xmrig | a377ee3359eedb94d1fdf741dba9e1b71433c746057ab703540718c0825d1875

Analysis

max time kernel
8s
max time network
10s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
08/05/2024, 21:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

601400160a03c0b1a5f4369908c3aae0_NEIKI.exe
Size

1.9MB
MD5

601400160a03c0b1a5f4369908c3aae0
SHA1

d269f2c78c1aea9c2728d0b7dfdd1c9f6b68dc46
SHA256

a377ee3359eedb94d1fdf741dba9e1b71433c746057ab703540718c0825d1875
SHA512

adf5e9614493c01939309957638defcc66cb8bef079ac96b5455d225dc4299aee8b9e3dcbde9013a9f81ec44205c61fcfe1993ce3062cb349e80e48294b6b37f
SSDEEP

49152:Lz071uv4BPMkibTIA5sf6r+WVc2HhG82g1VqBQLLr:NAB8

Score

10^/10

xmrig execution miner upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 1 IoCs

miner

resource	yara_rule
behavioral1/memory/2512-68-0x000000013FD00000-0x00000001400F2000-memory.dmp	xmrig

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Powershell Invoke Web Request.

execution

PowerShell

T1059.001

pid	Process
2308	powershell.exe

UPX packed file 29 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1972-0-0x000000013FA80000-0x000000013FE72000-memory.dmp	upx
behavioral1/files/0x0009000000016176-3.dat	upx
behavioral1/files/0x0009000000016a29-7.dat	upx
behavioral1/files/0x0007000000016c51-13.dat	upx
behavioral1/files/0x0007000000016c7c-23.dat	upx
behavioral1/files/0x0009000000016cbe-28.dat	upx
behavioral1/files/0x0007000000016d16-41.dat	upx
behavioral1/files/0x0008000000016c04-18.dat	upx
behavioral1/files/0x000a000000016cb6-24.dat	upx
behavioral1/files/0x0007000000016d3e-49.dat	upx
behavioral1/files/0x0007000000016cc6-31.dat	upx
behavioral1/files/0x0007000000016d1a-42.dat	upx
behavioral1/files/0x0006000000016d57-73.dat	upx
behavioral1/memory/2512-68-0x000000013FD00000-0x00000001400F2000-memory.dmp	upx
behavioral1/files/0x000f000000005578-102.dat	upx
behavioral1/files/0x000600000001735a-110.dat	upx
behavioral1/files/0x00060000000173f2-128.dat	upx
behavioral1/files/0x0007000000016fed-103.dat	upx
behavioral1/files/0x000600000001737c-144.dat	upx
behavioral1/files/0x00140000000185e9-148.dat	upx
behavioral1/files/0x0006000000017371-114.dat	upx
behavioral1/files/0x0006000000017374-124.dat	upx
behavioral1/files/0x0009000000016be2-162.dat	upx
behavioral1/files/0x0005000000019159-189.dat	upx
behavioral1/files/0x0006000000019052-183.dat	upx
behavioral1/files/0x0006000000018ed8-174.dat	upx
behavioral1/files/0x0006000000018ba1-167.dat	upx
behavioral1/files/0x000500000001860c-157.dat	upx
behavioral1/files/0x00060000000174a5-149.dat	upx

C:\Users\Admin\AppData\Local\Temp\601400160a03c0b1a5f4369908c3aae0_NEIKI.exe
"C:\Users\Admin\AppData\Local\Temp\601400160a03c0b1a5f4369908c3aae0_NEIKI.exe"
1⤵
PID:1972
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:2308
- C:\Windows\System\GRhxoET.exe
  C:\Windows\System\GRhxoET.exe
  2⤵
  PID:1892
- C:\Windows\System\clhmmuH.exe
  C:\Windows\System\clhmmuH.exe
  2⤵
  PID:2952
- C:\Windows\System\cyvAJDu.exe
  C:\Windows\System\cyvAJDu.exe
  2⤵
  PID:2632
- C:\Windows\System\xUoxfNk.exe
  C:\Windows\System\xUoxfNk.exe
  2⤵
  PID:2656
- C:\Windows\System\uwzxNOa.exe
  C:\Windows\System\uwzxNOa.exe
  2⤵
  PID:2712
- C:\Windows\System\ohjQXZv.exe
  C:\Windows\System\ohjQXZv.exe
  2⤵
  PID:2884
- C:\Windows\System\wmFqGFl.exe
  C:\Windows\System\wmFqGFl.exe
  2⤵
  PID:2688
- C:\Windows\System\QpkhjQS.exe
  C:\Windows\System\QpkhjQS.exe
  2⤵
  PID:1324
- C:\Windows\System\QSJqONf.exe
  C:\Windows\System\QSJqONf.exe
  2⤵
  PID:1200
- C:\Windows\System\uyVQruX.exe
  C:\Windows\System\uyVQruX.exe
  2⤵
  PID:856
- C:\Windows\System\DVGuFeC.exe
  C:\Windows\System\DVGuFeC.exe
  2⤵
  PID:796
- C:\Windows\System\afIrICK.exe
  C:\Windows\System\afIrICK.exe
  2⤵
  PID:616
- C:\Windows\System\IIXrZBg.exe
  C:\Windows\System\IIXrZBg.exe
  2⤵
  PID:2224
- C:\Windows\System\ZzbtoVK.exe
  C:\Windows\System\ZzbtoVK.exe
  2⤵
  PID:1016
- C:\Windows\System\xgMmmlq.exe
  C:\Windows\System\xgMmmlq.exe
  2⤵
  PID:2832
- C:\Windows\System\xAngLMQ.exe
  C:\Windows\System\xAngLMQ.exe
  2⤵
  PID:692
- C:\Windows\System\lnljKpE.exe
  C:\Windows\System\lnljKpE.exe
  2⤵
  PID:1436
- C:\Windows\System\VPtZcfw.exe
  C:\Windows\System\VPtZcfw.exe
  2⤵
  PID:1984
- C:\Windows\System\FMdawrG.exe
  C:\Windows\System\FMdawrG.exe
  2⤵
  PID:1716
- C:\Windows\System\HJsifhD.exe
  C:\Windows\System\HJsifhD.exe
  2⤵
  PID:2152
- C:\Windows\System\VdHhgBe.exe
  C:\Windows\System\VdHhgBe.exe
  2⤵
  PID:2648
- C:\Windows\System\YUUtLRk.exe
  C:\Windows\System\YUUtLRk.exe
  2⤵
  PID:2052
- C:\Windows\System\JAwKsjC.exe
  C:\Windows\System\JAwKsjC.exe
  2⤵
  PID:2908
- C:\Windows\System\cCzwGQB.exe
  C:\Windows\System\cCzwGQB.exe
  2⤵
  PID:2804
- C:\Windows\System\jfknmRf.exe
  C:\Windows\System\jfknmRf.exe
  2⤵
  PID:3052
- C:\Windows\System\UUiwStM.exe
  C:\Windows\System\UUiwStM.exe
  2⤵
  PID:2588
- C:\Windows\System\CaYJaMN.exe
  C:\Windows\System\CaYJaMN.exe
  2⤵
  PID:2372
- C:\Windows\System\imGzbRk.exe
  C:\Windows\System\imGzbRk.exe
  2⤵
  PID:2112
- C:\Windows\System\xJrzHIO.exe
  C:\Windows\System\xJrzHIO.exe
  2⤵
  PID:1456
- C:\Windows\System\UKyYCHf.exe
  C:\Windows\System\UKyYCHf.exe
  2⤵
  PID:1044
- C:\Windows\System\suTbTbG.exe
  C:\Windows\System\suTbTbG.exe
  2⤵
  PID:2840
- C:\Windows\System\jiAqgYF.exe
  C:\Windows\System\jiAqgYF.exe
  2⤵
  PID:1724
- C:\Windows\System\LRyHNGw.exe
  C:\Windows\System\LRyHNGw.exe
  2⤵
  PID:2604
- C:\Windows\System\UcWSdel.exe
  C:\Windows\System\UcWSdel.exe
  2⤵
  PID:1912
- C:\Windows\System\FRPPmuB.exe
  C:\Windows\System\FRPPmuB.exe
  2⤵
  PID:1556
- C:\Windows\System\hZUJPTN.exe
  C:\Windows\System\hZUJPTN.exe
  2⤵
  PID:1884
- C:\Windows\System\agRHMXm.exe
  C:\Windows\System\agRHMXm.exe
  2⤵
  PID:2028
- C:\Windows\System\CEUxYHB.exe
  C:\Windows\System\CEUxYHB.exe
  2⤵
  PID:2104
- C:\Windows\System\GmDqjFZ.exe
  C:\Windows\System\GmDqjFZ.exe
  2⤵
  PID:680
- C:\Windows\System\iFcGxgb.exe
  C:\Windows\System\iFcGxgb.exe
  2⤵
  PID:2132
- C:\Windows\System\sKByRDT.exe
  C:\Windows\System\sKByRDT.exe
  2⤵
  PID:404
- C:\Windows\System\UEpmjjE.exe
  C:\Windows\System\UEpmjjE.exe
  2⤵
  PID:888
- C:\Windows\System\vaclZYP.exe
  C:\Windows\System\vaclZYP.exe
  2⤵
  PID:2420
- C:\Windows\System\XDgwsyX.exe
  C:\Windows\System\XDgwsyX.exe
  2⤵
  PID:1464
- C:\Windows\System\cgpqvVE.exe
  C:\Windows\System\cgpqvVE.exe
  2⤵
  PID:112
- C:\Windows\System\DoQstiR.exe
  C:\Windows\System\DoQstiR.exe
  2⤵
  PID:2456
- C:\Windows\System\ChJMjTJ.exe
  C:\Windows\System\ChJMjTJ.exe
  2⤵
  PID:1552
- C:\Windows\System\iuuYSHw.exe
  C:\Windows\System\iuuYSHw.exe
  2⤵
  PID:3128
- C:\Windows\System\zWlPAFj.exe
  C:\Windows\System\zWlPAFj.exe
  2⤵
  PID:3296
- C:\Windows\System\CseYadM.exe
  C:\Windows\System\CseYadM.exe
  2⤵
  PID:3332
- C:\Windows\System\SDvbZVJ.exe
  C:\Windows\System\SDvbZVJ.exe
  2⤵
  PID:3348
- C:\Windows\System\XCzawUE.exe
  C:\Windows\System\XCzawUE.exe
  2⤵
  PID:3556
- C:\Windows\System\huQcVRe.exe
  C:\Windows\System\huQcVRe.exe
  2⤵
  PID:3748
- C:\Windows\System\oGBuqEk.exe
  C:\Windows\System\oGBuqEk.exe
  2⤵
  PID:3992
- C:\Windows\System\NmjoCaT.exe
  C:\Windows\System\NmjoCaT.exe
  2⤵
  PID:3176
- C:\Windows\System\GITslsk.exe
  C:\Windows\System\GITslsk.exe
  2⤵
  PID:3244
- C:\Windows\System\ZaswdzG.exe
  C:\Windows\System\ZaswdzG.exe
  2⤵
  PID:2296
- C:\Windows\System\epeQBpx.exe
  C:\Windows\System\epeQBpx.exe
  2⤵
  PID:3124
- C:\Windows\System\cihnUQy.exe
  C:\Windows\System\cihnUQy.exe
  2⤵
  PID:2008
- C:\Windows\System\WrGnJPX.exe
  C:\Windows\System\WrGnJPX.exe
  2⤵
  PID:3788
- C:\Windows\System\AIavwpT.exe
  C:\Windows\System\AIavwpT.exe
  2⤵
  PID:3856
- C:\Windows\System\qcZUHeo.exe
  C:\Windows\System\qcZUHeo.exe
  2⤵
  PID:3952
- C:\Windows\System\DuGYgue.exe
  C:\Windows\System\DuGYgue.exe
  2⤵
  PID:4016
- C:\Windows\System\skJfdHw.exe
  C:\Windows\System\skJfdHw.exe
  2⤵
  PID:4052
- C:\Windows\System\qchkoah.exe
  C:\Windows\System\qchkoah.exe
  2⤵
  PID:2060
- C:\Windows\System\scTzthh.exe
  C:\Windows\System\scTzthh.exe
  2⤵
  PID:3172
- C:\Windows\System\XRnTDET.exe
  C:\Windows\System\XRnTDET.exe
  2⤵
  PID:3940
- C:\Windows\System\npkPAbc.exe
  C:\Windows\System\npkPAbc.exe
  2⤵
  PID:3756
- C:\Windows\System\FBAdnLo.exe
  C:\Windows\System\FBAdnLo.exe
  2⤵
  PID:3552
- C:\Windows\System\NMbzaBX.exe
  C:\Windows\System\NMbzaBX.exe
  2⤵
  PID:4200
- C:\Windows\System\pRDAldP.exe
  C:\Windows\System\pRDAldP.exe
  2⤵
  PID:4216
- C:\Windows\System\aNKuBIF.exe
  C:\Windows\System\aNKuBIF.exe
  2⤵
  PID:4284
- C:\Windows\System\zWCUPsp.exe
  C:\Windows\System\zWCUPsp.exe
  2⤵
  PID:4300
- C:\Windows\System\zxQlQiS.exe
  C:\Windows\System\zxQlQiS.exe
  2⤵
  PID:4332
- C:\Windows\System\AIVVmzG.exe
  C:\Windows\System\AIVVmzG.exe
  2⤵
  PID:4364
- C:\Windows\System\obsWmpj.exe
  C:\Windows\System\obsWmpj.exe
  2⤵
  PID:4512
- C:\Windows\System\FMvTgau.exe
  C:\Windows\System\FMvTgau.exe
  2⤵
  PID:5032
- C:\Windows\System\XgYhnGk.exe
  C:\Windows\System\XgYhnGk.exe
  2⤵
  PID:5048
- C:\Windows\System\aqyYGkp.exe
  C:\Windows\System\aqyYGkp.exe
  2⤵
  PID:4192
- C:\Windows\System\tmdXzlT.exe
  C:\Windows\System\tmdXzlT.exe
  2⤵
  PID:4716
- C:\Windows\System\OouGmRm.exe
  C:\Windows\System\OouGmRm.exe
  2⤵
  PID:4976
- C:\Windows\System\NECTEHq.exe
  C:\Windows\System\NECTEHq.exe
  2⤵
  PID:2260
- C:\Windows\System\FIpAaTj.exe
  C:\Windows\System\FIpAaTj.exe
  2⤵
  PID:3464
- C:\Windows\System\SsEEETo.exe
  C:\Windows\System\SsEEETo.exe
  2⤵
  PID:4632
- C:\Windows\System\SRaclxB.exe
  C:\Windows\System\SRaclxB.exe
  2⤵
  PID:4588
- C:\Windows\System\Qvucons.exe
  C:\Windows\System\Qvucons.exe
  2⤵
  PID:5196
- C:\Windows\System\piGDJRp.exe
  C:\Windows\System\piGDJRp.exe
  2⤵
  PID:5452
- C:\Windows\System\ASwqDMT.exe
  C:\Windows\System\ASwqDMT.exe
  2⤵
  PID:5596
- C:\Windows\System\ndgzTAw.exe
  C:\Windows\System\ndgzTAw.exe
  2⤵
  PID:5708
- C:\Windows\System\oJNhegH.exe
  C:\Windows\System\oJNhegH.exe
  2⤵
  PID:5852
- C:\Windows\System\VgporVJ.exe
  C:\Windows\System\VgporVJ.exe
  2⤵
  PID:5968
- C:\Windows\System\cFdnVqp.exe
  C:\Windows\System\cFdnVqp.exe
  2⤵
  PID:4992
- C:\Windows\System\jsriuKN.exe
  C:\Windows\System\jsriuKN.exe
  2⤵
  PID:5448
- C:\Windows\System\jXzhUTt.exe
  C:\Windows\System\jXzhUTt.exe
  2⤵
  PID:5704
- C:\Windows\System\LAUdNBO.exe
  C:\Windows\System\LAUdNBO.exe
  2⤵
  PID:5880
- C:\Windows\System\iKErPgS.exe
  C:\Windows\System\iKErPgS.exe
  2⤵
  PID:5864
- C:\Windows\System\fJgBYfH.exe
  C:\Windows\System\fJgBYfH.exe
  2⤵
  PID:6040
- C:\Windows\System\BjVaYUA.exe
  C:\Windows\System\BjVaYUA.exe
  2⤵
  PID:5412
- C:\Windows\System\BkbwAoI.exe
  C:\Windows\System\BkbwAoI.exe
  2⤵
  PID:1900
- C:\Windows\System\QXXROil.exe
  C:\Windows\System\QXXROil.exe
  2⤵
  PID:5224
- C:\Windows\System\TYkkQCI.exe
  C:\Windows\System\TYkkQCI.exe
  2⤵
  PID:6432
- C:\Windows\System\syvXKdl.exe
  C:\Windows\System\syvXKdl.exe
  2⤵
  PID:6612
- C:\Windows\System\SZIeVrD.exe
  C:\Windows\System\SZIeVrD.exe
  2⤵
  PID:6744
- C:\Windows\System\ywcBwdK.exe
  C:\Windows\System\ywcBwdK.exe
  2⤵
  PID:6832
- C:\Windows\System\LTPLZtG.exe
  C:\Windows\System\LTPLZtG.exe
  2⤵
  PID:6848
- C:\Windows\System\aFogozZ.exe
  C:\Windows\System\aFogozZ.exe
  2⤵
  PID:6868
- C:\Windows\System\yEtOrsU.exe
  C:\Windows\System\yEtOrsU.exe
  2⤵
  PID:6884
- C:\Windows\System\HTuPTgR.exe
  C:\Windows\System\HTuPTgR.exe
  2⤵
  PID:6900
- C:\Windows\System\VyHkxVa.exe
  C:\Windows\System\VyHkxVa.exe
  2⤵
  PID:6920
- C:\Windows\System\eCVBHXp.exe
  C:\Windows\System\eCVBHXp.exe
  2⤵
  PID:7024
- C:\Windows\System\yfCwLhG.exe
  C:\Windows\System\yfCwLhG.exe
  2⤵
  PID:5752
- C:\Windows\System\SZtaDUd.exe
  C:\Windows\System\SZtaDUd.exe
  2⤵
  PID:6492
- C:\Windows\System\SpfUtQm.exe
  C:\Windows\System\SpfUtQm.exe
  2⤵
  PID:1648
- C:\Windows\System\oLLHgiS.exe
  C:\Windows\System\oLLHgiS.exe
  2⤵
  PID:6508
- C:\Windows\System\wOdcseE.exe
  C:\Windows\System\wOdcseE.exe
  2⤵
  PID:6156
- C:\Windows\System\aJydwGi.exe
  C:\Windows\System\aJydwGi.exe
  2⤵
  PID:7572
- C:\Windows\System\XIXADQI.exe
  C:\Windows\System\XIXADQI.exe
  2⤵
  PID:7688
- C:\Windows\System\ybLjycP.exe
  C:\Windows\System\ybLjycP.exe
  2⤵
  PID:7704
- C:\Windows\System\momuoVu.exe
  C:\Windows\System\momuoVu.exe
  2⤵
  PID:7724
- C:\Windows\System\LfTMPHJ.exe
  C:\Windows\System\LfTMPHJ.exe
  2⤵
  PID:7788
- C:\Windows\System\pJxoWZK.exe
  C:\Windows\System\pJxoWZK.exe
  2⤵
  PID:7964
- C:\Windows\System\hqJzfwP.exe
  C:\Windows\System\hqJzfwP.exe
  2⤵
  PID:8072
- C:\Windows\System\qdNvmJm.exe
  C:\Windows\System\qdNvmJm.exe
  2⤵
  PID:6640
- C:\Windows\System\TMEjQkK.exe
  C:\Windows\System\TMEjQkK.exe
  2⤵
  PID:6756
- C:\Windows\System\nRUyuyb.exe
  C:\Windows\System\nRUyuyb.exe
  2⤵
  PID:7396
- C:\Windows\System\NHlcbnl.exe
  C:\Windows\System\NHlcbnl.exe
  2⤵
  PID:7696
- C:\Windows\System\jSwuBzw.exe
  C:\Windows\System\jSwuBzw.exe
  2⤵
  PID:7748
- C:\Windows\System\wqBMaWy.exe
  C:\Windows\System\wqBMaWy.exe
  2⤵
  PID:2896
- C:\Windows\System\pLIuyZT.exe
  C:\Windows\System\pLIuyZT.exe
  2⤵
  PID:7756
- C:\Windows\System\ekhKexi.exe
  C:\Windows\System\ekhKexi.exe
  2⤵
  PID:7776
- C:\Windows\System\vyRqxNy.exe
  C:\Windows\System\vyRqxNy.exe
  2⤵
  PID:7816
- C:\Windows\System\OzILOnx.exe
  C:\Windows\System\OzILOnx.exe
  2⤵
  PID:7836
- C:\Windows\System\FvYdeZk.exe
  C:\Windows\System\FvYdeZk.exe
  2⤵
  PID:7872
- C:\Windows\System\vZeCKDH.exe
  C:\Windows\System\vZeCKDH.exe
  2⤵
  PID:2464
- C:\Windows\System\HzdXBvn.exe
  C:\Windows\System\HzdXBvn.exe
  2⤵
  PID:7944
- C:\Windows\System\GFLKOYX.exe
  C:\Windows\System\GFLKOYX.exe
  2⤵
  PID:7956
- C:\Windows\System\zcFEMqm.exe
  C:\Windows\System\zcFEMqm.exe
  2⤵
  PID:8048
- C:\Windows\System\MPLSIBs.exe
  C:\Windows\System\MPLSIBs.exe
  2⤵
  PID:7920
- C:\Windows\System\NYOTOTL.exe
  C:\Windows\System\NYOTOTL.exe
  2⤵
  PID:8000
- C:\Windows\System\dcldJEr.exe
  C:\Windows\System\dcldJEr.exe
  2⤵
  PID:8068
- C:\Windows\System\zDsDspt.exe
  C:\Windows\System\zDsDspt.exe
  2⤵
  PID:8148
- C:\Windows\System\PdFdkCV.exe
  C:\Windows\System\PdFdkCV.exe
  2⤵
  PID:8096
- C:\Windows\System\dBOolBz.exe
  C:\Windows\System\dBOolBz.exe
  2⤵
  PID:1820
- C:\Windows\System\srLLiOL.exe
  C:\Windows\System\srLLiOL.exe
  2⤵
  PID:7552
- C:\Windows\System\eUmWnxQ.exe
  C:\Windows\System\eUmWnxQ.exe
  2⤵
  PID:8132
- C:\Windows\System\QSavUkQ.exe
  C:\Windows\System\QSavUkQ.exe
  2⤵
  PID:7084
- C:\Windows\System\USLHYJD.exe
  C:\Windows\System\USLHYJD.exe
  2⤵
  PID:7352
- C:\Windows\System\FScIJLA.exe
  C:\Windows\System\FScIJLA.exe
  2⤵
  PID:6768
- C:\Windows\System\lZpPnnN.exe
  C:\Windows\System\lZpPnnN.exe
  2⤵
  PID:6932
- C:\Windows\System\sLcRxLy.exe
  C:\Windows\System\sLcRxLy.exe
  2⤵
  PID:6984
- C:\Windows\System\sQoxAVF.exe
  C:\Windows\System\sQoxAVF.exe
  2⤵
  PID:7712
- C:\Windows\System\EjMzmKg.exe
  C:\Windows\System\EjMzmKg.exe
  2⤵
  PID:6592
- C:\Windows\System\VPAKykN.exe
  C:\Windows\System\VPAKykN.exe
  2⤵
  PID:7272
- C:\Windows\System\vPsmcNk.exe
  C:\Windows\System\vPsmcNk.exe
  2⤵
  PID:7428
- C:\Windows\System\kQdXvhp.exe
  C:\Windows\System\kQdXvhp.exe
  2⤵
  PID:7596
- C:\Windows\System\CcumwJQ.exe
  C:\Windows\System\CcumwJQ.exe
  2⤵
  PID:7368
- C:\Windows\System\NTtLhWh.exe
  C:\Windows\System\NTtLhWh.exe
  2⤵
  PID:7504
- C:\Windows\System\XKmwBoc.exe
  C:\Windows\System\XKmwBoc.exe
  2⤵
  PID:2932
- C:\Windows\System\dEFLpzs.exe
  C:\Windows\System\dEFLpzs.exe
  2⤵
  PID:7768
- C:\Windows\System\ZYUjxQx.exe
  C:\Windows\System\ZYUjxQx.exe
  2⤵
  PID:8016

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\system\BBGCers.exe

Filesize
1.9MB

MD5
5315c14f4b1cfae17932a7f5e1504472

SHA1
aae5a0d6def58595c7fce588cf49f728c7231026

SHA256
338e87ee9f7146b576be056e7e489bf363b9a82041b603c51fd18eaddde43ac6

SHA512
4d723de5f952de0110cb001b3593df0cec03ef3931eb63bccaa3e1a81999e6169cf7b90b31955fadf02a6765e5babe5c6f2df51a6dba585d95793029902e4c03

Download Submit
C:\Windows\system\BpAcLBu.exe

Filesize
1.9MB

MD5
1d41ac0168ed14148b71f4b29e168587

SHA1
debcecb58af5855e539c10613523c6210702152a

SHA256
f6c10f7978b16cd7a9e707246bdd3ae5d39ec33ab2cf10f318e5ae37393ad42c

SHA512
cc4d2957deffdd4f06e1b01702698d6aeafd4cebc3919fff20c5f67a58a96b82a4fc9bc35b7babfa5daf2c931d0e1ff5c5d5529e5b43dd290e2fa69b728b9769

Download Submit
C:\Windows\system\GjUMyLF.exe

Filesize
1.9MB

MD5
b8bb1e54c0ad7a2a5b03295930934893

SHA1
6011ccc8984c0bf6236bd43ac79c76cad56bfe03

SHA256
cd00e9588210e67661e3c76c5768875b894dea682fe448f106ea39327b7f55cb

SHA512
3091867cba3f06dc3a693e4edb5d558be8f83f6f00b1604ea889daa2aafe435fe55879ceac871e196b87423382ffc403208fa1b912cba7da86e7be9ef165e7bc

Download Submit
C:\Windows\system\QSJqONf.exe

Filesize
1.9MB

MD5
c2ee89caef3283db4699a36fa14f04f9

SHA1
b952618dc718482ac6a88addae81f9eb323eb408

SHA256
a9b4d6e749b9f3011ebb91c7ced23b6af3ca2c1fc25acda50063f0c381e7370d

SHA512
22f625d2695b6958018abd24ddb65ae466f9df619f97dcb81f5b682a95d24a5eabc61d0ea80f28d4069a853355c54e64df0ae88cbed7d05def10b227cb454cd3

Download Submit
C:\Windows\system\YoQwKwR.exe

Filesize
1.9MB

MD5
50223a6194a82a1729a9f68dc9891fa0

SHA1
c85c8416e6c945f18bae9bdebdb0d829ded5f7fa

SHA256
a33a3773ee6baabeade45c7112e4a21887986dfe32fabe023e7821bb2c0c38ad

SHA512
2391f452c8efd01cbcba0f8f5e2cd440f2610ba95867177f4b6ed40c492a0a6b7fad24e82dd8d0550855d3c334b1619e6bd02f10b18a3da98814211998934f71

Download Submit
C:\Windows\system\ZKcqrGP.exe

Filesize
1.9MB

MD5
2d52c21896e93af70de447538800409d

SHA1
01f15281f177bcb4712f201015b4e538e7be0cee

SHA256
e25058831cf82f3f7800ec39e667da054407763baf18b77ae19bf3109dd6882c

SHA512
00a4c971f077a0ed50f86e9d2d2f88ff16e9d878d8f6e0b31737c359ba554b7c5f7434d465b992b8fab394410ede5b0fb4ca342c6f5428954ecfc2c348270363

Download Submit
C:\Windows\system\clhmmuH.exe

Filesize
1.9MB

MD5
fac2c069bd651d47cadd709bdd41e984

SHA1
a2b5d5d07519f04b0f375187cdcfe419b2d0d120

SHA256
993b76486d0d5fd35f50d2f515da9d414f44b62b3a915e0a09079c1a94d1900d

SHA512
1d70457fbc7294f70103bc8a59337835e7fb574fe00cfe1928238e942dbb44260de2ea78cb504fd76704276ec460c8805f89091cf1313a28339291a99fd56047

Download Submit
C:\Windows\system\cqGShiG.exe

Filesize
1.9MB

MD5
9e142571431b47d67b680d487aea9eeb

SHA1
9e12338a8756672c1f436a4bda61aaa8a9e32c09

SHA256
1d502b383ea6def841485bd66a6342b958a44cb603ca4227a5ed61b8d6bca80c

SHA512
2fd90691f506dfcd4e90077487a84f3c42239e018703f469a355ffde0e1638547712a614aca909cb011cc8778e4c9d7cf4cb48d7d286d24ad3958c25754b6219

Download Submit
C:\Windows\system\sTvJsDB.exe

Filesize
1.9MB

MD5
306fcb4705e252db8561720fac20897f

SHA1
4b1f87ac3dd050d0c3b9faf84a5654667a7f3ec2

SHA256
f805e6feef424561912be3c943e128ff7f2c095fedbc24291b98e6e1a93425e2

SHA512
c3714c03620018981bb6f0ae9e1e95442a8e182bea37d0fbf1cd7179f0b1ce3bf7f9bfa4ae73df99b9051e5850ada4bb40e761a2efe6ba94e3f1746b6f6bca97

Download Submit
C:\Windows\system\uwzxNOa.exe

Filesize
1.9MB

MD5
25ba444cdf3bf4c7b5bfbbd866d81cb0

SHA1
d98033be727df6a30dfb1b2e3639c7cdafeeda1d

SHA256
752886209833a75c254c952da8ec16b2b5d773070c8be00c9ff9a43d4bfae3ff

SHA512
137379ef6a62a0ff1297842109e7acd9232c5037003bae754c5087e7b0edfc902dd154a3c9d31fc6a339c4369a786ff23ef15c04f6f83fc421172c07088f421a

Download Submit
C:\Windows\system\vmidMRC.exe

Filesize
1.9MB

MD5
ee4d1be1ea46a58ea78a3c615177fccd

SHA1
3276b806c32c49b8125ce74d35b45f7abc0476c1

SHA256
b1536607d7835ae56e68c029d8a804a13dbbcbdfb9142931478ae9234499726d

SHA512
17d99bfef9629ca52c7482121ef065df4fbcbdaa5ceda4646fa38c83d29503170bbcb5dffcdcd18435189c8bdc2f3b1f7edb08be85af6336de790e1947bbd247

Download Submit
C:\Windows\system\xSVMBLA.exe

Filesize
1.9MB

MD5
de599f789468345caebdd5abd6136f81

SHA1
a87c53e71e6e90be58e89a6450e7c81831483d36

SHA256
5f60eeca5b77cfa6ddbb88c27a8aafcb7116c9c51f6026e947449ec27bc154e3

SHA512
418e59ba02dff0845658c03959f7f93f13e0c7431f3c3d949801f9bc50bab27cca8859b9656a523906017a0e3034762ecfd3a116ba9f168f519f24045a3087f2

Download Submit
\Windows\system\DVGuFeC.exe

Filesize
1.9MB

MD5
223cb56fb8053cdee9ee3811439fd4d0

SHA1
f4e1838dd1203783f562be4ad35578982e6ba8f0

SHA256
7854111ee928c5cbab66b59ddac607e9477e1532e159dbac565984c62766a800

SHA512
c9f46e6291773ec03b9fc23fb451881aaa3320ab43be40d34458f62309ccb1122d5c0f6d0906dd74a520845b0611eac58cf111bab6373df4845e48ce474045da

Download Submit
\Windows\system\ElPVwKv.exe

Filesize
1.9MB

MD5
9bfd834b83738e6b6ec35d1836739837

SHA1
ede7749aeb88a5eefe3be26fbfad47a0e38f44a7

SHA256
5c55929ac4402e935fbf6b8f81573a126247f4b5afe32508342744ea7b7a9f4a

SHA512
b7f503385d546540b9060780272a9647ed08f9eaf0679642a5b0c8958b121589692d0f8cf0e3afb3909790b773af79564c3a2ef4d62f4ea1f94b9bd7ccbff7ab

Download Submit
\Windows\system\EwooOed.exe

Filesize
1.9MB

MD5
8a71547c8301fb722b21c37938bb6e90

SHA1
0e7075fc708fda3f10527a5c76f8fcf964d79adc

SHA256
45d6f34809b999c8b0d11e7b9601441a0825444d4fd6849ee9dbcab5ad7d1efb

SHA512
4d1c5630698d86463abf72ab46bce5c201b4671ca8d6f3053abff802b28c6233eb9dbca620bb5c67587c08270c0aa9e4bf25d7d5a4cf335e0cd5a936e7110ec2

Download Submit
\Windows\system\GRhxoET.exe

Filesize
1.9MB

MD5
1156688d0e7550392bd21a5c5ffcb9e2

SHA1
e69bb7e4c254bc2982d1ac1400c5b6309554a314

SHA256
29d41b1d0cba912f637a33d1a6b3b95a7e3e7e66ff4563b6ab66f1f460f14c82

SHA512
c9afdb22cc89c961580aef8e5a369f6f45112f1c763869af41e46c58d84de7de995692a09a32d7a82badb393fff1003e5e7ef50c95b485a7ac40cd3c647a8bcb

Download Submit
\Windows\system\JBpQpJU.exe

Filesize
1.9MB

MD5
50e796b8096a5d11415d81b6ffba5e49

SHA1
fff90121a8db3db06385a0986f8e479b9c0164ab

SHA256
f3adbbb5da1648507f1d728d6295eb8044cba448f7f7f0c663d428419191acec

SHA512
5df88a763b61b6310208f6681ff4e79eadbdd4a3be60681569f49cb4d307305385bdff02de5ac40c7f94087bac1f721c27b77c455af4f46576a04777d1cb3c8b

Download Submit
\Windows\system\KhPIXKU.exe

Filesize
1.9MB

MD5
d3997c958b06e71b165e46555ec14bbc

SHA1
fc409f711ed83dcdbf5c3c32d6eab58d15e11d67

SHA256
77f673435cf51962c202062739d8ff111fd29aaff968efd18922046d8627faa5

SHA512
3fb7ae9ff161c30eb5b684ef691cb163d8707a59363ea6577b9f7de2042475f13b4c40ba328f9133e500139be2bf067deb079dfed3803a5b29c2c31f81cdbb50

Download Submit
\Windows\system\QpkhjQS.exe

Filesize
1.9MB

MD5
61cbbaf91d8259ccef0768dd8bbd2460

SHA1
1fd4db04bce9661b46fa6861ecd59dba77711a01

SHA256
596735663e1e9a0430947e139fcbb843e2262ceb7ea323d8a4709e96442d6593

SHA512
96726962b6de82f9e1de37bf44bae0eca5d6c7f7ca5283a3121efca28b7ce2a154179c37944d858b5b5522e41df557070d895b96252190755c0d6ac6dbc7efdc

Download Submit
\Windows\system\QxabKAF.exe

Filesize
1.9MB

MD5
d801c35be37f8edb6f6075f646108c9e

SHA1
e3212b5708fa9b759e32ec5cc1253d9c89a6c5d9

SHA256
9fab5da4643f5a13112fa7fd3ff50d20bf3cf7d74775cd4b1ad83b36f14733a6

SHA512
b2ff896af0b8d72128b34648364b624d65f0cccdc3525b9643820f5308931bac88ea7bd61774c582b00f070d3b3f9844933ca5547696e8bed6a1a79c97999bb7

Download Submit
\Windows\system\RVHouXM.exe

Filesize
2.0MB

MD5
a78410d206fe52727375a60f8e5b0265

SHA1
23ae2dd5c3604d2d91099b04273205c899762416

SHA256
2ce0eb9a4fdc34efeca25fa3b27b1f3cf7554c540d8c29140d0a4c6ef021a531

SHA512
a3845f1ae4d86b94681ead65309d2a4d9a39e493056bf592264a4b81b65d1b868a50b2aec9df1c7d191fbb7fbaf0e5e1b554451f319c0d07429d9310bf0cad66

Download Submit
\Windows\system\VysGTaP.exe

Filesize
2.0MB

MD5
ff63d21198f41c9fe283a45bef463f76

SHA1
c161932121a76f0dd476d421f162168f9b913db9

SHA256
cc634aca2d5d89e02515396a5a8dd7e96d46db8476fc35ae8b8177a7009c52c0

SHA512
c48bb2223f9d43654ad1f88932467f66d2d510d1c62748b465adb563d98cf7a3d00aca293bcf529b850f80d26910152661b9d9a8a9c3e680cccba526a0f76746

Download Submit
\Windows\system\afIrICK.exe

Filesize
1.9MB

MD5
7a4405a20c8fbf5087a26815c84776c7

SHA1
2f8b6f1a08f0f5261407ebfa041b7f2089034580

SHA256
fe723284e108db33a5e35fb6f6da753ec8292a9102c179c252b2594bbb8b8415

SHA512
e681c6310b76dd10967c9c2daad3bd07551bc96c25110147b9869f235d1f825f3446d4e3c70ea8342b383772a9b97781282b48b045e673e0bfc9e584273f14c2

Download Submit
\Windows\system\cyvAJDu.exe

Filesize
1.9MB

MD5
c3e1c29d62a138f69c74330ce14be5cc

SHA1
95400b8c4a62ec2c6fcd790f285657832f576401

SHA256
7fa4270a1c54b1e45ed06830f970e7f161c96dd60485d5a6a5e96f9312e0d47d

SHA512
a547d8d0015bc32392ee5d12bc24cec80b47b7a3dcaaf3971d565f431d2883c8c728aa2cc737cea46af306853b9358072fe7d72f8ecac779d41af5accbc86c43

Download Submit
\Windows\system\ohjQXZv.exe

Filesize
1.9MB

MD5
8009abcf379de608ca681da094b8318e

SHA1
f2a484267ce31619510c41be573dfca77b6f61ab

SHA256
28f33d3bc0ae61c78c6fcc5f8f7c6e8a448d67e37036154eeaa3721d2f88d561

SHA512
7da9f32956b1c6741a01c62a901f6c4387a9d0ec5c78436203a375d5cf42a1e81ac8d85d03702571ac6643c54fc0c8359d3fd077032e318b8c969432b7ecfe2c

Download Submit
\Windows\system\wmFqGFl.exe

Filesize
1.9MB

MD5
303359e670d18a5fa05d0fd522b25fe8

SHA1
46e891adcfdb1d58752f175551e8f33b336673b0

SHA256
b11c2d7a61266e5d1275e73b352b2daed8523ad798f16d4d974a0a5fed13c4db

SHA512
d230f53e929d705813c30b0e10c84548d1a907aa316e0e92f2e1e787918c79e621cad9f2193f16fe4bc9c7498e17fb42666dd581d1c0638af7f838b9377bdb39

Download Submit
\Windows\system\xUoxfNk.exe

Filesize
1.9MB

MD5
c3da7ef5b9ec425e4f4a693fbba14d83

SHA1
5cc22c8278c24055a2f669093a666ac273f8457d

SHA256
bbc066ae66591d347819814df4af32b93d7712d96bf11e66b966cc1993ef0ea0

SHA512
b53aa781525284a0de5378ca629294fa40a2592fe9065b0fb21d01c6e8063e04506a1da56e11fbf4b930695dcfeb4ab0daf5ebf38e5b9f35a3da1cd28d06a3fb

Download Submit
memory/1972-0-0x000000013FA80000-0x000000013FE72000-memory.dmp

Filesize
3.9MB

Download
memory/1972-65-0x000000013F510000-0x000000013F902000-memory.dmp

Filesize
3.9MB

Download
memory/1972-1-0x00000000002F0000-0x0000000000300000-memory.dmp

Filesize
64KB

Download
memory/2308-246-0x0000000001FF0000-0x0000000001FF8000-memory.dmp

Filesize
32KB

Download
memory/2308-176-0x000000001B650000-0x000000001B932000-memory.dmp

Filesize
2.9MB

Download
memory/2512-68-0x000000013FD00000-0x00000001400F2000-memory.dmp

Filesize
3.9MB

Download