Analysis Overview
SHA256
e78b4e5876285560a5dfec63610febeffcf3b7fa69d69fc1cdf1725e801081f1
Threat Level: Known bad
The file e78b4e5876285560a5dfec63610febeffcf3b7fa69d69fc1cdf1725e801081f1 was found to be: Known bad.
Malicious Activity Summary
xmrig
Cobaltstrike family
Cobalt Strike reflective loader
XMRig Miner payload
Xmrig family
Cobaltstrike
UPX packed file
Executes dropped EXE
Loads dropped DLL
Drops file in Windows directory
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-08-15 10:51
Signatures
Cobalt Strike reflective loader
Cobaltstrike family
XMRig Miner payload
Xmrig family
UPX packed file
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-15 10:51
Reported
2024-08-15 10:53
Platform
win7-20240705-en
Max time kernel
142s
Max time network
145s
Command Line
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\pNeUTif.exe | N/A |
| N/A | N/A | C:\Windows\System\obsqxNl.exe | N/A |
| N/A | N/A | C:\Windows\System\QPXJSxo.exe | N/A |
| N/A | N/A | C:\Windows\System\hcKEmuA.exe | N/A |
| N/A | N/A | C:\Windows\System\fFUTFtA.exe | N/A |
| N/A | N/A | C:\Windows\System\TKWVWjn.exe | N/A |
| N/A | N/A | C:\Windows\System\ZGaSjhh.exe | N/A |
| N/A | N/A | C:\Windows\System\ZxCNvtS.exe | N/A |
| N/A | N/A | C:\Windows\System\YkkUYjw.exe | N/A |
| N/A | N/A | C:\Windows\System\oXtzcXT.exe | N/A |
| N/A | N/A | C:\Windows\System\bbdvqTT.exe | N/A |
| N/A | N/A | C:\Windows\System\mXHhqKr.exe | N/A |
| N/A | N/A | C:\Windows\System\GMdwZHW.exe | N/A |
| N/A | N/A | C:\Windows\System\YHnqPjN.exe | N/A |
| N/A | N/A | C:\Windows\System\sACSDfI.exe | N/A |
| N/A | N/A | C:\Windows\System\bTXGbch.exe | N/A |
| N/A | N/A | C:\Windows\System\unZvjEf.exe | N/A |
| N/A | N/A | C:\Windows\System\HJeYymq.exe | N/A |
| N/A | N/A | C:\Windows\System\DFWgMil.exe | N/A |
| N/A | N/A | C:\Windows\System\QiAhZMx.exe | N/A |
| N/A | N/A | C:\Windows\System\wdiLCzd.exe | N/A |
Loads dropped DLL
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\e78b4e5876285560a5dfec63610febeffcf3b7fa69d69fc1cdf1725e801081f1.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\e78b4e5876285560a5dfec63610febeffcf3b7fa69d69fc1cdf1725e801081f1.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command Line |
| C:\Users\Admin\AppData\Local\Temp\e78b4e5876285560a5dfec63610febeffcf3b7fa69d69fc1cdf1725e801081f1.exe | "C:\Users\Admin\AppData\Local\Temp\e78b4e5876285560a5dfec63610febeffcf3b7fa69d69fc1cdf1725e801081f1.exe" |
| C:\Windows\System\pNeUTif.exe | C:\Windows\System\pNeUTif.exe |
| C:\Windows\System\QPXJSxo.exe | C:\Windows\System\QPXJSxo.exe |
| C:\Windows\System\obsqxNl.exe | C:\Windows\System\obsqxNl.exe |
| C:\Windows\System\hcKEmuA.exe | C:\Windows\System\hcKEmuA.exe |
| C:\Windows\System\fFUTFtA.exe | C:\Windows\System\fFUTFtA.exe |
| C:\Windows\System\TKWVWjn.exe | C:\Windows\System\TKWVWjn.exe |
| C:\Windows\System\ZGaSjhh.exe | C:\Windows\System\ZGaSjhh.exe |
| C:\Windows\System\oXtzcXT.exe | C:\Windows\System\oXtzcXT.exe |
| C:\Windows\System\ZxCNvtS.exe | C:\Windows\System\ZxCNvtS.exe |
| C:\Windows\System\bbdvqTT.exe | C:\Windows\System\bbdvqTT.exe |
| C:\Windows\System\YkkUYjw.exe | C:\Windows\System\YkkUYjw.exe |
| C:\Windows\System\mXHhqKr.exe | C:\Windows\System\mXHhqKr.exe |
| C:\Windows\System\GMdwZHW.exe | C:\Windows\System\GMdwZHW.exe |
| C:\Windows\System\YHnqPjN.exe | C:\Windows\System\YHnqPjN.exe |
| C:\Windows\System\sACSDfI.exe | C:\Windows\System\sACSDfI.exe |
| C:\Windows\System\bTXGbch.exe | C:\Windows\System\bTXGbch.exe |
| C:\Windows\System\unZvjEf.exe | C:\Windows\System\unZvjEf.exe |
| C:\Windows\System\HJeYymq.exe | C:\Windows\System\HJeYymq.exe |
| C:\Windows\System\DFWgMil.exe | C:\Windows\System\DFWgMil.exe |
| C:\Windows\System\QiAhZMx.exe | C:\Windows\System\QiAhZMx.exe |
| C:\Windows\System\wdiLCzd.exe | C:\Windows\System\wdiLCzd.exe |
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-15 10:51
Reported
2024-08-15 10:53
Platform
win10v2004-20240802-en
Max time kernel
148s
Max time network
150s
Command Line
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\syGzeJX.exe | N/A |
| N/A | N/A | C:\Windows\System\cyQJUgl.exe | N/A |
| N/A | N/A | C:\Windows\System\PTTVOXo.exe | N/A |
| N/A | N/A | C:\Windows\System\PkoPHWu.exe | N/A |
| N/A | N/A | C:\Windows\System\VcAJkRz.exe | N/A |
| N/A | N/A | C:\Windows\System\jjXCTXi.exe | N/A |
| N/A | N/A | C:\Windows\System\voROaav.exe | N/A |
| N/A | N/A | C:\Windows\System\GmevZhw.exe | N/A |
| N/A | N/A | C:\Windows\System\TZucjTU.exe | N/A |
| N/A | N/A | C:\Windows\System\nCmMzXw.exe | N/A |
| N/A | N/A | C:\Windows\System\vEYtLWr.exe | N/A |
| N/A | N/A | C:\Windows\System\myCPWkZ.exe | N/A |
| N/A | N/A | C:\Windows\System\NUtHBNQ.exe | N/A |
| N/A | N/A | C:\Windows\System\BMtVVOj.exe | N/A |
| N/A | N/A | C:\Windows\System\jZfQyus.exe | N/A |
| N/A | N/A | C:\Windows\System\kqLKiMk.exe | N/A |
| N/A | N/A | C:\Windows\System\LonmFaS.exe | N/A |
| N/A | N/A | C:\Windows\System\FFIYHLw.exe | N/A |
| N/A | N/A | C:\Windows\System\onWtCAC.exe | N/A |
| N/A | N/A | C:\Windows\System\fSiLWIC.exe | N/A |
| N/A | N/A | C:\Windows\System\HXqaKKt.exe | N/A |
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\e78b4e5876285560a5dfec63610febeffcf3b7fa69d69fc1cdf1725e801081f1.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\e78b4e5876285560a5dfec63610febeffcf3b7fa69d69fc1cdf1725e801081f1.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command Line |
| C:\Users\Admin\AppData\Local\Temp\e78b4e5876285560a5dfec63610febeffcf3b7fa69d69fc1cdf1725e801081f1.exe | "C:\Users\Admin\AppData\Local\Temp\e78b4e5876285560a5dfec63610febeffcf3b7fa69d69fc1cdf1725e801081f1.exe" |
| C:\Windows\System\syGzeJX.exe | C:\Windows\System\syGzeJX.exe |
| C:\Windows\System\cyQJUgl.exe | C:\Windows\System\cyQJUgl.exe |
| C:\Windows\System\PTTVOXo.exe | C:\Windows\System\PTTVOXo.exe |
| C:\Windows\System\PkoPHWu.exe | C:\Windows\System\PkoPHWu.exe |
| C:\Windows\System\voROaav.exe | C:\Windows\System\voROaav.exe |
| C:\Windows\System\VcAJkRz.exe | C:\Windows\System\VcAJkRz.exe |
| C:\Windows\System\jjXCTXi.exe | C:\Windows\System\jjXCTXi.exe |
| C:\Windows\System\GmevZhw.exe | C:\Windows\System\GmevZhw.exe |
| C:\Windows\System\TZucjTU.exe | C:\Windows\System\TZucjTU.exe |
| C:\Windows\System\nCmMzXw.exe | C:\Windows\System\nCmMzXw.exe |
| C:\Windows\System\vEYtLWr.exe | C:\Windows\System\vEYtLWr.exe |
| C:\Windows\System\myCPWkZ.exe | C:\Windows\System\myCPWkZ.exe |
| C:\Windows\System\NUtHBNQ.exe | C:\Windows\System\NUtHBNQ.exe |
| C:\Windows\System\BMtVVOj.exe | C:\Windows\System\BMtVVOj.exe |
| C:\Windows\System\jZfQyus.exe | C:\Windows\System\jZfQyus.exe |
| C:\Windows\System\kqLKiMk.exe | C:\Windows\System\kqLKiMk.exe |
| C:\Windows\System\LonmFaS.exe | C:\Windows\System\LonmFaS.exe |
| C:\Windows\System\FFIYHLw.exe | C:\Windows\System\FFIYHLw.exe |
| C:\Windows\System\onWtCAC.exe | C:\Windows\System\onWtCAC.exe |
| C:\Windows\System\fSiLWIC.exe | C:\Windows\System\fSiLWIC.exe |
| C:\Windows\System\HXqaKKt.exe | C:\Windows\System\HXqaKKt.exe |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 64.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
| SHA512 | af46448d94c0867235a750d7b464830554f0e9455a0973cfdf080f04bfc1cf55d00e247609e6f1f695462b8fab71dfaa9047a923e4c47d95dc050c2824b8e114 |
C:\Windows\System\TZucjTU.exe
| MD5 | 9be6b54bc207c56abc68f4132b781756 |
| SHA1 | d4a6f24b9dc2f3303acbc36c870d8ce0111805db |
| SHA256 | 173c79a4be2d3271f6264dbe396c552c41a11fe14a792bca63d8789221ffcffa |
| SHA512 | 20987397a6d861ecc3003ba42c92587021ba8433ffe84f69d6fb03ac34df418b97dc6172569633fc37617097bb6a587dc1f1d6b149dbdf772404141edb2733e0 |
memory/184-68-0x00007FF6EA000000-0x00007FF6EA351000-memory.dmp
memory/4476-57-0x00007FF7B89F0000-0x00007FF7B8D41000-memory.dmp
memory/4756-55-0x00007FF675370000-0x00007FF6756C1000-memory.dmp
C:\Windows\System\voROaav.exe
| MD5 | fce1cd158471c04438eb1998e1f723d6 |
| SHA1 | 36d44a4680745fc92f2ea4282593a9afcf7b21be |
| SHA256 | 78e167936ffb2d2c18afb9431881dc3cb802f9a5d25575579ec7107af655fbf9 |
| SHA512 | cf098685c9a0f88d2852a087ad700f600bb2f581c1edcf5f551257450100b7d552087fe7762a204534bfdaf64f957c8125148ba6eb1ff5983d45ca98490dd124 |
C:\Windows\System\jjXCTXi.exe
| MD5 | 0579e8e3db7a68b72c34063d24d6365b |
| SHA1 | 93d3d1f4f8b237c51808f7f834dedfbd597a6294 |
| SHA256 | 498db4d5f07a247da4956b5b3ccf1f32484e0409c96e4a9c3b743ade185f6a41 |
| SHA512 | fb940755b7fe8ecf97b74a3a637702d0c0d951fbe7df688076b8af2255d3eb9bb4e3a723554b7367eee803ee275e5e13d7a71a58718d026327a519f92102473d |
memory/2464-48-0x00007FF74BEC0000-0x00007FF74C211000-memory.dmp
memory/320-41-0x00007FF72E0B0000-0x00007FF72E401000-memory.dmp
memory/3696-35-0x00007FF79B330000-0x00007FF79B681000-memory.dmp
C:\Windows\System\PkoPHWu.exe
| MD5 | 24890541ae2a9fd034e3355d029d2081 |
| SHA1 | d05bc30c2c7c28d5283b8a77aaf7d174e8baa1d7 |
| SHA256 | e84bbb94b9bb99089a9521adee8dd75bee58a71d21f21197422ae6a0f7f83ab7 |
| SHA512 | 6023969a33d0a3bf24766d3c31541b27c0ba12e61e8ad593b9027264e40092011e2cac6e7621f2b1e85b5ae4f7beb2209333817268f528956c57a3c8e77df1c8 |
memory/1916-31-0x00007FF7CAFC0000-0x00007FF7CB311000-memory.dmp
memory/3940-25-0x00007FF628FB0000-0x00007FF629301000-memory.dmp
memory/4556-24-0x00007FF7FD0B0000-0x00007FF7FD401000-memory.dmp
memory/5072-128-0x00007FF650780000-0x00007FF650AD1000-memory.dmp
memory/5072-129-0x00007FF650780000-0x00007FF650AD1000-memory.dmp
memory/4556-131-0x00007FF7FD0B0000-0x00007FF7FD401000-memory.dmp
memory/4112-130-0x00007FF7F3FB0000-0x00007FF7F4301000-memory.dmp
memory/184-143-0x00007FF6EA000000-0x00007FF6EA351000-memory.dmp
memory/2912-141-0x00007FF696A30000-0x00007FF696D81000-memory.dmp
memory/4476-140-0x00007FF7B89F0000-0x00007FF7B8D41000-memory.dmp
memory/2676-149-0x00007FF77E160000-0x00007FF77E4B1000-memory.dmp
memory/4756-138-0x00007FF675370000-0x00007FF6756C1000-memory.dmp
memory/320-136-0x00007FF72E0B0000-0x00007FF72E401000-memory.dmp
memory/2464-139-0x00007FF74BEC0000-0x00007FF74C211000-memory.dmp
memory/3696-137-0x00007FF79B330000-0x00007FF79B681000-memory.dmp
memory/1916-135-0x00007FF7CAFC0000-0x00007FF7CB311000-memory.dmp
memory/3940-134-0x00007FF628FB0000-0x00007FF629301000-memory.dmp
memory/5072-153-0x00007FF650780000-0x00007FF650AD1000-memory.dmp
memory/4112-209-0x00007FF7F3FB0000-0x00007FF7F4301000-memory.dmp
memory/4556-211-0x00007FF7FD0B0000-0x00007FF7FD401000-memory.dmp
memory/3940-213-0x00007FF628FB0000-0x00007FF629301000-memory.dmp
memory/1916-215-0x00007FF7CAFC0000-0x00007FF7CB311000-memory.dmp
memory/3696-228-0x00007FF79B330000-0x00007FF79B681000-memory.dmp
memory/2916-236-0x00007FF790C70000-0x00007FF790FC1000-memory.dmp
memory/2464-235-0x00007FF74BEC0000-0x00007FF74C211000-memory.dmp
memory/4476-238-0x00007FF7B89F0000-0x00007FF7B8D41000-memory.dmp
memory/320-233-0x00007FF72E0B0000-0x00007FF72E401000-memory.dmp
memory/4756-231-0x00007FF675370000-0x00007FF6756C1000-memory.dmp
memory/2912-251-0x00007FF696A30000-0x00007FF696D81000-memory.dmp
memory/2344-252-0x00007FF62DBC0000-0x00007FF62DF11000-memory.dmp
memory/1432-256-0x00007FF6FD100000-0x00007FF6FD451000-memory.dmp
memory/1340-254-0x00007FF71CE20000-0x00007FF71D171000-memory.dmp
memory/2392-258-0x00007FF79BA80000-0x00007FF79BDD1000-memory.dmp
memory/4964-247-0x00007FF690980000-0x00007FF690CD1000-memory.dmp
memory/3468-242-0x00007FF741890000-0x00007FF741BE1000-memory.dmp
memory/1932-241-0x00007FF7D79E0000-0x00007FF7D7D31000-memory.dmp
memory/184-249-0x00007FF6EA000000-0x00007FF6EA351000-memory.dmp
memory/4612-245-0x00007FF634860000-0x00007FF634BB1000-memory.dmp
memory/2676-260-0x00007FF77E160000-0x00007FF77E4B1000-memory.dmp
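The listing above is raw sandbox output: per-file hash tables without a header row and one `memory/<pid>-<n>-<start>-<end>-memory.dmp` line per dumped region. The following Python is an added example, not part of this report or of the sandbox's own tooling. It parses that listing into IOCs, flags any hash whose hex length is wrong (a mis-copied digest silently matches nothing), and derives what the raw lines do not state: the size of every dumped region and how many dumps each process received. The sample text embedded in it is a verbatim subset of the lines above; the reading of the middle number in the `memory/` names as a dump sequence number is an assumption, as is the `match_on_disk` helper, which is illustrative and not a sandbox API.

```python
"""Parse a sandbox report's dropped-file hash tables and memory/ dump listing
into structured IOCs, validate digest lengths, and summarise the dumped regions."""
import hashlib
import re
from dataclasses import dataclass, field
from pathlib import Path
from typing import Dict, Iterable, List, Set

# Constructed sample: a subset of the lines from the report above, copied verbatim.
SAMPLE_REPORT = r"""
C:\Windows\System\BMtVVOj.exe
| MD5 | 4b211459992ab69688558f1cf3857ce5 |
| SHA1 | c977e5f547e087716d1730b0b7b9e98dac17cb3d |
| SHA256 | 55cbac2cef77a5dbb273d84ab8034491cc9c728f5efe29a0cc2bb077f0516e1f |
| SHA512 | 1827a027eb0b154d0302c621fde0806ea5a1035297a644e3feedb58eb0a072c6a5a023ea721e111b3cea2cc0b500d371b32a469a53fc978ad20cfc6f93ce093c |
C:\Windows\System\jZfQyus.exe
| MD5 | 8007febfc9b4af57ea4ef33644a9a880 |
| SHA1 | 4da87b6827d209c1d0480c577b5f902961e2a8d4 |
| SHA256 | 483976cf592d4b6db8c12d08057e3dd40ccf93932721dc01f755482944fb5ef2 |
| SHA512 | 864a79b0a0f523bb883a90750e1f692e2a1b5c171e5d225f3bf81d069539181b732d89015ebab28685b449d586806302fc442323586047e0b96812d5d04663c9 |
memory/4964-125-0x00007FF690980000-0x00007FF690CD1000-memory.dmp
memory/2392-127-0x00007FF79BA80000-0x00007FF79BDD1000-memory.dmp
memory/5072-128-0x00007FF650780000-0x00007FF650AD1000-memory.dmp
memory/5072-129-0x00007FF650780000-0x00007FF650AD1000-memory.dmp
"""

PATH_RE = re.compile(r"^[A-Za-z]:\\[^|]+\.exe$", re.IGNORECASE)
HASH_RE = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9A-Fa-f]+)\s*\|$")
MEM_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
HEX_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}


@dataclass(frozen=True)
class Region:
    pid: int
    seq: int  # assumption: the middle number is the report's dump sequence number
    start: int
    end: int

    @property
    def size(self) -> int:
        return self.end - self.start


@dataclass
class Report:
    files: Dict[str, Dict[str, str]] = field(default_factory=dict)
    regions: List[Region] = field(default_factory=list)
    warnings: List[str] = field(default_factory=list)


def parse_report(text: str) -> Report:
    """A path line opens a file entry; the hash rows after it belong to that
    entry until the next path or memory line. Digests are lower-cased."""
    rep = Report()
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if PATH_RE.match(line):
            current = line
            rep.files.setdefault(current, {})
            continue
        m = HASH_RE.match(line)
        if m:
            algo, digest = m.group(1), m.group(2).lower()
            if current is None:
                rep.warnings.append(f"hash row without a file header: {line}")
            elif len(digest) != HEX_LEN[algo]:
                rep.warnings.append(f"{current}: {algo} has {len(digest)} hex chars, expected {HEX_LEN[algo]}")
            else:
                rep.files[current][algo] = digest
            continue
        m = MEM_RE.match(line)
        if m:
            rep.regions.append(Region(int(m.group(1)), int(m.group(2)),
                                      int(m.group(3), 16), int(m.group(4), 16)))
    return rep


def sha256_iocs(rep: Report) -> Set[str]:
    return {h["SHA256"] for h in rep.files.values() if "SHA256" in h}


def region_sizes(rep: Report) -> Set[int]:
    """Distinct sizes of the dumped regions; a single value means every dump
    across every PID covers an identically sized mapping."""
    return {r.size for r in rep.regions}


def dumps_per_pid(rep: Report) -> Dict[int, int]:
    counts: Dict[int, int] = {}
    for r in rep.regions:
        counts[r.pid] = counts.get(r.pid, 0) + 1
    return counts


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def match_on_disk(paths: Iterable[Path], rep: Report) -> Dict[Path, str]:
    """Illustrative helper: hash local files and return those whose SHA256 is in
    the report, keyed to the dropped-file name the report gave that hash."""
    wanted = {h["SHA256"]: name for name, h in rep.files.items() if "SHA256" in h}
    return {p: wanted[sha256_of(p)] for p in paths if p.is_file() and sha256_of(p) in wanted}


if __name__ == "__main__":
    rep = parse_report(SAMPLE_REPORT)
    print(len(rep.files), "files,", len(rep.regions), "regions, sizes:",
          [hex(s) for s in region_sizes(rep)], "per pid:", dumps_per_pid(rep), rep.warnings)
```

Run over the full listing above, every `memory/` line yields the same size, 0x351000 bytes, at a distinct 0x00007FF6/0x00007FF7 base per process, and PID 5072 is dumped twice at the same range. Note the caveat the hash tables themselves impose: each dropped executable on this page carries a different digest, so a hash list built from one detonation is a narrow match; the drop location under `C:\Windows\System\` and the uniform region size are the more reusable observations.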