Analysis Overview
SHA256
893e03e3c0a1ab9c7d6824aa11929c6173ff3093168e9e95d4e537e77f2ea499
Threat Level: Known bad
The file 893e03e3c0a1ab9c7d6824aa11929c6173ff3093168e9e95d4e537e77f2ea499 was found to be: Known bad.
Malicious Activity Summary
XMRig Miner payload
Xmrig family
Cobaltstrike family
Cobalt Strike reflective loader
Cobaltstrike
xmrig
Loads dropped DLL
Executes dropped EXE
UPX packed file
Drops file in Windows directory
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Analysis: static1
Detonation Overview
Reported
2024-08-13 11:59
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Cobaltstrike family
XMRig Miner payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Xmrig family
UPX packed file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-13 11:59
Reported
2024-08-13 12:01
Platform
win7-20240704-en
Max time kernel
142s
Max time network
145s
Command Line
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Cobaltstrike
xmrig
XMRig Miner payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\System\FDbORFg.exe | N/A |
| N/A | N/A | C:\Windows\System\FyTswzv.exe | N/A |
| N/A | N/A | C:\Windows\System\ScChGSj.exe | N/A |
| N/A | N/A | C:\Windows\System\bFvbRAV.exe | N/A |
| N/A | N/A | C:\Windows\System\miuOklf.exe | N/A |
| N/A | N/A | C:\Windows\System\hHVAvhw.exe | N/A |
| N/A | N/A | C:\Windows\System\hDubFHT.exe | N/A |
| N/A | N/A | C:\Windows\System\gtLAdJu.exe | N/A |
| N/A | N/A | C:\Windows\System\DSTdhHp.exe | N/A |
| N/A | N/A | C:\Windows\System\fKaqsiY.exe | N/A |
| N/A | N/A | C:\Windows\System\ESOSHkN.exe | N/A |
| N/A | N/A | C:\Windows\System\rrMrjyL.exe | N/A |
| N/A | N/A | C:\Windows\System\BYclDhl.exe | N/A |
| N/A | N/A | C:\Windows\System\BMLHSyO.exe | N/A |
| N/A | N/A | C:\Windows\System\WekvNYl.exe | N/A |
| N/A | N/A | C:\Windows\System\sQWVKbP.exe | N/A |
| N/A | N/A | C:\Windows\System\DBWrxvk.exe | N/A |
| N/A | N/A | C:\Windows\System\ghiAeza.exe | N/A |
| N/A | N/A | C:\Windows\System\rQDeivU.exe | N/A |
| N/A | N/A | C:\Windows\System\gMuDfkn.exe | N/A |
| N/A | N/A | C:\Windows\System\OtAfELt.exe | N/A |
Loads dropped DLL
UPX packed file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\893e03e3c0a1ab9c7d6824aa11929c6173ff3093168e9e95d4e537e77f2ea499.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\893e03e3c0a1ab9c7d6824aa11929c6173ff3093168e9e95d4e537e77f2ea499.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\893e03e3c0a1ab9c7d6824aa11929c6173ff3093168e9e95d4e537e77f2ea499.exe
"C:\Users\Admin\AppData\Local\Temp\893e03e3c0a1ab9c7d6824aa11929c6173ff3093168e9e95d4e537e77f2ea499.exe"
C:\Windows\System\FDbORFg.exe
C:\Windows\System\FDbORFg.exe
C:\Windows\System\FyTswzv.exe
C:\Windows\System\FyTswzv.exe
C:\Windows\System\hDubFHT.exe
C:\Windows\System\hDubFHT.exe
C:\Windows\System\ScChGSj.exe
C:\Windows\System\ScChGSj.exe
C:\Windows\System\DSTdhHp.exe
C:\Windows\System\DSTdhHp.exe
C:\Windows\System\bFvbRAV.exe
C:\Windows\System\bFvbRAV.exe
C:\Windows\System\fKaqsiY.exe
C:\Windows\System\fKaqsiY.exe
C:\Windows\System\miuOklf.exe
C:\Windows\System\miuOklf.exe
C:\Windows\System\ESOSHkN.exe
C:\Windows\System\ESOSHkN.exe
C:\Windows\System\hHVAvhw.exe
C:\Windows\System\hHVAvhw.exe
C:\Windows\System\rrMrjyL.exe
C:\Windows\System\rrMrjyL.exe
C:\Windows\System\gtLAdJu.exe
C:\Windows\System\gtLAdJu.exe
C:\Windows\System\BYclDhl.exe
C:\Windows\System\BYclDhl.exe
C:\Windows\System\BMLHSyO.exe
C:\Windows\System\BMLHSyO.exe
C:\Windows\System\WekvNYl.exe
C:\Windows\System\WekvNYl.exe
C:\Windows\System\sQWVKbP.exe
C:\Windows\System\sQWVKbP.exe
C:\Windows\System\DBWrxvk.exe
C:\Windows\System\DBWrxvk.exe
C:\Windows\System\ghiAeza.exe
C:\Windows\System\ghiAeza.exe
C:\Windows\System\rQDeivU.exe
C:\Windows\System\rQDeivU.exe
C:\Windows\System\gMuDfkn.exe
C:\Windows\System\gMuDfkn.exe
C:\Windows\System\OtAfELt.exe
C:\Windows\System\OtAfELt.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/2752-0-0x000000013F350000-0x000000013F6A1000-memory.dmp
memory/2752-1-0x00000000000F0000-0x0000000000100000-memory.dmp
C:\Windows\system\ScChGSj.exe
| MD5 | a38cdc6d038db7076efa3901851e8166 |
| SHA1 | 9d207583dd78b97d3cb63b308a9f2b0abad85d50 |
| SHA256 | e0fbd6373f7d24ed256fe900f9d0b1bf6ce6bb9018e4971701ea80063d52651b |
| SHA512 | f0d0529335aebbe4d75d9a12c1369f2776796b610422f95780991cacba7177fe71f1330390cd53078728d8a41f4b2d72a5bb78bf96ed492339781b49b5557fc9 |
\Windows\system\gtLAdJu.exe
| MD5 | 4cce6ee7ed281828a049602944b8644d |
| SHA1 | c2b8a6ecb3b3793616033845230cd72ab2e2f534 |
| SHA256 | c4361383f054f50b51253c9a8e21d040711d84f41326cf1110ae4e49581a05ad |
| SHA512 | 77e00b7c3eff2fbd1ed736ca86cfc9aae4e83141c2ada4012d1ffefa763579e08382b39a623b839eadc12ac8d400dcd7d9d8bf7fdc095d4b6edfa0d213338fed |
memory/2752-14-0x00000000023B0000-0x0000000002701000-memory.dmp
memory/2844-54-0x000000013F880000-0x000000013FBD1000-memory.dmp
C:\Windows\system\hHVAvhw.exe
| MD5 | 0eecbe84a6ec23ef3fab70303f333ac2 |
| SHA1 | 817e5af025743c9d91ac704e260ebf55101af7ab |
| SHA256 | 72aee72c0d6b05640a47842626cf1025bd7fcc4a5bf17a956c431652b79d544b |
| SHA512 | 68b50d0a6e1027b1ac825034ff78823690a94adb5cc79e3308935fa89390c73406fae96fc44093761fe674c43166565e8ccb939868614b73c1bc66bc99dc2b7b |
C:\Windows\system\miuOklf.exe
| MD5 | 21569a504803662a0388d33af34810d0 |
| SHA1 | be26898b1c822603a5d372b29fa7deca65792e83 |
| SHA256 | b0aa96846060981580467de1774a858ccdada306ea8ea91b759a54171f17a1f6 |
| SHA512 | 9cbdef75bf906c6968f7e647ffb5dbe9ba9aef2989507334630e4eea478978a86bd4f8d4f9cf4c83420b0c420362bb579fccbdeff957d479665ae0761653d3b0 |
memory/2752-29-0x000000013FE40000-0x0000000140191000-memory.dmp
memory/2832-39-0x000000013F220000-0x000000013F571000-memory.dmp
C:\Windows\system\sQWVKbP.exe
| MD5 | 6efaa11da4dafa23d4bd34673d36c596 |
| SHA1 | 6d8c32590214e2e8e0cbd2edb189f7d2e26f8a26 |
| SHA256 | 6fca6fab2d75df09695c592d418986c45c62ae9bfc8840416e943b5417729c8b |
| SHA512 | 2c746e489badccb2a366675471c00f8b4368026ec15858d954e2d79ddb279539a9afceed4866fde1c92f4cf1d33645ef2243c3fc86646502499ee5d6615474ca |
\Windows\system\gMuDfkn.exe
| MD5 | 5879539f996310f25d13e65f62a7bbfe |
| SHA1 | 492377a99e66e5b5b3bb5778183a33d1f27566af |
| SHA256 | dba0f2ca1c55783e51943acea0f0b1e01644e903ca5dc657ce287a357c77b63c |
| SHA512 | 489da99543bee493c659eaef67136c3aed2e2f4fa761f14421efb15feff9cb3f0951eb7765c11c1c7b546d3a738c3009fb1257dbe4635b3b4d3167dd55657b9a |
\Windows\system\OtAfELt.exe
| MD5 | 40018ac6cfc9beb9e78f75df0b2c96f4 |
| SHA1 | 3351952be25d41376794dbca23395deb9953265e |
| SHA256 | f3ce0052b131c668953551ed00851b3d95988e44c5e704e640b4bdbeedbb7285 |
| SHA512 | 504b8b6e4f352d62939ec38d29a7f92b31fc7f8e35e1c3ab6f0e7f19e338148f3f3d4ce57b0fe30b6f9e386fe382d388e3908d5b28b3bf01732f6968ab9e1493 |
C:\Windows\system\rQDeivU.exe
| MD5 | 404968c6440d7756d7540a6e888f46a2 |
| SHA1 | 8b61494cc00b958d20f3dd090c42efa1f16ed148 |
| SHA256 | 60118bfa74a48f0e3755d0b9f00d1ef2198e74fc24826a0af25ce95e7815f81e |
| SHA512 | d867d1f2308ce9a2dea92673e2775555c3c6f2300987e0c7fa77e42852807010eaa059a876b13e9add1d7440cf6bc3ad8475cd92166c8c6b0af3f02c15c23aba |
C:\Windows\system\DBWrxvk.exe
| MD5 | 522ced9a3e86c4bbc5cbb63bee2f6b38 |
| SHA1 | 7fb072c12949d4e28dacc9e12e9a08c3dcc1eddd |
| SHA256 | e0b88f57eef3185a6c949a93ee397eb91b17cf22269fd521459d7922314e0fc0 |
| SHA512 | d638cfaae599430a60db05f69719cee8a45f65428e1851c0c4f0ed1eea7485113d23899a5cf0ec7c611775a4e2a68212e9a048e63b12f816ff954533bc12beb4 |
C:\Windows\system\ghiAeza.exe
| MD5 | a038714d541f2def256a01f9df9645f0 |
| SHA1 | 38c9d6b175f3a07d64a4981d3de2aa27cd1bd2ae |
| SHA256 | 3384825c669c971e4174cb66a69d119b78115c2ad8fd16b008302473fbd4537b |
| SHA512 | 935490a71849ae9ae0292d9d5b9119c39a8030fcaea806557a1e10d31b01a3e3e8c5e93394bb79253c2a020a0de7f99e3e653f0aca01ded26733229f6154ce54 |
memory/2752-103-0x000000013FFF0000-0x0000000140341000-memory.dmp
C:\Windows\system\WekvNYl.exe
| MD5 | f11372932e76e7e648f1a4d6bd9c6bd1 |
| SHA1 | ff38d26f66918541bf5471a798e627b8533b30f7 |
| SHA256 | c5ea52918f63b380922595a58bdd8cceac796ba526f3a68b5aa92c7aebe6672d |
| SHA512 | 475f2a48712912509267c850a5fe97008793298299594ec25c2738e68b1136dbf81bc540ba8115cb729304da14b12dbba34cad3e1c8eaac369b6da81c6a560db |
memory/580-90-0x000000013FC10000-0x000000013FF61000-memory.dmp
C:\Windows\system\BYclDhl.exe
| MD5 | 717e3113a79637fc4f76309e39b9317e |
| SHA1 | fda9aaa6ec8f6467a20220d2348757f1acd7d5a2 |
| SHA256 | 0377adb8b312bd4e8836fd5a2d1f4ca65bf53fa55f26c3923679fe4f664e8778 |
| SHA512 | a37487214e5701c14c0478f0d5b02362406ab391500ac3e2bcb053da977a1b66937ea42c61f7272c5a65ba6a1a94680eb5863a192f400d7a603382fbd2b7cf3c |
memory/2576-97-0x000000013F320000-0x000000013F671000-memory.dmp
memory/2752-134-0x000000013F350000-0x000000013F6A1000-memory.dmp
memory/2752-96-0x00000000023B0000-0x0000000002701000-memory.dmp
memory/2280-85-0x000000013F050000-0x000000013F3A1000-memory.dmp
C:\Windows\system\rrMrjyL.exe
| MD5 | adff4bda999e3926632a20ef19a4437d |
| SHA1 | 1b20a44f6a6cd1e38f8ed15db925005b22d45c37 |
| SHA256 | f7e399f14b72d65c95cdb4d28a097e573d9c6545f2ff6f94efdbd058351d9cd3 |
| SHA512 | ca245ca485804b26a2b1bae054e4de021755073ecfc8b93cc13f32842bbe0bbf91d0a223cdcfc0e820cc67d648fca413945cc70f6f11b1b74094ae6daddfdcc2 |
memory/2672-82-0x000000013FAF0000-0x000000013FE41000-memory.dmp
memory/2596-81-0x000000013FAE0000-0x000000013FE31000-memory.dmp
C:\Windows\system\ESOSHkN.exe
| MD5 | 15c1050076ea99da1a91cec4835f654d |
| SHA1 | 1842ad6485339451a94fce07574da8ee3eec7411 |
| SHA256 | bebccdfbd7d41e25daf69febe528ac27ea119a32f56e9b7930159247564ec65c |
| SHA512 | ce3bd6d9b9fd7c7cd8822584cb3d6687ec8a375aadd3f40bdc49a4fdc21d3585a7483189ec4e33eda5cbfea65c4e81b7b392d388ae00e907acddf400d2b54dea |
C:\Windows\system\fKaqsiY.exe
| MD5 | 76a19057e9f90a66dacfe577843e5d45 |
| SHA1 | 148329ce77faaf35c8331277deb514d6a5fcd380 |
| SHA256 | 1afeb191a629a4f429a03ee5e5d01a9211b4811899dd9e25eee6114763e5786a |
| SHA512 | 100c1e67b94ed2a518ea41e47b23503384e1fd034380c0fc650e15c44b22eb857cf7330f6338adf372eb3729186677a2988af8042c6da098d618036bc5a2c7ee |
memory/2980-77-0x000000013FE40000-0x0000000140191000-memory.dmp
memory/788-76-0x000000013FD20000-0x0000000140071000-memory.dmp
memory/2888-75-0x000000013F700000-0x000000013FA51000-memory.dmp
memory/2752-74-0x00000000023B0000-0x0000000002701000-memory.dmp
memory/2752-73-0x00000000023B0000-0x0000000002701000-memory.dmp
C:\Windows\system\DSTdhHp.exe
| MD5 | 1326f359be4a08360068dc071f2f4d67 |
| SHA1 | 5962c0f6530de8b351b7bc50e0abd9230f00354e |
| SHA256 | dbfc0f5b3dea5c5a6bd2eaca79eff1c567e50f9ae9d2dd441f04af069e04fda1 |
| SHA512 | 49758c71beeb88a584ad0befe00e54ce7803083cba8e717694b6bf5af8978e39b7d04a6ef2b1e138e180f225363e888e1336c140c692d26face531c40b70fcd0 |
memory/2752-71-0x00000000023B0000-0x0000000002701000-memory.dmp
memory/2752-70-0x000000013F880000-0x000000013FBD1000-memory.dmp
memory/2752-69-0x000000013FC10000-0x000000013FF61000-memory.dmp
memory/848-67-0x000000013F160000-0x000000013F4B1000-memory.dmp
memory/2624-66-0x000000013F650000-0x000000013F9A1000-memory.dmp
memory/2752-65-0x000000013FD20000-0x0000000140071000-memory.dmp
memory/2752-64-0x00000000023B0000-0x0000000002701000-memory.dmp
memory/2752-63-0x000000013FAF0000-0x000000013FE41000-memory.dmp
memory/2752-60-0x000000013FAE0000-0x000000013FE31000-memory.dmp
C:\Windows\system\hDubFHT.exe
| MD5 | d80249b7664d1fb9d26f05119f70cf90 |
| SHA1 | 5ccaa2718639327caff60722d18231928c9f61fb |
| SHA256 | 9a320d108c8106b61848ba22840e1d5b0bb643f03929a488692b910ffeb81d3f |
| SHA512 | 411d9dac6df0594b8987393c231f02682c3afffa2d3bf25b9852e86d3b4be31f9bb5dc9d69d48a63fd50c00d90f10dad5c1511a34bddb9900301dcfa85abb58c |
memory/2816-56-0x000000013F040000-0x000000013F391000-memory.dmp
memory/2832-136-0x000000013F220000-0x000000013F571000-memory.dmp
memory/2800-135-0x000000013FA50000-0x000000013FDA1000-memory.dmp
C:\Windows\system\BMLHSyO.exe
| MD5 | 974b6be12acbee78037890b930bedf3d |
| SHA1 | b1872bdcf0675b1bfc823137fce15b9f6c9349a8 |
| SHA256 | 58060dfa265d20551a333529a8da8030dfe54b70bf24a8ccca68d68cd6bbb6a7 |
| SHA512 | abab7a42b2d8e4d84caab6be56d7f16c789497566d9a83136e28ca1d3f496c4affb16410f2947c21e5f0dff46e3f3e261361bc8c18b2d1f9b4584994f27b6272 |
memory/2800-21-0x000000013FA50000-0x000000013FDA1000-memory.dmp
C:\Windows\system\bFvbRAV.exe
| MD5 | b840cf39ae4cec4ca384dcef99292b15 |
| SHA1 | 105d2fb6067c9d1f10df61c61af744a819fe2c2e |
| SHA256 | c0fd2caa7b0797097837f3805c552cbf6fc07a97c71113919ca7ab59ad177a8e |
| SHA512 | 4bdfd2daedf795acabcdad979abb42a0cba0f22820cb431bb3dea2e70e602c66bb4ecd8b748a58939c2a4a2bb57389a4a69fab73bbf8c85290e7a12a4e1b200b |
C:\Windows\system\FyTswzv.exe
| MD5 | bedc5960b4de52aceb51829a15e11a85 |
| SHA1 | 249b3e05cb2e6838443f3109c8bf2de20df4084d |
| SHA256 | f051d47d21c8e54b45b4178a0455c4f3f6359ef021e01796b710db6a1ab7545e |
| SHA512 | 9121f69419d92fb09a149712e8e3e81d15b24bf3ec50d6af5ba42d629e28945ef8914c62ea077ae2984d3912229d3472bbff876b1d2dfefeb396a9aca5a4dbc1 |
C:\Windows\system\FDbORFg.exe
| MD5 | c77758a32bf07c84b7cb24fa3c7aae73 |
| SHA1 | 6c8ba050741a7e9564bfdc622a5711cb28c647fd |
| SHA256 | 9bdcc4cec1ebbe48374406f7131ec3202c8b2980849b150e157d81dece02eb87 |
| SHA512 | 05e752ac7372ad1f3f724ced1f5a6d4299573b6ae3b800049b79da4dc14b2f68ad23fac15cd808eef13866258ca3ad70eae4ff24ba8cc83b0cb702ccd865c073 |
memory/2752-9-0x000000013FA50000-0x000000013FDA1000-memory.dmp
memory/2752-138-0x000000013FC10000-0x000000013FF61000-memory.dmp
memory/2752-139-0x000000013F350000-0x000000013F6A1000-memory.dmp
memory/2980-144-0x000000013FE40000-0x0000000140191000-memory.dmp
memory/2280-150-0x000000013F050000-0x000000013F3A1000-memory.dmp
memory/580-152-0x000000013FC10000-0x000000013FF61000-memory.dmp
memory/2596-146-0x000000013FAE0000-0x000000013FE31000-memory.dmp
memory/2864-158-0x000000013F570000-0x000000013F8C1000-memory.dmp
memory/3020-156-0x000000013FC70000-0x000000013FFC1000-memory.dmp
memory/2904-160-0x000000013FCC0000-0x0000000140011000-memory.dmp
memory/1796-159-0x000000013F0A0000-0x000000013F3F1000-memory.dmp
memory/2928-157-0x000000013FF70000-0x00000001402C1000-memory.dmp
memory/2908-155-0x000000013FFD0000-0x0000000140321000-memory.dmp
memory/2684-154-0x000000013FFF0000-0x0000000140341000-memory.dmp
memory/2576-153-0x000000013F320000-0x000000013F671000-memory.dmp
memory/2752-161-0x000000013F350000-0x000000013F6A1000-memory.dmp
memory/2752-183-0x00000000023B0000-0x0000000002701000-memory.dmp
memory/2800-207-0x000000013FA50000-0x000000013FDA1000-memory.dmp
memory/2816-232-0x000000013F040000-0x000000013F391000-memory.dmp
memory/2624-236-0x000000013F650000-0x000000013F9A1000-memory.dmp
memory/2832-234-0x000000013F220000-0x000000013F571000-memory.dmp
memory/2844-230-0x000000013F880000-0x000000013FBD1000-memory.dmp
memory/848-238-0x000000013F160000-0x000000013F4B1000-memory.dmp
memory/2888-240-0x000000013F700000-0x000000013FA51000-memory.dmp
memory/788-242-0x000000013FD20000-0x0000000140071000-memory.dmp
memory/2672-244-0x000000013FAF0000-0x000000013FE41000-memory.dmp
memory/2596-246-0x000000013FAE0000-0x000000013FE31000-memory.dmp
memory/2280-248-0x000000013F050000-0x000000013F3A1000-memory.dmp
memory/580-250-0x000000013FC10000-0x000000013FF61000-memory.dmp
memory/2576-252-0x000000013F320000-0x000000013F671000-memory.dmp
memory/2980-261-0x000000013FE40000-0x0000000140191000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-13 11:59
Reported
2024-08-13 12:01
Platform
win10v2004-20240802-en
Max time kernel
147s
Max time network
150s
Command Line
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Cobaltstrike
xmrig
XMRig Miner payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\System\InDujYZ.exe | N/A |
| N/A | N/A | C:\Windows\System\RhMAyak.exe | N/A |
| N/A | N/A | C:\Windows\System\QvdGWZW.exe | N/A |
| N/A | N/A | C:\Windows\System\AcgrbtU.exe | N/A |
| N/A | N/A | C:\Windows\System\btQYChs.exe | N/A |
| N/A | N/A | C:\Windows\System\pnYakYi.exe | N/A |
| N/A | N/A | C:\Windows\System\dOaOfii.exe | N/A |
| N/A | N/A | C:\Windows\System\EpgKhoJ.exe | N/A |
| N/A | N/A | C:\Windows\System\yuNhoKH.exe | N/A |
| N/A | N/A | C:\Windows\System\thmJwlZ.exe | N/A |
| N/A | N/A | C:\Windows\System\NDsIWlG.exe | N/A |
| N/A | N/A | C:\Windows\System\gTHrJrl.exe | N/A |
| N/A | N/A | C:\Windows\System\HZAwXvf.exe | N/A |
| N/A | N/A | C:\Windows\System\dSRmYdl.exe | N/A |
| N/A | N/A | C:\Windows\System\VKVtImV.exe | N/A |
| N/A | N/A | C:\Windows\System\BoDZRDS.exe | N/A |
| N/A | N/A | C:\Windows\System\UKjaTQP.exe | N/A |
| N/A | N/A | C:\Windows\System\edEInXg.exe | N/A |
| N/A | N/A | C:\Windows\System\cqDqZVl.exe | N/A |
| N/A | N/A | C:\Windows\System\owchThs.exe | N/A |
| N/A | N/A | C:\Windows\System\ZnICEWK.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\893e03e3c0a1ab9c7d6824aa11929c6173ff3093168e9e95d4e537e77f2ea499.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\893e03e3c0a1ab9c7d6824aa11929c6173ff3093168e9e95d4e537e77f2ea499.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\893e03e3c0a1ab9c7d6824aa11929c6173ff3093168e9e95d4e537e77f2ea499.exe
"C:\Users\Admin\AppData\Local\Temp\893e03e3c0a1ab9c7d6824aa11929c6173ff3093168e9e95d4e537e77f2ea499.exe"
C:\Windows\System\InDujYZ.exe
C:\Windows\System\InDujYZ.exe
C:\Windows\System\RhMAyak.exe
C:\Windows\System\RhMAyak.exe
C:\Windows\System\QvdGWZW.exe
C:\Windows\System\QvdGWZW.exe
C:\Windows\System\AcgrbtU.exe
C:\Windows\System\AcgrbtU.exe
C:\Windows\System\btQYChs.exe
C:\Windows\System\btQYChs.exe
C:\Windows\System\dOaOfii.exe
C:\Windows\System\dOaOfii.exe
C:\Windows\System\pnYakYi.exe
C:\Windows\System\pnYakYi.exe
C:\Windows\System\EpgKhoJ.exe
C:\Windows\System\EpgKhoJ.exe
C:\Windows\System\yuNhoKH.exe
C:\Windows\System\yuNhoKH.exe
C:\Windows\System\thmJwlZ.exe
C:\Windows\System\thmJwlZ.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=3988,i,5469445176230119590,7931734017267321834,262144 --variations-seed-version --mojo-platform-channel-handle=4304 /prefetch:8
C:\Windows\System\NDsIWlG.exe
C:\Windows\System\NDsIWlG.exe
C:\Windows\System\gTHrJrl.exe
C:\Windows\System\gTHrJrl.exe
C:\Windows\System\HZAwXvf.exe
C:\Windows\System\HZAwXvf.exe
C:\Windows\System\dSRmYdl.exe
C:\Windows\System\dSRmYdl.exe
C:\Windows\System\VKVtImV.exe
C:\Windows\System\VKVtImV.exe
C:\Windows\System\BoDZRDS.exe
C:\Windows\System\BoDZRDS.exe
C:\Windows\System\UKjaTQP.exe
C:\Windows\System\UKjaTQP.exe
C:\Windows\System\edEInXg.exe
C:\Windows\System\edEInXg.exe
C:\Windows\System\cqDqZVl.exe
C:\Windows\System\cqDqZVl.exe
C:\Windows\System\owchThs.exe
C:\Windows\System\owchThs.exe
C:\Windows\System\ZnICEWK.exe
C:\Windows\System\ZnICEWK.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 13.107.21.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 237.21.107.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 146.177.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 106.246.116.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/1332-0-0x00007FF675030000-0x00007FF675381000-memory.dmp
memory/1332-1-0x000001CC64610000-0x000001CC64620000-memory.dmp
C:\Windows\System\InDujYZ.exe
| MD5 | b2f87a19c2d4efb6576725b568e70728 |
| SHA1 | af860345bc457acd278f92ff9865c4b6dc9d2ed1 |
| SHA256 | bac957e190659dabd59f68883ce81526308cc4f9ccf0571177a0c5a8fa717f8b |
| SHA512 | 73241af549a896e28c0391c2afef49cb4ffbcc01edc3be8b795e64f66ff8ff120a593398ea541ee839674163d4c4cc9e24954cc03ddc6a6f65d8a4d27b84c4a8 |
C:\Windows\System\RhMAyak.exe
| MD5 | 3b5ba3f139df0ba5103ef2573bfde6be |
| SHA1 | 7bb4f24b7dfc9504dc4d144f90ee1a6f2bdd53ec |
| SHA256 | dc5c4417da80c7bd6a72c0fb64f0eb18a80308daaaa9fd33db1178f7b6469270 |
| SHA512 | 99be993faa848b9d5923fe7b198745d400425fdf8387fecc362b222242cdbb586845c192ad12a9a20b6dbcfc5ea43ebef762d8a9dafa0928507367f1e72d7d40 |
C:\Windows\System\QvdGWZW.exe
| MD5 | 40f9bf4ef08bcbea34eb5976db1d8680 |
| SHA1 | 2dc03de5cd3a3326e4ad4c942f1b72305bf3aed1 |
| SHA256 | d4b2a112db95be4d8b0ee8a2e8ff1bef31508be74c2a48e7460ccd466cdf7120 |
| SHA512 | b8a06330ff2ad041ac9be4ff5c12231ad78634b2eed65b82cf7298848eac9b9e281788481211124b6fe16077444cdc69942d0cf1a7c92c00ed7a0259001d357f |
C:\Windows\System\AcgrbtU.exe
| MD5 | ba17bebed7acdb5df99912c6a795a63a |
| SHA1 | 68ede31b080b4c869c4212c4c6e87e61ff6f86ae |
| SHA256 | afdc1de4ee29e8724ab489d08b62ac78efaf729a67b283796d53c1f13a2b9a01 |
| SHA512 | 3449b56696f495d2278b0febe7f405b7987f306889033538d2825edc79b3e0c3d38e497a03cc7896ce2cb6a4e68c8034eeb21a0ac789a33c0cf0712ef22e622d |
C:\Windows\System\btQYChs.exe
| MD5 | 5b1d4b721b960dbd1e7fb39087e7a542 |
| SHA1 | 6b24e9f0930fbd9c9a9c0e8859f0541ba264e1cc |
| SHA256 | 94c7392dad962f09805517ef06c504901111633557b4de69597347990c5bc0aa |
| SHA512 | 33278f933f28f847ba161ea16b88a42ebf644e57385d7e737a7dcfa07b1ccd805ec3ff51ec968ccd7b51a2aa7474d1f224cc99e200771aa52d9c5907b81ee8bc |
C:\Windows\System\pnYakYi.exe
| MD5 | b7fea18b10f9c962340fb1296a4649a3 |
| SHA1 | 8f7a5bfddb9f318adc2a330106c60fdb5b24c3c5 |
| SHA256 | a311e8403f2516ce59b4148b6ef1d862ee133bedb9228570f085b73e84e704d8 |
| SHA512 | a372b5548851d6e99dbadc91520a43a73a5decbe9548ab0c332cd31d50adce94eb5331b9a17535287da47e1fb61ed0227e8eba4f964165b12c231c660422e7dc |
C:\Windows\System\EpgKhoJ.exe
| MD5 | e739b07daf18eb820e25a169f73e312d |
| SHA1 | b51b083fee54ecdc7cc1f7327b683cb63dfc3c8a |
| SHA256 | 4fd8e568fd6992bb02fe21a38ebe0b20de3343afad5832f1744e42f2f6949278 |
| SHA512 | 1ed94f0604996cc22f1ea1581f3983f67378f9ee64dce086b0d1deefefd6bc5f55c0465944d142edaf9174b876d01d2cb0ba2034e8589c1f12ec5112a7514d1b |
memory/3024-53-0x00007FF61FF50000-0x00007FF6202A1000-memory.dmp
C:\Windows\System\yuNhoKH.exe
| MD5 | 195707483a51d8ad0cdb1c53b33d2b06 |
| SHA1 | 04389cbdacfdfcac57c7dab6628afd283f623d75 |
| SHA256 | 0ba4cb7df37c58eff97cd9217f317cba556810ddfa40bf5ee5e283cb7529c7ac |
| SHA512 | a52d4f3b8430e819d22147b7ca5b6365a277a4d4b452e7c3286c601b2606fbd358ee295daa53b62500ac18d08d2f82aa5ae94535ff08e31c50852c1f3d070cc0 |
memory/4660-54-0x00007FF6D55F0000-0x00007FF6D5941000-memory.dmp
memory/4544-50-0x00007FF773FF0000-0x00007FF774341000-memory.dmp
memory/2272-47-0x00007FF789D00000-0x00007FF78A051000-memory.dmp
memory/2224-46-0x00007FF7F87D0000-0x00007FF7F8B21000-memory.dmp
C:\Windows\System\dOaOfii.exe
| MD5 | 3ae06979d19d7000998d11737fcfa566 |
| SHA1 | 845b48c4bb21e23a786d3dc6555418e408985532 |
| SHA256 | 2ef56ea5ed14762adc33a0a2c10118d2689f3ccaa9084565c9d4ed2affb76b7e |
| SHA512 | 4f1c209ead3abc5f154b8675966da69a2f6c0ddccadbc4513cebf6cbaafc8504d02d10fa9798e7721bb1f1510e0a715b746858d9e69a709d840f8b1f0d7f76e5 |
memory/1416-39-0x00007FF793920000-0x00007FF793C71000-memory.dmp
memory/4184-26-0x00007FF6130A0000-0x00007FF6133F1000-memory.dmp
memory/3436-20-0x00007FF762F60000-0x00007FF7632B1000-memory.dmp
memory/3624-8-0x00007FF686690000-0x00007FF6869E1000-memory.dmp
C:\Windows\System\thmJwlZ.exe
| MD5 | 4a08f0d448fa9a173b3d99d03a0f31ca |
| SHA1 | 733a9d1d2bafe546baa8a49e6d732390a4971e67 |
| SHA256 | bfdbba2e8b74bc902036a875f4c1588f0b9588fc84b6844e066617f7fa7acf5f |
| SHA512 | 61e7728297c5edb93c3795c906e7e6b807369d8bba231ee20eadcc3f0da522ef9ed3cd49043601567e93d900076b82f288acafb5a32fb0350e5854f80de3dff1 |
C:\Windows\System\gTHrJrl.exe
| Hash | Value |
| MD5 | 1fa112529f02694002184299b5c97e2e |
| SHA1 | 8dc9d4e7910cbd9c4739386e3149e9ea5f2f1674 |
| SHA256 | bfb8e07a79fffa9a6eee1b7370d1ec7e37a2204c02cd49392be36987b4aba569 |
| SHA512 | 1388218743f3d47dfed0f165daa912c10091131fb6abab333ce3b9597c8533fc957554e678817d745350cb300a4e0d0dea053a7cd700bac865a9da29559df607 |
C:\Windows\System\NDsIWlG.exe
| Hash | Value |
| MD5 | f8b07f99a7d3da1d446c8706281bd91f |
| SHA1 | 9090bf548332a6148135d760907cbc79cbc0457d |
| SHA256 | bca5848f935d9de7e226884545e3dec9dbeb35752f4369a0065d7ced13d2cbdd |
| SHA512 | 4be8b5b250374a635f007715c42054e428e899b78144af2f940fdb51d87c4585602ba345709d9b7aa7dcfa07dd72f89e47e32e18dca9e6140d20bea6e49683c7 |
C:\Windows\System\dSRmYdl.exe
| Hash | Value |
| MD5 | 1071e1daf765fce1d7c1100fb989c3c7 |
| SHA1 | 99ff48e65b54ab308bdc22a29d105b86ca5adb48 |
| SHA256 | 2430307fedd723fad7c33c15596b9c27160ffa35e808e530feee5bd57716285b |
| SHA512 | 8c1393bc9ccd29c00d3152373d311ecfb4ad732e5707328d9e774fc23c7cdd74f5192bcedecf68278d4df23f0555695f38fb3a06b922f03961f8b395a12cd225 |
memory/3864-87-0x00007FF6F6730000-0x00007FF6F6A81000-memory.dmp
C:\Windows\System\VKVtImV.exe
| Hash | Value |
| MD5 | fe641aec0ae5b82bdbdc760c2f372e52 |
| SHA1 | f55f5448f5792e3c90499e603f494156a4ae48b8 |
| SHA256 | 89e147b940df653a0ed875c7c30725e9d91acfab67a57b39c3e82563c8b3a4e2 |
| SHA512 | 1ef43c7c66f4c54326f36c2abfe168b17042e5df66ae0d3e5e1bdd640b5a637e7f268e46e067e087b9674a6f6860324f6e9a4a65678fa098c4a3b952df9f886c |
C:\Windows\System\UKjaTQP.exe
| Hash | Value |
| MD5 | 043d28a9d503c247e7bf12a0900331a8 |
| SHA1 | ef0b6782d5ce95bbf0532e0ba7ba6f73066a48b2 |
| SHA256 | c2d663b277a2218366a9c28e9770277f2f6e08c905606e96e7645b04429a62a9 |
| SHA512 | 142218c4b3b75f65d2fc41664fc1667b8999558d31355c5ae08af79b760e0ad8d80626418cd2ce9198f028f20d58f50fd34e426ceb09f9f45eece13a333a9bf1 |
C:\Windows\System\cqDqZVl.exe
| Hash | Value |
| MD5 | bfb2874bc68245400ae938d560e7ccc0 |
| SHA1 | 43a1fe4190ca0772d26b9b2e7f940acd15a0b429 |
| SHA256 | 248f524ccc84177d67bc7dd6bec0bfec25a1e6515b6333633b505ce431fca30b |
| SHA512 | 223d986a8321fe19d9764966e6fd6a8527a8fe02effc7c5d3b60a3acfc3f841ca90964f43e4360c73df7e8fca3b8aceed92e35bb5868838f1525bd7749e48d1b |
memory/1416-124-0x00007FF793920000-0x00007FF793C71000-memory.dmp
memory/4504-127-0x00007FF7D6300000-0x00007FF7D6651000-memory.dmp
C:\Windows\System\owchThs.exe
| Hash | Value |
| MD5 | e717d1ee6e36bde1e17adeec97fe9344 |
| SHA1 | 895d7acb4114b09f51e1a671f9b009b730251f12 |
| SHA256 | 6f276db18f0f40bed5e83ccb15a521ecc8d653438dbd1c149ac632f499edd877 |
| SHA512 | f2b7c369cd23243c8ad9b3b91773ab766e4ba9312a625d22ed134a75ce58e7610563ec305fd226d7675d76d614a11dcff126a8b785f038f37ccb2c51bad97e3e |
C:\Windows\System\edEInXg.exe
| Hash | Value |
| MD5 | 0177f8bf3e61125cb8664e621e7a2750 |
| SHA1 | 25aa8ffff8a82bea1d740fc8dd2a031a3c85af48 |
| SHA256 | e55dd915c75d924c0b73ec14109cf9b5582ca60a9c87e6b4b62cf387e8eb3636 |
| SHA512 | 4f409304dbebe5005d6c1f15aa26b01052ede30be797b67f35d7a2deaebb04bac851f0a88ac5d83f68482d2bed06de91b075323964978d20bc4fe0bede47b3f7 |
memory/2660-119-0x00007FF668E30000-0x00007FF669181000-memory.dmp
memory/3740-118-0x00007FF76D490000-0x00007FF76D7E1000-memory.dmp
memory/1336-114-0x00007FF6B5C60000-0x00007FF6B5FB1000-memory.dmp
memory/4184-113-0x00007FF6130A0000-0x00007FF6133F1000-memory.dmp
memory/3436-112-0x00007FF762F60000-0x00007FF7632B1000-memory.dmp
memory/3624-107-0x00007FF686690000-0x00007FF6869E1000-memory.dmp
C:\Windows\System\BoDZRDS.exe
| Hash | Value |
| MD5 | d23479daadf3817237b29335dcae0f4d |
| SHA1 | debaf6a60b6c2ea0362ba162fdcd85532efe60d7 |
| SHA256 | 12a418bc7acf5ce91e9e74c95a1350c98fc3919bf6a4ac4f62caf75a2ebd13ae |
| SHA512 | a9bd05222963ec0c585c3c8016d4a3ad39650a5e99a84d9aa24a8012a5d7a9d0652d79d53a13cbfded308efa46c1b68aaeb7a4f1a2aa1d9a1a3d1b7ee3a7ac92 |
memory/3924-103-0x00007FF7D46B0000-0x00007FF7D4A01000-memory.dmp
memory/1332-94-0x00007FF675030000-0x00007FF675381000-memory.dmp
memory/408-93-0x00007FF768210000-0x00007FF768561000-memory.dmp
C:\Windows\System\HZAwXvf.exe
| Hash | Value |
| MD5 | e80755ed5dfe4c30ecfda130d3e6c25c |
| SHA1 | 6d7880f7067cdc81cc2af84efecc3160360af742 |
| SHA256 | 5afe1def6b6c32890922ab48c34766b6fd51510e8a16b379d84976d0da298f9b |
| SHA512 | 7341583a5b0a9a953872b44262456cad23fb0e2b62b79e77ab8a3efe6500e65b721dc93fefc6c6dec29ac90b8f14609f3c2f885ae2aa8456aeea5ad932e457fd |
memory/696-83-0x00007FF6BE830000-0x00007FF6BEB81000-memory.dmp
memory/1180-73-0x00007FF7289E0000-0x00007FF728D31000-memory.dmp
memory/3520-70-0x00007FF6E72A0000-0x00007FF6E75F1000-memory.dmp
memory/1808-60-0x00007FF7D9310000-0x00007FF7D9661000-memory.dmp
C:\Windows\System\ZnICEWK.exe
| Hash | Value |
| MD5 | 9d098fc080a21f48972429b713da7840 |
| SHA1 | 742d0e12adfaf7ff1a45610e8e4ead4abf0f6c46 |
| SHA256 | 535ba631b219fc33ba99e0919313f35c43928f379c99742b53b5aded650c220d |
| SHA512 | 16d2d9967496f3e9ce63e6e7aabbd2e8b8ffde3b75cc367bac89f37de57db3d5ee887cd49e4fe39efceeb96ba641fadc584aae6119de4a87faa2bb9efebfde4c |
memory/1332-130-0x00007FF675030000-0x00007FF675381000-memory.dmp
memory/4544-143-0x00007FF773FF0000-0x00007FF774341000-memory.dmp
memory/1808-141-0x00007FF7D9310000-0x00007FF7D9661000-memory.dmp
memory/4508-144-0x00007FF7D2F10000-0x00007FF7D3261000-memory.dmp
memory/3520-145-0x00007FF6E72A0000-0x00007FF6E75F1000-memory.dmp
memory/3864-148-0x00007FF6F6730000-0x00007FF6F6A81000-memory.dmp
memory/4504-154-0x00007FF7D6300000-0x00007FF7D6651000-memory.dmp
memory/3740-153-0x00007FF76D490000-0x00007FF76D7E1000-memory.dmp
memory/2660-152-0x00007FF668E30000-0x00007FF669181000-memory.dmp
memory/1336-151-0x00007FF6B5C60000-0x00007FF6B5FB1000-memory.dmp
memory/3924-150-0x00007FF7D46B0000-0x00007FF7D4A01000-memory.dmp
memory/696-147-0x00007FF6BE830000-0x00007FF6BEB81000-memory.dmp
memory/1180-146-0x00007FF7289E0000-0x00007FF728D31000-memory.dmp
memory/408-149-0x00007FF768210000-0x00007FF768561000-memory.dmp
memory/1332-156-0x00007FF675030000-0x00007FF675381000-memory.dmp
memory/1332-173-0x00007FF675030000-0x00007FF675381000-memory.dmp
memory/3624-201-0x00007FF686690000-0x00007FF6869E1000-memory.dmp
memory/3436-203-0x00007FF762F60000-0x00007FF7632B1000-memory.dmp
memory/1416-205-0x00007FF793920000-0x00007FF793C71000-memory.dmp
memory/4184-207-0x00007FF6130A0000-0x00007FF6133F1000-memory.dmp
memory/4660-212-0x00007FF6D55F0000-0x00007FF6D5941000-memory.dmp
memory/2272-215-0x00007FF789D00000-0x00007FF78A051000-memory.dmp
memory/3024-214-0x00007FF61FF50000-0x00007FF6202A1000-memory.dmp
memory/2224-210-0x00007FF7F87D0000-0x00007FF7F8B21000-memory.dmp
memory/4544-217-0x00007FF773FF0000-0x00007FF774341000-memory.dmp
memory/3520-227-0x00007FF6E72A0000-0x00007FF6E75F1000-memory.dmp
memory/1808-229-0x00007FF7D9310000-0x00007FF7D9661000-memory.dmp
memory/1180-231-0x00007FF7289E0000-0x00007FF728D31000-memory.dmp
memory/696-234-0x00007FF6BE830000-0x00007FF6BEB81000-memory.dmp
memory/408-235-0x00007FF768210000-0x00007FF768561000-memory.dmp
memory/3864-237-0x00007FF6F6730000-0x00007FF6F6A81000-memory.dmp
memory/4504-240-0x00007FF7D6300000-0x00007FF7D6651000-memory.dmp
memory/3924-247-0x00007FF7D46B0000-0x00007FF7D4A01000-memory.dmp
memory/1336-246-0x00007FF6B5C60000-0x00007FF6B5FB1000-memory.dmp
memory/2660-244-0x00007FF668E30000-0x00007FF669181000-memory.dmp
memory/3740-242-0x00007FF76D490000-0x00007FF76D7E1000-memory.dmp
memory/4508-251-0x00007FF7D2F10000-0x00007FF7D3261000-memory.dmp