Malware Analysis Report

2025-01-22 19:36

Sample ID 240601-jvaafseg2w
Target a1ea4248d6ec9c946b53c6976251423e398f6577839f86a1f52e5b765699b460
SHA256 a1ea4248d6ec9c946b53c6976251423e398f6577839f86a1f52e5b765699b460
Tags
cobaltstrike xmrig 0 backdoor miner trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

a1ea4248d6ec9c946b53c6976251423e398f6577839f86a1f52e5b765699b460

Threat Level: Known bad

The file a1ea4248d6ec9c946b53c6976251423e398f6577839f86a1f52e5b765699b460 was found to be: Known bad.

Malicious Activity Summary

XMRig Miner payload

xmrig

Cobalt Strike reflective loader

Cobaltstrike family

Xmrig family

Cobaltstrike

Loads dropped DLL

Executes dropped EXE

UPX packed file

Drops file in Windows directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-01 07:58

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
(1 row; fields not rendered in this export)

Cobaltstrike family

cobaltstrike

XMRig Miner payload

miner
Description Indicator Process Target
(1 row; fields not rendered in this export)

Xmrig family

xmrig

UPX packed file

upx
Description Indicator Process Target
(1 row; fields not rendered in this export)

Unsigned PE

Description Indicator Process Target
(1 row; fields not rendered in this export)
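The two static verdicts above that do not depend on a signature database, "UPX packed file" and "Unsigned PE", can be reproduced offline from a handful of header fields. The Python below is an added example and not part of the sandbox's tooling: it walks the DOS header, COFF header, optional header and section table, lists the section names, flags the default UPX0/UPX1 section names, and checks whether the Authenticode security directory (data directory index 4) is populated. Because the sample itself is not embedded here, `build_sample_pe` constructs a header-only image for demonstration; its section names and directory values are made up. Two caveats a reviewer should keep in mind: section-name matching is a heuristic (a packer can rename sections), and a populated security directory only says a signature blob is attached, not that it verifies.

```python
import struct
import sys

IMAGE_DIRECTORY_ENTRY_SECURITY = 4  # Authenticode blob; stored as a file offset, not an RVA


def inspect_pe(data: bytes) -> dict:
    """Parse the PE headers and report architecture, section names,
    a UPX section-name hit and whether a security directory is present."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    _machine, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:          # PE32: NumberOfRvaAndSizes at +92, directories at +96
        arch, dd_count_off, dd_off = "PE32", 92, 96
    elif magic == 0x20B:        # PE32+: NumberOfRvaAndSizes at +108, directories at +112
        arch, dd_count_off, dd_off = "PE32+", 108, 112
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    dd_count = struct.unpack_from("<I", data, opt + dd_count_off)[0]
    sec_off = sec_size = 0
    if dd_count > IMAGE_DIRECTORY_ENTRY_SECURITY:
        sec_off, sec_size = struct.unpack_from(
            "<II", data, opt + dd_off + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)
    table = opt + opt_size      # section table follows the optional header
    sections = []
    for i in range(nsections):  # each IMAGE_SECTION_HEADER is 40 bytes, Name is the first 8
        raw = data[table + 40 * i: table + 40 * i + 8]
        sections.append(raw.rstrip(b"\0").decode("ascii", "replace"))
    return {
        "arch": arch,
        "sections": sections,
        # UPX names its sections UPX0/UPX1 by default; a renamed packer defeats
        # this check, so treat a miss as "not proven", not as "not packed".
        "upx_packed": any(s.upper().startswith("UPX") for s in sections),
        "has_authenticode": sec_off != 0 and sec_size != 0,
    }


def build_sample_pe(section_names, signed=False, pe32plus=True) -> bytes:
    """Constructed header-only PE image for demonstration; not a real binary."""
    opt_size = 240 if pe32plus else 224          # optional header with 16 data directories
    e_lfanew = 0x40
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C,
                       len(section_names), 0, 0, 0, opt_size, 0x22)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)
    dd_count_off, dd_off = (108, 112) if pe32plus else (92, 96)
    struct.pack_into("<I", opt, dd_count_off, 16)
    if signed:  # point the security directory at a fictional signature blob
        struct.pack_into("<II", opt, dd_off + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY, 0x1000, 0x800)
    sects = b"".join(n.encode("ascii").ljust(8, b"\0") + bytes(32) for n in section_names)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sects


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            print(inspect_pe(fh.read()))
    else:
        print(inspect_pe(build_sample_pe(["UPX0", "UPX1", ".rsrc"])))
```

Run it with a file path to inspect a real binary; without arguments it inspects the constructed UPX-style image.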

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-01 07:58

Reported

2024-06-01 08:01

Platform

win10v2004-20240508-en

Max time kernel

148s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a1ea4248d6ec9c946b53c6976251423e398f6577839f86a1f52e5b765699b460.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
(21 rows; fields not rendered in this export)

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
(64 rows; fields not rendered in this export)

UPX packed file

upx
Description Indicator Process Target
(64 rows; fields not rendered in this export)

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\uYTPwmv.exe C:\Users\Admin\AppData\Local\Temp\a1ea4248d6ec9c946b53c6976251423e398f6577839f86a1f52e5b765699b460.exe N/A
File created C:\Windows\System\XhMEMJV.exe C:\Users\Admin\AppData\Local\Temp\a1ea4248d6ec9c946b53c6976251423e398f6577839f86a1f52e5b765699b460.exe N/A
File created C:\Windows\System\kGiVVCD.exe C:\Users\Admin\AppData\Local\Temp\a1ea4248d6ec9c946b53c6976251423e398f6577839f86a1f52e5b765699b460.exe N/A
File created C:\Windows\System\TfoqopQ.exe C:\Users\Admin\AppData\Local\Temp\a1ea4248d6ec9c946b53c6976251423e398f6577839f86a1f52e5b765699b460.exe N/A
File created C:\Windows\System\jMwJUqd.exe C:\Users\Admin\AppData\Local\Temp\a1ea4248d6ec9c946b53c6976251423e398f6577839f86a1f52e5b765699b460.exe N/A
File created C:\Windows\System\cLMbUKI.exe C:\Users\Admin\AppData\Local\Temp\a1ea4248d6ec9c946b53c6976251423e398f6577839f86a1f52e5b765699b460.exe N/A
File created C:\Windows\System\zZEjaHp.exe C:\Users\Admin\AppData\Local\Temp\a1ea4248d6ec9c946b53c6976251423e398f6577839f86a1f52e5b765699b460.exe N/A
File created C:\Windows\System\ZxWEQRG.exe C:\Users\Admin\AppData\Local\Temp\a1ea4248d6ec9c946b53c6976251423e398f6577839f86a1f52e5b765699b460.exe N/A
File created C:\Windows\System\oxhFMXU.exe C:\Users\Admin\AppData\Local\Temp\a1ea4248d6ec9c946b53c6976251423e398f6577839f86a1f52e5b765699b460.exe N/A
File created C:\Windows\System\WqmfZcN.exe C:\Users\Admin\AppData\Local\Temp\a1ea4248d6ec9c946b53c6976251423e398f6577839f86a1f52e5b765699b460.exe N/A
File created C:\Windows\System\fqkorfq.exe C:\Users\Admin\AppData\Local\Temp\a1ea4248d6ec9c946b53c6976251423e398f6577839f86a1f52e5b765699b460.exe N/A
File created C:\Windows\System\hIcwodA.exe C:\Users\Admin\AppData\Local\Temp\a1ea4248d6ec9c946b53c6976251423e398f6577839f86a1f52e5b765699b460.exe N/A
File created C:\Windows\System\LynGdmX.exe C:\Users\Admin\AppData\Local\Temp\a1ea4248d6ec9c946b53c6976251423e398f6577839f86a1f52e5b765699b460.exe N/A
File created C:\Windows\System\xUnMnxQ.exe C:\Users\Admin\AppData\Local\Temp\a1ea4248d6ec9c946b53c6976251423e398f6577839f86a1f52e5b765699b460.exe N/A
File created C:\Windows\System\YCEzDDb.exe C:\Users\Admin\AppData\Local\Temp\a1ea4248d6ec9c946b53c6976251423e398f6577839f86a1f52e5b765699b460.exe N/A
File created C:\Windows\System\fCTcsmk.exe C:\Users\Admin\AppData\Local\Temp\a1ea4248d6ec9c946b53c6976251423e398f6577839f86a1f52e5b765699b460.exe N/A
File created C:\Windows\System\LIrHUfP.exe C:\Users\Admin\AppData\Local\Temp\a1ea4248d6ec9c946b53c6976251423e398f6577839f86a1f52e5b765699b460.exe N/A
File created C:\Windows\System\CGDpPTk.exe C:\Users\Admin\AppData\Local\Temp\a1ea4248d6ec9c946b53c6976251423e398f6577839f86a1f52e5b765699b460.exe N/A
File created C:\Windows\System\DynDPzK.exe C:\Users\Admin\AppData\Local\Temp\a1ea4248d6ec9c946b53c6976251423e398f6577839f86a1f52e5b765699b460.exe N/A
File created C:\Windows\System\lUKebSW.exe C:\Users\Admin\AppData\Local\Temp\a1ea4248d6ec9c946b53c6976251423e398f6577839f86a1f52e5b765699b460.exe N/A
File created C:\Windows\System\pSGjtXk.exe C:\Users\Admin\AppData\Local\Temp\a1ea4248d6ec9c946b53c6976251423e398f6577839f86a1f52e5b765699b460.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a1ea4248d6ec9c946b53c6976251423e398f6577839f86a1f52e5b765699b460.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a1ea4248d6ec9c946b53c6976251423e398f6577839f86a1f52e5b765699b460.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 668 wrote to memory of 3016 N/A C:\Users\Admin\AppData\Local\Temp\a1ea4248d6ec9c946b53c6976251423e398f6577839f86a1f52e5b765699b460.exe C:\Windows\System\XhMEMJV.exe
PID 668 wrote to memory of 3016 N/A C:\Users\Admin\AppData\Local\Temp\a1ea4248d6ec9c946b53c6976251423e398f6577839f86a1f52e5b765699b460.exe C:\Windows\System\XhMEMJV.exe
PID 668 wrote to memory of 224 N/A C:\Users\Admin\AppData\Local\Temp\a1ea4248d6ec9c946b53c6976251423e398f6577839f86a1f52e5b765699b460.exe C:\Windows\System\LynGdmX.exe
PID 668 wrote to memory of 224 N/A C:\Users\Admin\AppData\Local\Temp\a1ea4248d6ec9c946b53c6976251423e398f6577839f86a1f52e5b765699b460.exe C:\Windows\System\LynGdmX.exe
PID 668 wrote to memory of 4472 N/A C:\Users\Admin\AppData\Local\Temp\a1ea4248d6ec9c946b53c6976251423e398f6577839f86a1f52e5b765699b460.exe C:\Windows\System\CGDpPTk.exe
PID 668 wrote to memory of 4472 N/A C:\Users\Admin\AppData\Local\Temp\a1ea4248d6ec9c946b53c6976251423e398f6577839f86a1f52e5b765699b460.exe C:\Windows\System\CGDpPTk.exe
PID 668 wrote to memory of 5064 N/A C:\Users\Admin\AppData\Local\Temp\a1ea4248d6ec9c946b53c6976251423e398f6577839f86a1f52e5b765699b460.exe C:\Windows\System\ZxWEQRG.exe
PID 668 wrote to memory of 5064 N/A C:\Users\Admin\AppData\Local\Temp\a1ea4248d6ec9c946b53c6976251423e398f6577839f86a1f52e5b765699b460.exe C:\Windows\System\ZxWEQRG.exe
PID 668 wrote to memory of 2324 N/A C:\Users\Admin\AppData\Local\Temp\a1ea4248d6ec9c946b53c6976251423e398f6577839f86a1f52e5b765699b460.exe C:\Windows\System\kGiVVCD.exe
PID 668 wrote to memory of 2324 N/A C:\Users\Admin\AppData\Local\Temp\a1ea4248d6ec9c946b53c6976251423e398f6577839f86a1f52e5b765699b460.exe C:\Windows\System\kGiVVCD.exe
PID 668 wrote to memory of 1484 N/A C:\Users\Admin\AppData\Local\Temp\a1ea4248d6ec9c946b53c6976251423e398f6577839f86a1f52e5b765699b460.exe C:\Windows\System\TfoqopQ.exe
PID 668 wrote to memory of 1484 N/A C:\Users\Admin\AppData\Local\Temp\a1ea4248d6ec9c946b53c6976251423e398f6577839f86a1f52e5b765699b460.exe C:\Windows\System\TfoqopQ.exe
PID 668 wrote to memory of 2428 N/A C:\Users\Admin\AppData\Local\Temp\a1ea4248d6ec9c946b53c6976251423e398f6577839f86a1f52e5b765699b460.exe C:\Windows\System\oxhFMXU.exe
PID 668 wrote to memory of 2428 N/A C:\Users\Admin\AppData\Local\Temp\a1ea4248d6ec9c946b53c6976251423e398f6577839f86a1f52e5b765699b460.exe C:\Windows\System\oxhFMXU.exe
PID 668 wrote to memory of 4776 N/A C:\Users\Admin\AppData\Local\Temp\a1ea4248d6ec9c946b53c6976251423e398f6577839f86a1f52e5b765699b460.exe C:\Windows\System\xUnMnxQ.exe
PID 668 wrote to memory of 4776 N/A C:\Users\Admin\AppData\Local\Temp\a1ea4248d6ec9c946b53c6976251423e398f6577839f86a1f52e5b765699b460.exe C:\Windows\System\xUnMnxQ.exe
PID 668 wrote to memory of 1060 N/A C:\Users\Admin\AppData\Local\Temp\a1ea4248d6ec9c946b53c6976251423e398f6577839f86a1f52e5b765699b460.exe C:\Windows\System\YCEzDDb.exe
PID 668 wrote to memory of 1060 N/A C:\Users\Admin\AppData\Local\Temp\a1ea4248d6ec9c946b53c6976251423e398f6577839f86a1f52e5b765699b460.exe C:\Windows\System\YCEzDDb.exe
PID 668 wrote to memory of 2568 N/A C:\Users\Admin\AppData\Local\Temp\a1ea4248d6ec9c946b53c6976251423e398f6577839f86a1f52e5b765699b460.exe C:\Windows\System\DynDPzK.exe
PID 668 wrote to memory of 2568 N/A C:\Users\Admin\AppData\Local\Temp\a1ea4248d6ec9c946b53c6976251423e398f6577839f86a1f52e5b765699b460.exe C:\Windows\System\DynDPzK.exe
PID 668 wrote to memory of 2904 N/A C:\Users\Admin\AppData\Local\Temp\a1ea4248d6ec9c946b53c6976251423e398f6577839f86a1f52e5b765699b460.exe C:\Windows\System\jMwJUqd.exe
PID 668 wrote to memory of 2904 N/A C:\Users\Admin\AppData\Local\Temp\a1ea4248d6ec9c946b53c6976251423e398f6577839f86a1f52e5b765699b460.exe C:\Windows\System\jMwJUqd.exe
PID 668 wrote to memory of 5044 N/A C:\Users\Admin\AppData\Local\Temp\a1ea4248d6ec9c946b53c6976251423e398f6577839f86a1f52e5b765699b460.exe C:\Windows\System\WqmfZcN.exe
PID 668 wrote to memory of 5044 N/A C:\Users\Admin\AppData\Local\Temp\a1ea4248d6ec9c946b53c6976251423e398f6577839f86a1f52e5b765699b460.exe C:\Windows\System\WqmfZcN.exe
PID 668 wrote to memory of 5092 N/A C:\Users\Admin\AppData\Local\Temp\a1ea4248d6ec9c946b53c6976251423e398f6577839f86a1f52e5b765699b460.exe C:\Windows\System\cLMbUKI.exe
PID 668 wrote to memory of 5092 N/A C:\Users\Admin\AppData\Local\Temp\a1ea4248d6ec9c946b53c6976251423e398f6577839f86a1f52e5b765699b460.exe C:\Windows\System\cLMbUKI.exe
PID 668 wrote to memory of 4792 N/A C:\Users\Admin\AppData\Local\Temp\a1ea4248d6ec9c946b53c6976251423e398f6577839f86a1f52e5b765699b460.exe C:\Windows\System\fCTcsmk.exe
PID 668 wrote to memory of 4792 N/A C:\Users\Admin\AppData\Local\Temp\a1ea4248d6ec9c946b53c6976251423e398f6577839f86a1f52e5b765699b460.exe C:\Windows\System\fCTcsmk.exe
PID 668 wrote to memory of 4532 N/A C:\Users\Admin\AppData\Local\Temp\a1ea4248d6ec9c946b53c6976251423e398f6577839f86a1f52e5b765699b460.exe C:\Windows\System\uYTPwmv.exe
PID 668 wrote to memory of 4532 N/A C:\Users\Admin\AppData\Local\Temp\a1ea4248d6ec9c946b53c6976251423e398f6577839f86a1f52e5b765699b460.exe C:\Windows\System\uYTPwmv.exe
PID 668 wrote to memory of 2580 N/A C:\Users\Admin\AppData\Local\Temp\a1ea4248d6ec9c946b53c6976251423e398f6577839f86a1f52e5b765699b460.exe C:\Windows\System\fqkorfq.exe
PID 668 wrote to memory of 2580 N/A C:\Users\Admin\AppData\Local\Temp\a1ea4248d6ec9c946b53c6976251423e398f6577839f86a1f52e5b765699b460.exe C:\Windows\System\fqkorfq.exe
PID 668 wrote to memory of 1036 N/A C:\Users\Admin\AppData\Local\Temp\a1ea4248d6ec9c946b53c6976251423e398f6577839f86a1f52e5b765699b460.exe C:\Windows\System\hIcwodA.exe
PID 668 wrote to memory of 1036 N/A C:\Users\Admin\AppData\Local\Temp\a1ea4248d6ec9c946b53c6976251423e398f6577839f86a1f52e5b765699b460.exe C:\Windows\System\hIcwodA.exe
PID 668 wrote to memory of 1600 N/A C:\Users\Admin\AppData\Local\Temp\a1ea4248d6ec9c946b53c6976251423e398f6577839f86a1f52e5b765699b460.exe C:\Windows\System\lUKebSW.exe
PID 668 wrote to memory of 1600 N/A C:\Users\Admin\AppData\Local\Temp\a1ea4248d6ec9c946b53c6976251423e398f6577839f86a1f52e5b765699b460.exe C:\Windows\System\lUKebSW.exe
PID 668 wrote to memory of 4868 N/A C:\Users\Admin\AppData\Local\Temp\a1ea4248d6ec9c946b53c6976251423e398f6577839f86a1f52e5b765699b460.exe C:\Windows\System\zZEjaHp.exe
PID 668 wrote to memory of 4868 N/A C:\Users\Admin\AppData\Local\Temp\a1ea4248d6ec9c946b53c6976251423e398f6577839f86a1f52e5b765699b460.exe C:\Windows\System\zZEjaHp.exe
PID 668 wrote to memory of 1184 N/A C:\Users\Admin\AppData\Local\Temp\a1ea4248d6ec9c946b53c6976251423e398f6577839f86a1f52e5b765699b460.exe C:\Windows\System\pSGjtXk.exe
PID 668 wrote to memory of 1184 N/A C:\Users\Admin\AppData\Local\Temp\a1ea4248d6ec9c946b53c6976251423e398f6577839f86a1f52e5b765699b460.exe C:\Windows\System\pSGjtXk.exe
PID 668 wrote to memory of 1956 N/A C:\Users\Admin\AppData\Local\Temp\a1ea4248d6ec9c946b53c6976251423e398f6577839f86a1f52e5b765699b460.exe C:\Windows\System\LIrHUfP.exe
PID 668 wrote to memory of 1956 N/A C:\Users\Admin\AppData\Local\Temp\a1ea4248d6ec9c946b53c6976251423e398f6577839f86a1f52e5b765699b460.exe C:\Windows\System\LIrHUfP.exe
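The three tables above describe one chain: the parent (PID 668) writes 21 executables with seven-letter mixed-case names into C:\Windows\System, a legacy directory that is normally empty on current Windows, launches each one (the paired WriteProcessMemory events are the parent populating each new child), and enables SeLockMemoryPrivilege. XMRig requests that privilege on Windows to back its scratchpad with large pages, so a privilege adjustment to SeLockMemoryPrivilege in a process that is not a database engine or a known service is a strong secondary indicator next to the drop-and-execute pattern. The Python below is an added example, not the sandbox's own detection logic: it correlates constructed events in a Sysmon-like layout (EventID 11 FileCreate, EventID 1 ProcessCreate) with a Windows Security 4703 "user right adjusted" record. The paths and PIDs come from the report; the event dictionaries, their field names and the benign control events are assumptions of this example.

```python
import re
from collections import defaultdict

RANDOM_EXE = re.compile(r"^[A-Za-z]{7}\.exe$")   # seven letters, as in the dropped names above
LEGACY_SYSTEM_DIR = "c:\\windows\\system\\"     # C:\Windows\System, not System32

DROPPER = r"C:\Users\Admin\AppData\Local\Temp\a1ea4248d6ec9c946b53c6976251423e398f6577839f86a1f52e5b765699b460.exe"

# Constructed events (example data; the Sysmon-like layout is assumed by this example).
EVENTS = [
    {"EventID": 11, "ProcessId": 668, "Image": DROPPER, "TargetFilename": r"C:\Windows\System\XhMEMJV.exe"},
    {"EventID": 11, "ProcessId": 668, "Image": DROPPER, "TargetFilename": r"C:\Windows\System\LynGdmX.exe"},
    {"EventID": 1, "ProcessId": 3016, "ParentProcessId": 668, "Image": r"C:\Windows\System\XhMEMJV.exe"},
    {"EventID": 1, "ProcessId": 224, "ParentProcessId": 668, "Image": r"C:\Windows\System\LynGdmX.exe"},
    {"EventID": 4703, "ProcessId": 668, "ProcessName": DROPPER, "EnabledPrivilegeList": "SeLockMemoryPrivilege"},
    # benign control (constructed): an installer writing a normally named driver into System32
    {"EventID": 11, "ProcessId": 900, "Image": r"C:\Windows\System32\msiexec.exe",
     "TargetFilename": r"C:\Windows\System32\drivers\vendor.sys"},
    {"EventID": 1, "ProcessId": 901, "ParentProcessId": 900, "Image": r"C:\Windows\System32\drvinst.exe"},
]


def is_legacy_system_drop(path: str) -> bool:
    """True for a randomly named .exe written directly into C:\\Windows\\System."""
    if not path.lower().startswith(LEGACY_SYSTEM_DIR):
        return False
    name = path[len(LEGACY_SYSTEM_DIR):]
    return "\\" not in name and RANDOM_EXE.match(name) is not None


def correlate(events):
    """Group suspicious drops by dropper PID and score each dropper:
    +1 for the drops, +1 if it then executed them, +1 if it enabled SeLockMemoryPrivilege."""
    dropped = defaultdict(set)    # dropper pid -> lower-cased dropped paths
    executed = defaultdict(set)   # dropper pid -> dropped paths it later ran as children
    lockmem = set()               # pids that enabled SeLockMemoryPrivilege
    for ev in events:
        eid = ev["EventID"]
        if eid == 11 and is_legacy_system_drop(ev["TargetFilename"]):
            dropped[ev["ProcessId"]].add(ev["TargetFilename"].lower())
        elif eid == 1:
            parent, image = ev.get("ParentProcessId"), ev["Image"].lower()
            if parent in dropped and image in dropped[parent]:
                executed[parent].add(image)
        elif eid == 4703 and "SeLockMemoryPrivilege" in ev.get("EnabledPrivilegeList", ""):
            lockmem.add(ev["ProcessId"])
    findings = []
    for pid, paths in dropped.items():
        ran = sorted(executed.get(pid, ()))
        findings.append({
            "pid": pid,
            "dropped": sorted(paths),
            "executed": ran,
            "lock_memory": pid in lockmem,
            "score": 1 + (1 if ran else 0) + (1 if pid in lockmem else 0),
        })
    return sorted(findings, key=lambda f: -f["score"])


if __name__ == "__main__":
    for f in correlate(EVENTS):
        print(f"pid {f['pid']} score {f['score']}/3 dropped={len(f['dropped'])} "
              f"executed={len(f['executed'])} SeLockMemoryPrivilege={f['lock_memory']}")
```

The benign control events never match because msiexec writes a conventionally named file into System32, not into the legacy System directory; the score only reaches 3 when all three behaviours come from the same PID, which is what the report shows for 668.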

Processes

C:\Users\Admin\AppData\Local\Temp\a1ea4248d6ec9c946b53c6976251423e398f6577839f86a1f52e5b765699b460.exe

"C:\Users\Admin\AppData\Local\Temp\a1ea4248d6ec9c946b53c6976251423e398f6577839f86a1f52e5b765699b460.exe"

C:\Windows\System\XhMEMJV.exe

C:\Windows\System\XhMEMJV.exe

C:\Windows\System\LynGdmX.exe

C:\Windows\System\LynGdmX.exe

C:\Windows\System\CGDpPTk.exe

C:\Windows\System\CGDpPTk.exe

C:\Windows\System\ZxWEQRG.exe

C:\Windows\System\ZxWEQRG.exe

C:\Windows\System\kGiVVCD.exe

C:\Windows\System\kGiVVCD.exe

C:\Windows\System\TfoqopQ.exe

C:\Windows\System\TfoqopQ.exe

C:\Windows\System\oxhFMXU.exe

C:\Windows\System\oxhFMXU.exe

C:\Windows\System\xUnMnxQ.exe

C:\Windows\System\xUnMnxQ.exe

C:\Windows\System\YCEzDDb.exe

C:\Windows\System\YCEzDDb.exe

C:\Windows\System\DynDPzK.exe

C:\Windows\System\DynDPzK.exe

C:\Windows\System\jMwJUqd.exe

C:\Windows\System\jMwJUqd.exe

C:\Windows\System\WqmfZcN.exe

C:\Windows\System\WqmfZcN.exe

C:\Windows\System\cLMbUKI.exe

C:\Windows\System\cLMbUKI.exe

C:\Windows\System\fCTcsmk.exe

C:\Windows\System\fCTcsmk.exe

C:\Windows\System\uYTPwmv.exe

C:\Windows\System\uYTPwmv.exe

C:\Windows\System\fqkorfq.exe

C:\Windows\System\fqkorfq.exe

C:\Windows\System\hIcwodA.exe

C:\Windows\System\hIcwodA.exe

C:\Windows\System\lUKebSW.exe

C:\Windows\System\lUKebSW.exe

C:\Windows\System\zZEjaHp.exe

C:\Windows\System\zZEjaHp.exe

C:\Windows\System\pSGjtXk.exe

C:\Windows\System\pSGjtXk.exe

C:\Windows\System\LIrHUfP.exe

C:\Windows\System\LIrHUfP.exe

Network

Of the connections below, only the six TCP connections to 3.120.209.58:8080 have no DNS name and no preceding lookup (the address appears in no forward or reverse DNS row), so that is the destination to treat as the sample's own traffic. The 8.8.8.8:53 reverse (in-addr.arpa) lookups and the bing.com / bing.net traffic are consistent with guest-OS background activity on the Windows 10 image rather than with the sample.

Country Destination Domain Proto
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 91.90.14.23.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
NL 23.62.61.155:443 www.bing.com tcp
US 8.8.8.8:53 155.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 140.71.91.104.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 89.16.208.104.in-addr.arpa udp
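Turning the Network table into indicators starts with separating the sample's traffic from sandbox background. The Python below is an added example and not the sandbox's tooling: it embeds the rows of the table above, discards the resolver reverse lookups and the Bing/Microsoft traffic a Windows 10 guest generates on its own, counts what remains, and recovers the IPs the guest reverse-resolved so you can confirm that 3.120.209.58 never received a lookup (the sample connected to a hard-coded address). The benign-domain allowlist is an assumption of this example; extend it to match your own sandbox image.

```python
from collections import Counter

# Rows of the behavioral2 Network table: (country, destination, domain, proto).
# Connections with no DNS name carry an empty domain.
NETWORK_ROWS = [
    ("US", "8.8.8.8:53", "209.205.72.20.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "91.90.14.23.in-addr.arpa", "udp"),
    ("DE", "3.120.209.58:8080", "", "tcp"),
    ("US", "8.8.8.8:53", "28.118.140.52.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "g.bing.com", "udp"),
    ("US", "204.79.197.237:443", "g.bing.com", "tcp"),
    ("US", "8.8.8.8:53", "237.197.79.204.in-addr.arpa", "udp"),
    ("NL", "23.62.61.155:443", "www.bing.com", "tcp"),
    ("US", "8.8.8.8:53", "155.61.62.23.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "26.35.223.20.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "241.150.49.20.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "86.23.85.13.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "18.31.95.13.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "140.71.91.104.in-addr.arpa", "udp"),
    ("DE", "3.120.209.58:8080", "", "tcp"),
    ("US", "8.8.8.8:53", "172.210.232.199.in-addr.arpa", "udp"),
    ("DE", "3.120.209.58:8080", "", "tcp"),
    ("US", "8.8.8.8:53", "55.36.223.20.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "240.221.184.93.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "31.243.111.52.in-addr.arpa", "udp"),
    ("DE", "3.120.209.58:8080", "", "tcp"),
    ("US", "8.8.8.8:53", "tse1.mm.bing.net", "udp"),
    ("US", "204.79.197.200:443", "tse1.mm.bing.net", "tcp"),
    ("US", "204.79.197.200:443", "tse1.mm.bing.net", "tcp"),
    ("US", "204.79.197.200:443", "tse1.mm.bing.net", "tcp"),
    ("US", "204.79.197.200:443", "tse1.mm.bing.net", "tcp"),
    ("DE", "3.120.209.58:8080", "", "tcp"),
    ("DE", "3.120.209.58:8080", "", "tcp"),
    ("US", "8.8.8.8:53", "89.16.208.104.in-addr.arpa", "udp"),
]

RESOLVER = "8.8.8.8:53"
# Assumed allowlist of guest-OS background domains (Windows 10 search / Bing).
BENIGN_DOMAINS = ("bing.com", "bing.net")


def is_background(dest: str, domain: str) -> bool:
    """Reverse lookups the guest issues for peers it saw, and allowlisted domains."""
    if domain.endswith(".in-addr.arpa"):
        return dest == RESOLVER
    return any(domain == d or domain.endswith("." + d) for d in BENIGN_DOMAINS)


def sample_destinations(rows):
    """Connections left after removing background noise, most frequent first."""
    counts = Counter()
    for country, dest, domain, proto in rows:
        if not is_background(dest, domain):
            counts[(dest, proto, country)] += 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


def reverse_lookups(rows):
    """IPs the guest reverse-resolved, rebuilt from the in-addr.arpa names."""
    ips = set()
    for _, dest, domain, _ in rows:
        if dest == RESOLVER and domain.endswith(".in-addr.arpa"):
            octets = domain[: -len(".in-addr.arpa")].split(".")
            ips.add(".".join(reversed(octets)))
    return ips


if __name__ == "__main__":
    for (dest, proto, country), n in sample_destinations(NETWORK_ROWS):
        print(f"{dest:22} {proto} {country} x{n}")
    print("reverse-resolved by guest:", sorted(reverse_lookups(NETWORK_ROWS)))
```

Reverse lookups are worth keeping even though they are noise: each in-addr.arpa name is an address the guest actually talked to, so the set they decode to is a second list of peers that can be cross-checked against the connection rows.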

Files

All 21 executables dropped into C:\Windows\System carry different hashes, but every one of them maps an image of exactly 0x354000 bytes, the same size as the parent's own image at 0x00007FF722AC0000 (compare the start and end of each memory range below). Identical image size with distinct hashes is consistent with per-drop variation of a single payload rather than 21 different programs; the hashes below are therefore weak indicators on their own, while the drop location, name pattern and image size generalise.

memory/668-0-0x00007FF722AC0000-0x00007FF722E14000-memory.dmp

memory/668-1-0x000001EE271E0000-0x000001EE271F0000-memory.dmp

C:\Windows\System\XhMEMJV.exe

MD5 4428f349f3bcfedd5c226f186649c0a4
SHA1 0ea3ceacd4f4bb562d756ef160593b0780cf2b3a
SHA256 a1a3ba87266187c08e13c09b3fea11186f6d615c09d02a06b2f592bcb92e22f2
SHA512 d6d4ff8168089ad223845247f618902c18d2dcf653673b433ad4fdc9ac7cfd0528568dc3e1fd461741dc087023b7a55d226df9154b744efe36bd83f50ce99d65

memory/3016-8-0x00007FF623E90000-0x00007FF6241E4000-memory.dmp

C:\Windows\System\LynGdmX.exe

MD5 6e98bf200e05462e4fb227966a54ae33
SHA1 2f6e4a5e71caf24cb6d57b7ad9a9f613641411c1
SHA256 fcbd5f34186b6f419b64f6eeedf3d375edd41760b5cce1f5c0687b58c3e51655
SHA512 6fc1019df906e5103b1b54c1d1bd29110675891e72dc08f74dbb771e035ada355b8e807aa3de5ea467ce222d7e1a4f57d99671798825ca61dd03c6b438601af2

C:\Windows\System\ZxWEQRG.exe

MD5 666f1d6fc6dda484be31704c47c36377
SHA1 95a6f93e57befbab3c5440f7586a61def51e7458
SHA256 72e0bc9e0c92813164a7c19049a986ce4ead1fd4b45f5b3345ac7913034c5ead
SHA512 b3078d7979a8ade5bca8385c676b5e52e84e5903c984a382028b1b2fd4eb07b461fc13a3980062c01290d16c1c91b09d2282f0e316b7e721bbe31294a7d00486

C:\Windows\System\CGDpPTk.exe

MD5 ec455ec3b40e55f3d70d4942674bd6d8
SHA1 3c1e8c13cb1807620efb1c23b9c8208919fbe211
SHA256 e8cf8ab5a07a28da8bd64bb88c95b20fa8cafa9f340ce0e53dcaeb438ab9dae2
SHA512 40ce553526e46dcff0d7ea0e685ae5d98370662c39ce30b74423b0eae2f1ef7383dc2f45202d3d05cb201ecc431c92f59b8b4bcb9f5edfc8eb391b50db673b28

C:\Windows\System\kGiVVCD.exe

MD5 cdb4080aaf9494288fee03408a925579
SHA1 b6c13b6911822e46db15998984d2644ce0e9f167
SHA256 359d63827d05bbd34e46b5c281c3112dfcc59818c84f9b0c11f2116b69eee76e
SHA512 f0f06e1923fa01e9f3e136937c50f606fd3d723b83b859b0940ad41172d715198d72e4aeb4b31f2c84fb49cd92fbbb1eae68c4f2bc5622b8f5205cff5260a0e3

C:\Windows\System\TfoqopQ.exe

MD5 fe026ddb0b7fb81db7711c607c432017
SHA1 8785c191f6573542bef299ea6f6048c61996847b
SHA256 48655dc68912813f7a378ebfcf131e3517383ee845fb9b228b1fc7b0eac3d5c7
SHA512 436c1913eb4a677aedfa6a1c8305191ec516468eefaa840a1f02bc69b4f995ae6294f4093cb7b8140e1d722aa1ceb9b8db3c57b2ef1d99aa60e240ca1614c835

memory/1484-36-0x00007FF729180000-0x00007FF7294D4000-memory.dmp

memory/2324-30-0x00007FF721070000-0x00007FF7213C4000-memory.dmp

memory/5064-26-0x00007FF756040000-0x00007FF756394000-memory.dmp

memory/4472-21-0x00007FF662010000-0x00007FF662364000-memory.dmp

memory/224-19-0x00007FF787AF0000-0x00007FF787E44000-memory.dmp

C:\Windows\System\oxhFMXU.exe

MD5 02bb371e4611d92839ba11bbc71fa784
SHA1 80940dec226b824384d1eac61dd3530e863079a2
SHA256 24c844ffa9d7e1e252da1d3abffc8722093c57c00dd98df166bc24ed174150f2
SHA512 e72e6168fcba211a35b6215686d329779e45d38e3d39ae98ee0be276c0939a6627b7562faf93d1563840ce9528823104197463baf67074198cefbdeef8fcf680

memory/2428-42-0x00007FF62D800000-0x00007FF62DB54000-memory.dmp

C:\Windows\System\YCEzDDb.exe

MD5 b62914619d5ab29baf65e2a1212538d1
SHA1 3e68e7161288bac100ed9ec31884e55e19a8ef72
SHA256 0ea5b35dbd7bc5e1d9ab62fdb20a6a72dd62c054071a74b9ed28455a4d18b1bf
SHA512 62cf7edaba0432c4fc0a6a8a3b88fcb09eac56a728307d4f99e194daa93dfd93b71e003b21df460708bf3d63f92bc22cb15c7643ffbacf4723f1ff5ae311de39

C:\Windows\System\DynDPzK.exe

MD5 24ce87b5923640e79dbcd4b8aa7dc379
SHA1 855c0373a285b148cb755998983894c7927a3a0d
SHA256 798a9a0ab38d38b431d9a35b3f9adac36b13df43f33c7550002de94b59cbfad9
SHA512 4141efccc0d173a27bba5db8373da0c8bb929a778e7f08da9a8ee761784e53842a30b76c397f75013bf604830435c4fe2885f90dd5e20e02931151cf104bad05

C:\Windows\System\jMwJUqd.exe

MD5 6aceb2771342f021992ca96096ab92f2
SHA1 32081b5960cd8b909be9b419f869a30815de79dc
SHA256 7399a16ad6cf5666ba3791105ad0c8c9fa5c5795522eb71d490e6d9016239417
SHA512 a62a933de21126d4a9ed4088f95707735ac5b3ba8a62fa9567fdecf4b8ca5b72e30e366d2e18a92be0cb1d21d7b9ad400af4fad6310de273bfb7a03902003288

C:\Windows\System\WqmfZcN.exe

MD5 ef6e82236ef21f40ba20666d1070d608
SHA1 e1ec607b93707573e20393d419e83aad020c90b5
SHA256 5f83f7ac9998012d5b59d574b213c8ea9528428361e969d6570b8f1c56a5c6a8
SHA512 c66dca47943b7b3a85551b80612339493865c9ce01eb3dea6120466e330508746616af40be161c204e6e4747db6f4d69d0f14599a210db3b5040474aa6e542b5

C:\Windows\System\cLMbUKI.exe

MD5 0db7ef6680f114486bf65c650935b849
SHA1 c7a2018863d03bea1b8cdb81e1501c8b842269a6
SHA256 bc79a5759be2392229febd8103faa3f37926d59973c1fea028c737cd02dfcf4e
SHA512 f5dcc2346d89748b67b15f76a50f0cfb0276038b53bb7bb1b465852f2f8de27843420ce8e6a5a1495a24f1e4c441a918b73aff3f46818db5da83d98dd602879e

memory/5044-93-0x00007FF74F2E0000-0x00007FF74F634000-memory.dmp

C:\Windows\System\pSGjtXk.exe

MD5 7a7334045611d10b5fce873a5c3bba3e
SHA1 b4556c66abf9164730920950378de11fd5b21b7c
SHA256 2083af36f9e1b0ebbb40c87f679cd6e9c8a9f314a0a83528909e7aa05560e402
SHA512 6de66b8f3668afd543c3d4d865fb884543926860a8b6aa441c723f767bffb1fb3cdc33801f8404e4fd46b1058e380a550aae3afe95feeb626f1f757c42467337

C:\Windows\System\zZEjaHp.exe

MD5 a05194d4cfcf7d4a611424f66040f8f4
SHA1 783c42097e7da37e428045712378b1bf1e62c566
SHA256 0a30bb4363276ab4c49aaf577b3cf82f06e9235ef4789c66386f9dc65c15028f
SHA512 c4e7ba1424a54a7718f6a858ee0ad8eb02ac10aadd3e33b88bd3a2496129ca665a696e3054d0c5de37af449b5cd7e2dee16c337f9c3011716ae96a0af06a8e3a

memory/668-121-0x00007FF722AC0000-0x00007FF722E14000-memory.dmp

memory/1184-127-0x00007FF6F9100000-0x00007FF6F9454000-memory.dmp

memory/1956-128-0x00007FF6A0D10000-0x00007FF6A1064000-memory.dmp

memory/1036-126-0x00007FF6193B0000-0x00007FF619704000-memory.dmp

C:\Windows\System\LIrHUfP.exe

MD5 24e2159a1eef3e310502ae3b89b6dd7c
SHA1 de8d78d51c3a882bf430ef33c4a2237efa2000e8
SHA256 764f6b3aa7f7278f1e0b9b532261221c770834be1729c1e73d5e39abb100e655
SHA512 f58e392fd1ea29625766b731508b534eabec4640358c17e760107633941ffaddcc204d806a6de897b1aaf5e8ff5c9649dd1a66d693801273ead70b501effe69e

memory/5092-123-0x00007FF623E20000-0x00007FF624174000-memory.dmp

memory/2904-122-0x00007FF61AD40000-0x00007FF61B094000-memory.dmp

memory/4868-120-0x00007FF6DD460000-0x00007FF6DD7B4000-memory.dmp

memory/1600-119-0x00007FF659770000-0x00007FF659AC4000-memory.dmp

memory/2580-114-0x00007FF6788F0000-0x00007FF678C44000-memory.dmp

C:\Windows\System\lUKebSW.exe

MD5 19fc56cef76b96919e1e12a7ec97f7a5
SHA1 b3ac2cf72bc3d6d260ad21dde57e87e6dde70975
SHA256 43938a27c3b94497444f7375360d96e76d7fca4933280757f1727c83f53e2581
SHA512 cfa5f3d972f916a77959e7ef14724d4bf3e4cdb1e170191e958b65765bf78f8c1a9576b391597f04b167280762dfb4383ad02d34166b2fe1ccca87e0b6a57feb

C:\Windows\System\hIcwodA.exe

MD5 c27d55378fc58597e9acb56da42de778
SHA1 6881944afebec77921f574ef62d04c6bad085446
SHA256 80fe67420ab8ec0ea3e1b659e67e43be1584771d1ea8cd2542b49b052d88e811
SHA512 73fba597ab599176604b62a16fafd447af505b991c783506b16d88facf652876e82cf5c49a93241908be3e96ad61e8fac53d7442346a0aaf1231bdf469c2f962

memory/4532-108-0x00007FF7960A0000-0x00007FF7963F4000-memory.dmp

memory/4792-105-0x00007FF62A920000-0x00007FF62AC74000-memory.dmp

C:\Windows\System\uYTPwmv.exe

MD5 060c9fa9836472850a909aff1d76dde1
SHA1 8e1203ccf6096e6130cf1d83238fc863af42757a
SHA256 9abbcb4d80a907d4c5b8830234be778081a7051c8f7f6a1c1566206a525d263a
SHA512 836a60c75bca3094b7a2d93c1d4efa3d77c7ffb5899a85cae3b58d16a608d4bfaa414e4732138c361852b20ac1242809f87b7e61a7f992917b8fa3c0113d396a

C:\Windows\System\fqkorfq.exe

MD5 6bd4d13159c29a7faa0c2359ab927a6b
SHA1 e0428936b74d28e56d5d707d174601675815c2b7
SHA256 6176682cf03468860e96b52b72dfd69654f680809cbc851fb25419531ccaf358
SHA512 9f81a3f989087396f7135dba0d23352cf8dd1a2061a568c414d159e43ba0af159990611762520363f92a11b58bed2564c6028b7711264b4be34c66825af9b109

C:\Windows\System\fCTcsmk.exe

MD5 f04ba567b1415b9dbdec3800233092df
SHA1 aee37f14150d3c35b04b2381f64527562da79a9c
SHA256 657d2e359936495484b39285123555f2201ca04bd0f0a9a4cbde6500cd6e2d70
SHA512 c33e81becac34347f628eb6b83246af9bd29b0992cfc7bad975ca62fd471bbad52bb99f086423ce2b5ff5db2805cd6c98da627d36958ac79aa39cb2d5654500f

memory/2568-64-0x00007FF764960000-0x00007FF764CB4000-memory.dmp

memory/1060-59-0x00007FF6309A0000-0x00007FF630CF4000-memory.dmp

memory/4776-57-0x00007FF7423D0000-0x00007FF742724000-memory.dmp

C:\Windows\System\xUnMnxQ.exe

MD5 136b53e90352f9ec74d1bf6dd7fb053f
SHA1 b38a5e587afc62c387de4280c19a6d8447c40aad
SHA256 7bdc1ba3103eab5d39c17d5d18edb9dee1d93e5fe18ba1230857b6cafe23a2b3
SHA512 fee5df384e77d78fe9f9998b38f3f7a2c83dc60aabf7053ed468e6548c570b880651d15ed10e6989c0d5381a7b15ab85281eb7ae36de76732461e194477798ad

memory/224-129-0x00007FF787AF0000-0x00007FF787E44000-memory.dmp

memory/4472-130-0x00007FF662010000-0x00007FF662364000-memory.dmp

memory/5064-131-0x00007FF756040000-0x00007FF756394000-memory.dmp

memory/2324-132-0x00007FF721070000-0x00007FF7213C4000-memory.dmp

memory/1484-133-0x00007FF729180000-0x00007FF7294D4000-memory.dmp

memory/2428-134-0x00007FF62D800000-0x00007FF62DB54000-memory.dmp

memory/2568-135-0x00007FF764960000-0x00007FF764CB4000-memory.dmp

memory/5044-136-0x00007FF74F2E0000-0x00007FF74F634000-memory.dmp

memory/1600-137-0x00007FF659770000-0x00007FF659AC4000-memory.dmp

memory/3016-138-0x00007FF623E90000-0x00007FF6241E4000-memory.dmp

memory/224-139-0x00007FF787AF0000-0x00007FF787E44000-memory.dmp

memory/4472-140-0x00007FF662010000-0x00007FF662364000-memory.dmp

memory/5064-141-0x00007FF756040000-0x00007FF756394000-memory.dmp

memory/2324-142-0x00007FF721070000-0x00007FF7213C4000-memory.dmp

memory/1484-143-0x00007FF729180000-0x00007FF7294D4000-memory.dmp

memory/2428-144-0x00007FF62D800000-0x00007FF62DB54000-memory.dmp

memory/4776-145-0x00007FF7423D0000-0x00007FF742724000-memory.dmp

memory/1060-146-0x00007FF6309A0000-0x00007FF630CF4000-memory.dmp

memory/2568-147-0x00007FF764960000-0x00007FF764CB4000-memory.dmp

memory/2904-148-0x00007FF61AD40000-0x00007FF61B094000-memory.dmp

memory/5044-149-0x00007FF74F2E0000-0x00007FF74F634000-memory.dmp

memory/5092-150-0x00007FF623E20000-0x00007FF624174000-memory.dmp

memory/4792-151-0x00007FF62A920000-0x00007FF62AC74000-memory.dmp

memory/2580-153-0x00007FF6788F0000-0x00007FF678C44000-memory.dmp

memory/4532-152-0x00007FF7960A0000-0x00007FF7963F4000-memory.dmp

memory/1036-155-0x00007FF6193B0000-0x00007FF619704000-memory.dmp

memory/4868-156-0x00007FF6DD460000-0x00007FF6DD7B4000-memory.dmp

memory/1600-154-0x00007FF659770000-0x00007FF659AC4000-memory.dmp

memory/1184-157-0x00007FF6F9100000-0x00007FF6F9454000-memory.dmp

memory/1956-158-0x00007FF6A0D10000-0x00007FF6A1064000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-01 07:58

Reported

2024-06-01 08:01

Platform

win7-20240221-en

Max time kernel

148s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a1ea4248d6ec9c946b53c6976251423e398f6577839f86a1f52e5b765699b460.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
(21 rows; fields not rendered in this export)

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
(64 rows; fields not rendered in this export)

Loads dropped DLL

Description Indicator Process Target
(21 rows, each with Process = C:\Users\Admin\AppData\Local\Temp\a1ea4248d6ec9c946b53c6976251423e398f6577839f86a1f52e5b765699b460.exe; Description, Indicator and Target not rendered in this export)

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
(60 identical rows; no indicator detail recorded for the UPX hits)

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\NHTOjgq.exe C:\Users\Admin\AppData\Local\Temp\a1ea4248d6ec9c946b53c6976251423e398f6577839f86a1f52e5b765699b460.exe N/A
File created C:\Windows\System\afLUbMr.exe C:\Users\Admin\AppData\Local\Temp\a1ea4248d6ec9c946b53c6976251423e398f6577839f86a1f52e5b765699b460.exe N/A
File created C:\Windows\System\iYbGemJ.exe C:\Users\Admin\AppData\Local\Temp\a1ea4248d6ec9c946b53c6976251423e398f6577839f86a1f52e5b765699b460.exe N/A
File created C:\Windows\System\EajQLTr.exe C:\Users\Admin\AppData\Local\Temp\a1ea4248d6ec9c946b53c6976251423e398f6577839f86a1f52e5b765699b460.exe N/A
File created C:\Windows\System\dJrlzhv.exe C:\Users\Admin\AppData\Local\Temp\a1ea4248d6ec9c946b53c6976251423e398f6577839f86a1f52e5b765699b460.exe N/A
File created C:\Windows\System\nkRKkaa.exe C:\Users\Admin\AppData\Local\Temp\a1ea4248d6ec9c946b53c6976251423e398f6577839f86a1f52e5b765699b460.exe N/A
File created C:\Windows\System\ORtAdhq.exe C:\Users\Admin\AppData\Local\Temp\a1ea4248d6ec9c946b53c6976251423e398f6577839f86a1f52e5b765699b460.exe N/A
File created C:\Windows\System\fKCOKpq.exe C:\Users\Admin\AppData\Local\Temp\a1ea4248d6ec9c946b53c6976251423e398f6577839f86a1f52e5b765699b460.exe N/A
File created C:\Windows\System\geluIlq.exe C:\Users\Admin\AppData\Local\Temp\a1ea4248d6ec9c946b53c6976251423e398f6577839f86a1f52e5b765699b460.exe N/A
File created C:\Windows\System\HFPsaFX.exe C:\Users\Admin\AppData\Local\Temp\a1ea4248d6ec9c946b53c6976251423e398f6577839f86a1f52e5b765699b460.exe N/A
File created C:\Windows\System\JxDIeUs.exe C:\Users\Admin\AppData\Local\Temp\a1ea4248d6ec9c946b53c6976251423e398f6577839f86a1f52e5b765699b460.exe N/A
File created C:\Windows\System\yEpYpLO.exe C:\Users\Admin\AppData\Local\Temp\a1ea4248d6ec9c946b53c6976251423e398f6577839f86a1f52e5b765699b460.exe N/A
File created C:\Windows\System\DafljTl.exe C:\Users\Admin\AppData\Local\Temp\a1ea4248d6ec9c946b53c6976251423e398f6577839f86a1f52e5b765699b460.exe N/A
File created C:\Windows\System\WQZuZSV.exe C:\Users\Admin\AppData\Local\Temp\a1ea4248d6ec9c946b53c6976251423e398f6577839f86a1f52e5b765699b460.exe N/A
File created C:\Windows\System\iAazqWr.exe C:\Users\Admin\AppData\Local\Temp\a1ea4248d6ec9c946b53c6976251423e398f6577839f86a1f52e5b765699b460.exe N/A
File created C:\Windows\System\GNxVNTw.exe C:\Users\Admin\AppData\Local\Temp\a1ea4248d6ec9c946b53c6976251423e398f6577839f86a1f52e5b765699b460.exe N/A
File created C:\Windows\System\vZpePyu.exe C:\Users\Admin\AppData\Local\Temp\a1ea4248d6ec9c946b53c6976251423e398f6577839f86a1f52e5b765699b460.exe N/A
File created C:\Windows\System\prZFhqv.exe C:\Users\Admin\AppData\Local\Temp\a1ea4248d6ec9c946b53c6976251423e398f6577839f86a1f52e5b765699b460.exe N/A
File created C:\Windows\System\SoRBpko.exe C:\Users\Admin\AppData\Local\Temp\a1ea4248d6ec9c946b53c6976251423e398f6577839f86a1f52e5b765699b460.exe N/A
File created C:\Windows\System\XznAENg.exe C:\Users\Admin\AppData\Local\Temp\a1ea4248d6ec9c946b53c6976251423e398f6577839f86a1f52e5b765699b460.exe N/A
File created C:\Windows\System\lxOQjEW.exe C:\Users\Admin\AppData\Local\Temp\a1ea4248d6ec9c946b53c6976251423e398f6577839f86a1f52e5b765699b460.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a1ea4248d6ec9c946b53c6976251423e398f6577839f86a1f52e5b765699b460.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a1ea4248d6ec9c946b53c6976251423e398f6577839f86a1f52e5b765699b460.exe N/A

Note: SeLockMemoryPrivilege ("Lock pages in memory") is the user right required for large-page allocations (VirtualAlloc with MEM_LARGE_PAGES). XMRig tries to enable it on Windows so it can back its working set with huge pages, so this hit is consistent with the miner detection above. It is a performance tweak rather than an escalation attempt: AdjustTokenPrivileges can only enable a privilege the token already holds.

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1288 wrote to memory of 112 N/A C:\Users\Admin\AppData\Local\Temp\a1ea4248d6ec9c946b53c6976251423e398f6577839f86a1f52e5b765699b460.exe C:\Windows\System\geluIlq.exe
PID 1288 wrote to memory of 2972 N/A C:\Users\Admin\AppData\Local\Temp\a1ea4248d6ec9c946b53c6976251423e398f6577839f86a1f52e5b765699b460.exe C:\Windows\System\NHTOjgq.exe
PID 1288 wrote to memory of 2580 N/A C:\Users\Admin\AppData\Local\Temp\a1ea4248d6ec9c946b53c6976251423e398f6577839f86a1f52e5b765699b460.exe C:\Windows\System\vZpePyu.exe
PID 1288 wrote to memory of 2728 N/A C:\Users\Admin\AppData\Local\Temp\a1ea4248d6ec9c946b53c6976251423e398f6577839f86a1f52e5b765699b460.exe C:\Windows\System\HFPsaFX.exe
PID 1288 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\a1ea4248d6ec9c946b53c6976251423e398f6577839f86a1f52e5b765699b460.exe C:\Windows\System\prZFhqv.exe
PID 1288 wrote to memory of 2584 N/A C:\Users\Admin\AppData\Local\Temp\a1ea4248d6ec9c946b53c6976251423e398f6577839f86a1f52e5b765699b460.exe C:\Windows\System\iYbGemJ.exe
PID 1288 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Local\Temp\a1ea4248d6ec9c946b53c6976251423e398f6577839f86a1f52e5b765699b460.exe C:\Windows\System\SoRBpko.exe
PID 1288 wrote to memory of 2560 N/A C:\Users\Admin\AppData\Local\Temp\a1ea4248d6ec9c946b53c6976251423e398f6577839f86a1f52e5b765699b460.exe C:\Windows\System\JxDIeUs.exe
PID 1288 wrote to memory of 2420 N/A C:\Users\Admin\AppData\Local\Temp\a1ea4248d6ec9c946b53c6976251423e398f6577839f86a1f52e5b765699b460.exe C:\Windows\System\XznAENg.exe
PID 1288 wrote to memory of 2500 N/A C:\Users\Admin\AppData\Local\Temp\a1ea4248d6ec9c946b53c6976251423e398f6577839f86a1f52e5b765699b460.exe C:\Windows\System\DafljTl.exe
PID 1288 wrote to memory of 3040 N/A C:\Users\Admin\AppData\Local\Temp\a1ea4248d6ec9c946b53c6976251423e398f6577839f86a1f52e5b765699b460.exe C:\Windows\System\yEpYpLO.exe
PID 1288 wrote to memory of 240 N/A C:\Users\Admin\AppData\Local\Temp\a1ea4248d6ec9c946b53c6976251423e398f6577839f86a1f52e5b765699b460.exe C:\Windows\System\WQZuZSV.exe
PID 1288 wrote to memory of 1544 N/A C:\Users\Admin\AppData\Local\Temp\a1ea4248d6ec9c946b53c6976251423e398f6577839f86a1f52e5b765699b460.exe C:\Windows\System\nkRKkaa.exe
PID 1288 wrote to memory of 2360 N/A C:\Users\Admin\AppData\Local\Temp\a1ea4248d6ec9c946b53c6976251423e398f6577839f86a1f52e5b765699b460.exe C:\Windows\System\EajQLTr.exe
PID 1288 wrote to memory of 1796 N/A C:\Users\Admin\AppData\Local\Temp\a1ea4248d6ec9c946b53c6976251423e398f6577839f86a1f52e5b765699b460.exe C:\Windows\System\iAazqWr.exe
PID 1288 wrote to memory of 924 N/A C:\Users\Admin\AppData\Local\Temp\a1ea4248d6ec9c946b53c6976251423e398f6577839f86a1f52e5b765699b460.exe C:\Windows\System\ORtAdhq.exe
PID 1288 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Local\Temp\a1ea4248d6ec9c946b53c6976251423e398f6577839f86a1f52e5b765699b460.exe C:\Windows\System\fKCOKpq.exe
PID 1288 wrote to memory of 2620 N/A C:\Users\Admin\AppData\Local\Temp\a1ea4248d6ec9c946b53c6976251423e398f6577839f86a1f52e5b765699b460.exe C:\Windows\System\dJrlzhv.exe
PID 1288 wrote to memory of 1808 N/A C:\Users\Admin\AppData\Local\Temp\a1ea4248d6ec9c946b53c6976251423e398f6577839f86a1f52e5b765699b460.exe C:\Windows\System\GNxVNTw.exe
PID 1288 wrote to memory of 928 N/A C:\Users\Admin\AppData\Local\Temp\a1ea4248d6ec9c946b53c6976251423e398f6577839f86a1f52e5b765699b460.exe C:\Windows\System\afLUbMr.exe
PID 1288 wrote to memory of 2216 N/A C:\Users\Admin\AppData\Local\Temp\a1ea4248d6ec9c946b53c6976251423e398f6577839f86a1f52e5b765699b460.exe C:\Windows\System\lxOQjEW.exe
(each target above appears three times in the raw log, as three consecutive identical rows; the duplicates are collapsed here, so the table records 21 children of PID 1288 and 63 write events)
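
The two tables above (the files dropped into C:\Windows\System and the WriteProcessMemory rows) together describe the dropper's fan-out: one parent, PID 1288, writing into each freshly started child. The script below is an added example, not sandbox output or tooling from the report: it parses rows in exactly the format shown, collapses the triplicated write rows into a per-child count, rebuilds the parent-to-child tree, and flags any dropped file that never became a write target. The embedded tables are copied from the report for four of the 21 dropped files, with the dropper's path held in SAMPLE so the rows stay readable.

```python
"""Rebuild the dropper's process tree from the 'Drops file in Windows
directory' and 'Suspicious use of WriteProcessMemory' tables and check
that every dropped file later became a WriteProcessMemory target.

DROP_TABLE and WPM_TABLE are copied from the report for four of the 21
dropped files; the dropper's path is held in SAMPLE only to keep the rows
readable. The parser is an added example, not sandbox output."""
import re
from collections import defaultdict

SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp\a1ea4248d6ec9c946b53c6976251423e"
          r"398f6577839f86a1f52e5b765699b460.exe")

# Columns: Description Indicator Process Target
DROP_TABLE = rf"""File created C:\Windows\System\NHTOjgq.exe {SAMPLE} N/A
File created C:\Windows\System\geluIlq.exe {SAMPLE} N/A
File created C:\Windows\System\vZpePyu.exe {SAMPLE} N/A
File created C:\Windows\System\HFPsaFX.exe {SAMPLE} N/A"""

# Columns: Description Indicator Process Target (three identical rows per child)
WPM_TABLE = rf"""PID 1288 wrote to memory of 112 N/A {SAMPLE} C:\Windows\System\geluIlq.exe
PID 1288 wrote to memory of 112 N/A {SAMPLE} C:\Windows\System\geluIlq.exe
PID 1288 wrote to memory of 112 N/A {SAMPLE} C:\Windows\System\geluIlq.exe
PID 1288 wrote to memory of 2972 N/A {SAMPLE} C:\Windows\System\NHTOjgq.exe
PID 1288 wrote to memory of 2972 N/A {SAMPLE} C:\Windows\System\NHTOjgq.exe
PID 1288 wrote to memory of 2972 N/A {SAMPLE} C:\Windows\System\NHTOjgq.exe
PID 1288 wrote to memory of 2580 N/A {SAMPLE} C:\Windows\System\vZpePyu.exe
PID 1288 wrote to memory of 2580 N/A {SAMPLE} C:\Windows\System\vZpePyu.exe
PID 1288 wrote to memory of 2580 N/A {SAMPLE} C:\Windows\System\vZpePyu.exe
PID 1288 wrote to memory of 2728 N/A {SAMPLE} C:\Windows\System\HFPsaFX.exe
PID 1288 wrote to memory of 2728 N/A {SAMPLE} C:\Windows\System\HFPsaFX.exe
PID 1288 wrote to memory of 2728 N/A {SAMPLE} C:\Windows\System\HFPsaFX.exe"""

DROP_RE = re.compile(r"^File created (\S+) (\S+) N/A$")
WPM_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)$")


def parse_drops(table):
    """Map each dropped path (lower-cased for comparison) to its dropper."""
    drops = {}
    for line in table.splitlines():
        m = DROP_RE.match(line.strip())
        if m:
            drops[m.group(1).lower()] = m.group(2)
    return drops


def parse_writes(table):
    """Count WriteProcessMemory rows per (parent_pid, child_pid, child_path)."""
    writes = defaultdict(int)
    for line in table.splitlines():
        m = WPM_RE.match(line.strip())
        if m:
            parent, child, _source, target = m.groups()
            writes[(int(parent), int(child), target.lower())] += 1
    return dict(writes)


def process_tree(writes):
    """Group children under their parent PID, sorted by child PID."""
    tree = defaultdict(list)
    for (parent, child, path), n in writes.items():
        tree[parent].append((child, path, n))
    return {parent: sorted(children) for parent, children in tree.items()}


def dropped_but_not_launched(drops, writes):
    """Dropped files that never show up as a WriteProcessMemory target."""
    targets = {path for (_parent, _child, path) in writes}
    return sorted(path for path in drops if path not in targets)


def render_tree(tree, root_name):
    """Plain-text tree, one line per child with its write count."""
    lines = []
    for parent, children in sorted(tree.items()):
        lines.append(f"{parent}  {root_name}")
        for child, path, n in children:
            lines.append(f"  +-- {child}  {path}  ({n} writes)")
    return "\n".join(lines)


if __name__ == "__main__":
    drops, writes = parse_drops(DROP_TABLE), parse_writes(WPM_TABLE)
    print(render_tree(process_tree(writes), SAMPLE))
    print("dropped but never written to:",
          dropped_but_not_launched(drops, writes) or "none")
```

Run against the full tables the same code yields 21 children, three writes each, and an empty "never written to" list: every name in the drop table appears as a write target, which is the check worth automating when a sandbox report lists dozens of randomly named drops.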

Processes

C:\Users\Admin\AppData\Local\Temp\a1ea4248d6ec9c946b53c6976251423e398f6577839f86a1f52e5b765699b460.exe

"C:\Users\Admin\AppData\Local\Temp\a1ea4248d6ec9c946b53c6976251423e398f6577839f86a1f52e5b765699b460.exe"

C:\Windows\System\geluIlq.exe

C:\Windows\System\geluIlq.exe

C:\Windows\System\NHTOjgq.exe

C:\Windows\System\NHTOjgq.exe

C:\Windows\System\vZpePyu.exe

C:\Windows\System\vZpePyu.exe

C:\Windows\System\HFPsaFX.exe

C:\Windows\System\HFPsaFX.exe

C:\Windows\System\prZFhqv.exe

C:\Windows\System\prZFhqv.exe

C:\Windows\System\iYbGemJ.exe

C:\Windows\System\iYbGemJ.exe

C:\Windows\System\SoRBpko.exe

C:\Windows\System\SoRBpko.exe

C:\Windows\System\JxDIeUs.exe

C:\Windows\System\JxDIeUs.exe

C:\Windows\System\XznAENg.exe

C:\Windows\System\XznAENg.exe

C:\Windows\System\DafljTl.exe

C:\Windows\System\DafljTl.exe

C:\Windows\System\yEpYpLO.exe

C:\Windows\System\yEpYpLO.exe

C:\Windows\System\WQZuZSV.exe

C:\Windows\System\WQZuZSV.exe

C:\Windows\System\nkRKkaa.exe

C:\Windows\System\nkRKkaa.exe

C:\Windows\System\EajQLTr.exe

C:\Windows\System\EajQLTr.exe

C:\Windows\System\iAazqWr.exe

C:\Windows\System\iAazqWr.exe

C:\Windows\System\ORtAdhq.exe

C:\Windows\System\ORtAdhq.exe

C:\Windows\System\fKCOKpq.exe

C:\Windows\System\fKCOKpq.exe

C:\Windows\System\dJrlzhv.exe

C:\Windows\System\dJrlzhv.exe

C:\Windows\System\GNxVNTw.exe

C:\Windows\System\GNxVNTw.exe

C:\Windows\System\afLUbMr.exe

C:\Windows\System\afLUbMr.exe

C:\Windows\System\lxOQjEW.exe

C:\Windows\System\lxOQjEW.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 (none) tcp
(6 identical connection records; the Domain column is empty because the endpoint was contacted by IP address and no DNS resolution was observed)

Files

memory/1288-0-0x000000013FC80000-0x000000013FFD4000-memory.dmp

memory/1288-1-0x00000000000F0000-0x0000000000100000-memory.dmp

\Windows\system\geluIlq.exe

MD5 f9ddcf1402f320c28bbfa6e3ff0f6e01
SHA1 08d3538dd07d4f6a57041673509b8e246c572bf0
SHA256 b8f4a7d83a27a71fb92f1db14014f1dd79c6bef5bf7babd3296eddd275a144fa
SHA512 853af82f127af753f98eefd05046db3b593d7cdb98de69853cba6f17ea14a06f9aceb1d4145b216d377e5cdc544e7d7adf651bfdb5f005a7b20e1d118ebd0c1a

memory/112-8-0x000000013F4E0000-0x000000013F834000-memory.dmp

\Windows\system\NHTOjgq.exe

MD5 fc6115a909d50504d71e22e0aedf2e62
SHA1 e3e3d6d0d3bb5ec74d1833133e51525ba96d0d8f
SHA256 de3f4678c05705ba3c7a9ac20fc5dfc016080b42b24cf127a42f431ee7d4fac6
SHA512 58cfcff56a51b589cde9ec35f382a6a68e4d305fbbc61fd461649062ff7fcdf3c8ff7e3ee596c75b4b301e8f8283a72d02de38c70271cb9d471d5d93a240a8d0

memory/1288-13-0x0000000002590000-0x00000000028E4000-memory.dmp

C:\Windows\system\vZpePyu.exe

MD5 78acbc1600a562158969ca08c73dfbc5
SHA1 187f275b59f8b4c170c8f94a4cb11b03793de13e
SHA256 e0cb0ffba5cc54907e5258cddb32d11cde2fb8ccef78e139619388ad88990f17
SHA512 d4f6e702f41ab138f1c116b8363dfc8a1d27b095be2a48a6674d2950df0c04270158c59e101eb8215be1025ce0747401538823731f6cde41ddcea3be0b3b6547

memory/2972-19-0x000000013FE60000-0x00000001401B4000-memory.dmp

memory/1288-22-0x0000000002590000-0x00000000028E4000-memory.dmp

memory/2580-21-0x000000013FF40000-0x0000000140294000-memory.dmp

\Windows\system\HFPsaFX.exe

MD5 2e1e2ac82db572cb049958c36faeacd3
SHA1 1422ffa93a823825841ae4563fcc560ffe9cafdd
SHA256 baad3482075ad0e29654e9c843dbc837f227238b556a8505e01830e6dd52fe32
SHA512 15e22a367cdcc3d4df8f346110efcd27acc8d38f9f399b8b9f5d1e8dd1eca4821464d539fd47fda1599d600f9755dea37e3d5205f7e5367813fab1be70e06ac6

memory/1288-28-0x0000000002590000-0x00000000028E4000-memory.dmp

C:\Windows\system\prZFhqv.exe

MD5 58fc3055fb119721853684905caa3531
SHA1 b315e46a7a9d5f3894475b0afac3dd39f46db67b
SHA256 448cf9acca4e77352ac8ba3b702e617099b913206e127ccfbcfc287e4264b9df
SHA512 495b545c5c3267faff6e783d06ef4ea9456e730703682e772857d159845e2617f7f8430487fe15ada56b4f638650c7e0312c42acb0a2455fe4142c2fd80b11f1

memory/1288-33-0x000000013F7A0000-0x000000013FAF4000-memory.dmp

C:\Windows\system\iYbGemJ.exe

MD5 e49f0b69b21debbf5cb90a2d2f129db9
SHA1 cc86447eb346f623bd40182dc5cd010a865d774b
SHA256 19aa09095ecc4efea439e3388d7cca0a9287e14c795e8d31617610d3ce34efac
SHA512 8c6f7897235c076a001fd6d447f8b3e349232aab606a5c07140703971e1de37cc3b3d05a5e4131b469615e988a8b215d015ac224114107bc8e9c0a064e9fa716

memory/1288-41-0x000000013F1E0000-0x000000013F534000-memory.dmp

memory/2584-42-0x000000013F1E0000-0x000000013F534000-memory.dmp

memory/2556-35-0x000000013F7A0000-0x000000013FAF4000-memory.dmp

memory/2728-30-0x000000013FEE0000-0x0000000140234000-memory.dmp

\Windows\system\JxDIeUs.exe

MD5 0bdfd2ebf4c802ff3227d81ecf9d7bbd
SHA1 27334b0834125bdf9816db0eedefe5fd51d0c4e0
SHA256 3c81ee233bb311577d320cb7ffa31e2aa9b7cd04384d4ca6a8089c13f7cdafb6
SHA512 7ad3beabc642a08e29c61603cf7b4b710b6c62294390792d6abc684d0a4d69bbba7f85e60d450b8c1589deb2ad8ac91e94fad7126fa35057058f670e4a8ed761

memory/2600-54-0x000000013FAE0000-0x000000013FE34000-memory.dmp

memory/112-55-0x000000013F4E0000-0x000000013F834000-memory.dmp

\Windows\system\SoRBpko.exe

MD5 d0acf1e23c76eddc4a0b8eff410d5aed
SHA1 295515574c3e43dae33d62b7c5a1e6e027577382
SHA256 4c072371b9bd818840fa4fa4ae63f57397913411e75702599f5cf29671f0b40d
SHA512 bbc420a4620799c6951d2c1f946dafc4778f665773ffdcb2fe26f60071959050b431acd3e5afb09e136a8c68f015be0c1c6ae42825a7d687b7eea79b8d76492f

memory/1288-46-0x000000013FC80000-0x000000013FFD4000-memory.dmp

C:\Windows\system\XznAENg.exe

MD5 59a21a1a8cdae00cb1d441f8e4a487c2
SHA1 8ed713e0563ef966f498a143af7641252eab765f
SHA256 a75661e80c45191dba3e0d87e06c32b199ea90edceaba7766fa6f06f8c47fe8a
SHA512 7d8314477bcbfdc258dddc80dd787054e6f32738633f39d6dc87ed8c6475b2b867dc5912806fa440da37196a15f0e2711cee90feda563960f7f419ce4a03a6c4

memory/2420-62-0x000000013F670000-0x000000013F9C4000-memory.dmp

memory/2500-70-0x000000013F170000-0x000000013F4C4000-memory.dmp

\Windows\system\WQZuZSV.exe

MD5 5328eda9e00a8e19fef5108aa50e2e25
SHA1 58ac03687ef3c7c609804519138efd626b8393a4
SHA256 beee53996ca892a884380270c71ca403b35a1123eaba6a6984cef5c8032c7583
SHA512 389988add923a06176006457621d81d29c317066f74e403b9359f31814232d734bb87cfb26fb0785d92b1aa65fe2db9da57aa16180916fd33fa91d7739c7ebfe

memory/240-84-0x000000013FA30000-0x000000013FD84000-memory.dmp

\Windows\system\lxOQjEW.exe

MD5 fe724e4de76d02341b5bcd42aead1c6b
SHA1 85d4ea75500b73e70a2fee6e0176a218fec3dfd3
SHA256 ec7f6a1f01c571d9b41836c228537256396e8edda2cd077d47408db6a064653e
SHA512 8758a48efd285bd57cc9999b62ddd0bdbbfe360c4cf2c43251027f0105cc79112ae46b758be410ea59f6eef8ef42030476a9a959aa716a492cfca303bd943d50

C:\Windows\system\afLUbMr.exe

MD5 edb17b8afa57d5faad271692b9a15bcf
SHA1 25eee526146e8bf374734060ebf5f1c70563c523
SHA256 530bc547d10b5188354e0b92166b8509f4d86fcbf14cc20996800eb35376572c
SHA512 15d5a348295fb58b6b57da96822d34aa52f76b0a146652c25753b1d1f51bd1df530043aa216b74d16e2fed2c1d99acb77fe3e8e6c64f7691306a30e1bee94a19

C:\Windows\system\GNxVNTw.exe

MD5 1c072a24cd15bda13a47a27bf73509c3
SHA1 9fb7a4c68cfec91566762d1d7d112400c01c0d48
SHA256 b5b41ef1292fb8f6a14773dec92db2e932e9d818dcf1e30521819034335b04dd
SHA512 a04206736f7e4f007e67d65c2206af90a25573ef96c8baa3983e5f265008ef08703ceb73914edb163cdd8a1543f20e7a6abf0b9abb53323423c85eb3946c1a98

C:\Windows\system\dJrlzhv.exe

MD5 7189debec6d1ddbd027205217343fa63
SHA1 100aeec594252e29ee65479cdc980c3e5c9d72e3
SHA256 7ab8e042e1d96baaecaab2a91c496cbc9186e130c88340472fa9e736407f5ba4
SHA512 15a50f6525d8e1aa555e4b80bdcba9d1469b20340de4cefff4faa14f196659d1a4e67b228812f8e396f2632d773ac82a9c77db6881f189fc73f78ca3b2b95559

C:\Windows\system\fKCOKpq.exe

MD5 301eb6b43de6e45be1e40f8632811873
SHA1 7538474183d1bf0b2ae835e4dcb2203b27283b28
SHA256 01da1896e648e310f9615356f1e776dbb6406e4094a8639f56a97ae161122021
SHA512 4c4b4e9dea549cb910ff8fbff377d1ab7da9547fa782302fcb6ee9a8daa05cbd607952b819baa2527aabc0c69f42e02c6e8ce5e47c5561cd9ebb341ec91acad2

memory/2600-135-0x000000013FAE0000-0x000000013FE34000-memory.dmp

C:\Windows\system\ORtAdhq.exe

MD5 7c0a506e02ef0dff5f6252200cae92a3
SHA1 a8d2ce39ed2696d2407e03e96c7d9a9f695c2853
SHA256 d6ec5145250b726445ccf1bb8e01617485c9cfc9fec9e4427ffeecdae2e348fa
SHA512 b03c7c0ff833bd79aecddd316e075796d7dc187672ba5fdda20e94aa2a984c616523cc6604b4e626900f23db1e2300362e353b7304653352fbf7c5a44bc77f3e

memory/1288-104-0x0000000002590000-0x00000000028E4000-memory.dmp

C:\Windows\system\iAazqWr.exe

MD5 2f648cb2ca74ff2169a99ccb89555706
SHA1 a0e649133ad1bab143cee8c5f1d8bc80ee98172e
SHA256 d06997edd768dce340617b95cf2e8e828778612a36f9c26c0d1fa6a04913e70a
SHA512 34452691912d407fc0a826241b30d37b9d27fd950abec86f34244507f27742fd5d87c7e3713d5487b4b4a18fa6d21d7ba70e91532b387e0158e91138bf237b26

memory/2360-97-0x000000013FF20000-0x0000000140274000-memory.dmp

memory/1288-96-0x0000000002590000-0x00000000028E4000-memory.dmp

C:\Windows\system\EajQLTr.exe

MD5 e747c151eb1c0ed322aac376ac211908
SHA1 d0fa23450ec2ad586c8d5ed460f1ca054a783472
SHA256 f593dd08d99e1a039543f3f14d388c1a3390a3dde6811cef3ccb3db259b972fa
SHA512 645d26994a1754d381bcefe3eec6f2267684a49eb1c4103c770d7c4717919198f71648f121fa6154f1c8b600891c63ada4e7639f6386d9c1a329907dfa363030

memory/1544-91-0x000000013F190000-0x000000013F4E4000-memory.dmp

C:\Windows\system\nkRKkaa.exe

MD5 93db8804ef22d5573206ef0443d0cc5e
SHA1 6b06f430ec044d9ce2f6b28a05cdc932090d288f
SHA256 e35e6db1cca73ffd4325b4ce329ce74c977c8852309ad5087449d38786cd6c54
SHA512 c8398a0cb350ee97d68cdad110063dbbaec0629ae72d43abff9d8c3b5b9060b905a2b57e47fd84feb99e4ea14eaaba8c8f27339291b12c8ab4a13715eea52aae

memory/3040-76-0x000000013F1C0000-0x000000013F514000-memory.dmp

memory/1288-75-0x000000013F1C0000-0x000000013F514000-memory.dmp

memory/2556-83-0x000000013F7A0000-0x000000013FAF4000-memory.dmp

memory/1288-80-0x0000000002590000-0x00000000028E4000-memory.dmp

C:\Windows\system\yEpYpLO.exe

MD5 7e92e954a24e0753252e45584ed8842c
SHA1 d57c637b8eca30a573ef55e0d6efe7a83039fca7
SHA256 b8cae56b8e4e32500a183a8f9b76a0cf15b362403c56039af954b1bbf62f122f
SHA512 cb7be0d8269e4fa7228c6407a04279a9250186d234bbe1112b9c2fe5287aa1b96972a26afc89b77a055831ebaf527eaa063a1641ac7c0d401a7607443d24d904

memory/1288-61-0x000000013F670000-0x000000013F9C4000-memory.dmp

memory/1288-69-0x000000013F170000-0x000000013F4C4000-memory.dmp

C:\Windows\system\DafljTl.exe

MD5 b741662cd8e6fde7e1e9196980765e87
SHA1 8a421ea71f1f600be3b9aa5ec8aa3862240753b0
SHA256 79db05f8f65d2d05783f29bb03a7dc3adfc7ce9d41f0cee53e099f8c382231de
SHA512 f598fc9d537a96540c744fdd0f55588f201449ad6ae2976183e077e84885ed0fd356bf5a432481f9c8438062fe3bfee5f1cebda86309f8c73197dfdb13a0c2e7

memory/2560-57-0x000000013FDB0000-0x0000000140104000-memory.dmp

memory/2420-137-0x000000013F670000-0x000000013F9C4000-memory.dmp

memory/1288-136-0x000000013F670000-0x000000013F9C4000-memory.dmp

memory/1288-138-0x000000013F170000-0x000000013F4C4000-memory.dmp

memory/2500-139-0x000000013F170000-0x000000013F4C4000-memory.dmp

memory/1288-140-0x000000013F1C0000-0x000000013F514000-memory.dmp

memory/3040-141-0x000000013F1C0000-0x000000013F514000-memory.dmp

memory/1288-142-0x0000000002590000-0x00000000028E4000-memory.dmp

memory/240-143-0x000000013FA30000-0x000000013FD84000-memory.dmp

memory/1544-144-0x000000013F190000-0x000000013F4E4000-memory.dmp

memory/1288-145-0x0000000002590000-0x00000000028E4000-memory.dmp

memory/2360-146-0x000000013FF20000-0x0000000140274000-memory.dmp

memory/112-147-0x000000013F4E0000-0x000000013F834000-memory.dmp

memory/2972-148-0x000000013FE60000-0x00000001401B4000-memory.dmp

memory/2580-149-0x000000013FF40000-0x0000000140294000-memory.dmp

memory/2728-150-0x000000013FEE0000-0x0000000140234000-memory.dmp

memory/2584-151-0x000000013F1E0000-0x000000013F534000-memory.dmp

memory/2560-152-0x000000013FDB0000-0x0000000140104000-memory.dmp

memory/2556-154-0x000000013F7A0000-0x000000013FAF4000-memory.dmp

memory/2600-153-0x000000013FAE0000-0x000000013FE34000-memory.dmp

memory/2420-155-0x000000013F670000-0x000000013F9C4000-memory.dmp

memory/2500-156-0x000000013F170000-0x000000013F4C4000-memory.dmp

memory/3040-157-0x000000013F1C0000-0x000000013F514000-memory.dmp

memory/240-158-0x000000013FA30000-0x000000013FD84000-memory.dmp

memory/1544-159-0x000000013F190000-0x000000013F4E4000-memory.dmp

memory/2360-160-0x000000013FF20000-0x0000000140274000-memory.dmp
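
The Files section mixes two kinds of entry: memory dumps named memory/PID-index-start-end-memory.dmp and dropped files followed by their MD5/SHA1/SHA256/SHA512 lines, with the drive letter sometimes omitted from the path. The script below is an added example, not part of the report or its tooling: it parses an excerpt of the section copied from the report (the first three dropped files and the memory entries around them, blank lines removed), validates each hash's length and format, normalises the paths, and lists every region whose size equals the dropper's main image so the analyst can see which dumps to compare against the dropped files.

```python
"""Parse the 'Files' section into dropped-file IOCs and memory-region
records, validate hash lengths, and list the regions whose size matches
the dropper's main image. FILES_EXCERPT is copied from the report (the
first three dropped files and the memory entries around them, blank lines
removed); the parser itself is an added example, not sandbox output."""
import re
from dataclasses import dataclass, field

FILES_EXCERPT = r"""
memory/1288-0-0x000000013FC80000-0x000000013FFD4000-memory.dmp
memory/1288-1-0x00000000000F0000-0x0000000000100000-memory.dmp
\Windows\system\geluIlq.exe
MD5 f9ddcf1402f320c28bbfa6e3ff0f6e01
SHA1 08d3538dd07d4f6a57041673509b8e246c572bf0
SHA256 b8f4a7d83a27a71fb92f1db14014f1dd79c6bef5bf7babd3296eddd275a144fa
SHA512 853af82f127af753f98eefd05046db3b593d7cdb98de69853cba6f17ea14a06f9aceb1d4145b216d377e5cdc544e7d7adf651bfdb5f005a7b20e1d118ebd0c1a
memory/112-8-0x000000013F4E0000-0x000000013F834000-memory.dmp
\Windows\system\NHTOjgq.exe
MD5 fc6115a909d50504d71e22e0aedf2e62
SHA1 e3e3d6d0d3bb5ec74d1833133e51525ba96d0d8f
SHA256 de3f4678c05705ba3c7a9ac20fc5dfc016080b42b24cf127a42f431ee7d4fac6
SHA512 58cfcff56a51b589cde9ec35f382a6a68e4d305fbbc61fd461649062ff7fcdf3c8ff7e3ee596c75b4b301e8f8283a72d02de38c70271cb9d471d5d93a240a8d0
memory/1288-13-0x0000000002590000-0x00000000028E4000-memory.dmp
C:\Windows\system\vZpePyu.exe
MD5 78acbc1600a562158969ca08c73dfbc5
SHA1 187f275b59f8b4c170c8f94a4cb11b03793de13e
SHA256 e0cb0ffba5cc54907e5258cddb32d11cde2fb8ccef78e139619388ad88990f17
SHA512 d4f6e702f41ab138f1c116b8363dfc8a1d27b095be2a48a6674d2950df0c04270158c59e101eb8215be1025ce0747401538823731f6cde41ddcea3be0b3b6547
memory/2972-19-0x000000013FE60000-0x00000001401B4000-memory.dmp
"""

MEM_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}


@dataclass
class Region:
    pid: int
    index: int
    start: int
    end: int

    @property
    def size(self):
        return self.end - self.start


@dataclass
class DroppedFile:
    path: str
    hashes: dict = field(default_factory=dict)


def parse_files_section(text):
    """Return (files, regions); raises on a hash of the wrong length or format."""
    files, regions, current = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = MEM_RE.match(line)
        if m:
            pid, idx, start, end = m.groups()
            regions.append(Region(int(pid), int(idx), int(start, 16), int(end, 16)))
            current = None
            continue
        algo, _, digest = line.partition(" ")
        if algo in HASH_LEN:
            if current is None:
                raise ValueError(f"hash without a preceding file path: {line}")
            if len(digest) != HASH_LEN[algo] or not re.fullmatch(r"[0-9a-f]+", digest):
                raise ValueError(f"malformed {algo} for {current.path}: {digest}")
            current.hashes[algo] = digest
            continue
        # Any other line is a dropped-file path; the report sometimes omits "C:".
        current = DroppedFile(line if line[:2].lower() == "c:" else "C:" + line)
        files.append(current)
    return files, regions


def main_image_size(regions, pid):
    """Size of a PID's index-0 region, i.e. its main executable image."""
    return next(r.size for r in regions if r.pid == pid and r.index == 0)


def regions_of_size(regions, size):
    """All regions, in any process, whose size equals `size`."""
    return [r for r in regions if r.size == size]


def sha256_hashset(files):
    """'sha256 path' lines, ready for a blocklist or hash lookup."""
    return [f"{f.hashes['SHA256']} {f.path}" for f in files]


if __name__ == "__main__":
    files, regions = parse_files_section(FILES_EXCERPT)
    image = main_image_size(regions, 1288)
    print(f"dropper image size: {image:#x}")
    for r in regions_of_size(regions, image):
        print(f"  pid {r.pid} region {r.index} {r.start:#x}-{r.end:#x}")
    print("\n".join(sha256_hashset(files)))
```

On this excerpt the dropper's image (PID 1288, region 0) is 0x354000 bytes, and so are the main images of the children at PIDs 112 and 2972 and the private region at 0x2590000 inside PID 1288 itself; that last dump is the one to diff against the dropped files when deciding whether the children are copies of a payload the dropper already held in memory.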