Analysis Overview
SHA256
9f7889898ba750f81e116a98575018d85618de7e5cb79cca5d4da6fe85027a8c
Threat Level: Known bad
The file 9f7889898ba750f81e116a98575018d85618de7e5cb79cca5d4da6fe85027a8cN was found to be: Known bad.
Malicious Activity Summary
Xmrig family
XMRig Miner payload
xmrig
Cobalt Strike reflective loader
Cobaltstrike
Cobaltstrike family
XMRig Miner payload
Loads dropped DLL
Executes dropped EXE
UPX packed file
Drops file in Windows directory
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-11-10 13:56
Signatures
Cobalt Strike reflective loader
Cobaltstrike family
XMRig Miner payload
Xmrig family
UPX packed file
Unsigned PE
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-10 13:56
Reported
2024-11-10 13:59
Platform
win10v2004-20241007-en
Max time kernel
110s
Max time network
114s
Command Line
Signatures
Cobalt Strike reflective loader
Cobaltstrike
Cobaltstrike family
Xmrig family
xmrig
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\ekHvoAq.exe | N/A |
| N/A | N/A | C:\Windows\System\vRlKGQa.exe | N/A |
| N/A | N/A | C:\Windows\System\SvUqiuH.exe | N/A |
| N/A | N/A | C:\Windows\System\gMzxFMe.exe | N/A |
| N/A | N/A | C:\Windows\System\fsmBMci.exe | N/A |
| N/A | N/A | C:\Windows\System\ugmHIqA.exe | N/A |
| N/A | N/A | C:\Windows\System\RlajyXG.exe | N/A |
| N/A | N/A | C:\Windows\System\xbomhsA.exe | N/A |
| N/A | N/A | C:\Windows\System\NpJwVuI.exe | N/A |
| N/A | N/A | C:\Windows\System\RYYwpDW.exe | N/A |
| N/A | N/A | C:\Windows\System\vTmMOyh.exe | N/A |
| N/A | N/A | C:\Windows\System\PzdjiVL.exe | N/A |
| N/A | N/A | C:\Windows\System\YcLbGIU.exe | N/A |
| N/A | N/A | C:\Windows\System\NEIuxZa.exe | N/A |
| N/A | N/A | C:\Windows\System\sZzTnVY.exe | N/A |
| N/A | N/A | C:\Windows\System\sFccLeD.exe | N/A |
| N/A | N/A | C:\Windows\System\eXwZCsN.exe | N/A |
| N/A | N/A | C:\Windows\System\IzFfcPQ.exe | N/A |
| N/A | N/A | C:\Windows\System\qOEzeDd.exe | N/A |
| N/A | N/A | C:\Windows\System\wounOUU.exe | N/A |
| N/A | N/A | C:\Windows\System\bWPMcmV.exe | N/A |
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\9f7889898ba750f81e116a98575018d85618de7e5cb79cca5d4da6fe85027a8cN.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\9f7889898ba750f81e116a98575018d85618de7e5cb79cca5d4da6fe85027a8cN.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\9f7889898ba750f81e116a98575018d85618de7e5cb79cca5d4da6fe85027a8cN.exe
"C:\Users\Admin\AppData\Local\Temp\9f7889898ba750f81e116a98575018d85618de7e5cb79cca5d4da6fe85027a8cN.exe"
C:\Windows\System\ekHvoAq.exe
C:\Windows\System\ekHvoAq.exe
C:\Windows\System\vRlKGQa.exe
C:\Windows\System\vRlKGQa.exe
C:\Windows\System\SvUqiuH.exe
C:\Windows\System\SvUqiuH.exe
C:\Windows\System\gMzxFMe.exe
C:\Windows\System\gMzxFMe.exe
C:\Windows\System\fsmBMci.exe
C:\Windows\System\fsmBMci.exe
C:\Windows\System\ugmHIqA.exe
C:\Windows\System\ugmHIqA.exe
C:\Windows\System\RlajyXG.exe
C:\Windows\System\RlajyXG.exe
C:\Windows\System\xbomhsA.exe
C:\Windows\System\xbomhsA.exe
C:\Windows\System\NpJwVuI.exe
C:\Windows\System\NpJwVuI.exe
C:\Windows\System\RYYwpDW.exe
C:\Windows\System\RYYwpDW.exe
C:\Windows\System\vTmMOyh.exe
C:\Windows\System\vTmMOyh.exe
C:\Windows\System\PzdjiVL.exe
C:\Windows\System\PzdjiVL.exe
C:\Windows\System\YcLbGIU.exe
C:\Windows\System\YcLbGIU.exe
C:\Windows\System\NEIuxZa.exe
C:\Windows\System\NEIuxZa.exe
C:\Windows\System\sZzTnVY.exe
C:\Windows\System\sZzTnVY.exe
C:\Windows\System\sFccLeD.exe
C:\Windows\System\sFccLeD.exe
C:\Windows\System\eXwZCsN.exe
C:\Windows\System\eXwZCsN.exe
C:\Windows\System\qOEzeDd.exe
C:\Windows\System\qOEzeDd.exe
C:\Windows\System\wounOUU.exe
C:\Windows\System\wounOUU.exe
C:\Windows\System\IzFfcPQ.exe
C:\Windows\System\IzFfcPQ.exe
C:\Windows\System\bWPMcmV.exe
C:\Windows\System\bWPMcmV.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 136.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
Files
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-10 13:56
Reported
2024-11-10 13:58
Platform
win7-20240903-en
Max time kernel
120s
Max time network
104s
Command Line
Signatures
Cobalt Strike reflective loader
Cobaltstrike
Cobaltstrike family
Xmrig family
xmrig
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\rnlDFHl.exe | N/A |
| N/A | N/A | C:\Windows\System\oxLfYpC.exe | N/A |
| N/A | N/A | C:\Windows\System\vGKaJQF.exe | N/A |
| N/A | N/A | C:\Windows\System\dsmKYdO.exe | N/A |
| N/A | N/A | C:\Windows\System\KFPoFWg.exe | N/A |
| N/A | N/A | C:\Windows\System\riqvWkP.exe | N/A |
| N/A | N/A | C:\Windows\System\CbjxYLB.exe | N/A |
| N/A | N/A | C:\Windows\System\ZFlLtOP.exe | N/A |
| N/A | N/A | C:\Windows\System\MBayiyI.exe | N/A |
| N/A | N/A | C:\Windows\System\jsxZAxv.exe | N/A |
| N/A | N/A | C:\Windows\System\YBKPqup.exe | N/A |
| N/A | N/A | C:\Windows\System\fNkaaGg.exe | N/A |
| N/A | N/A | C:\Windows\System\PouiAeA.exe | N/A |
| N/A | N/A | C:\Windows\System\CMmyUfV.exe | N/A |
| N/A | N/A | C:\Windows\System\VyxUwaG.exe | N/A |
| N/A | N/A | C:\Windows\System\uqzhUhm.exe | N/A |
| N/A | N/A | C:\Windows\System\ftrPwmC.exe | N/A |
| N/A | N/A | C:\Windows\System\zxfVcpp.exe | N/A |
| N/A | N/A | C:\Windows\System\upIrkor.exe | N/A |
| N/A | N/A | C:\Windows\System\qzHlpFZ.exe | N/A |
| N/A | N/A | C:\Windows\System\CvhcTiv.exe | N/A |
Loads dropped DLL
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\9f7889898ba750f81e116a98575018d85618de7e5cb79cca5d4da6fe85027a8cN.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\9f7889898ba750f81e116a98575018d85618de7e5cb79cca5d4da6fe85027a8cN.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\9f7889898ba750f81e116a98575018d85618de7e5cb79cca5d4da6fe85027a8cN.exe
"C:\Users\Admin\AppData\Local\Temp\9f7889898ba750f81e116a98575018d85618de7e5cb79cca5d4da6fe85027a8cN.exe"
C:\Windows\System\rnlDFHl.exe
C:\Windows\System\rnlDFHl.exe
C:\Windows\System\oxLfYpC.exe
C:\Windows\System\oxLfYpC.exe
C:\Windows\System\vGKaJQF.exe
C:\Windows\System\vGKaJQF.exe
C:\Windows\System\riqvWkP.exe
C:\Windows\System\riqvWkP.exe
C:\Windows\System\dsmKYdO.exe
C:\Windows\System\dsmKYdO.exe
C:\Windows\System\CbjxYLB.exe
C:\Windows\System\CbjxYLB.exe
C:\Windows\System\KFPoFWg.exe
C:\Windows\System\KFPoFWg.exe
C:\Windows\System\ZFlLtOP.exe
C:\Windows\System\ZFlLtOP.exe
C:\Windows\System\MBayiyI.exe
C:\Windows\System\MBayiyI.exe
C:\Windows\System\jsxZAxv.exe
C:\Windows\System\jsxZAxv.exe
C:\Windows\System\YBKPqup.exe
C:\Windows\System\YBKPqup.exe
C:\Windows\System\fNkaaGg.exe
C:\Windows\System\fNkaaGg.exe
C:\Windows\System\PouiAeA.exe
C:\Windows\System\PouiAeA.exe
C:\Windows\System\CMmyUfV.exe
C:\Windows\System\CMmyUfV.exe
C:\Windows\System\VyxUwaG.exe
C:\Windows\System\VyxUwaG.exe
C:\Windows\System\ftrPwmC.exe
C:\Windows\System\ftrPwmC.exe
C:\Windows\System\uqzhUhm.exe
C:\Windows\System\uqzhUhm.exe
C:\Windows\System\zxfVcpp.exe
C:\Windows\System\zxfVcpp.exe
C:\Windows\System\upIrkor.exe
C:\Windows\System\upIrkor.exe
C:\Windows\System\qzHlpFZ.exe
C:\Windows\System\qzHlpFZ.exe
C:\Windows\System\CvhcTiv.exe
C:\Windows\System\CvhcTiv.exe
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
| SHA1 | c748f23880914dccf8802ae8ab9436a93e58b46c |
| SHA256 | 250ba2a844e61d9470e643a79bc4565504b141b644bbecc23ec94301af4894a7 |
| SHA512 | 7d9687c7ef7b898c6456265553a3123004c3ffab1714ba389e32c798af9d55877e263e83f2f3253d3ed94c49eca9a3a26ddeb3187a7e0c979a98a1688618def6 |
memory/2508-62-0x00000000021E0000-0x0000000002531000-memory.dmp
memory/2952-144-0x000000013F530000-0x000000013F881000-memory.dmp
memory/2508-143-0x000000013F530000-0x000000013F881000-memory.dmp
C:\Windows\system\MBayiyI.exe
| MD5 | 17cecb58005483958d285fca1d8dcf66 |
| SHA1 | 463183e162e3e4d42ac5474d06f8e6a008721e1a |
| SHA256 | d93fe5ac33c1908c5745e1832ac19965a6f012c316b6da5c6e3bb5a59f356d31 |
| SHA512 | fa9a964df0b15ec8da12b67496bf26d9188af45e2912800d2e5b68203ba611606f01a576fc6e59b7b123dbbb2700c5fa2ab338847729ba6d63e70d910fbcd602 |
memory/3012-57-0x000000013FE20000-0x0000000140171000-memory.dmp
memory/2508-56-0x000000013FE20000-0x0000000140171000-memory.dmp
memory/2508-145-0x000000013FA00000-0x000000013FD51000-memory.dmp
memory/2328-48-0x000000013F6A0000-0x000000013F9F1000-memory.dmp
memory/2508-31-0x000000013F6A0000-0x000000013F9F1000-memory.dmp
memory/1812-30-0x000000013F120000-0x000000013F471000-memory.dmp
\Windows\system\CbjxYLB.exe
| MD5 | f5784d5054be473e75c4e6d5cb912f3b |
| SHA1 | 5873574d31298a86c6c8a888adf35de9808f83b4 |
| SHA256 | 23b5f4d23e287e8bfa3ef850c58dc371b9cd22beb9b7f20fa91acd58ecf1fcba |
| SHA512 | 098eab8d43897dacec213ebd343515d558b639041ff09f7aa3a1aff2e8a8f16cff5d0a6c077cdea880fc2890d231c66d2898a40740d4ada75f3e788562a0a841 |
memory/2860-44-0x000000013FD90000-0x00000001400E1000-memory.dmp
memory/1176-166-0x000000013F310000-0x000000013F661000-memory.dmp
memory/268-165-0x000000013F2F0000-0x000000013F641000-memory.dmp
memory/1096-164-0x000000013F1A0000-0x000000013F4F1000-memory.dmp
memory/1304-163-0x000000013F350000-0x000000013F6A1000-memory.dmp
memory/2968-162-0x000000013F5F0000-0x000000013F941000-memory.dmp
memory/2836-161-0x000000013FB30000-0x000000013FE81000-memory.dmp
memory/1580-160-0x000000013F140000-0x000000013F491000-memory.dmp
memory/2508-42-0x000000013F500000-0x000000013F851000-memory.dmp
memory/2508-40-0x00000000021E0000-0x0000000002531000-memory.dmp
memory/2508-39-0x000000013F1A0000-0x000000013F4F1000-memory.dmp
C:\Windows\system\KFPoFWg.exe
| MD5 | c01aaf976b3f1805161be1295ad47ffb |
| SHA1 | bcf3fc7cbcd470b5f1b9332e55e4c5c06653d644 |
| SHA256 | f756b6e68bc9393c232cc60844113369119bef2e680a8c7d4c5e2a83f6f98eff |
| SHA512 | f4ce638b817d7f9bb3206e63f6b8c76ace2fca28affbe2717c94fd167f399f2e1bd38ef4752883aeb5a971269d1a513b93d0b42fea7a351467ba83107be76909 |
memory/1832-37-0x000000013FB70000-0x000000013FEC1000-memory.dmp
memory/2508-28-0x000000013F120000-0x000000013F471000-memory.dmp
memory/1736-27-0x000000013F1A0000-0x000000013F4F1000-memory.dmp
C:\Windows\system\dsmKYdO.exe
| MD5 | c499ce736a196384754de67cfb405e77 |
| SHA1 | fcbffaa6827c1b176aae8e07c847d9c4282a8cc7 |
| SHA256 | 8048171c61a46d15cff34662e6e3b5c953f1a20e3059a60cef770fb7f9deb920 |
| SHA512 | 63202aff1c95db66a3b6e7e6e5c9a81d1f690f2219b9d645fedf758baa2d1386f3574343e6059d72d2af5eaaa0a5e0ff0de262efb5b5178603295c13abed9cee |
memory/2096-24-0x000000013F070000-0x000000013F3C1000-memory.dmp
memory/2508-167-0x000000013FA00000-0x000000013FD51000-memory.dmp
memory/2096-220-0x000000013F070000-0x000000013F3C1000-memory.dmp
memory/1812-222-0x000000013F120000-0x000000013F471000-memory.dmp
memory/1736-224-0x000000013F1A0000-0x000000013F4F1000-memory.dmp
memory/1832-226-0x000000013FB70000-0x000000013FEC1000-memory.dmp
memory/2860-228-0x000000013FD90000-0x00000001400E1000-memory.dmp
memory/2328-237-0x000000013F6A0000-0x000000013F9F1000-memory.dmp
memory/3012-239-0x000000013FE20000-0x0000000140171000-memory.dmp
memory/2704-241-0x000000013F500000-0x000000013F851000-memory.dmp
memory/2972-243-0x000000013FBA0000-0x000000013FEF1000-memory.dmp
memory/2772-245-0x000000013F180000-0x000000013F4D1000-memory.dmp
memory/2056-247-0x000000013FDC0000-0x0000000140111000-memory.dmp
memory/2648-249-0x000000013FD80000-0x00000001400D1000-memory.dmp
memory/1944-251-0x000000013F640000-0x000000013F991000-memory.dmp
memory/2952-260-0x000000013F530000-0x000000013F881000-memory.dmp