Malware Analysis Report

2025-03-15 08:11

Sample ID 240530-dy7ggacg3v
Target d4a3f28b56d0751d4883f9a20899507ead4010860e097f63245baae1031f6c7b
SHA256 d4a3f28b56d0751d4883f9a20899507ead4010860e097f63245baae1031f6c7b
Tags
cobaltstrike xmrig 0 backdoor miner trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

d4a3f28b56d0751d4883f9a20899507ead4010860e097f63245baae1031f6c7b

Threat Level: Known bad

The file d4a3f28b56d0751d4883f9a20899507ead4010860e097f63245baae1031f6c7b was found to be: Known bad.

Malicious Activity Summary

cobaltstrike xmrig 0 backdoor miner trojan upx

Cobalt Strike reflective loader

UPX dump on OEP (original entry point)

XMRig Miner payload

Cobaltstrike

xmrig

Detects Reflective DLL injection artifacts

Cobaltstrike family

Xmrig family

Loads dropped DLL

Executes dropped EXE

UPX packed file

Drops file in Windows directory

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-05-30 03:26

Signatures

Cobalt Strike reflective loader

Cobaltstrike family

cobaltstrike

Detects Reflective DLL injection artifacts

UPX dump on OEP (original entry point)

XMRig Miner payload

miner
Xmrig family

xmrig

UPX packed file

upx
Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-30 03:26

Reported

2024-05-30 03:28

Platform

win7-20240508-en

Max time kernel

145s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\d4a3f28b56d0751d4883f9a20899507ead4010860e097f63245baae1031f6c7b.exe"

Signatures

Cobalt Strike reflective loader

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

UPX dump on OEP (original entry point)

XMRig Miner payload

miner
Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\d4a3f28b56d0751d4883f9a20899507ead4010860e097f63245baae1031f6c7b.exe N/A
(21 identical entries)

UPX packed file

upx
Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\avnLcNq.exe C:\Users\Admin\AppData\Local\Temp\d4a3f28b56d0751d4883f9a20899507ead4010860e097f63245baae1031f6c7b.exe N/A
File created C:\Windows\System\mHERTJf.exe C:\Users\Admin\AppData\Local\Temp\d4a3f28b56d0751d4883f9a20899507ead4010860e097f63245baae1031f6c7b.exe N/A
File created C:\Windows\System\ayOhFAr.exe C:\Users\Admin\AppData\Local\Temp\d4a3f28b56d0751d4883f9a20899507ead4010860e097f63245baae1031f6c7b.exe N/A
File created C:\Windows\System\qJPxtiM.exe C:\Users\Admin\AppData\Local\Temp\d4a3f28b56d0751d4883f9a20899507ead4010860e097f63245baae1031f6c7b.exe N/A
File created C:\Windows\System\azvirUP.exe C:\Users\Admin\AppData\Local\Temp\d4a3f28b56d0751d4883f9a20899507ead4010860e097f63245baae1031f6c7b.exe N/A
File created C:\Windows\System\YtZsUvg.exe C:\Users\Admin\AppData\Local\Temp\d4a3f28b56d0751d4883f9a20899507ead4010860e097f63245baae1031f6c7b.exe N/A
File created C:\Windows\System\swjFvUj.exe C:\Users\Admin\AppData\Local\Temp\d4a3f28b56d0751d4883f9a20899507ead4010860e097f63245baae1031f6c7b.exe N/A
File created C:\Windows\System\iQxlxHm.exe C:\Users\Admin\AppData\Local\Temp\d4a3f28b56d0751d4883f9a20899507ead4010860e097f63245baae1031f6c7b.exe N/A
File created C:\Windows\System\TriXBGF.exe C:\Users\Admin\AppData\Local\Temp\d4a3f28b56d0751d4883f9a20899507ead4010860e097f63245baae1031f6c7b.exe N/A
File created C:\Windows\System\XBkbUsc.exe C:\Users\Admin\AppData\Local\Temp\d4a3f28b56d0751d4883f9a20899507ead4010860e097f63245baae1031f6c7b.exe N/A
File created C:\Windows\System\yVVPMJK.exe C:\Users\Admin\AppData\Local\Temp\d4a3f28b56d0751d4883f9a20899507ead4010860e097f63245baae1031f6c7b.exe N/A
File created C:\Windows\System\iMztHxR.exe C:\Users\Admin\AppData\Local\Temp\d4a3f28b56d0751d4883f9a20899507ead4010860e097f63245baae1031f6c7b.exe N/A
File created C:\Windows\System\rjGvxSK.exe C:\Users\Admin\AppData\Local\Temp\d4a3f28b56d0751d4883f9a20899507ead4010860e097f63245baae1031f6c7b.exe N/A
File created C:\Windows\System\qMFHYGu.exe C:\Users\Admin\AppData\Local\Temp\d4a3f28b56d0751d4883f9a20899507ead4010860e097f63245baae1031f6c7b.exe N/A
File created C:\Windows\System\gAPvlpm.exe C:\Users\Admin\AppData\Local\Temp\d4a3f28b56d0751d4883f9a20899507ead4010860e097f63245baae1031f6c7b.exe N/A
File created C:\Windows\System\QnGLZLA.exe C:\Users\Admin\AppData\Local\Temp\d4a3f28b56d0751d4883f9a20899507ead4010860e097f63245baae1031f6c7b.exe N/A
File created C:\Windows\System\kxpXHcp.exe C:\Users\Admin\AppData\Local\Temp\d4a3f28b56d0751d4883f9a20899507ead4010860e097f63245baae1031f6c7b.exe N/A
File created C:\Windows\System\UrLtSje.exe C:\Users\Admin\AppData\Local\Temp\d4a3f28b56d0751d4883f9a20899507ead4010860e097f63245baae1031f6c7b.exe N/A
File created C:\Windows\System\zDkeEVL.exe C:\Users\Admin\AppData\Local\Temp\d4a3f28b56d0751d4883f9a20899507ead4010860e097f63245baae1031f6c7b.exe N/A
File created C:\Windows\System\GnPuriU.exe C:\Users\Admin\AppData\Local\Temp\d4a3f28b56d0751d4883f9a20899507ead4010860e097f63245baae1031f6c7b.exe N/A
File created C:\Windows\System\aEesDTf.exe C:\Users\Admin\AppData\Local\Temp\d4a3f28b56d0751d4883f9a20899507ead4010860e097f63245baae1031f6c7b.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\d4a3f28b56d0751d4883f9a20899507ead4010860e097f63245baae1031f6c7b.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\d4a3f28b56d0751d4883f9a20899507ead4010860e097f63245baae1031f6c7b.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2848 wrote to memory of 3036 N/A C:\Users\Admin\AppData\Local\Temp\d4a3f28b56d0751d4883f9a20899507ead4010860e097f63245baae1031f6c7b.exe C:\Windows\System\kxpXHcp.exe
PID 2848 wrote to memory of 2144 N/A C:\Users\Admin\AppData\Local\Temp\d4a3f28b56d0751d4883f9a20899507ead4010860e097f63245baae1031f6c7b.exe C:\Windows\System\avnLcNq.exe
PID 2848 wrote to memory of 2128 N/A C:\Users\Admin\AppData\Local\Temp\d4a3f28b56d0751d4883f9a20899507ead4010860e097f63245baae1031f6c7b.exe C:\Windows\System\TriXBGF.exe
PID 2848 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\d4a3f28b56d0751d4883f9a20899507ead4010860e097f63245baae1031f6c7b.exe C:\Windows\System\XBkbUsc.exe
PID 2848 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Local\Temp\d4a3f28b56d0751d4883f9a20899507ead4010860e097f63245baae1031f6c7b.exe C:\Windows\System\UrLtSje.exe
PID 2848 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Local\Temp\d4a3f28b56d0751d4883f9a20899507ead4010860e097f63245baae1031f6c7b.exe C:\Windows\System\yVVPMJK.exe
PID 2848 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Local\Temp\d4a3f28b56d0751d4883f9a20899507ead4010860e097f63245baae1031f6c7b.exe C:\Windows\System\mHERTJf.exe
PID 2848 wrote to memory of 2776 N/A C:\Users\Admin\AppData\Local\Temp\d4a3f28b56d0751d4883f9a20899507ead4010860e097f63245baae1031f6c7b.exe C:\Windows\System\iMztHxR.exe
PID 2848 wrote to memory of 2536 N/A C:\Users\Admin\AppData\Local\Temp\d4a3f28b56d0751d4883f9a20899507ead4010860e097f63245baae1031f6c7b.exe C:\Windows\System\ayOhFAr.exe
PID 2848 wrote to memory of 2640 N/A C:\Users\Admin\AppData\Local\Temp\d4a3f28b56d0751d4883f9a20899507ead4010860e097f63245baae1031f6c7b.exe C:\Windows\System\zDkeEVL.exe
PID 2848 wrote to memory of 2116 N/A C:\Users\Admin\AppData\Local\Temp\d4a3f28b56d0751d4883f9a20899507ead4010860e097f63245baae1031f6c7b.exe C:\Windows\System\YtZsUvg.exe
PID 2848 wrote to memory of 2500 N/A C:\Users\Admin\AppData\Local\Temp\d4a3f28b56d0751d4883f9a20899507ead4010860e097f63245baae1031f6c7b.exe C:\Windows\System\swjFvUj.exe
PID 2848 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Local\Temp\d4a3f28b56d0751d4883f9a20899507ead4010860e097f63245baae1031f6c7b.exe C:\Windows\System\GnPuriU.exe
PID 2848 wrote to memory of 2564 N/A C:\Users\Admin\AppData\Local\Temp\d4a3f28b56d0751d4883f9a20899507ead4010860e097f63245baae1031f6c7b.exe C:\Windows\System\iQxlxHm.exe
PID 2848 wrote to memory of 2328 N/A C:\Users\Admin\AppData\Local\Temp\d4a3f28b56d0751d4883f9a20899507ead4010860e097f63245baae1031f6c7b.exe C:\Windows\System\rjGvxSK.exe
PID 2848 wrote to memory of 1608 N/A C:\Users\Admin\AppData\Local\Temp\d4a3f28b56d0751d4883f9a20899507ead4010860e097f63245baae1031f6c7b.exe C:\Windows\System\qJPxtiM.exe
PID 2848 wrote to memory of 556 N/A C:\Users\Admin\AppData\Local\Temp\d4a3f28b56d0751d4883f9a20899507ead4010860e097f63245baae1031f6c7b.exe C:\Windows\System\qMFHYGu.exe
PID 2848 wrote to memory of 316 N/A C:\Users\Admin\AppData\Local\Temp\d4a3f28b56d0751d4883f9a20899507ead4010860e097f63245baae1031f6c7b.exe C:\Windows\System\gAPvlpm.exe
PID 2848 wrote to memory of 2028 N/A C:\Users\Admin\AppData\Local\Temp\d4a3f28b56d0751d4883f9a20899507ead4010860e097f63245baae1031f6c7b.exe C:\Windows\System\aEesDTf.exe
PID 2848 wrote to memory of 1476 N/A C:\Users\Admin\AppData\Local\Temp\d4a3f28b56d0751d4883f9a20899507ead4010860e097f63245baae1031f6c7b.exe C:\Windows\System\azvirUP.exe
PID 2848 wrote to memory of 1452 N/A C:\Users\Admin\AppData\Local\Temp\d4a3f28b56d0751d4883f9a20899507ead4010860e097f63245baae1031f6c7b.exe C:\Windows\System\QnGLZLA.exe
(each write to a child process is recorded three times)

Processes

C:\Users\Admin\AppData\Local\Temp\d4a3f28b56d0751d4883f9a20899507ead4010860e097f63245baae1031f6c7b.exe

"C:\Users\Admin\AppData\Local\Temp\d4a3f28b56d0751d4883f9a20899507ead4010860e097f63245baae1031f6c7b.exe"

C:\Windows\System\kxpXHcp.exe

C:\Windows\System\kxpXHcp.exe

C:\Windows\System\avnLcNq.exe

C:\Windows\System\avnLcNq.exe

C:\Windows\System\TriXBGF.exe

C:\Windows\System\TriXBGF.exe

C:\Windows\System\XBkbUsc.exe

C:\Windows\System\XBkbUsc.exe

C:\Windows\System\UrLtSje.exe

C:\Windows\System\UrLtSje.exe

C:\Windows\System\yVVPMJK.exe

C:\Windows\System\yVVPMJK.exe

C:\Windows\System\mHERTJf.exe

C:\Windows\System\mHERTJf.exe

C:\Windows\System\iMztHxR.exe

C:\Windows\System\iMztHxR.exe

C:\Windows\System\ayOhFAr.exe

C:\Windows\System\ayOhFAr.exe

C:\Windows\System\zDkeEVL.exe

C:\Windows\System\zDkeEVL.exe

C:\Windows\System\YtZsUvg.exe

C:\Windows\System\YtZsUvg.exe

C:\Windows\System\swjFvUj.exe

C:\Windows\System\swjFvUj.exe

C:\Windows\System\GnPuriU.exe

C:\Windows\System\GnPuriU.exe

C:\Windows\System\iQxlxHm.exe

C:\Windows\System\iQxlxHm.exe

C:\Windows\System\rjGvxSK.exe

C:\Windows\System\rjGvxSK.exe

C:\Windows\System\qJPxtiM.exe

C:\Windows\System\qJPxtiM.exe

C:\Windows\System\qMFHYGu.exe

C:\Windows\System\qMFHYGu.exe

C:\Windows\System\gAPvlpm.exe

C:\Windows\System\gAPvlpm.exe

C:\Windows\System\aEesDTf.exe

C:\Windows\System\aEesDTf.exe

C:\Windows\System\azvirUP.exe

C:\Windows\System\azvirUP.exe

C:\Windows\System\QnGLZLA.exe

C:\Windows\System\QnGLZLA.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 tcp
(6 identical connections)

Files

memory/2848-0-0x00000000001F0000-0x0000000000200000-memory.dmp

memory/2848-1-0x000000013F9A0000-0x000000013FCF4000-memory.dmp

C:\Windows\system\kxpXHcp.exe

MD5 cc834d8bf83d3d4c1546163b45539011
SHA1 4eef5af59c47e8cb5a250d64e6efb2a11c5a6341
SHA256 22489c532a35c3aecdac4a9e2fb46415d07eb07eb5e0223a2240323eeae62dfa
SHA512 bd2d2315b71015a1bb6c0e214b7edd59a84150d3690784bd201b4776d7347363ac5d0c86e123166cf8ad18033783d0498a0db15e7df4f7d56064dbe6f7194df6

memory/3036-9-0x000000013FF90000-0x00000001402E4000-memory.dmp

memory/2848-8-0x000000013FF90000-0x00000001402E4000-memory.dmp

C:\Windows\system\avnLcNq.exe

MD5 7c4dc88d455eb9b774938b4b498fcf6b
SHA1 fbb60bf9b3a286507a7a504bb8fbbd78b25937c0
SHA256 376a9aafc7c2933a4a3b412e290f15149e107aead22c74706db794380f79eacf
SHA512 c34150b0a9eabff4e8a9bc3c4513b83b433dcbe146d5ff89b2622f6f1be6f7b365f7c5925bae463f19ca4bd1c2245faa2500abbba677ad2c80fd8930d6def888

memory/2848-15-0x000000013F3D0000-0x000000013F724000-memory.dmp

\Windows\system\XBkbUsc.exe

MD5 723df4682eba6ebca3baaeceda07710a
SHA1 24a2056ff936ff1281384ec57f085b908d6a22f9
SHA256 bbfad5a016082143b15877e67b69dda84474660f21f86479bc630adf31faba48
SHA512 66ca7ff704ee68da2d9d1a0e89054758a5cfec9ee19f2c7940fcf1500f97b908563c1f55773a929c67930cdb7e845933a84d01cadf361a0801d5d411771b1007

memory/2128-21-0x000000013FD60000-0x00000001400B4000-memory.dmp

memory/2676-29-0x000000013F160000-0x000000013F4B4000-memory.dmp

memory/2848-27-0x000000013F160000-0x000000013F4B4000-memory.dmp

C:\Windows\system\TriXBGF.exe

MD5 f6eb578cd1bab88bf1b8981bc447f52b
SHA1 f1cf58e2e2ecf6147aa63ea993b33d9ea204c14c
SHA256 ae5b6dd1487e4daa946a675e2fa5bf817954845711d835ed7aa0a447540e681e
SHA512 284770b5e737923c69811506d11425edcce58149785060e04840bc99a5d7ee8acc003b0e78fc5b068e122cc309cf8f9c3cf9503db65174b73e9629c16925abde

memory/2144-17-0x000000013F3D0000-0x000000013F724000-memory.dmp

\Windows\system\UrLtSje.exe

MD5 05125c22802d70f73df1bcbc39b1fe1b
SHA1 fff0f9ed0af8772e35da9bea5671e5b5714726e3
SHA256 901db15b2094d6462d6f60bc210a66f8e61f519c5da6c130ef2a8b34ae33a4bc
SHA512 c7a7a4733f33c26103ae4181deac1bcb6534466a0d49ab726ac197ac35fb0d2846f30f31989d895e6e95f4965959351598837957f29d5d9f6f5ba4a6783057ef

C:\Windows\system\yVVPMJK.exe

MD5 81f0d9db174960863daf84232919341f
SHA1 d78f8568f43df92009a7d8f76c31bec4afaa7cae
SHA256 674ad222e3dea172006d9316a123de7acabc12fdfbae056ed59b7475c0a91944
SHA512 70e8dd74438ea5dd1132745d52a6a04d06a4115b1b6a79433d22c645d04dd7e608582886abf4162a2858e970856610ce44ae930dfa098a5832d37c6ef9b45fb5

memory/2848-41-0x000000013FDB0000-0x0000000140104000-memory.dmp

\Windows\system\iMztHxR.exe

MD5 b14473b31dc636a7d9dd15df060a2a03
SHA1 5dc4f96036e090eb7fe858686fa076d8e403b5db
SHA256 1de1b0a49f8dc0e08a8f3418415fa88a5a9a35163acb2b6457d1e66770fb19cf
SHA512 2730babbb2270839bdff5afd734fa28646b52be546e778b97f6c68a0ade7f4c2068cbdba641d0a9a161e8477298d2d422f2646e3821f3d3f2b4bf501fc803117

C:\Windows\system\mHERTJf.exe

MD5 b1396b3a01f0635ae2b8aeb1fd804fa6
SHA1 4b612024664a9e81d4338eb248080956b164d651
SHA256 28fa2a829c7468396b669d1ebf861ad69da493f6d45863028d3bc95338450c2a
SHA512 8b6e60ce66eb9913543dfb429c92f2fdc0685e14f19c91ce212b049e02e6589f49a83436dc18a76933ca4496813afbcdf7445acace43ebfefd84cb7faf7456e9

memory/2776-53-0x000000013F7B0000-0x000000013FB04000-memory.dmp

memory/2500-84-0x000000013F910000-0x000000013FC64000-memory.dmp

memory/2724-97-0x000000013F470000-0x000000013F7C4000-memory.dmp

C:\Windows\system\qMFHYGu.exe

MD5 0605fe87b292f50937a17d2609dae823
SHA1 052fabac733b8c6c451b667fdbe34acf605f30cf
SHA256 e1c0bdcd78b7675612107adaaee0b9d8ac2a8741584d906874ba0cfa01fa2e24
SHA512 3e845d01dee52babe3c0a3cd4df4e7919b2a21461cac37d2843b2a9fd3eceb8c06cfbf4bfe3fb997ede0b91ae5ed718cdaf068a9d7687554dee4281032921bb8

C:\Windows\system\azvirUP.exe

MD5 b26ae9c84ec5add2732c9b472f8536b1
SHA1 c136a0e257d1f51eccc3d9ea3f7645ccd11fadf3
SHA256 d54aaee7cf186e85a07b4c038a1176272406e6092e9cbd1924a10b88ab1459c8
SHA512 e5603020204f9fd9a253818bf7a41ca29bfae5f69fc39ea36845a9eed2236f5925919d8aca7988647f187fda0064f90f8de74b12ed431edb12e0761eedb2a1b7

\Windows\system\QnGLZLA.exe

MD5 20c18de86239b00f17bb62fa31de5dc9
SHA1 4b5fa1785b9c842e29f44465381d7cf0ca369a4c
SHA256 618932a4ae3e2fa252a342f954d0bf8b0c0e89c6f124c7e1a02f3c058c4c5773
SHA512 187499253a7be2cfb77abfa422c0f8b841528db99864091b7e605665c83443e8f47e84f12c6c39bd83b1559721ffeacd4bee1f8220a98938c846dbc479a552b7

C:\Windows\system\aEesDTf.exe

MD5 ad1c2a5d7306a4578fb6fc1035d6fbc8
SHA1 7be382b44e82e416e769608a9c049cd23758a777
SHA256 a1c3970fa8e0ac13add1a0c20bc82d834688013734593a4b5e3a820c1a760732
SHA512 3a45c546a3d0370e54b5a53b47c6deeea48c31fcd29ebf6205fb5030b8af37cb74a1c88692896953d6916c3a577f42d3ad83ae92aa249a8a5c7e6a83b24d5079

C:\Windows\system\gAPvlpm.exe

MD5 70d12ed216c8ef9fd51bb2dbdd804504
SHA1 f2c1ad6555b33839b7f9951a8d6d2a684890d147
SHA256 d0452378f5ab232f58df00caf6a07db0628fc0509de67b025b05186c34af0a4e
SHA512 f202ae4ede55175ce21d6ca6cf9b6330993090140abae3e5a177f74973f878a8ab70faaf9799079c693b9a309c61950e2473ed9dc7567bd2f58a0df4d89cc3d2

C:\Windows\system\qJPxtiM.exe

MD5 b11831aa883ab9169087cb61050fa1d5
SHA1 5bbf42faae209f4336536555f3ce58bc3ddbf652
SHA256 2f587aa79f2d043ac8de72d3015493ddcc6ae228ca668d3ec5b0c392dc3c562c
SHA512 934fd29307eb023ab8520d36d56d7f733a64d3b722d94680b3be39c1dd9b83b94bc96c7ca9ac5d4b8d8eb56fdb76017593ab2235630ccb896f5b44512f1f94a2

memory/2848-106-0x0000000002210000-0x0000000002564000-memory.dmp

memory/2808-105-0x000000013FDB0000-0x0000000140104000-memory.dmp

C:\Windows\system\rjGvxSK.exe

MD5 9468e3709cda46249cd031e02403083b
SHA1 4118fb9428fbe6b3a4d437576357cb24fd942878
SHA256 a6640055da13e0e39e86dfdf757e27b1ad68ef896ea59888afc29cf781bb83cb
SHA512 d97b9a9ef294d744538edc4bd81ebc84895ae41a274a66066553ebed9fe2696e063ed7308c2459d954a52f4ca59909cf26ae2b06d6bbfad6aa6d456a38cee876

memory/2564-99-0x000000013F230000-0x000000013F584000-memory.dmp

memory/2848-98-0x000000013F230000-0x000000013F584000-memory.dmp

C:\Windows\system\iQxlxHm.exe

MD5 317c4b5aebd99091a7d08661d2b6f099
SHA1 f41b5cf9657c56216bdf317d781e8c83ba832632
SHA256 782a9ab96ecc3d4e2075c0b3a421caaeac26818289ca30237b76840ee46456ab
SHA512 685e224946856353f79c497f80e30b67fa4218aa9369fe9ff677e1a8745db3fd440947573652cccf21dd735ddbe2a040e6fcd145ddc738f98d4f3f3d337574d8

memory/2772-90-0x000000013F8A0000-0x000000013FBF4000-memory.dmp

memory/2848-89-0x0000000002210000-0x0000000002564000-memory.dmp

C:\Windows\system\GnPuriU.exe

MD5 85ab2033837b5c0e1f0327a065b44057
SHA1 3920f6dbde1868469e45c9158b3cbcf258be8aaa
SHA256 700162547adf86390d86e124cd05e384708ba7f5436f092dd077ddea4a5d2d29
SHA512 575ee7d51c6f37fbd3726f489b43a5913a121f002f003fe847a3af89c795869f5a17c2d388179159d115478ede34542a3d12aaf2cd8222629ef9ede0d663b4c5

memory/2116-76-0x000000013F980000-0x000000013FCD4000-memory.dmp

memory/2848-75-0x0000000002210000-0x0000000002564000-memory.dmp

memory/2848-83-0x0000000002210000-0x0000000002564000-memory.dmp

memory/2128-82-0x000000013FD60000-0x00000001400B4000-memory.dmp

C:\Windows\system\YtZsUvg.exe

MD5 ceb6dcee7dbb7fd0106e73b891b86593
SHA1 e0c05e70e23088fae66f586879717387b5df2bc4
SHA256 59ec97dfe353c39a160e4290c3410ee089da948902afe0cce47487ec9527feaa
SHA512 e7ee4db8cfba4c4b0c6e3fd4bec8081ea66855e1c96a9c37c32acfaecd75700bfb96803b35110b66ae47071c87b9c49c5f43f5f7427d16b197f9cd0e19177751

memory/2536-61-0x000000013F760000-0x000000013FAB4000-memory.dmp

memory/2548-60-0x000000013F320000-0x000000013F674000-memory.dmp

C:\Windows\system\swjFvUj.exe

MD5 c0b73709c7e8469787759b9d2d95947a
SHA1 5da957e407bfe0527033c3578c31c5babd7aa70f
SHA256 f1fc9969e21fa2d315f17668bada6705043ec71cd2280f53a7d545f040e7d05e
SHA512 de3bb82a1eef4afef3deb9df2eb9d8035d88f8f8591882b56cdf3d0b27b5f8722a44e8bedc2385cc0ff8c49ff7aaebbbcd1c4efed152c4f793af903773ebdc2e

memory/2640-67-0x000000013F050000-0x000000013F3A4000-memory.dmp

memory/2848-66-0x000000013F050000-0x000000013F3A4000-memory.dmp

C:\Windows\system\ayOhFAr.exe

MD5 2e6b09bf4214d4bd127894e43ae9ee0e
SHA1 741ec8d2a74bbcece762749e75006d390990a769
SHA256 9a9a4540947ca8e84078abf1e5e357cd85d3f82ff4a5fc30ace86b8cdfa64686
SHA512 09b357d51232ec682635f702f22b90e89b7cd3bb49c12ee469f4e4a706f0ae7fa16bb17786c397bc765b07e322124c22b2e50401244f8bc22dbe43f32f6298be

C:\Windows\system\zDkeEVL.exe

MD5 a03381e1b2b7306f8196ba31d140aa0f
SHA1 ece6db9ed5539d73b5c40111c371bb15ccc81e6b
SHA256 a5040bae0db4f4a8b98556a609b8499ec34e4dfe2478155c8d65dac059c59dcf
SHA512 2ad3a947b28880cacf335ff4c5505038bc230de4564f550df818eb7d631d0d4a78aceea703791aec27834376d3d09fd733014dbc2726af7427b015e556727f1b

memory/2848-52-0x000000013F9A0000-0x000000013FCF4000-memory.dmp

memory/2848-48-0x0000000002210000-0x0000000002564000-memory.dmp

memory/2808-42-0x000000013FDB0000-0x0000000140104000-memory.dmp

memory/2724-35-0x000000013F470000-0x000000013F7C4000-memory.dmp

memory/2848-34-0x000000013F470000-0x000000013F7C4000-memory.dmp

memory/2776-137-0x000000013F7B0000-0x000000013FB04000-memory.dmp

memory/2848-139-0x0000000002210000-0x0000000002564000-memory.dmp

memory/2536-140-0x000000013F760000-0x000000013FAB4000-memory.dmp

memory/2548-138-0x000000013F320000-0x000000013F674000-memory.dmp

memory/2848-141-0x000000013F050000-0x000000013F3A4000-memory.dmp

memory/2640-142-0x000000013F050000-0x000000013F3A4000-memory.dmp

memory/2848-143-0x0000000002210000-0x0000000002564000-memory.dmp

memory/2116-144-0x000000013F980000-0x000000013FCD4000-memory.dmp

memory/2500-145-0x000000013F910000-0x000000013FC64000-memory.dmp

memory/2772-146-0x000000013F8A0000-0x000000013FBF4000-memory.dmp

memory/2848-147-0x000000013F230000-0x000000013F584000-memory.dmp

memory/2564-148-0x000000013F230000-0x000000013F584000-memory.dmp

memory/3036-149-0x000000013FF90000-0x00000001402E4000-memory.dmp

memory/2144-150-0x000000013F3D0000-0x000000013F724000-memory.dmp

memory/2676-151-0x000000013F160000-0x000000013F4B4000-memory.dmp

memory/2128-152-0x000000013FD60000-0x00000001400B4000-memory.dmp

memory/2724-153-0x000000013F470000-0x000000013F7C4000-memory.dmp

memory/2808-154-0x000000013FDB0000-0x0000000140104000-memory.dmp

memory/2776-155-0x000000013F7B0000-0x000000013FB04000-memory.dmp

memory/2536-156-0x000000013F760000-0x000000013FAB4000-memory.dmp

memory/2640-157-0x000000013F050000-0x000000013F3A4000-memory.dmp

memory/2548-158-0x000000013F320000-0x000000013F674000-memory.dmp

memory/2500-160-0x000000013F910000-0x000000013FC64000-memory.dmp

memory/2116-159-0x000000013F980000-0x000000013FCD4000-memory.dmp

memory/2772-161-0x000000013F8A0000-0x000000013FBF4000-memory.dmp

memory/2564-162-0x000000013F230000-0x000000013F584000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-30 03:26

Reported

2024-05-30 03:28

Platform

win10v2004-20240426-en

Max time kernel

137s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\d4a3f28b56d0751d4883f9a20899507ead4010860e097f63245baae1031f6c7b.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\aXpymkq.exe C:\Users\Admin\AppData\Local\Temp\d4a3f28b56d0751d4883f9a20899507ead4010860e097f63245baae1031f6c7b.exe N/A
File created C:\Windows\System\iIFWeUP.exe C:\Users\Admin\AppData\Local\Temp\d4a3f28b56d0751d4883f9a20899507ead4010860e097f63245baae1031f6c7b.exe N/A
File created C:\Windows\System\xfiAVfD.exe C:\Users\Admin\AppData\Local\Temp\d4a3f28b56d0751d4883f9a20899507ead4010860e097f63245baae1031f6c7b.exe N/A
File created C:\Windows\System\QXnTggO.exe C:\Users\Admin\AppData\Local\Temp\d4a3f28b56d0751d4883f9a20899507ead4010860e097f63245baae1031f6c7b.exe N/A
File created C:\Windows\System\LOtUomW.exe C:\Users\Admin\AppData\Local\Temp\d4a3f28b56d0751d4883f9a20899507ead4010860e097f63245baae1031f6c7b.exe N/A
File created C:\Windows\System\REGYcLM.exe C:\Users\Admin\AppData\Local\Temp\d4a3f28b56d0751d4883f9a20899507ead4010860e097f63245baae1031f6c7b.exe N/A
File created C:\Windows\System\joSDjtZ.exe C:\Users\Admin\AppData\Local\Temp\d4a3f28b56d0751d4883f9a20899507ead4010860e097f63245baae1031f6c7b.exe N/A
File created C:\Windows\System\jCTEdUH.exe C:\Users\Admin\AppData\Local\Temp\d4a3f28b56d0751d4883f9a20899507ead4010860e097f63245baae1031f6c7b.exe N/A
File created C:\Windows\System\espeuQi.exe C:\Users\Admin\AppData\Local\Temp\d4a3f28b56d0751d4883f9a20899507ead4010860e097f63245baae1031f6c7b.exe N/A
File created C:\Windows\System\aSXjZyE.exe C:\Users\Admin\AppData\Local\Temp\d4a3f28b56d0751d4883f9a20899507ead4010860e097f63245baae1031f6c7b.exe N/A
File created C:\Windows\System\wnOTlqy.exe C:\Users\Admin\AppData\Local\Temp\d4a3f28b56d0751d4883f9a20899507ead4010860e097f63245baae1031f6c7b.exe N/A
File created C:\Windows\System\hDrZzxR.exe C:\Users\Admin\AppData\Local\Temp\d4a3f28b56d0751d4883f9a20899507ead4010860e097f63245baae1031f6c7b.exe N/A
File created C:\Windows\System\iEaxVFa.exe C:\Users\Admin\AppData\Local\Temp\d4a3f28b56d0751d4883f9a20899507ead4010860e097f63245baae1031f6c7b.exe N/A
File created C:\Windows\System\dlaCZcR.exe C:\Users\Admin\AppData\Local\Temp\d4a3f28b56d0751d4883f9a20899507ead4010860e097f63245baae1031f6c7b.exe N/A
File created C:\Windows\System\BOlrvvY.exe C:\Users\Admin\AppData\Local\Temp\d4a3f28b56d0751d4883f9a20899507ead4010860e097f63245baae1031f6c7b.exe N/A
File created C:\Windows\System\ZjtynMI.exe C:\Users\Admin\AppData\Local\Temp\d4a3f28b56d0751d4883f9a20899507ead4010860e097f63245baae1031f6c7b.exe N/A
File created C:\Windows\System\FXkIPvX.exe C:\Users\Admin\AppData\Local\Temp\d4a3f28b56d0751d4883f9a20899507ead4010860e097f63245baae1031f6c7b.exe N/A
File created C:\Windows\System\FFAlDeP.exe C:\Users\Admin\AppData\Local\Temp\d4a3f28b56d0751d4883f9a20899507ead4010860e097f63245baae1031f6c7b.exe N/A
File created C:\Windows\System\XVkxbEg.exe C:\Users\Admin\AppData\Local\Temp\d4a3f28b56d0751d4883f9a20899507ead4010860e097f63245baae1031f6c7b.exe N/A
File created C:\Windows\System\nKvrJwS.exe C:\Users\Admin\AppData\Local\Temp\d4a3f28b56d0751d4883f9a20899507ead4010860e097f63245baae1031f6c7b.exe N/A
File created C:\Windows\System\gJHZzzm.exe C:\Users\Admin\AppData\Local\Temp\d4a3f28b56d0751d4883f9a20899507ead4010860e097f63245baae1031f6c7b.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\d4a3f28b56d0751d4883f9a20899507ead4010860e097f63245baae1031f6c7b.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\d4a3f28b56d0751d4883f9a20899507ead4010860e097f63245baae1031f6c7b.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1068 wrote to memory of 4472 N/A C:\Users\Admin\AppData\Local\Temp\d4a3f28b56d0751d4883f9a20899507ead4010860e097f63245baae1031f6c7b.exe C:\Windows\System\xfiAVfD.exe
PID 1068 wrote to memory of 4472 N/A C:\Users\Admin\AppData\Local\Temp\d4a3f28b56d0751d4883f9a20899507ead4010860e097f63245baae1031f6c7b.exe C:\Windows\System\xfiAVfD.exe
PID 1068 wrote to memory of 3384 N/A C:\Users\Admin\AppData\Local\Temp\d4a3f28b56d0751d4883f9a20899507ead4010860e097f63245baae1031f6c7b.exe C:\Windows\System\wnOTlqy.exe
PID 1068 wrote to memory of 3384 N/A C:\Users\Admin\AppData\Local\Temp\d4a3f28b56d0751d4883f9a20899507ead4010860e097f63245baae1031f6c7b.exe C:\Windows\System\wnOTlqy.exe
PID 1068 wrote to memory of 4880 N/A C:\Users\Admin\AppData\Local\Temp\d4a3f28b56d0751d4883f9a20899507ead4010860e097f63245baae1031f6c7b.exe C:\Windows\System\nKvrJwS.exe
PID 1068 wrote to memory of 4880 N/A C:\Users\Admin\AppData\Local\Temp\d4a3f28b56d0751d4883f9a20899507ead4010860e097f63245baae1031f6c7b.exe C:\Windows\System\nKvrJwS.exe
PID 1068 wrote to memory of 4952 N/A C:\Users\Admin\AppData\Local\Temp\d4a3f28b56d0751d4883f9a20899507ead4010860e097f63245baae1031f6c7b.exe C:\Windows\System\gJHZzzm.exe
PID 1068 wrote to memory of 4952 N/A C:\Users\Admin\AppData\Local\Temp\d4a3f28b56d0751d4883f9a20899507ead4010860e097f63245baae1031f6c7b.exe C:\Windows\System\gJHZzzm.exe
PID 1068 wrote to memory of 1460 N/A C:\Users\Admin\AppData\Local\Temp\d4a3f28b56d0751d4883f9a20899507ead4010860e097f63245baae1031f6c7b.exe C:\Windows\System\hDrZzxR.exe
PID 1068 wrote to memory of 1460 N/A C:\Users\Admin\AppData\Local\Temp\d4a3f28b56d0751d4883f9a20899507ead4010860e097f63245baae1031f6c7b.exe C:\Windows\System\hDrZzxR.exe
PID 1068 wrote to memory of 60 N/A C:\Users\Admin\AppData\Local\Temp\d4a3f28b56d0751d4883f9a20899507ead4010860e097f63245baae1031f6c7b.exe C:\Windows\System\QXnTggO.exe
PID 1068 wrote to memory of 60 N/A C:\Users\Admin\AppData\Local\Temp\d4a3f28b56d0751d4883f9a20899507ead4010860e097f63245baae1031f6c7b.exe C:\Windows\System\QXnTggO.exe
PID 1068 wrote to memory of 2764 N/A C:\Users\Admin\AppData\Local\Temp\d4a3f28b56d0751d4883f9a20899507ead4010860e097f63245baae1031f6c7b.exe C:\Windows\System\ZjtynMI.exe
PID 1068 wrote to memory of 2764 N/A C:\Users\Admin\AppData\Local\Temp\d4a3f28b56d0751d4883f9a20899507ead4010860e097f63245baae1031f6c7b.exe C:\Windows\System\ZjtynMI.exe
PID 1068 wrote to memory of 2088 N/A C:\Users\Admin\AppData\Local\Temp\d4a3f28b56d0751d4883f9a20899507ead4010860e097f63245baae1031f6c7b.exe C:\Windows\System\FFAlDeP.exe
PID 1068 wrote to memory of 2088 N/A C:\Users\Admin\AppData\Local\Temp\d4a3f28b56d0751d4883f9a20899507ead4010860e097f63245baae1031f6c7b.exe C:\Windows\System\FFAlDeP.exe
PID 1068 wrote to memory of 4844 N/A C:\Users\Admin\AppData\Local\Temp\d4a3f28b56d0751d4883f9a20899507ead4010860e097f63245baae1031f6c7b.exe C:\Windows\System\aXpymkq.exe
PID 1068 wrote to memory of 4844 N/A C:\Users\Admin\AppData\Local\Temp\d4a3f28b56d0751d4883f9a20899507ead4010860e097f63245baae1031f6c7b.exe C:\Windows\System\aXpymkq.exe
PID 1068 wrote to memory of 1256 N/A C:\Users\Admin\AppData\Local\Temp\d4a3f28b56d0751d4883f9a20899507ead4010860e097f63245baae1031f6c7b.exe C:\Windows\System\LOtUomW.exe
PID 1068 wrote to memory of 1256 N/A C:\Users\Admin\AppData\Local\Temp\d4a3f28b56d0751d4883f9a20899507ead4010860e097f63245baae1031f6c7b.exe C:\Windows\System\LOtUomW.exe
PID 1068 wrote to memory of 3536 N/A C:\Users\Admin\AppData\Local\Temp\d4a3f28b56d0751d4883f9a20899507ead4010860e097f63245baae1031f6c7b.exe C:\Windows\System\REGYcLM.exe
PID 1068 wrote to memory of 3536 N/A C:\Users\Admin\AppData\Local\Temp\d4a3f28b56d0751d4883f9a20899507ead4010860e097f63245baae1031f6c7b.exe C:\Windows\System\REGYcLM.exe
PID 1068 wrote to memory of 4564 N/A C:\Users\Admin\AppData\Local\Temp\d4a3f28b56d0751d4883f9a20899507ead4010860e097f63245baae1031f6c7b.exe C:\Windows\System\joSDjtZ.exe
PID 1068 wrote to memory of 4564 N/A C:\Users\Admin\AppData\Local\Temp\d4a3f28b56d0751d4883f9a20899507ead4010860e097f63245baae1031f6c7b.exe C:\Windows\System\joSDjtZ.exe
PID 1068 wrote to memory of 2944 N/A C:\Users\Admin\AppData\Local\Temp\d4a3f28b56d0751d4883f9a20899507ead4010860e097f63245baae1031f6c7b.exe C:\Windows\System\XVkxbEg.exe
PID 1068 wrote to memory of 2944 N/A C:\Users\Admin\AppData\Local\Temp\d4a3f28b56d0751d4883f9a20899507ead4010860e097f63245baae1031f6c7b.exe C:\Windows\System\XVkxbEg.exe
PID 1068 wrote to memory of 2992 N/A C:\Users\Admin\AppData\Local\Temp\d4a3f28b56d0751d4883f9a20899507ead4010860e097f63245baae1031f6c7b.exe C:\Windows\System\jCTEdUH.exe
PID 1068 wrote to memory of 2992 N/A C:\Users\Admin\AppData\Local\Temp\d4a3f28b56d0751d4883f9a20899507ead4010860e097f63245baae1031f6c7b.exe C:\Windows\System\jCTEdUH.exe
PID 1068 wrote to memory of 2168 N/A C:\Users\Admin\AppData\Local\Temp\d4a3f28b56d0751d4883f9a20899507ead4010860e097f63245baae1031f6c7b.exe C:\Windows\System\espeuQi.exe
PID 1068 wrote to memory of 2168 N/A C:\Users\Admin\AppData\Local\Temp\d4a3f28b56d0751d4883f9a20899507ead4010860e097f63245baae1031f6c7b.exe C:\Windows\System\espeuQi.exe
PID 1068 wrote to memory of 3700 N/A C:\Users\Admin\AppData\Local\Temp\d4a3f28b56d0751d4883f9a20899507ead4010860e097f63245baae1031f6c7b.exe C:\Windows\System\iIFWeUP.exe
PID 1068 wrote to memory of 3700 N/A C:\Users\Admin\AppData\Local\Temp\d4a3f28b56d0751d4883f9a20899507ead4010860e097f63245baae1031f6c7b.exe C:\Windows\System\iIFWeUP.exe
PID 1068 wrote to memory of 3796 N/A C:\Users\Admin\AppData\Local\Temp\d4a3f28b56d0751d4883f9a20899507ead4010860e097f63245baae1031f6c7b.exe C:\Windows\System\FXkIPvX.exe
PID 1068 wrote to memory of 3796 N/A C:\Users\Admin\AppData\Local\Temp\d4a3f28b56d0751d4883f9a20899507ead4010860e097f63245baae1031f6c7b.exe C:\Windows\System\FXkIPvX.exe
PID 1068 wrote to memory of 5080 N/A C:\Users\Admin\AppData\Local\Temp\d4a3f28b56d0751d4883f9a20899507ead4010860e097f63245baae1031f6c7b.exe C:\Windows\System\dlaCZcR.exe
PID 1068 wrote to memory of 5080 N/A C:\Users\Admin\AppData\Local\Temp\d4a3f28b56d0751d4883f9a20899507ead4010860e097f63245baae1031f6c7b.exe C:\Windows\System\dlaCZcR.exe
PID 1068 wrote to memory of 2540 N/A C:\Users\Admin\AppData\Local\Temp\d4a3f28b56d0751d4883f9a20899507ead4010860e097f63245baae1031f6c7b.exe C:\Windows\System\aSXjZyE.exe
PID 1068 wrote to memory of 2540 N/A C:\Users\Admin\AppData\Local\Temp\d4a3f28b56d0751d4883f9a20899507ead4010860e097f63245baae1031f6c7b.exe C:\Windows\System\aSXjZyE.exe
PID 1068 wrote to memory of 4904 N/A C:\Users\Admin\AppData\Local\Temp\d4a3f28b56d0751d4883f9a20899507ead4010860e097f63245baae1031f6c7b.exe C:\Windows\System\iEaxVFa.exe
PID 1068 wrote to memory of 4904 N/A C:\Users\Admin\AppData\Local\Temp\d4a3f28b56d0751d4883f9a20899507ead4010860e097f63245baae1031f6c7b.exe C:\Windows\System\iEaxVFa.exe
PID 1068 wrote to memory of 3368 N/A C:\Users\Admin\AppData\Local\Temp\d4a3f28b56d0751d4883f9a20899507ead4010860e097f63245baae1031f6c7b.exe C:\Windows\System\BOlrvvY.exe
PID 1068 wrote to memory of 3368 N/A C:\Users\Admin\AppData\Local\Temp\d4a3f28b56d0751d4883f9a20899507ead4010860e097f63245baae1031f6c7b.exe C:\Windows\System\BOlrvvY.exe

Processes

C:\Users\Admin\AppData\Local\Temp\d4a3f28b56d0751d4883f9a20899507ead4010860e097f63245baae1031f6c7b.exe

"C:\Users\Admin\AppData\Local\Temp\d4a3f28b56d0751d4883f9a20899507ead4010860e097f63245baae1031f6c7b.exe"

C:\Windows\System\xfiAVfD.exe

C:\Windows\System\xfiAVfD.exe

C:\Windows\System\wnOTlqy.exe

C:\Windows\System\wnOTlqy.exe

C:\Windows\System\nKvrJwS.exe

C:\Windows\System\nKvrJwS.exe

C:\Windows\System\gJHZzzm.exe

C:\Windows\System\gJHZzzm.exe

C:\Windows\System\hDrZzxR.exe

C:\Windows\System\hDrZzxR.exe

C:\Windows\System\QXnTggO.exe

C:\Windows\System\QXnTggO.exe

C:\Windows\System\ZjtynMI.exe

C:\Windows\System\ZjtynMI.exe

C:\Windows\System\FFAlDeP.exe

C:\Windows\System\FFAlDeP.exe

C:\Windows\System\aXpymkq.exe

C:\Windows\System\aXpymkq.exe

C:\Windows\System\LOtUomW.exe

C:\Windows\System\LOtUomW.exe

C:\Windows\System\REGYcLM.exe

C:\Windows\System\REGYcLM.exe

C:\Windows\System\joSDjtZ.exe

C:\Windows\System\joSDjtZ.exe

C:\Windows\System\XVkxbEg.exe

C:\Windows\System\XVkxbEg.exe

C:\Windows\System\jCTEdUH.exe

C:\Windows\System\jCTEdUH.exe

C:\Windows\System\espeuQi.exe

C:\Windows\System\espeuQi.exe

C:\Windows\System\iIFWeUP.exe

C:\Windows\System\iIFWeUP.exe

C:\Windows\System\FXkIPvX.exe

C:\Windows\System\FXkIPvX.exe

C:\Windows\System\dlaCZcR.exe

C:\Windows\System\dlaCZcR.exe

C:\Windows\System\aSXjZyE.exe

C:\Windows\System\aSXjZyE.exe

C:\Windows\System\iEaxVFa.exe

C:\Windows\System\iEaxVFa.exe

C:\Windows\System\BOlrvvY.exe

C:\Windows\System\BOlrvvY.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 20.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 226.238.32.23.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 144.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp

Files

memory/1068-0-0x00007FF6F2550000-0x00007FF6F28A4000-memory.dmp

memory/1068-1-0x000001D2B0D90000-0x000001D2B0DA0000-memory.dmp

C:\Windows\System\xfiAVfD.exe

MD5 d3efd4f2b0e5777e58fb32ae56175bd5
SHA1 2016ba511318e43ca5c70c1b61fd0906f525efd9
SHA256 fb0bed6b388e018a298771c1b59ded7aef85cb8dd7eec92113653f4c83110412
SHA512 dfa3b3434775d277cdc944e87f2500a40851a6e1cd0f63c9b9243a00350932278271add581102e6b1d2f2c3344f732ac2ff8411c13cb766c8009cb7ef4416842

memory/4472-8-0x00007FF7D0900000-0x00007FF7D0C54000-memory.dmp

C:\Windows\System\wnOTlqy.exe

MD5 d576f4489321a3c5472ddebaa345b328
SHA1 88a579bd7a0c55d7e214143926c791717c80460c
SHA256 c64577731daff8e23bb0bdb8151dfe701b8f4df0e324a1bb0b191f09216dd42e
SHA512 095cc91fefa3605b6f48d3288214f630a2acfd4b963b076d3be6fdd10e71c723540b24606b11f11b97f09d1a46e75debcef478accc78f9cc91011b4aeb273e1d

memory/3384-14-0x00007FF61E070000-0x00007FF61E3C4000-memory.dmp

C:\Windows\System\gJHZzzm.exe

MD5 562b68a2a0cc96a22efe36e94f13db99
SHA1 5cb6463e9f4a4ae2646c3cafe4509e77be178211
SHA256 c45d46952de246cde852149e7cc50411ee9207c1350cf4c05fc926a6e6b2bf08
SHA512 47d9ab087d18236e4620cd047f2e9077fc22bc9d85a87dc959076c9efc9db6e8422215ac3d0cd6ee2b7faec4a746b5c38f64f880d057b6d61482dbc05fe8491b

C:\Windows\System\hDrZzxR.exe

MD5 3ae64c0219a77d3dce4fb30ba5eb930f
SHA1 5577549c559404a2171648aded50704658b5e4cc
SHA256 90a0af902531860a093cd969d4274c2cc239feb35be3738d78f4371271910b1f
SHA512 c1ab16f4b95b6fae96861ab28c06b9cb6254a8a7e09f8531b70d99743c37d5f1917feecb5d43c8c07a4b30c9ade5cae0122bbbe79dceb9a6e782bfb3b6d7a297

memory/4952-29-0x00007FF7225A0000-0x00007FF7228F4000-memory.dmp

memory/1460-34-0x00007FF7A5F30000-0x00007FF7A6284000-memory.dmp

C:\Windows\System\ZjtynMI.exe

MD5 63881b488e90325061b6cf126633a193
SHA1 61b60d53b4945ffb42b90c5090a49eea900b34dd
SHA256 ed42c420df1f006acb9359a25ff18212ce514a693b35741e2367affe0c1f0643
SHA512 33d07ebd83aa6a7aafa63672aee646ef0a22169ef4bb11b10ef89bf30a2863ebd751ab7ec26afa38a110c2ae66190e35bc522eefe222d535640479193394d3b8

C:\Windows\System\QXnTggO.exe

MD5 87d14058da5bda1f73e6f4a652e361aa
SHA1 73414b25af0940aa6395a0416dba7fb832c1e024
SHA256 8bda4887a7f2da1ac5b4a0e110b1b9034d9c6081234f7c4cda38c8d36095f5db
SHA512 99c4e02fc20195875fcf36a76e8ad2f086b9ec331d9d5448ed29239f74819e35a8c20fc1a63ca5770de54c4d725529b7ab11bbcd7858440d96ec616d12ea0c52

memory/60-38-0x00007FF62EBA0000-0x00007FF62EEF4000-memory.dmp

C:\Windows\System\FFAlDeP.exe

MD5 6f6d6722ac79b9cd5c351bca2a88f1f3
SHA1 518fb80c032235c17f8c2be3ed7a1e767d4b4583
SHA256 a595707284719510608abdec16820559097bc8c7484053f31686340fb6672fbb
SHA512 4b5182ca81089e1a9b9074dedd1fbe0fe1fb055c29cc0413f75fed2ca25ded1485489927a669ddab2b50e218210ae6c69ac8df5fcddf3a04f2c1cf65b7d6426b

C:\Windows\System\aXpymkq.exe

MD5 6ddce8e58a50d0c64b9351e9a309684b
SHA1 b70b957272aaa89ab8cbb9c47072db3bd8b465e0
SHA256 6f040c61438486afaaf753803467fa2876da8372de83ff68b173402a27d41774
SHA512 53c65d0ff16470f6aea352ea6952b25fa764f835fa94bb7121995dbeeb8dab6aa0a650522eeef90902da6aff5070eeac800163c88ac0246631170afc870e542b

C:\Windows\System\LOtUomW.exe

MD5 8b98174e7946fda389f262b08c0891ee
SHA1 6e16de810fc3ea980ba7764f65156e44728d371d
SHA256 b489f65356b9e2bc5cfca704e273271c489b5a98834676708f19a2c4b4cdb120
SHA512 f264f0ddbef633407239f4dff42cba3b12452635e96a6dd8a11d747d2b4a0ab11188ae9c37d44a6c676dbab16dffc6594af693f317a8968b8452f28efd577c6b

memory/4844-67-0x00007FF70B6D0000-0x00007FF70BA24000-memory.dmp

C:\Windows\System\joSDjtZ.exe

MD5 179d0c7be4b396b9bfe28fed9c2c1f3d
SHA1 1c0015f3a239fdd071f45b64021973b17aff0c0e
SHA256 0c45de09135d33aac916a1a0ae3086598145702939c3eba23d75dbf288309850
SHA512 963f62aa65952b3732a9d4bbb2a06992d7b814944e6aab1261c392e6d86360cd059b1e0631e157ed7e3575ab229d9237820aeddc7811fc9852d7a65c4241c4b5

memory/4564-79-0x00007FF655220000-0x00007FF655574000-memory.dmp

C:\Windows\System\jCTEdUH.exe

MD5 8bd9f653e9d68321a77ee829e1affedc
SHA1 4955bee16c610ce5ebe708720b1b6f0691a619db
SHA256 fc55b9bcca73667bd2a828f3b741b7f5163c46809134017321cac1adfe2aaaac
SHA512 b2357cd095b476a7be44b588addc5eb00e76595ef420cf45905c2068820fadcf4e73b21e3974c1356b8fbe288b2abccdd7779304ca00cff2b67d42938bb26398

memory/2944-85-0x00007FF7539B0000-0x00007FF753D04000-memory.dmp

memory/1068-89-0x00007FF6F2550000-0x00007FF6F28A4000-memory.dmp

C:\Windows\System\espeuQi.exe

MD5 1ce641669b7f904077da5623eda0d04b
SHA1 5cd7f863a051d3a416010dd0ac71ba25bbbd383b
SHA256 f26df6d0e8efee1deeb4dada7cd7de8797b100a5ab05387f096fbb9a43b47702
SHA512 b09accee17d434c9d372e40d7318a69020214e997cad2c9ad3776791147274082e9e4e0e82f3a820e8cc38721535f828f4908ea26a10b237425320e2f15da804

memory/2168-91-0x00007FF7E98F0000-0x00007FF7E9C44000-memory.dmp

memory/2992-90-0x00007FF7C7200000-0x00007FF7C7554000-memory.dmp

C:\Windows\System\aSXjZyE.exe

MD5 c395c60cc7a86436664fdc899d6b1d0f
SHA1 abd1b501d223c628a6ec7edcff94f6eb1577fe63
SHA256 1e4748e7bead775d039d652b8e33064eb4f0c107d993f5c1d589297af077ce12
SHA512 82ab6757db518810ac6e9d33a1c032f1b208654ceae638c46597a7385eeb4ab00ccfef60d09895fac442e535ada17032e9b49c4318588ffadd20c3d91b11688f

C:\Windows\System\iEaxVFa.exe

MD5 ce596d8f38f314ad6106fadab438603c
SHA1 53e5b180aeb2d6de82a64d2009c9db87676ceb17
SHA256 962a31b894d2d461e90e3831ed1318a533c72a5c4e227caf25c2e12d29f5bd03
SHA512 715baca6cc3e2e1924394bb2e0d21542e2ceb37cfe5478a2deb5c9ced4a8f0ba9fa93c337ce7db5dcddebbc6a217abd2f9dfff8675cbe03a75190a1ff9aa309c

C:\Windows\System\BOlrvvY.exe

MD5 0f170349df60481a87f1fe3393443c87
SHA1 1fb2cc19451e671a12f347e037d5f32b0a32889f
SHA256 0cd4a12c00da11f863ca3b12f6b1b8570adff747a61787e1627d9267e67dfb09
SHA512 e0c0d79df04e774b522a179655ca9f529df573019e1f5ef51e35a56b25ac96d16b24c2826b13b3b07ccdcc0e7f687b02fb2360a9ebba6c6a0d305641db778ee0

C:\Windows\System\dlaCZcR.exe

MD5 350194d80ab97c31679d2382d7da2200
SHA1 8869adf464bee5c8fcfe6a39331de3d6bda16cbb
SHA256 d5a3ca9dc0f231398c4a837c6eb7c948b78766630174390426cfe13d90f17ccc
SHA512 71858afdc5f875dd35dc6766f0531d89df70935b4ebddc78877a39a8e95bcea2120dd4f471c94726fc45ea95e66c2f77734bb36115424892a923eb0b65c24ee4

C:\Windows\System\FXkIPvX.exe

MD5 dcef448ccdf8a8e1b81d42c700a2919a
SHA1 3596c64dbbcff03d7d7b11f85b9608101ae032c5
SHA256 a9d01ba9cdfffb4f0a6850144b31532aba507e2617ca46832f96a7d930003f1b
SHA512 9f330572dcccbb507cb52a536773dd367bc5d3cda164ce36a80b5f77ab511b2c466b19da9ac8d3ba269f8301326b04af21432d7f7f2bfb70dadf638621bb0fe5

C:\Windows\System\iIFWeUP.exe

MD5 3e75489ca1ced1979576060cc4699fcd
SHA1 bfe96d56ad83184caf1e9e174bc6b450de12c31e
SHA256 665a232de3c9fb5aef8c5ee890f60d03fc07a83d1897e2cc172ac3deeeb26c1d
SHA512 4f839fee1b7cd1831a38fd76990ea6268a48a3954c3cf983d5bb6e09bbe71509328af745aa24dcac93980f199f2dd98a519a00bf1d610b84f3c0457b2db196a1

C:\Windows\System\XVkxbEg.exe

MD5 52984192391bef3e8750343e9e0321f1
SHA1 ad31520c88493cc6c4ce9b4e355c900796576e71
SHA256 1cfe5be8216b4a557b719b20191547d7e448db722ce8d116aff88226e63357ad
SHA512 4f0250c85d18ecd49d9576d5a25f5a0aa6ba9eb96035cff3ed72798967a2187530ee6d164865197ef69ad8cf7a543f18d83df009a82715bc506e6d0e6e2d7b1b

memory/2088-76-0x00007FF718680000-0x00007FF7189D4000-memory.dmp

memory/3536-73-0x00007FF6BAFC0000-0x00007FF6BB314000-memory.dmp

memory/1256-69-0x00007FF765F40000-0x00007FF766294000-memory.dmp

memory/2764-64-0x00007FF7BAE20000-0x00007FF7BB174000-memory.dmp

C:\Windows\System\REGYcLM.exe

MD5 c123296e795e73df7fb89ef8ea1a013c
SHA1 7bf3c5bc6892aafafc90768d86c91ae7b4e7d3c7
SHA256 f95d2c3ee2beade243b0ff2ee42b9eff48b17916043776173b075ae400de6ebc
SHA512 ea086309dc1882bf556209af9ebdfed4082b63dbef613d6c4ca8888271c6b47af7540965ae10eaf95f5be44533b35dcddb1106cc184e9c4073d1a418d289bc42

memory/4880-22-0x00007FF762B50000-0x00007FF762EA4000-memory.dmp

C:\Windows\System\nKvrJwS.exe

MD5 a930b825c30f0d72ca768bba6a09e0ff
SHA1 4fded3b18346f2dff065b68d49a840be02f274f8
SHA256 0a6993d667c0e71a9e69aa278a61b2b69e168cc804cb2abf166973774dec85b8
SHA512 0f44b08f1be770e272f9adefe0ad819ac7163936262df2de113a62122c53bee3bf54c649da69ce534e0b2bb893d5b512ac359bc9cbdda5d701ca2f42b8075bf0

memory/5080-126-0x00007FF6D3040000-0x00007FF6D3394000-memory.dmp

memory/3796-125-0x00007FF7B3890000-0x00007FF7B3BE4000-memory.dmp

memory/3700-124-0x00007FF6C81F0000-0x00007FF6C8544000-memory.dmp

memory/3384-123-0x00007FF61E070000-0x00007FF61E3C4000-memory.dmp

memory/2540-127-0x00007FF61D6C0000-0x00007FF61DA14000-memory.dmp

memory/3368-129-0x00007FF6040E0000-0x00007FF604434000-memory.dmp

memory/4904-128-0x00007FF7D38C0000-0x00007FF7D3C14000-memory.dmp

memory/4952-130-0x00007FF7225A0000-0x00007FF7228F4000-memory.dmp

memory/1460-131-0x00007FF7A5F30000-0x00007FF7A6284000-memory.dmp

memory/60-132-0x00007FF62EBA0000-0x00007FF62EEF4000-memory.dmp

memory/2168-133-0x00007FF7E98F0000-0x00007FF7E9C44000-memory.dmp

memory/4472-134-0x00007FF7D0900000-0x00007FF7D0C54000-memory.dmp

memory/3384-135-0x00007FF61E070000-0x00007FF61E3C4000-memory.dmp

memory/4880-136-0x00007FF762B50000-0x00007FF762EA4000-memory.dmp

memory/4952-137-0x00007FF7225A0000-0x00007FF7228F4000-memory.dmp

memory/1460-138-0x00007FF7A5F30000-0x00007FF7A6284000-memory.dmp

memory/60-140-0x00007FF62EBA0000-0x00007FF62EEF4000-memory.dmp

memory/2764-139-0x00007FF7BAE20000-0x00007FF7BB174000-memory.dmp

memory/2088-141-0x00007FF718680000-0x00007FF7189D4000-memory.dmp

memory/4844-142-0x00007FF70B6D0000-0x00007FF70BA24000-memory.dmp

memory/1256-143-0x00007FF765F40000-0x00007FF766294000-memory.dmp

memory/3536-144-0x00007FF6BAFC0000-0x00007FF6BB314000-memory.dmp

memory/4564-145-0x00007FF655220000-0x00007FF655574000-memory.dmp

memory/2944-146-0x00007FF7539B0000-0x00007FF753D04000-memory.dmp

memory/2992-147-0x00007FF7C7200000-0x00007FF7C7554000-memory.dmp

memory/2168-148-0x00007FF7E98F0000-0x00007FF7E9C44000-memory.dmp

memory/3700-149-0x00007FF6C81F0000-0x00007FF6C8544000-memory.dmp

memory/3796-150-0x00007FF7B3890000-0x00007FF7B3BE4000-memory.dmp

memory/5080-151-0x00007FF6D3040000-0x00007FF6D3394000-memory.dmp

memory/2540-152-0x00007FF61D6C0000-0x00007FF61DA14000-memory.dmp

memory/4904-153-0x00007FF7D38C0000-0x00007FF7D3C14000-memory.dmp

memory/3368-154-0x00007FF6040E0000-0x00007FF604434000-memory.dmp