Malware Analysis Report

2025-01-22 19:34

Sample ID 240601-mhw58shh7x
Target dd1a553a4f8d1d1a97d9b9b54b6416bf545c430564bf093ed412da240dd6b45e
SHA256 dd1a553a4f8d1d1a97d9b9b54b6416bf545c430564bf093ed412da240dd6b45e
Tags
miner upx 0 xmrig cobaltstrike backdoor trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

dd1a553a4f8d1d1a97d9b9b54b6416bf545c430564bf093ed412da240dd6b45e

Threat Level: Known bad

The file dd1a553a4f8d1d1a97d9b9b54b6416bf545c430564bf093ed412da240dd6b45e was found to be: Known bad.

Malicious Activity Summary

miner upx 0 xmrig cobaltstrike backdoor trojan

Cobalt Strike reflective loader

Xmrig family

XMRig Miner payload

Cobaltstrike family

Cobaltstrike

xmrig

UPX packed file

Executes dropped EXE

Loads dropped DLL

Drops file in Windows directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-01 10:28

Signatures

Cobalt Strike reflective loader

Cobaltstrike family

cobaltstrike

XMRig Miner payload

miner

Xmrig family

xmrig

UPX packed file

upx

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-01 10:28

Reported

2024-06-01 10:31

Platform

win7-20240221-en

Max time kernel

125s

Max time network

139s

Command Line

"C:\Users\Admin\AppData\Local\Temp\dd1a553a4f8d1d1a97d9b9b54b6416bf545c430564bf093ed412da240dd6b45e.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A (21 matches recorded without indicator detail)

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A (53 matches recorded without indicator detail)

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\dd1a553a4f8d1d1a97d9b9b54b6416bf545c430564bf093ed412da240dd6b45e.exe N/A (21 module loads recorded, all by the parent process; module names not recorded)

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A (52 matches recorded without indicator detail)

Drops file in Windows directory

Twenty-one executables were written directly under C:\Windows\System (the legacy directory, not System32), each named with seven mixed-case letters; every one of them reappears as a launched child process in the WriteProcessMemory table and the process list below.

Description Indicator Process Target
File created C:\Windows\System\GPHUkpG.exe C:\Users\Admin\AppData\Local\Temp\dd1a553a4f8d1d1a97d9b9b54b6416bf545c430564bf093ed412da240dd6b45e.exe N/A
File created C:\Windows\System\QfJrFqy.exe C:\Users\Admin\AppData\Local\Temp\dd1a553a4f8d1d1a97d9b9b54b6416bf545c430564bf093ed412da240dd6b45e.exe N/A
File created C:\Windows\System\GscKezA.exe C:\Users\Admin\AppData\Local\Temp\dd1a553a4f8d1d1a97d9b9b54b6416bf545c430564bf093ed412da240dd6b45e.exe N/A
File created C:\Windows\System\zigtDOs.exe C:\Users\Admin\AppData\Local\Temp\dd1a553a4f8d1d1a97d9b9b54b6416bf545c430564bf093ed412da240dd6b45e.exe N/A
File created C:\Windows\System\CLNdIKt.exe C:\Users\Admin\AppData\Local\Temp\dd1a553a4f8d1d1a97d9b9b54b6416bf545c430564bf093ed412da240dd6b45e.exe N/A
File created C:\Windows\System\gMdJBZn.exe C:\Users\Admin\AppData\Local\Temp\dd1a553a4f8d1d1a97d9b9b54b6416bf545c430564bf093ed412da240dd6b45e.exe N/A
File created C:\Windows\System\ETUyPaU.exe C:\Users\Admin\AppData\Local\Temp\dd1a553a4f8d1d1a97d9b9b54b6416bf545c430564bf093ed412da240dd6b45e.exe N/A
File created C:\Windows\System\pxmQbiM.exe C:\Users\Admin\AppData\Local\Temp\dd1a553a4f8d1d1a97d9b9b54b6416bf545c430564bf093ed412da240dd6b45e.exe N/A
File created C:\Windows\System\xYAHcDn.exe C:\Users\Admin\AppData\Local\Temp\dd1a553a4f8d1d1a97d9b9b54b6416bf545c430564bf093ed412da240dd6b45e.exe N/A
File created C:\Windows\System\AvSFvpT.exe C:\Users\Admin\AppData\Local\Temp\dd1a553a4f8d1d1a97d9b9b54b6416bf545c430564bf093ed412da240dd6b45e.exe N/A
File created C:\Windows\System\UdrpbAQ.exe C:\Users\Admin\AppData\Local\Temp\dd1a553a4f8d1d1a97d9b9b54b6416bf545c430564bf093ed412da240dd6b45e.exe N/A
File created C:\Windows\System\izwNejn.exe C:\Users\Admin\AppData\Local\Temp\dd1a553a4f8d1d1a97d9b9b54b6416bf545c430564bf093ed412da240dd6b45e.exe N/A
File created C:\Windows\System\SIuvKXs.exe C:\Users\Admin\AppData\Local\Temp\dd1a553a4f8d1d1a97d9b9b54b6416bf545c430564bf093ed412da240dd6b45e.exe N/A
File created C:\Windows\System\VXZfuLw.exe C:\Users\Admin\AppData\Local\Temp\dd1a553a4f8d1d1a97d9b9b54b6416bf545c430564bf093ed412da240dd6b45e.exe N/A
File created C:\Windows\System\WVaiwlM.exe C:\Users\Admin\AppData\Local\Temp\dd1a553a4f8d1d1a97d9b9b54b6416bf545c430564bf093ed412da240dd6b45e.exe N/A
File created C:\Windows\System\hUHZzmT.exe C:\Users\Admin\AppData\Local\Temp\dd1a553a4f8d1d1a97d9b9b54b6416bf545c430564bf093ed412da240dd6b45e.exe N/A
File created C:\Windows\System\LAoWqJc.exe C:\Users\Admin\AppData\Local\Temp\dd1a553a4f8d1d1a97d9b9b54b6416bf545c430564bf093ed412da240dd6b45e.exe N/A
File created C:\Windows\System\DKvVXtL.exe C:\Users\Admin\AppData\Local\Temp\dd1a553a4f8d1d1a97d9b9b54b6416bf545c430564bf093ed412da240dd6b45e.exe N/A
File created C:\Windows\System\jWlGbmB.exe C:\Users\Admin\AppData\Local\Temp\dd1a553a4f8d1d1a97d9b9b54b6416bf545c430564bf093ed412da240dd6b45e.exe N/A
File created C:\Windows\System\vUlgIpo.exe C:\Users\Admin\AppData\Local\Temp\dd1a553a4f8d1d1a97d9b9b54b6416bf545c430564bf093ed412da240dd6b45e.exe N/A
File created C:\Windows\System\mnCsKJU.exe C:\Users\Admin\AppData\Local\Temp\dd1a553a4f8d1d1a97d9b9b54b6416bf545c430564bf093ed412da240dd6b45e.exe N/A

Suspicious use of AdjustPrivilegeToken

SeLockMemoryPrivilege ("Lock pages in memory") is the right XMRig enables so it can back its RandomX dataset with large pages; outside database and hypervisor workloads, a process enabling it is a strong miner indicator. The sandbox recorded two such adjustments, both by the parent process.

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\dd1a553a4f8d1d1a97d9b9b54b6416bf545c430564bf093ed412da240dd6b45e.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\dd1a553a4f8d1d1a97d9b9b54b6416bf545c430564bf093ed412da240dd6b45e.exe N/A
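Windows writes Security event 4703 ("A user right was adjusted") when a process enables or disables a privilege in its token (Windows 10 / Server 2016 and later; the Windows 7 detonation above would not produce it). The script below is an added detection example, not part of this report or of any tool it names: it flags 4703 events whose EnabledPrivilegeList contains SeLockMemoryPrivilege, drops images on an assumed site baseline, and raises severity when the image runs from C:\Windows\System or a user Temp directory, the two locations this sample uses. The event dicts are constructed; the field names follow the 4703 schema, but the flattened JSON shape, the sample paths other than the two taken from this report, and the allowlist are assumptions.

```python
import re

# Constructed sample events, not taken from the report: a simplified, flattened
# view of Windows Security event 4703 with only the fields this rule reads.
# The first two process paths mirror this report (parent path abbreviated to
# sample.exe); the rest are benign or unrelated examples added for contrast.
EVENTS = [
    {"EventID": 4703, "SubjectUserName": "Admin",
     "ProcessName": r"C:\Users\Admin\AppData\Local\Temp\sample.exe",
     "EnabledPrivilegeList": "SeLockMemoryPrivilege"},
    {"EventID": 4703, "SubjectUserName": "Admin",
     "ProcessName": r"C:\Windows\System\VXZfuLw.exe",
     "EnabledPrivilegeList": "SeLockMemoryPrivilege"},
    {"EventID": 4703, "SubjectUserName": "MSSQLSERVER",
     "ProcessName": r"C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe",
     "EnabledPrivilegeList": "SeLockMemoryPrivilege"},
    {"EventID": 4703, "SubjectUserName": "SYSTEM",
     "ProcessName": r"C:\Windows\System32\svchost.exe",
     "EnabledPrivilegeList": "SeDebugPrivilege\r\n\t\t\tSeImpersonatePrivilege"},
    {"EventID": 4703, "SubjectUserName": "bench",
     "ProcessName": r"C:\Tools\membench.exe",
     "EnabledPrivilegeList": "SeLockMemoryPrivilege\r\n\t\t\tSeIncreaseQuotaPrivilege"},
    {"EventID": 4688, "SubjectUserName": "Admin",
     "ProcessName": r"C:\Windows\System\WVaiwlM.exe"},
]

# Assumption: a site-specific baseline of images that legitimately hold
# "Lock pages in memory". SQL Server is the common case.
ALLOWLISTED_IMAGES = {"sqlservr.exe"}

# Directories that turn a medium finding into a high one. The trailing
# separator matters: "c:\windows\system\" must not match C:\Windows\System32.
SUSPICIOUS_DIRS = ("c:\\windows\\system\\", "\\appdata\\local\\temp\\")


def privileges(event):
    """Split the multi-line EnabledPrivilegeList field into a set of names."""
    raw = event.get("EnabledPrivilegeList", "").strip()
    return set(re.split(r"\s+", raw)) - {""}


def score_event(event):
    """Return (severity, reason) for a SeLockMemoryPrivilege adjustment, else None."""
    if event.get("EventID") != 4703:
        return None
    if "SeLockMemoryPrivilege" not in privileges(event):
        return None
    path = event.get("ProcessName", "")
    image = path.rsplit("\\", 1)[-1].lower()
    if image in ALLOWLISTED_IMAGES:
        return None
    if any(d in path.lower() for d in SUSPICIOUS_DIRS):
        return ("high", f"SeLockMemoryPrivilege enabled by {path} running from a drop/Temp directory")
    return ("medium", f"SeLockMemoryPrivilege enabled by unbaselined image {path}")


def detect(events):
    """Return [(severity, process_path, reason)] in event order."""
    hits = []
    for event in events:
        scored = score_event(event)
        if scored is not None:
            hits.append((scored[0], event["ProcessName"], scored[1]))
    return hits


if __name__ == "__main__":
    for severity, path, reason in detect(EVENTS):
        print(f"[{severity}] {reason}")
```

The allowlist is deliberately an exact image name rather than a path prefix; a miner copied into a "Binn" folder would otherwise slip through. Expect noise on hosts that run large-page-aware workloads and tune the baseline per host class rather than globally.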

Suspicious use of WriteProcessMemory

All 63 recorded events are the parent process (PID 2872) writing into the 21 children it started from the dropped executables, three writes per child; the table lists one row per child with the event count.

Description Indicator Process Target
PID 2872 wrote to memory of 3028 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\dd1a553a4f8d1d1a97d9b9b54b6416bf545c430564bf093ed412da240dd6b45e.exe C:\Windows\System\VXZfuLw.exe
PID 2872 wrote to memory of 3012 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\dd1a553a4f8d1d1a97d9b9b54b6416bf545c430564bf093ed412da240dd6b45e.exe C:\Windows\System\WVaiwlM.exe
PID 2872 wrote to memory of 2484 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\dd1a553a4f8d1d1a97d9b9b54b6416bf545c430564bf093ed412da240dd6b45e.exe C:\Windows\System\QfJrFqy.exe
PID 2872 wrote to memory of 2648 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\dd1a553a4f8d1d1a97d9b9b54b6416bf545c430564bf093ed412da240dd6b45e.exe C:\Windows\System\hUHZzmT.exe
PID 2872 wrote to memory of 2560 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\dd1a553a4f8d1d1a97d9b9b54b6416bf545c430564bf093ed412da240dd6b45e.exe C:\Windows\System\LAoWqJc.exe
PID 2872 wrote to memory of 2492 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\dd1a553a4f8d1d1a97d9b9b54b6416bf545c430564bf093ed412da240dd6b45e.exe C:\Windows\System\GscKezA.exe
PID 2872 wrote to memory of 2544 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\dd1a553a4f8d1d1a97d9b9b54b6416bf545c430564bf093ed412da240dd6b45e.exe C:\Windows\System\AvSFvpT.exe
PID 2872 wrote to memory of 2412 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\dd1a553a4f8d1d1a97d9b9b54b6416bf545c430564bf093ed412da240dd6b45e.exe C:\Windows\System\gMdJBZn.exe
PID 2872 wrote to memory of 2488 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\dd1a553a4f8d1d1a97d9b9b54b6416bf545c430564bf093ed412da240dd6b45e.exe C:\Windows\System\jWlGbmB.exe
PID 2872 wrote to memory of 920 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\dd1a553a4f8d1d1a97d9b9b54b6416bf545c430564bf093ed412da240dd6b45e.exe C:\Windows\System\UdrpbAQ.exe
PID 2872 wrote to memory of 2496 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\dd1a553a4f8d1d1a97d9b9b54b6416bf545c430564bf093ed412da240dd6b45e.exe C:\Windows\System\ETUyPaU.exe
PID 2872 wrote to memory of 2568 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\dd1a553a4f8d1d1a97d9b9b54b6416bf545c430564bf093ed412da240dd6b45e.exe C:\Windows\System\izwNejn.exe
PID 2872 wrote to memory of 800 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\dd1a553a4f8d1d1a97d9b9b54b6416bf545c430564bf093ed412da240dd6b45e.exe C:\Windows\System\zigtDOs.exe
PID 2872 wrote to memory of 572 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\dd1a553a4f8d1d1a97d9b9b54b6416bf545c430564bf093ed412da240dd6b45e.exe C:\Windows\System\CLNdIKt.exe
PID 2872 wrote to memory of 1340 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\dd1a553a4f8d1d1a97d9b9b54b6416bf545c430564bf093ed412da240dd6b45e.exe C:\Windows\System\pxmQbiM.exe
PID 2872 wrote to memory of 1864 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\dd1a553a4f8d1d1a97d9b9b54b6416bf545c430564bf093ed412da240dd6b45e.exe C:\Windows\System\SIuvKXs.exe
PID 2872 wrote to memory of 1364 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\dd1a553a4f8d1d1a97d9b9b54b6416bf545c430564bf093ed412da240dd6b45e.exe C:\Windows\System\DKvVXtL.exe
PID 2872 wrote to memory of 1200 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\dd1a553a4f8d1d1a97d9b9b54b6416bf545c430564bf093ed412da240dd6b45e.exe C:\Windows\System\vUlgIpo.exe
PID 2872 wrote to memory of 2640 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\dd1a553a4f8d1d1a97d9b9b54b6416bf545c430564bf093ed412da240dd6b45e.exe C:\Windows\System\xYAHcDn.exe
PID 2872 wrote to memory of 2692 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\dd1a553a4f8d1d1a97d9b9b54b6416bf545c430564bf093ed412da240dd6b45e.exe C:\Windows\System\GPHUkpG.exe
PID 2872 wrote to memory of 3020 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\dd1a553a4f8d1d1a97d9b9b54b6416bf545c430564bf093ed412da240dd6b45e.exe C:\Windows\System\mnCsKJU.exe

Processes

Each entry gives the image path followed by the recorded command line. For the 21 dropped executables the command line is the bare image path with no arguments, so each is listed once, in launch order.

C:\Users\Admin\AppData\Local\Temp\dd1a553a4f8d1d1a97d9b9b54b6416bf545c430564bf093ed412da240dd6b45e.exe
"C:\Users\Admin\AppData\Local\Temp\dd1a553a4f8d1d1a97d9b9b54b6416bf545c430564bf093ed412da240dd6b45e.exe"

C:\Windows\System\VXZfuLw.exe
C:\Windows\System\WVaiwlM.exe
C:\Windows\System\QfJrFqy.exe
C:\Windows\System\hUHZzmT.exe
C:\Windows\System\LAoWqJc.exe
C:\Windows\System\GscKezA.exe
C:\Windows\System\AvSFvpT.exe
C:\Windows\System\gMdJBZn.exe
C:\Windows\System\jWlGbmB.exe
C:\Windows\System\UdrpbAQ.exe
C:\Windows\System\ETUyPaU.exe
C:\Windows\System\izwNejn.exe
C:\Windows\System\zigtDOs.exe
C:\Windows\System\CLNdIKt.exe
C:\Windows\System\pxmQbiM.exe
C:\Windows\System\SIuvKXs.exe
C:\Windows\System\DKvVXtL.exe
C:\Windows\System\vUlgIpo.exe
C:\Windows\System\xYAHcDn.exe
C:\Windows\System\GPHUkpG.exe
C:\Windows\System\mnCsKJU.exe

Network

Five TCP connections were recorded, all to a single endpoint; the Domain column is empty, so the sandbox associated no hostname with the address.

Country Destination Domain Proto
DE 3.120.209.58:8080 N/A tcp (5 connections)

Files

memory/2872-0-0x000000013F2A0000-0x000000013F5F4000-memory.dmp

memory/2872-1-0x0000000000180000-0x0000000000190000-memory.dmp

C:\Windows\system\VXZfuLw.exe

MD5 c319a6c4c7a944e0d35c7248ceafdd77
SHA1 bdfe4be8ec8dd11d8e62392f4011470fbec1619a
SHA256 427e362efeb2228c78b14a07b0242343f89ec004e6bab492f9dbdb5b11a8eb71
SHA512 d78e4cc7cb33748f99ae1d6021aaeead67c118950c9738a771101cb50b5a0d30ee3dead1918c2db8518e429660f4686f434a65534898a6a795bb334f34193642

\Windows\system\WVaiwlM.exe

MD5 dc211f08aee421747c67659d91c98635
SHA1 2b4eb15a6c112ac84f63858beaa36e7e2c12a460
SHA256 6cec55821c1cd10a56397e17a76517acf4a9f5fc76c8e268e274b9e885e0119b
SHA512 36bb6d9523ed0a63492d36a42683779990abcb498fa41db6004d4ea6677936a4177b57d114f781e6f3d6f7f833751cbab83357029e79638f8c8fa107ffed7830

\Windows\system\QfJrFqy.exe

MD5 b7795fa9f9ef1fe55b145da62e859e8e
SHA1 57a15c78317c8d676165a5de6437331ea1b1fb6a
SHA256 4ebdfa76a303fde34f121a9181093e49167aa41a0d992ee5e70f95e8afc2de6d
SHA512 ddd70a7d2dddbf25d16e36ef6566245b0539ffb37817f3e4c8d73ad5a8facf9c2f881d6a05694afd1d598d300e7478622eac1fcd31be239a6a92a7a46ed95064

memory/3028-15-0x000000013F3E0000-0x000000013F734000-memory.dmp

memory/3012-14-0x000000013FD30000-0x0000000140084000-memory.dmp

C:\Windows\system\LAoWqJc.exe

MD5 0ff67c67b6788015c4990d768034355c
SHA1 55e445dde9790fd000ac3aa74cadad6868709779
SHA256 0672f6ad8a64f77b5923fe6f1c13b75b57e42fa17a4fd584f72dc4b80d73ff54
SHA512 d5fbc1fd5b19e0459f932063ce6e373333380404e25240674fbf5f3186ae33f19dbe1966e0491f2ba1e9679891e841e0a57a4b9648bb9c84cec201d7a49c6124

C:\Windows\system\GscKezA.exe

MD5 3b7795f60c4fafdf1006ac46c70f4a5b
SHA1 e93871d5eb7e7611cc86f451685d5cbda4fa34db
SHA256 bf4f47180987f9fa63525be884f4a6806b31d8423bef0dd3062570bf1d7c991e
SHA512 235aadcc52b7d34c790e663a970b52549c68b867c3916d91c3d7ed8602817f68f4dcb88033c67243b8850e755677a01dfa51188892a1943a10ce07cf420b8b17

C:\Windows\system\jWlGbmB.exe

MD5 4c41ad44add0a0effbb1f837005c5b1a
SHA1 4575dfa9d5ecbaa580acab5207ef29aba380eba5
SHA256 341761406ac2a4df130624e679df2a9773779d902e3c2e147910783d419d7cc4
SHA512 6c2093e519faae696387e294f9bb731e87203d647caea3f708755bdef83cd5ca5771fda08562bd62aeaf71378da329d4146338fe0a4fc7e358ec1309a2ab1b8c

C:\Windows\system\UdrpbAQ.exe

MD5 6389b007a95536dd30d8aa28dd26ae1b
SHA1 4fd043d4e288076a8445541c083211d1169b7481
SHA256 0f5f3b0d67aae12d92ec6105645a7e332f71edb22f603e62db3f1d9b61d9bf55
SHA512 263d2ed5623d02e0ceb008eaabae57e43f7084641924a01a550d84fcaacbdb50a3f1a4987b9341ed246a2d30c76a1544fdef7b3a8462862d5d822d18f20306e3

C:\Windows\system\izwNejn.exe

MD5 722a1d2676670f592feb257bdb988152
SHA1 43418f6a0e62fc421c99265eccc117fa3bd27ad9
SHA256 6f88db252169c7442d3e00bd4f10433b743bd6af8a55709aa765f565764c2d37
SHA512 2a3a300c4827649cb06873955dc1aa654a9c7419a1758cf473eca9b2fd4df7172a3a03e359be886a48e247d9d8be844555b1bd48d7b7d1222025e954b74496ff

C:\Windows\system\CLNdIKt.exe

MD5 69d024c8f8a19e95f61c016eacd90dca
SHA1 9e75bea271b788a010bd209f6ed3ffd92a00034b
SHA256 fda85b67d6c354c599a4be717f4e45934797c7676a92c74e6df2373330efbc64
SHA512 1cc84cc74c1b2626e97fd23d89ee2122930a1db9436122936c247304b2868d8978d6db195e83a68afe34466b960d216f365902a3433ea7a106d4d781179fc0e1

\Windows\system\SIuvKXs.exe

MD5 9efc43fbc3256583b416675d8e4e1df3
SHA1 67462d7b1026d015cbae8dab724dbee79d9ff743
SHA256 188823f2d1786ecf2131146c3a6279fb25a0daad6bb604ae6d67e45d5dd0be06
SHA512 fecd2474f5a1efac1ca6113d40069d0f08c77d2e43f28ae098421980bf620c1c6e0adce23d1c8fe75993c284023b587fe24d7eb016f33400a09db978568f4f36

\Windows\system\GPHUkpG.exe

MD5 15c28299442552678081ab7dcd5c80dc
SHA1 132e502ee1bccb55df38cc382edf74d8f42dc9b9
SHA256 cd8d71e5df1a7c95e592345e09f9fe519a79e78bd91fbfe8cdebfe55d5dfe6a6
SHA512 1d85d6a02e58b3329297fb8bece305847d63b55c1e1aae4fafcbb44b0a007ac43e6fa6920ae80b767de585de452e309dae78c1d1337766beef88fc1e70349e9b

C:\Windows\system\DKvVXtL.exe

MD5 0ac8ac88862f61957baf5f13d093dcc1
SHA1 74db6cc71936756edf0f35de8d2694d08a79ac59
SHA256 c4776ce95bac97af741f4bae4dbf377ecdce1fc56e732a4371d4be5b79c0d4f3
SHA512 902fc5e1f0b9038c37d10f7af3825d51ee1e02c36f98ffc80dfc42f37a999a9ad461a3a50b9171447db34b871224978c11e12b9269caf33c7dafa7c91d60415d

\Windows\system\vUlgIpo.exe

MD5 9876c0284494ef5de6c405f6b8eabc76
SHA1 40743f3e5e0f0ba4b5699541b38a8ebd407acce5
SHA256 553a390f4f8cde3d900e1ad1180ca7b9c5c057f3b620047087a92d29c8dd5d06
SHA512 e20ae14cfb5c6801e11281be4bbfe9d3ab31a22fb9c88f0b88a3134c9a865517e4a47470d3bff258f56576469683e5408ca7264c45e1e53e1936b34e3ccc8faa

C:\Windows\system\mnCsKJU.exe

MD5 c12c3d64019c78641be9abb924c28ee6
SHA1 7444df942598b23c2066af202ff2bf67cf413508
SHA256 bfaeecb648908eaeeaee8544dfab89dfb22cfd9ad9594d27fb764561ccd6bf71
SHA512 2eb029519f27c871c60ee2276d9fd7fc5968708743e14249b38cc03b657e1039ac388a07dfdbf6e9eb1b9b12c263bb070cff4e7a35f1073d35084625c9319cac

C:\Windows\system\xYAHcDn.exe

MD5 cd1ffb051a368ec09806b6a34eff78c7
SHA1 630038aa21b50d66bb0d73cea34f94ba290b9aaf
SHA256 bcd512a3d3a2fcf94180a788a89f58555957056cd5a33f295ff32bc1a11e5a02
SHA512 94246f09ce1aed71e8d0d378e44179e828b5e5288e5d6acaa7218e20b700a30b916c381e2391893560da9b0bca5da199e9ad51e789a269e83c594626ce9dcbcb

C:\Windows\system\pxmQbiM.exe

MD5 b3abf8f6624c5edd5f48f517576ead45
SHA1 a55dd08d92af4024bdd488a257a67ef94def3a9b
SHA256 8427c2cffb61cd9d709510d1bbe834fe11cc28ef45be47bff5aee1ff608778f9
SHA512 6020a2fe518f6d5d1415c8e23724e75ca56b9d2edfec8e1eda528e101ac20f28e23f4c9b4c2b2a768724171784d646efcbab3a72a51042cbae37b703f081195f

C:\Windows\system\zigtDOs.exe

MD5 064d7f0839ff5408e2b3f5184815d5aa
SHA1 b99dfe95f63a4f2dde4a0dc2487b7318f4654e76
SHA256 074267cf20b8127a5e0b9f4b8858f84d5f80be1600b6bdb2fdddc4c426575f32
SHA512 668d36700ce809af59b55b7c403acefd809879b3f55b70965ebd1d156f79bd7a9408953ad6801fffcd4ddc34736b30387088732eaea0aa3f09e6f4c8ecc378e8

C:\Windows\system\ETUyPaU.exe

MD5 7072b2ebd1d2c6f40c8cd518bb835730
SHA1 574a3797466898f31c1b40fda44077b5ec3a4022
SHA256 5b402ee032c1e688d7220c4ce5af1c804e0a2abb8dacc8bb6df4f1b09807ddb5
SHA512 8a4e03f839f8a1ebabd8d8e8c3de18f91b8890454aa98570c7e166a4923c18a390256ddbd868a9c538f770c351e7b9669b512ff65c421a31f7726b3625208593

C:\Windows\system\gMdJBZn.exe

MD5 d3154cb5095bc66b2a51f4681f91ad57
SHA1 3008c109a1231a2b33201c04dba3a30a2e63dcc6
SHA256 7adbfe8b14681206229232290a63bc69a20cfc093f346d30a50a2aeec90df780
SHA512 b9d4c53c53580363974986c9e54021ffe9ae1e040e32d00687ea548ecebe0168116210c588896ef2c2921838c50f7ab401183061a576ff788e8efa61faba6a4d

C:\Windows\system\AvSFvpT.exe

MD5 ce6d8d9f7940d7385867a04fa030e6de
SHA1 6a05e8d15383572bd30e7d1c5caf511482053adf
SHA256 525fe7dd6f14eaed8139b2ce71d617ba14e67aa0c691db802abf3532c4da08be
SHA512 f87d2e18d7477221dfdeeef1ac770518976606f632812cc1dc565a7fd3b08b196f2d1201e40d8a7b06e05bba0b2b1137088ee899ee7c9303edc293aeee16b128

C:\Windows\system\hUHZzmT.exe

MD5 ac6a67013a5e02302d7d2f47c9996178
SHA1 b638a4b45d317fbf04e20838b3e53deef83bd264
SHA256 4ed237a616027d8c444e78cc476d8d80100c5f0a6701f9a02e275159a34e9562
SHA512 eb92ebf2e6ba8653353f2103f79ddeeebdd7ecfa1ea4535d5aa47b4e3551ff7ea53026056944719805230babf0ff585e716e1115152fddb806ed210fdd4928e2

memory/2872-26-0x000000013FC60000-0x000000013FFB4000-memory.dmp

memory/2484-25-0x000000013F1C0000-0x000000013F514000-memory.dmp

memory/2872-21-0x00000000022D0000-0x0000000002624000-memory.dmp

memory/2872-13-0x000000013FD30000-0x0000000140084000-memory.dmp

memory/2648-113-0x000000013FC60000-0x000000013FFB4000-memory.dmp

memory/2560-114-0x000000013F400000-0x000000013F754000-memory.dmp

memory/2492-116-0x000000013FF20000-0x0000000140274000-memory.dmp

memory/2872-117-0x000000013FEC0000-0x0000000140214000-memory.dmp

memory/2872-115-0x000000013FF20000-0x0000000140274000-memory.dmp

memory/2872-121-0x00000000022D0000-0x0000000002624000-memory.dmp

memory/2872-123-0x00000000022D0000-0x0000000002624000-memory.dmp

memory/920-124-0x000000013F0C0000-0x000000013F414000-memory.dmp

memory/2496-126-0x000000013FB20000-0x000000013FE74000-memory.dmp

memory/2872-133-0x000000013FF20000-0x0000000140274000-memory.dmp

memory/2872-134-0x00000000022D0000-0x0000000002624000-memory.dmp

memory/572-132-0x000000013FC80000-0x000000013FFD4000-memory.dmp

memory/2872-131-0x000000013FC80000-0x000000013FFD4000-memory.dmp

memory/800-130-0x000000013FB00000-0x000000013FE54000-memory.dmp

memory/2872-129-0x000000013FB00000-0x000000013FE54000-memory.dmp

memory/2568-128-0x000000013FB20000-0x000000013FE74000-memory.dmp

memory/2872-127-0x000000013FB20000-0x000000013FE74000-memory.dmp

memory/2872-125-0x000000013FB20000-0x000000013FE74000-memory.dmp

memory/2488-122-0x000000013F1C0000-0x000000013F514000-memory.dmp

memory/2412-120-0x000000013F050000-0x000000013F3A4000-memory.dmp

memory/2872-119-0x00000000022D0000-0x0000000002624000-memory.dmp

memory/2544-118-0x000000013FEC0000-0x0000000140214000-memory.dmp

memory/2872-135-0x000000013F2A0000-0x000000013F5F4000-memory.dmp

memory/2648-136-0x000000013FC60000-0x000000013FFB4000-memory.dmp

memory/3028-137-0x000000013F3E0000-0x000000013F734000-memory.dmp

memory/3012-138-0x000000013FD30000-0x0000000140084000-memory.dmp

memory/2484-139-0x000000013F1C0000-0x000000013F514000-memory.dmp

memory/2560-140-0x000000013F400000-0x000000013F754000-memory.dmp

memory/2544-141-0x000000013FEC0000-0x0000000140214000-memory.dmp

memory/2492-142-0x000000013FF20000-0x0000000140274000-memory.dmp

memory/2412-143-0x000000013F050000-0x000000013F3A4000-memory.dmp

memory/920-145-0x000000013F0C0000-0x000000013F414000-memory.dmp

memory/2488-144-0x000000013F1C0000-0x000000013F514000-memory.dmp

memory/2496-146-0x000000013FB20000-0x000000013FE74000-memory.dmp

memory/2568-147-0x000000013FB20000-0x000000013FE74000-memory.dmp

memory/800-148-0x000000013FB00000-0x000000013FE54000-memory.dmp

memory/572-149-0x000000013FC80000-0x000000013FFD4000-memory.dmp

memory/2648-150-0x000000013FC60000-0x000000013FFB4000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-01 10:28

Reported

2024-06-01 10:31

Platform

win10v2004-20240426-en

Max time kernel

138s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\dd1a553a4f8d1d1a97d9b9b54b6416bf545c430564bf093ed412da240dd6b45e.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\sNeMvRw.exe C:\Users\Admin\AppData\Local\Temp\dd1a553a4f8d1d1a97d9b9b54b6416bf545c430564bf093ed412da240dd6b45e.exe N/A
File created C:\Windows\System\xMoXxsm.exe C:\Users\Admin\AppData\Local\Temp\dd1a553a4f8d1d1a97d9b9b54b6416bf545c430564bf093ed412da240dd6b45e.exe N/A
File created C:\Windows\System\ZMkbUfR.exe C:\Users\Admin\AppData\Local\Temp\dd1a553a4f8d1d1a97d9b9b54b6416bf545c430564bf093ed412da240dd6b45e.exe N/A
File created C:\Windows\System\KUbRFAp.exe C:\Users\Admin\AppData\Local\Temp\dd1a553a4f8d1d1a97d9b9b54b6416bf545c430564bf093ed412da240dd6b45e.exe N/A
File created C:\Windows\System\ISizzjE.exe C:\Users\Admin\AppData\Local\Temp\dd1a553a4f8d1d1a97d9b9b54b6416bf545c430564bf093ed412da240dd6b45e.exe N/A
File created C:\Windows\System\FRcNFDu.exe C:\Users\Admin\AppData\Local\Temp\dd1a553a4f8d1d1a97d9b9b54b6416bf545c430564bf093ed412da240dd6b45e.exe N/A
File created C:\Windows\System\IxgCgIi.exe C:\Users\Admin\AppData\Local\Temp\dd1a553a4f8d1d1a97d9b9b54b6416bf545c430564bf093ed412da240dd6b45e.exe N/A
File created C:\Windows\System\ygIqRnp.exe C:\Users\Admin\AppData\Local\Temp\dd1a553a4f8d1d1a97d9b9b54b6416bf545c430564bf093ed412da240dd6b45e.exe N/A
File created C:\Windows\System\jpDpuDu.exe C:\Users\Admin\AppData\Local\Temp\dd1a553a4f8d1d1a97d9b9b54b6416bf545c430564bf093ed412da240dd6b45e.exe N/A
File created C:\Windows\System\CoDiejo.exe C:\Users\Admin\AppData\Local\Temp\dd1a553a4f8d1d1a97d9b9b54b6416bf545c430564bf093ed412da240dd6b45e.exe N/A
File created C:\Windows\System\xqKHSUD.exe C:\Users\Admin\AppData\Local\Temp\dd1a553a4f8d1d1a97d9b9b54b6416bf545c430564bf093ed412da240dd6b45e.exe N/A
File created C:\Windows\System\TIwTHCo.exe C:\Users\Admin\AppData\Local\Temp\dd1a553a4f8d1d1a97d9b9b54b6416bf545c430564bf093ed412da240dd6b45e.exe N/A
File created C:\Windows\System\iBwWZtp.exe C:\Users\Admin\AppData\Local\Temp\dd1a553a4f8d1d1a97d9b9b54b6416bf545c430564bf093ed412da240dd6b45e.exe N/A
File created C:\Windows\System\yiaYTBJ.exe C:\Users\Admin\AppData\Local\Temp\dd1a553a4f8d1d1a97d9b9b54b6416bf545c430564bf093ed412da240dd6b45e.exe N/A
File created C:\Windows\System\xKzIGhO.exe C:\Users\Admin\AppData\Local\Temp\dd1a553a4f8d1d1a97d9b9b54b6416bf545c430564bf093ed412da240dd6b45e.exe N/A
File created C:\Windows\System\ozIVfEi.exe C:\Users\Admin\AppData\Local\Temp\dd1a553a4f8d1d1a97d9b9b54b6416bf545c430564bf093ed412da240dd6b45e.exe N/A
File created C:\Windows\System\AdAbnIE.exe C:\Users\Admin\AppData\Local\Temp\dd1a553a4f8d1d1a97d9b9b54b6416bf545c430564bf093ed412da240dd6b45e.exe N/A
File created C:\Windows\System\MLlYjmy.exe C:\Users\Admin\AppData\Local\Temp\dd1a553a4f8d1d1a97d9b9b54b6416bf545c430564bf093ed412da240dd6b45e.exe N/A
File created C:\Windows\System\izWHqSx.exe C:\Users\Admin\AppData\Local\Temp\dd1a553a4f8d1d1a97d9b9b54b6416bf545c430564bf093ed412da240dd6b45e.exe N/A
File created C:\Windows\System\hBLqSsg.exe C:\Users\Admin\AppData\Local\Temp\dd1a553a4f8d1d1a97d9b9b54b6416bf545c430564bf093ed412da240dd6b45e.exe N/A
File created C:\Windows\System\thrKkxg.exe C:\Users\Admin\AppData\Local\Temp\dd1a553a4f8d1d1a97d9b9b54b6416bf545c430564bf093ed412da240dd6b45e.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\dd1a553a4f8d1d1a97d9b9b54b6416bf545c430564bf093ed412da240dd6b45e.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\dd1a553a4f8d1d1a97d9b9b54b6416bf545c430564bf093ed412da240dd6b45e.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3988 wrote to memory of 1184 N/A C:\Users\Admin\AppData\Local\Temp\dd1a553a4f8d1d1a97d9b9b54b6416bf545c430564bf093ed412da240dd6b45e.exe C:\Windows\System\IxgCgIi.exe
PID 3988 wrote to memory of 1184 N/A C:\Users\Admin\AppData\Local\Temp\dd1a553a4f8d1d1a97d9b9b54b6416bf545c430564bf093ed412da240dd6b45e.exe C:\Windows\System\IxgCgIi.exe
PID 3988 wrote to memory of 1548 N/A C:\Users\Admin\AppData\Local\Temp\dd1a553a4f8d1d1a97d9b9b54b6416bf545c430564bf093ed412da240dd6b45e.exe C:\Windows\System\AdAbnIE.exe
PID 3988 wrote to memory of 1548 N/A C:\Users\Admin\AppData\Local\Temp\dd1a553a4f8d1d1a97d9b9b54b6416bf545c430564bf093ed412da240dd6b45e.exe C:\Windows\System\AdAbnIE.exe
PID 3988 wrote to memory of 4928 N/A C:\Users\Admin\AppData\Local\Temp\dd1a553a4f8d1d1a97d9b9b54b6416bf545c430564bf093ed412da240dd6b45e.exe C:\Windows\System\xMoXxsm.exe
PID 3988 wrote to memory of 4928 N/A C:\Users\Admin\AppData\Local\Temp\dd1a553a4f8d1d1a97d9b9b54b6416bf545c430564bf093ed412da240dd6b45e.exe C:\Windows\System\xMoXxsm.exe
PID 3988 wrote to memory of 1564 N/A C:\Users\Admin\AppData\Local\Temp\dd1a553a4f8d1d1a97d9b9b54b6416bf545c430564bf093ed412da240dd6b45e.exe C:\Windows\System\ZMkbUfR.exe
PID 3988 wrote to memory of 1564 N/A C:\Users\Admin\AppData\Local\Temp\dd1a553a4f8d1d1a97d9b9b54b6416bf545c430564bf093ed412da240dd6b45e.exe C:\Windows\System\ZMkbUfR.exe
PID 3988 wrote to memory of 3620 N/A C:\Users\Admin\AppData\Local\Temp\dd1a553a4f8d1d1a97d9b9b54b6416bf545c430564bf093ed412da240dd6b45e.exe C:\Windows\System\ygIqRnp.exe
PID 3988 wrote to memory of 3620 N/A C:\Users\Admin\AppData\Local\Temp\dd1a553a4f8d1d1a97d9b9b54b6416bf545c430564bf093ed412da240dd6b45e.exe C:\Windows\System\ygIqRnp.exe
PID 3988 wrote to memory of 3216 N/A C:\Users\Admin\AppData\Local\Temp\dd1a553a4f8d1d1a97d9b9b54b6416bf545c430564bf093ed412da240dd6b45e.exe C:\Windows\System\xqKHSUD.exe
PID 3988 wrote to memory of 3216 N/A C:\Users\Admin\AppData\Local\Temp\dd1a553a4f8d1d1a97d9b9b54b6416bf545c430564bf093ed412da240dd6b45e.exe C:\Windows\System\xqKHSUD.exe
PID 3988 wrote to memory of 3412 N/A C:\Users\Admin\AppData\Local\Temp\dd1a553a4f8d1d1a97d9b9b54b6416bf545c430564bf093ed412da240dd6b45e.exe C:\Windows\System\MLlYjmy.exe
PID 3988 wrote to memory of 3412 N/A C:\Users\Admin\AppData\Local\Temp\dd1a553a4f8d1d1a97d9b9b54b6416bf545c430564bf093ed412da240dd6b45e.exe C:\Windows\System\MLlYjmy.exe
PID 3988 wrote to memory of 2036 N/A C:\Users\Admin\AppData\Local\Temp\dd1a553a4f8d1d1a97d9b9b54b6416bf545c430564bf093ed412da240dd6b45e.exe C:\Windows\System\KUbRFAp.exe
PID 3988 wrote to memory of 2036 N/A C:\Users\Admin\AppData\Local\Temp\dd1a553a4f8d1d1a97d9b9b54b6416bf545c430564bf093ed412da240dd6b45e.exe C:\Windows\System\KUbRFAp.exe
PID 3988 wrote to memory of 4036 N/A C:\Users\Admin\AppData\Local\Temp\dd1a553a4f8d1d1a97d9b9b54b6416bf545c430564bf093ed412da240dd6b45e.exe C:\Windows\System\jpDpuDu.exe
PID 3988 wrote to memory of 4036 N/A C:\Users\Admin\AppData\Local\Temp\dd1a553a4f8d1d1a97d9b9b54b6416bf545c430564bf093ed412da240dd6b45e.exe C:\Windows\System\jpDpuDu.exe
PID 3988 wrote to memory of 2120 N/A C:\Users\Admin\AppData\Local\Temp\dd1a553a4f8d1d1a97d9b9b54b6416bf545c430564bf093ed412da240dd6b45e.exe C:\Windows\System\ISizzjE.exe
PID 3988 wrote to memory of 2120 N/A C:\Users\Admin\AppData\Local\Temp\dd1a553a4f8d1d1a97d9b9b54b6416bf545c430564bf093ed412da240dd6b45e.exe C:\Windows\System\ISizzjE.exe
PID 3988 wrote to memory of 2940 N/A C:\Users\Admin\AppData\Local\Temp\dd1a553a4f8d1d1a97d9b9b54b6416bf545c430564bf093ed412da240dd6b45e.exe C:\Windows\System\TIwTHCo.exe
PID 3988 wrote to memory of 2940 N/A C:\Users\Admin\AppData\Local\Temp\dd1a553a4f8d1d1a97d9b9b54b6416bf545c430564bf093ed412da240dd6b45e.exe C:\Windows\System\TIwTHCo.exe
PID 3988 wrote to memory of 4972 N/A C:\Users\Admin\AppData\Local\Temp\dd1a553a4f8d1d1a97d9b9b54b6416bf545c430564bf093ed412da240dd6b45e.exe C:\Windows\System\izWHqSx.exe
PID 3988 wrote to memory of 4972 N/A C:\Users\Admin\AppData\Local\Temp\dd1a553a4f8d1d1a97d9b9b54b6416bf545c430564bf093ed412da240dd6b45e.exe C:\Windows\System\izWHqSx.exe
PID 3988 wrote to memory of 3600 N/A C:\Users\Admin\AppData\Local\Temp\dd1a553a4f8d1d1a97d9b9b54b6416bf545c430564bf093ed412da240dd6b45e.exe C:\Windows\System\hBLqSsg.exe
PID 3988 wrote to memory of 3600 N/A C:\Users\Admin\AppData\Local\Temp\dd1a553a4f8d1d1a97d9b9b54b6416bf545c430564bf093ed412da240dd6b45e.exe C:\Windows\System\hBLqSsg.exe
PID 3988 wrote to memory of 4864 N/A C:\Users\Admin\AppData\Local\Temp\dd1a553a4f8d1d1a97d9b9b54b6416bf545c430564bf093ed412da240dd6b45e.exe C:\Windows\System\thrKkxg.exe
PID 3988 wrote to memory of 4864 N/A C:\Users\Admin\AppData\Local\Temp\dd1a553a4f8d1d1a97d9b9b54b6416bf545c430564bf093ed412da240dd6b45e.exe C:\Windows\System\thrKkxg.exe
PID 3988 wrote to memory of 4432 N/A C:\Users\Admin\AppData\Local\Temp\dd1a553a4f8d1d1a97d9b9b54b6416bf545c430564bf093ed412da240dd6b45e.exe C:\Windows\System\CoDiejo.exe
PID 3988 wrote to memory of 4432 N/A C:\Users\Admin\AppData\Local\Temp\dd1a553a4f8d1d1a97d9b9b54b6416bf545c430564bf093ed412da240dd6b45e.exe C:\Windows\System\CoDiejo.exe
PID 3988 wrote to memory of 1952 N/A C:\Users\Admin\AppData\Local\Temp\dd1a553a4f8d1d1a97d9b9b54b6416bf545c430564bf093ed412da240dd6b45e.exe C:\Windows\System\iBwWZtp.exe
PID 3988 wrote to memory of 1952 N/A C:\Users\Admin\AppData\Local\Temp\dd1a553a4f8d1d1a97d9b9b54b6416bf545c430564bf093ed412da240dd6b45e.exe C:\Windows\System\iBwWZtp.exe
PID 3988 wrote to memory of 3772 N/A C:\Users\Admin\AppData\Local\Temp\dd1a553a4f8d1d1a97d9b9b54b6416bf545c430564bf093ed412da240dd6b45e.exe C:\Windows\System\ozIVfEi.exe
PID 3988 wrote to memory of 3772 N/A C:\Users\Admin\AppData\Local\Temp\dd1a553a4f8d1d1a97d9b9b54b6416bf545c430564bf093ed412da240dd6b45e.exe C:\Windows\System\ozIVfEi.exe
PID 3988 wrote to memory of 1732 N/A C:\Users\Admin\AppData\Local\Temp\dd1a553a4f8d1d1a97d9b9b54b6416bf545c430564bf093ed412da240dd6b45e.exe C:\Windows\System\yiaYTBJ.exe
PID 3988 wrote to memory of 1732 N/A C:\Users\Admin\AppData\Local\Temp\dd1a553a4f8d1d1a97d9b9b54b6416bf545c430564bf093ed412da240dd6b45e.exe C:\Windows\System\yiaYTBJ.exe
PID 3988 wrote to memory of 3776 N/A C:\Users\Admin\AppData\Local\Temp\dd1a553a4f8d1d1a97d9b9b54b6416bf545c430564bf093ed412da240dd6b45e.exe C:\Windows\System\xKzIGhO.exe
PID 3988 wrote to memory of 3776 N/A C:\Users\Admin\AppData\Local\Temp\dd1a553a4f8d1d1a97d9b9b54b6416bf545c430564bf093ed412da240dd6b45e.exe C:\Windows\System\xKzIGhO.exe
PID 3988 wrote to memory of 2592 N/A C:\Users\Admin\AppData\Local\Temp\dd1a553a4f8d1d1a97d9b9b54b6416bf545c430564bf093ed412da240dd6b45e.exe C:\Windows\System\FRcNFDu.exe
PID 3988 wrote to memory of 2592 N/A C:\Users\Admin\AppData\Local\Temp\dd1a553a4f8d1d1a97d9b9b54b6416bf545c430564bf093ed412da240dd6b45e.exe C:\Windows\System\FRcNFDu.exe
PID 3988 wrote to memory of 4216 N/A C:\Users\Admin\AppData\Local\Temp\dd1a553a4f8d1d1a97d9b9b54b6416bf545c430564bf093ed412da240dd6b45e.exe C:\Windows\System\sNeMvRw.exe
PID 3988 wrote to memory of 4216 N/A C:\Users\Admin\AppData\Local\Temp\dd1a553a4f8d1d1a97d9b9b54b6416bf545c430564bf093ed412da240dd6b45e.exe C:\Windows\System\sNeMvRw.exe

Processes

C:\Users\Admin\AppData\Local\Temp\dd1a553a4f8d1d1a97d9b9b54b6416bf545c430564bf093ed412da240dd6b45e.exe

"C:\Users\Admin\AppData\Local\Temp\dd1a553a4f8d1d1a97d9b9b54b6416bf545c430564bf093ed412da240dd6b45e.exe"

C:\Windows\System\IxgCgIi.exe

C:\Windows\System\IxgCgIi.exe

C:\Windows\System\AdAbnIE.exe

C:\Windows\System\AdAbnIE.exe

C:\Windows\System\xMoXxsm.exe

C:\Windows\System\xMoXxsm.exe

C:\Windows\System\ZMkbUfR.exe

C:\Windows\System\ZMkbUfR.exe

C:\Windows\System\ygIqRnp.exe

C:\Windows\System\ygIqRnp.exe

C:\Windows\System\xqKHSUD.exe

C:\Windows\System\xqKHSUD.exe

C:\Windows\System\MLlYjmy.exe

C:\Windows\System\MLlYjmy.exe

C:\Windows\System\KUbRFAp.exe

C:\Windows\System\KUbRFAp.exe

C:\Windows\System\jpDpuDu.exe

C:\Windows\System\jpDpuDu.exe

C:\Windows\System\ISizzjE.exe

C:\Windows\System\ISizzjE.exe

C:\Windows\System\TIwTHCo.exe

C:\Windows\System\TIwTHCo.exe

C:\Windows\System\izWHqSx.exe

C:\Windows\System\izWHqSx.exe

C:\Windows\System\hBLqSsg.exe

C:\Windows\System\hBLqSsg.exe

C:\Windows\System\thrKkxg.exe

C:\Windows\System\thrKkxg.exe

C:\Windows\System\CoDiejo.exe

C:\Windows\System\CoDiejo.exe

C:\Windows\System\iBwWZtp.exe

C:\Windows\System\iBwWZtp.exe

C:\Windows\System\ozIVfEi.exe

C:\Windows\System\ozIVfEi.exe

C:\Windows\System\yiaYTBJ.exe

C:\Windows\System\yiaYTBJ.exe

C:\Windows\System\xKzIGhO.exe

C:\Windows\System\xKzIGhO.exe

C:\Windows\System\FRcNFDu.exe

C:\Windows\System\FRcNFDu.exe

C:\Windows\System\sNeMvRw.exe

C:\Windows\System\sNeMvRw.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 69.31.126.40.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp

Files

memory/3988-0-0x00007FF6B2C50000-0x00007FF6B2FA4000-memory.dmp

memory/3988-1-0x000001FF658D0000-0x000001FF658E0000-memory.dmp

C:\Windows\System\IxgCgIi.exe

MD5 3b8b60da0b5d0f8531f3f9053092aa96
SHA1 cb120cd6bc751792c7b2a5fbbb3cf3e3b5a2114e
SHA256 4ac13dd1e29d483c31a79695895c922afdb166736fd59c29a06d8b4cf184b328
SHA512 322b8c4e0bf9b4285daf19100105a67c1b404e9858ded7a53b19b9ac84720b15bac900c4ae96535934108801fea5532221bc240740ae784e3c74114b6989b823

C:\Windows\System\xMoXxsm.exe

MD5 8b7e6caedb30249566d9f1e11e9d5e8f
SHA1 7265682604314c13b8f96ddbb359d3ef97183039
SHA256 5222af1c9a6803b48d401eaba3116a42557df9e999873d2a1c287ab26dd91e10
SHA512 35b89fb24ac9c7f1d927bf307953f4ac50d7904ec4fdd9fcd416c74099bce0df859783937428b46eb1317b47c78b8c0eaf6aeea28821233f7033b10f0c0bd129

C:\Windows\System\AdAbnIE.exe

MD5 04410ef1cc8649a3b969323642332259
SHA1 e9baf50662498db9f2e39c034ade4f49da4252b2
SHA256 37cd9de84fadada0a84d23c0bea3459c5e0a64aaad822a882f36927dd760ac02
SHA512 a166c0174f84c6f99e283340160efba3964e043b1c1aee7b4152182e6a40dc32faecb15e9ae7e08e27a9fe954fe917f295063f74aae560e5a65c2e97b2ef50c1

C:\Windows\System\ZMkbUfR.exe

MD5 d8195bddef2133ca6ec1d88267cf4a80
SHA1 736c3fdbb8f4411abfa45290c002ebdd3528b326
SHA256 d4fcd42b555b96677c17a306f35b614ea5c6705552678ec012456ad09b4a7d04
SHA512 8208cb1df391168afbe2b8d02630b9bae37ca350df1b5d502c6fa619ce75f6f33082fcf58c277e6c0eb8245c5c4976eff791a3179b97f7b9d2c3711777dfda03

memory/4928-19-0x00007FF71CD70000-0x00007FF71D0C4000-memory.dmp

memory/1548-14-0x00007FF7FC690000-0x00007FF7FC9E4000-memory.dmp

memory/1184-7-0x00007FF69B1D0000-0x00007FF69B524000-memory.dmp

memory/3620-34-0x00007FF711160000-0x00007FF7114B4000-memory.dmp

C:\Windows\System\xqKHSUD.exe

MD5 1ffd5d718b79415dff4482720d443a6c
SHA1 14e2bb4d560e8b760ac68f8bc34461c41914ac21
SHA256 60b5f488d5c5301e1c6477d78c5b6869f354a0bb73f1915ec604ac79068dda67
SHA512 8b7def7991133ab31bac1c91076351a57e9a1cacbb5d42ce468f4aa9f74e2d656d2aa1e4852650f2272a42e5ca75888f7ded1b16000ee929924515a1d3ac7a7e

C:\Windows\System\ygIqRnp.exe

MD5 d1d62c5e2aaba1c4587a81b04e74cabf
SHA1 fab82e98dc91940c5446b4a8b39df74c506cf4d8
SHA256 577ddfb8d20b08e6c2bb1ab89de5f5ece8053e3336e67b71d075e607dbff4564
SHA512 ed3dac5782906377936afe8c3fcb7d797c86901c34d6b2b96203c36d92dcf8de3d3bb9da5b78f8a0f364ff537aba3420b161aa43bb8e5db1212fbc563f88dd10

memory/3216-32-0x00007FF7033D0000-0x00007FF703724000-memory.dmp

memory/1564-31-0x00007FF73C930000-0x00007FF73CC84000-memory.dmp

C:\Windows\System\MLlYjmy.exe

MD5 ba41864637f0d93aa33010318af7f324
SHA1 f28c6af0f1fed9f5e8bc3e24b292dffe0aa16342
SHA256 0370885b6460db7c62a9d68a14aba0152bc711018779d23ff1fc494f833a56e2
SHA512 56fbc2172a5dc6bfb680ca552721c0e3e2f405880b798ce828c0dcfd9c3fe68623a21af5a32c476426cc2ac7ac017e29096b230fff916be17c9c6e9f277c207b

memory/3412-44-0x00007FF7C21D0000-0x00007FF7C2524000-memory.dmp

C:\Windows\System\KUbRFAp.exe

MD5 c8969dcc8681b9d99451a1aa650a7388
SHA1 95032fd127ec481be9104b63076d801650f95d44
SHA256 f6b94307c958f21ff5c932176d625bfe93251db36731cb0b50563d06d5053689
SHA512 be8fe0d99e8a772da9da2f5ea49d3fef456e2d9c80ee8e1a5be208e9594bec384051b234c180c463e783c924b3242529a760ccf462162ef265da3da98f51fd06

C:\Windows\System\jpDpuDu.exe

MD5 0de2addabef8cab6f05f630e29197975
SHA1 6bb2e5c80b1ddf755350a67afc3d3fab385b2e75
SHA256 ba8681a059eaaa045321c6a2bfdd444dcd758a76724210b20494cecaf7253bdb
SHA512 0fca65441ab3937d75ca954161540e465b455c7099e86bf9892351948c5d998ba1cb55c7de98fd1787ea1570aad2fb106c1253d5128acec731d494a141079fbd

memory/2036-55-0x00007FF783930000-0x00007FF783C84000-memory.dmp

memory/2120-60-0x00007FF6EF110000-0x00007FF6EF464000-memory.dmp

C:\Windows\System\TIwTHCo.exe

MD5 6a4a4042c2545ad5cf56e4d4b704ac11
SHA1 48f550f586eb67e2cb10de75d8a293835ec4201a
SHA256 cce36a2c84bef3cdd5f641707cac44c587782e606c5cb1c2b0f02299558d2a2f
SHA512 d5dfc5831c4837f13964444805eb4ea6fa634dafba5e1a26e3e76bb963941a88d8a91a392391e307527e25b7a7eeea0edcd281f3ed3f9096e1ca5f44a42d2b0f

C:\Windows\System\ISizzjE.exe

MD5 8f7d51b30c77d3e9019609d289d16d83
SHA1 d97d8e43f1c04c5435d6df79c4854920e8c5db7f
SHA256 2b3a196512c4883f7eacb37dff554fc3ae79c86ccabe38c61266b9b4501a6c13
SHA512 fe2c676382ca953de744fd596003f2b8a35507818b6595fbadb61092c6fc2966aeb61fe4434ace3e5a1e8903cac84d57d28bc352380d3100411eeadbd45a10ee

memory/4036-59-0x00007FF751810000-0x00007FF751B64000-memory.dmp

memory/2940-66-0x00007FF7BD0B0000-0x00007FF7BD404000-memory.dmp

C:\Windows\System\izWHqSx.exe

MD5 e65d82e1adeb355720f677e301725abe
SHA1 7f15166a213594d197153c19c6a3849fe0362e2d
SHA256 f370e6500169c827c069e00fb0ded0d4034de279ed685008b4917ea8a679b171
SHA512 57feb71f7b29e0f633e9b20f02084501e245879f62de2b7504dd0f79e2fc4a04afb072e3c0f8b219c95fdf2191a42879643e9da1c4349eb47e5b64910b2a01a3

memory/4972-73-0x00007FF61BD90000-0x00007FF61C0E4000-memory.dmp

memory/3988-72-0x00007FF6B2C50000-0x00007FF6B2FA4000-memory.dmp

memory/1184-84-0x00007FF69B1D0000-0x00007FF69B524000-memory.dmp

memory/4864-93-0x00007FF64AF20000-0x00007FF64B274000-memory.dmp

memory/4432-98-0x00007FF74AE90000-0x00007FF74B1E4000-memory.dmp

memory/1952-102-0x00007FF7AC170000-0x00007FF7AC4C4000-memory.dmp

C:\Windows\System\ozIVfEi.exe

MD5 090372721cc5a735e3d9cf04589f47b6
SHA1 51bff6f60861ae3340f650b071dd2eacbdf2f8e1
SHA256 dab1e0a54d6f449357abcdf0b694c7df1ef940ecb8d572ec542070ff7af607b3
SHA512 aafb451f991dfc2ba3e03c4b09ae74869d0d7ef8bc1a384866fea0772165c07f90073525e0f0c59ee56f0807bf85ccbea38855b01fa14700b25253702c54038d

C:\Windows\System\iBwWZtp.exe

MD5 f15799e24e6e349da559a0627e4e7c5d
SHA1 ffc58178bd4883afdd4d4b867baf4194f4b94bc0
SHA256 bad2047d1785e24bd6dd2f19a5d37f41fcd6df89d0a63ec3a85f6890154a8539
SHA512 1cbbe77f99a106b6a07c360a1b3f21059bb0ad4a670d8e9e9ecbede8adbcd59e0f1f892a9c95666a0350e4aa8200865e50f37885e0e656d0cffbd4fff8870d02

memory/1564-101-0x00007FF73C930000-0x00007FF73CC84000-memory.dmp

memory/4928-99-0x00007FF71CD70000-0x00007FF71D0C4000-memory.dmp

C:\Windows\System\thrKkxg.exe

MD5 680a2094e63699e5bbf6ad520c42c29c
SHA1 1b085be48deb0fc65ff92d82022ab5cea0218658
SHA256 dd01d09b4ddab29283c679f56239ad5133bfecf155a145f5baf028502bdc4c3c
SHA512 8c678b50759ba3754d93684a6ef089c0887fb9d98756f2938bc9d9e26f92d77685c06c3670fa7541ef492e6ef6c7db37ac54e3d2b8078fc72d085bf6a1b39502

memory/1548-94-0x00007FF7FC690000-0x00007FF7FC9E4000-memory.dmp

C:\Windows\System\CoDiejo.exe

MD5 3024f85162113372ad24fa90d2412dbf
SHA1 9c3669900b37abdebeaed3ef941c9564f168d968
SHA256 273397a77e4fea825921bf279c02a2f2f22d4a7079b6770746ed1ea36484f6b8
SHA512 30c7063ee5476fb9addcb0c0e053f737a2c3ea2a4a8b25f21828e839e07220f03440e5273e0b2fdc1a606e9d1f43d0b2069104a81b5dc9c808d9acaaf95d60c1

C:\Windows\System\hBLqSsg.exe

MD5 7d1a5737902851057ebadbcda6157bde
SHA1 42b4578ba0336acb8874aea8be240ff05266be2e
SHA256 ba16e2c30a12fe8f6faaccf33e360c1695e19d8efaaab2351fad69ea369919c7
SHA512 614c444c99be2182fa7b4751667900c9643deeffa0aeb386276d4f6ed21318f2a6c4574b8ed086c439167752087ffa271e5cea7a7cdf8f285cbef9c21fed5e24

memory/3600-85-0x00007FF72A5D0000-0x00007FF72A924000-memory.dmp

memory/3772-110-0x00007FF753EA0000-0x00007FF7541F4000-memory.dmp

C:\Windows\System\yiaYTBJ.exe

MD5 5aea54a9fa3f3beaec07382a039ffa49
SHA1 2c1c4964498ba0308a21020584d4e974b0ef669f
SHA256 7f967633730850e3dc0979c27eda4e7515c78dd1fe72e2b795dd02b72dd40f61
SHA512 9c4ec7056ba2f5088200c2990cf5fe691e6bec7e5081f5e73d78e1e5b356fc57e9a89391e98b1dc6f46279da9028c43198de02ae791cc51d0da3d87a77f1aed5

memory/3216-109-0x00007FF7033D0000-0x00007FF703724000-memory.dmp

C:\Windows\System\xKzIGhO.exe

MD5 121f79cc29303e7c5cf9ea6bd2254c52
SHA1 ea7e42e6b36493c594c26cce122a1a2d4a2bc19c
SHA256 1e71adf317d9e45ac8472ed13c61c19a7d51d583d3853b1dabfc059d7c1a7933
SHA512 132d742ff56a35206da1371ba79d45497b7f928e63088a48e88e1a9874514ac3000984898d401fb60084b1ca20cf37657eb6fca335279eff0cfe8a2a12f0404b

C:\Windows\System\FRcNFDu.exe

MD5 225521f2e35165c16f8801fd1424332f
SHA1 19e6e5199c96fafd46a7a4f6d77fef69ae37f4aa
SHA256 b405f763f86fe287216996605b3328e394e1732d54291733bd2b505a80710ebd
SHA512 1956d5cc8c0cf0521ced9126d4f23f375e71fe55e249939c1eb7e060a7aae9416d10c5d8721518a457858a9faf2874833e4fc3b9813c1902c0fe5d259759881e

C:\Windows\System\sNeMvRw.exe

MD5 0db59a3f478755767e5f5cc2293cf76f
SHA1 ff496500aceff11f53a534cc1fff81c2c7956f23
SHA256 5dd141fd8d557d1f76e52254c495a5896f886719aaa890702031109dfe42269b
SHA512 ff5af015e2f8512f46b60bb1a559c4f9b0fbe4eacc36f4eb7291554591c3db49db33c8dc4d9ea7da4551d8cb99cc2846cc3bf1d113306672a272a2fab1d0bf22

memory/3620-121-0x00007FF711160000-0x00007FF7114B4000-memory.dmp

memory/3412-134-0x00007FF7C21D0000-0x00007FF7C2524000-memory.dmp

memory/3776-133-0x00007FF714910000-0x00007FF714C64000-memory.dmp

memory/2592-135-0x00007FF7F5D80000-0x00007FF7F60D4000-memory.dmp

memory/4216-132-0x00007FF662950000-0x00007FF662CA4000-memory.dmp

memory/1732-131-0x00007FF63C7F0000-0x00007FF63CB44000-memory.dmp

memory/2120-136-0x00007FF6EF110000-0x00007FF6EF464000-memory.dmp

memory/2940-137-0x00007FF7BD0B0000-0x00007FF7BD404000-memory.dmp

memory/4972-138-0x00007FF61BD90000-0x00007FF61C0E4000-memory.dmp

memory/4864-139-0x00007FF64AF20000-0x00007FF64B274000-memory.dmp

memory/3600-140-0x00007FF72A5D0000-0x00007FF72A924000-memory.dmp

memory/1952-141-0x00007FF7AC170000-0x00007FF7AC4C4000-memory.dmp

memory/1184-142-0x00007FF69B1D0000-0x00007FF69B524000-memory.dmp

memory/1548-143-0x00007FF7FC690000-0x00007FF7FC9E4000-memory.dmp

memory/4928-144-0x00007FF71CD70000-0x00007FF71D0C4000-memory.dmp

memory/1564-145-0x00007FF73C930000-0x00007FF73CC84000-memory.dmp

memory/3620-147-0x00007FF711160000-0x00007FF7114B4000-memory.dmp

memory/3216-146-0x00007FF7033D0000-0x00007FF703724000-memory.dmp

memory/3412-148-0x00007FF7C21D0000-0x00007FF7C2524000-memory.dmp

memory/2036-149-0x00007FF783930000-0x00007FF783C84000-memory.dmp

memory/4036-150-0x00007FF751810000-0x00007FF751B64000-memory.dmp

memory/2940-151-0x00007FF7BD0B0000-0x00007FF7BD404000-memory.dmp

memory/2120-152-0x00007FF6EF110000-0x00007FF6EF464000-memory.dmp

memory/4972-153-0x00007FF61BD90000-0x00007FF61C0E4000-memory.dmp

memory/3600-154-0x00007FF72A5D0000-0x00007FF72A924000-memory.dmp

memory/4432-155-0x00007FF74AE90000-0x00007FF74B1E4000-memory.dmp

memory/4864-156-0x00007FF64AF20000-0x00007FF64B274000-memory.dmp

memory/1952-157-0x00007FF7AC170000-0x00007FF7AC4C4000-memory.dmp

memory/3772-158-0x00007FF753EA0000-0x00007FF7541F4000-memory.dmp

memory/1732-159-0x00007FF63C7F0000-0x00007FF63CB44000-memory.dmp

memory/3776-160-0x00007FF714910000-0x00007FF714C64000-memory.dmp

memory/2592-161-0x00007FF7F5D80000-0x00007FF7F60D4000-memory.dmp

memory/4216-162-0x00007FF662950000-0x00007FF662CA4000-memory.dmp