Malware Analysis Report

2025-01-22 19:46

Sample ID 240601-jz19qseh61
Target 4a003d449db0389d0a4dd219177469b4768e0feb64e50c51326995f9f353ef05
SHA256 4a003d449db0389d0a4dd219177469b4768e0feb64e50c51326995f9f353ef05
Tags
miner upx 0 xmrig cobaltstrike backdoor trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

4a003d449db0389d0a4dd219177469b4768e0feb64e50c51326995f9f353ef05

Threat Level: Known bad

The file 4a003d449db0389d0a4dd219177469b4768e0feb64e50c51326995f9f353ef05 was found to be: Known bad.

Malicious Activity Summary

miner upx 0 xmrig cobaltstrike backdoor trojan

XMRig Miner payload

xmrig

Cobaltstrike

Cobalt Strike reflective loader

Xmrig family

Cobaltstrike family

XMRig Miner payload

Loads dropped DLL

UPX packed file

Executes dropped EXE

Drops file in Windows directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-01 08:07

Signatures

Cobalt Strike reflective loader

Cobaltstrike family

cobaltstrike

XMRig Miner payload

miner

Xmrig family

xmrig

UPX packed file

upx

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-01 08:07

Reported

2024-06-01 08:09

Platform

win7-20240508-en

Max time kernel

146s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4a003d449db0389d0a4dd219177469b4768e0feb64e50c51326995f9f353ef05.exe"

Signatures

Cobalt Strike reflective loader

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

XMRig Miner payload

miner
Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\4a003d449db0389d0a4dd219177469b4768e0feb64e50c51326995f9f353ef05.exe N/A
(21 identical rows)

UPX packed file

upx
Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\OOnElAd.exe C:\Users\Admin\AppData\Local\Temp\4a003d449db0389d0a4dd219177469b4768e0feb64e50c51326995f9f353ef05.exe N/A
File created C:\Windows\System\CKvXAui.exe C:\Users\Admin\AppData\Local\Temp\4a003d449db0389d0a4dd219177469b4768e0feb64e50c51326995f9f353ef05.exe N/A
File created C:\Windows\System\FveXqjH.exe C:\Users\Admin\AppData\Local\Temp\4a003d449db0389d0a4dd219177469b4768e0feb64e50c51326995f9f353ef05.exe N/A
File created C:\Windows\System\NGowYdf.exe C:\Users\Admin\AppData\Local\Temp\4a003d449db0389d0a4dd219177469b4768e0feb64e50c51326995f9f353ef05.exe N/A
File created C:\Windows\System\GbIqvul.exe C:\Users\Admin\AppData\Local\Temp\4a003d449db0389d0a4dd219177469b4768e0feb64e50c51326995f9f353ef05.exe N/A
File created C:\Windows\System\jTRZRXU.exe C:\Users\Admin\AppData\Local\Temp\4a003d449db0389d0a4dd219177469b4768e0feb64e50c51326995f9f353ef05.exe N/A
File created C:\Windows\System\CMrkNEV.exe C:\Users\Admin\AppData\Local\Temp\4a003d449db0389d0a4dd219177469b4768e0feb64e50c51326995f9f353ef05.exe N/A
File created C:\Windows\System\zzxsCTA.exe C:\Users\Admin\AppData\Local\Temp\4a003d449db0389d0a4dd219177469b4768e0feb64e50c51326995f9f353ef05.exe N/A
File created C:\Windows\System\QpuowHJ.exe C:\Users\Admin\AppData\Local\Temp\4a003d449db0389d0a4dd219177469b4768e0feb64e50c51326995f9f353ef05.exe N/A
File created C:\Windows\System\JIYbtxZ.exe C:\Users\Admin\AppData\Local\Temp\4a003d449db0389d0a4dd219177469b4768e0feb64e50c51326995f9f353ef05.exe N/A
File created C:\Windows\System\fNtBxgF.exe C:\Users\Admin\AppData\Local\Temp\4a003d449db0389d0a4dd219177469b4768e0feb64e50c51326995f9f353ef05.exe N/A
File created C:\Windows\System\XUXNoJV.exe C:\Users\Admin\AppData\Local\Temp\4a003d449db0389d0a4dd219177469b4768e0feb64e50c51326995f9f353ef05.exe N/A
File created C:\Windows\System\YpFpVIu.exe C:\Users\Admin\AppData\Local\Temp\4a003d449db0389d0a4dd219177469b4768e0feb64e50c51326995f9f353ef05.exe N/A
File created C:\Windows\System\xSrlZKS.exe C:\Users\Admin\AppData\Local\Temp\4a003d449db0389d0a4dd219177469b4768e0feb64e50c51326995f9f353ef05.exe N/A
File created C:\Windows\System\kBeYkkb.exe C:\Users\Admin\AppData\Local\Temp\4a003d449db0389d0a4dd219177469b4768e0feb64e50c51326995f9f353ef05.exe N/A
File created C:\Windows\System\tGGogDg.exe C:\Users\Admin\AppData\Local\Temp\4a003d449db0389d0a4dd219177469b4768e0feb64e50c51326995f9f353ef05.exe N/A
File created C:\Windows\System\lLSOyEl.exe C:\Users\Admin\AppData\Local\Temp\4a003d449db0389d0a4dd219177469b4768e0feb64e50c51326995f9f353ef05.exe N/A
File created C:\Windows\System\FmTyWDb.exe C:\Users\Admin\AppData\Local\Temp\4a003d449db0389d0a4dd219177469b4768e0feb64e50c51326995f9f353ef05.exe N/A
File created C:\Windows\System\VreqvRi.exe C:\Users\Admin\AppData\Local\Temp\4a003d449db0389d0a4dd219177469b4768e0feb64e50c51326995f9f353ef05.exe N/A
File created C:\Windows\System\FbZkUwj.exe C:\Users\Admin\AppData\Local\Temp\4a003d449db0389d0a4dd219177469b4768e0feb64e50c51326995f9f353ef05.exe N/A
File created C:\Windows\System\jbrHbtG.exe C:\Users\Admin\AppData\Local\Temp\4a003d449db0389d0a4dd219177469b4768e0feb64e50c51326995f9f353ef05.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\4a003d449db0389d0a4dd219177469b4768e0feb64e50c51326995f9f353ef05.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\4a003d449db0389d0a4dd219177469b4768e0feb64e50c51326995f9f353ef05.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
(each parent/child pairing below is logged three times in the trace)
PID 1368 wrote to memory of 2688 N/A C:\Users\Admin\AppData\Local\Temp\4a003d449db0389d0a4dd219177469b4768e0feb64e50c51326995f9f353ef05.exe C:\Windows\System\lLSOyEl.exe
PID 1368 wrote to memory of 2324 N/A C:\Users\Admin\AppData\Local\Temp\4a003d449db0389d0a4dd219177469b4768e0feb64e50c51326995f9f353ef05.exe C:\Windows\System\FmTyWDb.exe
PID 1368 wrote to memory of 2644 N/A C:\Users\Admin\AppData\Local\Temp\4a003d449db0389d0a4dd219177469b4768e0feb64e50c51326995f9f353ef05.exe C:\Windows\System\GbIqvul.exe
PID 1368 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Local\Temp\4a003d449db0389d0a4dd219177469b4768e0feb64e50c51326995f9f353ef05.exe C:\Windows\System\jTRZRXU.exe
PID 1368 wrote to memory of 2760 N/A C:\Users\Admin\AppData\Local\Temp\4a003d449db0389d0a4dd219177469b4768e0feb64e50c51326995f9f353ef05.exe C:\Windows\System\OOnElAd.exe
PID 1368 wrote to memory of 2624 N/A C:\Users\Admin\AppData\Local\Temp\4a003d449db0389d0a4dd219177469b4768e0feb64e50c51326995f9f353ef05.exe C:\Windows\System\VreqvRi.exe
PID 1368 wrote to memory of 2508 N/A C:\Users\Admin\AppData\Local\Temp\4a003d449db0389d0a4dd219177469b4768e0feb64e50c51326995f9f353ef05.exe C:\Windows\System\CKvXAui.exe
PID 1368 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Local\Temp\4a003d449db0389d0a4dd219177469b4768e0feb64e50c51326995f9f353ef05.exe C:\Windows\System\FveXqjH.exe
PID 1368 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Local\Temp\4a003d449db0389d0a4dd219177469b4768e0feb64e50c51326995f9f353ef05.exe C:\Windows\System\QpuowHJ.exe
PID 1368 wrote to memory of 2984 N/A C:\Users\Admin\AppData\Local\Temp\4a003d449db0389d0a4dd219177469b4768e0feb64e50c51326995f9f353ef05.exe C:\Windows\System\FbZkUwj.exe
PID 1368 wrote to memory of 2232 N/A C:\Users\Admin\AppData\Local\Temp\4a003d449db0389d0a4dd219177469b4768e0feb64e50c51326995f9f353ef05.exe C:\Windows\System\JIYbtxZ.exe
PID 1368 wrote to memory of 2620 N/A C:\Users\Admin\AppData\Local\Temp\4a003d449db0389d0a4dd219177469b4768e0feb64e50c51326995f9f353ef05.exe C:\Windows\System\fNtBxgF.exe
PID 1368 wrote to memory of 2788 N/A C:\Users\Admin\AppData\Local\Temp\4a003d449db0389d0a4dd219177469b4768e0feb64e50c51326995f9f353ef05.exe C:\Windows\System\YpFpVIu.exe
PID 1368 wrote to memory of 2212 N/A C:\Users\Admin\AppData\Local\Temp\4a003d449db0389d0a4dd219177469b4768e0feb64e50c51326995f9f353ef05.exe C:\Windows\System\CMrkNEV.exe
PID 1368 wrote to memory of 2184 N/A C:\Users\Admin\AppData\Local\Temp\4a003d449db0389d0a4dd219177469b4768e0feb64e50c51326995f9f353ef05.exe C:\Windows\System\xSrlZKS.exe
PID 1368 wrote to memory of 1532 N/A C:\Users\Admin\AppData\Local\Temp\4a003d449db0389d0a4dd219177469b4768e0feb64e50c51326995f9f353ef05.exe C:\Windows\System\XUXNoJV.exe
PID 1368 wrote to memory of 1504 N/A C:\Users\Admin\AppData\Local\Temp\4a003d449db0389d0a4dd219177469b4768e0feb64e50c51326995f9f353ef05.exe C:\Windows\System\kBeYkkb.exe
PID 1368 wrote to memory of 1848 N/A C:\Users\Admin\AppData\Local\Temp\4a003d449db0389d0a4dd219177469b4768e0feb64e50c51326995f9f353ef05.exe C:\Windows\System\zzxsCTA.exe
PID 1368 wrote to memory of 1428 N/A C:\Users\Admin\AppData\Local\Temp\4a003d449db0389d0a4dd219177469b4768e0feb64e50c51326995f9f353ef05.exe C:\Windows\System\NGowYdf.exe
PID 1368 wrote to memory of 756 N/A C:\Users\Admin\AppData\Local\Temp\4a003d449db0389d0a4dd219177469b4768e0feb64e50c51326995f9f353ef05.exe C:\Windows\System\tGGogDg.exe
PID 1368 wrote to memory of 344 N/A C:\Users\Admin\AppData\Local\Temp\4a003d449db0389d0a4dd219177469b4768e0feb64e50c51326995f9f353ef05.exe C:\Windows\System\jbrHbtG.exe

Processes

C:\Users\Admin\AppData\Local\Temp\4a003d449db0389d0a4dd219177469b4768e0feb64e50c51326995f9f353ef05.exe

"C:\Users\Admin\AppData\Local\Temp\4a003d449db0389d0a4dd219177469b4768e0feb64e50c51326995f9f353ef05.exe"

C:\Windows\System\lLSOyEl.exe

C:\Windows\System\lLSOyEl.exe

C:\Windows\System\FmTyWDb.exe

C:\Windows\System\FmTyWDb.exe

C:\Windows\System\GbIqvul.exe

C:\Windows\System\GbIqvul.exe

C:\Windows\System\jTRZRXU.exe

C:\Windows\System\jTRZRXU.exe

C:\Windows\System\OOnElAd.exe

C:\Windows\System\OOnElAd.exe

C:\Windows\System\VreqvRi.exe

C:\Windows\System\VreqvRi.exe

C:\Windows\System\CKvXAui.exe

C:\Windows\System\CKvXAui.exe

C:\Windows\System\FveXqjH.exe

C:\Windows\System\FveXqjH.exe

C:\Windows\System\QpuowHJ.exe

C:\Windows\System\QpuowHJ.exe

C:\Windows\System\FbZkUwj.exe

C:\Windows\System\FbZkUwj.exe

C:\Windows\System\JIYbtxZ.exe

C:\Windows\System\JIYbtxZ.exe

C:\Windows\System\fNtBxgF.exe

C:\Windows\System\fNtBxgF.exe

C:\Windows\System\YpFpVIu.exe

C:\Windows\System\YpFpVIu.exe

C:\Windows\System\CMrkNEV.exe

C:\Windows\System\CMrkNEV.exe

C:\Windows\System\xSrlZKS.exe

C:\Windows\System\xSrlZKS.exe

C:\Windows\System\XUXNoJV.exe

C:\Windows\System\XUXNoJV.exe

C:\Windows\System\kBeYkkb.exe

C:\Windows\System\kBeYkkb.exe

C:\Windows\System\zzxsCTA.exe

C:\Windows\System\zzxsCTA.exe

C:\Windows\System\NGowYdf.exe

C:\Windows\System\NGowYdf.exe

C:\Windows\System\tGGogDg.exe

C:\Windows\System\tGGogDg.exe

C:\Windows\System\jbrHbtG.exe

C:\Windows\System\jbrHbtG.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 tcp
(6 identical rows)

Files

\Windows\system\lLSOyEl.exe
\Windows\system\FmTyWDb.exe
C:\Windows\system\GbIqvul.exe
\Windows\system\jTRZRXU.exe
C:\Windows\system\CKvXAui.exe
C:\Windows\system\FveXqjH.exe
C:\Windows\system\JIYbtxZ.exe
C:\Windows\system\XUXNoJV.exe
C:\Windows\system\NGowYdf.exe
C:\Windows\system\jbrHbtG.exe
C:\Windows\system\tGGogDg.exe
C:\Windows\system\zzxsCTA.exe
C:\Windows\system\kBeYkkb.exe
C:\Windows\system\xSrlZKS.exe
C:\Windows\system\CMrkNEV.exe
C:\Windows\system\YpFpVIu.exe
C:\Windows\system\fNtBxgF.exe
C:\Windows\system\FbZkUwj.exe
C:\Windows\system\QpuowHJ.exe
C:\Windows\system\VreqvRi.exe
C:\Windows\system\OOnElAd.exe

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-01 08:07

Reported

2024-06-01 08:09

Platform

win10v2004-20240508-en

Max time kernel

148s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4a003d449db0389d0a4dd219177469b4768e0feb64e50c51326995f9f353ef05.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\wybjcZC.exe C:\Users\Admin\AppData\Local\Temp\4a003d449db0389d0a4dd219177469b4768e0feb64e50c51326995f9f353ef05.exe N/A
File created C:\Windows\System\BKkPGFO.exe C:\Users\Admin\AppData\Local\Temp\4a003d449db0389d0a4dd219177469b4768e0feb64e50c51326995f9f353ef05.exe N/A
File created C:\Windows\System\HfoIWvE.exe C:\Users\Admin\AppData\Local\Temp\4a003d449db0389d0a4dd219177469b4768e0feb64e50c51326995f9f353ef05.exe N/A
File created C:\Windows\System\fUMAokU.exe C:\Users\Admin\AppData\Local\Temp\4a003d449db0389d0a4dd219177469b4768e0feb64e50c51326995f9f353ef05.exe N/A
File created C:\Windows\System\eRxPTjs.exe C:\Users\Admin\AppData\Local\Temp\4a003d449db0389d0a4dd219177469b4768e0feb64e50c51326995f9f353ef05.exe N/A
File created C:\Windows\System\pTrVMEo.exe C:\Users\Admin\AppData\Local\Temp\4a003d449db0389d0a4dd219177469b4768e0feb64e50c51326995f9f353ef05.exe N/A
File created C:\Windows\System\MvsHskj.exe C:\Users\Admin\AppData\Local\Temp\4a003d449db0389d0a4dd219177469b4768e0feb64e50c51326995f9f353ef05.exe N/A
File created C:\Windows\System\XxWBxNg.exe C:\Users\Admin\AppData\Local\Temp\4a003d449db0389d0a4dd219177469b4768e0feb64e50c51326995f9f353ef05.exe N/A
File created C:\Windows\System\mVzebEf.exe C:\Users\Admin\AppData\Local\Temp\4a003d449db0389d0a4dd219177469b4768e0feb64e50c51326995f9f353ef05.exe N/A
File created C:\Windows\System\onmtIXe.exe C:\Users\Admin\AppData\Local\Temp\4a003d449db0389d0a4dd219177469b4768e0feb64e50c51326995f9f353ef05.exe N/A
File created C:\Windows\System\RVMyYeQ.exe C:\Users\Admin\AppData\Local\Temp\4a003d449db0389d0a4dd219177469b4768e0feb64e50c51326995f9f353ef05.exe N/A
File created C:\Windows\System\KbvkmzN.exe C:\Users\Admin\AppData\Local\Temp\4a003d449db0389d0a4dd219177469b4768e0feb64e50c51326995f9f353ef05.exe N/A
File created C:\Windows\System\QBqBdAM.exe C:\Users\Admin\AppData\Local\Temp\4a003d449db0389d0a4dd219177469b4768e0feb64e50c51326995f9f353ef05.exe N/A
File created C:\Windows\System\YCPbotk.exe C:\Users\Admin\AppData\Local\Temp\4a003d449db0389d0a4dd219177469b4768e0feb64e50c51326995f9f353ef05.exe N/A
File created C:\Windows\System\SRmDchL.exe C:\Users\Admin\AppData\Local\Temp\4a003d449db0389d0a4dd219177469b4768e0feb64e50c51326995f9f353ef05.exe N/A
File created C:\Windows\System\ffprlOo.exe C:\Users\Admin\AppData\Local\Temp\4a003d449db0389d0a4dd219177469b4768e0feb64e50c51326995f9f353ef05.exe N/A
File created C:\Windows\System\gsERvsY.exe C:\Users\Admin\AppData\Local\Temp\4a003d449db0389d0a4dd219177469b4768e0feb64e50c51326995f9f353ef05.exe N/A
File created C:\Windows\System\wEUAKsF.exe C:\Users\Admin\AppData\Local\Temp\4a003d449db0389d0a4dd219177469b4768e0feb64e50c51326995f9f353ef05.exe N/A
File created C:\Windows\System\IzoSVAd.exe C:\Users\Admin\AppData\Local\Temp\4a003d449db0389d0a4dd219177469b4768e0feb64e50c51326995f9f353ef05.exe N/A
File created C:\Windows\System\fpkzGig.exe C:\Users\Admin\AppData\Local\Temp\4a003d449db0389d0a4dd219177469b4768e0feb64e50c51326995f9f353ef05.exe N/A
File created C:\Windows\System\fAJeJru.exe C:\Users\Admin\AppData\Local\Temp\4a003d449db0389d0a4dd219177469b4768e0feb64e50c51326995f9f353ef05.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\4a003d449db0389d0a4dd219177469b4768e0feb64e50c51326995f9f353ef05.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\4a003d449db0389d0a4dd219177469b4768e0feb64e50c51326995f9f353ef05.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 232 wrote to memory of 924 N/A C:\Users\Admin\AppData\Local\Temp\4a003d449db0389d0a4dd219177469b4768e0feb64e50c51326995f9f353ef05.exe C:\Windows\System\onmtIXe.exe
PID 232 wrote to memory of 924 N/A C:\Users\Admin\AppData\Local\Temp\4a003d449db0389d0a4dd219177469b4768e0feb64e50c51326995f9f353ef05.exe C:\Windows\System\onmtIXe.exe
PID 232 wrote to memory of 4692 N/A C:\Users\Admin\AppData\Local\Temp\4a003d449db0389d0a4dd219177469b4768e0feb64e50c51326995f9f353ef05.exe C:\Windows\System\RVMyYeQ.exe
PID 232 wrote to memory of 4692 N/A C:\Users\Admin\AppData\Local\Temp\4a003d449db0389d0a4dd219177469b4768e0feb64e50c51326995f9f353ef05.exe C:\Windows\System\RVMyYeQ.exe
PID 232 wrote to memory of 1056 N/A C:\Users\Admin\AppData\Local\Temp\4a003d449db0389d0a4dd219177469b4768e0feb64e50c51326995f9f353ef05.exe C:\Windows\System\pTrVMEo.exe
PID 232 wrote to memory of 1056 N/A C:\Users\Admin\AppData\Local\Temp\4a003d449db0389d0a4dd219177469b4768e0feb64e50c51326995f9f353ef05.exe C:\Windows\System\pTrVMEo.exe
PID 232 wrote to memory of 4192 N/A C:\Users\Admin\AppData\Local\Temp\4a003d449db0389d0a4dd219177469b4768e0feb64e50c51326995f9f353ef05.exe C:\Windows\System\KbvkmzN.exe
PID 232 wrote to memory of 4192 N/A C:\Users\Admin\AppData\Local\Temp\4a003d449db0389d0a4dd219177469b4768e0feb64e50c51326995f9f353ef05.exe C:\Windows\System\KbvkmzN.exe
PID 232 wrote to memory of 2792 N/A C:\Users\Admin\AppData\Local\Temp\4a003d449db0389d0a4dd219177469b4768e0feb64e50c51326995f9f353ef05.exe C:\Windows\System\fpkzGig.exe
PID 232 wrote to memory of 2792 N/A C:\Users\Admin\AppData\Local\Temp\4a003d449db0389d0a4dd219177469b4768e0feb64e50c51326995f9f353ef05.exe C:\Windows\System\fpkzGig.exe
PID 232 wrote to memory of 3480 N/A C:\Users\Admin\AppData\Local\Temp\4a003d449db0389d0a4dd219177469b4768e0feb64e50c51326995f9f353ef05.exe C:\Windows\System\fAJeJru.exe
PID 232 wrote to memory of 3480 N/A C:\Users\Admin\AppData\Local\Temp\4a003d449db0389d0a4dd219177469b4768e0feb64e50c51326995f9f353ef05.exe C:\Windows\System\fAJeJru.exe
PID 232 wrote to memory of 1560 N/A C:\Users\Admin\AppData\Local\Temp\4a003d449db0389d0a4dd219177469b4768e0feb64e50c51326995f9f353ef05.exe C:\Windows\System\MvsHskj.exe
PID 232 wrote to memory of 1560 N/A C:\Users\Admin\AppData\Local\Temp\4a003d449db0389d0a4dd219177469b4768e0feb64e50c51326995f9f353ef05.exe C:\Windows\System\MvsHskj.exe
PID 232 wrote to memory of 3988 N/A C:\Users\Admin\AppData\Local\Temp\4a003d449db0389d0a4dd219177469b4768e0feb64e50c51326995f9f353ef05.exe C:\Windows\System\YCPbotk.exe
PID 232 wrote to memory of 3988 N/A C:\Users\Admin\AppData\Local\Temp\4a003d449db0389d0a4dd219177469b4768e0feb64e50c51326995f9f353ef05.exe C:\Windows\System\YCPbotk.exe
PID 232 wrote to memory of 1012 N/A C:\Users\Admin\AppData\Local\Temp\4a003d449db0389d0a4dd219177469b4768e0feb64e50c51326995f9f353ef05.exe C:\Windows\System\SRmDchL.exe
PID 232 wrote to memory of 1012 N/A C:\Users\Admin\AppData\Local\Temp\4a003d449db0389d0a4dd219177469b4768e0feb64e50c51326995f9f353ef05.exe C:\Windows\System\SRmDchL.exe
PID 232 wrote to memory of 3520 N/A C:\Users\Admin\AppData\Local\Temp\4a003d449db0389d0a4dd219177469b4768e0feb64e50c51326995f9f353ef05.exe C:\Windows\System\QBqBdAM.exe
PID 232 wrote to memory of 3520 N/A C:\Users\Admin\AppData\Local\Temp\4a003d449db0389d0a4dd219177469b4768e0feb64e50c51326995f9f353ef05.exe C:\Windows\System\QBqBdAM.exe
PID 232 wrote to memory of 3192 N/A C:\Users\Admin\AppData\Local\Temp\4a003d449db0389d0a4dd219177469b4768e0feb64e50c51326995f9f353ef05.exe C:\Windows\System\fUMAokU.exe
PID 232 wrote to memory of 3192 N/A C:\Users\Admin\AppData\Local\Temp\4a003d449db0389d0a4dd219177469b4768e0feb64e50c51326995f9f353ef05.exe C:\Windows\System\fUMAokU.exe
PID 232 wrote to memory of 4676 N/A C:\Users\Admin\AppData\Local\Temp\4a003d449db0389d0a4dd219177469b4768e0feb64e50c51326995f9f353ef05.exe C:\Windows\System\ffprlOo.exe
PID 232 wrote to memory of 4676 N/A C:\Users\Admin\AppData\Local\Temp\4a003d449db0389d0a4dd219177469b4768e0feb64e50c51326995f9f353ef05.exe C:\Windows\System\ffprlOo.exe
PID 232 wrote to memory of 2312 N/A C:\Users\Admin\AppData\Local\Temp\4a003d449db0389d0a4dd219177469b4768e0feb64e50c51326995f9f353ef05.exe C:\Windows\System\XxWBxNg.exe
PID 232 wrote to memory of 2312 N/A C:\Users\Admin\AppData\Local\Temp\4a003d449db0389d0a4dd219177469b4768e0feb64e50c51326995f9f353ef05.exe C:\Windows\System\XxWBxNg.exe
PID 232 wrote to memory of 2028 N/A C:\Users\Admin\AppData\Local\Temp\4a003d449db0389d0a4dd219177469b4768e0feb64e50c51326995f9f353ef05.exe C:\Windows\System\eRxPTjs.exe
PID 232 wrote to memory of 2028 N/A C:\Users\Admin\AppData\Local\Temp\4a003d449db0389d0a4dd219177469b4768e0feb64e50c51326995f9f353ef05.exe C:\Windows\System\eRxPTjs.exe
PID 232 wrote to memory of 1088 N/A C:\Users\Admin\AppData\Local\Temp\4a003d449db0389d0a4dd219177469b4768e0feb64e50c51326995f9f353ef05.exe C:\Windows\System\wybjcZC.exe
PID 232 wrote to memory of 1088 N/A C:\Users\Admin\AppData\Local\Temp\4a003d449db0389d0a4dd219177469b4768e0feb64e50c51326995f9f353ef05.exe C:\Windows\System\wybjcZC.exe
PID 232 wrote to memory of 4468 N/A C:\Users\Admin\AppData\Local\Temp\4a003d449db0389d0a4dd219177469b4768e0feb64e50c51326995f9f353ef05.exe C:\Windows\System\gsERvsY.exe
PID 232 wrote to memory of 4468 N/A C:\Users\Admin\AppData\Local\Temp\4a003d449db0389d0a4dd219177469b4768e0feb64e50c51326995f9f353ef05.exe C:\Windows\System\gsERvsY.exe
PID 232 wrote to memory of 1300 N/A C:\Users\Admin\AppData\Local\Temp\4a003d449db0389d0a4dd219177469b4768e0feb64e50c51326995f9f353ef05.exe C:\Windows\System\BKkPGFO.exe
PID 232 wrote to memory of 1300 N/A C:\Users\Admin\AppData\Local\Temp\4a003d449db0389d0a4dd219177469b4768e0feb64e50c51326995f9f353ef05.exe C:\Windows\System\BKkPGFO.exe
PID 232 wrote to memory of 2932 N/A C:\Users\Admin\AppData\Local\Temp\4a003d449db0389d0a4dd219177469b4768e0feb64e50c51326995f9f353ef05.exe C:\Windows\System\wEUAKsF.exe
PID 232 wrote to memory of 2932 N/A C:\Users\Admin\AppData\Local\Temp\4a003d449db0389d0a4dd219177469b4768e0feb64e50c51326995f9f353ef05.exe C:\Windows\System\wEUAKsF.exe
PID 232 wrote to memory of 3956 N/A C:\Users\Admin\AppData\Local\Temp\4a003d449db0389d0a4dd219177469b4768e0feb64e50c51326995f9f353ef05.exe C:\Windows\System\HfoIWvE.exe
PID 232 wrote to memory of 3956 N/A C:\Users\Admin\AppData\Local\Temp\4a003d449db0389d0a4dd219177469b4768e0feb64e50c51326995f9f353ef05.exe C:\Windows\System\HfoIWvE.exe
PID 232 wrote to memory of 1972 N/A C:\Users\Admin\AppData\Local\Temp\4a003d449db0389d0a4dd219177469b4768e0feb64e50c51326995f9f353ef05.exe C:\Windows\System\IzoSVAd.exe
PID 232 wrote to memory of 1972 N/A C:\Users\Admin\AppData\Local\Temp\4a003d449db0389d0a4dd219177469b4768e0feb64e50c51326995f9f353ef05.exe C:\Windows\System\IzoSVAd.exe
PID 232 wrote to memory of 2352 N/A C:\Users\Admin\AppData\Local\Temp\4a003d449db0389d0a4dd219177469b4768e0feb64e50c51326995f9f353ef05.exe C:\Windows\System\mVzebEf.exe
PID 232 wrote to memory of 2352 N/A C:\Users\Admin\AppData\Local\Temp\4a003d449db0389d0a4dd219177469b4768e0feb64e50c51326995f9f353ef05.exe C:\Windows\System\mVzebEf.exe

Processes

C:\Users\Admin\AppData\Local\Temp\4a003d449db0389d0a4dd219177469b4768e0feb64e50c51326995f9f353ef05.exe

"C:\Users\Admin\AppData\Local\Temp\4a003d449db0389d0a4dd219177469b4768e0feb64e50c51326995f9f353ef05.exe"

C:\Windows\System\onmtIXe.exe

C:\Windows\System\onmtIXe.exe

C:\Windows\System\RVMyYeQ.exe

C:\Windows\System\RVMyYeQ.exe

C:\Windows\System\pTrVMEo.exe

C:\Windows\System\pTrVMEo.exe

C:\Windows\System\KbvkmzN.exe

C:\Windows\System\KbvkmzN.exe

C:\Windows\System\fpkzGig.exe

C:\Windows\System\fpkzGig.exe

C:\Windows\System\fAJeJru.exe

C:\Windows\System\fAJeJru.exe

C:\Windows\System\MvsHskj.exe

C:\Windows\System\MvsHskj.exe

C:\Windows\System\YCPbotk.exe

C:\Windows\System\YCPbotk.exe

C:\Windows\System\SRmDchL.exe

C:\Windows\System\SRmDchL.exe

C:\Windows\System\QBqBdAM.exe

C:\Windows\System\QBqBdAM.exe

C:\Windows\System\fUMAokU.exe

C:\Windows\System\fUMAokU.exe

C:\Windows\System\ffprlOo.exe

C:\Windows\System\ffprlOo.exe

C:\Windows\System\XxWBxNg.exe

C:\Windows\System\XxWBxNg.exe

C:\Windows\System\eRxPTjs.exe

C:\Windows\System\eRxPTjs.exe

C:\Windows\System\wybjcZC.exe

C:\Windows\System\wybjcZC.exe

C:\Windows\System\gsERvsY.exe

C:\Windows\System\gsERvsY.exe

C:\Windows\System\BKkPGFO.exe

C:\Windows\System\BKkPGFO.exe

C:\Windows\System\wEUAKsF.exe

C:\Windows\System\wEUAKsF.exe

C:\Windows\System\HfoIWvE.exe

C:\Windows\System\HfoIWvE.exe

C:\Windows\System\IzoSVAd.exe

C:\Windows\System\IzoSVAd.exe

C:\Windows\System\mVzebEf.exe

C:\Windows\System\mVzebEf.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 80.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
NL 23.62.61.155:443 www.bing.com tcp
US 8.8.8.8:53 155.61.62.23.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 199.111.78.13.in-addr.arpa udp

Files

memory/232-0-0x00007FF7DDF90000-0x00007FF7DE2E4000-memory.dmp

memory/232-1-0x000001F33B5D0000-0x000001F33B5E0000-memory.dmp

C:\Windows\System\onmtIXe.exe

MD5 e679f4ca49c1df50975909184bb1d065
SHA1 88dbb0ebeff324f46d45fe109a11d06b4bb75a59
SHA256 220628030f61cf49d2ea0eac73a743ffd68b3b988966c81efa8ec2a6b643ed07
SHA512 3590121a622b1ed0f1ea013dd4ca4c38be6b3cae5e35fe9d311d4c1ea174658599ad1ed7cd7e17836ab7e9cd4d0f9491581c9bf74c67ef1fb9989b3418a8afd1

memory/924-8-0x00007FF7CDE80000-0x00007FF7CE1D4000-memory.dmp

C:\Windows\System\RVMyYeQ.exe

MD5 14274e812e43adbbff127cf870b70726
SHA1 4b1b406a014e9cfc412786ebacadd62f0f1988c3
SHA256 3aace6a5b9658cbbd307cc3ff82e6e1080fdf23cab2b179291c30f95544cc440
SHA512 34610ef99e95aaa0fc634838e8dd02d9dbdbca6aee3ceefaacb2114a772af30caf098e584436e28a6d15cf6df73da91a55fe13d915a6838a73d61ce0d7eef1b9

memory/4692-14-0x00007FF651320000-0x00007FF651674000-memory.dmp

C:\Windows\System\pTrVMEo.exe

MD5 d47a8b0923e0619402c8043c91eb2cc0
SHA1 858ed8be36579c57cb0b24031752d4c4e373933b
SHA256 5fc4deee1fbd0070121ac4da3fdee75ee24e0caa289b8006294309dedf26f0d0
SHA512 3713257aa08e2d307ed2c6957e417d87915fd69dd5bdde0958b3688f9de8a99d3b02a5e659fe69f2e992545be479984016da91c2a10172d7298b989ea9dc35f5

memory/1056-20-0x00007FF68F0D0000-0x00007FF68F424000-memory.dmp

C:\Windows\System\KbvkmzN.exe

MD5 c87beac0b3b8a45e8ca9e7ae4594d363
SHA1 e9db31df6894b66c09ff1feb2c80cc0a208f9943
SHA256 ab397070639d9b977a255f5e5352745509a8c791e1a638e265b76a532b82a922
SHA512 be315555f9d84bdcd736952042ed079a09dd0b6007c63f0927ad236ac52eb18cd1a530c998e6133e6ee8ff0cc2a6750fa42d726779d812e6b1588998db975ca4

memory/4192-26-0x00007FF6CC980000-0x00007FF6CCCD4000-memory.dmp

C:\Windows\System\fpkzGig.exe

MD5 7d53a366fd1957bf55e667889ce442c0
SHA1 baa1471f39f88e103dfb816522466541fc099b82
SHA256 de7677e294a6b94e98ace5b06ae57047de0f1590b307e1f6a22bec2da6e9ef67
SHA512 0a1299e428a155afaeee591a9d2077847df07c3ee916f41660244e222c27032a70a25bd4a36dc08ecfe02712e5ecee1e9a4e005c3f63dc6442f8321dba62bc79

C:\Windows\System\fAJeJru.exe

MD5 fe932f4a21cbb001c1f0314909429a18
SHA1 835606a9e8981106dfb28176e01ea7c6fd8ee1e9
SHA256 8d713d2962fd502cdf5086e7ddc0508aff11dcc9498fcfe2ccd8095760fef466
SHA512 86b0dc70d427763630133b51f4854d807c71eeda7fee9b0464226ddde6d3a2973c6acdbe7d85a38c7b874f6bb814f593eec411aeb0fc627dcba8aaf87e28d330

C:\Windows\System\MvsHskj.exe

MD5 e68ebf14ed5e4724c13413ad830c5070
SHA1 0e6c379ec2a2819c8728d8fa769a2291215a8d2e
SHA256 3f4ad9205f1763d32e0f180d1ae0a1abd84dbe1cda88083759011a316e4e373f
SHA512 e6e4938b373842626c44080d47af4ae550430e927c286b3db851c404639f35e5b61488d7bbe49f9f11371e2c287ae18af4a567cebe7d0f264ca5e93df235163e

C:\Windows\System\YCPbotk.exe

MD5 da548b729d9d58a4f3ce21bca84fdbff
SHA1 ff1f7656abb69c902b3b785f4f8d589af1920d71
SHA256 83739098e9c35fa98176e3ce9bcb6e3179f5ea9b58a8c7ef28c8f3f884f9e814
SHA512 9c37b199608af676638e65a9dcb906f0ae99e91ad0c12c86686876708edd6627b37ceee717f4db71120d25dc0fa24efa395e925ef94a38017ad2ba3dfc85af48

memory/3988-48-0x00007FF63CC10000-0x00007FF63CF64000-memory.dmp

memory/1560-44-0x00007FF64BC60000-0x00007FF64BFB4000-memory.dmp

memory/3480-40-0x00007FF7CA730000-0x00007FF7CAA84000-memory.dmp

memory/2792-32-0x00007FF6D01E0000-0x00007FF6D0534000-memory.dmp

C:\Windows\System\SRmDchL.exe

MD5 634be665a006528990ae84ba36ffceb3
SHA1 1d924607e3f96f8f810aa0f40d703d2371a67bd0
SHA256 020538ed299539ec7ee9f650020b2a948a09fc79827836cd75315dc7551521e3
SHA512 883044cf7ad131948bc8370bfd3acefeace6b9b18ed092095a9c9000add70cc355fb29317f28dfc449f095206aab464422ef745b80d7509a7f9af1a5baa5c07a

C:\Windows\System\QBqBdAM.exe

MD5 f94c6decc7fdc0ce9b50730cf9361720
SHA1 8c4ff8702c7b2cce646a93c704d6b56e22165023
SHA256 50660bc7a2ae8382e8647e22b3ea94144e82b6c31b39d4e76588207e3e9d5a33
SHA512 b2d1b947b95eb27266d6de4420efb51fd8aa2eab0f7d1fb5f02b9dcad6e646ec43317945707a262a450173c4dcadb310db3288ab517adf3eb4b3442df078b9b2

memory/1012-58-0x00007FF7F9F20000-0x00007FF7FA274000-memory.dmp

C:\Windows\System\ffprlOo.exe

MD5 b5848164f286a308687fdf36e66850f3
SHA1 048e0e6a0ac89e52e3fde60ab3b00e10928a0a98
SHA256 dcd6e32671f766c11db5b42b8f4626ca3c1c859f10b5498e9bde10a9829002d8
SHA512 d7c205ac246641d7f42bddfc14f46907451287edba4c7d9bea05cc7a1017e24c46291c6f1ac78816487e1acf110fc35431c18a751e7ccb5bf592df8432738a96

C:\Windows\System\fUMAokU.exe

MD5 6e87e6a72a2069dcd93727bb1a9c1026
SHA1 4fec99071f416bdb5de5fa5170a6e361671a85f5
SHA256 5e47c7f7d3fb882e57f9740bd540d4af4db45024f53c41ce5a54adde531f9a74
SHA512 b5b2da7fb5d1d4f7c6f42cf33e56605199875f948abc1fa28ca9f8895f59a776e5478fe7f63751751215eeeb65e84e3904c2f28e04eb3b8b89440d7d5f6b8e3b

C:\Windows\System\XxWBxNg.exe

MD5 b1d52f5e6671339cb2bb678eb28a476d
SHA1 ff7225aea39bca4415d1159038cfdb8d5fe748d8
SHA256 da6a156bb554e8579b279003c044685562302999b116b4b739db2a8928880dbe
SHA512 6f72d36c7308c6b767d4cb6bb4b0900fc39394bd385ea6323258e43f54abf21fba6e0061a22ad2ef2da73bcceb1c689206582edf41743eef642e44293f1287a8

memory/2312-85-0x00007FF7B1510000-0x00007FF7B1864000-memory.dmp

memory/1088-89-0x00007FF671FF0000-0x00007FF672344000-memory.dmp

C:\Windows\System\wybjcZC.exe

MD5 50a75ddada829206da860a046693ab6c
SHA1 020382de1e8f8e9ad8e70c154ae9f57ed48e01c2
SHA256 6a166a03ac4d032e21730f4a1516d6c601e27d443df1b92c7e48532fcba20ae8
SHA512 7e9a67a31fb558431ffebde702b8bcf9e23d491c13f58a2d110812ed3697e9c99ba2796b6538d2fd192bd3153de3579e5eadf4ac950aa1e2711e0a1a247d3db4

C:\Windows\System\eRxPTjs.exe

MD5 78241c6b89e9b66a229a30aa2c4bab14
SHA1 43079bae1bf0ec59c62263e570f9a96b3cf8f72f
SHA256 a945e40eeea677a4bccccb178a0da40e1440bffa428261b77f65bb4b4c2e7641
SHA512 3afcec0a6b9bb9b958e96566333caf568840eea9f98bb46ad0d4ca2126700a45e96d05a621395b390e13925bf6605b87927bb2989c4e182db8835d4f8fe78ff0

memory/2028-91-0x00007FF6150E0000-0x00007FF615434000-memory.dmp

memory/4676-77-0x00007FF6EB3F0000-0x00007FF6EB744000-memory.dmp

memory/4692-76-0x00007FF651320000-0x00007FF651674000-memory.dmp

memory/3192-71-0x00007FF7B0F40000-0x00007FF7B1294000-memory.dmp

memory/924-69-0x00007FF7CDE80000-0x00007FF7CE1D4000-memory.dmp

memory/3520-68-0x00007FF75E120000-0x00007FF75E474000-memory.dmp

memory/232-64-0x00007FF7DDF90000-0x00007FF7DE2E4000-memory.dmp

C:\Windows\System\gsERvsY.exe

MD5 e929b7134b7750cfeba5412c083d6b7d
SHA1 b512d4963384d11c0d202063304810fa4f6f4b9d
SHA256 a46cea3f718cd4ad7f5853d3f4e7348ea82617292415a08ca7fb46a9ec410098
SHA512 26d99dda810ba0832577dd85968c69adacdfbce35766d925e4f653075c14e90ef117a55ee58440f10239e7daaeb2df9f65014071002b864c51652967b08a8e1a

C:\Windows\System\BKkPGFO.exe

MD5 e56c33a46d128497772d08146c7cfcec
SHA1 0b96aaea43991a034e3af19fb4265ef47e719a7d
SHA256 49a27d881d09fc9775d17bdfac578ab3f178646d4f4264f29bff4b549e69842e
SHA512 0e9c39b1ee8a687a47cc89a194ffda4e23b795857d75ee59e87647f611d648f4507a5962a843685f69f7c1a2efcb47619d5f8d6636ecff92624892e6a96c9f6c

memory/4468-109-0x00007FF77FDC0000-0x00007FF780114000-memory.dmp

C:\Windows\System\HfoIWvE.exe

MD5 95f0e415e31a1cba880fca7884823b63
SHA1 bd9e8546c8c9b40e78e0cd2e9bba8f1416cf6b92
SHA256 1efc13443eb12d5d113fed34796c2ed029de4db1fa1958489452138847475c5c
SHA512 7aa045c0484a8c1b7536093dee37af91ac18b5581a522cca58a8b556eafcbae74a8494b65fff9d34776245c078465279d71610ea44d5f99f6006d901aad45c65

memory/2932-115-0x00007FF7B6B80000-0x00007FF7B6ED4000-memory.dmp

C:\Windows\System\wEUAKsF.exe

MD5 1786900d6364385baa1b9b8b7ec8bff9
SHA1 ae50b1209adadf3d60214a7f910a1c40d98256ec
SHA256 e80f8aa3efbb820c3b2dc3f41f9d253dbcdc9f545051cd4a73b4eca0445d5a2f
SHA512 aa98e3f2fa375f3ab2419b3ff30644a403ebe5e2296940659e9296aa5b10a7488a8787a63ceb58b17a55b834e84b890cb471b1d08a5bf5a3c3367d3f1a14cfbd

memory/3956-116-0x00007FF66D470000-0x00007FF66D7C4000-memory.dmp

memory/1560-111-0x00007FF64BC60000-0x00007FF64BFB4000-memory.dmp

memory/1300-110-0x00007FF6C04A0000-0x00007FF6C07F4000-memory.dmp

C:\Windows\System\IzoSVAd.exe

MD5 6d99d05097aeeb91601c9b8fd2d803de
SHA1 7cf57ca261a0c101ebf4691f4917b2aadf9f68f2
SHA256 accfc3ea48ded9cfe8c68f8816bb4aaf3a36dc056611cbeea57bb8e61459cbde
SHA512 490d165ef60376d22f9a72b759e4ec4ffbdb8a87d4e69742108e1031ba912c2ef7bb24e75e7325dad8dc179bab26472a89a54d42220f0b779bbf08fd598788f0

memory/1972-126-0x00007FF73AC70000-0x00007FF73AFC4000-memory.dmp

memory/3988-124-0x00007FF63CC10000-0x00007FF63CF64000-memory.dmp

C:\Windows\System\mVzebEf.exe

MD5 6824c05938272f5094002105a2539585
SHA1 e2a908da8083842ce53b5cbb053edc25c46ef28a
SHA256 08a17823a2867ae8fc50468f082f970554488c2ad4c104e53ee20b56a4fefb89
SHA512 46aa34781919d834d7baf624235983eb82bc5d9df0d5845694793fec854fcde38ea42ad918e19f1d1f705888c0387b7e3cc901b13dcc9ff42c0705b905ce7bf1

memory/2352-132-0x00007FF6836D0000-0x00007FF683A24000-memory.dmp

memory/3192-133-0x00007FF7B0F40000-0x00007FF7B1294000-memory.dmp

memory/4676-134-0x00007FF6EB3F0000-0x00007FF6EB744000-memory.dmp

memory/1088-135-0x00007FF671FF0000-0x00007FF672344000-memory.dmp

memory/2028-136-0x00007FF6150E0000-0x00007FF615434000-memory.dmp

memory/2932-137-0x00007FF7B6B80000-0x00007FF7B6ED4000-memory.dmp

memory/3956-138-0x00007FF66D470000-0x00007FF66D7C4000-memory.dmp

memory/1972-139-0x00007FF73AC70000-0x00007FF73AFC4000-memory.dmp

memory/924-140-0x00007FF7CDE80000-0x00007FF7CE1D4000-memory.dmp

memory/4692-141-0x00007FF651320000-0x00007FF651674000-memory.dmp

memory/1056-142-0x00007FF68F0D0000-0x00007FF68F424000-memory.dmp

memory/4192-143-0x00007FF6CC980000-0x00007FF6CCCD4000-memory.dmp

memory/2792-144-0x00007FF6D01E0000-0x00007FF6D0534000-memory.dmp

memory/3480-145-0x00007FF7CA730000-0x00007FF7CAA84000-memory.dmp

memory/1560-146-0x00007FF64BC60000-0x00007FF64BFB4000-memory.dmp

memory/3988-147-0x00007FF63CC10000-0x00007FF63CF64000-memory.dmp

memory/1012-148-0x00007FF7F9F20000-0x00007FF7FA274000-memory.dmp

memory/3520-149-0x00007FF75E120000-0x00007FF75E474000-memory.dmp

memory/4676-150-0x00007FF6EB3F0000-0x00007FF6EB744000-memory.dmp

memory/2312-151-0x00007FF7B1510000-0x00007FF7B1864000-memory.dmp

memory/3192-152-0x00007FF7B0F40000-0x00007FF7B1294000-memory.dmp

memory/1088-153-0x00007FF671FF0000-0x00007FF672344000-memory.dmp

memory/2028-154-0x00007FF6150E0000-0x00007FF615434000-memory.dmp

memory/4468-155-0x00007FF77FDC0000-0x00007FF780114000-memory.dmp

memory/1300-156-0x00007FF6C04A0000-0x00007FF6C07F4000-memory.dmp

memory/2932-157-0x00007FF7B6B80000-0x00007FF7B6ED4000-memory.dmp

memory/3956-158-0x00007FF66D470000-0x00007FF66D7C4000-memory.dmp

memory/1972-159-0x00007FF73AC70000-0x00007FF73AFC4000-memory.dmp

memory/2352-160-0x00007FF6836D0000-0x00007FF683A24000-memory.dmp