 |
| SHA1 | cae16fde3ad471602b98b56a328d308fe1a61bd4 |
| SHA256 | d5e94503c36b8cf14eca6179de847140e6535ae9696040070fe30266c78bbbf9 |
| SHA512 | c055a4a71d3d4f13893ee9daacdcde3d5d2473f4a75fa3d4583de62d164d417d83f92e4abed1840b5c08a7f1cab42986d0cf4f335db0126b3f31d8a207878eca |
memory/2752-93-0x0000000002360000-0x00000000026B4000-memory.dmp
C:\Windows\system\RwWxSCY.exe
| MD5 | d2a78c469896e87bf88da70e3110b00a |
| SHA1 | b2bf162072db2ba907ee51eba61fd464f4c825e3 |
| SHA256 | 955e6049a8c03b46de75b6c548105a9b71f0cf13c8460001f6747bd0f2a00717 |
| SHA512 | 974be2147ac44f51104cb63d67680e256f6a8c70a18547ced1f81350541f084ef8e2b136597d7c4ba75d66464b52393602f16889bd8199f13566515c64e1eeab |
memory/2752-117-0x000000013FDC0000-0x0000000140114000-memory.dmp
memory/2752-118-0x0000000002360000-0x00000000026B4000-memory.dmp
memory/2752-88-0x0000000002360000-0x00000000026B4000-memory.dmp
memory/2520-83-0x000000013FE30000-0x0000000140184000-memory.dmp
memory/2096-77-0x000000013F620000-0x000000013F974000-memory.dmp
memory/2752-76-0x000000013F620000-0x000000013F974000-memory.dmp
memory/2964-72-0x000000013FA80000-0x000000013FDD4000-memory.dmp
memory/1804-71-0x000000013F090000-0x000000013F3E4000-memory.dmp
memory/2036-70-0x000000013F740000-0x000000013FA94000-memory.dmp
memory/2752-69-0x0000000002360000-0x00000000026B4000-memory.dmp
memory/2616-68-0x000000013F680000-0x000000013F9D4000-memory.dmp
C:\Windows\system\HHNGihY.exe
| MD5 | c8db09df69a75de47851874fa29057eb |
| SHA1 | 47fa0a35761c190c0c87cea003bbfd026040877b |
| SHA256 | ab22992f77e1e99081dc0f5da68c1167ec625668c84f75f13d7ca62585183b38 |
| SHA512 | 60367a3e43747499663649caf53bab93900ee2f5890b58d1f6805caaf98f38b5a034e2e6fdd778adf4d67cd7e7f892db9d8f4ff3f7b29454a2f8fdc52040edca |
C:\Windows\system\nYupmBU.exe
| MD5 | 609facbaaca3cd8563e5692251f9fc65 |
| SHA1 | 35b25c7cda22e1aa1d994e06d496a93395f7d529 |
| SHA256 | 1191f19b7ab9a8a779ccbc7220929591e8fadf8bab792f8960f18250d0a03cab |
| SHA512 | becf1f6b412c15486cc2c5361c4183cf21ad8679f198b93dd842ae18f11ef96eb27ad82d473c82853f7140e67e2bcf493a942b1dbeddf0956f149e528684e236 |
C:\Windows\system\AjgPayk.exe
| MD5 | 126f64a013f6cd2985b7ca6fba388bf9 |
| SHA1 | e1e2a0a0dd16f3be7979bd575e39e87bb7c52bc4 |
| SHA256 | 89a1f0ef5f061fc6fe52dcf1c6c554dca966cfcb694521adb1b20684f4a86dbc |
| SHA512 | 5aed9f40d0e354b2de5ecc4a49482e03e557d0c57916e5986670e2e09eeeb958c187ed1ecec49cddeeccde26e15fa00f6fe97328cb1c53b936fe58afc5efd4e0 |
memory/2764-47-0x000000013FDA0000-0x00000001400F4000-memory.dmp
memory/2752-30-0x0000000002360000-0x00000000026B4000-memory.dmp
C:\Windows\system\dOcyREd.exe
| MD5 | ef8e2ca7f9d986151af330b7289665a0 |
| SHA1 | fa983502689d74a55583c3bf8142dda25259dfff |
| SHA256 | 56ed4de85831a024b611d3ebf27ee75343f903dc026521eb8021230d2b7b5e0a |
| SHA512 | b9b42ef825deb6c6a013f951813de516fa23d11664d6ac131e97382e91d2471e4cacf3254e837af7e4f6a56585255115563c676d0706e52ba4c32b1a8c6ac930 |
memory/2752-21-0x000000013F6F0000-0x000000013FA44000-memory.dmp
\Windows\system\ZRsVyaD.exe
| MD5 | a0a66df9eed8396cfa7869532a812c67 |
| SHA1 | 66829482d2e7651dae20c12b77138cb256a460c0 |
| SHA256 | 29fe6d2b548b779c450895bc25bae4251f7eb46a4316ec33fe4941d4f172a200 |
| SHA512 | 40c4737cd297ca5da4096ebdfad088f075c37f88c7c721b002e75da34be2563d9bad5c4249d65d85fcf2b286e61ed2d94a8f2337475e2c0c7b1ac3b651f4d23f |
memory/596-59-0x000000013FD40000-0x0000000140094000-memory.dmp
memory/2752-55-0x000000013F090000-0x000000013F3E4000-memory.dmp
memory/2636-50-0x000000013F230000-0x000000013F584000-memory.dmp
memory/2752-44-0x000000013F740000-0x000000013FA94000-memory.dmp
memory/2628-41-0x000000013F400000-0x000000013F754000-memory.dmp
memory/2752-40-0x000000013F680000-0x000000013F9D4000-memory.dmp
memory/2832-39-0x000000013FAF0000-0x000000013FE44000-memory.dmp
C:\Windows\system\MRjiNuO.exe
| MD5 | d5d52392f6bc3c2367ff5eaab72b7eef |
| SHA1 | 66a12dc80f286c28ba54c688e1572645b9370afe |
| SHA256 | cc0bf06ebbeb90eba2af65d7c23e193e6b4e1bc121095848ff1876fee468ae40 |
| SHA512 | 0f55cb952bd147396eb3c3c71d4263ed316222605061421bc2c27f1da6feadaa53948bd381c3f9afa269f37961d0d827f1acb837295b4d59bf00694b46f4d9bb |
C:\Windows\system\DspdAnL.exe
| MD5 | 0f07ae94d8b5d2407f1530ea7622eaa5 |
| SHA1 | fa978c1c5446de2d6f0cf8cf11ef1c4533e7c5ab |
| SHA256 | 7d660e758d850eb2ef24c8c6ab9dabac52497fbf6d6f584917e11f818d21091b |
| SHA512 | 3e4bd2f336583f7127f15b89507aab379363f0e755b827fc70e0d4715e47521b8dbdd750f376513218bb7b81bfbd74ebac0224599555e035f3f9f2cf5376f205 |
memory/2752-10-0x000000013F480000-0x000000013F7D4000-memory.dmp
C:\Windows\system\JTJybSy.exe
| MD5 | 29996ecc6a7db31f2a94af2efdaf919c |
| SHA1 | a6dadd3072d37279f47d46740162a296a7a92dca |
| SHA256 | fff115db35dbed574aef8a1ec263bf653afd3c10fe7036f88872622c6e748a78 |
| SHA512 | b8645dab9798f0f6517535e1a4460f52489698b000a13b8fff65614fe415c2a13fee3bf49fcfa0e7f6c8c0e053ff10a50b69196d709fe41a6d4a4ae25b25e79b |
memory/2752-133-0x0000000002360000-0x00000000026B4000-memory.dmp
memory/1804-136-0x000000013F090000-0x000000013F3E4000-memory.dmp
memory/2964-137-0x000000013FA80000-0x000000013FDD4000-memory.dmp
memory/2036-135-0x000000013F740000-0x000000013FA94000-memory.dmp
memory/2616-134-0x000000013F680000-0x000000013F9D4000-memory.dmp
memory/2096-138-0x000000013F620000-0x000000013F974000-memory.dmp
memory/2520-139-0x000000013FE30000-0x0000000140184000-memory.dmp
memory/2516-140-0x000000013FE30000-0x0000000140184000-memory.dmp
memory/2800-141-0x000000013F480000-0x000000013F7D4000-memory.dmp
memory/2832-142-0x000000013FAF0000-0x000000013FE44000-memory.dmp
memory/2628-143-0x000000013F400000-0x000000013F754000-memory.dmp
memory/2636-145-0x000000013F230000-0x000000013F584000-memory.dmp
memory/2764-144-0x000000013FDA0000-0x00000001400F4000-memory.dmp
memory/2300-147-0x000000013F6F0000-0x000000013FA44000-memory.dmp
memory/596-146-0x000000013FD40000-0x0000000140094000-memory.dmp
memory/2516-148-0x000000013FE30000-0x0000000140184000-memory.dmp
memory/2096-149-0x000000013F620000-0x000000013F974000-memory.dmp
memory/2616-150-0x000000013F680000-0x000000013F9D4000-memory.dmp
memory/2036-151-0x000000013F740000-0x000000013FA94000-memory.dmp
memory/2520-154-0x000000013FE30000-0x0000000140184000-memory.dmp
memory/2964-153-0x000000013FA80000-0x000000013FDD4000-memory.dmp
memory/1804-152-0x000000013F090000-0x000000013F3E4000-memory.dmp