xmrig | d0ea90eba1157f5ca44d8b60fc019a28501bc54811128b2d393cf26016455191

Analysis

max time kernel
137s
max time network
121s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
26/04/2024, 07:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

004e824da6e7f3fed443cc240413f2c6_JaffaCakes118.exe
Size

1.6MB
MD5

004e824da6e7f3fed443cc240413f2c6
SHA1

2532583f34fd4efca2e0f95a7d15c58f41fad23d
SHA256

d0ea90eba1157f5ca44d8b60fc019a28501bc54811128b2d393cf26016455191
SHA512

fc41161b16bcd072eff9d88d39886c94f4700f0177e3bb1d7c60cb0bc506e29fe7b79380d7bb8d7ea857c35f9669368b7999024f6f4cea7cf0162724dd708715
SSDEEP

24576:JanwhSe11QSONCpGJCjETPlGC78XIO9C1MKTbcMfHhGjw2Do+BRrCfULfVsK:knw9oUUEEDlGUjc2HhG82DiGVB

Score

10^/10

xmrig miner upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 42 IoCs

miner

resource	yara_rule
behavioral1/memory/2492-9-0x000000013F3B0000-0x000000013F7A1000-memory.dmp	xmrig
behavioral1/memory/2592-240-0x000000013FAD0000-0x000000013FEC1000-memory.dmp	xmrig
behavioral1/memory/2460-270-0x000000013F0A0000-0x000000013F491000-memory.dmp	xmrig
behavioral1/memory/1588-268-0x000000013FF60000-0x0000000140351000-memory.dmp	xmrig
behavioral1/memory/2280-272-0x000000013FD90000-0x0000000140181000-memory.dmp	xmrig
behavioral1/memory/852-273-0x000000013F420000-0x000000013F811000-memory.dmp	xmrig
behavioral1/memory/1264-274-0x000000013FA00000-0x000000013FDF1000-memory.dmp	xmrig
behavioral1/memory/1712-275-0x000000013F770000-0x000000013FB61000-memory.dmp	xmrig
behavioral1/memory/2540-277-0x000000013F710000-0x000000013FB01000-memory.dmp	xmrig
behavioral1/memory/2628-278-0x000000013F210000-0x000000013F601000-memory.dmp	xmrig
behavioral1/memory/2888-266-0x000000013FD00000-0x00000001400F1000-memory.dmp	xmrig
behavioral1/memory/2940-264-0x000000013FB60000-0x000000013FF51000-memory.dmp	xmrig
behavioral1/memory/2876-262-0x000000013F920000-0x000000013FD11000-memory.dmp	xmrig
behavioral1/memory/2760-260-0x000000013FD10000-0x0000000140101000-memory.dmp	xmrig
behavioral1/memory/1628-258-0x000000013FC50000-0x0000000140041000-memory.dmp	xmrig
behavioral1/memory/1200-256-0x000000013F090000-0x000000013F481000-memory.dmp	xmrig
behavioral1/memory/2988-254-0x000000013F5D0000-0x000000013F9C1000-memory.dmp	xmrig
behavioral1/memory/2448-252-0x000000013FCA0000-0x0000000140091000-memory.dmp	xmrig
behavioral1/memory/2392-250-0x000000013F500000-0x000000013F8F1000-memory.dmp	xmrig
behavioral1/memory/2444-248-0x000000013F210000-0x000000013F601000-memory.dmp	xmrig
behavioral1/memory/2536-246-0x000000013FE10000-0x0000000140201000-memory.dmp	xmrig
behavioral1/memory/2420-244-0x000000013F0A0000-0x000000013F491000-memory.dmp	xmrig
behavioral1/memory/2516-242-0x000000013F530000-0x000000013F921000-memory.dmp	xmrig
behavioral1/memory/2492-408-0x000000013F3B0000-0x000000013F7A1000-memory.dmp	xmrig
behavioral1/memory/1200-420-0x000000013F090000-0x000000013F481000-memory.dmp	xmrig
behavioral1/memory/2824-453-0x000000013F9B0000-0x000000013FDA1000-memory.dmp	xmrig
behavioral1/memory/2524-469-0x000000013FCC0000-0x00000001400B1000-memory.dmp	xmrig
behavioral1/memory/1628-468-0x000000013FC50000-0x0000000140041000-memory.dmp	xmrig
behavioral1/memory/2876-467-0x000000013F920000-0x000000013FD11000-memory.dmp	xmrig
behavioral1/memory/2888-466-0x000000013FD00000-0x00000001400F1000-memory.dmp	xmrig
behavioral1/memory/852-465-0x000000013F420000-0x000000013F811000-memory.dmp	xmrig
behavioral1/memory/1768-464-0x000000013F830000-0x000000013FC21000-memory.dmp	xmrig
behavioral1/memory/1480-463-0x000000013FE30000-0x0000000140221000-memory.dmp	xmrig
behavioral1/memory/1624-462-0x000000013FC10000-0x0000000140001000-memory.dmp	xmrig
behavioral1/memory/3024-461-0x000000013F7C0000-0x000000013FBB1000-memory.dmp	xmrig
behavioral1/memory/1120-460-0x000000013F8D0000-0x000000013FCC1000-memory.dmp	xmrig
behavioral1/memory/2644-459-0x000000013F610000-0x000000013FA01000-memory.dmp	xmrig
behavioral1/memory/1996-458-0x000000013F3B0000-0x000000013F7A1000-memory.dmp	xmrig
behavioral1/memory/488-457-0x000000013F450000-0x000000013F841000-memory.dmp	xmrig
behavioral1/memory/588-456-0x000000013F150000-0x000000013F541000-memory.dmp	xmrig
behavioral1/memory/452-451-0x000000013F770000-0x000000013FB61000-memory.dmp	xmrig
behavioral1/memory/2628-449-0x000000013F210000-0x000000013F601000-memory.dmp	xmrig

Executes dropped EXE 1 IoCs

pid	Process
2492	frKSQpX.exe

Loads dropped DLL 1 IoCs

pid	Process
1712	004e824da6e7f3fed443cc240413f2c6_JaffaCakes118.exe

UPX packed file 55 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1712-0-0x000000013F770000-0x000000013FB61000-memory.dmp	upx
behavioral1/files/0x000a000000012255-3.dat	upx
behavioral1/memory/2492-9-0x000000013F3B0000-0x000000013F7A1000-memory.dmp	upx
behavioral1/files/0x000d0000000153cf-10.dat	upx
behavioral1/files/0x0036000000015c6d-17.dat	upx
behavioral1/files/0x0007000000015cb9-21.dat	upx
behavioral1/files/0x0007000000015cc1-25.dat	upx
behavioral1/files/0x0009000000015cca-29.dat	upx
behavioral1/files/0x0008000000015cdb-33.dat	upx
behavioral1/files/0x0007000000016597-36.dat	upx
behavioral1/files/0x0006000000016c17-48.dat	upx
behavioral1/files/0x0006000000016ced-76.dat	upx
behavioral1/files/0x0006000000016d1f-100.dat	upx
behavioral1/files/0x0006000000016d40-112.dat	upx
behavioral1/memory/2592-240-0x000000013FAD0000-0x000000013FEC1000-memory.dmp	upx
behavioral1/memory/2460-270-0x000000013F0A0000-0x000000013F491000-memory.dmp	upx
behavioral1/memory/1588-268-0x000000013FF60000-0x0000000140351000-memory.dmp	upx
behavioral1/memory/2280-272-0x000000013FD90000-0x0000000140181000-memory.dmp	upx
behavioral1/memory/852-273-0x000000013F420000-0x000000013F811000-memory.dmp	upx
behavioral1/memory/1264-274-0x000000013FA00000-0x000000013FDF1000-memory.dmp	upx
behavioral1/memory/1712-275-0x000000013F770000-0x000000013FB61000-memory.dmp	upx
behavioral1/memory/2540-277-0x000000013F710000-0x000000013FB01000-memory.dmp	upx
behavioral1/memory/2628-278-0x000000013F210000-0x000000013F601000-memory.dmp	upx
behavioral1/memory/2888-266-0x000000013FD00000-0x00000001400F1000-memory.dmp	upx
behavioral1/memory/2940-264-0x000000013FB60000-0x000000013FF51000-memory.dmp	upx
behavioral1/memory/2876-262-0x000000013F920000-0x000000013FD11000-memory.dmp	upx
behavioral1/memory/2760-260-0x000000013FD10000-0x0000000140101000-memory.dmp	upx
behavioral1/memory/1628-258-0x000000013FC50000-0x0000000140041000-memory.dmp	upx
behavioral1/memory/1200-256-0x000000013F090000-0x000000013F481000-memory.dmp	upx
behavioral1/memory/2988-254-0x000000013F5D0000-0x000000013F9C1000-memory.dmp	upx
behavioral1/memory/2448-252-0x000000013FCA0000-0x0000000140091000-memory.dmp	upx
behavioral1/memory/2392-250-0x000000013F500000-0x000000013F8F1000-memory.dmp	upx
behavioral1/memory/2444-248-0x000000013F210000-0x000000013F601000-memory.dmp	upx
behavioral1/memory/2536-246-0x000000013FE10000-0x0000000140201000-memory.dmp	upx
behavioral1/memory/2420-244-0x000000013F0A0000-0x000000013F491000-memory.dmp	upx
behavioral1/memory/2516-242-0x000000013F530000-0x000000013F921000-memory.dmp	upx
behavioral1/memory/2492-408-0x000000013F3B0000-0x000000013F7A1000-memory.dmp	upx
behavioral1/memory/1200-420-0x000000013F090000-0x000000013F481000-memory.dmp	upx
behavioral1/memory/2824-453-0x000000013F9B0000-0x000000013FDA1000-memory.dmp	upx
behavioral1/memory/2524-469-0x000000013FCC0000-0x00000001400B1000-memory.dmp	upx
behavioral1/memory/1628-468-0x000000013FC50000-0x0000000140041000-memory.dmp	upx
behavioral1/memory/2876-467-0x000000013F920000-0x000000013FD11000-memory.dmp	upx
behavioral1/memory/2888-466-0x000000013FD00000-0x00000001400F1000-memory.dmp	upx
behavioral1/memory/852-465-0x000000013F420000-0x000000013F811000-memory.dmp	upx
behavioral1/memory/1768-464-0x000000013F830000-0x000000013FC21000-memory.dmp	upx
behavioral1/memory/1480-463-0x000000013FE30000-0x0000000140221000-memory.dmp	upx
behavioral1/memory/1624-462-0x000000013FC10000-0x0000000140001000-memory.dmp	upx
behavioral1/memory/3024-461-0x000000013F7C0000-0x000000013FBB1000-memory.dmp	upx
behavioral1/memory/1120-460-0x000000013F8D0000-0x000000013FCC1000-memory.dmp	upx
behavioral1/memory/2644-459-0x000000013F610000-0x000000013FA01000-memory.dmp	upx
behavioral1/memory/1996-458-0x000000013F3B0000-0x000000013F7A1000-memory.dmp	upx
behavioral1/memory/488-457-0x000000013F450000-0x000000013F841000-memory.dmp	upx
behavioral1/memory/588-456-0x000000013F150000-0x000000013F541000-memory.dmp	upx
behavioral1/memory/452-451-0x000000013F770000-0x000000013FB61000-memory.dmp	upx
behavioral1/memory/2628-449-0x000000013F210000-0x000000013F601000-memory.dmp	upx

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\System32\frKSQpX.exe	004e824da6e7f3fed443cc240413f2c6_JaffaCakes118.exe
File created	C:\Windows\System32\nESELHM.exe	004e824da6e7f3fed443cc240413f2c6_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1712 wrote to memory of 2492	1712	004e824da6e7f3fed443cc240413f2c6_JaffaCakes118.exe	29
PID 1712 wrote to memory of 2492	1712	004e824da6e7f3fed443cc240413f2c6_JaffaCakes118.exe	29
PID 1712 wrote to memory of 2492	1712	004e824da6e7f3fed443cc240413f2c6_JaffaCakes118.exe	29

C:\Users\Admin\AppData\Local\Temp\004e824da6e7f3fed443cc240413f2c6_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\004e824da6e7f3fed443cc240413f2c6_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1712
- C:\Windows\System32\frKSQpX.exe
  C:\Windows\System32\frKSQpX.exe
  2⤵
  - Executes dropped EXE
  PID:2492
- C:\Windows\System32\nESELHM.exe
  C:\Windows\System32\nESELHM.exe
  2⤵
  PID:2540
- C:\Windows\System32\efQfSOP.exe
  C:\Windows\System32\efQfSOP.exe
  2⤵
  PID:2628
- C:\Windows\System32\MLsWiSM.exe
  C:\Windows\System32\MLsWiSM.exe
  2⤵
  PID:2800
- C:\Windows\System32\EPfGKwY.exe
  C:\Windows\System32\EPfGKwY.exe
  2⤵
  PID:2524
- C:\Windows\System32\SzcyiPT.exe
  C:\Windows\System32\SzcyiPT.exe
  2⤵
  PID:2592
- C:\Windows\System32\fpFzUUe.exe
  C:\Windows\System32\fpFzUUe.exe
  2⤵
  PID:2516
- C:\Windows\System32\oDDgikE.exe
  C:\Windows\System32\oDDgikE.exe
  2⤵
  PID:2420
- C:\Windows\System32\oQenyQH.exe
  C:\Windows\System32\oQenyQH.exe
  2⤵
  PID:2536
- C:\Windows\System32\BzXDIWy.exe
  C:\Windows\System32\BzXDIWy.exe
  2⤵
  PID:2392
- C:\Windows\System32\heLjNrD.exe
  C:\Windows\System32\heLjNrD.exe
  2⤵
  PID:2760
- C:\Windows\System32\EzTTuHZ.exe
  C:\Windows\System32\EzTTuHZ.exe
  2⤵
  PID:2940
- C:\Windows\System32\ofMMYrp.exe
  C:\Windows\System32\ofMMYrp.exe
  2⤵
  PID:1264
- C:\Windows\System32\lRVDUdk.exe
  C:\Windows\System32\lRVDUdk.exe
  2⤵
  PID:1624
- C:\Windows\System32\PXesbmN.exe
  C:\Windows\System32\PXesbmN.exe
  2⤵
  PID:1572
- C:\Windows\System32\raLXLvq.exe
  C:\Windows\System32\raLXLvq.exe
  2⤵
  PID:2824
- C:\Windows\System32\FHcvAll.exe
  C:\Windows\System32\FHcvAll.exe
  2⤵
  PID:696
- C:\Windows\System32\mHpPGbe.exe
  C:\Windows\System32\mHpPGbe.exe
  2⤵
  PID:1556
- C:\Windows\System32\ovJiDau.exe
  C:\Windows\System32\ovJiDau.exe
  2⤵
  PID:2268
- C:\Windows\System32\eXDtEZg.exe
  C:\Windows\System32\eXDtEZg.exe
  2⤵
  PID:1120
- C:\Windows\System32\WrJJMLI.exe
  C:\Windows\System32\WrJJMLI.exe
  2⤵
  PID:1792
- C:\Windows\System32\yErxFyE.exe
  C:\Windows\System32\yErxFyE.exe
  2⤵
  PID:2068
- C:\Windows\System32\gcPSMrs.exe
  C:\Windows\System32\gcPSMrs.exe
  2⤵
  PID:2076
- C:\Windows\System32\kNZClae.exe
  C:\Windows\System32\kNZClae.exe
  2⤵
  PID:452
- C:\Windows\System32\sLRKStq.exe
  C:\Windows\System32\sLRKStq.exe
  2⤵
  PID:1976
- C:\Windows\System32\iSZpmlE.exe
  C:\Windows\System32\iSZpmlE.exe
  2⤵
  PID:3024
- C:\Windows\System32\QeelkER.exe
  C:\Windows\System32\QeelkER.exe
  2⤵
  PID:3040
- C:\Windows\System32\tSCAlMk.exe
  C:\Windows\System32\tSCAlMk.exe
  2⤵
  PID:1480
- C:\Windows\System32\EAxqwfE.exe
  C:\Windows\System32\EAxqwfE.exe
  2⤵
  PID:1972
- C:\Windows\System32\llezTEs.exe
  C:\Windows\System32\llezTEs.exe
  2⤵
  PID:1212
- C:\Windows\System32\BxnwMGF.exe
  C:\Windows\System32\BxnwMGF.exe
  2⤵
  PID:764
- C:\Windows\System32\uYwUykG.exe
  C:\Windows\System32\uYwUykG.exe
  2⤵
  PID:700
- C:\Windows\System32\CStirqU.exe
  C:\Windows\System32\CStirqU.exe
  2⤵
  PID:2796
- C:\Windows\System32\xGHsVCs.exe
  C:\Windows\System32\xGHsVCs.exe
  2⤵
  PID:2272
- C:\Windows\System32\BsPevdV.exe
  C:\Windows\System32\BsPevdV.exe
  2⤵
  PID:1936
- C:\Windows\System32\jWRWkKN.exe
  C:\Windows\System32\jWRWkKN.exe
  2⤵
  PID:3032
- C:\Windows\System32\YJABUEL.exe
  C:\Windows\System32\YJABUEL.exe
  2⤵
  PID:284
- C:\Windows\System32\rFFCqUJ.exe
  C:\Windows\System32\rFFCqUJ.exe
  2⤵
  PID:2568
- C:\Windows\System32\SlROplg.exe
  C:\Windows\System32\SlROplg.exe
  2⤵
  PID:2128
- C:\Windows\System32\AClYLTT.exe
  C:\Windows\System32\AClYLTT.exe
  2⤵
  PID:2340
- C:\Windows\System32\oPLVZUO.exe
  C:\Windows\System32\oPLVZUO.exe
  2⤵
  PID:1852
- C:\Windows\System32\eidFdjO.exe
  C:\Windows\System32\eidFdjO.exe
  2⤵
  PID:2440
- C:\Windows\System32\jajuIpT.exe
  C:\Windows\System32\jajuIpT.exe
  2⤵
  PID:1784
- C:\Windows\System32\CbHeoak.exe
  C:\Windows\System32\CbHeoak.exe
  2⤵
  PID:312
- C:\Windows\System32\YlYKCjn.exe
  C:\Windows\System32\YlYKCjn.exe
  2⤵
  PID:1736
- C:\Windows\System32\rZtQRfS.exe
  C:\Windows\System32\rZtQRfS.exe
  2⤵
  PID:2764
- C:\Windows\System32\rGveekR.exe
  C:\Windows\System32\rGveekR.exe
  2⤵
  PID:2180
- C:\Windows\System32\CjLtcsv.exe
  C:\Windows\System32\CjLtcsv.exe
  2⤵
  PID:1544
- C:\Windows\System32\QfnvUku.exe
  C:\Windows\System32\QfnvUku.exe
  2⤵
  PID:2064
- C:\Windows\System32\dKgONaE.exe
  C:\Windows\System32\dKgONaE.exe
  2⤵
  PID:1288
- C:\Windows\System32\dCpHFok.exe
  C:\Windows\System32\dCpHFok.exe
  2⤵
  PID:2028
- C:\Windows\System32\PpLHkbn.exe
  C:\Windows\System32\PpLHkbn.exe
  2⤵
  PID:1296
- C:\Windows\System32\GHBzCsO.exe
  C:\Windows\System32\GHBzCsO.exe
  2⤵
  PID:560
- C:\Windows\System32\GWTthKC.exe
  C:\Windows\System32\GWTthKC.exe
  2⤵
  PID:1528
- C:\Windows\System32\ekdJZte.exe
  C:\Windows\System32\ekdJZte.exe
  2⤵
  PID:2396
- C:\Windows\System32\NAqlgoa.exe
  C:\Windows\System32\NAqlgoa.exe
  2⤵
  PID:1844
- C:\Windows\System32\OEEFekQ.exe
  C:\Windows\System32\OEEFekQ.exe
  2⤵
  PID:616
- C:\Windows\System32\LrHIreK.exe
  C:\Windows\System32\LrHIreK.exe
  2⤵
  PID:2624
- C:\Windows\System32\eTrzbDr.exe
  C:\Windows\System32\eTrzbDr.exe
  2⤵
  PID:3108
- C:\Windows\System32\TlRSkay.exe
  C:\Windows\System32\TlRSkay.exe
  2⤵
  PID:3124
- C:\Windows\System32\kCVOAed.exe
  C:\Windows\System32\kCVOAed.exe
  2⤵
  PID:3140
- C:\Windows\System32\YAEuxLu.exe
  C:\Windows\System32\YAEuxLu.exe
  2⤵
  PID:3156
- C:\Windows\System32\vaKUwvD.exe
  C:\Windows\System32\vaKUwvD.exe
  2⤵
  PID:3172
- C:\Windows\System32\RcHXYSz.exe
  C:\Windows\System32\RcHXYSz.exe
  2⤵
  PID:3188
- C:\Windows\System32\PDfBCAP.exe
  C:\Windows\System32\PDfBCAP.exe
  2⤵
  PID:3212
- C:\Windows\System32\JZxgLjZ.exe
  C:\Windows\System32\JZxgLjZ.exe
  2⤵
  PID:3260
- C:\Windows\System32\TlDQpSY.exe
  C:\Windows\System32\TlDQpSY.exe
  2⤵
  PID:3292
- C:\Windows\System32\vIFeHOY.exe
  C:\Windows\System32\vIFeHOY.exe
  2⤵
  PID:3324
- C:\Windows\System32\DcwEMMX.exe
  C:\Windows\System32\DcwEMMX.exe
  2⤵
  PID:3356
- C:\Windows\System32\kFBHXoS.exe
  C:\Windows\System32\kFBHXoS.exe
  2⤵
  PID:3384
- C:\Windows\System32\sMHvTAG.exe
  C:\Windows\System32\sMHvTAG.exe
  2⤵
  PID:3416
- C:\Windows\System32\xOhzMQY.exe
  C:\Windows\System32\xOhzMQY.exe
  2⤵
  PID:2100
- C:\Windows\System32\lzuByDe.exe
  C:\Windows\System32\lzuByDe.exe
  2⤵
  PID:3372
- C:\Windows\System32\FMNVTvP.exe
  C:\Windows\System32\FMNVTvP.exe
  2⤵
  PID:3496
- C:\Windows\System32\eLInHBr.exe
  C:\Windows\System32\eLInHBr.exe
  2⤵
  PID:3556
- C:\Windows\System32\wlFxKca.exe
  C:\Windows\System32\wlFxKca.exe
  2⤵
  PID:3620
- C:\Windows\System32\bjYEeou.exe
  C:\Windows\System32\bjYEeou.exe
  2⤵
  PID:4292
- C:\Windows\System32\XZCPWIF.exe
  C:\Windows\System32\XZCPWIF.exe
  2⤵
  PID:5000
- C:\Windows\System32\TqDcgJu.exe
  C:\Windows\System32\TqDcgJu.exe
  2⤵
  PID:5028
- C:\Windows\System32\NEcQkLT.exe
  C:\Windows\System32\NEcQkLT.exe
  2⤵
  PID:4172
- C:\Windows\System32\zkRKpFD.exe
  C:\Windows\System32\zkRKpFD.exe
  2⤵
  PID:5992
- C:\Windows\System32\RjgKtrc.exe
  C:\Windows\System32\RjgKtrc.exe
  2⤵
  PID:6504
- C:\Windows\System32\uZfNsZH.exe
  C:\Windows\System32\uZfNsZH.exe
  2⤵
  PID:6620
- C:\Windows\System32\KrCExQa.exe
  C:\Windows\System32\KrCExQa.exe
  2⤵
  PID:6636
- C:\Windows\System32\OCYRSwX.exe
  C:\Windows\System32\OCYRSwX.exe
  2⤵
  PID:6652
- C:\Windows\System32\oMpwCsn.exe
  C:\Windows\System32\oMpwCsn.exe
  2⤵
  PID:6668
- C:\Windows\System32\TvlZlQm.exe
  C:\Windows\System32\TvlZlQm.exe
  2⤵
  PID:6684
- C:\Windows\System32\qcofTbU.exe
  C:\Windows\System32\qcofTbU.exe
  2⤵
  PID:6700
- C:\Windows\System32\NyfuRad.exe
  C:\Windows\System32\NyfuRad.exe
  2⤵
  PID:6716

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System32\BzXDIWy.exe

Filesize
1.7MB

MD5
fd54a3781251adbb06457588f1741500

SHA1
a4c986f719e918d9f345f77dc2e920def209d462

SHA256
eda485987db389ef3d2097c0cef4db1ba5cd0c1080ae9d2dc9d6230ea915ddce

SHA512
75b0f1cc1f8d83a3d4f90cd40230558d9843ac003112f2ead24711a91a9a15e75d771b4c4a1e194d4a42059d0b11f8b2a641a1a0bd295bcfc251fd018536c5a9

Download Submit
C:\Windows\System32\EPfGKwY.exe

Filesize
1.7MB

MD5
92cd80a233c8db6ae4711f82ae573ed6

SHA1
b216bad64616b3c24c8d3cfaeb302624f07b16c9

SHA256
884319ec8cee5c9edf1e0d71ac40e858a3bef466c08632cca813ac728f8c1bdd

SHA512
bf008e3b85c71799efd785dc64bcd2f3a2d1fb7f0f8c67ff0e3bf5c6a8651116d3f6870a6d8edfea7b5fbcceb165fb59e4bbab265b9d38a510f95a26f5c4655d

Download Submit
C:\Windows\System32\EzTTuHZ.exe

Filesize
1.7MB

MD5
5a437399785bba4d46fbd15586e23088

SHA1
f2cc175c6de41c8706c31a1a6afb938574ea0d5a

SHA256
9dc2b2696808a3d6a1e37576c3c8fa3ec9ff6e0464f3517e6f07ee5ae1dec82e

SHA512
189a4a6b98737685d25c8a760fd2b3ae8a18f16a35cf2886be6fb950c96abde044e008db23f06e44c436169c2177e74bcd22bfe9be529d164872c57063c7dee6

Download Submit
C:\Windows\System32\MLsWiSM.exe

Filesize
1.6MB

MD5
45c2145db674cc66f215cc73af25efde

SHA1
e9f6176ef8d868f0a0bf3417d7e4dd79289fecb7

SHA256
e4f9834b66ddabb8da833bf1f0ccc67ccd4e26966535658dd8ed226defe63dce

SHA512
4a516bbda58af42213b6fa0db0ff8a2dd078bc385fb6367e5757ea7e0693d91497f5f96633f8079b2b715b13f5b0acba93d8ac7dc0fa7cd7469598adb3bc7e8b

Download Submit
C:\Windows\System32\SzcyiPT.exe

Filesize
1.7MB

MD5
bddf1c11d70b1b723ec284a832d98fde

SHA1
fdaf76016aca97b56fbffe84b8b4767ae68fc545

SHA256
848f8cb4445842654e7e72c79f9280f1bc3af4dda3e0c26621e58dafbc3b450b

SHA512
bce563003f11895c01055a3da6e0a5befaa12a555b975610442ff5e4b0f2c2571191436e477fdf607e2ba0361090d855db89d2fb1dd9fc894fce08a160dea16f

Download Submit
C:\Windows\System32\efQfSOP.exe

Filesize
1.6MB

MD5
52a162641200fd26d71d96768e483157

SHA1
4844b63b7e9ea471fe9158d1ca24e826feb7fb51

SHA256
b28e581765155c8a9aa01bf6250f54bdf8b11cb5a81aaa1fffebe2078871b074

SHA512
8a63a84374ed7162eefc63b6de8e9f0b88126e735c06acfa0a1f174fa8ae9238f1b2223dcfa1e1fdb90463d853d9000645c10b9371be7537d29d0873e7484cd0

Download Submit
C:\Windows\System32\fpFzUUe.exe

Filesize
1.7MB

MD5
cdbd002d6091f9c3e2db4b74e27ae6af

SHA1
b17208541ff6c96c906238b638eb36cec0bdbe58

SHA256
87fc49349f9de6cf38d74a07f2a6c24a1c41dda6e4d08e111b195f399f5f7906

SHA512
73a54d302639e75229cc7946e0747859acaaeea0c07a3246d966752346cd9e34ea57553f347166ab5a3bb5851daa8bf94f42478781d00cdd1de0f6accabbcde5

Download Submit
C:\Windows\System32\lRVDUdk.exe

Filesize
1.7MB

MD5
0f19e6baa2cfe7282d7e385d1037efce

SHA1
1a1e19a12dab55d60a871438508fdf225dd1289c

SHA256
e7821627a5a1b403ed392aa24bae61de75630838c0b11dacdca13234c8afd924

SHA512
b2cf96e4cf8c6416545be7b25008d1d5ca28e0ef05090570580ddd2294747009d69324cdd76c3d2cf68f7b574a83e0f12ac31fc8cf02cfa0c0a94fdbcf5643d9

Download Submit
C:\Windows\System32\oDDgikE.exe

Filesize
1.7MB

MD5
ded6a0e864725f262863ddac21fa786b

SHA1
ed5a8aa4dfdd88211e009c7fd3a9391dc9783691

SHA256
ebf8a1cf9dedfd71704b9d6d6fc9dccf83c6109beb40a0ace6b114702a24dfba

SHA512
12f11396754301a80ddfa56d5317628446c05bcb2028fb98576b7214a0a02d8b84207f49cbb2b161dd6adc674ac0a85f476bee8814af5f6326f7c874749e93c4

Download Submit
C:\Windows\System32\ofMMYrp.exe

Filesize
1.7MB

MD5
4788b76e3069a4a144dc855542abe8fc

SHA1
d98262484418819f36378f8f92cc5d35dd4df8c7

SHA256
39a8b682837deb418f861404f1890b59343816a98b5373a75451a2c6345bb23c

SHA512
fb0ac3d64e295c50c7439e71870c932a744216aa075403e4b1b24ddfb612f327265e7434e3e1d73be18e3673c47b74bbfddb42f43f56cb4ea3e5651289f167d3

Download Submit
\Windows\System32\frKSQpX.exe

Filesize
1.6MB

MD5
bbd5814e8526f03aaa8ca20d09c3d86a

SHA1
b1a7f6f5b85dbc7cd2ac9b83747de858f017f348

SHA256
ec688863d1cd74841d0008d3e15ef6f34a5948d8c789c7f110d3b31d5a05136c

SHA512
017574ecc30336974d3d74fea24d61d3d5e52cca4e5fbafdde09d29cf4a830a24a3992cfd08f4ba330317594dcd4cd56cc9a464e01ea0f97a19173b86b62d94b

Download Submit
\Windows\System32\nESELHM.exe

Filesize
1.6MB

MD5
92ebb98e96b9fe711d24f34c67e76f9d

SHA1
88e9e2fee523a784382f8bf4087c95199fc4c63e

SHA256
9642f12cbaf71daf96b68b17db59f82b8d75b64c82828166bc4bd1afb3960427

SHA512
077f36322ff7b3c08d84a063bb9f8a8e99541924dd040f2c6dd8159959be4c1d75afc0ac70c0e5385f8138fc7c5d9bc7d175891af33362c488812df759f6329f

Download Submit
memory/452-451-0x000000013F770000-0x000000013FB61000-memory.dmp

Filesize
3.9MB

Download
memory/488-457-0x000000013F450000-0x000000013F841000-memory.dmp

Filesize
3.9MB

Download
memory/588-456-0x000000013F150000-0x000000013F541000-memory.dmp

Filesize
3.9MB

Download
memory/852-465-0x000000013F420000-0x000000013F811000-memory.dmp

Filesize
3.9MB

Download
memory/852-273-0x000000013F420000-0x000000013F811000-memory.dmp

Filesize
3.9MB

Download
memory/1120-460-0x000000013F8D0000-0x000000013FCC1000-memory.dmp

Filesize
3.9MB

Download
memory/1200-256-0x000000013F090000-0x000000013F481000-memory.dmp

Filesize
3.9MB

Download
memory/1200-420-0x000000013F090000-0x000000013F481000-memory.dmp

Filesize
3.9MB

Download
memory/1264-274-0x000000013FA00000-0x000000013FDF1000-memory.dmp

Filesize
3.9MB

Download
memory/1480-463-0x000000013FE30000-0x0000000140221000-memory.dmp

Filesize
3.9MB

Download
memory/1588-268-0x000000013FF60000-0x0000000140351000-memory.dmp

Filesize
3.9MB

Download
memory/1624-462-0x000000013FC10000-0x0000000140001000-memory.dmp

Filesize
3.9MB

Download
memory/1628-258-0x000000013FC50000-0x0000000140041000-memory.dmp

Filesize
3.9MB

Download
memory/1628-468-0x000000013FC50000-0x0000000140041000-memory.dmp

Filesize
3.9MB

Download
memory/1712-271-0x000000013FD90000-0x0000000140181000-memory.dmp

Filesize
3.9MB

Download
memory/1712-209-0x0000000002040000-0x0000000002431000-memory.dmp

Filesize
3.9MB

Download
memory/1712-0-0x000000013F770000-0x000000013FB61000-memory.dmp

Filesize
3.9MB

Download
memory/1712-275-0x000000013F770000-0x000000013FB61000-memory.dmp

Filesize
3.9MB

Download
memory/1712-267-0x000000013FF60000-0x0000000140351000-memory.dmp

Filesize
3.9MB

Download
memory/1712-1-0x0000000000100000-0x0000000000110000-memory.dmp

Filesize
64KB

Download
memory/1712-243-0x000000013F0A0000-0x000000013F491000-memory.dmp

Filesize
3.9MB

Download
memory/1712-269-0x000000013F0A0000-0x000000013F491000-memory.dmp

Filesize
3.9MB

Download
memory/1712-265-0x000000013FD00000-0x00000001400F1000-memory.dmp

Filesize
3.9MB

Download
memory/1712-263-0x0000000002040000-0x0000000002431000-memory.dmp

Filesize
3.9MB

Download
memory/1712-257-0x000000013FC50000-0x0000000140041000-memory.dmp

Filesize
3.9MB

Download
memory/1712-261-0x0000000002040000-0x0000000002431000-memory.dmp

Filesize
3.9MB

Download
memory/1712-245-0x000000013FE10000-0x0000000140201000-memory.dmp

Filesize
3.9MB

Download
memory/1712-259-0x000000013FD10000-0x0000000140101000-memory.dmp

Filesize
3.9MB

Download
memory/1712-249-0x0000000002040000-0x0000000002431000-memory.dmp

Filesize
3.9MB

Download
memory/1712-7-0x0000000002040000-0x0000000002431000-memory.dmp

Filesize
3.9MB

Download
memory/1712-255-0x000000013F090000-0x000000013F481000-memory.dmp

Filesize
3.9MB

Download
memory/1712-180-0x0000000002040000-0x0000000002431000-memory.dmp

Filesize
3.9MB

Download
memory/1712-253-0x0000000002040000-0x0000000002431000-memory.dmp

Filesize
3.9MB

Download
memory/1712-247-0x000000013F210000-0x000000013F601000-memory.dmp

Filesize
3.9MB

Download
memory/1712-251-0x000000013FCA0000-0x0000000140091000-memory.dmp

Filesize
3.9MB

Download
memory/1768-464-0x000000013F830000-0x000000013FC21000-memory.dmp

Filesize
3.9MB

Download
memory/1996-458-0x000000013F3B0000-0x000000013F7A1000-memory.dmp

Filesize
3.9MB

Download
memory/2280-272-0x000000013FD90000-0x0000000140181000-memory.dmp

Filesize
3.9MB

Download
memory/2392-250-0x000000013F500000-0x000000013F8F1000-memory.dmp

Filesize
3.9MB

Download
memory/2420-244-0x000000013F0A0000-0x000000013F491000-memory.dmp

Filesize
3.9MB

Download
memory/2444-248-0x000000013F210000-0x000000013F601000-memory.dmp

Filesize
3.9MB

Download
memory/2448-252-0x000000013FCA0000-0x0000000140091000-memory.dmp

Filesize
3.9MB

Download
memory/2460-270-0x000000013F0A0000-0x000000013F491000-memory.dmp

Filesize
3.9MB

Download
memory/2492-408-0x000000013F3B0000-0x000000013F7A1000-memory.dmp

Filesize
3.9MB

Download
memory/2492-9-0x000000013F3B0000-0x000000013F7A1000-memory.dmp

Filesize
3.9MB

Download
memory/2516-242-0x000000013F530000-0x000000013F921000-memory.dmp

Filesize
3.9MB

Download
memory/2524-469-0x000000013FCC0000-0x00000001400B1000-memory.dmp

Filesize
3.9MB

Download
memory/2536-246-0x000000013FE10000-0x0000000140201000-memory.dmp

Filesize
3.9MB

Download
memory/2540-277-0x000000013F710000-0x000000013FB01000-memory.dmp

Filesize
3.9MB

Download
memory/2592-240-0x000000013FAD0000-0x000000013FEC1000-memory.dmp

Filesize
3.9MB

Download
memory/2628-449-0x000000013F210000-0x000000013F601000-memory.dmp

Filesize
3.9MB

Download
memory/2628-278-0x000000013F210000-0x000000013F601000-memory.dmp

Filesize
3.9MB

Download
memory/2644-459-0x000000013F610000-0x000000013FA01000-memory.dmp

Filesize
3.9MB

Download
memory/2760-260-0x000000013FD10000-0x0000000140101000-memory.dmp

Filesize
3.9MB

Download
memory/2824-453-0x000000013F9B0000-0x000000013FDA1000-memory.dmp

Filesize
3.9MB

Download
memory/2876-467-0x000000013F920000-0x000000013FD11000-memory.dmp

Filesize
3.9MB

Download
memory/2876-262-0x000000013F920000-0x000000013FD11000-memory.dmp

Filesize
3.9MB

Download
memory/2888-266-0x000000013FD00000-0x00000001400F1000-memory.dmp

Filesize
3.9MB

Download
memory/2888-466-0x000000013FD00000-0x00000001400F1000-memory.dmp

Filesize
3.9MB

Download
memory/2940-264-0x000000013FB60000-0x000000013FF51000-memory.dmp

Filesize
3.9MB

Download
memory/2988-254-0x000000013F5D0000-0x000000013F9C1000-memory.dmp

Filesize
3.9MB

Download
memory/3024-461-0x000000013F7C0000-0x000000013FBB1000-memory.dmp

Filesize
3.9MB

Download