Analysis Overview
SHA256
93c462c41b65140147682b68160a5bed14f9ff9677c1907c94d8734eb20a9c74
Threat Level: Known bad
The file 93c462c41b65140147682b68160a5bed14f9ff9677c1907c94d8734eb20a9c74 was found to be: Known bad.
Malicious Activity Summary
Xmrig family
xmrig
Cobalt Strike reflective loader
Cobaltstrike family
XMRig Miner payload
Cobaltstrike
UPX packed file
Executes dropped EXE
Loads dropped DLL
Drops file in Windows directory
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-08-13 12:06
Signatures
Cobalt Strike reflective loader
Cobaltstrike family
XMRig Miner payload
Xmrig family
UPX packed file
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-13 12:06
Reported
2024-08-13 12:08
Platform
win7-20240729-en
Max time kernel
142s
Max time network
148s
Command Line
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\PTplEjX.exe | N/A |
| N/A | N/A | C:\Windows\System\lSthnKE.exe | N/A |
| N/A | N/A | C:\Windows\System\vKuhoXg.exe | N/A |
| N/A | N/A | C:\Windows\System\hYiXRul.exe | N/A |
| N/A | N/A | C:\Windows\System\XuhaPGK.exe | N/A |
| N/A | N/A | C:\Windows\System\yOvKBim.exe | N/A |
| N/A | N/A | C:\Windows\System\WITiXrm.exe | N/A |
| N/A | N/A | C:\Windows\System\bbIMAIh.exe | N/A |
| N/A | N/A | C:\Windows\System\TvfkAPg.exe | N/A |
| N/A | N/A | C:\Windows\System\vfsQsCv.exe | N/A |
| N/A | N/A | C:\Windows\System\gKUTgig.exe | N/A |
| N/A | N/A | C:\Windows\System\dYAgbRn.exe | N/A |
| N/A | N/A | C:\Windows\System\RiYaKYb.exe | N/A |
| N/A | N/A | C:\Windows\System\bClDEDU.exe | N/A |
| N/A | N/A | C:\Windows\System\JrlCEMz.exe | N/A |
| N/A | N/A | C:\Windows\System\LjUvUdC.exe | N/A |
| N/A | N/A | C:\Windows\System\SJPSISW.exe | N/A |
| N/A | N/A | C:\Windows\System\YZPjDZx.exe | N/A |
| N/A | N/A | C:\Windows\System\Dkcdemf.exe | N/A |
| N/A | N/A | C:\Windows\System\UFdOIer.exe | N/A |
| N/A | N/A | C:\Windows\System\LiYljDl.exe | N/A |
Loads dropped DLL
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\93c462c41b65140147682b68160a5bed14f9ff9677c1907c94d8734eb20a9c74.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\93c462c41b65140147682b68160a5bed14f9ff9677c1907c94d8734eb20a9c74.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\93c462c41b65140147682b68160a5bed14f9ff9677c1907c94d8734eb20a9c74.exe | "C:\Users\Admin\AppData\Local\Temp\93c462c41b65140147682b68160a5bed14f9ff9677c1907c94d8734eb20a9c74.exe" |
| C:\Windows\System\PTplEjX.exe | C:\Windows\System\PTplEjX.exe |
| C:\Windows\System\lSthnKE.exe | C:\Windows\System\lSthnKE.exe |
| C:\Windows\System\XuhaPGK.exe | C:\Windows\System\XuhaPGK.exe |
| C:\Windows\System\vKuhoXg.exe | C:\Windows\System\vKuhoXg.exe |
| C:\Windows\System\yOvKBim.exe | C:\Windows\System\yOvKBim.exe |
| C:\Windows\System\hYiXRul.exe | C:\Windows\System\hYiXRul.exe |
| C:\Windows\System\WITiXrm.exe | C:\Windows\System\WITiXrm.exe |
| C:\Windows\System\bbIMAIh.exe | C:\Windows\System\bbIMAIh.exe |
| C:\Windows\System\TvfkAPg.exe | C:\Windows\System\TvfkAPg.exe |
| C:\Windows\System\vfsQsCv.exe | C:\Windows\System\vfsQsCv.exe |
| C:\Windows\System\gKUTgig.exe | C:\Windows\System\gKUTgig.exe |
| C:\Windows\System\dYAgbRn.exe | C:\Windows\System\dYAgbRn.exe |
| C:\Windows\System\RiYaKYb.exe | C:\Windows\System\RiYaKYb.exe |
| C:\Windows\System\bClDEDU.exe | C:\Windows\System\bClDEDU.exe |
| C:\Windows\System\YZPjDZx.exe | C:\Windows\System\YZPjDZx.exe |
| C:\Windows\System\JrlCEMz.exe | C:\Windows\System\JrlCEMz.exe |
| C:\Windows\System\Dkcdemf.exe | C:\Windows\System\Dkcdemf.exe |
| C:\Windows\System\LjUvUdC.exe | C:\Windows\System\LjUvUdC.exe |
| C:\Windows\System\UFdOIer.exe | C:\Windows\System\UFdOIer.exe |
| C:\Windows\System\SJPSISW.exe | C:\Windows\System\SJPSISW.exe |
| C:\Windows\System\LiYljDl.exe | C:\Windows\System\LiYljDl.exe |
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-13 12:06
Reported
2024-08-13 12:08
Platform
win10v2004-20240802-en
Max time kernel
145s
Max time network
150s
Command Line
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\IGtTain.exe | N/A |
| N/A | N/A | C:\Windows\System\vAGaira.exe | N/A |
| N/A | N/A | C:\Windows\System\NKXQgdE.exe | N/A |
| N/A | N/A | C:\Windows\System\vDnMyUB.exe | N/A |
| N/A | N/A | C:\Windows\System\KEBUKbw.exe | N/A |
| N/A | N/A | C:\Windows\System\cxZvpfN.exe | N/A |
| N/A | N/A | C:\Windows\System\DuZOvLc.exe | N/A |
| N/A | N/A | C:\Windows\System\qFmMGwi.exe | N/A |
| N/A | N/A | C:\Windows\System\PioGgfk.exe | N/A |
| N/A | N/A | C:\Windows\System\PeSzhup.exe | N/A |
| N/A | N/A | C:\Windows\System\nnAVGAq.exe | N/A |
| N/A | N/A | C:\Windows\System\dgIHHBW.exe | N/A |
| N/A | N/A | C:\Windows\System\ERrDWNv.exe | N/A |
| N/A | N/A | C:\Windows\System\eraujBj.exe | N/A |
| N/A | N/A | C:\Windows\System\bVBvEDl.exe | N/A |
| N/A | N/A | C:\Windows\System\jvIuiuC.exe | N/A |
| N/A | N/A | C:\Windows\System\VbRDnvM.exe | N/A |
| N/A | N/A | C:\Windows\System\RqSnwoi.exe | N/A |
| N/A | N/A | C:\Windows\System\qydxbtB.exe | N/A |
| N/A | N/A | C:\Windows\System\ogzKPRM.exe | N/A |
| N/A | N/A | C:\Windows\System\wvJzbhw.exe | N/A |
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\93c462c41b65140147682b68160a5bed14f9ff9677c1907c94d8734eb20a9c74.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\93c462c41b65140147682b68160a5bed14f9ff9677c1907c94d8734eb20a9c74.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\93c462c41b65140147682b68160a5bed14f9ff9677c1907c94d8734eb20a9c74.exe | "C:\Users\Admin\AppData\Local\Temp\93c462c41b65140147682b68160a5bed14f9ff9677c1907c94d8734eb20a9c74.exe" |
| C:\Windows\System\IGtTain.exe | C:\Windows\System\IGtTain.exe |
| C:\Windows\System\vAGaira.exe | C:\Windows\System\vAGaira.exe |
| C:\Windows\System\NKXQgdE.exe | C:\Windows\System\NKXQgdE.exe |
| C:\Windows\System\vDnMyUB.exe | C:\Windows\System\vDnMyUB.exe |
| C:\Windows\System\KEBUKbw.exe | C:\Windows\System\KEBUKbw.exe |
| C:\Windows\System\cxZvpfN.exe | C:\Windows\System\cxZvpfN.exe |
| C:\Windows\System\DuZOvLc.exe | C:\Windows\System\DuZOvLc.exe |
| C:\Windows\System\qFmMGwi.exe | C:\Windows\System\qFmMGwi.exe |
| C:\Windows\System\PioGgfk.exe | C:\Windows\System\PioGgfk.exe |
| C:\Windows\System\PeSzhup.exe | C:\Windows\System\PeSzhup.exe |
| C:\Windows\System\nnAVGAq.exe | C:\Windows\System\nnAVGAq.exe |
| C:\Windows\System\dgIHHBW.exe | C:\Windows\System\dgIHHBW.exe |
| C:\Windows\System\ERrDWNv.exe | C:\Windows\System\ERrDWNv.exe |
| C:\Windows\System\eraujBj.exe | C:\Windows\System\eraujBj.exe |
| C:\Windows\System\bVBvEDl.exe | C:\Windows\System\bVBvEDl.exe |
| C:\Windows\System\jvIuiuC.exe | C:\Windows\System\jvIuiuC.exe |
| C:\Windows\System\VbRDnvM.exe | C:\Windows\System\VbRDnvM.exe |
| C:\Windows\System\RqSnwoi.exe | C:\Windows\System\RqSnwoi.exe |
| C:\Windows\System\qydxbtB.exe | C:\Windows\System\qydxbtB.exe |
| C:\Windows\System\ogzKPRM.exe | C:\Windows\System\ogzKPRM.exe |
| C:\Windows\System\wvJzbhw.exe | C:\Windows\System\wvJzbhw.exe |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 13.107.21.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 23.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.21.107.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 25.140.123.92.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 240.143.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/5064-0-0x00007FF7D8780000-0x00007FF7D8AD1000-memory.dmp
memory/5064-1-0x000002618C9C0000-0x000002618C9D0000-memory.dmp
C:\Windows\System\IGtTain.exe
| MD5 | 4b33c247391903aed9ef26b3a51c1790 |
| SHA1 | 9818048d71101ff56c924b3a9b5281a003d15b2c |
| SHA256 | 258cc0122b4a5d1429ceeca390d4a09ac8af76b9b7c22cc5153db58e8b4df418 |
| SHA512 | f23366cd17c1bf536be72180cd73525a1ad3c9e201159e12d8858b1f8777c516c0b038921e2dbefd7a57abc783a42440506d41e9541a0e3129de24f1208a3a14 |
C:\Windows\System\NKXQgdE.exe
| MD5 | bd2330c91d0d78c5f120754131611877 |
| SHA1 | e83baeb452e7073d9a8e4e88a5adfcce2cb637e1 |
| SHA256 | 7d39a51d3f66641c61b317a1491d330f359dfdb6905c5c7a0e97e6a86caaf690 |
| SHA512 | 16d8ccffb1b745c2b853a959929054c3fea7f3401a87a23aebddde668689994bb02057eb14ea5e7e39bd932bca164e991ff18fbeb560eda389c529c0bdf65717 |
C:\Windows\System\vAGaira.exe
| MD5 | 134c89a3096f873ae1319ff651ce72a2 |
| SHA1 | 667b72c82f16f7e0fe63d480eaa6d479a8f62ca2 |
| SHA256 | 19e3c2ab9c3dd032097e33d6cbb49630cd1096cb69a97177e4cd781a4c737517 |
| SHA512 | f81418ec44ae780807aa44f155f4c1c4b48a5d389e07fb48ea36645f2d0ee6a3a6da9a033406ffd17847e83541f116850256dd9f6ac680804c93131ca637e5f6 |
memory/4632-14-0x00007FF681FA0000-0x00007FF6822F1000-memory.dmp
C:\Windows\System\vDnMyUB.exe
| MD5 | 21b8ab3b5ce88ac3c0e122c2aab1b4e3 |
| SHA1 | d6d549de77591bc4ec57a067b8721bbbadf27ca8 |
| SHA256 | 94f997ff483c4cab2d99e411bde4054158a2ed31a48107ca0c493e15567cc459 |
| SHA512 | 563481f99d54e4728b6b0f30c2b968423d87288b8046f03cb83ccd731179566f01935b5a7b4d68863109e10d295ba7df2c954a6c277b2c2ed441d0ba39fac6b7 |
C:\Windows\System\cxZvpfN.exe
| MD5 | 2402649bd65346486d903c36a004c7b5 |
| SHA1 | 7a8ee5f9bee54d858d4482087de26d20a4c84641 |
| SHA256 | 1f24ed0c8b5b71b3db47c52dbe11d2fffa45bd635fda4243028c65f4f4ed8fc6 |
| SHA512 | b953da02d42d90cf16b4c20085a974eff228541f7874cc7231c6ade9f73a2abf39bd5484127884fa79d0409ab24e842303ab51301235473779f20a2600477107 |
C:\Windows\System\KEBUKbw.exe
| MD5 | 1656658fa84ab411e156edec8c449702 |
| SHA1 | 1464d3286224fad4fda24203a50a8fb7de7b637a |
| SHA256 | 84158312dacca85c884631aeb301009d7a552bb65a32dd5919eff2100cd7e866 |
| SHA512 | d60164179d992ca04a3f818a8fac099339fbe73fee79c41ffdc4157df86831d7a759657b096744722161e1333226489e3545313117d111517e1a98f67f995a63 |
C:\Windows\System\nnAVGAq.exe
| MD5 | 6cd047c004a5ad7a0f5e90788a194240 |
| SHA1 | fb5869a7315fa479d2cbe2d2e8b346f55a4419ab |
| SHA256 | 3a75fb35ee5a9bd6430799595b96134790e456831bc15dac98fc4b11a29bb475 |
| SHA512 | ed7ceb80d62bf75a823bfb2a6f85fbfa9e509da333e0d105ae774ec847ef63fd59adfaf177a9e3609abf5d171f10b342060d1d053d7a0857b8b1e0c43558dbfb |
memory/1388-65-0x00007FF61BDF0000-0x00007FF61C141000-memory.dmp
C:\Windows\System\eraujBj.exe
| MD5 | 6b5f3d9f9ecd3063cace23e4c8d192d4 |
| SHA1 | 1ff777ac3ad2a2d3e23bfb45e18e0012e1dcfa94 |
| SHA256 | 41f2124f85bb830503b2564afdff672f87d377010202b1b689ffce963e180bcd |
| SHA512 | 179713cfc4279374ddcb5468188f0010a4483b9d28cc70f408b2defd3adbf49bd3cbc673c3e4133484603fd560793f20dd02c36932758654fb8f9662017e8cb0 |
C:\Windows\System\qydxbtB.exe
| MD5 | a1a7865c46d6bb66cee3931a93fab04f |
| SHA1 | d20298a234b5a2ddcbdac03ca8750d46fddeae80 |
| SHA256 | 17cd08e77bb20d4fed5105119a9449b6017181e6c392b1cb549a29df3ee09273 |
| SHA512 | df251bd73ddc0cbcd6755dd918973d613c5a1532828eeba16b16e3bfbf6629dd48aa8a4f08a64f59a3568ccb19aecf90be6b9a928bf12400d97db88311e4b913 |
C:\Windows\System\wvJzbhw.exe
| MD5 | 2dcaf9d558fbdc622e225d6bba633918 |
| SHA1 | 985605e7eaec5aa817497d943d798799a7e19056 |
| SHA256 | a85c7138a1dabca746fd44be26b1c178da5dc55ad77f196acfcd6ee0a9a4c950 |
| SHA512 | e40d9157579eb97296cff7c141ce44e482f68bf1f4af65b8b9c31cb43ba7eed62fc15d5919709089f75f08dcbb26f5595581e4cfe80034dab99163f02a07113d |
C:\Windows\System\jvIuiuC.exe
| MD5 | 0ad165ba5751d5d55587fcd51d12489e |
| SHA1 | 59c37f6e9b345b71931754e63e49670215163b5b |
| SHA256 | 0497efb9836cd89f8c27f54f3e11ca97756502ba204430658239c4923cf9ccdb |
| SHA512 | 9f1795a6ab7a449ab57be78589219b2d868d342477e8b723ae3d968b6166cc1acd5dc157da8b00064988a697705bdcf2b8a44be2e09b6cf13fef84f9c7ff7acc |
C:\Windows\System\ogzKPRM.exe
| MD5 | d56a0af0081ce3710b7347ad6539de28 |
| SHA1 | cb9a683c2ccdf3bf0298bc94408c00a07d999bb0 |
| SHA256 | e969ccbb6056f792a81efb045bb39a9797d539a6fef9c8f1f68480c31042f3e2 |
| SHA512 | 160375e37e5d281c3020977ceec33a4739b922dd11aaabf692618801d2e562bcc525141cb81430658fe27ce2d8581383ac55c41a491111c39c19559fcef094ec |
C:\Windows\System\RqSnwoi.exe
| MD5 | e02cb461f4fc3cca9de78bc8bae7edb5 |
| SHA1 | b777aed6ecf3258f047391ea426248a30b5b67e2 |
| SHA256 | 4e4746e0ebb8af062d81d77d45a27944c1bb730e80db61f572a5325b347bd368 |
| SHA512 | 9678f1660f473e733bbe439c2468aaa749338bba253de7689f931e08c9fb58d6e4f4074b624fdd61a724653552c32e0c69b2fc46eaeda99e1366ad437aed29e7 |
C:\Windows\System\VbRDnvM.exe
| MD5 | 721d0582c046492fa1b5765bafdb2f10 |
| SHA1 | 01ca9fa22eb52c0745369eea97e5f5142db2ff4a |
| SHA256 | 1bdaf5e850bcd130fd9595e87b6b325e4a34afcb6d66f4b92bf3dc2abd7ca70e |
| SHA512 | 33413c9e0f9032953d6e91cd834fdb0d3c743744f8a0db4eb0e797e389c3057b5e37bd628176052af618b5f79697617fdc16ca7677912d8b011cc79c64e4f7fe |
C:\Windows\System\bVBvEDl.exe
| MD5 | 86ad3a52151b641bdc6041dfc0ed5246 |
| SHA1 | 997533844ffdbcfe6759adba0ae55f1f77d483b6 |
| SHA256 | 94bef5dbcc126074aded223ba582aeb51ac0402a2298c3cfee6f19362271deca |
| SHA512 | e62e2f3e407071a9a15b00e5ddcdc392507ac734cb45489f0fde02f072acc295acfd998f29a99c6f6f42159e3f8a7628bb40d3a06ba51b34c417abeebc5ab675 |
C:\Windows\System\ERrDWNv.exe
| MD5 | 30cb817f74bfebb7a1534d45e582bf6a |
| SHA1 | 3ff96abb3e717d1a962916658f65f4daeb45e435 |
| SHA256 | 2fad6896ed5f74c425e8ddcb7e31e57b5f597b4232942a343cbc0f021c3c807b |
| SHA512 | e437bf1701bd53687d32f80823894c3c635f2425ade5749aa9b6061fa49f547184ff6b8fa442381f84557c90a6a58d556393325daf71ff13cffdf8a8de705aeb |
C:\Windows\System\dgIHHBW.exe
| MD5 | 946ec9f8b83e4662a276bfd9d560d938 |
| SHA1 | 580b69094d25b383eb49cc01268f56046331319d |
| SHA256 | 0b029371ccc0d530c96205a807ee0e971dcad72e32972ec7eba4cee12a73d31d |
| SHA512 | 6689b8f921167d1bff1cd32deff5114fbdb358bad83501f69bb6728310dee4dd1db2b7bb08fd31da77c5a86c0058389b99e9fe1de6dcd022256ac64a33253274 |
C:\Windows\System\PeSzhup.exe
| MD5 | c1ec8342da6684637aa6498d2abd73b8 |
| SHA1 | d435d850154e7d0b01d308b1cc60748f9b42e762 |
| SHA256 | 33eb66a4bb4015e36eb5dc4f9173cb31295bcbc32ff9966faa9e1a3759724da3 |
| SHA512 | ae4a346731c3d4b65e80b15ee1434bbec135e6dbc1e4e0f3b8fe362311dc3f709142b49f541adaf9a9c7e2621827ddba52148f5f4a2a30f619896fcaee287f4c |
C:\Windows\System\PioGgfk.exe
| MD5 | 7c3a199c551afae6139ad13f4f9017d1 |
| SHA1 | 28ed042ae4132f3f2ef1ffe9dd035b1326a11c45 |
| SHA256 | d20b975ae8ae87e01a96110976f11e8f85ab6e0e37c8910dfab7aa323662c344 |
| SHA512 | 375b7ee335667aa4eb32cc2f7ad5d0a1260c2fb65ded2e19606e1fcb47c68809b5a5dc38a0e7986db1d653049e8806355f8443ccf1aea89d1ba2d1872ca5f890 |
C:\Windows\System\qFmMGwi.exe
| MD5 | d6477e334ecd516a1fc2b60dd475f329 |
| SHA1 | d660d71d97e92460f4b5a2465c04a5a2ba94722a |
| SHA256 | 958d2b23bd80c3f65af0cd9efe7da38ebb1f93071c05c2407167389c6856f22b |
| SHA512 | f7198bd076e674a47e8d6c49eb9992cf780a345516c18acf68b0644ac975e60f25f271307382a8ef483e757c05c90871d66253b19b9ee20e99cd85f589ca8750 |
C:\Windows\System\DuZOvLc.exe
| MD5 | 1c0dd96880b5c80d2574ca74c87bf7d3 |
| SHA1 | 7b4c0806e2ee41d15c7d52ba9b67694959bfe4a5 |
| SHA256 | 1e17acdf76a372a96ef6ff07cbeb1e0d8c1ecf6b9482de7193aede7d4b691f0c |
| SHA512 | 61d10f0605d24effba5514e9c54d9340b16b8b0bc8a93563579a2448bc61bd9b9102d6923de8a252ba08860c15d36230a7f00969beb2fc24c8a1cc15b6be23ae |