Analysis Overview
SHA256
2787d8692bd406c6c1d6b085c5e6ddcdeca4d05d5a2619083cc0e3b7375a12cb
Threat Level: Known bad
The file dfc8a622d0d0d1285a5d02644b908880N.exe was found to be: Known bad.
Malicious Activity Summary
Cobalt Strike reflective loader
Cobaltstrike family
Xmrig family
Cobaltstrike
xmrig
XMRig Miner payload
UPX packed file
Executes dropped EXE
Loads dropped DLL
Drops file in Windows directory
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Analysis: static1
Detonation Overview
Reported
2024-08-15 09:56
Signatures
Cobalt Strike reflective loader
1 match; Description, Indicator, Process and Target are N/A.
Cobaltstrike family
XMRig Miner payload
1 match; Description, Indicator, Process and Target are N/A.
Xmrig family
UPX packed file
1 match; Description, Indicator, Process and Target are N/A.
Unsigned PE
2 matches; Description, Indicator, Process and Target are N/A for every match.
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-15 09:56
Reported
2024-08-15 09:58
Platform
win7-20240704-en
Max time kernel
119s
Max time network
120s
Command Line
Signatures
Cobalt Strike reflective loader
21 matches; Description, Indicator, Process and Target are N/A for every match.
Cobaltstrike
xmrig
XMRig Miner payload
39 matches; Description, Indicator, Process and Target are N/A for every match.
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\TMxwOdQ.exe | N/A |
| N/A | N/A | C:\Windows\System\xxzGdFD.exe | N/A |
| N/A | N/A | C:\Windows\System\eFmEBrj.exe | N/A |
| N/A | N/A | C:\Windows\System\dwMcnMj.exe | N/A |
| N/A | N/A | C:\Windows\System\sccSQoc.exe | N/A |
| N/A | N/A | C:\Windows\System\rkqYrqY.exe | N/A |
| N/A | N/A | C:\Windows\System\blLahYe.exe | N/A |
| N/A | N/A | C:\Windows\System\lqIUhYc.exe | N/A |
| N/A | N/A | C:\Windows\System\OIyiBwe.exe | N/A |
| N/A | N/A | C:\Windows\System\ngCJMIS.exe | N/A |
| N/A | N/A | C:\Windows\System\uqVXUgo.exe | N/A |
| N/A | N/A | C:\Windows\System\njfJHFN.exe | N/A |
| N/A | N/A | C:\Windows\System\iXSEQFN.exe | N/A |
| N/A | N/A | C:\Windows\System\hyxTIvQ.exe | N/A |
| N/A | N/A | C:\Windows\System\HzvZTeY.exe | N/A |
| N/A | N/A | C:\Windows\System\sTRsWwH.exe | N/A |
| N/A | N/A | C:\Windows\System\pyOaNOO.exe | N/A |
| N/A | N/A | C:\Windows\System\NpBUEJL.exe | N/A |
| N/A | N/A | C:\Windows\System\jvYfQmM.exe | N/A |
| N/A | N/A | C:\Windows\System\djnUtmx.exe | N/A |
| N/A | N/A | C:\Windows\System\Imwvwsk.exe | N/A |
Loads dropped DLL
UPX packed file
64 matches; Description, Indicator, Process and Target are N/A for every match.
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\dfc8a622d0d0d1285a5d02644b908880N.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\dfc8a622d0d0d1285a5d02644b908880N.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\dfc8a622d0d0d1285a5d02644b908880N.exe
"C:\Users\Admin\AppData\Local\Temp\dfc8a622d0d0d1285a5d02644b908880N.exe"
C:\Windows\System\TMxwOdQ.exe
C:\Windows\System\TMxwOdQ.exe
C:\Windows\System\xxzGdFD.exe
C:\Windows\System\xxzGdFD.exe
C:\Windows\System\eFmEBrj.exe
C:\Windows\System\eFmEBrj.exe
C:\Windows\System\dwMcnMj.exe
C:\Windows\System\dwMcnMj.exe
C:\Windows\System\sccSQoc.exe
C:\Windows\System\sccSQoc.exe
C:\Windows\System\rkqYrqY.exe
C:\Windows\System\rkqYrqY.exe
C:\Windows\System\lqIUhYc.exe
C:\Windows\System\lqIUhYc.exe
C:\Windows\System\blLahYe.exe
C:\Windows\System\blLahYe.exe
C:\Windows\System\OIyiBwe.exe
C:\Windows\System\OIyiBwe.exe
C:\Windows\System\ngCJMIS.exe
C:\Windows\System\ngCJMIS.exe
C:\Windows\System\uqVXUgo.exe
C:\Windows\System\uqVXUgo.exe
C:\Windows\System\njfJHFN.exe
C:\Windows\System\njfJHFN.exe
C:\Windows\System\iXSEQFN.exe
C:\Windows\System\iXSEQFN.exe
C:\Windows\System\hyxTIvQ.exe
C:\Windows\System\hyxTIvQ.exe
C:\Windows\System\HzvZTeY.exe
C:\Windows\System\HzvZTeY.exe
C:\Windows\System\sTRsWwH.exe
C:\Windows\System\sTRsWwH.exe
C:\Windows\System\pyOaNOO.exe
C:\Windows\System\pyOaNOO.exe
C:\Windows\System\NpBUEJL.exe
C:\Windows\System\NpBUEJL.exe
C:\Windows\System\jvYfQmM.exe
C:\Windows\System\jvYfQmM.exe
C:\Windows\System\djnUtmx.exe
C:\Windows\System\djnUtmx.exe
C:\Windows\System\Imwvwsk.exe
C:\Windows\System\Imwvwsk.exe
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
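The behaviour recorded in this run (a parent living in the user's Temp directory writing 7-letter executables into C:\Windows\System\ and starting them, a SeLockMemoryPrivilege request, and repeated TCP connections to 3.120.209.58:8080) maps directly onto host-side detection logic. The script below is an added example, not sandbox output and not code from the sample's authors: it runs three rules over constructed process, privilege and network telemetry in an assumed, simplified schema (the pids echo the memory-dump names in this report but are illustrative). The SeLockMemoryPrivilege rule is limited to binaries under a user Temp path because SQL Server and hypervisors request the same privilege legitimately; the report does not say whether the 8080 endpoint is a Cobalt Strike beacon or a mining pool, so the rule treats it only as a known-bad destination.

```python
import re
from collections import defaultdict

# Observables taken from the report: the drop directory and 7-letter names,
# the SeLockMemoryPrivilege request, and the single outbound endpoint.
C2_ENDPOINTS = {("3.120.209.58", 8080)}
DROPPED_EXE = re.compile(r"^C:\\Windows\\System\\[A-Za-z]{7}\.exe$", re.IGNORECASE)
USER_TEMP = re.compile(r"^C:\\Users\\[^\\]+\\AppData\\Local\\Temp\\", re.IGNORECASE)
MINER_PRIVILEGE = "SeLockMemoryPrivilege"  # XMRig asks for it to back RandomX with large pages


def evaluate(events):
    """Return {pid: [rule, ...]} for every pid that trips at least one rule.

    `events` is a list of dicts in an assumed, simplified telemetry schema:
      process_create:   pid, ppid, image
      privilege_adjust: pid, privilege
      network_connect:  pid, dst_ip, dst_port
    """
    image_of = {e["pid"]: e["image"] for e in events if e["type"] == "process_create"}
    fired = defaultdict(set)
    for e in events:
        pid = e["pid"]
        if e["type"] == "process_create":
            # Copies of the sample land in C:\Windows\System\ under random 7-letter
            # names and are started by a parent that itself lives in %TEMP%.
            if DROPPED_EXE.match(e["image"]) and USER_TEMP.match(image_of.get(e["ppid"], "")):
                fired[pid].add("dropped_exe_in_windows_system")
        elif e["type"] == "privilege_adjust":
            # SeLockMemoryPrivilege is used legitimately by SQL Server and hypervisors,
            # so require the requester to live in a user-writable Temp path.
            if e["privilege"] == MINER_PRIVILEGE and USER_TEMP.match(image_of.get(pid, "")):
                fired[pid].add("lock_memory_privilege_from_temp")
        elif e["type"] == "network_connect":
            if (e["dst_ip"], e["dst_port"]) in C2_ENDPOINTS:
                fired[pid].add("known_c2_endpoint")
    return {pid: sorted(rules) for pid, rules in fired.items()}


# Constructed telemetry modelled on the behavioral1 run (pids are illustrative).
SAMPLE_EVENTS = [
    {"type": "process_create", "pid": 2732, "ppid": 1000,
     "image": r"C:\Users\Admin\AppData\Local\Temp\dfc8a622d0d0d1285a5d02644b908880N.exe"},
    {"type": "privilege_adjust", "pid": 2732, "privilege": "SeLockMemoryPrivilege"},
    {"type": "process_create", "pid": 2840, "ppid": 2732, "image": r"C:\Windows\System\TMxwOdQ.exe"},
    {"type": "process_create", "pid": 2716, "ppid": 2732, "image": r"C:\Windows\System\xxzGdFD.exe"},
    {"type": "network_connect", "pid": 2732, "dst_ip": "3.120.209.58", "dst_port": 8080},
    # Benign noise: a service talking to Bing and a database server using large pages.
    {"type": "process_create", "pid": 3000, "ppid": 4, "image": r"C:\Windows\System32\svchost.exe"},
    {"type": "network_connect", "pid": 3000, "dst_ip": "204.79.197.237", "dst_port": 443},
    {"type": "process_create", "pid": 3100, "ppid": 1000,
     "image": r"C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe"},
    {"type": "privilege_adjust", "pid": 3100, "privilege": "SeLockMemoryPrivilege"},
]

if __name__ == "__main__":
    for pid, rules in evaluate(SAMPLE_EVENTS).items():
        print(pid, ", ".join(rules))
```

Run as-is it reports the sample process for the privilege request and the 8080 connection and each dropped copy for its location and parent, while svchost.exe and sqlservr.exe stay silent; the parent-path condition is what keeps the large-page rule from firing on database servers.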
Files
memory/2732-0-0x000000013F470000-0x000000013F7C1000-memory.dmp
memory/2732-1-0x00000000001F0000-0x0000000000200000-memory.dmp
\Windows\system\TMxwOdQ.exe
| MD5 | c6a2c8cb5f507d5f14f7964cdac745f3 |
| SHA1 | 1f132e27880dd8ff9a5a1b0e4c671b3083dda8c8 |
| SHA256 | 0517b7f752b7749f6d4a66761802806ceee236c1a544dcce3ed1e265d3ab36b7 |
| SHA512 | 004a8ad41469faee3367007edfada59cfab26b7d239900a437c85dab144f91e383ea43c0b2a9b7f9f83cc0fcb154d110e73b762931c9e84b4ebcf0c16f5a906b |
memory/2840-7-0x000000013FC80000-0x000000013FFD1000-memory.dmp
\Windows\system\xxzGdFD.exe
| MD5 | 34fb38e494bf9c50560f1b9642d8c179 |
| SHA1 | d5026a0d1e95f7d3672988d3a7b692a26cbeec84 |
| SHA256 | d65a966156c27e0d6f4e706e939a8ed04db7aecb06a6bc228583345666d32127 |
| SHA512 | c0905e040113263afb5edcd8a70d99b8062a66fc67c7c4c0737ed54cd290b9b7668e03ec3084c841012975df86bf7ad7e1cfffb6564bc7f502f84bacd3602725 |
memory/2716-13-0x000000013F1A0000-0x000000013F4F1000-memory.dmp
C:\Windows\system\eFmEBrj.exe
| MD5 | 02b41161f1e856243653a43376eddd4c |
| SHA1 | 839af24440ae0a9542d1de638d01bd822a20fbf8 |
| SHA256 | 523c3adbb213f65841b88edf41d24f0c851542e93aee7de56c599b6a0745ad36 |
| SHA512 | a9decd9d6525ec92815726baba6bf350a8c55fe703da247975d6ca97d96f6f52e0d0fb3e8715594fed0ed5791f7aa77eaf5b1a8ddb08e3017b6c54ad531fa1ff |
memory/2868-19-0x000000013F5D0000-0x000000013F921000-memory.dmp
memory/2732-17-0x0000000002230000-0x0000000002581000-memory.dmp
\Windows\system\dwMcnMj.exe
| MD5 | d03336c862735a1e5aaef85397b1f712 |
| SHA1 | 31c05dbfb0ecd622714d690df2377252354f84cb |
| SHA256 | 0301254ca1c544eed3b2e2bc4c275bf86de8a2180d001c585440c1501416d7a4 |
| SHA512 | 7ef002167f443ca0d35f17de83f26f52f9447014e3de2ec43a4f1e1ae0ecba2dc7277f98158d60d8d3eb4257942a8aab4c3b85614c27097a513f261b76a2833c |
memory/2644-26-0x000000013F910000-0x000000013FC61000-memory.dmp
memory/2732-23-0x000000013F910000-0x000000013FC61000-memory.dmp
\Windows\system\sccSQoc.exe
| MD5 | 19de1090a6bab7263d38b615ae0ce93f |
| SHA1 | 03531fb7041fc2d18800eabe3c0217bf6bb4b5d2 |
| SHA256 | c2706cd14f9978a987ff640be3519deaf6c205aabbfa52661aa5e064b7463195 |
| SHA512 | 54ea801318c50218f3967bf8526ab81bdf298ee66f1d9a0bb0d673a315db2f26282caf15159f46d730439f1092d5633b93cde1c53d6be9348e11857afaae5b53 |
memory/2732-32-0x000000013F470000-0x000000013F7C1000-memory.dmp
C:\Windows\system\rkqYrqY.exe
| MD5 | 9c171ba5b4b0da3a8ff4bb34edeacf8a |
| SHA1 | 147d1ee6b4ec9fd5e024f16e43119e226bce612a |
| SHA256 | e3f75a8f9aa6bab26261ebab1595e6add18130ed8afe9b66525b67e42fab1412 |
| SHA512 | a0dfdf4c765e89023704db23237b65345cf183004bc54ac6779483a667e042fae86a869dd867b5a96bba855c31fea5655d0593af0deb536df91c970076b521b7 |
C:\Windows\system\blLahYe.exe
| MD5 | ecc378b572979023c521bc48b0b180bd |
| SHA1 | 9c8b56604125a008ba9a44638b18c869e1b794f7 |
| SHA256 | 2466059a4398980b40a2100613718aba06523b83af6e0073688e32045f20b007 |
| SHA512 | 055003ed2ead19a291ae16c3fdb4cf75800f43fc09b4eb332d2c156c466d22d8135053d88f34c960111da304428b5d8dca024f94d7f36c40613aa974274bbbc3 |
C:\Windows\system\lqIUhYc.exe
| MD5 | 0919a6f9fac3fca338cbe11ace3636d6 |
| SHA1 | 13b0c0fd5dcbf96216a4f23fba70ef50a146b0a5 |
| SHA256 | d5c2ef7d36e10a791f4598537727a89a03e49f2505bca57902dc16ec4c8c9f32 |
| SHA512 | 070109670e345489dafb84dbff51e1d2260c4fee8ea1d038d099f9579fa42b7dcdc179bb81323280ebdc277515cc07c556fe6d05e61f8fd3b58f36e72bab1c2d |
memory/2044-57-0x000000013FE10000-0x0000000140161000-memory.dmp
memory/2840-40-0x000000013FC80000-0x000000013FFD1000-memory.dmp
\Windows\system\ngCJMIS.exe
| MD5 | c1e86c19ff6cfcea94e7e5ed06112e2f |
| SHA1 | 1cd3cd8ff3fc94a8e203f4bca02fddce36c856d2 |
| SHA256 | 780e27dcb43930087b9006e92bdc248b4d2a54a8e559a6151d4e891afd0294f2 |
| SHA512 | 9e3ac243d42aa7de085095b64e0927a704e750c1e35711ef9b45cae34e2ea6c8ae9413fa48e7add356a8bd7f163aea9f98ae9035ab2d3fb6244f52dbaaefcdfe |
memory/340-69-0x000000013F810000-0x000000013FB61000-memory.dmp
\Windows\system\njfJHFN.exe
| MD5 | 669ab117d89ebf325be920d28e3bbac6 |
| SHA1 | bb4e863db66414123846a6cb695274a78eb2326f |
| SHA256 | ebe2359254e2c4564c2a1730e22c6adde7c256e3625330262b39254ff0e30d65 |
| SHA512 | 126009d13ee6650b4a9a274e310e8470512a08bb0e9d70916457f81805af94e1417786cbb9b91d25d6c66da7ddaf7c24c3f57013213b77d4eba2b44c959a7c6c |
memory/2344-82-0x000000013F790000-0x000000013FAE1000-memory.dmp
memory/2080-75-0x000000013F7B0000-0x000000013FB01000-memory.dmp
memory/2928-98-0x000000013FE80000-0x00000001401D1000-memory.dmp
C:\Windows\system\NpBUEJL.exe
| MD5 | 67cef716e2bf3a453cfe7f58b13199e2 |
| SHA1 | 7c78973f293000b690fb9ed139660063cf4a5c4c |
| SHA256 | f2ef88b54b9f0518a66e5f9e57aa22e2b8e831905ee52a2edbaf4173acf1d41d |
| SHA512 | b61ee88783a8f614c74c5c183029017b357e29c9e8642a3ae35d806512c0fab70940a3565a2207a462b65edbc75bab8015f35f66931b3798fbf8eaa2679b2519 |
C:\Windows\system\jvYfQmM.exe
| MD5 | 9d54178fbbe157ffeadcd525ff17b781 |
| SHA1 | b7e17092eb94ca2ccc93f24f7b8d6a1dd3bb2afe |
| SHA256 | 4a20ecaaecde0438a3a57f87405901c6d5b7827306e444523b6c083f3c6aa76c |
| SHA512 | 7592f44b28ff9452084137101484ce3b6615431ce06a6e7701c093a6ad56ae7b70306b51862269317da940438116bb41043d8146d262ff307831352728b858da |
\Windows\system\Imwvwsk.exe
| MD5 | 2f54d393fc48362bda9ced39f459f445 |
| SHA1 | f2a2df92bd948c0d32775e27d2aa447c8bb9efdc |
| SHA256 | 3071b3c71acf71d46e4a6127c3d6d52fe3510bdbfb248a6bbb1653534050b194 |
| SHA512 | 9fe0610998d866febe5a59e11a95c65be4006b744aa66e6f33f3daaa0d41b5abba9ad5e0c65d5700256f6b0072580f548707d461d58d1acb00fa1f33500fe12c |
C:\Windows\system\djnUtmx.exe
| MD5 | 24845f6dc241fff20a151e05b6f4dd84 |
| SHA1 | 2eab1374c9c8e96593cfd305e162468234fc2149 |
| SHA256 | 078a6779078b28e6237460c246a973b1ba6e22140d8bb6c35f597eb378cfce73 |
| SHA512 | 71f51d9169664e15cb07de738f51dbb62d595bd065614cbc17040d9d612d1a6ed0075a97ccdd7e2fe964fcf753ae1d448fde246b6727743a00bb5dc7a70e7927 |
memory/340-135-0x000000013F810000-0x000000013FB61000-memory.dmp
C:\Windows\system\pyOaNOO.exe
| MD5 | 45fbba86c5eb28714a531ca902608c1c |
| SHA1 | 32e9d177bc4dd9d5620af2729eade964befa0216 |
| SHA256 | 733ff48a9f614bf7a930d5d2845b622d570595dc6d932ba54ab0c5b58c3317bc |
| SHA512 | 195d9553bd18bcda74c8e75a951a431884e48fc2421cdfa2237d7eaa9a7a3ffa5cae0d8efef11d475df981a4bfd1dd04cbac7c1a6f004da0fc0def4a3c1c4c57 |
C:\Windows\system\HzvZTeY.exe
| MD5 | be3a8f21e5fbeeafa277578b7c08d388 |
| SHA1 | 5314a97a066b3f64afeb9d3ca52efc03e02ebc3c |
| SHA256 | 28abe659d0d62d2d5d431d0f157684402432151b8d43b44fe173ffa4078998d5 |
| SHA512 | 569f75715f55de37a036adab497eadaf7e8f1a14e2ad383a456568aaf58a5f677cf7444a1d43c09c951595cf0d42725d454e1e951049cc3053996fa7e0f1ea56 |
C:\Windows\system\sTRsWwH.exe
| MD5 | 7c950ca2f94cf295f4b66d9b61dfc40a |
| SHA1 | 6b2aa57bbdf95050ddb4a03d18b4b9e9b9b1f510 |
| SHA256 | 479cb74d81fc55cbefaa1985d1a2510f9f18b0038cc3339435cecd6cd98455bd |
| SHA512 | 92df3bc48c34ba36dfab553dd01e7d7c46f043fb6dd94e9310f7494560b1589f197e1c03896e3ba8b833d25f95d28bff075ecbfb778aeb1144b34e9c5a21b05f |
memory/2072-91-0x000000013F170000-0x000000013F4C1000-memory.dmp
memory/2044-90-0x000000013FE10000-0x0000000140161000-memory.dmp
C:\Windows\system\iXSEQFN.exe
| MD5 | 6981f3fde8a9ac61ff00677370d4d62f |
| SHA1 | 0ecffd9d6da58cbe4d86640efc2074dea8292a5c |
| SHA256 | 7fd72e7c36dd79773bc5cedcd310eca477aa1d6c2eb2b1d1085857f18e8ec5a3 |
| SHA512 | ff3f024cc583b56d43afab45dda0088d820e9b0e77942ed0605dcd9fcdc896340fe0376ccd8fc3c3496f29a5c4149eced7434ca8b486d8a58d121e4ecc5e7dbc |
memory/2732-87-0x0000000002230000-0x0000000002581000-memory.dmp
memory/2080-136-0x000000013F7B0000-0x000000013FB01000-memory.dmp
memory/2128-86-0x000000013FD40000-0x0000000140091000-memory.dmp
C:\Windows\system\hyxTIvQ.exe
| MD5 | 8d3e8aff44413e9ad8130037fcfe439b |
| SHA1 | ab1e149818d1adbe331c5c3059ee202695ede587 |
| SHA256 | 4513c5ab1397e98337becc05953c11a50f422977f39efea67b3948cbd51971b3 |
| SHA512 | caba7dbd2d966105bafc042485b48230fe7556b90e43188155ac40f4ca53cd7ba083a7fa5c3024577753b0554c958b1dec0f83b06d51728f52bcc0c6252a1d72 |
memory/2732-95-0x000000013FE80000-0x00000001401D1000-memory.dmp
C:\Windows\system\uqVXUgo.exe
| MD5 | 39229a4d601b25baed68242f35fcc766 |
| SHA1 | 6b7561d26940796cf854b92b8c12601b9cda43d7 |
| SHA256 | 76b330b11da2e2be8c5960bf393eb759d702157ea8e8f6cfedee31b636b90fa3 |
| SHA512 | acaa60a1f03530cde2c1728627c63c9f85d61b547a2a96a4ac86cda464e07ea49f4d18d384c0dd269da00dbb220fc1efdd00d1d03fc718fa9fc6df7e6dd3c675 |
memory/2660-81-0x000000013FEF0000-0x0000000140241000-memory.dmp
memory/2644-66-0x000000013F910000-0x000000013FC61000-memory.dmp
memory/1728-63-0x000000013F5B0000-0x000000013F901000-memory.dmp
C:\Windows\system\OIyiBwe.exe
| MD5 | 4bdc82ec7d4ca7c35de453b82600fab0 |
| SHA1 | 9e8a105f0477139d08a601ffcea1f3ab5ec72e86 |
| SHA256 | a9a606e6d2fab063f1caad7d53206ee9659cb73b1d629f61dc8173fd6af41cb2 |
| SHA512 | 201d88408c624e15444f06f13d8238aedff5750cc96ed739d57d9eba9cdf59c12d90881b44eec988e37de162e85032a510b8d5c2f7313f89dfe68d608bcb68bb |
memory/2344-137-0x000000013F790000-0x000000013FAE1000-memory.dmp
memory/2732-59-0x0000000002230000-0x0000000002581000-memory.dmp
memory/2868-55-0x000000013F5D0000-0x000000013F921000-memory.dmp
memory/2128-53-0x000000013FD40000-0x0000000140091000-memory.dmp
memory/2660-50-0x000000013FEF0000-0x0000000140241000-memory.dmp
memory/2716-49-0x000000013F1A0000-0x000000013F4F1000-memory.dmp
memory/2732-139-0x0000000002230000-0x0000000002581000-memory.dmp
memory/2732-138-0x000000013F470000-0x000000013F7C1000-memory.dmp
memory/2608-47-0x000000013F6B0000-0x000000013FA01000-memory.dmp
memory/2732-45-0x0000000002230000-0x0000000002581000-memory.dmp
memory/2732-36-0x000000013FC80000-0x000000013FFD1000-memory.dmp
memory/2072-143-0x000000013F170000-0x000000013F4C1000-memory.dmp
memory/2732-145-0x000000013FE80000-0x00000001401D1000-memory.dmp
memory/2928-150-0x000000013FE80000-0x00000001401D1000-memory.dmp
memory/1728-152-0x000000013F5B0000-0x000000013F901000-memory.dmp
memory/2976-158-0x000000013F700000-0x000000013FA51000-memory.dmp
memory/1960-162-0x000000013FF10000-0x0000000140261000-memory.dmp
memory/2920-161-0x000000013F5D0000-0x000000013F921000-memory.dmp
memory/2904-160-0x000000013F7E0000-0x000000013FB31000-memory.dmp
memory/112-159-0x000000013FF70000-0x00000001402C1000-memory.dmp
memory/2648-163-0x000000013F7D0000-0x000000013FB21000-memory.dmp
memory/336-164-0x000000013F830000-0x000000013FB81000-memory.dmp
memory/2732-165-0x000000013F470000-0x000000013F7C1000-memory.dmp
memory/2840-212-0x000000013FC80000-0x000000013FFD1000-memory.dmp
memory/2716-216-0x000000013F1A0000-0x000000013F4F1000-memory.dmp
memory/2644-220-0x000000013F910000-0x000000013FC61000-memory.dmp
memory/2868-221-0x000000013F5D0000-0x000000013F921000-memory.dmp
memory/2608-230-0x000000013F6B0000-0x000000013FA01000-memory.dmp
memory/2660-232-0x000000013FEF0000-0x0000000140241000-memory.dmp
memory/2128-234-0x000000013FD40000-0x0000000140091000-memory.dmp
memory/2044-236-0x000000013FE10000-0x0000000140161000-memory.dmp
memory/340-238-0x000000013F810000-0x000000013FB61000-memory.dmp
memory/2080-240-0x000000013F7B0000-0x000000013FB01000-memory.dmp
memory/2344-242-0x000000013F790000-0x000000013FAE1000-memory.dmp
memory/2072-253-0x000000013F170000-0x000000013F4C1000-memory.dmp
memory/2928-255-0x000000013FE80000-0x00000001401D1000-memory.dmp
memory/1728-266-0x000000013F5B0000-0x000000013F901000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-15 09:56
Reported
2024-08-15 09:58
Platform
win10v2004-20240802-en
Max time kernel
116s
Max time network
126s
Command Line
Signatures
Cobalt Strike reflective loader
21 matches; Description, Indicator, Process and Target are N/A for every match.
Cobaltstrike
xmrig
XMRig Miner payload
45 matches; Description, Indicator, Process and Target are N/A for every match.
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\nGekGZO.exe | N/A |
| N/A | N/A | C:\Windows\System\sGMWqsp.exe | N/A |
| N/A | N/A | C:\Windows\System\QHSisKK.exe | N/A |
| N/A | N/A | C:\Windows\System\CMqDAeR.exe | N/A |
| N/A | N/A | C:\Windows\System\sGCnoRM.exe | N/A |
| N/A | N/A | C:\Windows\System\NMRDfkC.exe | N/A |
| N/A | N/A | C:\Windows\System\sgjNlzP.exe | N/A |
| N/A | N/A | C:\Windows\System\isrSXJa.exe | N/A |
| N/A | N/A | C:\Windows\System\LCQdvQa.exe | N/A |
| N/A | N/A | C:\Windows\System\fAuZHhk.exe | N/A |
| N/A | N/A | C:\Windows\System\fZFsKeK.exe | N/A |
| N/A | N/A | C:\Windows\System\fbGoHmU.exe | N/A |
| N/A | N/A | C:\Windows\System\NObfxuw.exe | N/A |
| N/A | N/A | C:\Windows\System\numwASX.exe | N/A |
| N/A | N/A | C:\Windows\System\sMAvOxH.exe | N/A |
| N/A | N/A | C:\Windows\System\udkZlkH.exe | N/A |
| N/A | N/A | C:\Windows\System\dSNAFuB.exe | N/A |
| N/A | N/A | C:\Windows\System\MUVjJmK.exe | N/A |
| N/A | N/A | C:\Windows\System\GYRvjCb.exe | N/A |
| N/A | N/A | C:\Windows\System\IJirQQK.exe | N/A |
| N/A | N/A | C:\Windows\System\ZIjFayx.exe | N/A |
UPX packed file
64 matches; Description, Indicator, Process and Target are N/A for every match.
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\dfc8a622d0d0d1285a5d02644b908880N.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\dfc8a622d0d0d1285a5d02644b908880N.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\dfc8a622d0d0d1285a5d02644b908880N.exe
"C:\Users\Admin\AppData\Local\Temp\dfc8a622d0d0d1285a5d02644b908880N.exe"
C:\Windows\System\nGekGZO.exe
C:\Windows\System\nGekGZO.exe
C:\Windows\System\sGMWqsp.exe
C:\Windows\System\sGMWqsp.exe
C:\Windows\System\QHSisKK.exe
C:\Windows\System\QHSisKK.exe
C:\Windows\System\CMqDAeR.exe
C:\Windows\System\CMqDAeR.exe
C:\Windows\System\sGCnoRM.exe
C:\Windows\System\sGCnoRM.exe
C:\Windows\System\NMRDfkC.exe
C:\Windows\System\NMRDfkC.exe
C:\Windows\System\sgjNlzP.exe
C:\Windows\System\sgjNlzP.exe
C:\Windows\System\isrSXJa.exe
C:\Windows\System\isrSXJa.exe
C:\Windows\System\LCQdvQa.exe
C:\Windows\System\LCQdvQa.exe
C:\Windows\System\fAuZHhk.exe
C:\Windows\System\fAuZHhk.exe
C:\Windows\System\fZFsKeK.exe
C:\Windows\System\fZFsKeK.exe
C:\Windows\System\fbGoHmU.exe
C:\Windows\System\fbGoHmU.exe
C:\Windows\System\NObfxuw.exe
C:\Windows\System\NObfxuw.exe
C:\Windows\System\numwASX.exe
C:\Windows\System\numwASX.exe
C:\Windows\System\sMAvOxH.exe
C:\Windows\System\sMAvOxH.exe
C:\Windows\System\udkZlkH.exe
C:\Windows\System\udkZlkH.exe
C:\Windows\System\dSNAFuB.exe
C:\Windows\System\dSNAFuB.exe
C:\Windows\System\MUVjJmK.exe
C:\Windows\System\MUVjJmK.exe
C:\Windows\System\GYRvjCb.exe
C:\Windows\System\GYRvjCb.exe
C:\Windows\System\IJirQQK.exe
C:\Windows\System\IJirQQK.exe
C:\Windows\System\ZIjFayx.exe
C:\Windows\System\ZIjFayx.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 2.181.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
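The Windows 10 network table mixes the sandbox resolver (8.8.8.8:53), reverse (PTR) lookups and Bing traffic with the one endpoint that also appears in the Windows 7 run, 3.120.209.58:8080, and the Files sections list the dropped executables under two path spellings (\Windows\system\... and C:\Windows\System\...). The parser below is an added example, not a tool from the sandbox or from this page: it reads an excerpt constructed from the report's own lines (SHA512 rows trimmed), tolerates rows whose Domain and Proto cells are shifted, normalises drop paths to basenames, computes the mapped size of each memory dump, and removes resolver and Windows background traffic. Treating PTR lookups and *.bing.com / *.bing.net as background noise rather than sample activity is an assumption about the sandbox, not a statement made by the report.

```python
import re

# Constructed excerpt in the report's own layout; hashes, paths and endpoints are
# copied from the behavioral1/behavioral2 sections (SHA512 rows trimmed).
REPORT_EXCERPT = r"""
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| DE | 3.120.209.58:8080 | tcp | |
Files
memory/2732-0-0x000000013F470000-0x000000013F7C1000-memory.dmp
\Windows\system\TMxwOdQ.exe
| MD5 | c6a2c8cb5f507d5f14f7964cdac745f3 |
| SHA1 | 1f132e27880dd8ff9a5a1b0e4c671b3083dda8c8 |
| SHA256 | 0517b7f752b7749f6d4a66761802806ceee236c1a544dcce3ed1e265d3ab36b7 |
memory/2840-7-0x000000013FC80000-0x000000013FFD1000-memory.dmp
C:\Windows\system\eFmEBrj.exe
| MD5 | 02b41161f1e856243653a43376eddd4c |
| SHA256 | 523c3adbb213f65841b88edf41d24f0c851542e93aee7de56c599b6a0745ad36 |
"""

DUMP_RE = re.compile(r"^memory/(\d+)-\d+-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
DROP_RE = re.compile(r"^(?:C:)?\\Windows\\System\\([A-Za-z]{7}\.exe)$", re.IGNORECASE)
HASH_RE = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9a-f]+)\s*\|$")
NET_RE = re.compile(r"^\|\s*([A-Z]{2})\s*\|\s*([\d.]+:\d+)\s*\|(.*)\|$")

SANDBOX_RESOLVER = "8.8.8.8:53"
# Assumption: PTR lookups and Bing traffic are Windows/sandbox background, not the sample's.
BACKGROUND_SUFFIXES = (".in-addr.arpa", ".bing.com", ".bing.net")


def extract_iocs(text):
    """Parse a report excerpt into deduplicated, normalised indicators."""
    dropped = {}        # basename -> {algo: digest}
    dump_sizes = set()  # mapped size of each dumped region, to compare the copies
    endpoints = set()   # (destination, proto, domain)
    current = None      # basename whose hash rows we are currently inside
    for raw in text.splitlines():
        line = raw.strip()
        if m := DUMP_RE.match(line):
            lo, hi = int(m.group(2), 16), int(m.group(3), 16)
            dump_sizes.add(hi - lo)
            current = None
        elif m := DROP_RE.match(line):
            current = m.group(1)
            dropped.setdefault(current, {})
        elif (m := HASH_RE.match(line)) and current:
            dropped[current][m.group(1)] = m.group(2)
        elif m := NET_RE.match(line):
            # The Domain/Proto cells are sometimes shifted; locate proto by value.
            _cc, dst, rest = m.groups()
            cells = [c.strip() for c in rest.split("|")]
            proto = next((c for c in cells if c in ("tcp", "udp")), "")
            domain = next((c for c in cells if c and c != proto), "")
            endpoints.add((dst, proto, domain))
        else:
            current = None
    actionable = sorted(
        e for e in endpoints
        if e[0] != SANDBOX_RESOLVER and not e[2].endswith(BACKGROUND_SUFFIXES)
    )
    sha256 = sorted(h["SHA256"] for h in dropped.values() if "SHA256" in h)
    return {
        "dropped": sorted(dropped),
        "sha256": sha256,
        "dump_sizes": dump_sizes,
        "endpoints": actionable,
    }


if __name__ == "__main__":
    for key, value in extract_iocs(REPORT_EXCERPT).items():
        print(key, value)
```

On the excerpt this yields two basenames, two SHA256 digests, a single dump size (0x351000 for both regions, which is the same mapped size every dumped copy in this report shows, although each copy carries a different hash) and one actionable endpoint, 3.120.209.58:8080/tcp with no domain.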
Files
memory/1936-0-0x00007FF71CEC0000-0x00007FF71D211000-memory.dmp
memory/1936-1-0x000001BE9F890000-0x000001BE9F8A0000-memory.dmp
C:\Windows\System\nGekGZO.exe
| MD5 | 917cecf9e81a0192fcbaabee761b6529 |
| SHA1 | 8586eee827f74251a83351233268b2440f746162 |
| SHA256 | 326458a4fcebc21ce140b82507c0312ad9292e4a885b0ab362301ffb60fd2727 |
| SHA512 | c4f8be1c722151d78144aab0dbe34d4b06663651d3728f5379ba06bb571058b8135a4304d759dea64fce074c08a834a703b62f140db95915dd974c5fb9023f20 |
memory/1068-8-0x00007FF683420000-0x00007FF683771000-memory.dmp
C:\Windows\System\QHSisKK.exe
| MD5 | 418da85a9fb2e4a1996762b337dbcc17 |
| SHA1 | db6b0da2bb235297c5f03485bf42591abbbb4251 |
| SHA256 | c919adde334d16d786ebef3b715a13feb38abcc10ff4844a486e5fa64f22661d |
| SHA512 | 370c235fb3d693c5c065aec82330b874b0ee699aa5fe68fc1cafee838cefac69190411e031be368c71895864e58bc0308044ca815c7da3b0e5e806d5378be1f9 |
C:\Windows\System\sGMWqsp.exe
| MD5 | e40d81805a747a70b905957ab6a5851d |
| SHA1 | ec5f20b0b835ee0a8f0ad4a8e823d8a895ba6d6c |
| SHA256 | e6bf8145c17d1ecf7b6c3ed28e82ec8e81f25ebc278f29672c176f89353f13ff |
| SHA512 | 5d62e2002dd34600402522b3289ab1258266fe6530dbd93aa5eeed00ff99bd6308cb3c1439b4e431ea737a7132e6a8b9b0baadd012c8cbeed724544ac4894410 |
C:\Windows\System\CMqDAeR.exe
| MD5 | 8b5b1b75c6255532334ebf1731e7f096 |
| SHA1 | 6d3f733c546428ccd4eef26719becdad504cd5a1 |
| SHA256 | 03af8600255395a235d9dbfa66db17623caf0f8e654d67eeddf6b3e4eb373a36 |
| SHA512 | 36ae012e5fef6bb548b9c4043394cb13802b97a2bfd359b5582e6ad74b23ece1cb5999c97e299ca34c83154644fc6bce42afd41a253fe48199c055bd3a11c552 |
C:\Windows\System\sGCnoRM.exe
| MD5 | 50a738b4636721dcc742c5f240e56867 |
| SHA1 | 170da6e849d07d6913068543ddab45052b2235f9 |
| SHA256 | fa1a1bd5c929c78dc98fa3ba361241f1337922fe05dbac3793efc48566b0f9a7 |
| SHA512 | 896c523ff104c323a4f410939802cd11d7efd21ca7471231054d4edd306d36db3d17e7d27128f72feb8f74433459c10e5dfaa054b98db67a79f7c5b201f5a4fc |
C:\Windows\System\sgjNlzP.exe
| MD5 | 66505fd2b68f2fbe1645b2dc00266c4b |
| SHA1 | 265db95ffce95d4d081e30a80028b87163bbbfd3 |
| SHA256 | 6bd66af1ac4527742b2aaa37262614400fea5968c6353198fc8bf4f995f695ac |
| SHA512 | 9042a35c502712110877534353cd20ff20c666ca37d0dd537895e7e76579dc8cfcb72de04a4e9185b42cbc2d6e72b8539528de39bcf22e2ec641e948e600c2de |
C:\Windows\System\isrSXJa.exe
| MD5 | c36c0e4a650f0da7a106e3a030d57758 |
| SHA1 | fedf2954614e5e08125d1ccd2f862b2717e450cd |
| SHA256 | 2256043826b0cee17c113a84bad06d9b864e6b4928ab34b38d72a23d1aac0630 |
| SHA512 | b70e80e7d5cc33104ca7a8e97a1811420a819c3572ad1924aa002618809dc3d5aa3c91b9a90a07db74da46693cb18f6453970b47e7023118a48e83e3ea1896c7 |
C:\Windows\System\fAuZHhk.exe
| MD5 | 98c257e2a0355b36196db2ac4b56805d |
| SHA1 | 29f57b63dfc04343ecdba0a0ff143d32a22713e9 |
| SHA256 | a13a6dffa58272495480e2cea18b1d96520cec4e5971d2f9e70a6e53e8c7c2aa |
| SHA512 | 3eed6dac6a28cc56eee96c22e427e411669b46ed14f0cc8a37f9d5c9c255f28de6520b52ea618f4b20ce32cbe5534ddf56e2798a056d3eeeebca01ff0420f33d |
C:\Windows\System\fZFsKeK.exe
| MD5 | c9dd21662579b9c1a6656c9c641775c6 |
| SHA1 | cbf3cdfe99dc03d953aa26e092359ba9d3889ff0 |
| SHA256 | b73c341010b385759a2a6cea8d555bdebbb15886c76ea7a093621216be775a32 |
| SHA512 | e74a2398df6f63f1a4d55f99fe2752b8ce5193fda6cdab745fcafa49c0cc57aaf59a0b1237a340e7e70a331e814762b381775ff65df6d6258787530dc75d8436 |
C:\Windows\System\NObfxuw.exe
| MD5 | bc116653bb5a07193928a9a92ed8617f |
| SHA1 | d8a4399fadf26b92988cf8afd785b39865c44ec0 |
| SHA256 | 69ba588e45dae25d2e1c6d8acd71be0f5b2963d67e1cdba1378371917840c6c4 |
| SHA512 | fddd435b86928a1a3f3398e1eb785a257f72ed61d3802dbc9fb3404cf059b13ae5746eb7f3ad6dda288f87e1804aaa4da949b6f2ca104736b4d390435aa93776 |
C:\Windows\System\numwASX.exe
| MD5 | b57a5a34c444ddefebbb6c815f90f5ed |
| SHA1 | 6ea331be6460cf9f8e42cb992d3040d5c18a55c7 |
| SHA256 | b3d4bcaae5811cd9d897f6410d14e298d4be90dfbf571b8d220c21412441365a |
| SHA512 | d017f19a6ceeb9afaae4424385184ca3743dc3fc1e85ea06015cd299be07b004502747cba6e263c5d64513460e0e37610ad1f84b223a60f5c741d9efae690dfe |
C:\Windows\System\udkZlkH.exe
| MD5 | 85763807ffa4023088209af65de31f1c |
| SHA1 | 6c37a3869d7ebea3529e27b7fb2351af0d37df97 |
| SHA256 | ac6b72e3bc82c1836da148e462920b2f97c91ee3453ed4be3b30771df9718416 |
| SHA512 | 8d7140073a79c21def8bc19c4d0624dd644565d4889826a1e573ff7cbc3d1458df09c126e0a7e89aae2f81eb13305f7c4102eca623bd33c90776922c667d6e65 |
C:\Windows\System\GYRvjCb.exe
| MD5 | 74bde36d0cced7fb522f9f067c6bfc9b |
| SHA1 | a756f7328518cd198a5661ebb33729e1d3b982a1 |
| SHA256 | 2951ececb26ea5924a27c63d826aa2d6b092db7d4985b77f3848f6f26185d464 |
| SHA512 | 32ad4b6469fc30fa53423fa86a28bc8e5220b6081f69dca018aac454ce358f073c118b7a8607dbf1abe6389d8d80373f1024fd7905a6cdfbb74327099dd9e879 |
C:\Windows\System\ZIjFayx.exe
| MD5 | 922146d280feefefe98bac8486b7641a |
| SHA1 | 1b6717899bc6bfc606a4e1d07c5590ad81f3bf5c |
| SHA256 | e1556d1fea069c6ce0553ce9fa81b4032e4413be677df4f17e11bc4984d09bff |
| SHA512 | 41212000608f168dac86174a8a3b9ee9dfd58d4f9b6f9b1383e71be212111bf63d62491379ab47f6760f52bdc859da56039374acf86ab269513f458e6d632e92 |
C:\Windows\System\IJirQQK.exe
| MD5 | a662823cc28d5479e71ce12c83e34b1f |
| SHA1 | 689e2c0ce6cc522b46dc416fe53e394dd53286f2 |
| SHA256 | 1430c888c952cd9f30bfa0cf4d807f29e1f301a39a3d89261c7a444b12d586c2 |
| SHA512 | aba561c9286e629dac579a0fa22bfff37c09158fb1c3b9d525bb2be898f19798a501a3d5ff0e13a9de684a92b544eb4debc6fbee6f3512245067cc982008ea15 |
C:\Windows\System\MUVjJmK.exe
| MD5 | 7338579a293ab737b70f8fdc9bda8170 |
| SHA1 | b4a87b1dde79521945c7b3eb561e0fc2bc8489ae |
| SHA256 | dbcb6932eae52aa90daddce0bae531c11c537c07f98523e80d15d2a1b544d079 |
| SHA512 | cff37643c837e858c20cb40fafb77779071f06fca3cebb07d9f4de113517073b9c4b9199e42c2692cab564469107e878fc459495e7cc918e2a78e903ddf61565 |
C:\Windows\System\dSNAFuB.exe
| MD5 | 82cdf330d67b0017a05f09847290add1 |
| SHA1 | 49470dd435aa3a34635232aedd00b4293f3d10d9 |
| SHA256 | 382a92d553d349131c504d329452cc660fd0ff57c7c717feab933c621313028a |
| SHA512 | f088c6fb1c077cfb85c5e9382e05063b02ef4da1846daca985f3f4712a4e3b9eb7a58521095ea22fee2d91a24a9a1dc20a20fb5116a9902cfd65ac8a87db9af3 |
C:\Windows\System\sMAvOxH.exe
| MD5 | 2c8d54dff95451a6c8e4ae43c8583cd7 |
| SHA1 | 090b4e5ab375f8ac08599818f3b25d20f3790f6c |
| SHA256 | 2d608f37296f4fb7948e9c64244ec5f56fa299682b3fafa054c7175d7f6b6aa4 |
| SHA512 | 663345621c03f576bf97e61694fb7bcbd218a5198e1a67922cd7f4fedf60cb0f1c879eef3d3227afe2f6125993c8536d0347119b691af4f2796627fb236bf7bb |
C:\Windows\System\fbGoHmU.exe
| MD5 | 7e6c559bca4d3adead5bb7b50acd9584 |
| SHA1 | 8b2ed3b6658369496273c48d696bd9e75e494b5b |
| SHA256 | 83e37d7a120bd596a2ca9ed082e3e26dcbbd2d22dc36ce2930da3c433362a24c |
| SHA512 | b0a70a4eb1435532822cf77a628a374aeae704883bbf05b9fff57310158e9b879d6c5a992e8d94e9e0ba2ecaf2ee49a77c07003c36c85c5ff809df795df60709 |
C:\Windows\System\LCQdvQa.exe
| MD5 | 2af98bd749b9773fd5250de45a01fcbb |
| SHA1 | 93ceb65bb26be712dac5a4895644d8bf346fef62 |
| SHA256 | e3e2bf0028b45b80f792aa3146738b31e47e30c75bfbe7bd9ab9c6a3bda3e8d8 |
| SHA512 | 177b38ae7932efa3dec21bf0b89b39542155f9b7a35bded1570abdab8b60d34a845a9d106b9824a59482f15e8c86e6139abf74a64512e01dba5e90633a3612b0 |
memory/2576-56-0x00007FF76F660000-0x00007FF76F9B1000-memory.dmp
memory/3220-50-0x00007FF61C820000-0x00007FF61CB71000-memory.dmp
C:\Windows\System\NMRDfkC.exe
| MD5 | 6e37ae946c943d7f924ace1bde9deb6c |
| SHA1 | 71b6d32d78c399f6f5d16499a1ecc9e5bdd94f7d |
| SHA256 | 23fec14d1a24cd694feac7f0fa3c3fb96b0122ca86a7c80444390c30b228c132 |
| SHA512 | b8da5aadc8215bea893e997c718fff2377410cc816808df3f62da9b4c8d30f137da67683ee1f2b37ed60c838f57744120796131383e744d517aa3a01f5756b58 |
memory/3752-42-0x00007FF7C2A50000-0x00007FF7C2DA1000-memory.dmp
memory/376-38-0x00007FF779E70000-0x00007FF77A1C1000-memory.dmp
memory/4624-34-0x00007FF64F010000-0x00007FF64F361000-memory.dmp
memory/212-27-0x00007FF62F4C0000-0x00007FF62F811000-memory.dmp
memory/1012-18-0x00007FF738AF0000-0x00007FF738E41000-memory.dmp
memory/2840-13-0x00007FF65A2A0000-0x00007FF65A5F1000-memory.dmp
memory/3236-116-0x00007FF6DF680000-0x00007FF6DF9D1000-memory.dmp
memory/1068-118-0x00007FF683420000-0x00007FF683771000-memory.dmp
memory/1936-117-0x00007FF71CEC0000-0x00007FF71D211000-memory.dmp
memory/5052-120-0x00007FF7EC840000-0x00007FF7ECB91000-memory.dmp
memory/2388-122-0x00007FF6DB780000-0x00007FF6DBAD1000-memory.dmp
memory/4256-123-0x00007FF7C7090000-0x00007FF7C73E1000-memory.dmp
memory/800-121-0x00007FF637E50000-0x00007FF6381A1000-memory.dmp
memory/4756-124-0x00007FF766F30000-0x00007FF767281000-memory.dmp
memory/2840-119-0x00007FF65A2A0000-0x00007FF65A5F1000-memory.dmp
memory/1784-125-0x00007FF7BCA10000-0x00007FF7BCD61000-memory.dmp
memory/1012-127-0x00007FF738AF0000-0x00007FF738E41000-memory.dmp
memory/4312-130-0x00007FF77E8F0000-0x00007FF77EC41000-memory.dmp
memory/212-129-0x00007FF62F4C0000-0x00007FF62F811000-memory.dmp
memory/2244-131-0x00007FF7F3C20000-0x00007FF7F3F71000-memory.dmp
memory/4528-128-0x00007FF67EFE0000-0x00007FF67F331000-memory.dmp
memory/1936-132-0x00007FF71CEC0000-0x00007FF71D211000-memory.dmp
memory/4540-134-0x00007FF665E50000-0x00007FF6661A1000-memory.dmp
memory/4624-133-0x00007FF64F010000-0x00007FF64F361000-memory.dmp
memory/1208-126-0x00007FF650070000-0x00007FF6503C1000-memory.dmp
memory/3752-136-0x00007FF7C2A50000-0x00007FF7C2DA1000-memory.dmp
memory/3236-139-0x00007FF6DF680000-0x00007FF6DF9D1000-memory.dmp
memory/2576-138-0x00007FF76F660000-0x00007FF76F9B1000-memory.dmp
memory/376-135-0x00007FF779E70000-0x00007FF77A1C1000-memory.dmp
memory/3220-137-0x00007FF61C820000-0x00007FF61CB71000-memory.dmp
memory/1936-151-0x00007FF71CEC0000-0x00007FF71D211000-memory.dmp
memory/1068-201-0x00007FF683420000-0x00007FF683771000-memory.dmp
memory/2840-203-0x00007FF65A2A0000-0x00007FF65A5F1000-memory.dmp
memory/1012-215-0x00007FF738AF0000-0x00007FF738E41000-memory.dmp
memory/212-217-0x00007FF62F4C0000-0x00007FF62F811000-memory.dmp
memory/4624-219-0x00007FF64F010000-0x00007FF64F361000-memory.dmp
memory/3752-221-0x00007FF7C2A50000-0x00007FF7C2DA1000-memory.dmp
memory/376-223-0x00007FF779E70000-0x00007FF77A1C1000-memory.dmp
memory/2576-225-0x00007FF76F660000-0x00007FF76F9B1000-memory.dmp
memory/3220-227-0x00007FF61C820000-0x00007FF61CB71000-memory.dmp
memory/3236-229-0x00007FF6DF680000-0x00007FF6DF9D1000-memory.dmp
memory/2388-238-0x00007FF6DB780000-0x00007FF6DBAD1000-memory.dmp
memory/4540-244-0x00007FF665E50000-0x00007FF6661A1000-memory.dmp
memory/5052-242-0x00007FF7EC840000-0x00007FF7ECB91000-memory.dmp
memory/800-241-0x00007FF637E50000-0x00007FF6381A1000-memory.dmp
memory/4756-248-0x00007FF766F30000-0x00007FF767281000-memory.dmp
memory/1784-250-0x00007FF7BCA10000-0x00007FF7BCD61000-memory.dmp
memory/4256-246-0x00007FF7C7090000-0x00007FF7C73E1000-memory.dmp
memory/4528-257-0x00007FF67EFE0000-0x00007FF67F331000-memory.dmp
memory/2244-255-0x00007FF7F3C20000-0x00007FF7F3F71000-memory.dmp
memory/1208-258-0x00007FF650070000-0x00007FF6503C1000-memory.dmp
memory/4312-254-0x00007FF77E8F0000-0x00007FF77EC41000-memory.dmp