Analysis Overview
SHA256
6a58ba2ed9733230e539e9b630bf02e9090ed1eb6a7d1f0dbed90681b89b0fae
Threat Level: Known bad
The file 7921fefb99b3d5e667e5718e684b4c10N.exe was found to be: Known bad.
Malicious Activity Summary
XMRig Miner payload
xmrig
Cobaltstrike
Cobaltstrike family
Xmrig family
Cobalt Strike reflective loader
UPX packed file
Loads dropped DLL
Executes dropped EXE
Drops file in Windows directory
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-08-13 06:12
Signatures
Cobalt Strike reflective loader
1 match; no description, indicator, process or target details recorded.
Cobaltstrike family
XMRig Miner payload
1 match; no description, indicator, process or target details recorded.
Xmrig family
Note: both family hits are static matches on the same UPX-packed file and the report records no indicator detail for either. The detonations below show one behaviour consistently (a self-replicating dropper that enables SeLockMemoryPrivilege and contacts a single host on TCP/8080); confirm which family, or whether both, is actually present by unpacking the payload and checking for a beacon configuration or a miner configuration before propagating either family name as an IOC.
UPX packed file
1 match; no details recorded.
Unsigned PE
2 matches; no details recorded.
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-13 06:12
Reported
2024-08-13 06:15
Platform
win7-20240708-en
Max time kernel
117s
Max time network
120s
Command Line
Signatures
Cobalt Strike reflective loader
21 matches; no description, indicator, process or target details recorded.
Cobaltstrike
xmrig
XMRig Miner payload
41 matches; no description, indicator, process or target details recorded.
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\aFbXQxM.exe | N/A |
| N/A | N/A | C:\Windows\System\xnqhNHY.exe | N/A |
| N/A | N/A | C:\Windows\System\FLcOkDm.exe | N/A |
| N/A | N/A | C:\Windows\System\mZLnWfd.exe | N/A |
| N/A | N/A | C:\Windows\System\rBTxpGO.exe | N/A |
| N/A | N/A | C:\Windows\System\arXPlVP.exe | N/A |
| N/A | N/A | C:\Windows\System\cBZURLj.exe | N/A |
| N/A | N/A | C:\Windows\System\LCrMfNh.exe | N/A |
| N/A | N/A | C:\Windows\System\rroZmgH.exe | N/A |
| N/A | N/A | C:\Windows\System\wEWfEMs.exe | N/A |
| N/A | N/A | C:\Windows\System\stYeRar.exe | N/A |
| N/A | N/A | C:\Windows\System\IBNYIHH.exe | N/A |
| N/A | N/A | C:\Windows\System\yqwBTLJ.exe | N/A |
| N/A | N/A | C:\Windows\System\JDximkL.exe | N/A |
| N/A | N/A | C:\Windows\System\jfUQQWy.exe | N/A |
| N/A | N/A | C:\Windows\System\teGsXNX.exe | N/A |
| N/A | N/A | C:\Windows\System\qwhXxIV.exe | N/A |
| N/A | N/A | C:\Windows\System\HESHeCF.exe | N/A |
| N/A | N/A | C:\Windows\System\mhiKXfp.exe | N/A |
| N/A | N/A | C:\Windows\System\hHqlYYD.exe | N/A |
| N/A | N/A | C:\Windows\System\qBmrsCr.exe | N/A |
Loads dropped DLL
UPX packed file
64 matches; no description, indicator, process or target details recorded.
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7921fefb99b3d5e667e5718e684b4c10N.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7921fefb99b3d5e667e5718e684b4c10N.exe | N/A |
SeLockMemoryPrivilege is the right required to allocate large pages. XMRig enables it to back its RandomX dataset with large pages, so this entry corroborates the miner classification independently of the static matches above. Database engines also enable it legitimately, so treat it as a signal for processes running out of user-writable paths rather than as a standalone indicator.
Suspicious use of WriteProcessMemory
Processes
| Image | Command line |
| C:\Users\Admin\AppData\Local\Temp\7921fefb99b3d5e667e5718e684b4c10N.exe | "C:\Users\Admin\AppData\Local\Temp\7921fefb99b3d5e667e5718e684b4c10N.exe" |
| C:\Windows\System\aFbXQxM.exe | C:\Windows\System\aFbXQxM.exe |
| C:\Windows\System\xnqhNHY.exe | C:\Windows\System\xnqhNHY.exe |
| C:\Windows\System\FLcOkDm.exe | C:\Windows\System\FLcOkDm.exe |
| C:\Windows\System\mZLnWfd.exe | C:\Windows\System\mZLnWfd.exe |
| C:\Windows\System\rBTxpGO.exe | C:\Windows\System\rBTxpGO.exe |
| C:\Windows\System\arXPlVP.exe | C:\Windows\System\arXPlVP.exe |
| C:\Windows\System\cBZURLj.exe | C:\Windows\System\cBZURLj.exe |
| C:\Windows\System\LCrMfNh.exe | C:\Windows\System\LCrMfNh.exe |
| C:\Windows\System\rroZmgH.exe | C:\Windows\System\rroZmgH.exe |
| C:\Windows\System\wEWfEMs.exe | C:\Windows\System\wEWfEMs.exe |
| C:\Windows\System\stYeRar.exe | C:\Windows\System\stYeRar.exe |
| C:\Windows\System\IBNYIHH.exe | C:\Windows\System\IBNYIHH.exe |
| C:\Windows\System\yqwBTLJ.exe | C:\Windows\System\yqwBTLJ.exe |
| C:\Windows\System\JDximkL.exe | C:\Windows\System\JDximkL.exe |
| C:\Windows\System\jfUQQWy.exe | C:\Windows\System\jfUQQWy.exe |
| C:\Windows\System\teGsXNX.exe | C:\Windows\System\teGsXNX.exe |
| C:\Windows\System\qwhXxIV.exe | C:\Windows\System\qwhXxIV.exe |
| C:\Windows\System\HESHeCF.exe | C:\Windows\System\HESHeCF.exe |
| C:\Windows\System\mhiKXfp.exe | C:\Windows\System\mhiKXfp.exe |
| C:\Windows\System\hHqlYYD.exe | C:\Windows\System\hHqlYYD.exe |
| C:\Windows\System\qBmrsCr.exe | C:\Windows\System\qBmrsCr.exe |
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/2556-0-0x000000013F380000-0x000000013F6D1000-memory.dmp
memory/2556-1-0x00000000002F0000-0x0000000000300000-memory.dmp
\Windows\system\aFbXQxM.exe
| MD5 | f0247e1436d4815e2ef63201911c5883 |
| SHA1 | 4ca6244cb50b878e56e41b550e2cfadfb16256c1 |
| SHA256 | 200af33ae4427389cc052cee88d4445ad9e3500769b03526de979e7c4538c44b |
| SHA512 | 78347f6a7b050fd2c9c0a1eae889fcc2c0b9d87cef1e9675f1c1232f8213189a3230077d7e9c60e97a3878b3dba9d8be521b2ec17464daee7702d397d20282fc |
C:\Windows\system\xnqhNHY.exe
| MD5 | 08b721d8be6bcf0ea76f56aa5245d8ea |
| SHA1 | 9203ec4533e796aeeaf3834d3b04acd42c245f86 |
| SHA256 | eae93a0a3a32ac613c3cab0655d1fc8dcb1f8aad68a1da75376c49fab79f38c8 |
| SHA512 | d0d7f2e8ac5770acecedfa197f615e76c9403b61e070ba76424bd090eb9da25b09ba4f82c46c5edeecbaa57ccf64f6ecd1d284b7486450eec9c60f260193e331 |
C:\Windows\system\FLcOkDm.exe
| MD5 | 14b60556f3240c21ba7f66e493c90220 |
| SHA1 | f30c78eb57da0f4a4ddbd96b01c648812bef3d37 |
| SHA256 | 3e1ad6907e0c71173234ba97eb7fe0ede8a5b6239db6e07569da3f23f6e09da7 |
| SHA512 | e5003d9d4cf949d5b5c6ee2ea5dc30ad52b79593459fd9eb04125b476cac7f3281188a01508f38980317109df5edc2c21bf9052c973718f732caa9ae5efbd627 |
memory/2840-16-0x000000013F660000-0x000000013F9B1000-memory.dmp
memory/2556-15-0x0000000002220000-0x0000000002571000-memory.dmp
memory/612-11-0x000000013F0B0000-0x000000013F401000-memory.dmp
memory/2556-7-0x0000000002220000-0x0000000002571000-memory.dmp
memory/2556-18-0x0000000002220000-0x0000000002571000-memory.dmp
memory/2748-23-0x000000013F600000-0x000000013F951000-memory.dmp
\Windows\system\mZLnWfd.exe
| MD5 | e2c13907a60b985d2dd9e8cb931ec949 |
| SHA1 | 9357b8a364e303d323d228e50ebcc1bac46bede3 |
| SHA256 | cbd6a2d5dc507e326b1c420de12dd0d2d1587d72afeec297e2a0a2a9f30f3498 |
| SHA512 | 66e6270c4a3b2d912ad4762d0df316492193265c54c6166e3c35e0d91ebf2542fc607bfce3cbfeb2bf6c78030afb634e5dc30e6eec2fb9044d7829fd1414f1d1 |
memory/2616-29-0x000000013F7F0000-0x000000013FB41000-memory.dmp
\Windows\system\rBTxpGO.exe
| MD5 | b3afef3c28f21be165afe10901f3d629 |
| SHA1 | 152465f9b6b33c4eafe368e63c18a5bf1f25404c |
| SHA256 | b17e1086986af37fed35f3bfea7775a0d703aff8c59e838c800a54501899766e |
| SHA512 | d03e940bada7821b63f3ede4dc8463e2fd928b3e0fe08659d9f10773447b45f77624a04439dd883cb607a5fbf1d45fb880cce7ff604d257432c0349f74b3d3a8 |
\Windows\system\cBZURLj.exe
| MD5 | 96a1f2d8fa6e64e8c19c8669fe87e204 |
| SHA1 | 82806fed24dbffa63473ad6b079150ae479922fc |
| SHA256 | b3d791f8d9445e68220e50a7bbbbe6830437f24f0f7a5555b1682e94003843b6 |
| SHA512 | 327e802417732385525674156758b13b092264ee33cbae69e7b43172ea730a52fb801c2c4afc18d9c781ecc8641f1ff80bd535be04c30af960f23e350cf902b3 |
\Windows\system\arXPlVP.exe
| MD5 | af14ea71f849c0d376ea9d55f15ce896 |
| SHA1 | 3bee1518926410e815365820efabb395b393ed54 |
| SHA256 | af3e2c9320e5fe6d991f4cda4e6c8d27a545f4a02fb189dd90cc93e9c4917de6 |
| SHA512 | 21d12af3afcc3cb05d5d4e10339e38bffc9a051107fa3e5156d5d1f116853142b5f65ee1908241ae8e066cd8003197870f5427921fc25ada66410c0d33dda1c8 |
memory/2556-54-0x000000013F380000-0x000000013F6D1000-memory.dmp
memory/2556-56-0x000000013FAE0000-0x000000013FE31000-memory.dmp
memory/2808-57-0x000000013FAE0000-0x000000013FE31000-memory.dmp
memory/2556-60-0x000000013F7D0000-0x000000013FB21000-memory.dmp
\Windows\system\rroZmgH.exe
| MD5 | 366b336f3330d1825f4f7a09c3c1c29c |
| SHA1 | 9032ef8efd553bdbdcdff32231bbe99d61fa62f3 |
| SHA256 | 0530a27a80f48a31b5b9598593a9733ef17de7720ecbc574008034217858ddc2 |
| SHA512 | c54602b210ce9328a3bcb43a73b20958b058be29778cfc71b9074903d4690abbd00f66546b77389835c9153427d727a10a4f1f924d4f62937bac3d9cf9c2ad27 |
memory/612-55-0x000000013F0B0000-0x000000013F401000-memory.dmp
C:\Windows\system\LCrMfNh.exe
| MD5 | 939aa332d3db537c83421d29a102f0f6 |
| SHA1 | 3a500f5fdd6b7c07b90a016cdd89b2c1cbcc3592 |
| SHA256 | bf90ac6f689d4c239c8bd9231a78da3f57073ed96cd5e59c8f28ddcb179ea65a |
| SHA512 | 039425342a3ba7b23841392bc17595ff4d91166da9dcd405be90f8e10499f2a043248ed15b25d05722783b9e472fd7fe6d42515cac4f3f4c7f26bd53ecb20252 |
memory/2744-49-0x000000013FB40000-0x000000013FE91000-memory.dmp
memory/2556-48-0x000000013FB40000-0x000000013FE91000-memory.dmp
memory/2556-46-0x000000013FE50000-0x00000001401A1000-memory.dmp
memory/2644-45-0x000000013F830000-0x000000013FB81000-memory.dmp
memory/352-42-0x000000013FE50000-0x00000001401A1000-memory.dmp
memory/1708-65-0x000000013F7D0000-0x000000013FB21000-memory.dmp
\Windows\system\wEWfEMs.exe
| MD5 | 1a8d235f41b91d53b2d60e40d4470133 |
| SHA1 | d9e1d4e1773533c76437052d3d5c286c63670b2d |
| SHA256 | f0dedc2df7a567e6c0e44a0064e17f73fcf754d3f36ebc712f8973aa1627378b |
| SHA512 | 26c5683550d6dc2a10fcc980b0d5f6d74e32217779825a81ffdac4770473105f9fdf0b22e055d7bd486f6b719731ac56f1ae00275325adcb23d2c1698f07fa5c |
memory/2556-75-0x000000013FF10000-0x0000000140261000-memory.dmp
memory/2748-80-0x000000013F600000-0x000000013F951000-memory.dmp
memory/2556-79-0x000000013F990000-0x000000013FCE1000-memory.dmp
memory/2252-78-0x000000013F990000-0x000000013FCE1000-memory.dmp
memory/2140-77-0x000000013FF10000-0x0000000140261000-memory.dmp
\Windows\system\stYeRar.exe
| MD5 | bdc20104c0ebf6c5fafafe117eb44191 |
| SHA1 | 5975ca66f344fe457b161559fc3eb7669b5048c7 |
| SHA256 | 1d1096713fccba7c9a1911a178f1d982f04b08ab2c37a8d4715e7767873682f9 |
| SHA512 | a42d186726df348ca36395e22efb87b06b16b86bd5c0b7ba5626d300ac394e5ff29ec425dac28a9e969fbc0d6460e8f322a6bd2daea5b2d5e443bbdcca6997f1 |
C:\Windows\system\IBNYIHH.exe
| MD5 | df68fb3dbcc8993bdfdc76cb08a26a83 |
| SHA1 | 72be75fb9a6c14d5aff62473393930b5229664a7 |
| SHA256 | 3e07a3156b14a271b77bf8b94e8061310d5aaffb0a0f50795d0fea48c620b6ef |
| SHA512 | 094918c42e4c8a30125282703e77b3698d72e7d972b3b57e14cfec8dc982b8a1adeed3ccdead8262bebe3135129d2bd96d4b72a34683f51da16b2d9672f23ce7 |
memory/2068-88-0x000000013FA60000-0x000000013FDB1000-memory.dmp
memory/2556-87-0x000000013FA60000-0x000000013FDB1000-memory.dmp
memory/2616-86-0x000000013F7F0000-0x000000013FB41000-memory.dmp
C:\Windows\system\yqwBTLJ.exe
| MD5 | 6db3748d04660083d17d612371e846d2 |
| SHA1 | 6311722ac74b7f604cb4dcb728efb44767c2eb48 |
| SHA256 | facbe76d3c7505a166d87f51ba7c7602f4b14f6bc0724bb96c2ef04ae0d4beba |
| SHA512 | 0eedebd40e6bde06db5312207b005614079623975442ab628a6cf35a5d7015a64f33b8f3b01d90eafe192a644d88386bb03c7183d7930f5f0d98004cc2d986e0 |
memory/1964-96-0x000000013FEF0000-0x0000000140241000-memory.dmp
memory/2556-95-0x000000013FEF0000-0x0000000140241000-memory.dmp
C:\Windows\system\JDximkL.exe
| MD5 | 99b10b2a2605c07e167fc71ce9e690b4 |
| SHA1 | 7d119e71384e9a181131a086f1d436b6d95315ad |
| SHA256 | 2395ee53442e324c95ab181c6ffde3b0c5607d9e96f0bd97bb602ab86353fbd5 |
| SHA512 | ba910e6d89e110b506ae2791deb33415f6e2f63e33d4d46cdd0e53a5481dabb7f5f8d8bbdbd7bcdae46468c10590590997051ae3a944aba25d85c55d3910445e |
memory/2576-103-0x000000013FBD0000-0x000000013FF21000-memory.dmp
memory/2556-102-0x000000013FBD0000-0x000000013FF21000-memory.dmp
memory/352-93-0x000000013FE50000-0x00000001401A1000-memory.dmp
memory/2556-109-0x0000000002220000-0x0000000002571000-memory.dmp
C:\Windows\system\jfUQQWy.exe
| MD5 | 99baffce9ca2f664ab1d0cd3769680d4 |
| SHA1 | 232589fe87ba17b9fd8f6500eede3d4e6b2a10ec |
| SHA256 | 94a25847d67ea26962d4fc200f5914eba5664ab5bcacd65703fad1c01a4ea6ed |
| SHA512 | 2c286e4e29d609bb134e59af2313d7b68a6a9eddb70fd57752ff9bb9a1ebb6a4b4239a7f8ba4163682504dd98e4fc7cc29971b5db5eb023c2c5cea27b80f8306 |
C:\Windows\system\HESHeCF.exe
| MD5 | 64b93913a5498b01b2e7de73350da3c3 |
| SHA1 | 8c30d4d97f3cb36055e438c66be58aa7ea8ac357 |
| SHA256 | 1a0edddde86ef773da89bc8e041526da5b239c4a2fc5c421833cc4cdeab77155 |
| SHA512 | 4919688134b8988a59811df1655f7429b9dcd3fc9fed9727d6af9c0d4251b9f7bf076658706f340d21fce415cfe3775ca35b3ab3b675a86b46efca6e02fe850c |
\Windows\system\mhiKXfp.exe
| MD5 | d0bdcde31ac4a146c6d59c9c67a5f63f |
| SHA1 | 4a7d599ee5848e06ea1c9e02d4438ba91a19f98c |
| SHA256 | 880cb63f27d709c82da3496ad8c71ac5aa54a4351ed5578e666ecc515f65e71b |
| SHA512 | e89332dc89539bc2c2652ad653336bb5e8328dda77da538de4cabf677f805eedc841e163cab3bd605a50af0501155d28482d461a4480f534a71df1781f1066d2 |
\Windows\system\qBmrsCr.exe
| MD5 | aeec45eb530518e96fca45e388286988 |
| SHA1 | 588a2a17ce1a1d67acecddafcffa9f242c87f246 |
| SHA256 | dc0b61e6adcf128543958d852d6fee6810edb43cd4d82171eaf46dac8956023a |
| SHA512 | 16fbd3668226c5927b05c93abea8ce0565829e53544a2f22ef6e60c314990351d08d5183002dfaf263d27f399115d2a09a4eec56929124f39e53795eb330c183 |
C:\Windows\system\hHqlYYD.exe
| MD5 | 3f7001113fd071841ef3938998de8466 |
| SHA1 | 164f246f5149c1d7e8993bc71090b29745666f12 |
| SHA256 | 98e4be4a3fd6bbca4e7e57d63a591c34c0176e6f2a15d7fcbe4e5c7288d4e7d8 |
| SHA512 | bcd7471e959f2f649d49052cae03cbb2caa0e29eff1e86e048e78cf23d7eec17d7e040735c47ce2eb69445f8009af1b2d495b4b38e30bd026eb8b686508d965f |
C:\Windows\system\qwhXxIV.exe
| MD5 | 177112a6a57c92eb128a33ac98e525af |
| SHA1 | 463b8e1ee86061bd649a639d25c4a695898881bc |
| SHA256 | 5555b1498d6a668bfb6bf05cc939be0651d3159ded39967f0696ad983569e10c |
| SHA512 | 3e8a653e84dd2ca0043ac462baab05c1ea1b26a86a5db02c22eeed9d5fc19dc8a55023c8f5f7aaf4526b2f7e5a573ae1ec52279a59d8078c5515c2ff1f26b858 |
C:\Windows\system\teGsXNX.exe
| MD5 | e546a88bbbc79bce57a1f68c6723f2a0 |
| SHA1 | fef2703c7b53911af0acee72873a460e8a0c3127 |
| SHA256 | f16683f6cab1f28bd311fe880853d9c9daf0deef4a4411a0e6b0ce682de00e1e |
| SHA512 | 8b694c59c56b7b333bb416a0cc59cca58ce97629984843c891508e23497d0ae2048b0913f3365a8ecf440f003922de7284153bd3b46d1ac4cb7a70e4d7267ea0 |
memory/2556-139-0x000000013F380000-0x000000013F6D1000-memory.dmp
memory/2808-140-0x000000013FAE0000-0x000000013FE31000-memory.dmp
memory/2940-156-0x000000013F900000-0x000000013FC51000-memory.dmp
memory/2132-160-0x000000013F0A0000-0x000000013F3F1000-memory.dmp
memory/2556-162-0x000000013FF10000-0x0000000140261000-memory.dmp
memory/688-161-0x000000013F5C0000-0x000000013F911000-memory.dmp
memory/2920-159-0x000000013F520000-0x000000013F871000-memory.dmp
memory/2184-158-0x000000013FEE0000-0x0000000140231000-memory.dmp
memory/2956-157-0x000000013FBF0000-0x000000013FF41000-memory.dmp
memory/2676-155-0x000000013F650000-0x000000013F9A1000-memory.dmp
memory/2556-163-0x000000013F380000-0x000000013F6D1000-memory.dmp
memory/2556-173-0x000000013FA60000-0x000000013FDB1000-memory.dmp
memory/2556-177-0x000000013FEF0000-0x0000000140241000-memory.dmp
memory/2556-187-0x000000013FBD0000-0x000000013FF21000-memory.dmp
memory/2556-188-0x0000000002220000-0x0000000002571000-memory.dmp
memory/612-217-0x000000013F0B0000-0x000000013F401000-memory.dmp
memory/2840-219-0x000000013F660000-0x000000013F9B1000-memory.dmp
memory/2748-221-0x000000013F600000-0x000000013F951000-memory.dmp
memory/2616-223-0x000000013F7F0000-0x000000013FB41000-memory.dmp
memory/352-225-0x000000013FE50000-0x00000001401A1000-memory.dmp
memory/2644-227-0x000000013F830000-0x000000013FB81000-memory.dmp
memory/2744-229-0x000000013FB40000-0x000000013FE91000-memory.dmp
memory/2808-231-0x000000013FAE0000-0x000000013FE31000-memory.dmp
memory/1708-236-0x000000013F7D0000-0x000000013FB21000-memory.dmp
memory/2140-238-0x000000013FF10000-0x0000000140261000-memory.dmp
memory/2252-240-0x000000013F990000-0x000000013FCE1000-memory.dmp
memory/2068-242-0x000000013FA60000-0x000000013FDB1000-memory.dmp
memory/1964-251-0x000000013FEF0000-0x0000000140241000-memory.dmp
memory/2576-253-0x000000013FBD0000-0x000000013FF21000-memory.dmp
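The memory dump names above carry more information than they appear to. Every dropped copy in this detonation (and in behavioral2 below) maps a region of exactly 0x351000 bytes, the parent PID 2556 dumps that same size at several addresses including ranges identical to its children's images, and yet all 21 dropped files have distinct hashes. The following script, added here as an example and not part of the report or of any sandbox tooling, parses a representative subset of the dump names copied from this section, groups regions by size and PID, and lists the ranges the parent shares with its children; the naming scheme memory/<pid>-<seq>-<start>-<end>-memory.dmp is inferred from the names themselves.

```python
"""Parse sandbox memory-dump names and compare regions across processes.
Added example: the dump names are copied from the behavioral1 Files
section of this report (a representative subset); the name layout
memory/<pid>-<seq>-<start>-<end>-memory.dmp is inferred from them."""
import re
from collections import Counter

DUMPS = [
    "memory/2556-0-0x000000013F380000-0x000000013F6D1000-memory.dmp",
    "memory/2556-1-0x00000000002F0000-0x0000000000300000-memory.dmp",
    "memory/2556-7-0x0000000002220000-0x0000000002571000-memory.dmp",
    "memory/612-11-0x000000013F0B0000-0x000000013F401000-memory.dmp",
    "memory/2840-16-0x000000013F660000-0x000000013F9B1000-memory.dmp",
    "memory/2748-23-0x000000013F600000-0x000000013F951000-memory.dmp",
    "memory/352-42-0x000000013FE50000-0x00000001401A1000-memory.dmp",
    "memory/2556-46-0x000000013FE50000-0x00000001401A1000-memory.dmp",
    "memory/2556-56-0x000000013FAE0000-0x000000013FE31000-memory.dmp",
    "memory/2808-57-0x000000013FAE0000-0x000000013FE31000-memory.dmp",
]

DUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-"
    r"0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)


def parse_dump(name):
    """Split one dump name into pid, sequence number, address range and size."""
    m = DUMP_RE.match(name)
    if m is None:
        raise ValueError(f"unexpected dump name: {name}")
    start, end = int(m["start"], 16), int(m["end"], 16)
    return {"pid": int(m["pid"]), "seq": int(m["seq"]),
            "start": start, "end": end, "size": end - start}


def region_size_histogram(names):
    """How many dumps exist of each region size."""
    return Counter(parse_dump(n)["size"] for n in names)


def image_sized_pids(names, size):
    """PIDs that own at least one dump of exactly `size` bytes."""
    return sorted({d["pid"] for d in map(parse_dump, names) if d["size"] == size})


def ranges_shared_with_parent(names, parent_pid):
    """Child dump ranges that the parent also dumped at the identical
    address: the parent held a copy of the child's image in its own
    address space, which is what the WriteProcessMemory signature reflects."""
    parsed = [parse_dump(n) for n in names]
    parent = {(d["start"], d["end"]) for d in parsed if d["pid"] == parent_pid}
    return sorted(
        (d["pid"], d["start"], d["end"])
        for d in parsed
        if d["pid"] != parent_pid and (d["start"], d["end"]) in parent
    )


if __name__ == "__main__":
    for size, n in sorted(region_size_histogram(DUMPS).items()):
        print(f"{n:3d} dump(s) of 0x{size:X} bytes")
    print("PIDs with a 0x351000 image:", image_sized_pids(DUMPS, 0x351000))
    print("child ranges also dumped from the parent:",
          [(p, hex(s), hex(e)) for p, s, e in ranges_shared_with_parent(DUMPS, 2556)])
```

The practical consequence: the unpacked payload is the same size in every process, so a memory-based YARA rule or a dump of any one child is representative of all of them, while the on-disk hashes are per-copy and make poor IOCs; the path pattern and the behaviour are the durable indicators.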
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-13 06:12
Reported
2024-08-13 06:15
Platform
win10v2004-20240802-en
Max time kernel
112s
Max time network
124s
Command Line
Signatures
Cobalt Strike reflective loader
21 matches; no description, indicator, process or target details recorded.
Cobaltstrike
xmrig
XMRig Miner payload
46 matches; no description, indicator, process or target details recorded.
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\gaXqBqx.exe | N/A |
| N/A | N/A | C:\Windows\System\mMdhRaC.exe | N/A |
| N/A | N/A | C:\Windows\System\PnmYKYt.exe | N/A |
| N/A | N/A | C:\Windows\System\mhSQMrA.exe | N/A |
| N/A | N/A | C:\Windows\System\XLNnfND.exe | N/A |
| N/A | N/A | C:\Windows\System\nSgyVkn.exe | N/A |
| N/A | N/A | C:\Windows\System\wOThBqt.exe | N/A |
| N/A | N/A | C:\Windows\System\xZOEhhg.exe | N/A |
| N/A | N/A | C:\Windows\System\vMYDyYL.exe | N/A |
| N/A | N/A | C:\Windows\System\cNxEWVy.exe | N/A |
| N/A | N/A | C:\Windows\System\ItEFcPh.exe | N/A |
| N/A | N/A | C:\Windows\System\kZkUzIh.exe | N/A |
| N/A | N/A | C:\Windows\System\LHkYHWh.exe | N/A |
| N/A | N/A | C:\Windows\System\OVQryvw.exe | N/A |
| N/A | N/A | C:\Windows\System\ZkqLPrK.exe | N/A |
| N/A | N/A | C:\Windows\System\LijAtXU.exe | N/A |
| N/A | N/A | C:\Windows\System\Xxtxxyf.exe | N/A |
| N/A | N/A | C:\Windows\System\CxUPuAZ.exe | N/A |
| N/A | N/A | C:\Windows\System\MkGsJRE.exe | N/A |
| N/A | N/A | C:\Windows\System\QoijMRg.exe | N/A |
| N/A | N/A | C:\Windows\System\NoudIQg.exe | N/A |
UPX packed file
64 matches; no description, indicator, process or target details recorded.
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7921fefb99b3d5e667e5718e684b4c10N.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7921fefb99b3d5e667e5718e684b4c10N.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Image | Command line |
| C:\Users\Admin\AppData\Local\Temp\7921fefb99b3d5e667e5718e684b4c10N.exe | "C:\Users\Admin\AppData\Local\Temp\7921fefb99b3d5e667e5718e684b4c10N.exe" |
| C:\Windows\System\gaXqBqx.exe | C:\Windows\System\gaXqBqx.exe |
| C:\Windows\System\mMdhRaC.exe | C:\Windows\System\mMdhRaC.exe |
| C:\Windows\System\PnmYKYt.exe | C:\Windows\System\PnmYKYt.exe |
| C:\Windows\System\mhSQMrA.exe | C:\Windows\System\mhSQMrA.exe |
| C:\Windows\System\XLNnfND.exe | C:\Windows\System\XLNnfND.exe |
| C:\Windows\System\nSgyVkn.exe | C:\Windows\System\nSgyVkn.exe |
| C:\Windows\System\wOThBqt.exe | C:\Windows\System\wOThBqt.exe |
| C:\Windows\System\xZOEhhg.exe | C:\Windows\System\xZOEhhg.exe |
| C:\Windows\System\vMYDyYL.exe | C:\Windows\System\vMYDyYL.exe |
| C:\Windows\System\cNxEWVy.exe | C:\Windows\System\cNxEWVy.exe |
| C:\Windows\System\kZkUzIh.exe | C:\Windows\System\kZkUzIh.exe |
| C:\Windows\System\ItEFcPh.exe | C:\Windows\System\ItEFcPh.exe |
| C:\Windows\System\LHkYHWh.exe | C:\Windows\System\LHkYHWh.exe |
| C:\Windows\System\OVQryvw.exe | C:\Windows\System\OVQryvw.exe |
| C:\Windows\System\ZkqLPrK.exe | C:\Windows\System\ZkqLPrK.exe |
| C:\Windows\System\LijAtXU.exe | C:\Windows\System\LijAtXU.exe |
| C:\Windows\System\Xxtxxyf.exe | C:\Windows\System\Xxtxxyf.exe |
| C:\Windows\System\CxUPuAZ.exe | C:\Windows\System\CxUPuAZ.exe |
| C:\Windows\System\QoijMRg.exe | C:\Windows\System\QoijMRg.exe |
| C:\Windows\System\MkGsJRE.exe | C:\Windows\System\MkGsJRE.exe |
| C:\Windows\System\NoudIQg.exe | C:\Windows\System\NoudIQg.exe |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 74.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 192.142.123.92.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 45.19.74.20.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
Only 3.120.209.58:8080 should be attributed to the sample: it is the one destination common to both detonations and the only one with no domain. The in-addr.arpa reverse lookups and the tse1.mm.bing.net traffic are typical Windows 10 background activity in the sandbox and do not belong in an IOC list.
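The behaviour recorded in both detonations reduces to three host-side signals: a randomly named EXE created and executed under C:\Windows\System (the legacy Windows\System directory, not System32), a connection to 3.120.209.58:8080, and SeLockMemoryPrivilege being enabled by a process running from a user-writable path. The script below, added here as an example and not part of the report or of any vendor product, turns those into rules and runs them over constructed events; the field names follow Sysmon event IDs 1 and 3 and Windows Security event 4703, and the events themselves are made up for the demo. File hashes are deliberately left out, since the dropped copies in this report all have distinct hashes.

```python
"""Triage rules derived from the behaviour recorded in this report, run over
constructed Sysmon/Security-log style events. Added example, not part of
the sandbox report or of any vendor tooling."""
import re

# Dropped copies in both detonations are C:\Windows\System\<7 letters>.exe
# (the legacy Windows\System directory, never System32).
DROPPED_IMAGE = re.compile(r"^C:\\Windows\\System\\[A-Za-z]{7}\.exe$", re.IGNORECASE)
# The one destination both detonations contacted.
KNOWN_DESTINATIONS = {("3.120.209.58", 8080)}
# Privilege the sample enabled; XMRig requests it for large-page memory.
# Database engines enable it legitimately, so images under System32 are
# ignored here and further tuning is left to the reader.
MINER_PRIVILEGES = {"SeLockMemoryPrivilege"}

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\7921fefb99b3d5e667e5718e684b4c10N.exe"

# Constructed events (not taken from the report). Field names follow Sysmon
# EventID 1 (process create), EventID 3 (network connect) and Security
# event 4703 (token right adjusted, EnabledPrivilegeList).
EVENTS = [
    {"EventID": 1, "Image": SAMPLE, "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System\aFbXQxM.exe", "ParentImage": SAMPLE},
    {"EventID": 1, "Image": r"C:\Windows\System\xnqhNHY.exe", "ParentImage": SAMPLE},
    {"EventID": 1, "Image": r"C:\Windows\System32\svchost.exe",
     "ParentImage": r"C:\Windows\System32\services.exe"},
    {"EventID": 3, "Image": r"C:\Windows\System\aFbXQxM.exe",
     "DestinationIp": "3.120.209.58", "DestinationPort": 8080},
    {"EventID": 3, "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "DestinationIp": "150.171.27.10", "DestinationPort": 443},
    {"EventID": 4703, "Image": SAMPLE, "EnabledPrivilegeList": "SeLockMemoryPrivilege"},
    {"EventID": 4703, "Image": r"C:\Windows\System32\lsass.exe",
     "EnabledPrivilegeList": "SeTcbPrivilege"},
]


def rule_dropped_image(ev):
    r"""Process creation of a randomly named EXE directly in C:\Windows\System."""
    if ev["EventID"] == 1 and DROPPED_IMAGE.match(ev["Image"]):
        return ("dropped_exe_in_windows_system", ev["Image"])
    return None


def rule_known_destination(ev):
    """Network connection to the address seen in both detonations."""
    if ev["EventID"] == 3 and (ev["DestinationIp"], ev["DestinationPort"]) in KNOWN_DESTINATIONS:
        return ("known_destination", f'{ev["DestinationIp"]}:{ev["DestinationPort"]}')
    return None


def rule_lock_memory_privilege(ev):
    """SeLockMemoryPrivilege enabled by a process whose image is outside System32."""
    if ev["EventID"] != 4703:
        return None
    privs = {p.strip() for p in ev["EnabledPrivilegeList"].split(",")}
    if privs & MINER_PRIVILEGES and not ev["Image"].lower().startswith("c:\\windows\\system32\\"):
        return ("lock_memory_privilege", ev["Image"])
    return None


RULES = (rule_dropped_image, rule_known_destination, rule_lock_memory_privilege)


def triage(events):
    """Apply every rule to every event and return the (rule, detail) hits."""
    hits = []
    for ev in events:
        for rule in RULES:
            hit = rule(ev)
            if hit is not None:
                hits.append(hit)
    return hits


if __name__ == "__main__":
    for rule_name, detail in triage(EVENTS):
        print(f"{rule_name:32s} {detail}")
```

The image-path rule is the one worth keeping long term: the destination IP will rotate, and the privilege rule needs an allow-list on hosts that run database engines, but a seven-letter random EXE being written to and executed from C:\Windows\System has no benign explanation on a workstation.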
Files
memory/4512-0-0x00007FF697C60000-0x00007FF697FB1000-memory.dmp
memory/4512-1-0x000001C74C7D0000-0x000001C74C7E0000-memory.dmp
C:\Windows\System\gaXqBqx.exe
| MD5 | 7675fc4d458d8464dafbb07c2edd6a08 |
| SHA1 | 08335787f0ff33ffc2731620b0031ee3d55373de |
| SHA256 | 4a5decff52d8daa9e5432be6243c7747e5033332a21bfa64c72ebd66c3e4585f |
| SHA512 | 30a50c45b4d1cd257d6f8964dd45d0c915a0f08893003078702aaf2bdb0cfee287a1be6519f3dbd979c01fb7ef82d4a00bcbe805250c8fe91fd8062e1d341cd2 |
C:\Windows\System\PnmYKYt.exe
| MD5 | 55c3f86c061357d2497e1947eb15250f |
| SHA1 | d17a12f67bea909183d1cad6cb042d8b50191e8c |
| SHA256 | 68aa6cd64ebcaaed37f12d8746f934e6c568e98e0b9afbcd351eec955c44f5fa |
| SHA512 | c9ba3ca799aa03d27720913ccf8fa1141e02c75f5477d2374093b8ea38cdd4f40056f0f72fdf4a581ccbb5ca580de9adb01ecf2d341ca7f98a340e490a053afa |
C:\Windows\System\mhSQMrA.exe
| MD5 | 0469570f748a8eaad8754a22d9c8a7d0 |
| SHA1 | 1eb43e63e6532acf144bb0267337b68f3db18d64 |
| SHA256 | afb5cdb24601c0b176316feca0fad3f916ca251534e4bb470bf664d69dabe539 |
| SHA512 | ffb30a4034787885b04fbf7cfa78cb001c27f9a81d2c8e7f36138cf8e365fda6e0b532c0312b4c624bce4ba9d96525d29ac672e5e9b3c866cbb0663c5cc139de |
C:\Windows\System\XLNnfND.exe
| MD5 | 0aba0e28ccf5ed5714b4ee280b62bb1d |
| SHA1 | 9ecb8e6c46f1d43aa40b6c7be71d384392add8b6 |
| SHA256 | 9ae1b07a214daf44a164e1aa84b992e9bc0c7fba5db589ea3b165269d8573242 |
| SHA512 | 5445817056ddbc719eb58f11ab958088b108efdfb37dced8628c3def252f43bde1dfed0cce79112a761ccc8c30f13035b5505654ccca88419699c748498fc390 |
memory/1104-30-0x00007FF702A10000-0x00007FF702D61000-memory.dmp
memory/1540-27-0x00007FF6BA9E0000-0x00007FF6BAD31000-memory.dmp
memory/1212-25-0x00007FF720F50000-0x00007FF7212A1000-memory.dmp
memory/3040-15-0x00007FF7E1D80000-0x00007FF7E20D1000-memory.dmp
C:\Windows\System\mMdhRaC.exe
| MD5 | 8784d1e95deea603651494a25542b409 |
| SHA1 | 9c4ddeb96f0c5df4b1e6c4a7f3ee62c5c0f4d651 |
| SHA256 | 13664e8f40a17586538e71fda415eaf39ba92bd4281da2320977e52119b45640 |
| SHA512 | f7fd1dd6a561432328725e598f29ad291c360ae58930bde76474e4f0aa54cb37c58ec30789b1cafefa468b92d88822e76d5274b41d56c071d2d7b8de92186914 |
memory/4968-8-0x00007FF6CFF30000-0x00007FF6D0281000-memory.dmp
C:\Windows\System\wOThBqt.exe
| MD5 | a9810692530df4a8d2e95ae8d60172cc |
| SHA1 | bbd77e0ae95742251ec29480260718675a326398 |
| SHA256 | f251b88caefd05fee87683ae2945406c1d0daf8bec8d3cc4926513c82f2caa61 |
| SHA512 | 1fc689da8fed86fb23bb3aa9cc11d3974906f44b272fa4dfe12775cf048a2f5e8bf359566f6f23b64a3f5abfc793fc587c49ea6da50df68bd6d82adf1c32aaaf |
C:\Windows\System\vMYDyYL.exe
| MD5 | d490487482a9418e7cc64035bd5ad2c8 |
| SHA1 | 7388f2ab235918ed98e5eb6f403d288300ee309f |
| SHA256 | 5dcb39fe235d437913ad10ac7f4ef0ba1e06ebb887226beddd8ed1a9ef14047d |
| SHA512 | 1c626bda69e237a00b34777b1149f9951c599dcda2c01c21a4d304f70a5fd95574ee412898ddc2a16ab0bb471eea9b0e6fecfb90f66e9a9ec9c80a1720e6a96f |
C:\Windows\System\cNxEWVy.exe
| MD5 | 2eab3c374fa55da61763549fbe0c2db8 |
| SHA1 | 204cb5f0407e4507a672441e7f6cfb648d2ccfdd |
| SHA256 | a65117da6f29d84e238f17feb148a5f9b344890df4b66d4493f1c76b1f5ca612 |
| SHA512 | 6ba6ea823ce5ac3f2a2f988ed66dcfe047c6f2131bd6965ca0c034d8ae9482af848a9e8cdc53546df137649f2b90e6e63f533176f1747d823671c963202122d3 |
memory/4512-58-0x00007FF697C60000-0x00007FF697FB1000-memory.dmp
memory/4968-70-0x00007FF6CFF30000-0x00007FF6D0281000-memory.dmp
memory/2236-74-0x00007FF74A6B0000-0x00007FF74AA01000-memory.dmp
C:\Windows\System\kZkUzIh.exe
| MD5 | df3e29904c72bdd872e2f202675e111e |
| SHA1 | 025b66536a3bbd066da958d6fbdeb3e0105b8937 |
| SHA256 | e1abc19dbb75b00ffa087a8f1fccc06a075b1ddb1a850c85537a4fb4b51bf984 |
| SHA512 | bca5a0b2452361f0ceb818f91e626e736fe713c5cad3317255a39f74cb6ea5c607a2a9fcafba8ddf3d33380e98aba00d591e383e187badf5dacf87fea0249d18 |
C:\Windows\System\ItEFcPh.exe
| MD5 | 47a746db7e736a9327431265d1e524ac |
| SHA1 | 05f09ec03479a824ac296a295d100aa29b1832af |
| SHA256 | 01e51b9132ebcacab3ee50ecb91164f2823cfe4417a71ca454a4275bd35bc494 |
| SHA512 | bdd52bd4521d2d0c3cc7a43ca0a48172a39a2f4a81ebc99a143e72a78b344a8c7080dc255fc4b87e89f979bc736e2d1e4782846b92d48397482edda8d88200b9 |
memory/4748-71-0x00007FF7778A0000-0x00007FF777BF1000-memory.dmp
memory/2896-64-0x00007FF73D630000-0x00007FF73D981000-memory.dmp
memory/5040-57-0x00007FF615CB0000-0x00007FF616001000-memory.dmp
memory/3592-55-0x00007FF7A7FE0000-0x00007FF7A8331000-memory.dmp
memory/5084-48-0x00007FF7CEAE0000-0x00007FF7CEE31000-memory.dmp
C:\Windows\System\xZOEhhg.exe
| MD5 | f711ee969224eadca2b0abeb830a2ac0 |
| SHA1 | a17d9f87fe16ae985ccd2ab90e3ce3abfca88d41 |
| SHA256 | 1932be587e21919a436f38067294f9a4f939a252202c60f2ffd934595d0aadf7 |
| SHA512 | ebd40065f4afc9c54fe491d92bfab25d52204f39b60606e3aa7b2af9e1721540818cd3161081cfff2e1dad8907e262f7daa722925f6263d649b56fd1decc983d |
memory/4628-43-0x00007FF7840E0000-0x00007FF784431000-memory.dmp
C:\Windows\System\nSgyVkn.exe
| MD5 | fa123946de865bb79e331663e30cccc3 |
| SHA1 | 762801e217788d16c1965150e9b40713e9ce70d5 |
| SHA256 | 4001a8172ded75276ae5562421d43fd1a556edf9c46175c38276e59db77949b4 |
| SHA512 | 22b0d27866fec36cfd1bed7c0b7113848b7b8cd262c754e19c304d79dcd5bb8bb2cfb27a512ced483ee61d6e5fe4dae2b9fb4014fc121eef8919a7fe760eedfd |
C:\Windows\System\LijAtXU.exe
| MD5 | 3afc4aaa9d9835d2e8b0e0e2895c985e |
| SHA1 | 7774cb35f9cffa8eeadf3ba92d9e1f4571a20e8e |
| SHA256 | e2337f4e1d5b552604e0c9eaf9d3cd1aec557c1b568945164a1814ad8b96806b |
| SHA512 | 709521d0afd50d2815f0d382e81743896400b37c0561ffe1a16bdda87fd542b2a0f4caf3d0168aa906427845b948d9d8839671a912303709dd2194cb11ce95d1 |
C:\Windows\System\Xxtxxyf.exe
| MD5 | c0b685593b44b3b6f37641f7bd661813 |
| SHA1 | 05bb5bbc5000bd700a21cb3dabfc9aac6d12b842 |
| SHA256 | 79ee5ce902083e5463d2676842e8fe3857a9b90363e39b81c405a5b10112cad8 |
| SHA512 | a16a791d22db36241b89711b749a43dcf709016afbf2fbfd7c3e13164be15fea6eb2ccd48eb1cfaa63b0165a4167b35933aa1d124bf1ab4e3578d208c02bcfcc |
memory/3592-115-0x00007FF7A7FE0000-0x00007FF7A8331000-memory.dmp
memory/1808-122-0x00007FF6C25F0000-0x00007FF6C2941000-memory.dmp
C:\Windows\System\MkGsJRE.exe
| MD5 | 95378b55ed32350c4f6ce9f467d6ad7f |
| SHA1 | 4bc1852a29aeb61b7b4cdfd58080630d86ed8ba4 |
| SHA256 | 909962bf969c122f2dc4c91905dea071634c305b6f9e7fff8bb562f1ebf49e85 |
| SHA512 | f42e3342aa9f4b0c0a0c0207829960e2dbc671eb50eebf784b0ecabb25297f810ad1b5d67ca1bea112be0925ae352f04d2c5e742bb38c1b73d5704ddc350ec06 |
memory/2540-129-0x00007FF662500000-0x00007FF662851000-memory.dmp
C:\Windows\System\NoudIQg.exe
| MD5 | d5d8ae75ef99a065d3058de50c174014 |
| SHA1 | ad42a1abf46e0200c116b9d3b861a1ad3121306a |
| SHA256 | 206682021d5c4963dbdb720062a37137e8e01a77368132a40deada784327fab3 |
| SHA512 | 0fdf3ab8437825b0d7a239210f06661bcc24201f911eec053dbacdf190ede1b81fca44cbe312b5b39b52ae8c5fbe8e875d59ca640f80335092b12ac2cc458e3e |
C:\Windows\System\QoijMRg.exe
| MD5 | 1eac2db3f2c4a0bbe9c9a3ec16776a9b |
| SHA1 | e1f9422b1833f9a8fbdcbe1fb057243a01abd738 |
| SHA256 | 5823e48d6218c31fb42ea6747825fc9880dfd8cd0dfd54df54e391a1bfe395b7 |
| SHA512 | e587a82abd33c4cb85a21bc741cc512fcfadea92386c1f72d7a0fd03fc760abccdf66615e509160079e7262a0ef2ac1d9055f4ab753f3a210dd3769742da0695 |
memory/3244-127-0x00007FF7F0080000-0x00007FF7F03D1000-memory.dmp
memory/5104-126-0x00007FF76BDE0000-0x00007FF76C131000-memory.dmp
memory/5040-123-0x00007FF615CB0000-0x00007FF616001000-memory.dmp
C:\Windows\System\CxUPuAZ.exe
| MD5 | 31785c90f902874d03fee4d360096473 |
| SHA1 | ed53ef94942c25229e510c6c41195f484c8ad5d0 |
| SHA256 | a6602637e01ee924524948af85f0750e2becb8ac29e75484f0c95fe847f06b5d |
| SHA512 | 9bb102a072cbecdc68c8b6f7bebace4bc706deb70a1166b874fb620f9c05f3343f45a053d110f2f2b79ac3185b5f6cd7f445013add1306c2fafb53900bf4a5c9 |
memory/3236-114-0x00007FF67A4C0000-0x00007FF67A811000-memory.dmp
memory/4884-104-0x00007FF7C0FE0000-0x00007FF7C1331000-memory.dmp
memory/4628-99-0x00007FF7840E0000-0x00007FF784431000-memory.dmp
C:\Windows\System\ZkqLPrK.exe
| MD5 | fede65f1e1152df878edd20ef9de9353 |
| SHA1 | 3d2df06ac6693b66f95fd987b5a571510614fb0a |
| SHA256 | 1fad2239bb6fd86cacd5c28c921be0be8617e603a1a85b3df229b08b2f221127 |
| SHA512 | fb4b33539900784661526488fe6cdbe7404eadbdbaf2cecba014edabb88dbf3b9106b603639cbc9ea1cf729d85bf0bd0f693ee747a624f4b6f666e4c5150a34f |
memory/940-95-0x00007FF71B210000-0x00007FF71B561000-memory.dmp
memory/1104-93-0x00007FF702A10000-0x00007FF702D61000-memory.dmp
memory/4812-89-0x00007FF799830000-0x00007FF799B81000-memory.dmp
memory/5108-91-0x00007FF7065D0000-0x00007FF706921000-memory.dmp
C:\Windows\System\OVQryvw.exe
| MD5 | 158e510316487603fca6cd886e8e0021 |
| SHA1 | 01112f55a7cda84f9ff223b9ff4072e2fa89f82b |
| SHA256 | fc12cc9154c45b2bc3acb6b66ca9f07817c71889814bf7c6022d98c081f8b6f3 |
| SHA512 | 1b630e2a6dc2253cd529681575953c0dfe79e5ed2c6f71c51b5d54708e8470c45e4724ea5d58700e871b44c33e9945b804995b73d4a8d88ee2e0f8204482906b |
C:\Windows\System\LHkYHWh.exe
| MD5 | 92f75e707f62f7bca84eafd32c8df114 |
| SHA1 | 5760943d473c4e861b80b5979fc6b9fc74209907 |
| SHA256 | 2bb576ca9f86e5315b87049a50b571ce9618c24f56aaf8983c72cfbc572ae2dd |
| SHA512 | 2995073798c3e1a701ba1f296028bd7fbd59ed318f64925e87f56a2967a89ab226292a1e8a8edb1897c9006034c97270df799252387651872a5f1ed32e9d429e |
memory/4512-134-0x00007FF697C60000-0x00007FF697FB1000-memory.dmp
memory/2236-145-0x00007FF74A6B0000-0x00007FF74AA01000-memory.dmp
memory/2896-144-0x00007FF73D630000-0x00007FF73D981000-memory.dmp
memory/4748-146-0x00007FF7778A0000-0x00007FF777BF1000-memory.dmp
memory/940-149-0x00007FF71B210000-0x00007FF71B561000-memory.dmp
memory/1808-152-0x00007FF6C25F0000-0x00007FF6C2941000-memory.dmp
memory/5104-153-0x00007FF76BDE0000-0x00007FF76C131000-memory.dmp
memory/3244-155-0x00007FF7F0080000-0x00007FF7F03D1000-memory.dmp
memory/4884-150-0x00007FF7C0FE0000-0x00007FF7C1331000-memory.dmp
memory/3236-151-0x00007FF67A4C0000-0x00007FF67A811000-memory.dmp
memory/4512-156-0x00007FF697C60000-0x00007FF697FB1000-memory.dmp
memory/4968-201-0x00007FF6CFF30000-0x00007FF6D0281000-memory.dmp
memory/3040-213-0x00007FF7E1D80000-0x00007FF7E20D1000-memory.dmp
memory/1212-215-0x00007FF720F50000-0x00007FF7212A1000-memory.dmp
memory/1540-217-0x00007FF6BA9E0000-0x00007FF6BAD31000-memory.dmp
memory/1104-219-0x00007FF702A10000-0x00007FF702D61000-memory.dmp
memory/4628-221-0x00007FF7840E0000-0x00007FF784431000-memory.dmp
memory/5084-223-0x00007FF7CEAE0000-0x00007FF7CEE31000-memory.dmp
memory/3592-225-0x00007FF7A7FE0000-0x00007FF7A8331000-memory.dmp
memory/5040-227-0x00007FF615CB0000-0x00007FF616001000-memory.dmp
memory/2896-229-0x00007FF73D630000-0x00007FF73D981000-memory.dmp
memory/4748-242-0x00007FF7778A0000-0x00007FF777BF1000-memory.dmp
memory/2236-244-0x00007FF74A6B0000-0x00007FF74AA01000-memory.dmp
memory/5108-247-0x00007FF7065D0000-0x00007FF706921000-memory.dmp
memory/4812-248-0x00007FF799830000-0x00007FF799B81000-memory.dmp
memory/3236-250-0x00007FF67A4C0000-0x00007FF67A811000-memory.dmp
memory/940-252-0x00007FF71B210000-0x00007FF71B561000-memory.dmp
memory/4884-254-0x00007FF7C0FE0000-0x00007FF7C1331000-memory.dmp
memory/1808-256-0x00007FF6C25F0000-0x00007FF6C2941000-memory.dmp
memory/5104-258-0x00007FF76BDE0000-0x00007FF76C131000-memory.dmp
memory/2540-260-0x00007FF662500000-0x00007FF662851000-memory.dmp
memory/3244-263-0x00007FF7F0080000-0x00007FF7F03D1000-memory.dmp
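The listing above mixes dropped-file hash rows with memory-dump references, which is awkward to feed into blocklists or a hunt by hand. The following helper is an added example, not part of the sandbox report or its tooling: it parses a pasted excerpt in exactly the form shown (a `C:\...\*.exe` path followed by `| MD5 | ... |` style rows, interleaved with `memory/<pid>-<n>-0x<start>-0x<end>-memory.dmp` lines), validates digest lengths, de-duplicates memory regions per PID, and reports the distinct region sizes. The sample input is a handful of lines copied from the excerpt; the full listing can be pasted in the same way. Every region in the excerpt spans 0x351000 bytes, which is what you would expect if each spawned process maps the same image, and the size check makes that visible instead of leaving it to eyeballing hex.

```python
import re
from collections import defaultdict

# Constructed sample: a few lines copied verbatim from the report excerpt above.
SAMPLE = r"""
C:\Windows\System\cNxEWVy.exe
| MD5 | 2eab3c374fa55da61763549fbe0c2db8 |
| SHA1 | 204cb5f0407e4507a672441e7f6cfb648d2ccfdd |
| SHA256 | a65117da6f29d84e238f17feb148a5f9b344890df4b66d4493f1c76b1f5ca612 |
memory/4512-58-0x00007FF697C60000-0x00007FF697FB1000-memory.dmp
memory/4968-70-0x00007FF6CFF30000-0x00007FF6D0281000-memory.dmp
C:\Windows\System\kZkUzIh.exe
| MD5 | df3e29904c72bdd872e2f202675e111e |
| SHA256 | e1abc19dbb75b00ffa087a8f1fccc06a075b1ddb1a850c85537a4fb4b51bf984 |
memory/4512-134-0x00007FF697C60000-0x00007FF697FB1000-memory.dmp
"""

PATH_RE = re.compile(r"^[A-Za-z]:\\.+\.exe$")
HASH_RE = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9a-fA-F]+)\s*\|$")
DUMP_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}


def parse_report(text):
    """Return (files, regions).

    files:   {path: {algo: hexdigest}} for each dropped file in the excerpt
    regions: {pid: {(start, end), ...}} with duplicate dump references collapsed
    """
    files = {}
    regions = defaultdict(set)
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if PATH_RE.match(line):
            current = line
            files.setdefault(current, {})
            continue
        m = HASH_RE.match(line)
        if m:
            algo, digest = m.group(1), m.group(2).lower()
            if len(digest) != HASH_LEN[algo]:
                raise ValueError(f"{algo} digest has wrong length: {line}")
            if current is None:
                raise ValueError(f"hash row before any file path: {line}")
            files[current][algo] = digest
            continue
        m = DUMP_RE.match(line)
        if m:
            pid = int(m.group(1))
            start, end = int(m.group(3), 16), int(m.group(4), 16)
            if end <= start:
                raise ValueError(f"inverted memory range: {line}")
            regions[pid].add((start, end))
    return files, dict(regions)


def region_sizes(regions):
    """Distinct (end - start) sizes across all dumped regions; one value means uniform."""
    return sorted({end - start for ranges in regions.values() for start, end in ranges})


def sha256_iocs(files):
    """Sorted SHA256 values suitable for a blocklist or hunt query."""
    return sorted(h["SHA256"] for h in files.values() if "SHA256" in h)


if __name__ == "__main__":
    files, regions = parse_report(SAMPLE)
    for path, hashes in files.items():
        print(path, hashes.get("SHA256", "<no sha256>"))
    print("PIDs with dumped regions:", sorted(regions))
    print("distinct region sizes:", [hex(s) for s in region_sizes(regions)])
```

Paste the whole dropped-file section into `SAMPLE` (or read it from a file) and the SHA256 list goes straight into an EDR blocklist, while any second value in `region_sizes` flags a process whose mapping differs from the rest and deserves a closer look.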