xmrig | ac8464357a272c7c31a9c02f7e104eab60a95c95c28a7a0bbb32ffde434a7ec8

Analysis

max time kernel
77s
max time network
139s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
26/12/2023, 14:31

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

75c59b11f7a166bb4e20023a621b4bac.exe
Size

1.3MB
MD5

75c59b11f7a166bb4e20023a621b4bac
SHA1

f568b4deb151131bcc38f9e759505d7511a0941e
SHA256

ac8464357a272c7c31a9c02f7e104eab60a95c95c28a7a0bbb32ffde434a7ec8
SHA512

0019807e329d1f0631b68979e3a07e2ca28188dcdd7a1c229f92812715b4b7805b2f5f9964c257d4779844c54fc93e70245c59069424888463993d4c4907b4ab
SSDEEP

24576:RVIl/WDGCi7/qkat6Q5aILMCfmARvKYYwdy2VlmNCQgIT0rKiwnotfohd:ROdWCCi7/raZ5aIwC+Ax4ErWThi7JId

Score

10^/10

xmrig miner upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 12 IoCs

miner

resource	yara_rule
behavioral2/memory/1384-442-0x00007FF73AFD0000-0x00007FF73B321000-memory.dmp	xmrig
behavioral2/memory/2900-605-0x00007FF7E52F0000-0x00007FF7E5641000-memory.dmp	xmrig
behavioral2/memory/4236-827-0x00007FF7F9C60000-0x00007FF7F9FB1000-memory.dmp	xmrig
behavioral2/memory/2664-829-0x00007FF74A720000-0x00007FF74AA71000-memory.dmp	xmrig
behavioral2/memory/888-1156-0x00007FF69F290000-0x00007FF69F5E1000-memory.dmp	xmrig
behavioral2/memory/15392-2563-0x00007FF6C0EA0000-0x00007FF6C11F1000-memory.dmp	xmrig
behavioral2/memory/9816-2562-0x00007FF739130000-0x00007FF739481000-memory.dmp	xmrig
behavioral2/memory/9700-2561-0x00007FF6D5C40000-0x00007FF6D5F91000-memory.dmp	xmrig
behavioral2/memory/9712-2560-0x00007FF785840000-0x00007FF785B91000-memory.dmp	xmrig
behavioral2/memory/9960-2202-0x00007FF628620000-0x00007FF628971000-memory.dmp	xmrig
behavioral2/memory/1700-2125-0x00007FF758B50000-0x00007FF758EA1000-memory.dmp	xmrig
behavioral2/memory/15236-2085-0x00007FF7B1B80000-0x00007FF7B1ED1000-memory.dmp	xmrig

Executes dropped EXE 1 IoCs

pid	Process
2104	CbKmUsq.exe

UPX packed file 43 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1560-0-0x00007FF73C1D0000-0x00007FF73C521000-memory.dmp	upx
behavioral2/files/0x000d00000002315a-5.dat	upx
behavioral2/files/0x000300000001e982-46.dat	upx
behavioral2/memory/1384-442-0x00007FF73AFD0000-0x00007FF73B321000-memory.dmp	upx
behavioral2/memory/2900-605-0x00007FF7E52F0000-0x00007FF7E5641000-memory.dmp	upx
behavioral2/memory/4236-827-0x00007FF7F9C60000-0x00007FF7F9FB1000-memory.dmp	upx
behavioral2/memory/2664-829-0x00007FF74A720000-0x00007FF74AA71000-memory.dmp	upx
behavioral2/memory/888-1156-0x00007FF69F290000-0x00007FF69F5E1000-memory.dmp	upx
behavioral2/memory/10468-1933-0x00007FF638F60000-0x00007FF6392B1000-memory.dmp	upx
behavioral2/memory/7844-1960-0x00007FF7B68C0000-0x00007FF7B6C11000-memory.dmp	upx
behavioral2/memory/3472-2429-0x00007FF6048B0000-0x00007FF604C01000-memory.dmp	upx
behavioral2/memory/8328-2467-0x00007FF7FC450000-0x00007FF7FC7A1000-memory.dmp	upx
behavioral2/memory/4800-2505-0x00007FF642A00000-0x00007FF642D51000-memory.dmp	upx
behavioral2/memory/15392-2563-0x00007FF6C0EA0000-0x00007FF6C11F1000-memory.dmp	upx
behavioral2/memory/9816-2562-0x00007FF739130000-0x00007FF739481000-memory.dmp	upx
behavioral2/memory/9700-2561-0x00007FF6D5C40000-0x00007FF6D5F91000-memory.dmp	upx
behavioral2/memory/9712-2560-0x00007FF785840000-0x00007FF785B91000-memory.dmp	upx
behavioral2/memory/14200-2539-0x00007FF65A5C0000-0x00007FF65A911000-memory.dmp	upx
behavioral2/memory/16248-2537-0x00007FF73FEE0000-0x00007FF740231000-memory.dmp	upx
behavioral2/memory/3828-2535-0x00007FF61A4D0000-0x00007FF61A821000-memory.dmp	upx
behavioral2/memory/10760-2534-0x00007FF77C720000-0x00007FF77CA71000-memory.dmp	upx
behavioral2/memory/15256-2536-0x00007FF7A8A50000-0x00007FF7A8DA1000-memory.dmp	upx
behavioral2/memory/9856-2532-0x00007FF7B9250000-0x00007FF7B95A1000-memory.dmp	upx
behavioral2/memory/14504-2529-0x00007FF7C3200000-0x00007FF7C3551000-memory.dmp	upx
behavioral2/memory/13124-2506-0x00007FF7B54C0000-0x00007FF7B5811000-memory.dmp	upx
behavioral2/memory/14404-2528-0x00007FF6216A0000-0x00007FF6219F1000-memory.dmp	upx
behavioral2/memory/14528-2527-0x00007FF73FDD0000-0x00007FF740121000-memory.dmp	upx
behavioral2/memory/3352-2492-0x00007FF722180000-0x00007FF7224D1000-memory.dmp	upx
behavioral2/memory/16132-2491-0x00007FF7FE4C0000-0x00007FF7FE811000-memory.dmp	upx
behavioral2/memory/14736-2490-0x00007FF6E4C20000-0x00007FF6E4F71000-memory.dmp	upx
behavioral2/memory/3540-2489-0x00007FF68DDA0000-0x00007FF68E0F1000-memory.dmp	upx
behavioral2/memory/448-2488-0x00007FF6BF230000-0x00007FF6BF581000-memory.dmp	upx
behavioral2/memory/6584-2494-0x00007FF7512C0000-0x00007FF751611000-memory.dmp	upx
behavioral2/memory/16160-2493-0x00007FF712F50000-0x00007FF7132A1000-memory.dmp	upx
behavioral2/memory/8120-2472-0x00007FF6B4DF0000-0x00007FF6B5141000-memory.dmp	upx
behavioral2/memory/8808-2487-0x00007FF74E920000-0x00007FF74EC71000-memory.dmp	upx
behavioral2/memory/15116-2466-0x00007FF7276C0000-0x00007FF727A11000-memory.dmp	upx
behavioral2/memory/10016-2463-0x00007FF75F4B0000-0x00007FF75F801000-memory.dmp	upx
behavioral2/memory/10812-2438-0x00007FF6A4C40000-0x00007FF6A4F91000-memory.dmp	upx
behavioral2/memory/5684-2430-0x00007FF686EA0000-0x00007FF6871F1000-memory.dmp	upx
behavioral2/memory/9960-2202-0x00007FF628620000-0x00007FF628971000-memory.dmp	upx
behavioral2/memory/1700-2125-0x00007FF758B50000-0x00007FF758EA1000-memory.dmp	upx
behavioral2/memory/15236-2085-0x00007FF7B1B80000-0x00007FF7B1ED1000-memory.dmp	upx

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\System\CbKmUsq.exe	75c59b11f7a166bb4e20023a621b4bac.exe
File created	C:\Windows\System\jBnTXpX.exe	75c59b11f7a166bb4e20023a621b4bac.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 1560 wrote to memory of 2104	1560	75c59b11f7a166bb4e20023a621b4bac.exe	89
PID 1560 wrote to memory of 2104	1560	75c59b11f7a166bb4e20023a621b4bac.exe	89

C:\Users\Admin\AppData\Local\Temp\75c59b11f7a166bb4e20023a621b4bac.exe
"C:\Users\Admin\AppData\Local\Temp\75c59b11f7a166bb4e20023a621b4bac.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1560
- C:\Windows\System\CbKmUsq.exe
  C:\Windows\System\CbKmUsq.exe
  2⤵
  - Executes dropped EXE
  PID:2104
- C:\Windows\System\jBnTXpX.exe
  C:\Windows\System\jBnTXpX.exe
  2⤵
  PID:4464
- C:\Windows\System\NHKoXVc.exe
  C:\Windows\System\NHKoXVc.exe
  2⤵
  PID:3012
- C:\Windows\System\eITozSI.exe
  C:\Windows\System\eITozSI.exe
  2⤵
  PID:2004
- C:\Windows\System\FrkoYLc.exe
  C:\Windows\System\FrkoYLc.exe
  2⤵
  PID:4964
- C:\Windows\System\LIxHZRD.exe
  C:\Windows\System\LIxHZRD.exe
  2⤵
  PID:228
- C:\Windows\System\NkeGZtM.exe
  C:\Windows\System\NkeGZtM.exe
  2⤵
  PID:4184
- C:\Windows\System\gbpGCCG.exe
  C:\Windows\System\gbpGCCG.exe
  2⤵
  PID:4808
- C:\Windows\System\rWOrCyv.exe
  C:\Windows\System\rWOrCyv.exe
  2⤵
  PID:2900
- C:\Windows\System\FJKlhAv.exe
  C:\Windows\System\FJKlhAv.exe
  2⤵
  PID:4236
- C:\Windows\System\KXQzHZp.exe
  C:\Windows\System\KXQzHZp.exe
  2⤵
  PID:916
- C:\Windows\System\HeXvlsw.exe
  C:\Windows\System\HeXvlsw.exe
  2⤵
  PID:5600
- C:\Windows\System\gBbUamX.exe
  C:\Windows\System\gBbUamX.exe
  2⤵
  PID:6164
- C:\Windows\System\TbGPYbL.exe
  C:\Windows\System\TbGPYbL.exe
  2⤵
  PID:6148
- C:\Windows\System\XioPbKj.exe
  C:\Windows\System\XioPbKj.exe
  2⤵
  PID:7228
- C:\Windows\System\ADCCMTl.exe
  C:\Windows\System\ADCCMTl.exe
  2⤵
  PID:9096
- C:\Windows\System\GLxGWpV.exe
  C:\Windows\System\GLxGWpV.exe
  2⤵
  PID:10612
- C:\Windows\System\EMWQlgT.exe
  C:\Windows\System\EMWQlgT.exe
  2⤵
  PID:13024
- C:\Windows\System\mglwOFx.exe
  C:\Windows\System\mglwOFx.exe
  2⤵
  PID:1700
- C:\Windows\System\ULfHqKp.exe
  C:\Windows\System\ULfHqKp.exe
  2⤵
  PID:8464
- C:\Windows\System\bfIgwKR.exe
  C:\Windows\System\bfIgwKR.exe
  2⤵
  PID:12964
- C:\Windows\System\yNLoSSk.exe
  C:\Windows\System\yNLoSSk.exe
  2⤵
  PID:6944
- C:\Windows\System\ettGFWq.exe
  C:\Windows\System\ettGFWq.exe
  2⤵
  PID:10808
- C:\Windows\System\IEbZnjQ.exe
  C:\Windows\System\IEbZnjQ.exe
  2⤵
  PID:5684
- C:\Windows\System\ySIETOs.exe
  C:\Windows\System\ySIETOs.exe
  2⤵
  PID:14948
- C:\Windows\System\KxgKxIm.exe
  C:\Windows\System\KxgKxIm.exe
  2⤵
  PID:10760
- C:\Windows\System\PkLBreZ.exe
  C:\Windows\System\PkLBreZ.exe
  2⤵
  PID:3828
- C:\Windows\System\XTNFCTi.exe
  C:\Windows\System\XTNFCTi.exe
  2⤵
  PID:9856
- C:\Windows\System\DJdLtID.exe
  C:\Windows\System\DJdLtID.exe
  2⤵
  PID:14504
- C:\Windows\System\cdWPTsi.exe
  C:\Windows\System\cdWPTsi.exe
  2⤵
  PID:14528
- C:\Windows\System\lWFMtLX.exe
  C:\Windows\System\lWFMtLX.exe
  2⤵
  PID:14404
- C:\Windows\System\mRUYEnY.exe
  C:\Windows\System\mRUYEnY.exe
  2⤵
  PID:3472
- C:\Windows\System\RagwCmt.exe
  C:\Windows\System\RagwCmt.exe
  2⤵
  PID:4900
- C:\Windows\System\XRfeIlC.exe
  C:\Windows\System\XRfeIlC.exe
  2⤵
  PID:9268
- C:\Windows\System\lWQFXiW.exe
  C:\Windows\System\lWQFXiW.exe
  2⤵
  PID:4876
- C:\Windows\System\MZZDsOQ.exe
  C:\Windows\System\MZZDsOQ.exe
  2⤵
  PID:4572
- C:\Windows\System\DHGaZLY.exe
  C:\Windows\System\DHGaZLY.exe
  2⤵
  PID:11168
- C:\Windows\System\aXomEoY.exe
  C:\Windows\System\aXomEoY.exe
  2⤵
  PID:14200
- C:\Windows\System\qprOMUq.exe
  C:\Windows\System\qprOMUq.exe
  2⤵
  PID:6108
- C:\Windows\System\LBAfZeM.exe
  C:\Windows\System\LBAfZeM.exe
  2⤵
  PID:5536
- C:\Windows\System\PGCukYO.exe
  C:\Windows\System\PGCukYO.exe
  2⤵
  PID:10876
- C:\Windows\System\IAmNKGg.exe
  C:\Windows\System\IAmNKGg.exe
  2⤵
  PID:12812
- C:\Windows\System\IPhDzGf.exe
  C:\Windows\System\IPhDzGf.exe
  2⤵
  PID:12568
- C:\Windows\System\dgMStzM.exe
  C:\Windows\System\dgMStzM.exe
  2⤵
  PID:14132
- C:\Windows\System\oFRChWL.exe
  C:\Windows\System\oFRChWL.exe
  2⤵
  PID:15700
- C:\Windows\System\YINkWLI.exe
  C:\Windows\System\YINkWLI.exe
  2⤵
  PID:2892
- C:\Windows\System\OQfOqcf.exe
  C:\Windows\System\OQfOqcf.exe
  2⤵
  PID:448
- C:\Windows\System\CWXXsvf.exe
  C:\Windows\System\CWXXsvf.exe
  2⤵
  PID:13640
- C:\Windows\System\MqNRGwu.exe
  C:\Windows\System\MqNRGwu.exe
  2⤵
  PID:6524
- C:\Windows\System\PYkuUYk.exe
  C:\Windows\System\PYkuUYk.exe
  2⤵
  PID:13472
- C:\Windows\System\tFIwqFC.exe
  C:\Windows\System\tFIwqFC.exe
  2⤵
  PID:13392
- C:\Windows\System\PnmvrfA.exe
  C:\Windows\System\PnmvrfA.exe
  2⤵
  PID:12716
- C:\Windows\System\qkRyfoI.exe
  C:\Windows\System\qkRyfoI.exe
  2⤵
  PID:2672
- C:\Windows\System\SZgYZWr.exe
  C:\Windows\System\SZgYZWr.exe
  2⤵
  PID:6732
- C:\Windows\System\SgCpmkJ.exe
  C:\Windows\System\SgCpmkJ.exe
  2⤵
  PID:10632
- C:\Windows\System\VRzalmC.exe
  C:\Windows\System\VRzalmC.exe
  2⤵
  PID:12548
- C:\Windows\System\GnCYygl.exe
  C:\Windows\System\GnCYygl.exe
  2⤵
  PID:8808
- C:\Windows\System\yVOAwQx.exe
  C:\Windows\System\yVOAwQx.exe
  2⤵
  PID:16108
- C:\Windows\System\EveeQhF.exe
  C:\Windows\System\EveeQhF.exe
  2⤵
  PID:9016
- C:\Windows\System\qXtpmZi.exe
  C:\Windows\System\qXtpmZi.exe
  2⤵
  PID:8096
- C:\Windows\System\FtYimyF.exe
  C:\Windows\System\FtYimyF.exe
  2⤵
  PID:7972
- C:\Windows\System\CiDbwyO.exe
  C:\Windows\System\CiDbwyO.exe
  2⤵
  PID:10276
- C:\Windows\System\UpHThRL.exe
  C:\Windows\System\UpHThRL.exe
  2⤵
  PID:7876
- C:\Windows\System\nSZLfAi.exe
  C:\Windows\System\nSZLfAi.exe
  2⤵
  PID:7796
- C:\Windows\System\uwEyyAz.exe
  C:\Windows\System\uwEyyAz.exe
  2⤵
  PID:11416
- C:\Windows\System\NsJxwbU.exe
  C:\Windows\System\NsJxwbU.exe
  2⤵
  PID:1164
- C:\Windows\System\GzAgbyN.exe
  C:\Windows\System\GzAgbyN.exe
  2⤵
  PID:16136
- C:\Windows\System\vvdksoF.exe
  C:\Windows\System\vvdksoF.exe
  2⤵
  PID:5088
- C:\Windows\System\KyHPcDI.exe
  C:\Windows\System\KyHPcDI.exe
  2⤵
  PID:3540
- C:\Windows\System\eiXZvuB.exe
  C:\Windows\System\eiXZvuB.exe
  2⤵
  PID:3352
- C:\Windows\System\Qobwqei.exe
  C:\Windows\System\Qobwqei.exe
  2⤵
  PID:16232
- C:\Windows\System\szSbINE.exe
  C:\Windows\System\szSbINE.exe
  2⤵
  PID:16132
- C:\Windows\System\PrMzZvs.exe
  C:\Windows\System\PrMzZvs.exe
  2⤵
  PID:16160
- C:\Windows\System\OhQzbot.exe
  C:\Windows\System\OhQzbot.exe
  2⤵
  PID:16176
- C:\Windows\System\oKvGtmz.exe
  C:\Windows\System\oKvGtmz.exe
  2⤵
  PID:16192
- C:\Windows\System\NKUyYBp.exe
  C:\Windows\System\NKUyYBp.exe
  2⤵
  PID:16208
- C:\Windows\System\RYeoJoN.exe
  C:\Windows\System\RYeoJoN.exe
  2⤵
  PID:4800
- C:\Windows\System\cASOihl.exe
  C:\Windows\System\cASOihl.exe
  2⤵
  PID:16344
- C:\Windows\System\XvWzYKN.exe
  C:\Windows\System\XvWzYKN.exe
  2⤵
  PID:16300
- C:\Windows\System\JboitSA.exe
  C:\Windows\System\JboitSA.exe
  2⤵
  PID:16276
- C:\Windows\System\irSxlWE.exe
  C:\Windows\System\irSxlWE.exe
  2⤵
  PID:15644
- C:\Windows\System\iPRWkoN.exe
  C:\Windows\System\iPRWkoN.exe
  2⤵
  PID:15620
- C:\Windows\System\WPjSSdd.exe
  C:\Windows\System\WPjSSdd.exe
  2⤵
  PID:15596
- C:\Windows\System\kHbfLLC.exe
  C:\Windows\System\kHbfLLC.exe
  2⤵
  PID:15472
- C:\Windows\System\MTBRuTx.exe
  C:\Windows\System\MTBRuTx.exe
  2⤵
  PID:10016
- C:\Windows\System\GFvHfee.exe
  C:\Windows\System\GFvHfee.exe
  2⤵
  PID:15344
- C:\Windows\System\fSLPRRs.exe
  C:\Windows\System\fSLPRRs.exe
  2⤵
  PID:15288
- C:\Windows\System\BZyizqB.exe
  C:\Windows\System\BZyizqB.exe
  2⤵
  PID:15256
- C:\Windows\System\gYdnQbI.exe
  C:\Windows\System\gYdnQbI.exe
  2⤵
  PID:15116
- C:\Windows\System\pDovmWQ.exe
  C:\Windows\System\pDovmWQ.exe
  2⤵
  PID:15004
- C:\Windows\System\xKmhmBT.exe
  C:\Windows\System\xKmhmBT.exe
  2⤵
  PID:16248
- C:\Windows\System\OohnAcO.exe
  C:\Windows\System\OohnAcO.exe
  2⤵
  PID:14788
- C:\Windows\System\AbxpirY.exe
  C:\Windows\System\AbxpirY.exe
  2⤵
  PID:14736
- C:\Windows\System\NkmLZNK.exe
  C:\Windows\System\NkmLZNK.exe
  2⤵
  PID:14580
- C:\Windows\System\nIxVrZb.exe
  C:\Windows\System\nIxVrZb.exe
  2⤵
  PID:7276
- C:\Windows\System\IVUOuaJ.exe
  C:\Windows\System\IVUOuaJ.exe
  2⤵
  PID:7220
- C:\Windows\System\coronrd.exe
  C:\Windows\System\coronrd.exe
  2⤵
  PID:7184
- C:\Windows\System\vQJjnPD.exe
  C:\Windows\System\vQJjnPD.exe
  2⤵
  PID:8328
- C:\Windows\System\SMkCgic.exe
  C:\Windows\System\SMkCgic.exe
  2⤵
  PID:14236
- C:\Windows\System\NjcPizL.exe
  C:\Windows\System\NjcPizL.exe
  2⤵
  PID:14096
- C:\Windows\System\jLWBQTL.exe
  C:\Windows\System\jLWBQTL.exe
  2⤵
  PID:13964
- C:\Windows\System\MjMErIA.exe
  C:\Windows\System\MjMErIA.exe
  2⤵
  PID:13848
- C:\Windows\System\YuxTBrB.exe
  C:\Windows\System\YuxTBrB.exe
  2⤵
  PID:13236
- C:\Windows\System\sTdByhV.exe
  C:\Windows\System\sTdByhV.exe
  2⤵
  PID:13200
- C:\Windows\System\UTERYwb.exe
  C:\Windows\System\UTERYwb.exe
  2⤵
  PID:13164
- C:\Windows\System\gTkhFRE.exe
  C:\Windows\System\gTkhFRE.exe
  2⤵
  PID:15764
- C:\Windows\System\keqzjdu.exe
  C:\Windows\System\keqzjdu.exe
  2⤵
  PID:15968
- C:\Windows\System\MQJQuAc.exe
  C:\Windows\System\MQJQuAc.exe
  2⤵
  PID:13124
- C:\Windows\System\moFiAGg.exe
  C:\Windows\System\moFiAGg.exe
  2⤵
  PID:13040
- C:\Windows\System\OIcUbJT.exe
  C:\Windows\System\OIcUbJT.exe
  2⤵
  PID:13004
- C:\Windows\System\ydWFVqJ.exe
  C:\Windows\System\ydWFVqJ.exe
  2⤵
  PID:12932
- C:\Windows\System\AZLsjSb.exe
  C:\Windows\System\AZLsjSb.exe
  2⤵
  PID:15880
- C:\Windows\System\BrhtHZA.exe
  C:\Windows\System\BrhtHZA.exe
  2⤵
  PID:11976
- C:\Windows\System\dhCDreN.exe
  C:\Windows\System\dhCDreN.exe
  2⤵
  PID:15760
- C:\Windows\System\LQSDDiW.exe
  C:\Windows\System\LQSDDiW.exe
  2⤵
  PID:3468
- C:\Windows\System\KftqCNF.exe
  C:\Windows\System\KftqCNF.exe
  2⤵
  PID:7616
- C:\Windows\System\gLQowVE.exe
  C:\Windows\System\gLQowVE.exe
  2⤵
  PID:6560
- C:\Windows\System\CUKlGhh.exe
  C:\Windows\System\CUKlGhh.exe
  2⤵
  PID:8712
- C:\Windows\System\yetDPKF.exe
  C:\Windows\System\yetDPKF.exe
  2⤵
  PID:8344
- C:\Windows\System\XdQpdDM.exe
  C:\Windows\System\XdQpdDM.exe
  2⤵
  PID:6584
- C:\Windows\System\PfgXbli.exe
  C:\Windows\System\PfgXbli.exe
  2⤵
  PID:8120
- C:\Windows\System\EkEKGXL.exe
  C:\Windows\System\EkEKGXL.exe
  2⤵
  PID:16052
- C:\Windows\System\SsJbfoa.exe
  C:\Windows\System\SsJbfoa.exe
  2⤵
  PID:11136
- C:\Windows\System\EyXfMoI.exe
  C:\Windows\System\EyXfMoI.exe
  2⤵
  PID:11008
- C:\Windows\System\lEiuEoA.exe
  C:\Windows\System\lEiuEoA.exe
  2⤵
  PID:12764
- C:\Windows\System\XvBoUcY.exe
  C:\Windows\System\XvBoUcY.exe
  2⤵
  PID:12460
- C:\Windows\System\uXjKYSy.exe
  C:\Windows\System\uXjKYSy.exe
  2⤵
  PID:12268
- C:\Windows\System\lRgunhq.exe
  C:\Windows\System\lRgunhq.exe
  2⤵
  PID:12236
- C:\Windows\System\YgFJRLR.exe
  C:\Windows\System\YgFJRLR.exe
  2⤵
  PID:12200
- C:\Windows\System\gapYwwp.exe
  C:\Windows\System\gapYwwp.exe
  2⤵
  PID:12160
- C:\Windows\System\AvVlKAz.exe
  C:\Windows\System\AvVlKAz.exe
  2⤵
  PID:12108
- C:\Windows\System\XWqwNcq.exe
  C:\Windows\System\XWqwNcq.exe
  2⤵
  PID:12072
- C:\Windows\System\LWZigGn.exe
  C:\Windows\System\LWZigGn.exe
  2⤵
  PID:12028
- C:\Windows\System\hzDvENP.exe
  C:\Windows\System\hzDvENP.exe
  2⤵
  PID:11964
- C:\Windows\System\LWypBiM.exe
  C:\Windows\System\LWypBiM.exe
  2⤵
  PID:10812
- C:\Windows\System\lOnzuti.exe
  C:\Windows\System\lOnzuti.exe
  2⤵
  PID:15808
- C:\Windows\System\ZwoFlkA.exe
  C:\Windows\System\ZwoFlkA.exe
  2⤵
  PID:11776
- C:\Windows\System\RmlnygK.exe
  C:\Windows\System\RmlnygK.exe
  2⤵
  PID:11720
- C:\Windows\System\GXoqTSR.exe
  C:\Windows\System\GXoqTSR.exe
  2⤵
  PID:11684
- C:\Windows\System\OrbaGiN.exe
  C:\Windows\System\OrbaGiN.exe
  2⤵
  PID:15796
- C:\Windows\System\IsJsscM.exe
  C:\Windows\System\IsJsscM.exe
  2⤵
  PID:15776
- C:\Windows\System\yhwZffx.exe
  C:\Windows\System\yhwZffx.exe
  2⤵
  PID:11612
- C:\Windows\System\eHcmJSX.exe
  C:\Windows\System\eHcmJSX.exe
  2⤵
  PID:10740
- C:\Windows\System\bFklKzS.exe
  C:\Windows\System\bFklKzS.exe
  2⤵
  PID:11396
- C:\Windows\System\XmmorPn.exe
  C:\Windows\System\XmmorPn.exe
  2⤵
  PID:11356
- C:\Windows\System\QHUqMqx.exe
  C:\Windows\System\QHUqMqx.exe
  2⤵
  PID:11320
- C:\Windows\System\CfQELyy.exe
  C:\Windows\System\CfQELyy.exe
  2⤵
  PID:11276
- C:\Windows\System\KxMSYFx.exe
  C:\Windows\System\KxMSYFx.exe
  2⤵
  PID:8188
- C:\Windows\System\cmCqGok.exe
  C:\Windows\System\cmCqGok.exe
  2⤵
  PID:7776
- C:\Windows\System\UYRnpaZ.exe
  C:\Windows\System\UYRnpaZ.exe
  2⤵
  PID:7612
- C:\Windows\System\DOAQvuC.exe
  C:\Windows\System\DOAQvuC.exe
  2⤵
  PID:6816
- C:\Windows\System\QVzaYfz.exe
  C:\Windows\System\QVzaYfz.exe
  2⤵
  PID:10636
- C:\Windows\System\eqHIGqi.exe
  C:\Windows\System\eqHIGqi.exe
  2⤵
  PID:10588
- C:\Windows\System\uvwfCRK.exe
  C:\Windows\System\uvwfCRK.exe
  2⤵
  PID:10532
- C:\Windows\System\wuZBnlF.exe
  C:\Windows\System\wuZBnlF.exe
  2⤵
  PID:10464
- C:\Windows\System\YXQnCRz.exe
  C:\Windows\System\YXQnCRz.exe
  2⤵
  PID:10408
- C:\Windows\System\cyBqKdC.exe
  C:\Windows\System\cyBqKdC.exe
  2⤵
  PID:10364
- C:\Windows\System\uqEuAGF.exe
  C:\Windows\System\uqEuAGF.exe
  2⤵
  PID:7816
- C:\Windows\System\zGfmyOZ.exe
  C:\Windows\System\zGfmyOZ.exe
  2⤵
  PID:7476
- C:\Windows\System\jpkmmGp.exe
  C:\Windows\System\jpkmmGp.exe
  2⤵
  PID:10184
- C:\Windows\System\nDXLGOv.exe
  C:\Windows\System\nDXLGOv.exe
  2⤵
  PID:10056
- C:\Windows\System\cuZJTTE.exe
  C:\Windows\System\cuZJTTE.exe
  2⤵
  PID:15532
- C:\Windows\System\IkECxWw.exe
  C:\Windows\System\IkECxWw.exe
  2⤵
  PID:15516
- C:\Windows\System\GWWLfkc.exe
  C:\Windows\System\GWWLfkc.exe
  2⤵
  PID:15496

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
PID:15432

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
PID:7524

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
PID:6924

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\CbKmUsq.exe

Filesize
449KB

MD5
9b1c97486eebeab43048bc2aec9aae1c

SHA1
4bf1c3294b3d7cba30de14356b6b5ca16e67331f

SHA256
79aef7bf45f644105d7db3783bbf13041e43af0a08ff65ad7c4b6d07d1d06568

SHA512
3ab2c651d53e3a865d01d409195eaaf8a6f5d1934db1e3b1c1d8fae9352000ab25f0d3b4f46741f9ccfb8793f97846ac3ec45f106c70f908544615a5e5d30592

Download Submit
C:\Windows\System\NkeGZtM.exe

Filesize
64KB

MD5
990857d2b61cee085cf72ce6c8c7e46a

SHA1
a136ecea2aaba10562bf1d8189d9c2777159d971

SHA256
8edfb8d06bf599bef40497a1cfe0da6d9256e3b8c9619315be56bd2761cb5511

SHA512
719bbf375652bffd6ae76238414df170479a8cbf7761efd15600ad91bbbc5fd228ed7522c7fba049cc3f7b460fd15326ccd67d752cd58b5f4b7705a4a3de6e6c

Download Submit
memory/448-2488-0x00007FF6BF230000-0x00007FF6BF581000-memory.dmp

Filesize
3.3MB

Download
memory/888-1156-0x00007FF69F290000-0x00007FF69F5E1000-memory.dmp

Filesize
3.3MB

Download
memory/1384-442-0x00007FF73AFD0000-0x00007FF73B321000-memory.dmp

Filesize
3.3MB

Download
memory/1560-0-0x00007FF73C1D0000-0x00007FF73C521000-memory.dmp

Filesize
3.3MB

Download
memory/1560-1-0x000001BFC81E0000-0x000001BFC81F0000-memory.dmp

Filesize
64KB

Download
memory/1700-2125-0x00007FF758B50000-0x00007FF758EA1000-memory.dmp

Filesize
3.3MB

Download
memory/2664-829-0x00007FF74A720000-0x00007FF74AA71000-memory.dmp

Filesize
3.3MB

Download
memory/2900-605-0x00007FF7E52F0000-0x00007FF7E5641000-memory.dmp

Filesize
3.3MB

Download
memory/3352-2492-0x00007FF722180000-0x00007FF7224D1000-memory.dmp

Filesize
3.3MB

Download
memory/3472-2429-0x00007FF6048B0000-0x00007FF604C01000-memory.dmp

Filesize
3.3MB

Download
memory/3540-2489-0x00007FF68DDA0000-0x00007FF68E0F1000-memory.dmp

Filesize
3.3MB

Download
memory/3828-2535-0x00007FF61A4D0000-0x00007FF61A821000-memory.dmp

Filesize
3.3MB

Download
memory/4236-827-0x00007FF7F9C60000-0x00007FF7F9FB1000-memory.dmp

Filesize
3.3MB

Download
memory/4800-2505-0x00007FF642A00000-0x00007FF642D51000-memory.dmp

Filesize
3.3MB

Download
memory/5684-2430-0x00007FF686EA0000-0x00007FF6871F1000-memory.dmp

Filesize
3.3MB

Download
memory/6584-2494-0x00007FF7512C0000-0x00007FF751611000-memory.dmp

Filesize
3.3MB

Download
memory/7844-1960-0x00007FF7B68C0000-0x00007FF7B6C11000-memory.dmp

Filesize
3.3MB

Download
memory/8120-2472-0x00007FF6B4DF0000-0x00007FF6B5141000-memory.dmp

Filesize
3.3MB

Download
memory/8328-2467-0x00007FF7FC450000-0x00007FF7FC7A1000-memory.dmp

Filesize
3.3MB

Download
memory/8808-2487-0x00007FF74E920000-0x00007FF74EC71000-memory.dmp

Filesize
3.3MB

Download
memory/9700-2561-0x00007FF6D5C40000-0x00007FF6D5F91000-memory.dmp

Filesize
3.3MB

Download
memory/9712-2560-0x00007FF785840000-0x00007FF785B91000-memory.dmp

Filesize
3.3MB

Download
memory/9816-2562-0x00007FF739130000-0x00007FF739481000-memory.dmp

Filesize
3.3MB

Download
memory/9856-2532-0x00007FF7B9250000-0x00007FF7B95A1000-memory.dmp

Filesize
3.3MB

Download
memory/9960-2202-0x00007FF628620000-0x00007FF628971000-memory.dmp

Filesize
3.3MB

Download
memory/10016-2463-0x00007FF75F4B0000-0x00007FF75F801000-memory.dmp

Filesize
3.3MB

Download
memory/10468-1933-0x00007FF638F60000-0x00007FF6392B1000-memory.dmp

Filesize
3.3MB

Download
memory/10760-2534-0x00007FF77C720000-0x00007FF77CA71000-memory.dmp

Filesize
3.3MB

Download
memory/10812-2438-0x00007FF6A4C40000-0x00007FF6A4F91000-memory.dmp

Filesize
3.3MB

Download
memory/13124-2506-0x00007FF7B54C0000-0x00007FF7B5811000-memory.dmp

Filesize
3.3MB

Download
memory/14200-2539-0x00007FF65A5C0000-0x00007FF65A911000-memory.dmp

Filesize
3.3MB

Download
memory/14404-2528-0x00007FF6216A0000-0x00007FF6219F1000-memory.dmp

Filesize
3.3MB

Download
memory/14504-2529-0x00007FF7C3200000-0x00007FF7C3551000-memory.dmp

Filesize
3.3MB

Download
memory/14528-2527-0x00007FF73FDD0000-0x00007FF740121000-memory.dmp

Filesize
3.3MB

Download
memory/14736-2490-0x00007FF6E4C20000-0x00007FF6E4F71000-memory.dmp

Filesize
3.3MB

Download
memory/15116-2466-0x00007FF7276C0000-0x00007FF727A11000-memory.dmp

Filesize
3.3MB

Download
memory/15236-2085-0x00007FF7B1B80000-0x00007FF7B1ED1000-memory.dmp

Filesize
3.3MB

Download
memory/15256-2536-0x00007FF7A8A50000-0x00007FF7A8DA1000-memory.dmp

Filesize
3.3MB

Download
memory/15392-2563-0x00007FF6C0EA0000-0x00007FF6C11F1000-memory.dmp

Filesize
3.3MB

Download
memory/16132-2491-0x00007FF7FE4C0000-0x00007FF7FE811000-memory.dmp

Filesize
3.3MB

Download
memory/16160-2493-0x00007FF712F50000-0x00007FF7132A1000-memory.dmp

Filesize
3.3MB

Download
memory/16248-2537-0x00007FF73FEE0000-0x00007FF740231000-memory.dmp

Filesize
3.3MB

Download